So they admit that MV3 isn't actually any more secure than MV2?
I also think uBlock Origin is so important and trusted it should not only be an exception to the whole thing but should also be given even more access in order to let it block things more effectively. It shouldn't even be a mere extension to begin with, it should be literally built into the browser as a core feature. The massive conflicts of interest are the only thing that prevent that. Can't trust ad companies to maintain ad blockers.
Make Signal video call to someone in front of a laptop, provide verbal instructions on what to click on, read to my liking, and hang up to be connected with someone else next time.
(EFF’s Cover Your Tracks seems to suggest fresh private tabs w/iCloud Private Relay & AdGuard is ineffective. VMs/Cloud Desktops exist but there are apparently telltale signs when those are used, though not sure how easily linkable back to acting user. Human-in-the-loop proxy via encrypted video calls seems to solve _most_ things, except it’s stupid and would be really annoying even with an enthusiastic pool of volunteers. VM + TOR/I2P should be fine for almost anybody though I guess, just frustrated the simple commercial stuff is ostensibly partially privacy theater.)
UBO is absolutely incredibly important. Figure you might know more than me about how journalists and reviewers and the like can still earn a keep in a world with adblockers built in to every browser.
Absolutely. The web is mostly ad funded. Advertising in turn fuels surveillance capitalism and is the cause of countless dark patterns everywhere. Ads are the root cause of everything that is wrong with the web today. If you reduce advertising return on investment to zero, it will fix the web. Therefore blocking ads is a moral imperative.
> Worry about the interim where some publishers would presumably cease to exist.
Let them disappear. Anyone making money off of advertising cannot be trusted. They will never make or write anything that could get their ad money cut off.
People used to pay to have their own websites where they published their views and opinions, not the other way around. I want that web back. A web made up of real people who have something real to say, not a web of "creators" of worthless generic attention baiting "content" meant to fill an arbitrary box whose entire purpose is to attract you so that you look at banner ads.
It's entirely possible to manually vet extension code and extension updates in the same way that Mozilla does as part of their Firefox recommended extensions program.
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
Other factors taken into consideration:
Does the extension function at an exemplary level?
Does the extension offer an exceptional user experience?
Is the extension relevant to a general, international audience?
Is the extension actively developed?
Besides, there's ways of having powerful extensions WITH security, but this would obviously go against Google's data harvesting ad machine. The Firefox team has a handful of "trusted" extensions that they manually vet themselves on every update, and one of these is uBlock Origin. They get a little badge on the FF extension store marking them as Verified and Trusted, and unless Mozilla's engineers are completely incompetent, nobody has to worry about gorhill selling his soul out to Big Ad in exchange for breaking uBlock or infecting people's PCs or whatever.
Because it's a dishonest point. Ad blocking still works. All the same ads can still be removed from the page. Tracker blocking doesn't. This is still a huge problem for privacy. But while nearly everyone dislikes seeing ads that interrupt your content, people who actually care about tracking privacy are a much smaller group. The latter group are trying to smuggle concern for the latter issue by framing it as the more favorable issue to garner more support from the former.
I only trust free software, and only after I have read its source code and evaluated the distribution channel. I don't want proprietary obfuscated third party code running on my computer without some serious sandboxing and virtualization limiting access to everything. I went so far as to virtualize an entire Linux system because I wanted to play video games and didn't trust video game companies with any sort of privileged or low level access to my real Linux system.
Malicious actors are known for buying up popular extensions that are already trusted by their user base and replacing them with malware via updates. The proper technological solution to such abuses is to make them literally impossible. Exceptions can and should be made for important technologies such as uBlock Origin.
I thought the core vulnerability of Manifest v2 is the new code can be loaded by an extension on the fly without any extension update. How would you vet that?
Force those extensions to have a prominent icon on the UI with a clear tooltip asking "did you install this yourself [No]" for easy removal, in case someone else did install it without you knowing.
There are so many ways to make this work, but they have zero interest in it.
Looking at https://developer.chrome.com/docs/webstore/troubleshooting#a... it seems most of the heavy lifting is done with some combination of static/dynamic analysis during extension review. The same analysis (plus trivially catching eval) could be done with V2 as well.
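The review-time check debated in the two comments above (MV2 code loaded on the fly, and "trivially catching eval"), sketched as an added example; it is not code from any commenter, from Chrome's review pipeline or from Mozilla's. The function names, the sample manifest and the `cdn.example.com` host are constructed for illustration, and the string/comment blanking is a simplification of real static analysis.

```javascript
// Added example (not Chrome's or Mozilla's review code). Blank out comments and
// quoted strings so "eval" inside them is not reported. Template and regex
// literals are not handled; a real reviewer would use a full JavaScript parser.
function blankNonCode(src) {
  let out = "", i = 0;
  while (i < src.length) {
    const c = src[i], two = src.slice(i, i + 2);
    let end = -1;
    if (two === "//") { end = src.indexOf("\n", i); if (end < 0) end = src.length; }
    else if (two === "/*") { end = src.indexOf("*/", i + 2); end = end < 0 ? src.length : end + 2; }
    else if (c === '"' || c === "'") {
      end = i + 1;
      while (end < src.length && src[end] !== c) end += src[end] === "\\" ? 2 : 1;
      end = Math.min(end + 1, src.length);
    }
    if (end < 0) { out += c; i++; continue; }
    out += src.slice(i, end).replace(/[^\n]/g, " ");
    i = end;
  }
  return out;
}
const RULES = [["eval-call", /\beval\s*\(/], ["function-constructor", /\bnew\s+Function\s*\(/]];
// Return [{rule, line}] for dynamic-code constructs found in real code positions.
function findDynamicCode(src) {
  const findings = [];
  blankNonCode(src).split("\n").forEach((text, idx) => {
    for (const [rule, re] of RULES) if (re.test(text)) findings.push({ rule, line: idx + 1 });
  });
  return findings;
}
// MV2 carries the CSP as one string; flag 'unsafe-eval' and remote script hosts.
function auditManifestCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp !== "string") return []; // no override: MV2 default policy applies
  const scriptSrc = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0] === "script-src") || [];
  return scriptSrc.slice(1).flatMap(tok => tok === "'unsafe-eval'" ? ["csp-unsafe-eval"]
    : /^https?:/i.test(tok) ? ["csp-remote-script:" + tok] : []);
}
// Constructed sample extension (hypothetical names and host).
const sampleManifest = { manifest_version: 2, content_security_policy:
  "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" };
const sampleSource = [
  "// eval() is only mentioned in this comment",
  "const label = 'do not eval(this)';",
  "fetch(cfgUrl).then(r => r.text()).then(t => eval(t));",
  "const f = new Function('a', body);",
].join("\n");
console.log(findDynamicCode(sampleSource), auditManifestCsp(sampleManifest));
```

A clean result from a lint like this only shows that the shipped files contain no obvious dynamic-code construct; it says nothing about obfuscated calls, which is why the comment pairs static with dynamic analysis.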
It’s almost comical how weak the security/privacy argument for MV3 is. Chrome could have developed a sandboxed web request inspection framework to prevent data exfiltration, but they didn’t even try. Instead they nerfed ad blockers without adding any security.
IMO those organizations should pay the taxes for all the people in the country they're being used at. This will create the best incentive for them to succeed.
I should already be sharing iCloud Private Relay nodes with thousands upon thousands of people. Yet:
“Your browser fingerprint appears to be unique among the [~240k] tested in the past 45 days.
Currently, we estimate that your browser has a fingerprint that conveys at least [over a dozen] bits of identifying information.”
-Cover Your Tracks results
Apparently VPN is one thing, but then sites will analyze “operating system, graphics card, firmware version, graphics driver version, installed fonts”, and more. Creepy even though I’m quite vanilla.
You could build this yourself with relative ease[1], just add some software in the mix to tweak the typing and cursor movements. Have the "controller" connect via mobile network, Starlink or similar if you really want to separate concerns.
> Keep in mind that uBO's own JavaScript-based network filtering engine has been measured to be faster than a well-known Rust-based filtering engine (though the measured difference back then was low single-digit µs, not something that will ever be perceivable by an end user).
Ugh, making reasonable-cost investments to protect my privacy before it costs me more in other ways, what a drag. (I know myself here… need to motivate myself to at least try to do better than a cheap VPN and a private tab… will come back to this sometime)
—
Also did you see the post about North Korean IT workers? Mini KVMs cited in the thread, shown in “The first time I was visited by the FBI” by ‘Level 2 Jeff’ on YT. May severely hamper my efforts to find takers on who’ll put spare laptops behind their residential IPs “but just so I can meme more privately I swear!”
Downloading on a remote machine is great for read-only needs!
I'm just saying that I think this is good interface design. Virtualization, sandboxing and gating access to data and computing resources are good things.