SoylentNews is people
SoylentNews
from the bring-back-common-sense-adctl dept.
Google engineers have proposed changes to Chromium which would completely break content-blocking extensions, including various ad blockers, ostensibly for "security" reasons.
Per The Register:
In a note posted Tuesday to the Chromium bug tracker, Raymond Hill, the developer behind uBlock Origin and uMatrix, said the changes contemplated by the Manifest v3 proposal will ruin his ad and content blocking extensions, and take control of content away from users.
Content blockers may be used to block ads, but they have broader applications. They're predicated on the notion that users, rather than anyone else, should be able to control how their browser presents and interacts with remote resources.
Manifest v3 refers to the specification for browser extension manifest files, which enumerate the resources and capabilities available to browser extensions. Google's stated rationale for making the proposed changes is to improve security, privacy and performance, and supposedly to enhance user control.
"Users should have increased control over their extensions," the design document says. "A user should be able to determine what information is available to an extension, and be able to control that privilege."
But one way Google would like to achieve these goals involves replacing the webRequest API with a new one, declarativeNetRequest.
[...] Hill, who said he's waiting for a response from the Google software engineer overseeing this issue, said in an email to The Register: "I understand the point of a declarativeNetRequest API, and I am not against such API. However I don't understand why the blocking ability of the webRequest API – which has existed for over seven years – would be removed (as the design document proposes). I don't see what is to be gained from doing this."
Hill observes that several other capabilities will no longer be available under the new API, including blocking media elements larger than a specified size, disable JavaScript execution by injecting Content-Security-Policy directives, and removing the outgoing Cookie headers.
And he argues that if these changes get implemented, Chromium will no longer serve users.
The Register points out that this will not just affect Google Chrome and Chromium, but also Chromium based web browsers such as Brave Browser and Microsoft Edge.
(Score: 5, Insightful) by Azuma Hazuki on Wednesday January 23 2019, @04:48PM (14 children)
As annoying as this is, and certainly neither easy nor free as just installing UBO is, if it comes to that, I will build the Pi Hole (see here: https://pi-hole.net/) [pi-hole.net] if it comes to this. If these weaselly motherfuckers want to escalate the war, fine; let's see them get through THAT.
I am "that girl" your mother warned you about...
(Score: 2) by nobu_the_bard on Wednesday January 23 2019, @08:17PM (1 child)
Blocking at this level, doesn't allow me only allow ads on websites that I approve of receiving the ads for, does it?
(Score: 5, Informative) by edIII on Wednesday January 23 2019, @08:57PM
I'm not sure that is precluded with pi-hole. You probably can white-list some domains. Then again, if those ads you wish to allow are also coming from problematic advertisers, then you would be unwise to allow it. Even if it contributed to content creators you wish to support.
The problem isn't just advertising and how we support content creators, it's also very much the mass surveillance that goes along with it, and the routine transmission of malware using the advertising distribution networks. If we could successfully sue these network for millions each time an unvetted advertisement gets through, than I might tone down the security concerns. However, they are largely unaccountable to the people they hurt.
If you wish to support somebody, write to them and encourage them to join Patreon or something. I personally find this perverted comic [oglaf.com] enjoyable and they don't thrust advertisements down my throat, and have other methods for me to support them. Including Patreon.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 5, Insightful) by edIII on Wednesday January 23 2019, @08:50PM (8 children)
DNS-over-HTTPS may present quite a problem if it is implemented inside Chrome/Chromium without the option to specify the DNS server. Imagine all DNS requests sent directly to 4.4.4.4 wrapped up in SSL certs you don't control. Then pi-hole won't work anymore. We need a full intercepting proxy that can also be a SSL middleman to strip away the protections that would stop us from moderating content.
The browser was the best place to do that because of SSL, but if the major browser developers are bunkering down, then we need forks fast. If they're willing to declare war against ad-blocking plugins, then I believe they would be willing to wrap up all the DNS requests in SSL in a way we don't control as well. This isn't just about ads, but ads being used to transmit malware. Something the big guys continually avoid accountability for, even though it costs consumers millions of dollars in repair fees constantly.
Man, we really need a FOSS browser that is several components:
Ideally it would have a backend component running on something like a Raspberry Pi all the way up to a high end server capable of serving many frontend "clients" on different devices. A frontend running on your Android phone could have VPN connectivity to the backend server to protect you while mobile.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 4, Interesting) by Azuma Hazuki on Wednesday January 23 2019, @08:58PM (4 children)
Jesus Christ, that is *evil.* Whose idea was that, DNS over HTTPS?
To see our best tools for liberty and defense, the SSL and HTTPS standards, used against us as weapons is a special kind of tragedy...
I am "that girl" your mother warned you about...
(Score: 1, Interesting) by Anonymous Coward on Wednesday January 23 2019, @11:31PM
https was a defense for liberty? Not since the net got it in its mind to make it the enforced standard of all and browsers started warning you about insecure browsing, even for things that had absolutely no requirements for security. Quite the opposite of liberty.
(Score: 2) by darkfeline on Thursday January 24 2019, @05:42AM (2 children)
Spoken with the proud wisdom born from technical ignorance. Plain DNS notoriously suffers from many security problems: lack of trust, lack of privacy. DNSSEC only covers a small part of the problem. DNS-over-HTTPS is necessary to fully fix the problems with DNS.
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ [mozilla.org]
Join the SDF Public Access UNIX System today!
(Score: 2) by Azuma Hazuki on Thursday January 24 2019, @06:41AM (1 child)
I know of the problems with DNS, thank you. But if DNS over HTTPS allows this sort of hijacking to happen, maybe we ought to be investigating another means of securing it. Don't assume so quickly.
I am "that girl" your mother warned you about...
(Score: 3, Interesting) by darkfeline on Thursday January 24 2019, @09:24AM
DoH is a protocol which has nothing to do whether it is implemented natively within a program. Any program can implement its own DNS to "hijack" resolution from the OS resolver. This has nothing to do with DoH.
And all of this is ignoring that Chromium is FOSS so you can replace any hypothetical hard coded DNS server.
Blah blah technical ignorance.
Join the SDF Public Access UNIX System today!
(Score: 1, Interesting) by Anonymous Coward on Thursday January 24 2019, @03:22AM
You will end up having to do what corporate proxy servers do. Create your own cert and man in the middle the thing.
(Score: 0) by Anonymous Coward on Thursday January 24 2019, @10:15AM
But ... think of the children! All our (basically government-mandated) ISP adult site blocking is done by DNS restriction. If google pull dns-over-https, they might fall foul of the law.
(Score: 1, Interesting) by Anonymous Coward on Thursday January 24 2019, @03:31PM
i've hated handing over any control to the browser. vpns over https/ssl dependent on the browser have been the worst! the tab crashes and oh look your connection depending on it is ruined and the far side hasn't timed out yet! try back later.
i would far prefer a NIC dependent solution that let the users or administrators of the topology control where dns queries go and how that gets encrypted and what happens if that fails.
treat the browser like an application, don't treat it as a dependency.
(Score: 0) by Anonymous Coward on Wednesday January 23 2019, @10:51PM (1 child)
Does anybody else know about this Pi Hole thing? On the surface it sounds quite intriguing. However, I'm a bit hesitant to give all my DNS traffic to a third party unknown place.
Can anybody else vouch for this?
(Score: 0) by Anonymous Coward on Thursday January 24 2019, @02:46PM
"give all my DNS traffic to a third party"
You're already doing that if you're using ISP caching DNS servers, or most of the "open" DNS servers, since they sell your data to whoever is willing to pay.
The way to get around that is to install a fully recursive resolver. There is one w/ maradns that works. It adds about 1/3rd of a second to page loads on average. Of course if everybody did this it would crash the root servers. So it isn't a scalable solution. But if you want privacy in your DNS, you're pretty much going to contribute you're little piece to DOS'ing ICANN.
This is really a legal problem more than it is a tech problem. DNS caching is switched data between parties unrelated to the ISP. With common cairrage what they do is felony wiretapping. But we don't have that because of Pai is a criminal.
The DNS over https thing is a land grab. Everybody knows DNS is deprecated. They are localizing it because they plan on proprieterizing it at the OS level. Essentially this gives them control over the registrars. Which is to say, the fact that you haven't seen half a dozen registrars get together and design a secure portable DNS over IPV6, means that they are going to all be subsidiaries of Comcast and AT&T here in the next several years.
(Score: 0) by Anonymous Coward on Monday January 28 2019, @01:34PM
Next up: both the dns requests and the content will be tunneled to bypass the OS and firewalls to make sure turd party content is loaded
Combined with removing plugin access to the DOM ads will dominate the internet tubes once again!