Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Google The Internet

Brave Complains Google's Newly-Proposed 'WebBundles' Standard Would 'Make URLs Meaningless' (brave.com) 169

"Google is proposing a new standard called WebBundles," complains Brave's senior privacy reseacher. "This standard allows websites to 'bundle' resources together, and will make it impossible for browsers to reason about sub-resources by URL." This threatens to change the Web from a hyperlinked collection of resources (that can be audited, selectively fetched, or even replaced), to opaque all-or-nothing "blobs" (like PDFs or SWFs). Organizations, users, researchers and regulators who believe in an open, user-serving, transparent Web should oppose this standard...

The Web is valuable because it's user-centric, user-controllable, user-editable. Users, with only a small amount of expertise, can see what web-resources a page includes, and decide which, if any, their browser should load; and non-expert users can take advantage of this knowledge by installing extensions or privacy protecting tools... At root, what makes the Web different, more open, more user-centric than other application systems, is the URL. Because URLs (generally) point to one thing, researchers and activists can measure, analyze and reason about those URLs in advance; other users can then use this information to make decisions about whether, and in what way, they'd like to load the thing the URL points to...

At a high level, WebBundles are a way of packing resources together, so that instead of downloading each Website, image and JavaScript file independently, your browser downloads just one "bundle", and that file includes all the information needed to load the entire page. And URLs are no longer common, global references to resources on the Web, but arbitrary indexes into the bundle. Put differently, WebBundles make Websites behave like PDFs (or Flash SWFs). A PDF includes all the images, videos, and scripts needed to render the PDF; you don't download each item individually. This has some convenience benefits, but also makes it near-impossible to reason about an image in a PDF independently from the PDF itself. This is, for example, why there are no content-blocking tools for PDFs. PDFs are effectively all or nothing propositions, and WebBundles would turn Websites into the same.

By changing URLs from meaningful, global identifiers into arbitrary, package-relative indexes, WebBundles give advertisers and trackers enormously powerful new ways to evade privacy and security protecting web tools... At root, the common cause of all these evasions is that WebBundles create a local namespace for resources, independent of what the rest of the world sees, and that this can cause all sorts of name confusion, undoing years of privacy-and-security-improving work by privacy activists and researchers...

We've tried to work at length with the WebBundle authors to address these concerns, with no success. We strongly encourage Google and the WebBundle group to pause development on this proposal until the privacy and security issues discussed in this post have been addressed. We also encourage others in the Web privacy and security community to engage in the conversation too, and to not implement the spec until these concerns have been resolved.

This discussion has been archived. No new comments can be posted.

Brave Complains Google's Newly-Proposed 'WebBundles' Standard Would 'Make URLs Meaningless'

Comments Filter:
  • Shocking! (Score:5, Funny)

    by locater16 ( 2326718 ) on Sunday August 30, 2020 @02:44AM (#60454766)
    Google trying to fuck over the entire internet to suit its own needs, I'm shocked, shocked I tell you!
    • Re:Shocking! (Score:5, Insightful)

      by Kisai ( 213879 ) on Sunday August 30, 2020 @03:29AM (#60454838)

      It's been doing this since imposing SSL on all websites while stifiling HTTP2 by not allowing unencrypted HTTP2, and then turning around and imposing it's own alternative to http1.1, and kept doing it with WASM (which everyone should turn off immediately)

      While I can see some reason to enable SSL, it basically doubled the CPU requirements of most websites that served static content that didn't need SSL, and completely obliterated the cacheability and CDN network performance.

      It's really a pity that Microsoft decided to adopt chromium instead of maybe just straight up adopting Safari's Webkit.

      • Unless you're running your website on 486 processors it's not going to have done anything noticeable to your CPU usage
        • Re: Shocking! (Score:3, Insightful)

          by cantsleep ( 2723025 )
          Not true. Noticable difference on smart phones at the time, also increased battery usage... significantly when not hardware optimized. Also, hosting 10,000 TLS concurrent requests at the server without caching is no joke. I imagine it was Google just using their market influence to prevent competition from ISPs on the analytics front. At the time the major cell phone networks and Comcast, etc. were gobbling up more data than they knew what to do with. Those fights still ongoing.
          • 10,000 TLS vs HTTP connections is so trivial of a difference that the major CDN providers donâ(TM)t even bother charging a different rate from normal HTTP.

            • 10,000 TLS vs HTTP connections is so trivial of a difference that the major CDN providers donâ(TM)t even bother charging a different rate from normal HTTP.

              It is pretty silly to presume that implies that they cost the same amount to serve. The implication is that they have the same value to their customer, perhaps because their customers wouldn't tolerate a price difference. Nothing is implied about the overhead.

              • The overhead is minor enough that no-one offering truly massive traffic loads even bothers to upcharge for HTTPS. This is well-established territory.

          • by AmiMoJo ( 196126 )

            If you are handling 10,000 concurrent connections you have one of the largest sites on the internet and not just one server, a large number of redundant servers. Handling 10,000 non-encrypted connections is no joke, and if you need to do that chances are your service is valuable enough that it should definitely be encrypted.

            Remember that it's not just your needs being considered here, it's the needs of your users, or perhaps your cattle if you are providing a """free""" ad-supported service.

            It's really a no

        • by sjames ( 1099 )

          He's not talking about load on the client system, he's talking about the server. One transfer being HTTPS rather than HTTP isn't a big deal. A few hundred add up fast.

          Free funny cat videos don't require encryption.

      • by AmiMoJo ( 196126 )

        Why is WASM bad, or at least worse than obfuscated Javascript?

      • Comment removed based on user account deletion
        • You'd think so, right?

          Up until relatively recently, about 5 years ago, budget-level Intel chips like Celerons and Pentiums did not all have Intel AES-NI.

          Many people still use those. As a matter of fact, I use one as a small home server. It's a Pentium 3805U [intel.com]. I obviously got it because it was cheap, but it's low power and does the job. Sure, I use it as a server, but most people would use that machine as a surf 'n office computer.

          Since it doesn't have AES-NI, encryption will be slower by definition. T

          • Jesus fucking christ. Your server isn't handling hundreds of concurrent connections. That piddly 10-15 concurrent connections per second isn't an issue, whether you are doing http or https.
          • I know you like the fun of keeping that old clunker running, but the electricity cost alone outstrips similar dedicated EC2 capacity at AWS.

            Your hobby project does not linearly scale to high-traffic sites, nor is your hobby setup common outside of other similar hobbyists.

            Iâ(TM)ve been working in this space for 20 years, what was difficult and costly 10 years ago is one or two clicks with no extra costs today.

      • Yes, not to mention the extra power requirements, of billions of devices, to deal with stuff that doesn't need the encryption.
  • by znrt ( 2424692 ) on Sunday August 30, 2020 @02:47AM (#60454770)

    but was bound to happen. however it's a bit appalling how stupid the pr is:

    - Create your own content and distribute it in all sorts of ways without being restricted to the network
    - Share a web app or piece of web content with your friends via Bluetooth or Wi-Fi Direct
    - Carry your site on your own USB or even host it on your own local network

    can't i do exactly the same right now? and this comes from the warriors of 'on demand and fast initial loading'?

    • by AmiMoJo ( 196126 )

      You could certainly zip up all the resources needed to do that but chances are the site will break if you do. Non-relative links won't work and lack of any way to sign the content means that it's both open to malware and distrusted by default by most browsers.

      WebBundles can be signed to ensure authenticity. Sharing locally is not very useful in the West but in developing nations where internet access is not universally available it has uses.

      • You could certainly zip up all the resources needed to do that but chances are the site will break if you do.

        The main cause of this problem is bad coding practice with most webapp devs having an seemingly irresistible urge to transform anything they touch into a giant katamari that needs to pull a zillion of javascript libraries from all over the internet (bonus point if a certain javacsript libraries shows up as a dependency of several of the pulled ones, but each requiring an incompatible different version).

        Non-relative links won't work

        ...but are usually correctly handled by a lot of the various slurpers/crawlers/"Save to..." browser's opti

  • Step #13342 (Score:4, Funny)

    by cantsleep ( 2723025 ) on Sunday August 30, 2020 @02:49AM (#60454778)
    Require web browser manufacturers digitally sign your bundle before distribution and execution.
  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Sunday August 30, 2020 @02:50AM (#60454780)

    Disclaimer: Professional Senior Web Developer here.

    I am highly sceptical of bloating the web further. WebAssembly is a good thing, webm is a good thing and Google deserves credit for that. However, I see nothing complex that this solution offers that can't be done with HTTP 2 Push, which we already have. I also really like the fact that despite all the VDOM bloat we have to deal these days I can still just push out clean HTML with some well built CSS and have a website that looks and runs neat and doesn't rack up 4MB per pagecall. I have a very strong suspicion that this bundle stuff Google is proposing will push the stupid web projekt managers to bloating the web even further and I don't like it.

    Bottom line: I'm highly sceptical of this Google addition to the web and side with Brave on this one.

    • by Kisai ( 213879 ) on Sunday August 30, 2020 @03:33AM (#60454844)

      WebAssembly was a mistake. The web should not be a collection of poorly optimized pseudo-compiled binaries running in the web browser, as it's been almost entirely abused by cryptominers and malware.

      HTTP2 should have been rolled out with both encrypted and unencrypted modes as standard, but instead browsers only implemented half of it, and then google decided to roll out it's own alternative anyway.

      Google is quickly hijacking "the web" for it's own purposes and we're already in a state of "works best or only on chrome", which harkens back to "works best on MSIE 4.0 or Netscape 4.0" of 1999

      • by Z00L00K ( 682162 ) on Sunday August 30, 2020 @04:53AM (#60454934) Homepage Journal

        Overall as I see many of these changes as being attempts to prevent evasion of serving of ads through adblockers.

    • by Cederic ( 9623 )

      I see nothing complex that this solution offers that can't be done with HTTP 2 Push, which we already have.

      Well, there's the fact that even with HTTP 2 Push you're managing multiple requests between client and server, for each page let alone multi-page browsing.

      With this new thing you're able to have just a single request, substantially reducing the impact of latency albeit at cost of additional overall bandwidth use.

      But the real difference is that Google will be able to deploy all of their spyware, tracking and adverts from the initial request. I can see why they like this.

    • by AmiMoJo ( 196126 )

      I've read through the entire linked GitHub issue and I agree, Brace is right. Surprising considering their attitude to scamming users with crypto currencies and slyly inserting referral URLs into links.

      The main issue is that there is no hard, mandatory link between the URL of a resource on the server and the URL of the same resource in the bundle. For for example if you have coin-miner.js on the server it can be renamed to ds87y87fsdha.js in the bundle, making it much harder to block.

      Someone from Google arg

  • Solution: (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Sunday August 30, 2020 @02:57AM (#60454790)

    All they really need to fix all this is to require a "point of origin" URL for each component of the bundle for where you can download the identical file. If the point of origin data doesn't match then the domain serving the bundle should be marked as a malicious website and should be delisted from search engines.

    They could do this but won't because the entire point is to bypass ad blocking.

  • by 93 Escort Wagon ( 326346 ) on Sunday August 30, 2020 @03:06AM (#60454802)

    Google's goal is identical to Facebook's. Google never, ever wants you to leave the Google-sphere. Having "bundles" is just one step away from Google grabbing those bundles from your website and serving their copy to other people, direct from a Google server.

    Read people's comments about why AMP really exists. Read people's comments about every other web move Google has proposed. At this point, this shouldn't be shocking to anyone.

    • by Jahta ( 1141213 )

      Google's goal is identical to Facebook's. Google never, ever wants you to leave the Google-sphere. Having "bundles" is just one step away from Google grabbing those bundles from your website and serving their copy to other people, direct from a Google server.

      Exactly. This is the logical extension of their campaign to suppress the URL in Chrome [slashdot.org]. Who needs URLs if everything is served from Google's servers?

  • by Casandro ( 751346 ) on Sunday August 30, 2020 @03:11AM (#60454810)

    I mean seriously, the number of web browser engines is shrinking year by year. Mozilla will probably give up on their own engine eventually as they see to have very little interest on sustaining a diverse web ecosystem. While browsers have code that is free by license, they are unfree by complexity as single persons of small groups are unable to make meaningful changes.

    Perhaps what we should do now is to invent and evaluate potential alternatives. For example, what happens if we add multimedia extensions to terminal standards? The 1980s Videotex standards, for example, included provisions to multiplex multiple data streams into your terminal. This way you could re-define your characters, transmit vector graphics, photographic information or even sound. This is done by using the "Unit Separator" character $1f followed by a character that defines the stream. This way we could for example define a "video" endpoint. It could include commands to define or change the area in fractional character cells which would be used as a canvas, and it could then send a video in chunks over the connection. If you add responses you can easily estimate the connection bandwidth and send lower bandwidth video.

  • by Anonymouse Cowtard ( 6211666 ) on Sunday August 30, 2020 @03:18AM (#60454826) Homepage
    At least we were warned
  • And so it begins (Score:5, Interesting)

    by Malays2 bowman ( 6656916 ) on Sunday August 30, 2020 @03:19AM (#60454828)

    Here comes that sudden "WOOSH!" down that slippery slope we have been sliding on. Bye bye freedom loving internet, bye bye any user control over crapware and unwanted Javashit annoyances, just bye bye to the internet as we know it.

      Welcome to the 100% controlled by THEM and 0% controlled by you internet. You will have a king, and you do only what the king allows or commands you to.

      Now it's clear. Googles "Do no evil" was a ruse. They never had the intent of NOT being evil.

    • Well, it's not different from the app-centric universe of mobile. There are relatively few things that can be done with an app and cannot be done with a web site, and even less if you added some extensions to the browser. But you will see everybody and their mom too pushing you towards their app instead of their web site. That is because that gives the control to them instead of you. Everybody fights for control, that's understandable. So I expect that new standard of Google to be openly embraced by all sup

      • And yet we are "babyfied" regardless. This is a very common narrative in the computer industry as of late: Treat users like they are stupid or infantile, and restrict them as such.

          This has got to stop. These companies are not God, they are not unstoppable forces, and we need to stop letting them treat users as retards and just something to milk money out of.

    • Now it's clear. Googles "Do no evil" was a ruse. They never had the intent of NOT being evil.

      It probably was legit at the time; but, like many a public company, the desire for ever increasing profits made it easy to drop that one quickly. Seems common for companies to lose their founding principles when they go public or become too large.

  • by bickerdyke ( 670000 ) on Sunday August 30, 2020 @03:28AM (#60454836)

    I can see those problems, too. But in the end, what's the difference between those bundles and including resources and scripts into the HTML page a base 32 encoded resource? Our developing your website as single page application? Probably even with that meta data that makes it behave like a native app in your phone app launcher or your desktop machines start menu

    • Right now I could write a Service Worker that intercepts browser requests and serves responses from a non-standard file format. Isn't this proposal just standardising a file format so I don't need to write any javascript?
      • And no matter if you access it with a service worker or that new web bundle, you need a way to address a single resource in the bundle. and if you do that with an anchor, you still have standard urls.

        • The concern AIUI is that the WebBundle format allows the bundle to contain pseudo-responses for any URL, not just paths relative to the bundle. If the URL of a resource referenced by the bundle matches a response packaged into the bundle then that pseudo-response is used without ever making a request to the original server. This is great if what you want is an archive of a specific session. It's less great if you think that a page that explicitly references example.org should actually get its content from e

  • Do No Evil.. (Score:4, Insightful)

    by betsuin ( 5812894 ) on Sunday August 30, 2020 @03:31AM (#60454840)
    Yeah, that went out the window. Google is now the problem.
  • A move against ... (Score:3, Insightful)

    by AncalagonTotof ( 1025748 ) on Sunday August 30, 2020 @03:53AM (#60454866)
    ... NoScript & similar plugins, and Pi-Hole. I would become mad quickly without them.
  • by bobstreo ( 1320787 ) on Sunday August 30, 2020 @04:55AM (#60454938)

    after a 60GB download of a bundle, it will display a smiley face. Just that.

    • by Hydrian ( 183536 )
      ISPs will load large bundles on their own page which they will try to default your browser or their app to so you much through your data allowance faster so they can charge more.
  • by El_Muerte_TDS ( 592157 ) on Sunday August 30, 2020 @05:22AM (#60454966) Homepage

    Guess what's next on Google's agenda

  • by onyxruby ( 118189 ) <onyxruby&comcast,net> on Sunday August 30, 2020 @06:02AM (#60454978)

    People keep forgetting that Google is an advertising company. Their analytics engines works at a macro level and can handle these "bundles" just fine. However people will not be able to do so. There is simply to much for the average person to put together in a reasonable period of time to mess with. I wonder if psychologists had a hand in guiding that aspect.

    Now you have a standard that will effectively get ahead of most advertising blocking tools for a while. More to the point it will notably slow down the speed and efficiency with which they operate. At a minimum companies that make advertising blockers will have to retool their programs to catch up with the new standards. Even once they have retooled they will never be as efficient due to having more to process. This means that people will be more apt do disable to ad-blockers out of annoyance on how long it takes their web page to load.

    Unfortunately this will also impede a lot of organizational and privacy security tools as well. Google doesn't care as they fall under collateral damage. This new standard offers zero benefit to the public at large. The standard endangers the public by degrading their security and privacy tools. Malvertising is certainly one of the most popular means of distributing malware via ad networks. Poor to shoddy standards around the advertising market have already made this a large issue. The use of this new standard would drive this problem through the roof.

    https://arstechnica.com/inform... [arstechnica.com]

    This standard benefits Google, advertisers, marketers and those in the malware business. The new standard is a security and privacy risk to everyone else.

  • by markdavis ( 642305 ) on Sunday August 30, 2020 @06:58AM (#60454986)

    >"Brave Complains Google's Newly-Proposed 'WebBundles' Standard Would 'Make URLs Meaningless'"

    Brave allows their browser to be controlled by Google because they base it on Chromium, just like every other multiplatform browser that isn't Firefox. This makes it yet another "Chrom*". And this gives Google the power to control more and more. And then they want to complain about Google doing such things? Here is your revelation: Having control over your browser's alias name and some control of the UI doesn't give you much control.

    • [Problems with Slashdot going offline this morning, and the rest of my posting was lost, so reply-to-self with the rest]

      >"We've tried to work at length with the WebBundle authors to address these concerns, with no success."

      So, they are finally realizing that there really is nothing community-driven about Chromium? That de-facto "standards" aren't really standards? Everyone has handed Google this power- the users who use Chrom* and the non-Firefox browser "developers" who based or switched their engines

  • by QuietLagoon ( 813062 ) on Sunday August 30, 2020 @08:10AM (#60455034)
    That is the reason behind this fiasco of a proposal. Google wants to make the web so that you have to see everything they want you to see. Next google will be proposing to force you to prop your eyelids open and stare at the monitor while google shows you what they want you to see.
  • by QuietLagoon ( 813062 ) on Sunday August 30, 2020 @08:12AM (#60455040)
    ... dominating the web, and Mozilla's Firefox in self-destruct mode, google will likely bring this to fruition.
  • 1) do no evil, and push that as your pr value
    2) get traction
    3) remove point one from your plan
    4) do evil to avoid ad-blocking
    5) profit!
  • I see a lot of negative comments. Google bashing may be well deserved in general, but this idea has some merit and should be explored. Making web pages into self-contained files could gain many benefits of pdfs. (However, pdf for all its ills still has a much simpler, more stable file format.)

    Today, most websites think they need to connect to 20 or more other sites. Most of these other sites serve up ads and tracking beacons. Moving towards "one site = one connection = one file" would clean up this mes

  • downloading a bundle instead of discrete elements could be more efficient, or it could be a nuisance, depending on your needs.

    sites deploying bundles only would probably be forced to provide discrete elements also, simply through demand pressure.

    furthermore, Brave and the slash/editor seem to forget that a PDF reader can be a browser too, and is equally capable of discerning and making choices about what to display, and how to display it - IF we take the time to improve the reader code.

    this will probably ha

    • by Hydrian ( 183536 )
      Web developer goes and grabs a webbundle so the site so can have a built-in PDF reader experience. Doesn't audit the bundle because of deadlines. The web developer doesn't know that the pdf reader is based on Adobe Acrobat. The site becomes a vector for security issues.
  • And Java. And anything else that requires runtime support to display something in a browser. It's been tried many times. It's very beneficial for people who want to use massive web and system resources for anything from pretty pictures and fades to privacy mining to outright malware. Now that we have HTML5 it's not very beneficial to actual users.

    I would partially disagree with lumping PDF into the group. Many browsers now open PDF in the browser. If properly sandboxed, that's marginally OK. PDF can also be

  • ... for quite some time. URLs are as meaningful or meaningless as content owners want them to. You can reason very well about https://example.com/memes/2020... [example.com] and all is fine and dandy, but absolutely nothing prevents the same content from being served to you as https://example.com/assets/dcb... [example.com] â" valid only for the duration of your session. Others will receive the same asset under totally different names. Go reason about that. These web bundles break nothing that is not already broken.

  • Also, make it impossible to block malicious content?
    That's what this sounds like. Hey Google, why not just encrypt it all with a proprietary algorithm while you're at it, so no one can even SEE what the content is until it's on the screen?
    Fuck you, Google. Kill yourselves, and let someone run Google who believes in 'Do No Evil' again.
  • IPFS has in a sense created web-bundles already.

    IPFS is based on numerical hashes to identify files, the authenticity part is built in.

    No particular server has to hold it, you can add it to your own machine and never go online again if you like.

    One of the best examples of this that comes to mind is "Atari 2600 + IPFS". It's a web page - with every Atari 2600 ROM and an emulator. It's not hosted in any particular place, if you know "QmacAqRVhJX9eS7YJX1vY3ifFKF9CduDqPEgaCUSa4x5xb" you can grab the "module"

  • s/complains/warns/
  • is that this is exactly like Microsoft bundling all of their security patches together so you can't pick and choose what you want to get or exclude, including those telemetry (er, customer experience and compatibility test suites)?

    amiright?

If you steal from one author it's plagiarism; if you steal from many it's research. -- Wilson Mizner

Working...