posted by janrinok on Saturday August 29 2020, @11:35PM
from the my-computer-my-choice dept.

Brave takes brave stand against Google's plan to turn websites into ad-blocker-thwarting Web Bundles:

A proposed Google web specification threatens to turn websites into inscrutable digital blobs that resist content blocking and code scrutiny, according to Peter Snyder, senior privacy researcher at Brave Software.

On Tuesday, Snyder published a memo warning that Web Bundles threaten user agency and web code observability. He raised this issue back in February, noting that Web Bundles would prevent ad blockers from blocking unwanted subresources. He said at the time he was trying to work with the spec's authors to address concerns but evidently not much progress has been made.

His company makes the Brave web browser, which is based on Google's open-source Chromium project though implements privacy protections, by addition or omission, not available in Google's commercial incarnation of Chromium, known as Chrome.

[...] The Web Bundles API is a Google-backed web specification for bundling the multitude of files that make up a website into a single .wbn file, which can then be shared or delivered from a content delivery network node rather than a more distant server. It's one of several related specifications for packaging websites.

The problem, as Snyder sees it, is that Web Bundles takes away the very essence of the web, the URL.

"At root, what makes the web different, more open, more user-centric than other application systems, is the URL," he wrote. "Because URLs (generally) point to one thing, researchers and activists can measure, analyze and reason about those URLs in advance; other users can then use this information to make decisions about whether, and in what way, they'd like to load the thing the URL points to."

An individual concerned about security or privacy, for example, can examine a JavaScript file associated with a particular URL and take action if it looks abusive. That becomes difficult when the file isn't easily teased out of a larger whole. Web Bundles set up private namespaces for URLs, so privacy tools that rely on URLs don't work.

"The concern is that by making URLs not meaningful, like just these arbitrary indexes into a package, the websites will become things like .SWF files or PDF files, just a big blob that you can't reason about independently, and it'll become an all or nothing deal," Snyder explained in a phone interview with The Register.

Separately, Google has been working to hide full URLs in the Chrome omnibox.


  • (Score: 2) by EJ on Sunday August 30 2020, @01:40AM (5 children)

    by EJ (2452) on Sunday August 30 2020, @01:40AM (#1044034)

    That's not what this does. The web browser has to be able to display the thing at the end of it all. That means the web browser has to be able to figure out what the data is and/or where to grab it from.

    This sounds like quite a bit of FUD to me.

  • (Score: 2) by barbara hudson on Sunday August 30 2020, @01:57AM (2 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday August 30 2020, @01:57AM (#1044037) Journal
    It's totally FUD. I doubt the guy even read the spec. Picture a header containing an offset to the list of contained files and their starting offsets and lengths. You can use FTP to seek to the index, get the file list and metadata, and download just the parts you want, using the same file names as in the header. And not downloading any file types you haven't whitelisted.

    The idea is to force you to download everything instead of blocking crap you don't want. Obviously not going to work, especially when you pre-sanitize your local copy to remove any reference to file types you didn't whitelist. It's like covid - lots of sanitizing, mask out undesirable file types, keep away from suspicious files.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 2) by Bot on Sunday August 30 2020, @09:40PM (1 child)

      by Bot (3902) on Sunday August 30 2020, @09:40PM (#1044348) Journal

      >You can use FTP to seek to the index

      You meant HTTP range request, I think; the number of websites with an anonymous FTP server active for the domain must be quite low these days.

      --
      Account abandoned.
      • (Score: 2) by barbara hudson on Sunday August 30 2020, @10:29PM

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday August 30 2020, @10:29PM (#1044365) Journal

        This whole thing is only going to be used by Google alone for their next generation of AMP, so if you don't use Google search you'll be able to see the original site, and not some web bundle that they want to serve up to act as a sort of private web, depriving the original site of hits while simultaneously inserting their own ads, so it's not like it's anything to be really worried about unless you serve up static content - and the original site can always poison Google's crawl.

        Everyone is trying to make parts of the web into their own walled gardens, the biggest offenders being Facebook and Alphabet. But what do they supply that you really need?

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
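
The selective fetch that barbara hudson and Bot describe above (read an index of offsets and lengths, then request only allowlisted entries with HTTP range requests), as an added example that is not part of the original thread or of the Web Bundles spec. The `TOYB` layout, the function names and the sample files are constructed for illustration and are not the real .wbn format; `serve_range` stands in for a server so the block runs offline.

```python
import struct

MAGIC = b"TOYB"  # constructed toy layout, NOT the real .wbn format

def build_bundle(files):
    """Pack {name: bytes} as: magic, index offset, bodies, then the index."""
    body, index = b"", struct.pack(">H", len(files))
    for name, data in files.items():
        raw = name.encode()
        index += struct.pack(">H", len(raw)) + raw
        index += struct.pack(">II", 8 + len(body), len(data))
        body += data
    return MAGIC + struct.pack(">I", 8 + len(body)) + body + index

def serve_range(blob, header):
    """Stand-in for a server honouring 'bytes=a-b' or 'bytes=a-'."""
    first, _, last = header.split("=", 1)[1].partition("-")
    return blob[int(first):(int(last) + 1 if last else None)]

def read_index(fetch):
    """Fetch only the 8-byte header and the index; return (name, off, len)."""
    head = fetch("bytes=0-7")
    if head[:4] != MAGIC:
        raise ValueError("not a toy bundle")
    index_off = struct.unpack(">I", head[4:])[0]
    idx = fetch(f"bytes={index_off}-")
    count, pos, entries = struct.unpack_from(">H", idx)[0], 2, []
    for _ in range(count):
        n = struct.unpack_from(">H", idx, pos)[0]
        name = idx[pos + 2:pos + 2 + n].decode()
        off, length = struct.unpack_from(">II", idx, pos + 2 + n)
        # Reject entries that reach into the header or the index itself.
        if off < 8 or off + length > index_off:
            raise ValueError(f"entry {name!r} points outside the body area")
        entries.append((name, off, length))
        pos += 2 + n + 8
    return entries

def plan_fetch(entries, allowed_exts):
    """Range headers for allowlisted, non-empty entries only."""
    return {name: f"bytes={off}-{off + length - 1}"
            for name, off, length in entries
            if length and name.rsplit(".", 1)[-1].lower() in allowed_exts}

SAMPLE = build_bundle({"index.html": b"<h1>hi</h1>", "style.css": b"h1{}",
                       "tracker.js": b"beacon()"})  # constructed sample
```

The allowlist here keys on the names stored in the index, so it is only as trustworthy as those names.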
  • (Score: 5, Interesting) by deimtee on Sunday August 30 2020, @06:07AM (1 child)

    by deimtee (3272) on Sunday August 30 2020, @06:07AM (#1044099) Journal

    You've got to look further ahead. The next step after this is widespread is obviously to encrypt/decrypt the bundle using the same or similar DRM methods they use to play "protected" content.

    --
    If you cough while drinking cheap red wine it really cleans out your sinuses.
    • (Score: 2) by barbara hudson on Sunday August 30 2020, @11:04AM

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday August 30 2020, @11:04AM (#1044142) Journal
      The format is for Google to use to deliver websites faster, same as Google AMP. Don't want to use it, don't use Google search. You'll be presented with the original web site, not the Google AMP alternative. This is just their next version of AMP that puts them in charge.
      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.