Google Will Begin To Block Sign-ins From Embedded Browser Frameworks in June (venturebeat.com)
To fight phishing, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and this week, the company said it'll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June. From a report: For the uninitiated, embedded browser frameworks enable developers to add basic web browsing functionality to their apps, and to use web languages like HTML, CSS, and JavaScript to create those apps' interface (or portions of it). They're typically cross-platform -- Chromium Embedded Framework runs on Linux, Windows, and macOS -- and they support a range of language bindings. With the change, Google is specifically targeting man in the middle (MITM) attacks, which it says are particularly difficult to spot from automation platforms like embedded browser frameworks.
Good idea (Score:3)
Bad idea (Score:3)
They're just starting an arms race; the inevitable next step is to work around whatever detection method(s) Google employs.
Re: (Score:2)
New light bulbs will just embed more Chrome to work around this, and old ones will stop functioning. We'll get nothing but more eWaste, less cash, and less security overall.
Re: (Score:2)
I, for one, welcome our new chromed lightbulbs.
Buying these 50s Cadillacs for my chrome fix is killing my budget . . . :)
hawk
Re: (Score:2)
Google operates services other than Search, such as Gmail and YouTube.
Re: Google Account? (Score:1)
I only use pop.google.com to get my gmail on Sylpheed. My gmail is deprecated because I pay for a fastmail account now.
I don't even log into Google on android anymore. Everybody should just log out of Google.
Re: Google Account? (Score:1)
We only want to enable the "correct" man in the middle attacks
Re: (Score:3)
Ok, Gmail then. I'll admit it's handy for those who want to have their furry porn monthly email newsletter scanned and documented in a massive database forever by an ad agency so they can create an even finer-grained character assessment of your personality and deepest, darkest thoughts so that long after both you and Google are dead future generations can datamine your profile in the released-into-the-wild databases and subsequently belly laugh at what a twisted individual you once were.
But why would anyo
Re: (Score:2)
But why would anyone log in to Youtube?
Only logged-in users may upload videos to YouTube. Where should people who produce videos be uploading videos instead? If to their own websites, how should these people who produce videos arrange for these videos to be recommended to viewers who watched videos with similar subject matter?
Re: (Score:2)
[Gmail is] handy for those who want to have their furry porn monthly email newsletter scanned and documented ... create an even finer-grained character assessment of your personality and deepest, darkest thoughts so [they can] belly laugh at what a twisted individual you once were.
No, that's just all kinds of wrong. They'll laugh at how naive and sophisticated you ARE -- because they're way more sophisticated than you'll ever be, and have brought you back from the dead in a Virtual Personality Simulator. It's just as good as you, but BETTER -- you won't just see a VR, you'll BE the VR! And if you learn that you're a construct, they'll simply restore you to before -- kinda like now.
Besides: the email's weekly, not monthly.
Re: (Score:1)
I never created a Gmail account. No one sent me an invitation.
And the only use for a YouTube account is to post comments. Why would anyone want that?
Re: (Score:2)
I never created a Gmail account. No one sent me an invitation.
Gmail left beta about a decade ago, becoming available to all subscribers to cellular phone service.
And the only use for a YouTube account is to post comments.
Not sure if satire, but where do you think the uploader name comes from when someone posts a video to YouTube?
will break OAuth for 3rd parties (Score:4)
With more and more 3rd party desktop apps being just embedded browsers it will break OAuth for them.
Re: (Score:3)
How will it break OAuth? The featured article linked to Google's workaround page [google.com], which involves opening the OAuth sign-in page in the user's default web browser. The tricky part is that for desktop applications, it requires listening for the redirect on localhost:80, which could cause the operating system's firewall to display a permission notification that might confuse a novice user.
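The system-browser flow described in the comment above, as an added example that is not part of the thread or of Google's documentation: the app opens the authorization URL in the default browser and receives the redirect on a loopback listener, with PKCE and a `state` check. The placeholder client ID, the `/callback` path, the function names, and the choice of an ephemeral 127.0.0.1 port are assumptions of this sketch.

```python
import base64, hashlib, secrets, threading, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"  # placeholder, not a real client

def make_pkce():
    """Return (verifier, S256 challenge) as defined by RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_url(port, state, challenge, scope="openid email"):
    """Authorization URL that is handed to the user's default browser."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID, "response_type": "code", "scope": scope,
        "redirect_uri": f"http://127.0.0.1:{port}/callback",  # hypothetical path
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256"})

def start_listener(expected_state):
    """Bind a loopback-only server on an ephemeral port; return (server, result)."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urlparse(self.path)
            q = parse_qs(url.query)
            state = q.get("state", [""])[0]
            # Accept the code only if the state matches the one this app issued.
            ok = (url.path == "/callback" and "code" in q and
                  secrets.compare_digest(state.encode(), expected_state.encode()))
            if ok:
                result["code"] = q["code"][0]
            self.send_response(200 if ok else 400)
            self.end_headers()
            self.wfile.write(b"You may close this tab." if ok else b"Rejected.")
        def log_message(self, *args):  # keep the authorization code out of logs
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)  # never bind 0.0.0.0
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, result

def begin_sign_in(open_browser=webbrowser.open):
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce()
    server, result = start_listener(state)
    url = build_auth_url(server.server_address[1], state, challenge)
    open_browser(url)  # the app never sees the password or the sign-in page
    return server, result, verifier, url
```

The returned verifier is what the app later sends with the authorization code in its token request, so a code intercepted on the loopback port is useless without it.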
Re: (Score:2)
I guess that if you consider a flow that opens another, unrelated application to be proper usability, then there is a workaround. To me it looks like something that will create tons of failed logins when average users fail to understand what this new window has to do with anything, or don't even notice it (when it opens as a new tab in a window with hundreds already open). The firewall notification is just the icing on the cake.
This will lockout legitimate alternative browsers (Score:5, Interesting)
Re: (Score:3)
But what would you use Google for? For search, there's DuckDuckGo. For mail, 4294967296 other providers that also don't randomly drop mails without a notification to the sender -- heck, some might even not read your private stuff! For maps, OSM. Etc, etc.
Re: (Score:2)
Who are the top ten rated email providers in 2019 other than Google that provide 200+ aliases and custom domains? (Yahoo sucks and should have moved off of them years ago.)
Re: (Score:2)
Etc, etc.
Which service for video hosting with recommendations of videos with similar subject matter?
Which mobile phone operating system that is 1. designed to allow running user-made apps without needing to buy a specific brand of desktop or laptop computer, and 2. shipped on phones with a warranty valid in the United States?
Re: (Score:2)
Many sites use reCaptcha, a Google service, to prevent bot access.
Re: (Score:2)
But what would you use Google for? For search, there's DuckDuckGo...
Yeah - and I would dearly love to use DDG and Startpage instead of Google, because I hate the Big G. But even considering how much worse it is than it was five years ago, its results are still far, far more complete than any of the competitors I've tried. For many searches I do there simply is no viable substitute for Google.
Re:This will lockout legitimate alternative browsers (Score:5, Insightful)
Google only wants you to use Chrome. It is frustrating to browse the web in Waterfox due to all the extra recaptchas I get and now Google is flat out blocking browsers. Google makes so much money it can afford any legal action that gets thrown at them.
Agreed, this is just wrong. The whole point of the web, and the reason it took off, was that it was device agnostic (various hiccups along the way aside).
As long as you sent your request packets per a standard and got the response which contained structured markup language per a standard, stuff worked and you all didn't have to be using the same hardware and software.
Hasn't been true for a while though. (Score:2, Insightful)
Go and see how many MAJOR websites, even ones that claim to be open source/open content are now javascript-walled. Even the ones that aren't you often have to disable CSS on in order to get all the data without 'default closed' tables and list items.
I was joking with others after the devuan april fools gopher pages that maybe it is time to return to something simpler, like gopher, and do it all via Tor/I2P hidden services in order to avoid both the jurisdictional limitations of the modern internet as well a
Google makes billions on Javascript (Score:1)
Their primary business is not "search" or YouTube - it's spying and selling ads, both of which are best achieved with Javascript enabled and most hampered with it disabled.
There are many alternate routes to making things pseudo-secure (I maintain that nothing electronic is secure with encryption if the key is shorter than the payload, but that's another discussion), but enabling Javascript does not strike me as a particularly effective one, nor as being more beneficial than it is destructive. Much of the ba
Couldn't possibly be (Score:5, Insightful)
Couldn't possibly be to serve you ads. Definitely for security.
Re:Couldn't possibly be (Score:5, Insightful)
Couldn't possibly be to serve you ads. Definitely for security.
Any code, like javascript, that is run in the CLIENT instead of the server is not for security. Anyone who thinks that client-side scripts can perform security checks are morons.
Re: (Score:2)
A whole stream of fake apk and not one mention of my hook nose, definitely not him... apk is dead, folks, and Netcraft confirmed it...
Re: (Score:2)
I did "hang with the freaks" here but truth be told I never got personal until you did, calling me evil things which I'm not, for criticizing your primitive Hosts "security software". I can see why you might have thought that, given the company I kept.
I've never pretended to be you though, never crossed my mind.
However, all of this since then, has just been a war of attrition, sometimes I enjoy it, but to be fair, I'm not out to hurt you. I've seen what bullying has done to people, including you (and me! Fr
Doable in Chrome, but not in Chromium? (Score:2)
Topsyturvey willywonka pish. (Score:2, Insightful)
So Google demand insecurity to ensure security? Just please go die you fucking horrible corporation.