
SoylentNews is people

posted by janrinok on Saturday August 29 2020, @11:35PM
from the my-computer-my-choice dept.

Brave takes brave stand against Google's plan to turn websites into ad-blocker-thwarting Web Bundles:

A proposed Google web specification threatens to turn websites into inscrutable digital blobs that resist content blocking and code scrutiny, according to Peter Snyder, senior privacy researcher at Brave Software.

On Tuesday, Snyder published a memo warning that Web Bundles threaten user agency and web code observability. He raised this issue back in February, noting that Web Bundles would prevent ad blockers from blocking unwanted subresources. He said at the time he was trying to work with the spec's authors to address concerns but evidently not much progress has been made.

His company makes the Brave web browser, which is based on Google's open-source Chromium project, though it implements privacy protections, by addition or omission, that are not available in Google's commercial incarnation of Chromium, known as Chrome.

[...] The Web Bundles API is a Google-backed web specification for bundling the multitude of files that make up a website into a single .wbn file, which can then be shared or delivered from a content delivery network node rather than a more distant server. It's one of several related specifications for packaging websites.

The problem, as Snyder sees it, is that Web Bundles takes away the very essence of the web, the URL.

"At root, what makes the web different, more open, more user-centric than other application systems, is the URL," he wrote. "Because URLs (generally) point to one thing, researchers and activists can measure, analyze and reason about those URLs in advance; other users can then use this information to make decisions about whether, and in what way, they'd like to load the thing the URL points to."

An individual concerned about security or privacy, for example, can examine a JavaScript file associated with a particular URL and take action if it looks abusive. That becomes difficult when the file isn't easily teased out of a larger whole. Web Bundles set up private namespaces for URLs, so privacy tools that rely on URLs don't work.

"The concern is that by making URLs not meaningful, like just these arbitrary indexes into a package, the websites will become things like .SWF files or PDF files, just a big blob that you can't reason about independently, and it'll become an all or nothing deal," Snyder explained in a phone interview with The Register.

Separately, Google has been working to hide full URLs in the Chrome omnibox.


  • (Score: 5, Insightful) by shortscreen on Sunday August 30 2020, @12:00AM (10 children)

    by shortscreen (2252) on Sunday August 30 2020, @12:00AM (#1043985) Journal

    Opera already had an .MHT format for condensing everything on a web page into one file, used for saving a local copy of a page. Would .WBN be similar to that? In some ways that could be an improvement over what we have now. The server would have to do the work of deciding what data you're going to get and packing it into that one file, instead of what many websites are doing now which is sending some JS which then wastes a zillion of my CPU cycles to piece together a bunch of crap spread across twenty different servers. And when JS running on the client is tasked with doing all of the loading, having JS disabled means you get nothing, whereas maybe a .WBN contains everything needed to render a page even without executing any JS.

    On the other hand, it would be yet more vendor lock-in and planned obsolescence and reinventing the wheel...

  • (Score: 5, Insightful) by Anonymous Coward on Sunday August 30 2020, @12:19AM (5 children)

    by Anonymous Coward on Sunday August 30 2020, @12:19AM (#1043997)

    In some ways that could be an improvement over what we have now.

    In WHAT ways is the "Download 10 GB to see these 5 lines of text" an improvement over anything?

    • (Score: 2) by Runaway1956 on Sunday August 30 2020, @12:30AM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Sunday August 30 2020, @12:30AM (#1044002) Journal

      There is one way, but only one way, it can be an improvement. That 10GB isn't being piped in from 'leventy-leven unidentifiable servers located around the world. Meaning, if you get malware or some such, you can identify where it came from. There is no other benefit to you, or to me, the "end users".

      • (Score: 2) by c0lo on Sunday August 30 2020, @12:36AM

        by c0lo (156) Subscriber Badge on Sunday August 30 2020, @12:36AM (#1044006) Journal

        That 10GB isn't being piped in from 'leventy-leven unidentifiable servers located around the world.

        Not that there is a single way to solve this problem.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 5, Insightful) by TheReaperD on Sunday August 30 2020, @08:02AM

        by TheReaperD (5556) on Sunday August 30 2020, @08:02AM (#1044111)

        Right now, those 'leventy-leven' unintelligible (FTFY) 'servers located around the world' may not mean much to me and you, but my ad-blocker identifies common ad and malware servers (same thing to me) and prevents the content from ever being downloaded. It's this last part that rubs Google the wrong way because it affects their bottom line. Their fingerprinting technology has been perfected to the point where you don't even need to run it anymore for it to track you, you just have to download it. Earlier in the year, Google did a Chrome add-on policy change that was designed to prevent ad-blockers from selectively downloading content in order to have them stop messing with Google's fingerprinting tools. But, since everything is still in individual pieces, there are ways around the policy. That's where this change comes in. The ads, fingerprinting, and malware will still come from 'leventy-leven servers around the world', but now, they will be unidentifiable because the web server will gather them up from around the world and bundle the whole damn mess into a single file, so you have no choice but to download the entire mess if you want anything. If this goes through, you have to download the fingerprint file that gets Google paid, and if you are forced to download a virus or two, that's not their problem as their check will clear and that's all they care about.

        This is exactly like the bullshit phone companies were pulling when everyone started getting rid of their land lines as everyone moved to cell phones. They started doing 'bundling requirements' that required that you pay for a landline that you didn't want or use in order to get internet service. Some went so far as to require that you get basic cable too before the FCC blocked them from doing it. Same shit, different day. It may seem like I'm comparing apples to oranges, but I'm not. It's the exact same tactic of bundling shit you don't want with the stuff you need to take away your ability to choose.

        --
        Ad eundum quo nemo ante iit
    • (Score: 1, Interesting) by Anonymous Coward on Sunday August 30 2020, @12:39AM (1 child)

      by Anonymous Coward on Sunday August 30 2020, @12:39AM (#1044008)

      They would be very long lines of text.

      Minimizing connection and HTTP request overhead by bundling resources is a good idea, as is not bloating websites with pointless "frameworks" and other such crap. The two are not mutually exclusive. For many sites, the compressed stylesheet, script and individual navigation images would each fit in a single packet. Even with keep-alive and pipelining, the request overhead makes retrieving these assets a more expensive operation than it need be.

      • (Score: 5, Interesting) by barbara hudson on Sunday August 30 2020, @02:29AM

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday August 30 2020, @02:29AM (#1044049) Journal

        Allowing people to block URLs by file type saves way more bandwidth than bundles ever will. I've blocked all graphics, videos, images on my phone and it's amazing how little bandwidth I use now. No social media icons, no auto-play videos, no stupid stock photos on news sites. Bundles would require me to set up a proxy on my laptop to download the index section of the bundle, then download the chunks of the files for the file types I whitelist. It would still be faster than downloading the entire bundle, and save bandwidth, so there's the incentive to do it. As a bonus, the advertisers won't know their ads were never downloaded, so if the bundle server is counting every access to the file as a download of the entire bundle, advertisers will find their ad effectiveness drop like a stone. Which is a good thing considering how much of my bandwidth they want to waste showing me ads.

        Go back to simple text-only ads that don't suck up my mobile data plan and maybe we can talk. Or maybe not. It's going to take a while to even think about seeing any ads again. I suspect many of us haven't seen an ad in a long time. Those who have, you should perhaps consider stopping using YouTube and Facebook and gmail.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 3, Interesting) by krishnoid on Sunday August 30 2020, @01:10AM (1 child)

    by krishnoid (1156) on Sunday August 30 2020, @01:10AM (#1044022)

    Chrome also has a "Save as MHTML" extension/setting, handy for saving an HTML receipt/order confirmation along with all the logos and stuff as a single (large) file. Going out on the limb even further, this change could trade off WAN traffic for LAN traffic -- imagine a browser that downloads a remote-hosted web service (e.g., Jira) page as a bundle, then makes its file manifest (size, date modified, CRC, contents) available within a LAN via a peer-to-peer protocol.

    Then someone else visiting that URL from inside the same LAN could request the bundle's manifest, find which pieces are local, then resend a request for just the pieces they can't get from the LAN, maybe decreasing the data transferred. It would at least decrease the overhead associated with multiple TCP connections.

    At the very least, wouldn't it help with cross-site scripting attacks and make sites host (and be responsible for) their ad content?

    • (Score: 0) by Anonymous Coward on Sunday August 30 2020, @12:40PM

      by Anonymous Coward on Sunday August 30 2020, @12:40PM (#1044159)

      I couldn't figure out how that would be an improvement over the caching servers we already have.

  • (Score: 3, Informative) by barbara hudson on Sunday August 30 2020, @01:47AM (1 child)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday August 30 2020, @01:47AM (#1044035) Journal

    Remember the FTP spec and how you can choose to download x number of bytes starting at offset y?

    There's metadata about the bundle's individual files, their start offset, and their size. There is absolutely no requirement to download everything. That includes individual or all JavaScript, individual or all CSS, and individual or all images, videos, emojishit, etc.

    So, a possible workaround:

    Open the stream containing the bundle.

    In the header there's the offset for the list of assets (files) in the bundle.

    Parse the header.

    For each file in the bundle, check it against a whitelist of approved types.

    Only download the chunks you approve.

    Name them as local files using the same names in the header metadata.

    Drop the connection.

    Verify the downloads to actually be what they claim to be.

    Open the index file locally.

    This is SO not high tech. And yet nowadays even something as simple as this requires all sorts of committees, discussion groups, and probably a Code of Conduct.

    Good thing things weren't like that in the good old days - we would still be arguing over the CoC for zmodem, and PKZip. And the dBase file formats. And the up-arrow mouse pointer would be banned because "it's obviously a representation of the male penis."

    How long before people put together simple scripts to just grab the parts they want? And save bandwidth while screwing up advertisers?

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 0) by Anonymous Coward on Sunday August 30 2020, @11:12AM

      by Anonymous Coward on Sunday August 30 2020, @11:12AM (#1044144)

      Good summary. Yes, there is sufficient information available about bundles before fully downloading them that it should be possible to change ad blockers to do blocking in two stages. Firstly, the ad blocker chooses which parts of a web bundle get downloaded based on lists of known good/bad signatures, and then it does blocking at the content level as well for anything deemed undesirable after the downloading but before that content gets displayed or executed.
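A script along the lines of barbara hudson's step list and the two-stage blocking reply above, added here as an illustration rather than code from the thread or from any real Web Bundles implementation. It assumes a constructed toy bundle layout (a length-prefixed JSON index followed by the concatenated resource bytes, not the real CBOR format), stands in for HTTP Range requests with a byte slice, and uses constructed sample resources and a hypothetical blocked-host marker list.

```python
import hashlib
import json
import struct
# Constructed toy layout (assumed here; NOT the real Web Bundles CBOR format):
#   4-byte index length | JSON index of {url,type,offset,length,sha256} | resource bytes
ALLOWED_TYPES = {"text/html", "text/css"}   # stage 1: whitelist of file types to fetch
BLOCKED_MARKERS = (b"ads.example",)         # stage 2: content-level denylist (constructed)

def build_bundle(resources):
    """Pack (url, type, bytes) triples into the toy format (only to build sample input)."""
    body, index = b"", []
    for url, ctype, data in resources:
        index.append({"url": url, "type": ctype, "offset": len(body), "length": len(data),
                      "sha256": hashlib.sha256(data).hexdigest()})
        body += data
    idx = json.dumps(index).encode()
    return struct.pack(">I", len(idx)) + idx + body

def read_range(stream, start, length):   # stand-in for an HTTP Range request
    return stream[start:start + length]

def parse_index(stream):
    """Fetch just the header and index; returns (index, offset where the body starts)."""
    (idx_len,) = struct.unpack(">I", read_range(stream, 0, 4))
    return json.loads(read_range(stream, 4, idx_len)), 4 + idx_len

def selective_fetch(stream, allowed=ALLOWED_TYPES):
    """Stage 1: range-fetch only whitelisted types and verify each chunk's declared hash."""
    index, body_start = parse_index(stream)
    fetched, skipped, bytes_read = {}, [], body_start   # header + index already read
    for entry in index:
        if entry["type"] not in allowed:
            skipped.append(entry["url"])
            continue
        data = read_range(stream, body_start + entry["offset"], entry["length"])
        bytes_read += len(data)
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:   # verify before trusting
            raise ValueError("hash mismatch for " + entry["url"])
        fetched[entry["url"]] = data
    return fetched, skipped, bytes_read

def content_filter(fetched, markers=BLOCKED_MARKERS):
    """Stage 2: drop fetched resources that reference a blocked host before they are used."""
    return {u: d for u, d in fetched.items() if not any(m in d for m in markers)}

SAMPLE = build_bundle([   # constructed sample: site assets, a tracker script, a large image
    ("https://site.example/index.html", "text/html", b"<html><body>hello</body></html>"),
    ("https://site.example/style.css", "text/css", b".ad{background:url(https://ads.example/px.gif)}"),
    ("https://ads.example/track.js", "application/javascript", b"fingerprint();"),
    ("https://site.example/hero.jpg", "image/jpeg", b"\xff\xd8" + b"\x00" * 4000)])
```

Calling `selective_fetch(SAMPLE)` transfers only the index plus the HTML and CSS chunks and leaves the script and image on the server, and `content_filter` then drops the stylesheet because it pulls in a blocked host.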