Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Google Chrome Chromium

Here Comes the Google Chrome Change that Worries Ad-Blocker Creators (cnet.com) 119

CNET reports: With the next version of Chrome, Google is moving ahead with a plan to improve privacy and security by reining in some abilities of extensions used to customize the browser. The move had angered some developers who expected earlier it would cripple ad blockers. Manifest v3, the programming interface behind Google's security plans, will arrive with Chrome 88 in mid-January, Google said Wednesday at the Chrome Dev Summit. Extensions using the earlier Manifest v2 will still work for at least a year...

Among other things, Manifest v3 limits the number of "rules" that extensions may apply to a web page as it loads. Rules are used, for example, to check if a website element comes from an advertiser's server and should therefore be blocked. Google announced the changes two years ago. Reducing the number of rules allowed angered creators of extensions like the uBlock Origin ad blocker and the Ghostery tracking blocker. They said the rules limits will stop their extensions from running their full lists of actions to screen ads or block tracking. That could let websites bypass extensions — and the preferences of people who installed them...

The shift brought on by Manifest V3 will spread to all browsers, to the detriment of ad blocking software, predicted Andrey Meshkov, co-founder and chief technology officer of AdGuard, an ad-blocking extension... Ghostery is working to update its extension for Manifest V3 but would rather spend its time on "real privacy innovations," President Jeremy Tillman said in a statement Wednesday. "We still have real misgivings that these changes have more to do with Google protecting its bottom line than it does with improving security for Chrome users...."

The importance of the Chrome team's choices are magnified by the fact that other browsers, including Microsoft Edge, Vivaldi , Opera and Brave, are built on its Chromium open-source foundation. Microsoft said it will embrace Manifest v3, too.

"Another Manifest v3 change is that extensions no longer may update their abilities by downloading code from third-party sites.

"The entire extension now must be distributed through the Chrome Web Store, a measure Google says improves security screens and speeds reviews."
This discussion has been archived. No new comments can be posted.

Here Comes the Google Chrome Change that Worries Ad-Blocker Creators

Comments Filter:
  • by BladeMelbourne ( 518866 ) on Sunday December 13, 2020 @09:39AM (#60825438)

    It's time to move to Firefox, if you have not already done so.

    • That's all fine and good, until Google tells Mozilla to implement it in Firefox or lose funding, since they're still Mozilla's primary funding source.

      Most likely, you'll need to go to a Firefox fork maintained by a non-Mozilla entity.

      • I guess you missed the news that Mozilla fires the 750 developers working on Firefox.

        Now the devs have the "opportunity to pursue other opportunities for funding."

        Just disable all images. You won't load the ads. Problem pretty much solved.

        Also disabled those crappy html5 auto play videos.

        • "I guess you missed the news that Mozilla fires the 750 developers working on Firefox."

          Likely because they would not bow down to Google's [primary funder] wishes and they needed fresh meat who will suck dick and say "Yes Google, we will screw over the user!"

          Now I find companies like Google to be a far bigger and real threat to me than some basement hacker or a Russian crypto-extortion group. Therefore, I am doing everything I can to lock down all of my stuff against those companies to prevent any fo

        • "Now the devs have the "opportunity to pursue other opportunities for funding."

          Which no doubt involves holding a sign on a street corner, and eventually moving into a cardboard condo. Weasel wording is what those at the top do, because I guess they feel saying "fired" makes *them* look bad.

          Wow, and these snakes still demand that we consider them "Trustworthy(TM)"? Unsorry, but I don't consider snakes to be trustworthy.

      • by AmiMoJo ( 196126 )

        Mozilla has been getting less dependent on Google over time: https://www.ghacks.net/2020/12... [ghacks.net]

        But in any case there is no reason for Google to demand this. The limit is 150,000 rules per add-on, and since Google is one of the most popular sources of ads and also one of the easiest to block (no shenanigans, they use well known domains) this won't affect anyone's ability to block Google ads. They would have to reduce it to less than 10 rules globally for it to have much effect.

      • That's all fine and good, until Google tells Mozilla to implement it in Firefox or lose funding, since they're still Mozilla's primary funding source.

        Browsers are hugely important in the current Internet-centric society. I donate to Mozilla to support a free Internet that is not controlled by mega corps.
        https://donate.mozilla.org/en-... [mozilla.org]

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I see the Google Trolls/bots downvoters are out in force today.

      Google is EVIL through and through. Why don't people get that? You are their data source. They take, take and take. Then we get adverts by the gazillion.
      F*** Google.

      • Fuck google? No thanks - with all the billions of people they've fucked, you're guaranteed to pick up a nasty bug.

        Reminiscent of Nixon claiming he had phlebitis - you don't fuck 300 million people and only get phlebitis!

      • They do get it.

        They are just in denial. And not very smart. Under a barrage of bullshit, repeated until it feels true.

        Essentially you are expecting a snowman to to walk through a volcano outbreak to get to the underground freezer. Yeah, he knows volcanoes are bad, mmkay. ;)

    • It contains the same limitations as Safari, which supports blocking adverts just fine. Nothing to worry about here. Besides, Google is slowly transitioning users towards paid services which will fix the problem long-term.
    • by PPH ( 736903 )

      I never moved away. Well, almost never.

      One of our state government sites said "Requires Chrome". So I installed it. Chrome is seriously broken on that site. So, having to get my work done, I went back to Firefox. And that worked perfectly. Not just Firefox, but OLD Firefox (v42.0).

      I fired off a message to the state IT people suggesting that they delete or modify the "Requires Chrome" note. I never heard back and the requirement is still up on their site.

  • Clever Google (Score:5, Insightful)

    by ceoyoyo ( 59147 ) on Sunday December 13, 2020 @09:43AM (#60825448)

    Remember when Chrome was shiny and new? Why would the world's largest ad agency release a web browser? Why, to battle Microsoft's evil plans and ensure the web remained free of course!

    So now that almost everybody's browser, including the one from the old evil itself, is actually Chrome, we see why the world's largest ad agency actually wanted to build the software that everyone uses to view their ads.

    • Re: (Score:3, Insightful)

      by clokwise ( 844691 )

      And the next step will be to build (even) more proprietary features that only work in Chrome, and simply extinguish Firefox.

      • by kvutza ( 893474 )
        It'll depend on whether the other (Chrome-based) web browsers will be seen by gov authorities as a competition of Google. One more anti-monopoly suit is something that Google will probably want to avoid. At some point in the past, such a suit avoiding (about monopoly on desktop systems) was the thing that saved Apple from being crushed by Microsoft. But well, it is about social sites nowadays, no one cares about web browsers anymore.
      • And the other next step with the other tentacles will be Chromebooks and Project Fuchsia. Aka being your OS, your hardware, and ultimately your life. A Chaebol. A true Umbrella coproration.

      • by AmiMoJo ( 196126 )

        Seems unlikely given the anti-trust investigations. Microsoft helped Apple back in the 90s so they could claim not to be a monopoly.

        In fact it seems likely that one of the reasons why it's so easy to build custom versions of Chrome is to encourage more browsers to exist. Firefox was a real pain in the arse to work with back then, the code base was crusty and bloated. Thanks to Chrome we now have a number of decent browsers all competing and Google can claim they have plenty of competition.

      • And the next step will be to build (even) more proprietary features that only work in Chrome, and simply extinguish Firefox.

        Or simply block Firefox. Google _already_ block open-source Chromium based browsers from logging into their services. Supposedly because they are "less-secure".

      • the next step will be to build (even) more proprietary features that only work in Chrome, and simply extinguish Firefox.

        Apparently, they're pretty aggressive about doing that with youTube.

    • I wondered why they are dragging ass on making simple "no autoplay" and "silence whatever is yapping on this web page" buttons. The only thing I can think of is they are afraid of some kind of anti-trust thing for making competitor ads harder to see or listen to.

      • Disable images. Easy to do in Firefox.

        No ads. No videos trying to load. No "share with" icons loaded from various servers. No web bugs. No streaming services. Makes the browser much faster, and 2 gigs of data on a mobile plan easily lasts a month.

        You can also disable JavaScript if you wanna get rid of the #1 cause of the insecure web.

    • If you actually remember when Chrome was shiny and new, you remember that it didn't allow true ad-blocking back then. All the early Chrome extensions could do was load all the ads and then make them invisible after. This is just Chrome coming full circle back to less useful blocking.

      I use Chrome. I'll probably switch to Firefox after this release. I'm not mad. I suspect the end result will be that ad blockers in Firefox will soon be much more effective than they are now -- because companies like Twitch won'

    • Screw it.

      I am going back to IE 6

  • by weilawei ( 897823 ) on Sunday December 13, 2020 @09:55AM (#60825488)

    How does preventing my privacy and security extensions from working improve privacy and security?

    This is the most Orwellian doublespeak crap I've seen this week.

    • Are any ad blocking extensions reporting your blocked things back, for the purpose of categorizing you for targetted advertising?

    • by mark-t ( 151149 ) <markt@ner[ ]at.com ['dfl' in gap]> on Sunday December 13, 2020 @10:15AM (#60825536) Journal

      What I was able to easily find on the matter was vague, but if I understand correctly, the notion appears to be that the rules permit extensions to do things that may be undesirable for the end user, and this danger can really only be mitigated by limiting what the rules are allowed to do.

      Basically, the concern is that the permissions that these extensions have can be easily abused, and might present an even greater risk to the user's security and privacy than the remote web server that the extension is trying to block

      • by burtosis ( 1124179 ) on Sunday December 13, 2020 @11:18AM (#60825762)
        By this logic all sharp or pointy things should be locked away from people and kept in a safe centralized location and no one should be allowed more than a few at any time. Because, um, someone could hurt themselves or others and it’s for their own safety.
      • If they were really concerned with security they'd drop support for JavaScript.

        Web browsers are the biggest security hole on the Internet. And JavaScript is the biggest security hole in the browser.

        • by mark-t ( 151149 )
          If Javascript is properly configured in a web browser to only run in the container that it starts in, then this is not an issue. There are plenty of use cases for Javascript that do not pose any security or privacy threat. The
          • The various side channel attacks on processor hardware have shown this sandboxing to be worth f*** all.

            • by mark-t ( 151149 )
              That's not a failing of javascript, nor a failing of running javascript in a browser in general. That is a failure on the part of the browser developer to implement a proper container.
        • by tepples ( 727027 )

          If they were really concerned with security they'd drop support for JavaScript.

          What's the replacement for script in the browser? Navigation and form submission, with a full reload of the entire page's markup every single time? Downloadable native applications made for an OS you don't have, with the possibility that they're censored by the OS publisher?

      • by DeVilla ( 4563 )

        My concern is that this breaks what an extension I choose to install can do to protect me from the java script and poor practices employed by websites behind my back. Sure, a malicious extension could be bad. But malicious java script is more prevalent, harder to validate before obtaining & running it, and is more likely to be used by malicious 3rd parties.

        So they are modestly addressing a secondary attack surface by preventing the ability to protect a primary attack surface. This cure is worse than

        • by mark-t ( 151149 )
          My point was to answer the question as best as I could, not to defend the rationale for it.
    • by apoc.famine ( 621563 ) <apoc DOT famine AT gmail DOT com> on Sunday December 13, 2020 @11:13AM (#60825740) Journal

      Not if you read TFS.

      There is notes that many extensions including some privacy ones update themselves from 3rd party sites, with code not vetted through the chrome web store. That is a little dodgy, for sure.

      But look - either my ad blockers keep working in Chrome, or I don't use Chrome anymore. It's really that simple. And I know that's true for a lot of people. Google can shot themselves in the foot if they want to. That's on them.

      • That bit has nothing to do with the ad blocker changes.

        The problem that concerns ad blockers is that Google is removing an API which allowed them to intercept and block any web request from Chrome. The problem was that a slow extension (for example, by regexing a url against an entire blacklist database, something an ad blocker could do that has the potential to be quite slow) would slow down the entire browser and users would not be able to tell that it was an extension that was responsible. Chrome does di

    • by Rockoon ( 1252108 ) on Sunday December 13, 2020 @11:52AM (#60825876)

      How does preventing my privacy and security extensions from working improve privacy and security?

      The same way that pushing you through their own DNS service improves your privacy and security.

  • by xack ( 5304745 ) on Sunday December 13, 2020 @09:56AM (#60825494)
    If Firefox becomes primarily used for adblocking, many sites will start banning Firefox, and only let in browsers that have nerfed ad blockers.
    • You just fake the User-Agent.
      • by xack ( 5304745 ) on Sunday December 13, 2020 @10:39AM (#60825626)
        Browser fingerprinting has gotten better. Brave is often detected and blocked even though it uses a Chrome user agent.
        • by Cesare Ferrari ( 667973 ) on Sunday December 13, 2020 @10:41AM (#60825638) Homepage

          In that case, they loose my business. If I get an 'ad blocker detected' type screen, I go elsewhere

          • I kind of like the idea of loosing a customers business, setting it free upon the open space of competing markets.
          • by dshk ( 838175 ) on Sunday December 13, 2020 @01:04PM (#60826108)
            What do they lose? Nothing. If you use adblocker and you have no paid subscription, then you are more like a beggar than a customer.
            • by nagora ( 177841 )

              The issue is not adverts as such, it's the sort of adverts they use and the tracking that comes with it.

              There must be a way to sell advertising on websites that doesn't require auto-play with audio and tracking bugs.

            • by Baki ( 72515 )

              If enough people think alike, they lose their "business model".

        • Sorry, but they can never win.

          Firefox can easily simulate whatever version of Chrome you want to the site owner, while doing something completely else for the user.

          "Fingerprinting" is not magic.
          And most sites won't stay up to date with every little step in the war, so even if some get a successful "fingerprint" pattern... without an ever-increasing massive amount of false positives, mind you .. most sites will work in any case.
          And those that don't will die a sorry death. (*Waves EU flag*)

        • Brave is often detected and blocked even though it uses a Chrome user agent

          Do you spend your time visiting only Russian and Chinese sites from Kurdistan or something? I've not come across a website that has ever used fingerprinting to actually block a browser. Shit even MS's garbage custom IE experience relies on user strings.

          • These sites typically aren't depending on browser fingerprinting, but some wacky verification that you've been served ads. Typically there's little missed, but most sites afflicted with this anti-adblock script won't run even if adblock is disabled because they depend on servers that nobody in their right mind would allow connections to.

    • "Many sites will start blocking Firefox."

      Let them. There is no web site in the world that has anything you really really need anyway. The essential stuff is in multiple places, which is why paywalls don't work.

      Seriously, if 99% of the Internet were to disappear tomorrow, nothing of value would be lost.

      • Seriously, if 99% of the Internet were to disappear tomorrow, nothing of value would be lost.

        "I'm fairly sure if they took porn off the internet, there'd only be one website left, and it'd be called 'Bring back the porn!'"
        -- Dr. Cox (Scrubs, S3:E4, "My Lucky Night")

    • by tokul ( 682258 )

      > many sites will start banning Firefox

      HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

      It is not firefox and it runs not on Windows.

      Browser can be locked down to the point where it can safely declare that it is Chrome or Edge.

  • The only way around this is to do the filtering in an external proxy, which (unfortunately) will need to be made a trusted CA so it can decrypt and re-encrypt traffic. Basically, we're being forced to MITM ourselves.

    Doing this securely and in a way non-technical people can use it is not easy.

    • And the next logical step in Google's war on privacy will be to block users from adding CA certificates to Chrome. :(
    • by crow ( 16139 )

      Yes. I use a Proxy Auto Configuration file for ad blocking, which was awesome until Google decided to not pass in the full URL for https sites, so the PAC script only sees what is sent unencrypted. Now it only works for ad servers that are different hosts, so it's essentially a glorified /etc/hosts file block.

      • by dskoll ( 99328 )

        I currently use a whole suite of defenses.

        Zeroth layer: Don't use Google Chrome

        First layer: Pi-hole [pi-hole.net] to block DNS queries to known ad / tracking networks.

        Second layer: Privoxy [privoxy.org], which is now almost useless since most Web traffic is HTTPS now.

        Third layer: Ghostery [ghostery.com], Adblock Plus [adblockplus.org] and uBlock Origin [ublockorigin.com].

        So far, those defenses are reasonably effective.

        • by caseih ( 160668 )

          A stopped using Ghostery a while back and now use the EFF's Privacy Badger, which does the same thing but I trust it a lot more.

    • by Sebby ( 238625 )

      Doing this securely and in a way non-technical people can use it is not easy.

      Which is the reason Google implement its own security features in that specific way - they've been planning this all along knowing most users can't know how best to protect themselves, and took advantage of that for their ad business, under the guise of "user privacy & security".

  • I feel a tight squeezing about my balls
  • When you use a browser made by a privacy rapist. [urbandictionary.com]

  • by Anonymous Coward

    The open source community needs to step up here and actually develop a browser instead of lazily repackaging chromium. The reason we have a browser monopoly is because the open source community has gotten incredibly lazy and has delegated the browser to Google, and we all know that Google is Evil incarnate.

    • by nagora ( 177841 )

      The open source community needs to step up here and actually develop a browser instead of lazily repackaging chromium. The reason we have a browser monopoly is because the open source community has gotten incredibly lazy and has delegated the browser to Google.

      No. The reason is that we've allowed browsers to become vastly over-complicated to the point where it's very very hard to even get a usable first cut up and running.

  • by larryjoe ( 135075 ) on Sunday December 13, 2020 @10:46AM (#60825652)

    ""The entire extension now must be distributed through the Chrome Web Store, a measure Google says improves security screens and speeds reviews."

    China, the US, Apple, Google, all impose restrictions on data that increases their ability to restrict data and increase surveillance. Meanwhile they cast their restrictions that benefit their own interests as inconveniences that they undertake for the benefit of society. All in the name of "security". Apple and Google don't use the exact term, but in a sense they are also fighting their own definitions of "terrorism".

    • What kind of funny pills are you taking, mate?

    • by AmiMoJo ( 196126 )

      What's the alternative though? If they allow add-ons to download arbitrary code into the browser and take advantage of permissions that the user gave on installation they get attacked for having bad security. FWIW Mozilla has the same policy.

      They used to allow side-loading until malware started exploiting that by installing unwanted add-ons. Same with binary extensions, they had to disable local installation of those because of repeated abuse.

  • by FudRucker ( 866063 ) on Sunday December 13, 2020 @11:10AM (#60825726)
    if the developers are killing the browser's ability to block advertising, i refuse to allow the internet to turn my PC into a platform for advertising, the advertisers better just focus on TV and radio and highway billboards, because they are NOT going to trash my computer content with their garbage
    • THE killer feature of AR glasses is gonna be real world ad blocking.

      I, in full seriousness, hope every single person collaborating with the ad industry (e.g. by working there out of choice) ends up in prison or thrown out of civilized society.
      Literally all it does is harm. (Except of course to those who use it to harm.)

  • Why is this a surprise???
  • Comment removed based on user account deletion
    • Except Google deliberately works on killing all other browsers via the WhatWG and introducing new kitchen sinks at a weekly rate until nobody can keep up anymore.

      Only Firefox holding out now.
      And, while I'm using that right now out of sheer principle of not supporting criminal organizations... it doesn't feel good. With most extensions gone, aka its whole point, and only a handful approved extensions left on mobile, and the new UI being a *massive* step backwards (no custom searches except with manual adding

  • Nowadays in the form of lock-in via locked-down computeroid devices.

    Because otherwise, *every* program allows arbitrary extensions. They are called *patches*. :)

    Which is why not giving users root should be a crime, and be prosecuted as monopolism.
    Looking at the EU, that may soon well become true. *fingers crossed*

    (Off-topic: Funny, how Trump, while ruining the US, was a good thing for the EU, with him bringing our politicians finally over the edge of not being US lapdogs anymore. And how Biden, while better

  • by fleeped ( 1945926 ) on Sunday December 13, 2020 @12:05PM (#60825916)

    It's good, it's fast, it's free, it's not Google or Microsoft.

    For the few webpages that Firefox fails to work, sure use bloody Chrome, but for day-to-day work? No contest, no excuse.

    • Given the number of times the sky has fallen as prophesied by Chrome related stories on Slashdot, I'll switch when adblockers stop working. I suspect just like the last 10 times ad blockers were going to "stop working" that I'll still be using Chrome a year from now.

      • The more you use it though, the greater their market share, and the more crap they will feel entitled to get away with.
        I'm been borderline masochistic trying to only use Firefox on mobile as well ... enough is enough with Chrome.

        • Their market share has remained relatively unchanged for well over 5 years. If this is the "crap they feel entitled to get away with" I think we're going to be just fine.

          I don't use Chrome on Android because it has no adblocker.

  • If you do not want to see ads, and you do not want to pay either for a subscripton, then do not visit ad supported web pages. That is so simple.

    I do not buy into the security argument. I have not used ad-blockers for 20 years and I have never got a malware infection. On the other hand I regularly see problems caused by antimalware software - including ad-blockers - on customers' and friends' PCs.

    I also do not buy into the bandwidth usage argument either. You are not forced to visit any website except some g

    • by tepples ( 727027 )

      I'm willing to see ads. I don't want to see ads based on tracking my browsing history across dozens of unaffiliated websites. When websites insistently mention "ad or tracking blockers" in one breath several times in one help page, they create an impression that contextual advertising, as opposed to interest-based advertising, is off the table as an option.

      I'm willing to pay. I'm not willing to pay upwards of 19 USD for a year's subscription just to read a single article on a website. Where are micropayment

      • by dshk ( 838175 )

        "Where are micropayments?"

        They tried several times in different ways but almost nobody wanted to use them. Most people do not want to pay, even if it is only 1 cent and only one click. On the other hand many more people happily setup and manage and sometimes pay for an ad-blocker. Some web sites experience about 20% of their visitors use ad-blocker. I do not know why.

      • by dshk ( 838175 )
        Interest based ads pay at least three times more than contextual ads. In other words you would have to see 3-5 times more ads for the same content, which is impossible. They are indeed off the table for 80% of the current web.
    • "If you do not want to see ads, and you do not want to pay either for a subscripton, then do not visit ad supported web pages. That is so simple"

      Hahahaha! Good one! If you want to browse like it's 1994, with the same limited offerings, sure.

      And just because you don't see an ad does not mean that there isn't telemetry, or a vector for malware, or underhanded Bitcoin mining going on. You might as well go back to TV and actual paper newspapers.

      I'm going to help myself to the offerings of the 2020s web, *and* b

  • Chrome worked fine for me a year ago, even three years ago. Can please you start doing something else developers?

    • Because now they need to turn the thumbscrews tighter and tighter on the user. Google is far from alone in doing this

      "Oh we will make sure you can't break DRM, and we will remove the 'obscure' tools we're pretty sure you don't need while giving tools that are shielded from you but the bad actors can freely screw you over with, but hey, here's a nice shiny new rattle for you to play with" with in recent times "you are going to take this update whether you like it or not!"- general industry attitude.

  • It's been a while since I coded an ad-blocker. Does this mean that they are going to drop `browser.webRequest` because with that interface you can regex the rules yourself without bumping into any rule limit.
  • Just split the extension into two or three independent extensions. The rules could even be grouped - "basic", "moderate", "strict" - so that the different extensions have meaningful and useful separate identities, and Chrome couldn't just declare them a workaround. So what's really going on?

    "Another Manifest v3 change is that extensions no longer may update their abilities by downloading code from third-party sites. "The entire extension now must be distributed through the Chrome Web Store, a measure Google says improves security screens and speeds reviews."

    And while improving security screens is certainly useful, it also will allow Google to ban the implementation of rules they don't like for the vast majority of users of Chromium based browsers.

  • How about a local filtering agent installed on the user machine and communicating with the extension via some sort of a socket?
  • Chrome, Javashit developers are in bed with the enemy.

    So they are going to make sure you bend over and take it in the tookas from Ad/malware companies.

    I think I'll have to make a boilerplate form for replying to these kinds of stories.

  • by couchslug ( 175151 ) on Monday December 14, 2020 @01:20AM (#60828176)

    They're cheap, effective, use little power and take little space.

    If conveniently prepackaged virtual Pi-Hole becomes available for non-techy users it could be very popular. I've not tried running one in Docker but will give it a go.

  • This is Slashdot, not CNN. Tech helplessness here is inexcusable.
    Convenient browser extensions aren't the only options to block unwanted content (which can also be a security threat).

    If objectionable content never gets to the browser it's not a problem. Perhaps we need an Ask Slashdot on the subject.

  • How the heck does a browser know how many rules an extension applies? Isn't that entirely internal to the extension? How is it exposed to the browser?

Bus error -- please leave by the rear door.

Working...