Google's Plans for Chrome Extensions 'Won't Really Help Security', Argues EFF

Is Google making the wrong response to the DataSpii report on a "catastrophic data leak"? The EFF writes: In response to questions about DataSpii from Ars Technica, Google officials pointed out that they have "announced technical changes to how extensions work that will mitigate or prevent this behavior." Here, Google is referring to its controversial set of proposed changes to curtail extension capabilities, known as Manifest V3.

As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we're here to tell you: Google's statement just isn't true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation... The only part of Manifest V3 that goes directly to the heart of stopping DataSpii-like abuses is banning remotely hosted code. You can't ensure extensions are what they appear to be if you give them the ability to download new instructions after they're installed.

But you don't need the rest of Google's proposed API changes to stop this narrow form of bad extension behavior. What Manifest V3 does do is stifle innovation...
The EFF makes the following arguments Google's proposal:

• Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit
• Manifest V3 won't change anything about how "content scripts" work...another way to extract user browsing data.
• Chrome will still allow users to give extensions permission to run on all sites.

In response Google argued to Forbes that the EFF "fails to account for the proposed changes to how permissions work. It is the combination of these two changes, along with others included in the proposal, that would have prevented or significantly mitigated incidents such as this one."

But the EFF's technology projects director also gave Forbes their response. "We agree that Google isn't killing ad-blockers. But they are killing a wide range of security and privacy enhancing extensions, and so far they haven't justified why that's necessary."

And in the same article, security researcher Sean Wright added that Google's proposed change "appears to do little to prevent rogue extensions from obtaining information from loaded sites, which is certainly a privacy issue and it looks as if the V3 changes don't help."

The EFF suggests Google just do a better job of reviewing extensions.

Re:

[Anonymous Coward]

See, ad-blocking plugs require both, the ability to modify the request stream and to update data from untrusted sources. Manifest V3 guts the ability of ad blocking to work.

Now, there are ways of having this cake... properly.

a) have a context whitelist / blacklist. When a extension requests "pre-load" access, each URL is passed to the extensions and either added to the white list or black list in memory, by the extension going "blacklist" or "whitelist", and then the browser honors the request.
b) have a fea

Mozilla, jump on this

[Dutch Gun]

This is an opening for you to take back some browser marketshare. You've frittered away your once-dominant position by screwing around with all sorts of things your users never asked for while Google simply built a better browser. Now you need to keep focusing on things many of us do care about, like robust ad-blocking, privacy, security, standards compliance, performance, and promotion of a free and open web. I've seen some hints of this [forbes.com] recently, and it's encouraging.

Or, integrate more unnecessary junk like Pocket directly into the browser with no way to remove it, and maybe revamp your UI again, because people *love* releaning how to use software they've already been using for a decade or more for no good reason. Gotta keep those UX designers doing something, right?

Re:

[AmiMoJo]

Mozilla is even more privacy focused than Google. Their extension system is actually MORE limited than Google's, for privacy reasons.

Firefox violates some of the standards in the name of privacy too, e.g. cookie handling and permission handling. Some features are disabled because they are thought to be abusive, and Firefox actively interferes with standards compliant code such as the HTML Canvas element in order to prevent profiling.

You are barking up the wrong tree.

Re:

[QuietLagoon]

}}} You've frittered away your once-dominant position by screwing around with all sorts of things your users never asked for while Google simply built a better browser. {{{ --- Not only did Mozilla add all sorts of unwanted things to Firefox, they also took away the ability to use the wanted things with the extreme extensions API changes.

blocking advertisements ?

[johnjones]

either you can allow access to the extensions and they 'can' siphon your data or block access and they will not be able to filter your data

choose one

Re:

[Aighearach]

They just want to get everybody stuck on some kind of "platform" that they control, instead of just letting people use a web browser.

The part where they cash it in comes much later, and only happens if they get enough people locked in.

Discussing this or that with arcane arguments

[Mr. Dollar Ton]

when one is outside of the decision process is a little bit pointless, because Google won't listen.

Here's how it works for me: the very moment I see an ad in pages/sites I have not approved to show ads, the browser that did that is gone and replaced with something else.

Ok, Google?

Re:

[c-A-d]

MODS need to upvote this comment.

google's plans help google's financial security...

[QuietLagoon]

google looks to be trying to block the ability to block ads in the browser. Guess who has a major revenue source in website ads?