1034 points deryilz | 2 comments
krackers ◴[] No.44544544[source]
>They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.

So they admit that MV3 isn't actually any more secure than MV2?

replies(4): >>44544732 #>>44547024 #>>44548392 #>>44548589 #
Neywiny ◴[] No.44544732[source]
I'd be shocked if anyone actually believes them. This article starts with the obvious conflict of interest. Of course letting an extension know what websites you visit and what requests are made is an insecure lifestyle. But I still do it because I trust uBO more than I trust the ad companies and their data harvesters.
replies(6): >>44544764 #>>44544794 #>>44544922 #>>44546339 #>>44547722 #>>44548288 #
matheusmoreira ◴[] No.44544764[source]
I believe them. The restrictions are reasonable and appropriate for nearly everyone. Extensions are untrusted code that should have as little access as possible. If restrictions can be bypassed, that's a security bug that should be fixed because it directly affects users.

I also think uBlock Origin is so important and trusted it should not only be an exception to the whole thing but should also be given even more access in order to let it block things more effectively. It shouldn't even be a mere extension to begin with, it should be literally built into the browser as a core feature. The massive conflicts of interest are the only thing that prevents that. Can't trust ad companies to maintain ad blockers.

replies(6): >>44544946 #>>44545186 #>>44545270 #>>44545513 #>>44546144 #>>44546298 #
1. jowea ◴[] No.44545186[source]
Why am I not allowed to trust an extension just as much as I trust the platform it is running on? This is the same logic behind mobile OS creators deciding what apps can do.
replies(1): >>44547108 #
2. matheusmoreira ◴[] No.44547108[source]
It's a logic I fully agree with. As the owner of the computer, you should of course be able to do whatever you want. The APIs should still be designed around sandboxing and security though.

I only trust free software, and only after I have read its source code and evaluated the distribution channel. I don't want proprietary obfuscated third party code running on my computer without some serious sandboxing and virtualization limiting access to everything. I went so far as to virtualize an entire Linux system because I wanted to play video games and didn't trust video game companies with any sort of privileged or low level access to my real Linux system.

Malicious actors are known for buying up popular extensions that are already trusted by their user base and replacing them with malware via updates. The proper technological solution to such abuses is to make them literally impossible. Exceptions can and should be made for important technologies such as uBlock Origin.