uBlock Origin will soon stop functioning in Chrome as Google transitions to new browser extension rules.

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      arrow-up
      23
      ·
      edit-2
      5 months ago

      But they’re not blocking ad blockers. They’re restricting a huge attack surface which has the side effect of making it harder to build ad blockers. With this change, extensions can “only” alter/inspect/redirect/block 30,000 domains if they use the webRequest API. That’s not enough to build uBlock Origin with, but at least there’s limit now.

      Google should add a specific ad blocking API (though I suppose that name would run afoul of market competition laws, so maybe they’d need to workshop that stuff info “content enhancers” or whatever) before removing the ability for extensions to hide/block/redirect/alter arbitrary requests, but the way extension’s currently work is pretty terrible.

      It’s all fun and games if uBlock Origin uses this API, but if one of your other extensions get bought out by a Chinese malware company, you’d be wondering why “save downloads to Nextcloud” and “remove Google search bar from the browser home page” were able to steal all the money out of your checking account and open several credit cards in your name.

      Google’s approach sucks, but in my opinion other browsers should show stronger warnings when installing extensions with access to everything you do in a browser (and outside it, if you screen share).

      I don’t really care about Chrome, Chrome users can just download another browser if they don’t like ads. I do care about the risks in other browsers, and browsers need to do a lot better communicating and compartmentalising this risk to end users.

      • P03 Locke@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        69
        ·
        edit-2
        5 months ago

        With this change, extensions can “only” alter/inspect/redirect/block 30,000 domains if they use the webRequest API. That’s not enough to build uBlock Origin with, but at least there’s limit now.

        That seems like an arbitrary number. Why not 20,000? Or 300,000? What the hell is this limit even for? Even malware can still target 10 domains and do some significant damage. So, what the hell is the point?

        Remember, politicians don’t pass racist laws by directly saying they are excluding PoC into the law. They do it by targeting commonalities that happen to apply to PoC.

        Google isn’t going to flat-out say they are blocking uBlock Origin. They are going to do it by implementing “security features” that just so happen to target only uBlock Origin.

        • Skull giver@popplesburger.hilciferous.nl
          link
          fedilink
          arrow-up
          8
          ·
          5 months ago

          Personally, I would’ve lowered the size of this was about security. Make it a nice, round number, like 1024.

          I think it must’ve been based on something like “the declarative layout is x KB per entry so if we assume the file can be 10MB at most we get about 30k entries”. Maybe they documented it somewhere, I don’t know.

          I think it’s clear that a security concern has been hijacked by the ad people. If it was just about security, some other content blocking API would’ve been set up. Safari on iOS has content blockers and that doesn’t even use web extensions, so clearly there are software design models that allow blocking without the “read any website data any time” risk that WebExtensions pose.

          But these features don’t just target ad blockers. It also affects other extensions, like Stylus for user CSS, or TamperMonkey for user scripts. It also affects other content blockers, of course. The big difference is that most extensions that require permanent access to every resource on every page are either ad blockers, malware, or power user scripts.

      • coffeetest@beehaw.org
        link
        fedilink
        arrow-up
        22
        ·
        5 months ago

        “For the security” is starting to sound a lot like “for the children”. I hope this works out better than secure boot. When these new ideas emerge that have, let’s call them, “side effects” like disabling ad-blockers or preventing Linux from being installed I am suspicious.

        • Skull giver@popplesburger.hilciferous.nl
          link
          fedilink
          English
          arrow-up
          4
          ·
          5 months ago

          Google clearly shows their intent by not providing an alternative API for content filtering, but that doesn’t mean there are no security concerns. Malicious extensions have become so prevalent that Mozilla had to switch to only permitting signed extensions (despite community outroar) because shitty companies were inserting their extensions into the users’ profile directory without permission and breaking websites and even Firefox itself in some cases.

          Secure Boot requires the user to be able to turn it off, so if it gets in the way of anyone, it’s implemented wrong. Microsoft has a weird certification system for “super duper secure” laptops or whatever they call it where only their private key is loaded, but that’s a small amount of expensive business laptops.

          If anything, Secure Boot is an example of the “just let me turn it off if I want to” crowd making computers less secure for the majority because Microsoft allows booting a whole bunch of Linux distros on supposedly locked-down systems, which has been proven to make other attacks possible (like that recent one on Lenovo laptops where a Linux boot disk could insert a fingerprint into the fingerprint reader that would unlock TPM-based encryption).

          Nobody is preventing you from installing Linux through secure boot. In fact, you can take control of your secure boot settings and prevent anyone from installing Windows on your computer without your password.

          • adarza@lemmy.ca
            link
            fedilink
            English
            arrow-up
            12
            ·
            edit-2
            4 months ago

            if google cared, they’d vet ads and ad links, and guarantee their safety and security.

            if google cared, they’d put a stop to seo ‘optimizers’ and scammers scoring top positions on serps.

            but google doesn’t care about anything other than their profits and share price.

            adblockers can affect both of those. they’re using the weak cover of ‘security’ enhancement to neuter them.

            existing adblockers provide more safety and security than what can be realized by the shift to mv3.

      • BumpingFuglies@lemmy.zip
        link
        fedilink
        English
        arrow-up
        18
        ·
        5 months ago

        This is the most succinct, unbiased explanation I’ve seen for this change. Thank you for this! It’s good to know there’s an unintended security improvement in their otherwise brazen attempt to kill ad blockers on Chrome.

        Fuck Google.