I’m the last person who is going to defend the security architecture of browser plugins.
But, when Google tried to implement an ad blocking architecture that wouldn’t allow third parties access to your browsing history similar to that of Safari, geeks were up in arms.
The ad blocking changes also prevented blocking the request to the ad servers, which is what people were upset about (or at least, why I was upset). I don't remember seeing anyone be upset about anything related to browsing history.
No one was upset about a plug in not getting access to your browsing history. People were upset about the declarative ad blocking that took away some of the features that they ad blockers previously had and said Google was doing it to protect their business.
I’m not going to defend Google’s overall business practices, but from what I understand, it’s the same type of architecture that Apple has had for four years and no one said Apple’s intentions were nefarious.
Some also claim that Google kills innovation. Synchronous interception of requests allows developers to program sophisticated rules to fight malicious resources. In the future, they will only have a regular expressions list to block domains. It will be much easier for malicious actors to bypass this feature.
It’d be interesting to have one sandbox that can synchronously intercept requests, and one sandbox that can make its own requests, but only a one way communication channel between them. So the interceptor part can have its own stateful logic and access the blacklist, but not exfiltrate your history.
It also allows developers to intercept your entire browsing history. If you care about your privacy, why would you let a random third party intercept all of your browsing history?
I consider everything to be a matter of risk in terms for example of privacy. By installing an extension like uBlock, I am indeed taking the risk you mentioned. However, I consider that the risk will be much higher when installing an extension that is based only on a list of regular expressions for the reason I mentioned.
If uBlock did a bad thing, I'll know very quickly and all I'll have to do is install an alternative extension.
I am also a developer. I would like to continue to have the right to code such extensions for myself.
Why is better to fix adblocking capabilities at model that is borderline insufficient now let alone in 10 years.
There is arms race and you want adblockers (good guys) to give up any improvements in perpetuity, that is a recipe for losing.
Me installing uBlock for parents has improved their browser experience and security. I'd rather risk uBlock being compromised and having to phone them to uninstall it than have them being at the mercy of adtech, spyware, and scammers companies in 5 years.
How many incidents have we seen where the ad blockers are the bad guys? I don’t recall seeing any third party ads when browsing with Safari on iOS with 1Blocker that uses this architecture.
Edge for Android has that model. While trying it, I frequently got stopped by adblocker blockers. Firefox for Android runs uBlock Origin and never has that problem.
Google would remove uBlock from my PC before I even know it and I would notice it very quickly (unfortunately).
A personal computer has always been very complicated and using it has always been a risk in itself. I remember a time when a virus could damage the computer's hardware, and someone who knew how to program in BASIC (edit: or LOGO) was not considered as a "minority".
My point of view is that we need to make users aware of the risks and make them more responsible because things will not get any easier.
No need to optimize, I switched to Firefox, the browser for the minorities ;). I really liked Chrome though.
My point of view is that we need to make users aware of the risks and make them more responsible because things will not get any easier.
How has that been working for the last 30 years? Why would it start now?
Computers have been mainstream consumer appliances since the “multimedia PCs” were a thing in the mid 90s. Most people no more want to program computers than they want to fix their own cars.
With respect, Google is not Apple, and Apple is not Google.
I think a lot of people would say that Google is a pretty evil company in many respects, whereas Apple isn't exactly 100% saintly, but at least their profit and business goals align more closely with what is generally considered to be good for customers.
I’m definitely an Apple customer - our cell phone plan has 6 devices and we have two AppleTVs. But playing devil’s advocate, Apple’s business model only allows a small percentage of upper income people globally to be able to afford their products. Android and Google have done a lot more to bring computing to the masses than Apple. The cheapest iPhone that you can buy is $475 over $200 more than the average selling price of an Android phone.
The proposed change that would have made ad blocking impossible still allowed non blocking request interception, it would have absolutely 0 impact on people trying to sell your browsing data via an extension, and a huge net increase in people selling your browsing data by people selling your browsing data by website embedded trackers.
Not sure if you're talking about the recent Chrome drama, but if so, "geeks were up in arms" because the new architecture essentially neutered ad blockers through the limits imposed on the block lists.
It's worked well on safari because most of its users are people who don't care about those limits. Traditionally safari has been a relatively closed ecosystem (I haven't used it in a long time but I remember an entire lack of support for extensions at one point), so the people who would care about these changes never used it to begin with.
So now, when safari comes in with these changes that only add value compared to their previous offering (which again was substantially behind the competitors), users respond positively because the only users that remain don't know the difference between blocking the rendering of an ad and blocking the request to the ad server. So, when they hear "Ads are blocked", they don't understand the nuances that reveal to you that ads are not really blocked at all from a privacy perspective.
The reason Chrome didn't have a similar response is because the people who cared about these changes were already using chrome. So, when chrome announced an update that removes these privacy-protecting features, the users were knowledgeable enough to realize what the changes actually meant from a privacy perspective, and so responded poorly.
And even if the users were the same, safari added a feature (you can now kind of block ads in safari, compared to the zero adblocking you could do before), whereas chrome is removing a feature (you can no longer block requests to ad servers, something you could do for years). So of course the reaction to safari will be at worst lukewarm, because compared to the previous editions of safari it was an improvement.
It's nowhere, which is the point. I bet if they were to add manifest V3 (the thing people are upset about) to chrome for Android, it would be received much more positively than this.
