dessant · 4 years ago
I'd love to use ClearURLs, though last I checked it had a major flaw: it allows arbitrary code execution by the provider of the filter list. Among other things, it can redirect script URLs to arbitrary sources, and the filter list is periodically updated from a GitLab page, which enables the filter list provider to perform a targeted attack by serving a malicious filter list to a specific device.

The only filter list provider is the extension maintainer, so this information should be safe to share. I have not had the time to set up a PoC, but I'm confident that the filter rules are way too powerful.

At the very minimum, the current filter list should be included in the extension package rather than periodically updated from a remote URL. That way the filter list can be audited and must pass a review, without having a negative impact on the effectiveness of the extension, since the filter list does not appear to frequently change.

https://github.com/ClearURLs/Addon/wiki/Rules

https://gitlab.com/anti-tracking/ClearURLs/rules

https://kevinroebert.gitlab.io/ClearUrls/data/data.minify.js...

cookiengineer · 4 years ago
I agree with you there. For my stealth browser I decided to go with a different JSON based format [1] that can rewrite the URL parameters via wildcards (for both * at the start and end of both key and val).

It has the idea that you can audit a website and only list the allowed parameters there, so that a website search or sorting order or filters can still work.

I built my browser on an allowlist based concept because it seemed too impossible to maintain all bad urls, domains, parameters on the web. Most websites have more tracking than content in them, so I decided on maintaining lists to select the content rather than the ads and trackers.

[1] https://github.com/tholian-network/stealth/blob/X0/profile/p...
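The allowlist idea above, as an added example that is not the Stealth project's code or profile format. The profile shape is hypothetical: per hostname, a list of allowed key/value patterns where `*` may appear at the start and/or end of either side, and an unknown host lets nothing through. Hostnames and parameters are constructed.

```javascript
// Hypothetical allowlist profile, not Stealth's format: per host, the key/value
// pairs a site legitimately needs for search, sorting and filtering.
const PROFILE = {
  "search.example.com": [
    { key: "q", val: "*" },          // the search query, any value
    { key: "sort", val: "date_*" },  // only the site's date_asc / date_desc orderings
    { key: "page", val: "*" }
  ],
  "shop.example.com": [
    { key: "filter_*", val: "*" },   // any facet the shop exposes as filter_<name>
    { key: "order", val: "*" }
  ]
};

// Leading and/or trailing "*" only, as described above; no inner wildcards.
function wildcardMatch(pattern, text) {
  if (pattern === "*") return true;
  const starts = pattern.startsWith("*");
  const ends = pattern.endsWith("*");
  const core = pattern.slice(starts ? 1 : 0, ends ? -1 : undefined);
  if (starts && ends) return text.includes(core);
  if (starts) return text.endsWith(core);
  if (ends) return text.startsWith(core);
  return text === core;
}

// Keeps only allowed key/value pairs and reports what was dropped, so someone
// auditing a site can see which parameters the profile is blocking.
function allowlistUrl(urlString, profile) {
  const u = new URL(urlString);
  const allowed = profile[u.hostname] || [];   // unknown host: nothing passes
  const kept = new URLSearchParams();
  const dropped = [];
  for (const [key, val] of u.searchParams) {
    const ok = allowed.some((e) => wildcardMatch(e.key, key) && wildcardMatch(e.val, val));
    if (ok) kept.append(key, val);
    else dropped.push(key);
  }
  u.search = kept.toString();   // empty string removes the "?" entirely
  return { url: u.href, dropped };
}
```

Matching on the value as well as the key is what lets `sort=date_desc` through while still dropping `sort=<tracking token>`, which a key-only allowlist cannot do.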

scolby33 · 4 years ago
The developer addressed this comment here https://github.com/ClearURLs/Addon/issues/102#issuecomment-8...
mcovey · 4 years ago
Check out Neat URL - it's more basic, uses a comma-separated list of rules, and comes with some hard-coded presets you can override. I maintain my list in a text file and just update that and copy/paste in when I want to create one.

Of the defaults, I only override "cid, mbid" as blocking those on every site has ended up breaking some.

https://github.com/Smile4ever/Neat-URL

neop1x · 4 years ago
The last time I used it, it also disabled ETags by default. I lost many hours trying to figure out why those 10MB Kibana JS bundles are re-downloaded on every page load and only in my Firefox, checking about:config, etc... I know etags can be used for tracking and that Expires should be used instead but I did not expect ClearURLs to do anything more than just cleaning URLs...
dessant · 4 years ago
I can no longer edit my comment, if someone has the time, please verify this vulnerability and follow up with the maintainer and Firefox reviewers, remote code execution is against add-on guidelines. My impression is that the maintainer is not malicious, though someone could exploit them or the filter list service, and hack the entire userbase of the extension.
userbinator · 4 years ago
Security paranoia is ruining the independent Internet and putting more power in the hands of companies like Google.
antihero · 4 years ago
I mean, you say paranoia, but I think back to the time I had to spend hours and hours unliking instagram posts made by a bot that had harvested our cookies by buying Nano Adblocker.
anonymousab · 4 years ago
In this case, we know that extensions are sometimes sold and updated maliciously. Having external arbitrary code is a legitimately concerning vector because it bypasses Google verification of the extension.

Not that Google are great at their jobs in that case, but it's something.

So it's not paranoia in this case, it's "we can't have nice things" because of real bad actors.

gogopuppygogo · 4 years ago
I remember back when adware, spyware, and viruses ran amok on PCs thanks to lax Windows XP security design and an open internet without any effort to protect users. It was bad.

We do need to decentralize the decision making but the progress toward making the web safer for average folks is good.

ORioN63 · 4 years ago
My hypothesis:

Any vulnerability-prone system will either fade away or end up with a centralized arbiter quite inevitably.

lacker · 4 years ago
It's not paranoia if the internet really is full of hackers out to get you
BuckRogers · 4 years ago
Thanks for mentioning this. While I did install it upon seeing the news on removal, I'll go without it for now and hope for a similar project from the EFF.
BuckRogers · 4 years ago
I'm seeing downvotes for this and I am here to learn- where am I misguided? Is there a convincing argument to install this program? Let me know, I just want to understand what I may be unaware of, to receive the new information, and then if it makes sense I will correct my decision.
fbelzile · 4 years ago
If you don't like the risk this poses, don't use the extension. Your ability to make informed decisions about risk vs reward keeps getting chipped away when Google pulls this kind of stuff off. Google should warn you about the security risks (edit: or just remove it from the public facing store and only keep the hard to guess URL active) but don't tell me what extensions I'm allowed to use or not. Even adding local extensions I make myself is treated like a security threat with a popup every time I open Chrome.

Stop the helicopter computing. People keep saying they want the old Internet back, this is why.

SamBam · 4 years ago
I disagree with this stance. Pulling extensions that have a large potential for abuse is absolutely in Google's prerogative, in my opinion.

Suppose our single maintainer decided to finally sell the extension, and the person who bought it made it so that all those links hijacked information or exposed you to malware. This would happen in one day without warning. How many people would be saying that was Google's fault for allowing this to happen?

You say people should determine for themselves based on risk, but most users of Chrome extensions are naive when it comes to understanding risk.

stjohnswarts · 4 years ago
You're getting downvoted but I agree. It's one thing if the maintainer abuses his power as an extension provider. Quite another if they have a history of putting out a perfectly good extension and google acting like they're guilty before proven innocent.
dessant · 4 years ago
I don't think you understand the issue. There is an accidental backdoor in the extension. The maintainer can manipulate and access the pages you visit at will, without needing to release a malicious update. All these features can be implemented without the maintainer being able to hack you without a trace, there is no loss of functionality if the security issue is patched.
g_p · 4 years ago
It looks like the developer may be in the EU. If they offer the add-on as a business, it may be worth looking at if any of the internet rights legal groups will help take the case up under the 2019 EU platform rules.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32...

These make various requirements around how Google act, and include requirements around removing products from platforms.

As an aside, it seems crazy that we allow platforms to take action when in positions of such clear conflict of interest, but that seems to be the way of the tech sector.

random5634 · 4 years ago
God - if remote code execution exploits are an EU right we are screwed!
etherealG · 4 years ago
Except remote code execution wasn’t the reason google claims to take the add on down... come on, it’s a clear conflict of interest, and they could have easily asked to remove remote code execution possibility instead.
madeofpalk · 4 years ago
I really struggle to believe that "Google" thinks this itty bitty extension that a rounding error % of their users use would have an impact on their business model, which was grounds to kick it off the store.

This "just" sounds like the typical story we hear so often of an overzealous "app" reviewer waking up on the wrong side of the bed and just decided to delete someone's product and/or business (which is a huge problem itself!)

Closi · 4 years ago
One extension does not have an impact, but in aggregate across many extensions these things can make a huge difference.

The primary reason Google has Chrome and Android is to maintain ecosystem control and to continue tracking users to support its ad business (or reduce the threat that other browsers will diminish its business in these areas).

m-p-3 · 4 years ago
One of my reasons to stick with Firefox on both desktop and mobile.
subsubsub · 4 years ago
Ad blockers were a rounding error once.
neilv · 4 years ago
This reminded me of a library I released in January 2005. Part of the embedded docs from the 2011 release:

    ;;; The @b{urlskip} Racket library provides a function that translates some of
    ;;; the Web URLs that might be used to track a user across sites, by removing
    ;;; intermediate HTTP redirectors or information that might identify the user.
    ;;; Such a function might be used as part of a privacy-enhancing Web browser,
    ;;; or to canonicalize or un-obfuscate URLs for Web analysis projects.
    ;;;
    ;;; Note that @b{urlskip} is not intended to remove information used by
    ;;; ``affiliate'' referral programs to identify site operators that have sent
    ;;; users to a site.  However, in some cases this affiliate ID information
    ;;; might be lost in the process of removing a intermediary URL that is used by
    ;;; a third party to track and profile users.
It had special-case handlers for various URL server authorities and the paths under them. So, for

    http://www.amazon.com/exec/obidos/redirect?tag=AAA&creative=111&camp=222\
    &link_code=bn1&path=asin/b333
it was coded to preserve only certain query parameters, like:

     http://www.amazon.com/exec/obidos/redirect?tag=AAA&path=asin/b333
A lot of the cases it handled were redirectors, which usually meant only the target URL, which was usually in a query parameter, but might be in the path, and might or might not be URL-escaped. So, for example,

    http://www.google.com/url?sa=l&q=http://www.shopping.com/xGS-AAA_BBB~NS\
    -1~linkin_id-111&ai=REALLYLONGNONSENSESTRING&num=3
would skip the redirector, to be simply:

     http://www.shopping.com/xGS-AAA_BBB~NS-1~linkin_id-111
I was going to link here to the code of `urlskip`, but it's no longer in the package repository where it used to be. (I added a lot of libraries to that repository, and don't recall whether there was some reason to remove this particular library.) It was a pretty niche library, and in a fringe language, so its impact might've only been as an example, pointing out that this could be done, and some rules for it.
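The redirector-skipping case described above, as an added example; this is not the urlskip library, which is no longer available. The rule shape is hypothetical: a host and path prefix identify the redirector, and the target is read either from a named query parameter (the `google.com/url?q=` case above) or from the remainder of the path. The target is taken from the link itself, never from the rule, is accepted only if it parses as an absolute http(s) URL after at most two rounds of percent-decoding, and nested redirectors are followed up to a fixed bound. The `out.example.net` and `l.example.org` redirectors are constructed.

```javascript
// Hypothetical redirector table, not urlskip's rules.
const REDIRECTORS = [
  { host: "www.google.com", path: "/url", param: "q" },     // the google.com/url?q= case above
  { host: "out.example.net", path: "/go", param: "to" },    // constructed
  { host: "l.example.org", path: "/l/", pathTarget: true }  // constructed: /l/<encoded target>
];
const MAX_HOPS = 5; // bounds nested or self-referential redirector chains

function isHttpUrl(text) {
  try {
    const u = new URL(text);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

function percentDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Query values arrive decoded once by URLSearchParams; path segments do not,
// and some redirectors encode the target twice. Accept the first form that is
// an absolute http(s) URL and refuse everything else (javascript:, data:,
// relative paths), so a crafted link cannot smuggle in a non-web target.
function extractTarget(u, rule) {
  let raw = rule.pathTarget
    ? u.pathname.slice(rule.path.length) + u.search
    : u.searchParams.get(rule.param);
  if (!raw) return null;
  for (let round = 0; round < 2; round++) {
    if (isHttpUrl(raw)) return new URL(raw).href;
    raw = percentDecode(raw);
  }
  return isHttpUrl(raw) ? new URL(raw).href : null;
}

// Replaces a known redirector with its final target; URLs that are not
// redirectors, or redirectors without a usable target, are returned unchanged.
function unwrapRedirectors(urlString) {
  let current = urlString;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    const u = new URL(current);
    const rule = REDIRECTORS.find((r) => r.host === u.hostname && u.pathname.startsWith(r.path));
    if (!rule) break;
    const target = extractTarget(u, rule);
    if (!target) break;
    current = target;
  }
  return current;
}
```

The `isHttpUrl` check is the part worth keeping even if the rule table changes: a redirector parameter is attacker-influenced input, and rewriting a link to `javascript:` or a relative path would be worse than leaving the tracker in place.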

karlicoss · 4 years ago
Sounds like a great idea! I had a similar service in mind to resolve shortlinks like t.co/bit.ly, etc, this could also be a nice feature for web archiving like archive.org
shilgapira · 4 years ago
Well it turns out that I just installed this addon on Firefox yesterday after hearing about it here or on Reddit.

This move does well to reinforce my loyalty to Firefox as my main browser. Hopefully it has the same effect on others.

0xfaded · 4 years ago
I also just added it to firefox.

Thanks Barbara Streisand effect!

vertis · 4 years ago
At the risk of a me too thread. I've added it to Firefox as well.

I think the final nail in the coffin for Chrome for me was the decision to hobble uBlock Origin several years back.

Firefox is far from perfect, but at least it's not completely owned by Google.

bsdubernerd · 4 years ago
Mozilla has been playing a little bit better here, but let's not forget Mozilla could remove the addon in pretty much the same way.

Case in point: Firefox on mobile has a selected _whitelist_ of addons you can install, and that's it.

eertami · 4 years ago
>Firefox as my main browser

I tried last year, and honestly it isn't bad. But I use the Chrome "install this site as an App" functionality a lot and Firefox's "app tabs" didn't work nearly as well. Plus, I hear they've removed or are removing said single site browser functionality.

This might be a somewhat niche case but it makes it really hard to switch as much as FF does have some nice features (picture in picture for all video content is very nice).

urthor · 4 years ago
On Firefox Android the same button for install this site as an app is right there?

It's called Add to Home Screen

speedgoose · 4 years ago
I just added it to Microsoft Edge using the Microsoft Store.
ship_it · 4 years ago
Likewise. Step up YC people!
skinkestek · 4 years ago
As has been said by someone before:

There's a billion dollar niche waiting for the right company:

- make a search engine that works

- show text ads clearly distinguishable from results

- play nice, and maybe even use a cool slogan like "we're not evil" or something (it used to be someone else's but it seems they don't use it anymore ;-)

jrbn · 4 years ago
Me too. Installed right away.
emayljames · 4 years ago
Have even gone the extra effort of adding to Firefox Android (add to collection, then add in browser).

"Nothing to see here, you can't take photos of my mansion".

benhurmarcel · 4 years ago
FYI, it breaks some websites, and doesn't have a whitelist. I removed it recently because of that.
andrewkdinh · 4 years ago
For me, it only broke websites when I had the extra options enabled in settings (enabled by default). I’d recommend turning them all off and trying to use it again
tempaccount98 · 4 years ago
astura · 4 years ago
If you, like me, were wondering what that meant (or if it is an automatic distinction like "Amazon Choice"), this is what they say gets a "Recommend" badge.

>Recommended extensions are editorially curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff, along with community participation, selects each extension and manually reviews them for security and policy compliance before they receive Recommended status. These extensions may also qualify for promotions on the AMO homepage and other prominent locations. Developers cannot pay to have their extensions included in this program.

seqizz · 4 years ago
Shows who prioritizes what. Installed.
achairapart · 4 years ago
Just to add my own data point: I have some extensions in the Chrome Web Store and, from time to time, Google send me a notice that they violate privacy policies (but they don't collect any data) or some permissions are not used (but yes, they are).

So, after explaining and linking to the source code, they usually reply with another canned response:

    Thank you for reaching out to us. We took a closer look at your item again and found it to be compliant with our policies. Your item has been reinstated and will be available in the store shortly. We apologise for the inconvenience caused to you in this matter. We value your contributions to the Chrome Web Store and look forward to working with you.
So maybe there is some Hanlon's razor at play here, too.

yjftsjthsd-h · 4 years ago
Sufficient incompetence is indistinguishable from malice, and should be treated similarly (at least when dealing with companies). In my opinion, a company that regularly flags things that are compliant with the rules is Bad regardless of motives.
achairapart · 4 years ago
From what I can see it may be:

- A bad or gone-bad automated system;

- Outsourced incompetent people;

- A try to soft push out what they don't like (it still takes patience and effort to deal with this);

- Some mix in between.

For sure, malice or not, it's flawed.

Hendrikto · 4 years ago
> The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google's business model. […]

> Among other things, it was claimed that the description of the addon is too detailed and thus violates the Chrome Web Store rules. The mention of all the people who helped to develop and translate ClearURLs is against Google's rules because it could "confuse" the user. Ridiculous.

> Also, Google has criticized that the description of the addon did not mention that there is a badge, an export/import function for the settings, a logging function for debugging, and a donation button. This would be "misleading".

> Last but not least, it was criticized that the "clipboardWrite" permission would not be necessary. But that's not true, and I've had a description for each permission in the Chrome Web Store Developer Dashboard for well over a year now. So the "clipboardWrite" permission is needed for writing clean links via the context menu into the clipboard.

gertrunde · 4 years ago
> it was claimed that the description of the addon is too detailed and thus violates the Chrome Web Store rules.

This one does make me laugh more than the rest, coming from Google that names their apps in the Play store as follows: "Android Auto - Google Maps, Media & Messaging" "Files by Google: Clean up space on your phone" "Google Chrome: Fast & Secure" "Google Duo - High quality video calls" "Phone by Google - Caller ID and spam protection"

If this is a policy, perhaps they'll delist their own apps from the store?

rjmunro · 4 years ago
Google reject plugin saying description is too long and wordy, and doesn't cover points that it should.

So either Google must be trying to block a plugin for evil business reasons or Google is trying to improve the Chrome Web Store, making it less confusing for users and easier to search.

Improving the description will probably make more people install it, not less.

dspillett · 4 years ago
> Among other things, it was claimed that the description of the addon is too detailed ...

> Also, Google has criticized that the description of the addon did not mention <list of things> ...

So it was simultaneously too detailed, but needed more details.

nybble41 · 4 years ago
It needed different details. In the reviewer's opinion the description included irrelevant details while omitting information which would be relevant to someone trying to decide whether or not to install the addon. Which is a perfectly reasonable assessment IMHO. A small amount of "flavor text" is fine, but the main purpose of the description is to ensure that prospective users can make an informed decision. Anything else can go in the app's "about" page or on a separate website.

Now if we could just get app stores to mandate useful changelogs… No, Google, "Bug fixes and performance improvements" doesn't cut it. Describe the bugs that were fixed and where and by how much the performance was improved. Justify spending the effort and risk of updating the software to the new version. There is no point in a changelog message that could be applied equally well to every release of every software product ever made.

echelon · 4 years ago
More fuel for the Google antitrust / breakup fire.

Google should not be allowed to develop Chrome or have any say in web standards. Every play they make favors themselves - unsemantic HTML5, AMP, crippled and removed extensions, progressive removal of the URL bar, https everywhere (no more self-hosted blogs unless you understand cert signing and automated renewal - why did the web stop being easy?), cookie standards that favor their moat, "acceptable ads" policies, reCAPTCHA, etc. etc.

Here's a laundry list of things they did to YouTube to hamper other, non-Chrome browsers: https://arstechnica.com/gadgets/2018/12/the-web-now-belongs-...

deallocator · 4 years ago
I don't disagree with what you're saying, but I feel HTTPS everywhere does not belong in that list. Secure by default doesn't sound evil to me, and Let's Encrypt made it easy enough to get free HTTPS certificates (and for non technical people, almost all hosting services I've seen offer it out of the box)
foepys · 4 years ago
I agree with you except for the HTTPS part. In some nations it's not unheard of for ISPs to inject ads and tracking into webpages. This also opens the door for malware.

Let's Encrypt, with its certbot, made it easy enough to get a cert, and every major webserver supports HTTPS out of the box with good documentation.

jiofih · 4 years ago
Don’t know why you are being downvoted, this is absolutely true.

Handing web standards over to an advertising company has been one of the most damaging things ever done to the internet.
