Most active commenters
  • crazygringo(5)
  • kuhsaft(5)
  • (4)
  • sunshowers(4)
  • freedomben(3)
  • kbolino(3)
  • Spunkie(3)
  • EasyMark(3)
  • pkasting(3)

←back to thread

"Begin disabling installed extensions still using Manifest V2 in Chrome stable"

(developer.chrome.com)
552 points freedomben | 98 comments | 11 Oct 24 14:20 UTC | HN request time: 1.838s | source | bottom
1. sho ◴[11 Oct 24 14:49 UTC] No.41809962[source]
Hopefully this is the inflection point for Chrome. Despite all their made-up "security" reasons, everyone knows this is solely about making adblock less effective. For many users, adblock is what makes chrome bearable - and if they make it unbearable, then those users will leave. Slowly but surely.

Google seems much too sure of itself making this change. I hope their arrogance pays off just the same as Microsoft's did with IE.

replies(14): >>41810044 #>>41810118 #>>41810304 #>>41810320 #>>41810359 #>>41810375 #>>41810472 #>>41810519 #>>41810553 #>>41811938 #>>41812626 #>>41813079 #>>41813685 #>>41822203 #
2. Rychard ◴[11 Oct 24 14:56 UTC] No.41810044[source]
The widespread adoption of Chrome was largely driven by word of mouth, people like you and I installing it on our friend's/relative's computers and telling them it was safer/faster/better.

Nothing stops us from doing the same thing again. I've been recommending Firefox to all my family/friends/colleagues for years (ever since I've seen the writing on the wall for Chrome). While Firefox isn't perfect, it's in a much better place than Chrome is, and meets the the needs of nearly 100% of people.

replies(4): >>41810119 #>>41810134 #>>41810545 #>>41816693 #
3. freedomben ◴[11 Oct 24 15:04 UTC] No.41810118[source]
Agreed on hoping this is the inflection point, but only partial agreement that it's about adblock. For sure Google wants adblock to die, but I think it goes even deeper than that.

I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against. Web integrity, Manifest v3, various DoH/DoT, bootloader locking, device integrity which conveniently makes root difficult/impossible, and more.

To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in. The next generation won't have the wonderful and fertile computing environment that we enjoyed, and it's (partly) your fault.

replies(10): >>41810189 #>>41810253 #>>41810403 #>>41810484 #>>41811226 #>>41812153 #>>41812977 #>>41815654 #>>41816016 #>>41816240 #
4. undercut ◴[11 Oct 24 15:04 UTC] No.41810119[source]
>The widespread adoption of Chrome was largely driven by word of mouth

No, it was driven by having a banner in the most privileged spot of the Internet, Google.com (the most visited site in the world with 0 ads on the homepage) saying that was faster and more secure than the alternatives. In fact Firefox benefited from some free ads on Google.com against Internet Explorer before Google developed Chromium.

replies(5): >>41810173 #>>41810174 #>>41810991 #>>41812244 #>>41812327 #
5. Izkata ◴[11 Oct 24 15:06 UTC] No.41810134[source]
I swear I also remember it getting included in installation wizards for unrelated software (on Windows), so people would end up with Chrome/Chromium without even realizing it.
replies(1): >>41810582 #
6. freedomben ◴[11 Oct 24 15:09 UTC] No.41810173{3}[source]
It was kind of both, depending on the timeline. Early on it was word of mouth, then Google saw they had momentum and they capitalized on it with the banners and aggressive marketing.
replies(3): >>41810558 #>>41814967 #>>41815834 #
7. cyberpunk ◴[11 Oct 24 15:09 UTC] No.41810174{3}[source]
… isn’t that banner an ad?
8. justanotheratom ◴[11 Oct 24 15:11 UTC] No.41810189[source]
yes, iOS now restricts Apps from getting blanket access to their contacts, photos, and even clipboard. On the one hand, it does protect the user from malicious Apps that trick users into giving blanket access. On the other hand, they could have atleast done it like location access - where user still has an option to give blanket access. It is not fair that Siri is the only one that can access these things now.
replies(2): >>41810347 #>>41810527 #
9. kbolino ◴[11 Oct 24 15:18 UTC] No.41810253[source]
It is important, I think, to understand that personal computing is just one part of the picture. "Enterprise" environments (governments, businesses, large organizations, etc.) have demanded many of these "features" even before Google started implementing them. Your workplace, by and large, does not want you, the replaceable person who happens to be sitting at the keyboard, to be in full control of the device that they own and which is connected to their network. Often this is made more explicit by the device just being a "thin client" or other totally locked down narrow viewport to some other computer you can't even touch. It sucks and the general trend of workplaces trusting their employees less and less has been demeaning and degenerative to the point of often fostering self-fulfilling prophecies of mistrust (don't trust anyone => get untrustworthy people => bad things happen => don't trust anyone => ...).

However, it is important to also understand that the employee is not the only stakeholder. Government agencies answer to legislators, nonprofit management answer to donors, corporate management answer to investors, etc. There are layers of compliance that must be considered as well (internal policies, external regulations, different insurance costs, etc.). It is unsurprising that these fewer but generally deep-pocketed entities have an outsized influence on the market compared to more numerous but less moneyed end users. If you refuse to serve the former, you may quickly find yourself out of business.

replies(4): >>41810399 #>>41810523 #>>41810530 #>>41815683 #
10. crazygringo ◴[11 Oct 24 15:22 UTC] No.41810304[source]
> everyone knows this is solely about making adblock less effective

I thought I knew that.

Then I switched from uBlock Origin to uBlock Origin Lite in Chrome, which is compatible with Manifest v3. I was prepared for the horrible onslaught of ads, expecting at least a quarter would start getting through, ready to switch to Firefox...

...and didn't notice a single change. Not a single ad gets through.

And at the same time, loading pages feels a little faster, though I haven't measured it.

Which has now got me wondering -- what if Manifest v3 really was about security and performance all along?

Because if Google was using it to kill adblockers, they've made approximately 0% progress towards that goal as far as I can tell. If they really wanted to kill adblockers, they'd just, you know, kill adblockers. But they didn't at all.

replies(8): >>41810353 #>>41810378 #>>41810393 #>>41810478 #>>41810535 #>>41810636 #>>41812396 #>>41818090 #
11. moooo99 ◴[11 Oct 24 15:24 UTC] No.41810320[source]
Adblock doesn’t only make Google Chrome bearable, it makes the internet bearable. I recently uninstalled my Adblock for testing purposes. Most websites nowadays are just ads with a little bit of text in between
12. moi2388 ◴[11 Oct 24 15:27 UTC] No.41810347{3}[source]
It can. You can still give apps access to all of it with a single press.

And manifest v3 makes things a bit more tedious but not impossible. There are other adblockers which still function just fine

13. moi2388 ◴[11 Oct 24 15:28 UTC] No.41810353[source]
It makes things a bit more annoying? But in v3 you can still do everything you need to do to block ads
14. DataDive ◴[11 Oct 24 15:29 UTC] No.41810359[source]
> Hopefully this is the inflection point for Chrome.

Here is one empirical data point.

I switched over to Firefox this morning and will advocate for it.

I've considered it for a while, but I never felt motivated to make the switch. It took me a good half hour to set it up the way I like it.

replies(1): >>41819139 #
15. karaterobot ◴[11 Oct 24 15:30 UTC] No.41810375[source]
I'd like to think that's true, but I don't know, because people seem to have a very high tolerance for advertisements. Surprisingly so. I have a very low tolerance, and do what I can to get rid of them. But then, every once in a while I use someone else's computer and see how they live with them. I say "I can show you how to get rid of those ads," but they usually just don't care enough to do it. I bet the majority of people are like that—maybe the vast majority—and Google is probably making the same bet, but with even more information. My prediction is that if (God willing) Chrome loses significant market share, it'll be for some other reason than this.
16. flohofwoe ◴[11 Oct 24 15:31 UTC] No.41810378[source]
> ...and didn't notice a single change. Not a single ad gets through.

When I tried UBO Lite recently it couldn't block YouTube ads, not sure if that's impossible with Manifest V3, or if UBO Lite just isn't updated regularly like UBO to defeat the YouTube anti-ad-blocking updates.

Update: looks like it's fixed now, not bad :)

replies(2): >>41810402 #>>41810424 #
17. surajrmal ◴[11 Oct 24 15:33 UTC] No.41810393[source]
People seem to see what they want. And many seem to be blinded by Google hate and must find ways to be unhappy with all decisions they make. Google has publicly delayed v2 depreciation to ensure ad blockers worked well under v3.
18. ◴[11 Oct 24 15:33 UTC] No.41810399{3}[source]
19. ◴[11 Oct 24 15:33 UTC] No.41810402{3}[source]
20. Cthulhu_ ◴[11 Oct 24 15:33 UTC] No.41810403[source]
I get why they built in all of those protections; the vast majority of tech users are not knowledgeable about the details of the stuff they use. And I think a big chunk of those that are, overestimate their own abilities, knowledge, and control. They all need to be protected against themselves.

That said, I don't like that the choice is being taken away. If you do want to tinker at that level with the technology you own, you should be given the choice. By all means make it not obvious how to get there - like, have people reboot their computers while playing Twister on their keyboards with interesting key combos, but give them the option.

21. Cthulhu_ ◴[11 Oct 24 15:37 UTC] No.41810424{3}[source]
Youtube's adblocker-evasion and adblocker's youtube ad blocking has been a cat-and-mouse game since time immemorial.
22. kmlx ◴[11 Oct 24 15:42 UTC] No.41810472[source]
> making adblock less effective

adblocking still works just fine on Safari, which has been doing the same thing as Manifest V3 for years now.

replies(1): >>41813069 #
23. Spunkie ◴[11 Oct 24 15:43 UTC] No.41810478[source]
This is just because Google was especially insidious about how they crippled ad blockers in v3.

Adblockers do multiple things:

1. Visibly block ads from the user

2. Block the user tracking that's attached to those ads

3. Protect the user from malware

4. Save bandwidth and cpu cycles by not loading all that junk

5. Allow control to users over how a webpage is displayed to them

Arguably uBlock Origin Lite can only accomplish some of #1 and a sprinkle of #2 now. And even those abilities are compromised by artificially low limits imposed by chrome in v3 that will eventually allow ad networks to overwhelm those limits and get ads through to users.

Google is 100% boiling the frog here and you/the average user is left in the pot unaware.

replies(2): >>41811363 #>>41812477 #
24. Arch-TK ◴[11 Oct 24 15:43 UTC] No.41810484[source]
The technologies themselves are mostly a good idea. The problem is that the companies designing them also like to abuse them.

Take, for example, hardware attestation on android. There's not really any serious issue with this feature, it can be used to ensure your device is not compromised. This is for example how GrapheneOS enables its use with the auditor application.

But, on the other hand, Google abuses the feature to ensure that you are running a google signed OS if you want to use Google Pay. Meanwhile you can use banking apps which also use hardware attestation (although, from their perspective, they don't use enough of it to ensure it isn't being spoofed, and even then...) without any problem on GOS. Moreover, before Google Pay completely killed all of its competition, it was possible to even find third party banks which would provide you with the ability to pay with your phone without using google pay.

Likewise, secure boot is a great concept if you want to be more sure about the integrity of your laptop throughout its lifetime. But some companies have abused it to force you to use Windows. If you want to set up your own signing keys for secure boot, you end up having to deal with poorly managed UEFI keys from third parties which weaken the security of your machine. The feature, as it's implemented, is rarely designed with helping end user's secure their machines. But the core of the design is fine.

I think limiting root on a phone is also a really good idea, the issue is that Google likes to give themselves and their "system apps" special privileges. If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.

So all in all, fundamentally, most of these features are fine. They're genuinely great for security. But the main problem is how they're abuse by the companies in control and how little effort is put into allowing power-users to use those features for their own benefit.

replies(1): >>41810650 #
25. yupyupyups ◴[11 Oct 24 15:46 UTC] No.41810519[source]
Yeah, I don't browse the web without an ad blocker.
26. EasyMark ◴[11 Oct 24 15:46 UTC] No.41810523{3}[source]
Then they could have made Mv3 an option to turn on by sysadmins who lock down their browsers. If you aren’t locking down your users browsers then that’s on you. I mean at worst they could have made mv2 opt-in and most people would have highly curtailed their complaints of “I’ll jump ship to _____________” . People don’t like it when features are removed especially when there are viable alternatives like, adding a special tier of review to get mv2 approval for your extension, opt-in/out as discussed, easy access by sysadmins to turn it on/off. Instead google pulled a bully “so, pencil-neck, what are you gonna do about it?” instead. They are tone-deaf and see themselves as the new 800lb silverback on the block.
replies(2): >>41810681 #>>41815373 #
27. kstrauser ◴[11 Oct 24 15:47 UTC] No.41810527{3}[source]
That's literally how iOS works today. If I go into Settings > Privacy & Security > Photos, I can give apps None, Limited Access, or Full Access. Same with Contacts, same with the clipboard (where the per-app choices are Ask, Deny, or Allow).

> It is not fair that Siri is the only one that can access these things now.

That would be true if it was, but it isn't.

28. consp ◴[11 Oct 24 15:47 UTC] No.41810530{3}[source]
> It sucks and the general trend of workplaces trusting their employees less and less

You get what you pay for. Seeing that employee retention is frowned upon.

29. ◴[11 Oct 24 15:47 UTC] No.41810535[source]
30. EasyMark ◴[11 Oct 24 15:48 UTC] No.41810545[source]
Did you miss the barrage of ads for Chrome that google played for literally years on the internet and television?
replies(1): >>41815701 #
31. wooque ◴[11 Oct 24 15:50 UTC] No.41810553[source]
I'd argue it won't make a dent in Chrome market share.

People who really care about this (tech minded people) are not using Chrome anyway, others (regular people) will switch to less powerful Manifest V3 adblockers that would probably be good enough and won't switch from Chrome.

32. undercut ◴[11 Oct 24 15:50 UTC] No.41810558{4}[source]
It was a long time ago but I'm 99% sure that there was a banner for Chrome on Google.com since the first public release.
33. EasyMark ◴[11 Oct 24 15:52 UTC] No.41810582{3}[source]
I’ve been out of the windows game for so long I forgot all that malware that was installed by various installer engines and was so relieved when I found portable apps and oldversion.com and ninite. And now I guess there are things like chocolaty that do similar things. Switching to Mac and Linux I don’t really miss it at all
34. eikenberry ◴[11 Oct 24 15:56 UTC] No.41810636[source]
If I remember right then the difference is more about ad-tracking/privacy than blocking. V2 allowed UBO to find and intercept the calls to the ad servers before the calls were made. Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.
replies(2): >>41811022 #>>41815045 #
35. freedomben ◴[11 Oct 24 15:57 UTC] No.41810650{3}[source]
No disagreement here, although if past experience has proven anything I think it's that companies will abuse whatever "security features" they can to accomplish their objectives. It reminds me a lot of the old adage, "the same wall can keep people in just like it can keep people out."

When the OS is fundamentally in the user's control, they are limited in what they can do, but when the OS disregards it's owners preferences/desires and enforces it's creators desires.

Minor thing actually:

> If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.

I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.

But all in all, I very much agree. I love those features when they are in my control on my devices. Biggest issue is, they virtually never are and the number of occurences is trending down.

Anyway,

replies(1): >>41820741 #
36. kbolino ◴[11 Oct 24 16:02 UTC] No.41810681{4}[source]
I was mostly commenting on the "broader trend" aspects and the assignment of primary blame to implementing engineers.

There's another problem with Chrome, which is that nobody is actually paying for it. So the big corps move features along there only in the sense that they won't adopt it or will drop it otherwise. I don't think the big corps are pushing for Mv3 but they also probably don't care that it arrives either. Conversely, I wager Google estimates nearly nobody will revolt and leave Chrome over the loss of Mv2. It hurts ad-blocker developers and it hurts the most conscious users, but Chrome is a marketing product targeted at mass adoption first and foremost. I personally hope their estimation is wrong and the current browser monopoly breaks, but this may not yet be the breaking point.

Even if that happens, Chrome eagerly adopting enterprise policy support may keep it on life support in that environment, though.

37. Uehreka ◴[11 Oct 24 16:36 UTC] No.41810991{3}[source]
Yeah, I feel like in general we on HN give ourselves way too much credit in terms of our ability to drive public opinion or affect purchasing/usage patterns among the public. The idea of the “nerd-led revolution” may have had some impact in the past, but I think the days of that are over. Large corporations now know what they’re doing in ways that they hadn’t figured out in the 2000s or even the early 2010s.
38. kuhsaft ◴[11 Oct 24 16:41 UTC] No.41811022{3}[source]
On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.

MV3 doesn’t allow extensions to know what requests are being made, so extensions can’t use your data maliciously.

Requests to ads that are blocked are blocked.

I think you’re thinking of Privacy-preserving ad measurement which is an option in Firefox and Safari. https://support.mozilla.org/en-US/kb/privacy-preserving-attr...

replies(3): >>41811870 #>>41812305 #>>41813398 #
39. kuhsaft ◴[11 Oct 24 17:02 UTC] No.41811226[source]
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.

That was a world where the user base was much more limited and devices were less capable. Now we have children, grandparents, educated, and uneducated users with access to web connected devices. These devices now contain everything about you. Compromise of a device can destroy someone’s life.

Not only that, but compromise of a device can cause collateral damage to other devices on the same network.

We now have to cater to every user. Not just to the technologically adept. Look at what people believe on social media. The bar is so low to con people into compromising their device.

replies(4): >>41811404 #>>41813719 #>>41822470 #>>41847036 #
40. crazygringo ◴[11 Oct 24 17:18 UTC] No.41811363{3}[source]
I don't think any of that is accurate though.

Manifest v3 blocks user tracking -- if the request is blocked, any tracking attached to it is blocked. I'm sure it's not 100% perfect, but it's certainly working well enough in practice.

And what malware are you talking about? If a request is blocked, it's blocked. It doesn't matter if it's an ad or malware.

Manifest v3 is better at #4, because the junk isn't loaded, and the blocking is more efficient in terms of CPU.

And then #5 I don't know what you're talking about. I use Stylus and Tampermonkey to customize webpages and they continue to work great.

So I just don't see the evidence that "Google is 100% boiling the frog here". That's what everyone was saying, but now that Manifest v3 has come out, I just see adblocking that continues to work and uses less CPU to do it.

I see a lot of fearmongering around Google, but now that the results are in with Manifest v3... they just don't seem true. You're making all these claims, but I just don't see the evidence now that we're seeing how it works in practice.

replies(1): >>41813902 #
41. jauntywundrkind ◴[11 Oct 24 17:22 UTC] No.41811404{3}[source]
Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.

The browser is called a user agent, but this shift to absolute security no matter what, no say about it is a shift to native apps, is a shift to the developer is in control, is a shift to this being Google and the sites browser, not ours, and that being done unilaterally with nearly no opt outs is the sort of mega tectonic shift that ruins this magical special unique place in software where users had some say in what was happening. We cannot pander to imagined ever worsening users forever.

It feels like the things being done in the name of security are really building an immense prison. The work being done to allow verified age and identity checking ranks up there highly in the this corals humanity, area, not giving us agency.

replies(1): >>41811540 #
42. kuhsaft ◴[11 Oct 24 17:43 UTC] No.41811540{4}[source]
> Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.

Tampermonkey still works fine with MV3

> We cannot pander to imagined ever worsening users forever.

The most popular software/hardware will always pander to the most users. That’s why they’re the most popular.

You can’t complain about the most popular option pandering to the most users. Well, you can complain, but you might be in the minority of the users.

> It feels like the things being done in the name of security are really building an immense prison.

I get that, but we are running so much untrusted code on our machines now. Applications that use thousands of dependencies with the hope that someone spots a bad actor.

replies(2): >>41811945 #>>41818486 #
43. GeoAtreides ◴[11 Oct 24 18:18 UTC] No.41811870{4}[source]
but op wasn't talking about what extensions are seeing, but what the ad servers do. You haven't address their point at all
44. throwaway48476 ◴[11 Oct 24 18:25 UTC] No.41811938[source]
So, are you going to leave chrome then?
45. ◴[11 Oct 24 18:26 UTC] No.41811945{5}[source]
46. pipo234 ◴[11 Oct 24 18:41 UTC] No.41812153[source]
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.

I recently quit my job, developing among others the means to "protect" media using DRM. While this was not a primary motivation, I'm glad to somewhat clean my hands.

The technology (dubbed Common Encryption) is a bunch of smoke and mirrors that a childishly easy to hack around. Yet clearly aimed against good faith consumers.

replies(1): >>41812306 #
47. sunshowers ◴[11 Oct 24 18:49 UTC] No.41812244{3}[source]
The other aspect, somewhat memory-holed, was that Chrome was automatically installed as shovelware if you went to install Adobe Flash for IE or Firefox:

https://www.reddit.com/r/chrome/comments/23jnmy/why_is_chrom...

This kind of not-freely-given consent was key to Chrome's growth.

replies(1): >>41812965 #
48. sunshowers ◴[11 Oct 24 18:54 UTC] No.41812305{4}[source]
Doesn't onBeforeRequest still exist in Manifest v3? The thing that's been removed is the ability to block on it, not the ability to register handlers for requests.
replies(1): >>41812416 #
49. immibis ◴[11 Oct 24 18:54 UTC] No.41812306{3}[source]
That's a good job - people who don't like DRM (you) get more money, and the bad DRM is a distraction that delays the implementation of good DRM.
replies(1): >>41847021 #
50. x0x0 ◴[11 Oct 24 18:56 UTC] No.41812327{3}[source]
Early chrome was driven by the fact that firefox was a piece of garbage. Firefox 3 was not good software, and had an unpleasant habit of totally crashing the entire browser regularly. Your only other popular choice was ie8. Also not great.

Later Google's ability to buy installs and put it on google.com came into play, but for at least the first 5 years and probably longer, chrome was a far faster, more secure, and more reliable choice. They also pioneered the multi-process model to isolate different components of the browser.

51. immibis ◴[11 Oct 24 19:02 UTC] No.41812396[source]
The same Google that's currently in legal hot water for always hiding its true motivations so effectively that even lawyers can't get any relevant documents?
52. kuhsaft ◴[11 Oct 24 19:03 UTC] No.41812416{5}[source]
It still exists, but now “ad blockers” can’t use the blocking API to record and forward metrics on hits. Ad blockers don’t even need the webRequest and webRequestBlocking permissions anymore.

Now, if an ad blocker has webRequest permissions it’s a red flag.

For example https://developer.chrome.com/docs/extensions/develop/concept... uses webRequest to send telemetry back to some remote server.

replies(1): >>41812566 #
53. tredre3 ◴[11 Oct 24 19:08 UTC] No.41812477{3}[source]
uBlock lite can accomplish 2, 3, 4 completely. It's only #1 and #5 that are truly affected by v3. But those two were already pretty limited in chrominum browsers compared to firefox.
replies(1): >>41813988 #
54. sunshowers ◴[11 Oct 24 19:14 UTC] No.41812566{6}[source]
Thanks, I see how that can help.

With Manifest v3, let's say I'm an ad blocker and I want to get access to metrics not to violate privacy, but just to report them to the user (X domains blocked, Y out of Z requests blocked, etc). How would I get access to those metrics?

replies(1): >>41812734 #
55. spankalee ◴[11 Oct 24 19:21 UTC] No.41812626[source]
What makes you say the security reasons are made up?
replies(1): >>41815738 #
56. kuhsaft ◴[11 Oct 24 19:31 UTC] No.41812734{7}[source]
Separate permission for debugging only available for development essentially. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

Otherwise, you can’t really without more invasive permissions.

https://stackoverflow.com/questions/74813523/chrome-extensio...

replies(1): >>41812872 #
57. sunshowers ◴[11 Oct 24 19:42 UTC] No.41812872{8}[source]
Oh wow, that's wild. Closing the loop on reporting things is such an important part of a trustworthy user experience.
58. badwolf ◴[11 Oct 24 19:49 UTC] No.41812965{4}[source]
Chrome was bundled with so many installers. Google probably spent billions shoving Chrome into any machine they could.
replies(1): >>41829302 #
59. shadowgovt ◴[11 Oct 24 19:50 UTC] No.41812977[source]
Their incentive is really to make the Chrome Web Store a tractable problem with minimal human effort. That's about 75% of the incentive. You can't actually make any guarantees at the CWS level regarding safety of audited code if the API allows audited code to execute non-audited code.

> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.

May I be blunt? I grew up in it, so yes. I am. I was there for the Windows virus wildfires. I was there for the malware distribution schemes. I was there for the first wave of enshittification. For the dotcom crash. For the spam wars. For the search engines that didn't work. For the JavaScript injection attacks. For the world where "nobody knew you were a dog" as long as you didn't talk like yourself. I couldn't trust most of my relatives to use a computer the way we had to use them in the late '90s / early aughts. That's not a problem now.

For all its flaws, the modern system is cleaner, simpler, faster, and better for end users and no longer requires them to be super-nerds (and meanwhile, open and malleable devices are still there for the super-nerds to play with and work with). This was the goal---to make computers something that benefit everyone, not just the technorati and the priest-class.

May the past become a foreign country, hard for the modern mind to comprehend. May it always be so.

60. timeon ◴[11 Oct 24 19:58 UTC] No.41813069[source]
Ad-blockers are not just about displaying the actual ads.

Does the Chrome blocks trackers even without ad-blocker Like Safari?

replies(1): >>41944294 #
61. ragnese ◴[11 Oct 24 19:59 UTC] No.41813079[source]
The vast, vast, majority of normies I know use Google Chrome and use zero extensions.
62. throwaway98346 ◴[11 Oct 24 20:28 UTC] No.41813398{4}[source]
> On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.

Which is something we know for a fact uBlock Origin doesn't do. It's open source, you can check the code yourself. MV3, on the other hand, doesn't do much to assure me that an addon isn't phoning home. Why not just give the user to ability to block network requests on a per-addon basis? Too difficult a task for the trillion dollar company? Or could it be that forcing users to switch to MV3 addons isn't about safety at all?

63. mossTechnician ◴[11 Oct 24 20:59 UTC] No.41813685[source]
I've been checking browser stat counters religiously, looking for evidence that this change is driving their numbers down. No luck so far.

Am I missing any? https://gs.statcounter.com https://analytics.usa.gov https://www.w3counter.com

64. pixl97 ◴[11 Oct 24 21:03 UTC] No.41813719{3}[source]
The problem is one of balance.

Write insecure software and you'll get screwed by hackers. Write secure locked down software nobody can touch or modify, and you'll get doubly screwed by a large corporation that wants to pound every penny they can out of your bloody corpse, upto the point your device is compromised by the corporation who can do whatever they want, but you cannot tell.

There is no win situation here, there are only trade offs.

65. Spunkie ◴[11 Oct 24 21:25 UTC] No.41813902{4}[source]
Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?

These limits are easy targets for ad networks to overwhelm or outmaneuver.

    That's what everyone was saying
Everyone was saying that the new API is less capable than the old API at blocking things. DeclarativeNetRequest IS less capable; that's just a fact.

No one was saying that adblockers would literally stop working, so it's beyond disingenuous to dismiss people's issues with these changes by just saying 'works for me'.

What evidence would you actually accept anyway? Do you need a leaked internal document from Google saying literally 'devs, go neuter adblockers' before you believe Google might have bad intentions surrounding people's ability to block ads and tracking?

If security and performance were the actual driving forces of DeclarativeNetRequest, then they would have simply added it in addition to the existing webRequest block functionality. uBlock Origin and most extensions would have happily moved the majority of their rules to the static list if it meant better performance and privacy while keeping around the webRequest blocks for the things that actually need it.

Google has gone from having only one nuclear-level option for influencing adblockers (aka delisting) to now having its boot softly pressed against their necks and plenty of levers to pull. And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior by the world's biggest ad company'?

replies(2): >>41814624 #>>41815861 #
66. Spunkie ◴[11 Oct 24 21:34 UTC] No.41813988{4}[source]
It can only accomplish #1 and #2 for 30k rules, most of which must de defined at the time of the extension release/update. As soon as that limit is exceeded an adblocker loses it's ability to accomplish #1, #2, #3, #4, or #5 effectively.

And if we are being honest about those limits, they have already been exceeded. Ublock origin is going from 100,000 to 500,000 dynamic rules to just 30k rules(only 5k of those can be dynamic) in the lite version.

Adblockers have absolutely been neutered in v3.

67. crazygringo ◴[11 Oct 24 22:47 UTC] No.41814624{5}[source]
> Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?

I don't know and I don't have to. All I know is uBlock Origin Lite is still blocking everything. So it seems like 30K rules is plenty? Like it's not a meaningful difference for end users if it's blocking 99.99% vs 99.9999% of ads?

> No one was saying that adblockers would literally stop working

That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.

> What evidence would you actually accept anyway?

The fact that the adblocking experience was significantly degraded for the average user -- e.g. that now 10% or 25% of ads were getting through.

> And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior...

Yeah, pretty much. As far as I can tell, security and performance seem to justify the Manifest v3 changes. Occam's Razor says you don't need anything else. If you think there's malicious intention, then the onus of proof is on you.

I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it, that Google was cracking down on adblockers to neuter them. Now that it's here and my adblocking works just as well, maybe even better (if it's sped up page loading times) -- then sorry, as far as I can tell the malicious intention was made-up.

replies(1): >>41815821 #
68. j_maffe ◴[11 Oct 24 23:34 UTC] No.41814967{4}[source]
They were pushing from the very start. They knew the potential of taking over the browser market share.
69. crazygringo ◴[11 Oct 24 23:43 UTC] No.41815045{3}[source]
> Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.

That's not what the docs say [1]:

  A single rule does one of the following:

  - Block a network request.
  - Upgrade the schema (http to https).
  - Prevent a request from getting blocked by negating any matching blocked rules.
  - Redirect a network request.
  - Modify request or response headers.
Does "block" not mean block? Can you provide a source? Or am I looking at the wrong docs? I'm searching online and can't find anything that says the request is still sent.

[1] https://developer.chrome.com/docs/extensions/reference/api/d...

70. aftbit ◴[12 Oct 24 00:39 UTC] No.41815373{4}[source]
Well to some extent they did make it Mv3 an option, not forever but for an extra few months, with that enterprise policy flag. Enterprises used their weight to demand not a more secure browser, but an extra flag to allow them to keep running old software longer. Enterprises too are treated as a security threat by Google, who still plans to depreciate Mv2 format, forcing them to move to "more secure" extensions.
71. userbinator ◴[12 Oct 24 01:47 UTC] No.41815654[source]
I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against.

IMHO that's actually part of an even bigger societal trend. "You will own nothing and be happy."

The ones in power want to control everyone and turn them into mindless sheeple to be exploited and milked. It's not just tech. There's another comment around here that mentions features being requested by large corporations and governments.

72. userbinator ◴[12 Oct 24 01:53 UTC] No.41815683{3}[source]
Ironically, the FBI recommends using an ad blocker: https://news.ycombinator.com/item?id=41483581
replies(1): >>41815932 #
73. Zak ◴[12 Oct 24 01:57 UTC] No.41815701{3}[source]
Yes. Thanks adblock!
74. Zak ◴[12 Oct 24 02:03 UTC] No.41815738[source]
I can take this question.

They removed webRequestBlocking, used mainly by adblockers, but left webRequest. The security implications are the same for both, but only the former is optimized for content blocking.

75. Dylan16807 ◴[12 Oct 24 02:19 UTC] No.41815821{6}[source]
> That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.

> I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it

Once enough ads catch up with the new limitations. Right or wrong, we're still too early for that.

76. pkasting ◴[12 Oct 24 02:21 UTC] No.41815834{4}[source]
So many replies in this sub thread opining authoritatively. Share your source. Did you have access to the data on Chrome's user growth and which marketing campaigns were the sources of which users?

From my perspective, all of you are saying a lot of things as if you know them to be true, but you have no idea whether they're true or not; really, you just find them to be plausible.

replies(1): >>41817573 #
77. pkasting ◴[12 Oct 24 02:28 UTC] No.41815861{5}[source]
> Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?

I will take this one.

First, your limits are out of date. The static minimum is 30k, but can now escalate to an order of magnitude higher depending on how many extensions are installed. The dynamic limit is now 30k, of which at most 5k can be "unsafe". Source: https://developer.chrome.com/docs/extensions/reference/api/d...

Second, even if the limits were correct: consider the possibility that 99% of those rules are irrelevant, out of date garbage that blocks nothing anymore but haven't been removed because there is neither process nor incentive on the extension dev's part to do so.

Ad uses pattern. UBO adds matching pattern. Ad switches to new pattern. Cat and mouse.

This happens widely, rapidly, and on an ongoing basis. The result is that the rule set is large and grows rapidly, but very little of it is actually useful day to day. From the user's perspective, the only cost is that the browser very slowly gets continually less performant, which they will not attribute to the extension.

This isn't hypothetical. I'm on the Chrome team. We analyzed the rule set contents. This is why we proposed the initial limits we did: they were plenty large enough to allow all the extensions we analyzed to do everything they actually wanted to do, if only you stripped the cruft.

The rule size increases since then primarily come out of a dialog process with ad blocking devs about their process and needs and what they see in the wild coupled with what we think we can manage to keep performant. There are compromises. I'm not on that team so I can't speak to details. But it's part of an honest attempt to have a dialog.

There are usually simple explanations for things, if people were truly willing to consider them without bias.

replies(2): >>41815961 #>>41823867 #
78. kbolino ◴[12 Oct 24 02:40 UTC] No.41815932{4}[source]
A lot of enterprises run MITM on all HTTPS connections and can just block the ad-serving domains or even remove the ads from the page without any help from the browser. Ad blocker extensions are a low-infrastructure solution that's more useful for home users and small companies.
79. crazygringo ◴[12 Oct 24 02:45 UTC] No.41815961{6}[source]
Thank you for providing this valuable explanation -- I haven't heard this perspective expressed elsewhere. The fact that old rules would never get deleted but continue to drain resources makes some design decisions make a lot more sense.
replies(2): >>41816019 #>>41816538 #
80. cookiengineer ◴[12 Oct 24 02:55 UTC] No.41816016[source]
You should stop seeing the Browser as a software as a program that's controlled by the user. This idea was over when Microsoft started to display ads in the file manager program (explorer).

The modern Web Browser is an advertisement terminal. If Google would manage to eliminate having to serve content, they would certainly do it.

81. pkasting ◴[12 Oct 24 02:56 UTC] No.41816019{7}[source]
One particularly pernicious outcome is that some ad blockers tout their rule set sizes as a feature, and users choose among blockers based on it, when if anything it is probably negatively correlated with blocker quality -- it's not necessarily a sign you're comprehensive so much as that you don't care about efficiency or cleaning up after yourself.

That's of course an oversimplification. But people who believe they're technically knowledgeable and adept are just as likely as other folks to fall for bullshit and be convinced to do things contrary to their own self interests. It's just a different type of bullshit.

No one wants to hear that, because we all want to tell ourselves that maybe everyone else is gullible, but WE'RE smart and rational. To a close approximation, though, none of us are.

82. akira2501 ◴[12 Oct 24 03:46 UTC] No.41816240[source]
> and it's (partly) your fault

Punching down into a brutal labor environment instead of punching up into a Congress which was blatently bought off to foment this outcome? Odd choice.

83. eviks ◴[12 Oct 24 04:57 UTC] No.41816538{7}[source]
Now consider that the extra drain can be practically zero, and you get back to those decisions making less sense
84. icehawk ◴[12 Oct 24 05:35 UTC] No.41816693[source]
The adoption of firefox was driven by word of mouth.

I still can't search on google with them trying to shove chrome down my throat

85. lucianbr ◴[12 Oct 24 08:43 UTC] No.41817573{5}[source]
Is this really something particular to this thread? I feel like most comments on HN are "opining authoritatively".
86. BiteCode_dev ◴[12 Oct 24 10:30 UTC] No.41818090[source]
Haven'y tested, is it blocking youtube ads?
87. jauntywundrkind ◴[12 Oct 24 12:03 UTC] No.41818486{5}[source]
The prohibitions against running code dynamically are quite severe. It took a long long time & there's some work to make sure userscript/contrntScript extensions aren't totally shit out of luck (after years and years of delay & nothing), but whole domains of extension - anything where you run code on the fly - have been outlawed.
88. heelix ◴[12 Oct 24 14:00 UTC] No.41819139[source]
This is sort of like planting trees. I cut bait on chrome when they first announced they were dropping/impacting adblockers. For the most part, things are good enough the only time I spin up chrome is confirming something renders as expected on a personal site. Firefox works well enough for streaming and surfing.
89. Arch-TK ◴[12 Oct 24 17:18 UTC] No.41820741{4}[source]
> I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.

I thought about this a bit and I think that at the end of the day, the entire OS is just a bunch of these APIs. And I do think there's even a market for these APIs, they just don't want to set that precedent, I don't think it has anything to do with it being a lot more work than anything else they expose. They already have some very privileged APIs you can bless some apps (e.g. think of MDM) except not for everything and in the case of the MDM APIs it's very difficult to use it as a normal end-power-user.

90. matheusmoreira ◴[12 Oct 24 20:22 UTC] No.41822203[source]
Manifest v3 changes are pretty reasonable. Declarative filtering that prevents untrustworthy software from getting access to data is objectively a good thing.

It's just that uBlock Origin is so important and trusted it should have access to everything. Truth be told it should be literally built into the browser itself and deeply integrated with it. Only conflicts of interest prevent that. Can't trust an ad company to maintain ad blockers after all.

replies(2): >>41823854 #>>41823952 #
91. imiric ◴[12 Oct 24 20:54 UTC] No.41822470{3}[source]
> Compromise of a device can destroy someone’s life.

So in order to prevent a hypothetical hacker bogeyman from getting our data we gladly entrust it to corporations that actively squeeze every possible cent out of it by, among other things, giving access to it to other corporations and uncountable "partners" that will feed us content with the goal of psychologically manipulating us into buying things we don't need, or thinking things someone else wants us to think, destroying the very fabric of society in the process.

I somehow find all of that delusional, our acceptance and support of it nightmarish, and trust hackers to be less diabolical in their schemes.

Computers should serve us, not the other way around. The solution to these problems is tech education, not tech babysitters.

92. quotemstr ◴[12 Oct 24 23:54 UTC] No.41823854[source]
The problem isn't the declarative filtering per se. The problem is the draconian limit on the number of filters. Given that we can compile regular expressions to DFAs and evaluate them in O(len(url)) time no matter how many patterns we have, there's little reason to place an arbitrary cap on the sophistication of an extension's filtering.
93. quotemstr ◴[12 Oct 24 23:56 UTC] No.41823867{6}[source]
Google lifting the arbitrary rule count limit would go a long way towards building trust.
94. 10000truths ◴[13 Oct 24 00:09 UTC] No.41823952[source]
There was already an established solution for running untrusted code - the WebAssembly engine sandbox. Data can't be exfiltrated if imported functions are forbidden, which would be very easy to verify via static analysis of the WASM module. All of this hullabaloo about Manifest v3 could have been avoided if the Chrome team did the sane thing and exposed an API for using a WebAssembly module for filtering.
95. hyperdimension ◴[13 Oct 24 16:27 UTC] No.41829302{5}[source]
Tellingly, that very bundling is how Sundar got into the spotlight at Google.
96. account42 ◴[15 Oct 24 10:20 UTC] No.41847021{4}[source]
On the other hand, even weak DRM trains users to accept it while power users are less likely to rally against it if they can find workarounds for themselves. So you don't really end up delaying the implementation of good DRM but helping prime its acceptance.
97. account42 ◴[15 Oct 24 10:25 UTC] No.41847036{3}[source]
> That was a world where the user base was much more limited and devices were less capable. Now we have children, grandparents, educated, and uneducated users with access to web connected devices. These devices now contain everything about you. Compromise of a device can destroy someone’s life.

Kids these days have much worse computer skills BECAUSE of the locked up platforms they are exposed to from a young age. Meanwhile two decades ago my non-technical grandpa learned to use a real PC just fine in his old age. Don't underestimate regular users ability to deal with technology when there is a will.

98. kmlx ◴[25 Oct 24 11:43 UTC] No.41944294{3}[source]
my adblocker on Safari blocks everything, including trackers. no idea about Chrome.