
SoylentNews is people

posted by janrinok on Saturday August 29 2020, @11:35PM
from the my-computer-my-choice dept.

Brave takes brave stand against Google's plan to turn websites into ad-blocker-thwarting Web Bundles:

A proposed Google web specification threatens to turn websites into inscrutable digital blobs that resist content blocking and code scrutiny, according to Peter Snyder, senior privacy researcher at Brave Software.

On Tuesday, Snyder published a memo warning that Web Bundles threaten user agency and web code observability. He raised this issue back in February, noting that Web Bundles would prevent ad blockers from blocking unwanted subresources. He said at the time he was trying to work with the spec's authors to address concerns but evidently not much progress has been made.

His company makes the Brave web browser, which is based on Google's open-source Chromium project though implements privacy protections, by addition or omission, not available in Google's commercial incarnation of Chromium, known as Chrome.

[...] The Web Bundles API is a Google-backed web specification for bundling the multitude of files that make up a website into a single .wbn file, which can then be shared or delivered from a content delivery network node rather than a more distant server. It's one of several related specifications for packaging websites.

The problem, as Snyder sees it, is that Web Bundles takes away the very essence of the web, the URL.

"At root, what makes the web different, more open, more user-centric than other application systems, is the URL," he wrote. "Because URLs (generally) point to one thing, researchers and activists can measure, analyze and reason about those URLs in advance; other users can then use this information to make decisions about whether, and in what way, they'd like to load the thing the URL points to."

An individual concerned about security or privacy, for example, can examine a JavaScript file associated with a particular URL and take action if it looks abusive. That becomes difficult when the file isn't easily teased out of a larger whole. Web Bundles set up private namespaces for URLs, so privacy tools that rely on URLs don't work.

"The concern is that by making URLs not meaningful, like just these arbitrary indexes into a package, the websites will become things like .SWF files or PDF files, just a big blob that you can't reason about independently, and it'll become an all or nothing deal," Snyder explained in a phone interview with The Register.

Separately, Google has been working to hide full URLs in the Chrome omnibox.


  • (Score: 3, Informative) by barbara hudson on Sunday August 30 2020, @01:47AM (1 child)


    Remember the FTP spec and how you can choose to download x number of bytes starting at offset y?

    There's metadata about the bundle's individual files, their start offset, and their size. There is absolutely no requirement to download everything. That includes individual or all JavaScript, individual or all CSS, and individual or all images, videos, emojishit, etc.

    So, a possible workaround:

    Open the stream containing the bundle.

    In the header there's the offset for the list of assets (files) in the bundle.

    Parse the header

    For each file in the bundle, check it against a whitelist of approved types

    Only download the chunks you approve.

    Name them as local files using the same names in the header metadata.

    Drop the connection

    Verify the downloads to actually be what they claim to be.

    Open the index file locally.

    This is SO not high tech. And yet nowadays even something as simple as this requires all sorts of committees, discussion groups, and probably a Code of Conduct.

    Good thing things weren't like that in the good old days - we would still be arguing over the CoC for zmodem, and PKZip. And the dBase file formats. And the up-arrow mouse pointer would be banned because "it's obviously a representation of the male penis."

    How long before people put together simple scripts to just grab the parts they want? And save bandwidth while screwing up advertisers?

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 0) by Anonymous Coward on Sunday August 30 2020, @11:12AM


    Good summary. Yes, there is sufficient information available about bundles before fully downloading them that it should be possible to change ad blockers to do blocking in two stages. Firstly, the ad blocker chooses which parts of a web bundle get downloaded based on lists of known good/bad signatures, and then it does blocking at the content level as well for anything deemed undesirable after the downloading but before that content gets displayed or executed.
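
The two-stage approach described in the comments above (choose parts from the bundle's index, fetch only those byte ranges, then verify the content), as an added example that is not from the article or either commenter. The bundle layout, the type allowlist and the names `buildBundle`, `planFetch`, `looksLike` and `loadFiltered` are assumptions made for illustration; real .wbn files use a different, CBOR-based encoding.

```javascript
// Constructed toy layout (NOT the real CBOR-based .wbn format):
// [u32 BE index length][JSON index][payload]; offsets are relative to payload.
const enc = new TextEncoder(), dec = new TextDecoder();
function buildBundle(files) { // builds the constructed sample bundle
  let offset = 0;
  const index = files.map(f => {
    const e = { url: f.url, type: f.type, offset, length: f.body.length };
    offset += f.body.length;
    return e;
  });
  const idx = enc.encode(JSON.stringify(index));
  const out = new Uint8Array(4 + idx.length + offset);
  new DataView(out.buffer).setUint32(0, idx.length);
  out.set(idx, 4);
  files.forEach((f, i) => out.set(f.body, 4 + idx.length + index[i].offset));
  return out;
}

// Stage 1: choose parts from index metadata alone, before fetching bodies.
const ALLOWED = new Set(["text/html", "text/css", "image/png"]);
const planFetch = index => index.filter(e => ALLOWED.has(e.type));

// Stage 2: the index is untrusted, so check bytes against the claimed type.
function looksLike(type, bytes) {
  if (type === "image/png") return [0x89, 0x50, 0x4e, 0x47].every((b, i) => bytes[i] === b);
  const head = dec.decode(bytes.slice(0, 16)).trimStart().toLowerCase();
  if (type === "text/html") return head.startsWith("<!doctype") || head.startsWith("<html");
  return !bytes.includes(0); // text/css: accept only NUL-free text
}

function loadFiltered(bundle) {
  let fetched = 0; // bytes actually requested
  const range = (s, n) => (fetched += n, bundle.subarray(s, s + n)); // stands in for an HTTP Range request
  const h = range(0, 4), idxLen = new DataView(h.buffer, h.byteOffset, 4).getUint32(0);
  const index = JSON.parse(dec.decode(range(4, idxLen)));
  const kept = [], rejected = [];
  for (const e of planFetch(index)) {
    const body = range(4 + idxLen + e.offset, e.length);
    (looksLike(e.type, body) ? kept : rejected).push(e.url);
  }
  return { kept, rejected, skipped: index.length - kept.length - rejected.length, fetched, total: bundle.length };
}
const sample = buildBundle([ // constructed sample entries
  { url: "index.html", type: "text/html", body: enc.encode("<!doctype html><p>hi</p>") },
  { url: "site.css", type: "text/css", body: enc.encode("p{color:red}") },
  { url: "tracker.js", type: "application/javascript", body: enc.encode("/* constructed */") },
  { url: "logo.png", type: "image/png", body: enc.encode("not really a png") },
]);
console.log(loadFiltered(sample));
```

The script entry is never requested, and the entry whose bytes do not match its claimed PNG type is fetched but rejected before use.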