Because of this, sometime in 2022 I will shut down Sitetruth, my fifteen year old ad blocking and site evaluation system. That offers add-ons for Chrome and Firefox, and puts a tag with company background info on each search result. Some search ads are removed, and some are de-emphasized. Some time next year, Google will probably force that add-on out of Chrome, as they tighten their grip over what browsers are allowed to do.
I did this as a technology demo, to demonstrate automated site background checking. The concept that you have to have a business address to sell online is almost archaic now, even though it's the law in the EU and California. So, today the system often can't tie a web site to business records.
I was working on a project about 15 years ago that could tie a website to a business address. The underlying assumption is that many/most legitimate businesses that sell products have registered trademarks. The main purpose of a mark is to enable traceability back to a legitimate, non-ephemeral source for a product. If the reader disagrees that reputable products would have associated trademarks, then stop reading here. :)
These trademarks can be represented in a domain name or TLD. IP offices that register the marks generally obtain physical mailing addresses for physical correspondence. The crux of the idea is that the domain name and TLD do not have to be issued by ICANN. As such, it does not have to follow any pre-established conventions. Trademark registration systems already have unique identifiers and classifications that can be represented in the domain name/TLD. Thus we can create a new, collision-free naming system that offers more than ICANN, e.g., a direct association to an IP office.^1 This leverages the work of IP offices to collect business addresses (or at least addresses of the registrant's lawyers/agents who would by necessity have the business address of the registrant). Under this system the perceived legitimacy of the business is reliant on the trademark registration, not a "TLS certificate". The legitimacy of the domain name/TLD becomes dependent on the trademark registration, not an unaccountable, known-to-be-corrupt entity such as ICANN. To put it simply, names require an associated trademark. The system favours businesses that want to enable consumers to trace a product back to an original, legitimate source. It is a naming system for real(TM) business. :)
Personally, if I were trying to assess the legitimacy of a business, I would rather rely on the records of a trademark office versus the records of a TLS certificate provider. But that's just me.
1. ICANN of course, to ensure its own profits, chose to allow disputes to occur and create quasi-legal dispute resolution systems instead.
I used TLS certs, mailing addresses on web sites, purchased commercial business directories, Hoovers (before they were acquired by DNB), SEC filings, and Yahoo Directory (defunct). But not domain info, which was just too low-quality.
Snail mail addresses intended for humans were the most useful. Although they could be spoofed, that's very rare, and tends to attract legal attention.
Forgot to mention the key feature. Users can search for entities/products using trademark names and registration classes, i.e., by searching the appropriate name containing the entity/product name and/or classification. Currently, a page of search results from a "state of the art web search engine" can leave one guessing about the sites represented by the domain names listed in the URLs. The searcher trusts that the search engine "knows what she is looking for" and has performed a disambiguation for her, automatically.
Whereas under the new system, the domain names unambiguously indicate trademark-protected names of companies or products, including their trademark classifications. This tells the searcher exactly what type of entity/goods the site purports to describe/offer and the source of those goods. No need for the search engine to second guess what the searcher is looking for.
For example, a name might be formed as something like productX.companyY.classZ. A user could search for URLs with subdomain "productX" and TLD matching "classZ", or a search for domain matching "companyY" and TLD matching "classZ", or perhaps a more broad search for domain under "classZ".
Yes this is the craziest part of the transition from V2 to V3. V3 is still bugged.
I crashed chrome by setting the incognito key to "split", and turns out there's no way to be sure that when you open an incognito page, your extension will be awake. What a mess.
I will postpone the "upgrade" the most I can, then I suppose I'll be forced to write a desktop app and pay hefty licenses to Microsoft/Apple. Google is just ignoring the complaints and the bug reports.
Wow, I kind of thought the headline would be an overstatement, but the article actually seems pretty even-handed and truthful in describing what's happening with Google's power over the browser market.
I, on the other hand, found the article to be terrible. Consider the following quote:
> Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these– like some privacy-protective tracker blockers– will have greatly reduced capabilities.
One would think that the article would then go on to detail exactly what these "new specifications" are and how would they reduce the capability of ad and tracker blockers.
That never happens. We keep getting statements to the effect that Manifest V3 is bad but we're never told what makes it bad.
What aspects of Manifest V3 limit ad blocker capabilities? Since Manifest V3 has been introduced way back in 2019 and, since then, has gone through various changes, are the quotes listed towards the end of the article recent or do they reflect an earlier version of V3?
There was controversy over changes to the WebRequest API but that was two years ago and, I believe, changes have been made. Are there still changes that break functionality? What changes were made over the past two years? Have things gotten better or worse?
Follow the links in the first paragraph of the article, they go into details about the technical aspects of why Manifest V3 is harmful to users.
It's disappointing to see this sentiment again, as this has been Google's tactic in the past decade: feign innocence and initiate technical discussions, then move goalposts and start over until their opponents are exhausted.
When we first heard of Manifest V3, it took them months to find a ridiculous reason for no longer allowing proper control over requests in Chrome, and they kept jumping between performance, privacy and security, as researchers refuted all their technical arguments one by one.
By now there is nothing left to discuss, they'd just need to stop being malicious.
> There was controversy over changes to the WebRequest API but that was two years ago and, I believe, changes have been made. Are there still changes that break functionality? What changes were made over the past two years? Have things gotten better or worse?
The WebRequest API’s blocking functions, which are central to the functionality of uBlock, are still slated to be removed.
The article does not mention changes over the last two years because there haven't been any to mention. The new WebRequest API still does not support blocking requests (and still does support _recording_ requests), and the replacement for that functionality is still very limited.
Browser extensions have a higher trust level than internet sites. V3 simply restricts the former which gives the latter more wiggle room. Sure, there are hostile browser extensions, but at that point security and privacy are already compromised.
It will impact µBlock Origin negatively for example and I want this plugin to be able to access the page unrestricted.
I agree with you. The article is terrible. It's a collection of reactions and scare quotes from industry figures. I followed the first few links in the article and they're not much better. You'd hope that EFF, of all people, would be able to make a simple and compelling summary of the issue.
While a good message that does have actual merit if you know what's happening already, I don't see how this is a legitimate consideration of MV3.
The entire argument regarding security doesn't mention any of the reasons Chrome developers cite its security improvement, instead it brings up that Firefox "does good enough already" and that malicious extensions can still get past the review process. The review process is by itself improved with V3 as extensions that pull in code remotely can no longer get past the review process[0], especially with how many current extensions implement RCE C&C intentionally. They also say extensions are "usually interested in simply observing the conversation between your browser and whatever websites you visit" - that's 'usually', though; malicious extensions intercepting and modifying requests for their own benefit isn't unheard of.
Instead of only stating 'this is bad', it would be beneficial to include both (A) what they say (B) their basis for the decision, if any (C) why that line of reason is incorrect/deceiving.
What Google says vs what's going on aren't necessarily the same thing, they have a long history of selling us the 'for your convenience' line while removing functionality that people depended on but that ultimately hurt Google's business interests: to be able to force feed you more ads.
They have long outlived their credit in the bank of the benefit of the doubt.
Google has not provided any reason to not include "block request" functionality. And that's the super bad-faith underlying fact that poisons their "reasoning".
There is still "block request" functionality, the change is that it's now declarative. This is the same way it works in Safari, and is (a) more efficient because you don't need to execute JS to evaluate each request and (b) more private because an ad/content blocker doesn't need to be given such broad permissions. There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads.
IMHO it's really about "those who give up freedom for security deserve neither", as that classic saying goes[1]. The excuse of "security" has been used throughout time to take away personal freedoms, and with Google (and some of the other authoritarian parts of the industry) pushing very hard in one direction especially within the past few years, it's about time we started pushing much harder in the other. Indeed, good enough is good enough.
[1] I am well aware that was not the original context of the quote, but it's a nice rallying cry of the sentiment behind the movement.
I think the fact that it will significantly limit privacy and ad blockers is sufficient reason for a high level of criticism, which I took as the main point.
I didn't see dissecting the security details as the point they were trying to make. Instead it was to partially undermine the reasons Google said they were doing this.
Basically "here's why it's bad for privacy, and here are why Google's stated reasons for the update are insufficient to justify that"
"significantly limit privacy"? You either don't know what this change does or find it "significantly more private" when an extension developer has full read / write access to your web requests
"extensions that pull in code remotely can no longer get past the review process"
When Google says "pull in code remotely" they don't mean from a remote server. Instead it's 'code remote to Google' aka code you wrote yourself sitting on your hard drive. This kills greasemonkey/tampermonkey and all the other UserScript extensions. Google saw how great Apple is doing and fell in love with the concept of walled garden. It's their browser and they won't let you execute any code that wasn't approved by them.
Anyone who pays attention to the web platform should know by now that any rationale Chrome (or Google in general) developers give for web platform decisions is made up. They repeatedly told us they had specific motives for AMP and it was all a lie, AMP was designed to tighten their grip on the advertising market. It's not the only example - the way their autoplay whitelist works is also transparently manipulative despite lies to the contrary - and I would bet money that MV3 is partially motivated by business incentives in the same way. Googlers' paychecks are signed by Ads and GCP and ad-blockers actively undermine the former.
Review by Google is completely worthless for my security considerations. I need my software to work for me, so Chrome will not be part of that anymore.
To say browser extensions pose a risk is true, but it hardly makes it in the top list of threats anymore. Malicious sites however still do and Google just restricted our ability to let third party tools provide essential services. Sure, these could be malicious, but that is generally not a wide spread IT problem of today. That should be also obvious to Chrome developers.
Accidentally they also restrict ad blockers? Come on, you are getting played.
Beneficial in what sense? If manifest v3 is still bad on net, then including chrome's counter arguments makes for bad rhetoric and thus does a poor job of advancing a valiant goal.
The security improvement is negligible compared to the danger of data extraction which ad blockers pretty effectively prevent in many cases. No, the security advantages just plainly aren't there and I think this is more driven by Google business interests.
Installing random plugins is a security issue. But web tracking is by far the more significant threat.
I see a lot of people suggesting Firefox, which is great. But also, considering Chrome is basically Chromium, can't we just fork Chromium and keep using that?
Can such a fork be upheld for a long time? Browsers are one of the most complex programs out there. I have my doubts even regarding whether Brave could maintain such a fork, let alone smaller entities.
Yeah, for an article that claims in the title to be addressing Chrome users, it does a very poor job of actually telling these users what this "Manifest v3" thing is and why exactly it's a "raw deal" for them. Provided they even know what a "raw deal" is - for me it's a rarely-used US-specific expression, and I am only aware of it because of an R.E.M. song (https://genius.com/Rem-monty-got-a-raw-deal-lyrics).
A lot of comments here are wondering what Firefox will do and if uBlock Origin would be made useless in Firefox like it would be in Chrome (once Mv3 is implemented). Short answer: Firefox is adopting various parts of Mv3, but will continue to support blocking webrequest, which is used by extensions like uBlock Origin. So uBlock Origin would become useless in Chrome, possibly Edge and a few other browsers, but not on Firefox.
Quoting from this update [1] from Mozilla:
> Google has introduced declarativeNetRequest (DNR) to replace the blocking webRequest API. This impacts the capabilities of extensions that process network requests (including but not limited to content blockers) by limiting the number of rules an extension can use, as well as available filters and actions.
> After discussing this with several content blocking extension developers, we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users.
> We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.
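
The difference between the two blocking models discussed above (the declarative blocking described in an earlier comment and the DNR-versus-blocking-webRequest change quoted from Mozilla), as an added example that is not code from the thread, from Mozilla, or from any extension. The hostnames, the `ruleBudget` parameter and the `dnrWouldBlock` evaluator are assumptions made for illustration; the evaluator models only `||host^` filters and is not the browser's matcher.

```javascript
// Added illustration, not from the thread. Hostnames are constructed placeholders.
const TRACKER_HOSTS = ["tracker.example", "ads.example", "metrics.example"];

// True when `host` equals `listed` or is a subdomain of it.
function hostMatches(host, listed) {
  return host === listed || host.endsWith("." + listed);
}

// Simplified third-party test on hostnames (browsers compare registrable domains).
function isThirdParty(details) {
  if (!details.initiator) return false;
  const reqHost = new URL(details.url).hostname;
  const pageHost = new URL(details.initiator).hostname;
  return !hostMatches(reqHost, pageHost) && !hostMatches(pageHost, reqHost);
}

// Model 1: blocking webRequest. The extension's own JavaScript runs for every
// request and returns the verdict, so any logic or runtime state can be used,
// and the extension necessarily sees every request URL.
function onBeforeRequest(details) {
  const reqHost = new URL(details.url).hostname;
  const listed = TRACKER_HOSTS.some((h) => hostMatches(reqHost, h));
  return { cancel: details.type === "script" && listed && isThirdParty(details) };
}

// Model 2: declarativeNetRequest. The extension hands the browser a list of
// static rules ahead of time; the browser does the matching. `ruleBudget` is a
// hypothetical stand-in for the browser-imposed rule limit: entries beyond it
// cannot be installed at all.
function compileToDnr(hosts, ruleBudget) {
  const rules = hosts.slice(0, ruleBudget).map((host, i) => ({
    id: i + 1,
    priority: 1,
    action: { type: "block" },
    condition: {
      urlFilter: `||${host}^`,
      resourceTypes: ["script"],
      domainType: "thirdParty",
    },
  }));
  return { rules, dropped: hosts.slice(ruleBudget) };
}

// Simplified offline model of how such rules match (assumption, `||host^` only).
function dnrWouldBlock(rules, details) {
  const reqHost = new URL(details.url).hostname;
  return rules.some((r) =>
    r.action.type === "block" &&
    r.condition.resourceTypes.includes(details.type) &&
    (r.condition.domainType !== "thirdParty" || isThirdParty(details)) &&
    hostMatches(reqHost, r.condition.urlFilter.slice(2, -1)));
}

// Constructed sample requests, shaped like webRequest `details` objects.
const SAMPLE_REQUESTS = [
  { url: "https://cdn.tracker.example/t.js", initiator: "https://news.example", type: "script" },
  { url: "https://metrics.example/m.js", initiator: "https://news.example", type: "script" },
  { url: "https://tracker.example/pixel.gif", initiator: "https://news.example", type: "image" },
  { url: "https://news.example/app.js", initiator: "https://news.example", type: "script" },
];

// Run both models over the samples with a given rule budget.
function compare(ruleBudget) {
  const { rules, dropped } = compileToDnr(TRACKER_HOSTS, ruleBudget);
  const verdicts = SAMPLE_REQUESTS.map((d) => ({
    url: d.url,
    webRequest: onBeforeRequest(d).cancel,
    dnr: dnrWouldBlock(rules, d),
  }));
  return { verdicts, dropped };
}

// Inside an extension, register with whichever API the browser offers;
// outside a browser (e.g. Node), print the comparison instead.
if (typeof chrome !== "undefined" && chrome.declarativeNetRequest) {
  const { rules } = compileToDnr(TRACKER_HOSTS, TRACKER_HOSTS.length);
  chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: rules.map((r) => r.id),
    addRules: rules,
  });
} else if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    onBeforeRequest, { urls: ["<all_urls>"] }, ["blocking"]);
} else {
  console.log(JSON.stringify(compare(2), null, 2));
}
```

With a budget of two rules, the third list entry is dropped and the `metrics.example` script gets through under the declarative model while the blocking listener still cancels it.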
Chrome has just been getting worse and worse over time, but if you can recall, Firefox was also a slug when it was at a peak of market dominance and before that MSIE...
The problem is that orgs and companies stop caring once they gain the primary market share. They also start dictating standards to everyone and ignoring user feedback. It's symptomatic of our current software development driven economy.
I recall when as a web dev I had to ensure my code was best supported by 3-4 browsers and don't miss that era at all, but it would be much better if proper regulation, consumer protection, and ethical corporate behavior came into play before hostile competition, corruption, and monopoly-driven "dictatorware" do in software market dominance for a change.
Mozilla never seemed to get out of that "the user is an idiot, best ignored" mindset even as their market share falls lower than a vendor-specific mobile browser. It's mind-boggling how just about everyone except the people calling the shots in that org can point out the problem.
Get a DNS Sink (such as pfblockerNG-devel). Works without Add-Ons or client config and in any browser. uBlock Origin is really only used on my computer for when I am not at home.
No DNS based solution comes anywhere close to what uBO offers. You can hide elements you don't like. You can block individual scripts or resources in a web page, even if they are first party resources. No DNS sink solution can do that.
Browsing the internet would be an extremely bad experience for me if I just relied on a DNS sink.
Mentioning again to the entrepreneurial ones here that I want to pay money for something that works like old Firefox but uses the new supposedly more secure code base.
I pay for IntelliJ so why not pay for the just as important browser if I can get one that I like?
Just don't increase the pricing to Jetbrains level until you have Jetbrains level features.
It's hard to take EFF seriously when they write so hyperbolically. What's clearly also the case is that Chrome extensions are one of the great modern security and privacy challenges --- to the point where multiple tech company security teams have people whose job it is just to screen them. Another detail that EFF doesn't want to share is that ad blockers are some of the worst offenders --- they demand maximal access to user data (think about how they work), and there are lots of them, not all of them, uh, implemented scrupulously.
EFF doesn't want to give you the other side of this story, because they're not an honest interlocutor.
If you had the other side of the story, you might still think Manifest v3 was a bad deal. Random ad blockers are very dangerous, but there are ad blockers that everyone trusts, and you might not want to make it harder for them to maintain their projects.
But EFF doesn't trust you to make that decision on your own.
I think this comment doesn't portray the situation with abusive tracking honestly and I fail to see how this could get so many upvotes. No, adblockers are certainly not the worst privacy offenders. Sure, there are bad plugins, but that isn't an issue exclusive to blockers and the problem with information extraction is mostly relegated to malicious scripts on the websites themselves, as the article points out.
The worst privacy offenders are ad trackers and I don't think it has to be explained that Google has an interest in putting constraints on them. How much that influences Manifest v3 is everybody's guess of course.
But your framing is dishonest as Manifest v3 does take away user choice. A choice that allows you to install bad addons with all the implications. But turning that around and saying the EFF tries to take away choice is just false in this context.
I also fail to see hyperbole, I think this is the usual relativization that puts users in a worse spot than before.
> EFF doesn't want to give you the other side of this story, because they're not an honest interlocutor
And who would that honest interlocutor be in your opinion?
The best and most user oriented ad blockers will be affected by this and this is the actual security issue here. No other scenario comes even close.
There is no decision left to make once this change goes through. You can talk about improved security all you want, but the fact remains that uBlock Origin will be permanently crippled. This by far negates any security or privacy gain that Manifest v3 could possibly make.
This is in fact one of the best arguments pro to do the change:
* Chrome destroys ad blocking
* Advanced users now suffer the same internet as everyone else
* Advanced users will find a solution, and that solution can't be chrome anymore
* This starts an exodus of advanced users.
* Advanced users configure the browsers for everybody else, hence everybody else also joins the exodus
The end result is less of a monopoly.
This is the same mechanism that ultimately killed off IE and moved everybody to Chrome: The monopoly of the time got so arrogant they didn't listen to their users, so users fled to a better alternative.
The strange thing is, groups of people have more or less the same tolerance for abuse, know their limits have already been violated for a while, and learn alternatives from each other. As a result, it takes a long time of abuse to trigger an exodus, but when it started, it starts everywhere at the same time. Then the abuser tries stopping the exodus by rolling back only the last change, but that's not enough anymore.
The EFF doesn't need to give "the other side" because the other side is mostly obvious to the target audience (which isn't random people, Google itself is a huge part of the target audience). Note that Google doesn't give the other side either. Also, nothing in politics works like that, if you want to get people to join your cause you don't end everything you say with "But keep in mind that $foo".
Still not giving the other side and using "dangerous" and other "think of the children" terms triggers my bullshit and what are you hiding detector. And the only thing vouching for them is their reputation.
Speaking of reputation, EFF has been doing this shady speak for the last few years and my respect for them is quite diminished. I suppose they can still do it because they have practically a monopoly to "protect privacy online" with Apple being a distant second player.
So long as they're only interested in preaching to the choir, that's true. If they want to reach other people who are as zealous, they could stand to give a better full of the landscape.
Every time someone mentions this I have to think about the messed up ecosystem of Safari Webextensions.
Safari only allows extensions installed via the apple store, but every single adblocker there is a scam.
I'm not kidding you, I audited most of them. Chances are it's either a three years outdated list of adblock plus that doesn't catch anything or it's an extension that replaces all google analytics identifiers with their own to make money (even when it's a paid extension).
The only thing worse than Chrome is Safari at the moment. And Apple doesn't give a shit about anything there, I reported the malicious extensions to no effect at all.
So when thinking of the other side and "removal of choice" I don't have a healthier, audited ecosystem in mind...I have Safari in mind, which right now is a worse attack surface than IE6 back in the days when it comes to Privacy or Security.
Malicious extensions (as answer to comments). DON'T install any of them, as I think they're scamware.
You can't list these apps, say they're scam or they don't work with no proof whatsoever except your word, especially when there's counter arguments they actually work.
Explain yourself, or are we supposed to take your word for gospel?
As somebody currently using Wipr and not seeing any ads, would you mind bridging the gap between your assertions and my reality? Genuinely curious how we could be truthfully so out of step on this.
I use Wipr and it is great. I don't see ads, which is the reason I use it. So I don't see your point. Other than the fact that you are making a competitor, so you are incentivized to post something like this.
Time to share the testing protocol details, I think. Unless you want people to just believe that [4,5], two of 3 most recommended ad blockers for Apple devices, don’t work or don’t remain up to date.
Google could add a simple button in Chrome if they wanted to trust users to make their own decision about displaying Google advertisement on Chrome. Instead they went with a decision that results in more google advertisements reaching users, which means that it is EFF that doesn't trust users?
Technology changes mean nothing without outcomes, or else it is just changes to electrical potential of positive and negative state. If extensions like uBlock Origin are crippled or forced to leave then the outcome is crap, which is what occurred when Safari did a similar "step in the direction of privacy, security, and performance". I wonder if Google was aware of this when making the decision.
> Random ad blockers are very dangerous, but there are ad blockers that everyone trusts, and you might not want to make it harder for them to maintain their projects.
The answer to "Random ad blockers are dangerous" is not: Let's cripple all adblockers to safeguard our "users".
The obvious answer is create a review process similar to what Firefox did. Maybe Google should use some of their 0.0001% annual income to contract a full time review team to protect us against rogue extensions.
I think an honest interlocutor would look at what's behind Big Corp double speech:
Google: Protect ad-revenue while pretending to protect users.
Apple: Protect Apple against government pressure while pretending to protect the children.
The article talks about the extension review process at Mozilla (hint: It's manageable) and bad/malicious extensions. So I'm not sure where your "other side of the story" bit comes from...
That seems like an unnecessarily uncharitable reading of what they're saying.
We are constantly handing over power to big tech in the name of security, and they inevitably end up using that power against us.
Yes there are shady actors out there, but that doesn't mean we have to give the tech monopolies a monopoly over what are the capabilities of the internet and who can be trusted.
The main issue is user choice. If I want to run an extension, no matter how malicious, on my machine, I should be able to do it. This applies for my phone too, which is a capable computer for all practical purposes.
Apple has normalized the "we know better" approach, and has enjoyed great success doing it. Google is simply following that same philosophy. They know better than you, what's good for you and what's bad.
We need a fully independent browser, open-source, and built on modern technology. That way, users who care about this can get what they want. And users who trust Google to get it right, can use chrome or one of its derivatives.
Firefox has (had?) that potential, but for whatever reason Mozilla seems unable to execute effectively. The result is that Firefox has become a follower, doing the same things Chrome is doing. Thus defeating the original motivation for users looking for an alternative.
Brave looks promising, but given that they build on top of chromium, I am not sure how long they can resist fundamental changes in the codebase. Or whether they even intend to provide the needed alternative.
All in all I feel this represents a sorry state of browsers, and consumer software in general.
The concept of "legitimate business" is dead.
https://bugs.chromium.org/p/chromium/issues/detail?id=115225...
Example of breaking long-running classroom extensions used in education: (comment 63) https://bugs.chromium.org/p/chromium/issues/detail?id=115225...
And breaking a simple image picker: (comment 36) https://bugs.chromium.org/p/chromium/issues/detail?id=115225...
The article gives absolutely no details.
It's disappointing to see this sentiment again, as this has been Google's tactic in the past decade: feign innocence and initiate technical discussions, then move goalposts and start over until their opponents are exhausted.
When we first heard of Manifest V3, it took them months to find a ridiculous reason for no longer allowing proper control over requests in Chrome, and they kept jumping between performance, privacy and security, as researchers refuted all their technical arguments one by one.
By now there is nothing left to discuss, they'd just need to stop being malicious.
The WebRequest API’s blocking functions, which are central to the functionality of uBlock, are still slated to be removed.
It will impact µBlock Origin negatively for example and I want this plugin to be able to access the page unrestricted.
The entire argument regarding security doesn't mention any of the reasons Chrome developers cite its security improvement, instead it brings up that Firefox "does good enough already" and that malicious extensions can still get past the review process. The review process is by itself improved with V3 as extensions that pull in code remotely can no longer get past the review process[0], especially with how many current extensions implement RCE C&C intentionally. They also say extensions are "usually interested in simply observing the conversation between your browser and whatever websites you visit" - that's 'usually', though; malicious extensions intercepting and modifying requests for their own benefit isn't unheard of.
Instead of only stating 'this is bad', it would be beneficial to include both (A) what they say (B) their basis for the decision, if any (C) why that line of reason is incorrect/deceiving.
0: https://developer.chrome.com/docs/extensions/mv3/intro/mv3-o...
What Google says vs what's going on aren't necessarily the same thing, they have a long history of selling us the 'for your convenience' line while removing functionality that people depended on but that ultimately hurt Google's business interests: to be able to force feed you more ads.
They have long outlived their credit in the bank of the benefit of the doubt.
Docs: https://developer.chrome.com/docs/extensions/reference/decla...
(Disclosure: I work on ads at Google, speaking only for myself)
[1] I am well aware that was not the original context of the quote, but it's a nice rallying cry of the sentiment behind the movement.
I didn't see dissecting the security details as the point they were trying to make. Instead it was to partially undermine the reasons Google said they were doing this.
Basically "here's why it's bad for privacy, and here are why Google's stated reasons for the update are insufficient to justify that"
When Google says "pull in code remotely" they don't mean from a remote server. Instead it's 'code remote to Google' aka code you wrote yourself sitting on your hard drive. This kills greasemonkey/tampermonkey and all the other UserScript extensions. Google saw how great Apple is doing and fell in love with the concept of walled garden. It's their browser and they won't let you execute any code that wasn't approved by them.
User Agent no more, it's Google Agent now.
To say browser extensions pose a risk is true, but it hardly makes it in the top list of threats anymore. Malicious sites however still do and Google just restricted our ability to let third party tools provide essential services. Sure, these could be malicious, but that is generally not a widespread IT problem of today. That should be also obvious to Chrome developers.
Accidentally they also restrict ad blockers? Come on, you are getting played.
Installing random plugins is a security issue. But web tracking is by far the more significant threat.
Quoting from this update [1] from Mozilla:
> Google has introduced declarativeNetRequest (DNR) to replace the blocking webRequest API. This impacts the capabilities of extensions that process network requests (including but not limited to content blockers) by limiting the number of rules an extension can use, as well as available filters and actions.
> After discussing this with several content blocking extension developers, we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users.
> We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.
[1]: https://blog.mozilla.org/addons/2021/05/27/manifest-v3-updat...
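The difference between the two APIs named in the Mozilla update, as an added example that is not part of the thread and not code from Chrome, Firefox or any extension. The third-party budget heuristic, the host names and `dnrBlocks` (a simplified model of one `urlFilter` form) are assumptions made for illustration.

```javascript
// Blocking webRequest (MV2 style): the extension's own code sees each request
// and decides, so stateful logic is possible. Constructed heuristic: allow at
// most two distinct third-party hosts per tab.
const hostsSeen = new Map(); // tabId -> Set of third-party hostnames

function onBeforeRequest(details) {
  const host = new URL(details.url).hostname;
  const page = details.initiator ? new URL(details.initiator).hostname : host;
  if (host === page || host.endsWith("." + page)) return {}; // first party
  if (!hostsSeen.has(details.tabId)) hostsSeen.set(details.tabId, new Set());
  const seen = hostsSeen.get(details.tabId);
  seen.add(host);
  return seen.size > 2 ? { cancel: true } : {};
}

// declarativeNetRequest (MV3 style): the extension hands the browser a fixed
// list of rules and the browser does the matching. Only what the rule schema
// can express is available; the counter above has no equivalent here.
const dnrRules = [
  {
    id: 1,
    priority: 1,
    action: { type: "block" },
    condition: { urlFilter: "||tracker.example^", resourceTypes: ["script", "image"] },
  },
];

// Simplified model of matching a "||host^" block rule (assumption: the real
// urlFilter syntax covers more cases than this one form).
function dnrBlocks(rules, url, resourceType) {
  const host = new URL(url).hostname;
  return rules.some((r) => {
    const m = /^\|\|([^\^]+)\^$/.exec(r.condition.urlFilter);
    if (!m || r.action.type !== "block") return false;
    const types = r.condition.resourceTypes;
    const typeOk = !types || types.includes(resourceType);
    return typeOk && (host === m[1] || host.endsWith("." + m[1]));
  });
}

// Registration only happens inside a browser extension context.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    onBeforeRequest, { urls: ["<all_urls>"] }, ["blocking"]);
}
```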
The problem is that orgs and companies stop caring once they gain the primary market share. They also start dictating standards to everyone and ignoring user feedback. It's symptomatic of our current software development driven economy.
I recall when as a web dev I had to ensure my code was best supported by 3-4 browsers and don't miss that era at all, but it would be much better if proper regulation, consumer protection, and ethical corporate behavior came into play before hostile competition, corruption, and monopoly-driven "dictatorware" do in software market dominance for a change.
Browsing the internet would be an extremely bad experience for me if I just relied on a DNS sink.
I pay for IntelliJ so why not pay for the just as important browser if I can get one that I like?
Just don't increase the pricing to Jetbrains level until you have Jetbrains level features.
It might be great but for now refuse to support anything that further strengthens Google's grip on the market.
EFF doesn't want to give you the other side of this story, because they're not an honest interlocutor.
If you had the other side of the story, you might still think Manifest v3 was a bad deal. Random ad blockers are very dangerous, but there are ad blockers that everyone trusts, and you might not want to make it harder for them to maintain their projects.
But EFF doesn't trust you to make that decision on your own.
The worst privacy offenders are ad trackers and I don't think it has to be explained that Google has an interest in putting constraints on them. How much that influences Manifest v3 is everybody's guess of course.
But your framing is dishonest as Manifest v3 does take away user choice. A choice that allows you to install bad addons with all the implications. But turning that around and saying the EFF tries to take away choice is just false in this context.
I also fail to see hyperbole, I think this is the usual relativization that puts users in a worse spot than before.
> EFF doesn't want to give you the other side of this story, because they're not an honest interlocutor
And who would that honest interlocutor be in your opinion?
The best and most user oriented ad blockers will be affected by this and this is the actual security issue here. No other scenario comes even close.
Switch to Firefox.
* Chrome destroys ad blocking
* Advanced users now suffer the same internet as everyone else
* Advanced users will find a solution, and that solution can't be chrome anymore
* This starts an exodus of advanced users.
* Advanced users configure the browsers for everybody else, hence everybody else also joins the exodus
The end result is less of a monopoly.
This is the same mechanism that ultimately killed off IE and moved everybody to chrome: The monopoly of the time got so arrogant they didn't listen to their users, so users fled to a better alternative.
The strange thing is, groups of people have more or less the same tolerance for abuse, know their limits have already been violated for a while, and learn alternatives from each other. As a result, it takes a long time of abuse to trigger an exodus, but when it started, it starts everywhere at the same time. Then the abuser tries stopping the exodus by rolling back only the last change, but that's not enough anymore.
And if you're a webmaster, add some crippling/inconveniencing logic if user agent equals chrome.
Speaking of reputation, EFF has been doing this shady speak for the last few years and my respect for them is quite diminished. I suppose they can still do it because they have practically a monopoly to "protect privacy online" with Apple being a distant second player.
Safari only allows extensions installed via the apple store, but every single adblocker there is a scam.
I'm not kidding you, I audited most of them. Chances are it's either a three years outdated list of adblock plus that doesn't catch anything or it's an extension that replaces all google analytics identifiers with their own to make money (even when it's a paid extension).
The only thing worse than Chrome is Safari at the moment. And Apple doesn't give a shit about anything there, I reported the malicious extensions to no effect at all.
So when thinking of the other side and "removal of choice" I don't have a healthier, audited ecosystem in mind...I have Safari in mind, which right now is a worse attack surface than IE6 back in the days when it comes to Privacy or Security.
Malicious extensions (as answer to comments). DON'T install any of them, as I think they're scamware.
[1] AdBlock for Safari and Adblock for Mobile, which is an outdated AdBlock Plus fork: https://apps.apple.com/de/app/adblock-for-safari/id140204259...
[2] AdBlock Plus (which is the same scam model as other eyeo GmbH products): https://apps.apple.com/de/app/adblock-plus-f%C3%BCr-safari/i...
[3] Stop Ads https://apps.apple.com/lu/app/stop-ads-der-ultimative-ad-blo...
[4] 1Blocker https://itunes.apple.com/app/id1107421413
[5] Wipr doesn't do anything, literally https://appsto.re/us/thAB9.i
[6] Ad blocker https://apps.apple.com/de/app/ad-blocker-remove-ads/id153692...
Explain yourself, or are we supposed to take your word for gospel?
As somebody currently using Wipr and not seeing any ads, would you mind bridging the gap between your assertions and my reality? Genuinely curious how we could be truthfully so out of step on this.
Technology changes mean nothing without outcomes, or else it is just changes to electrical potential of positive and negative state. If extensions like uBlock Origin are crippled or forced to leave then the outcome is crap, which is what occurred when safari did a similar "step in the direction of privacy, security, and performance". I wonder if google was aware of this when making the decision.
The answer to "Random ad blockers are dangerous" is not: Let's cripple all adblockers to safeguard our "users".
The obvious answer is create a review process similar to what Firefox did. Maybe Google should use some of their 0.0001% annual income to contract a full time review team to protect us against rogue extensions.
I think an honest interlocutor would look at what's behind Big Corp double speech:
Google: Protect ad-revenue while pretending to protect users.
Apple: Protect Apple against government pressure while pretending to protect the children.
But neither does google on the other hand, and they're the ones that can actually do something more about it than writing a blog post.
That's kinda what we are paying them to be, no?
Google is just a for profit company.
We are constantly handing over power to big tech in the name of security, and they inevitably end up using that power against us.
Yes there are shady actors out there, but that doesn't mean we have to give the tech monopolies a monopoly over what are the capabilities of the internet and who can be trusted.
Apple has normalized the "we know better" approach, and has enjoyed great success doing it. Google is simply following that same philosophy. They know better than you, what's good for you and what's bad.
We need a fully independent browser, open-source, and built on modern technology. That way, users who care about this can get what they want. And users who trust Google to get it right, can use chrome or one of its derivatives.
Firefox has (had?) that potential, but for whatever reason Mozilla seems unable to execute effectively. The result is that Firefox has become a follower, doing the same things Chrome is doing. Thus defeating the original motivation for users looking for an alternative.
Brave looks promising, but given that they build on top of chromium, I am not sure how long they can resist fundamental changes in the codebase. Or whether they even intend to provide the needed alternative.
All in all I feel this represents a sorry state of browsers, and consumer software in general.