Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome Privacy

EFF Warns Chrome Users: 'Manifest V3 Is Deceitful and Threatening' (eff.org) 46

In a recent blog post from the Electronic Frontier Foundation, the digital rights group warns that Google Chrome's latest specification for building Chrome extensions, known as Manifest V3, "is outright harmful to privacy efforts." EFF technologist Daly Barnett writes: Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks. [...] It will restrict the capabilities of web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these -- like some privacy-protective tracker blockers -- will have greatly reduced capabilities. Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level... since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.

As for Chrome's other justification for Mv3 -- performance -- a 2020 study (PDF) by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance. The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.

This discussion has been archived. No new comments can be posted.

EFF Warns Chrome Users: 'Manifest V3 Is Deceitful and Threatening'

Comments Filter:
  • by Curtman ( 556920 ) * on Thursday December 09, 2021 @05:57PM (#62064321)
    Ever since Google locked Chromium browser out of bookmark/password sync, I have wondered why there isn't an ability to switch to a 3rd party (ideally self-hosted) sync mechanism? If Chromium is open source, why is it not possible to redirect the broken sync and even login mechanism to non-Google servers?
    • Re:Chromium? (Score:4, Informative)

      by Voyager529 ( 1363959 ) <voyager529 AT yahoo DOT com> on Thursday December 09, 2021 @07:28PM (#62064555)

      I have wondered why there isn't an ability to switch to a 3rd party (ideally self-hosted) sync mechanism?

      https://floccus.org/ [floccus.org]
      https://nextcloud.com/install/ [nextcloud.com]

      Is it 100% all-the-way integrated? Not in the same way a Google Account is...but it more than makes up for it by having the plugin available for Firefox and Opera, so cross-browser bookmark sync with a drop-down menu is "close enough" for me.

      • by Curtman ( 556920 ) *
        These sound great, I will check them out. I meant specifically, why is the functionality still in Chromium to log in, and it's broken. It just doesn't work, yet it doesn't "fail" with any sort of error message. It will happily let you log in 10 times in a row successfully, and the interface doesn't change.

        I've been just blindly using Chrome since I switched to that when Chromium broke. Then I attempted to use Chromium on the Pi400 I got to play with, and got reminded of how stupid this is. There is n
    • Have you tried installing Chromium? It's a miserable experience designed to be as confusing as possible, with a bunch of HTML 1.0 looking hyperlinks that direct you to a nightly build zip file that has no installer. It's all surrounded by links to Chrome, too.

      • by caseih ( 160668 )

        It's in the repos of all distros I've tried. On Fedora it's reasonably up to date also.

    • by AmiMoJo ( 196126 )

      You can do that via an extension, e.g. https://chrome.google.com/webs... [google.com]

  • On the other hand (Score:4, Insightful)

    by 93 Escort Wagon ( 326346 ) on Thursday December 09, 2021 @06:03PM (#62064337)

    No one who actually cares about their privacy is using Chrome anyway.

    • doublespeak (Score:3, Interesting)

      by epine ( 68316 )

      No one who actually cares about their privacy is using Chrome anyway.

      You've missed the entire ball of wax. People care about privacy, but they get systematically priced out of the conversation.

      People who "actually" care is just doublespeak for those who are too stubborn to allow themselves to get priced out of the conversation.

      I've been immersed in the software profession since the 1970s. I once won a math prize. I even won a writing prize. I spent much of the 1990s reading Applied Cryptography for light e

      • If greater society actually cared about people actually caring, then the government IT environment would permit the use of alternative browsers, at least within reason.

        I'm sorry that your family member works in part the of government that has mandated only Edge can be used, but that is not true everywhere in government. There are parts of the government where Firefox is viewed as any other software package - it is reviewed for security issues, then placed on the allowed software list, same as Chrome. We

  • A little more info. (Score:5, Informative)

    by Sleeping Kirby ( 919817 ) on Thursday December 09, 2021 @06:28PM (#62064401)
    Just providing a little more info. Google sent this out on Dec 2.


    Dear Developer,
    Last year, we announced the availability of Manifest V3 - a more secure, performant, and privacy-preserving iteration of the extension platform.
    <snip>
    This is a notice that beginning January 17, 2022, the Chrome Web Store will stop accepting any new Manifest V2 extensions with visibility set to “Public” or “Unlisted”.
    <snip>
    Additionally, beginning in June of 2022, this restriction on new extensions will expand to include items set to “Private” visibility as well.


    It's a real pain because I make my extensions for fun and having them on the chrome store provides a lot of benefits. But now I have to go through them reconfigure how they work just to satisfy manifest v3 for very little gain.
    • by AmiMoJo ( 196126 )

      Little gain to you perhaps, but good for your users. Manifest V3 brings Android style permissions which can be denied by the user. I'm sure your extensions are all benevolent, but you can appreciate that users want control.

      • I'm not saying it's all bad. In fact, neither the article listed here doesn't either. I'm just saying it's considerably inconvenient. One of the main sticklers for me is that there's no longer a persistent background page. Which was something that didn't exist before a certain point, but, by google's own V2 documentation (which, a lot of which is missing now since being replaced by V3 documentation), is the way they wanted you to do certain things. With that said, they could have provided android style perm
        • by AmiMoJo ( 196126 )

          I am hoping that the background page thing is preparation for introducing extensions on Android. Firefox has them but there are some noticeable performance issues.

          About the other thing, I screwed up. I usually try to post a correction but sometimes forget. My bad, I usually try not to get into stuff like that when I'm very tired but honestly the amount of sinophobic bullshit on here gets to me sometimes. It gets to me in real life too.

          • Honestly, Firefox and extensions on have performance issues on it whether it's on a phone or PC. I stopped making firefox versions of my extensions because of it. Which is a shame because the vetting process onto the firefox store is much, MUCH better than for chrome. Faster, get real human replies... free... (had to pay 20 USD to "validate" my account for Chrome.) It can take up to 1.5 weeks for any updates I sent up to chrome store to be posted sometimes. A day max for firefox. But, personally (and I'm n
  • V3 (Score:5, Interesting)

    by The MAZZTer ( 911996 ) <megazztNO@SPAMgmail.com> on Thursday December 09, 2021 @06:30PM (#62064407) Homepage

    Having done some development work in V2 and V3 it looks to me like the effort on V3 was one for performance. Stop extensions from running in the background sucking down CPU, RAM, and battery life. And stop extensions from slowing down all network requests (which is the big change most people don't like; you have to define ahead of time how network requests will be filtered or altered which can be impossible without being able to dynamically inspect it, depending on what you want to do). This sucks from a developer perspective since it limits what you can do but the changes they made make sense from a performance standpoint.

    That said I'm not sure why they don't monitor the performance of the older API and simply disable extensions (or give the user the option to) that are slowing down the browser too much.

    • > That said I'm not sure why they don't monitor the performance of the older API and simply disable extensions (or give the user the option to) that are slowing down the browser too much.

      Google is an ad company dealing a blow to adblockers and lying that they have no choice.

    • Re:V3 (Score:5, Insightful)

      by Luckyo ( 1726890 ) on Thursday December 09, 2021 @11:13PM (#62064961)

      Doing things that users want requires CPU, RAM and battery life. News at 11.

      Ad company uses the former excuse to limit ad blocker functionality. News at 12.

    • by AmiMoJo ( 196126 )

      The dynamic filtering stuff has been re-worked to address the issues most developers had with it. The EFF article and all the others I have found don't mention specifically what issue they have with the current Manifest V3 API. As far as I can tell Google has addressed the problems and privacy enhancing, ad filtering extensions should continue to work as they do currently, only faster.

      Yes it's work for the extension developers. Maybe that's what they are upset about, since none of them seem to be able to po

      • It takes malice to intentionally misread the article this way.

        ad filtering extensions should continue to work as they do currently, only faster.

        Only if you consider broken/removed code to be faster. The ability to filter out adware/spyware is gone, this is the issue. Your employer wants to spy on us and shove crap into our faces. And even "faster" is a lie, as remote accesses that would be blocked are so much slower than even somewhat inefficient local filtering.

        • by AmiMoJo ( 196126 )

          But what specific API change has scuppered the ability to filter adware/spyware?

          As I say, there was an issue but Google listened to extension developers and changed the API to resolve it. They were planning to allow extension to register up to 50k rules that the browser would evaluate, but vastly increased that limit and restored some other functionality to make the post-loading filtering work better.

          And yes, that means they build the ad blocking right into the browser itself, so it would be faster. They ac

    • What about the last paragraph where they bring up the study showing that the directly impacted privacy/ad-blocking extensions improved performance?
  • What other outcome would you expect?

  • by Pinky's Brain ( 1158667 ) on Thursday December 09, 2021 @08:40PM (#62064685)

    It was not clear to me that Firefox would maintain the old way for extensions to filter webpages in addition to the new one, in fact the article seems to suggest otherwise to me. EFF is doing their cause a disservice with this poorly written article.

    Both the article and the slashdot summary should really include this statement from Mozilla :
    "After discussing this with several content blocking extension developers, we have decided to implement DNR and continue maintaining support for blocking webRequest."

  • ... the more glad I am with my choice of using FireFox ESR (with Ublock and Badger) for work and productivity, and chrome only for entertainment....

    JM2C
    YMMV

  • If we can't control requests in the browser then we need adblockers which simply redirect everything to a localhost filtering agent where we have full control. This would probably be implemented in a way of an extension or a proxy. Perhaps some of us could use pfsense with a converter which would translate adblock rules to the pfsense format?

I THINK THEY SHOULD CONTINUE the policy of not giving a Nobel Prize for paneling. -- Jack Handley, The New Mexican, 1988.

Working...