Google engineers have proposed changes to Chromium which would completely break content-blocking extensions, including various ad blockers, ostensibly for "security" reasons.
Per The Register:
In a note posted Tuesday to the Chromium bug tracker, Raymond Hill, the developer behind uBlock Origin and uMatrix, said the changes contemplated by the Manifest v3 proposal will ruin his ad and content blocking extensions, and take control of content away from users.
Content blockers may be used to block ads, but they have broader applications. They're predicated on the notion that users, rather than anyone else, should be able to control how their browser presents and interacts with remote resources.
Manifest v3 refers to the specification for browser extension manifest files, which enumerate the resources and capabilities available to browser extensions. Google's stated rationale for making the proposed changes is to improve security, privacy and performance, and supposedly to enhance user control.
"Users should have increased control over their extensions," the design document says. "A user should be able to determine what information is available to an extension, and be able to control that privilege."
But one way Google would like to achieve these goals involves replacing the webRequest API with a new one, declarativeNetRequest.
[...] Hill, who said he's waiting for a response from the Google software engineer overseeing this issue, said in an email to The Register: "I understand the point of a declarativeNetRequest API, and I am not against such API. However I don't understand why the blocking ability of the webRequest API – which has existed for over seven years – would be removed (as the design document proposes). I don't see what is to be gained from doing this."
Hill observes that several other capabilities will no longer be available under the new API, including blocking media elements larger than a specified size, disable JavaScript execution by injecting Content-Security-Policy directives, and removing the outgoing Cookie headers.
And he argues that if these changes get implemented, Chromium will no longer serve users.
The Register points out that this will not just affect Google Chrome and Chromium, but also Chromium based web browsers such as Brave Browser and Microsoft Edge.
(Score: 5, Insightful) by edIII on Wednesday January 23 2019, @08:50PM (8 children)
DNS-over-HTTPS may present quite a problem if it is implemented inside Chrome/Chromium without the option to specify the DNS server. Imagine all DNS requests sent directly to 4.4.4.4 wrapped up in SSL certs you don't control. Then pi-hole won't work anymore. We need a full intercepting proxy that can also be a SSL middleman to strip away the protections that would stop us from moderating content.
The browser was the best place to do that because of SSL, but if the major browser developers are bunkering down, then we need forks fast. If they're willing to declare war against ad-blocking plugins, then I believe they would be willing to wrap up all the DNS requests in SSL in a way we don't control as well. This isn't just about ads, but ads being used to transmit malware. Something the big guys continually avoid accountability for, even though it costs consumers millions of dollars in repair fees constantly.
Man, we really need a FOSS browser that is several components:
Ideally it would have a backend component running on something like a Raspberry Pi all the way up to a high end server capable of serving many frontend "clients" on different devices. A frontend running on your Android phone could have VPN connectivity to the backend server to protect you while mobile.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 4, Interesting) by Azuma Hazuki on Wednesday January 23 2019, @08:58PM (4 children)
Jesus Christ, that is *evil.* Whose idea was that, DNS over HTTPS?
To see our best tools for liberty and defense, the SSL and HTTPS standards, used against us as weapons is a special kind of tragedy...
I am "that girl" your mother warned you about...
(Score: 1, Interesting) by Anonymous Coward on Wednesday January 23 2019, @11:31PM
https was a defense for liberty? Not since the net got it in its mind to make it the enforced standard of all and browsers started warning you about insecure browsing, even for things that had absolutely no requirements for security. Quite the opposite of liberty.
(Score: 2) by darkfeline on Thursday January 24 2019, @05:42AM (2 children)
Spoken with the proud wisdom born from technical ignorance. Plain DNS notoriously suffers from many security problems: lack of trust, lack of privacy. DNSSEC only covers a small part of the problem. DNS-over-HTTPS is necessary to fully fix the problems with DNS.
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ [mozilla.org]
Join the SDF Public Access UNIX System today!
(Score: 2) by Azuma Hazuki on Thursday January 24 2019, @06:41AM (1 child)
I know of the problems with DNS, thank you. But if DNS over HTTPS allows this sort of hijacking to happen, maybe we ought to be investigating another means of securing it. Don't assume so quickly.
I am "that girl" your mother warned you about...
(Score: 3, Interesting) by darkfeline on Thursday January 24 2019, @09:24AM
DoH is a protocol which has nothing to do whether it is implemented natively within a program. Any program can implement its own DNS to "hijack" resolution from the OS resolver. This has nothing to do with DoH.
And all of this is ignoring that Chromium is FOSS so you can replace any hypothetical hard coded DNS server.
Blah blah technical ignorance.
Join the SDF Public Access UNIX System today!
(Score: 1, Interesting) by Anonymous Coward on Thursday January 24 2019, @03:22AM
You will end up having to do what corporate proxy servers do. Create your own cert and man in the middle the thing.
(Score: 0) by Anonymous Coward on Thursday January 24 2019, @10:15AM
But ... think of the children! All our (basically government-mandated) ISP adult site blocking is done by DNS restriction. If google pull dns-over-https, they might fall foul of the law.
(Score: 1, Interesting) by Anonymous Coward on Thursday January 24 2019, @03:31PM
i've hated handing over any control to the browser. vpns over https/ssl dependent on the browser have been the worst! the tab crashes and oh look your connection depending on it is ruined and the far side hasn't timed out yet! try back later.
i would far prefer a NIC dependent solution that let the users or administrators of the topology control where dns queries go and how that gets encrypted and what happens if that fails.
treat the browser like an application, don't treat it as a dependency.