
Google forbids login with niche Linux browsers - neoromantique
https://www.omgubuntu.co.uk/2019/12/couldnt-sign-you-in-google-browser-error-linux
======
dang
[https://news.ycombinator.com/item?id=21765615](https://news.ycombinator.com/item?id=21765615)

[https://news.ycombinator.com/item?id=21791337](https://news.ycombinator.com/item?id=21791337)

[https://news.ycombinator.com/item?id=21786672](https://news.ycombinator.com/item?id=21786672)

------
magicalist
Sounds like it's

> _However, one form of phishing, known as “man in the middle” (MITM), is hard
> to detect when an embedded browser framework (e.g., Chromium Embedded
> Framework - CEF) or another automation platform is being used for
> authentication.... Because we can’t differentiate between a legitimate sign
> in and a MITM attack on these platforms, we will be blocking sign-ins from
> embedded browser frameworks starting in June._

(tldr have to use oauth now)

[https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html](https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html)

because Falkon and Konqueror use embedded Chromium via QtWebEngine 5.

(If it's not triggered by switching to a Firefox UA string, though, sounds
like detection isn't that robust[1])

[1]
[https://old.reddit.com/r/kde/comments/e7136e/google_bans_fal...](https://old.reddit.com/r/kde/comments/e7136e/google_bans_falkon_and_konqueror_browsers/faicv9g/)

~~~
deogeo
Is this okay, even assuming it is true? I'm sure they could improve security
somewhat using some form of remote attestation, so (hypothetically) only non-
jailbroken phones and PCs with UEFI signed by a trusted (by Google) key could
log in.

Start with a service open to everyone, and when you have enough market share,
shut out everyone except major players. And of course, they don't give users
the choice on whether they want this added security.

~~~
magicalist
> _so (hypothetically) only non-jailbroken phones and PCs with UEFI signed by
> a trusted (by Google) key could log in._

They could also ban everyone without their dna on file, but I don't see any
evidence for a move toward that particular scenario either :)

Sounds like there's known riskier clients that have to use a different
authentication band (oauth) instead. There is a line there at some point where
requirements become onerous, but this doesn't seem like it to me.

~~~
buzzkillington
First they came for the api users but I said nothing because I wasn't an api
user.

Then they came for the text based browsers users but I said nothing because I
wasn't a text based browser user.

Then they came for the small browsers but I said nothing because I didn't use
a small browser.

When they came for me there was no one left to speak.

Google's behavior is clearly anti-competitive. At this point it is in
everyone's interests for Google to be broken up into multiple companies. One
might even figure out a way to be good at search again.

~~~
shadowgovt
But the "they" in this story is hostile third-parties trying to steal users'
Google password.

------
okasaki
> Google is known for A/B testing changes to its various web services all the
> time, so this specific hiccup could resolve itself in time.

> “Couldn’t sign you in. This browser or app may not be secure. Try using a
> different browser. If you’re already using a supported browser, you can
> refresh your screen and try again to sign in.”

A/B testing security? Is this what peak A/B looks like?

Can we go back to giving users a consistent experience and develop software
based on some other type of reasoning, rather than this A/B gaslighting?

~~~
shadowgovt
You get a consistent experience with a consistent user agent. Anything else is
best effort, trusting developers to successfully implement standards
correctly, and hoping they all made similar decisions in places the standard
is open.

~~~
danShumway
This amounts to a "best viewed in Chrome" philosophy. It's an argument against
Open Standards draped in worry about security.

It's no different than Google's policies of restricting apps on Jailbroken
phones, a practice that was ostensibly introduced for security, but quickly
expanded to be used for DRM and to discourage users from taking control of
their own devices.

The whole point of Open standards, the only reason we built these things in
the first place, was so companies like Google couldn't decide which browsers
worked with the web.

You might as well rephrase your first sentence to read, "you get a consistent
experience with a current Chrome browser" -- and I have no doubt that there
are people at Google who would be happy to have that policy if they thought
they could get away with it.

After all, why should Google's security team trust that Mozilla's browser is
secure, given that they don't get to pre-vet new versions? Even if a current
version is implementing the standard correctly, there's no guarantee that a
future Firefox version won't have problems. And Mozilla is already refusing to
deprecate old APIs with Manifest V3, when according to Google that deprecation
is super necessary to make extensions secure.

~~~
shadowgovt
You also get a consistent user experience with a current Firefox browser; it
might be slightly different than the one you get with a consistent Chrome
browser. There's a reason a lot of companies standardize on a single browser
for their internal web applications.

The purpose of avoiding browser monoculture was to avoid a world where a
single company deploying a single closed-source browser owned the gateway to
the World wide Web. The goal was never to make it easy for an arbitrary number
of browsers to operate independently of each other; in fact, browsers are very
complex software to get right and service providers have a responsibility to
make it hard for users to get their accounts compromised even if they bring a
browser with implementation errors into the loop.

I'd be more concerned if Google was blocking, say, Firefox, or if the block
was harder to overcome than changing the UA. This block is inconsequential.
Change the UA and be done with it.

~~~
danShumway
> The purpose of avoiding browser monoculture was to avoid a world where a
> single company deploying a single closed-source browser owned the gateway to
> the World wide Web. The goal was never to make it easy for an arbitrary
> number of browsers to operate independently of each other

Making it easier to build browsers is _how_ we avoid a monoculture. If we were
OK with there being 2 browser engines (Firefox and Chrome) we wouldn't need to
make all of these standards. Mozilla and Google are perfectly capable of
collaborating on their own in private, and it would be faster for them to do
so -- it's just everyone else that would be left out.

Open standards are why we can have interesting browser experiments like
Beaker. It's important that there be multiple software projects pushing the
web forward. Of course browsers are hard to build, just like Operating Systems
are hard to build. It doesn't follow that there should only be two of them.

> Change the UA and be done with it.

To be honest, you're right on this point. This is a kind of pointless debate
-- because what will actually happen here is all of the insecure browsers
you're worried about are just going to take Vivaldi's route and by-default
mock a different user agent for Google login screens. End users don't know or
care what user agent is being sent to the remote server.

Let's be honest -- the Kmail devs are not going to throw their hands up in the
air and say, "well I guess we just abandon the project now." They're going to
push a change that invisibly mocks the user agent for all of their users.

Because, again, you can't trust an insecure browser. If you can't trust a
browser-maker to implement the standard correctly, you also can't trust them
to voluntarily go along with a scheme that will make a nontrivial portion of
the web unusable for the majority of their current user-base.

~~~
shadowgovt
While it doesn't follow that there should be only two browsers, it also
doesn't make sense that Google should expose its end users to other people's
lab projects if that increased the security risk of those end-users. Security
is a balancing game and always in flux.

------
pmlnr
This is really bad. First: UA is unreliable, and is a complete mess. Second:
it can kill competition. Third: it should be possible for anyone to write a
browser. We need more of them, not less.

The web is one step away from needing to buy secure boot UEFI key like
permissions for accessing it.

EDIT oh. This could also explain my constant token refresh issues with
Evolution to access google calendars.

~~~
smitty1e
> We need more of them, not less.

While not sacrificing security, of course.

~~~
danShumway
What security? The very narrow instance where your browser allows a MITM
attack, and for some bizarre reason the attacker can't change the user agent
to match Chrome's?

I am of the feeling that if Google's security practices require trusting an
attacker not to change a user agent -- well frankly, in that case I am
skeptical these changes are actually about security. Because the Google
security team is smart, and I assume they wouldn't do stupid things.

But I am cautious about jumping to "this is malicious." There is certainly
enough anecdotal evidence for a reasonable person to claim that Google targets
competitors and tries to use changes like this to hurt them. However, it's not
(currently) enough evidence for me. I am still naive enough to believe there
is some semblance of good will at the company.

But I feel very comfortable saying that this security change won't do much
good, and the Google security team probably just thought, "why not turn it
on?" without caring about potential consequences to competitors, because they
don't think about anything outside of Google's ecosystem. I generally don't
get the feeling that Google engineers are malicious, just that they're
thoughtless and/or careless. I don't get the feeling that they're trying to
mess up the web ecosystem, just that they act impulsively and feel very
strongly that people shouldn't be questioning them; and that when people do
question them, they tend to dig in their heels and become very condescending
very quickly.

But again, I know there are Edge devs and Vivaldi devs that would call me
naive.

~~~
shadowgovt
If the browsers in question don't correctly implement all necessary standards
to guard against XSS, frame-busting, and MITM attacks, Google will do what it
can to protect its users against foot-shooting.

Changing the UA is equivalent to "voiding the warranty," so I'm not surprised
Google isn't taking extraordinary measures. At some point, if your users
really want to shoot their feet, there's only but so much you can do to stop
them.

~~~
danShumway
If a browser doesn't implement the standards to guard against MITM attacks,
what makes you think it implements the standards to guard against user-agent
manipulation _during_ the MITM attack?

You've misunderstood what I'm getting at here. It's not the _user_ that's
going to purposefully change their agent -- it's that a browser that is
insecure to the point that you can't trust it to log in is also insecure to
the point that you can't trust its user agent to be reported correctly.

The entire security exercise is pointless because compromised browsers lie.
They don't respect user preferences. An attacker who intercepts and modifies a
request isn't going to suddenly start being honest with you when you ask what
browser that request came from.

~~~
shadowgovt
The code paths to change UA and implement XSS protection are different code
paths.

~~~
danShumway
No, User-Agent is no longer a forbidden header for Javascript fetch
requests[0].

To be fair, both Chrome and Firefox have outstanding bugs where they haven't
yet implemented the correct specs. But there is no reason to assume that a
spec-compliant browser will block Javascript from setting the User Agent for a
request. It's _likely_ to allow it, because allowing it is the correct
behavior.

Even if it wasn't the correct behavior, it's silly to assume that a browser
that doesn't implement XSS protection is suddenly going to get good security
when it comes to implementing UA freezing in request headers. I don't think
there's a world where a browser maintainer says, "it's too much work for me to
respect CORS, but I really want to make sure I'm following this obscure
forbidden headers list".

[0]: [https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)

------
nunodonato
I, for one, am happy that 3 months ago I decided to start my transition away
from Google products and services. Subscribed to a Fastmail account and
couldn't be happier. Firefox is my browser of choice both in desktop & mobile,
so I don't have any of these issues, but for how long until google decides
otherwise?

I'm still quite a heavy user of maps, it's hard to step away from all the
convenience, but OsmAnd is already installed on my phone and I'm getting used
to it too.

~~~
ljm
I moved most of the important stuff away the other year. Went with Protonmail
and then Fastmail since their IMAP support was better. I really prefer to use
a native email client over the web interface; I don't need to be online to
sift through my archive.

Ended up with a Google account still because I get value out of youtube, and
of course I don't have a choice at work since most startups seem to go G-Suite
by default (I'd take the MS offering over that too; they're not in the ad
business).

At risk of going off topic, I hope that if one day I have children (if at
all), I will remember enough of the old internet back in the late 90s/early
2000s to be able to describe just how weird and wonderful that world used to
be. Not all of it was good or great but they'll be forgotten relics of an
ancient era, in tech terms. You know, like getting on the internet by picking
up a free AOL CD from the local supermarket; not being able to use the
internet and make a phone call at the same time; cracks and keygens with the
epic graphics and music; making a really bad website with frames and tables
with Macromedia Dreamweaver or MS FrontPage...

Feels like these days that the internet, in the mainstream (so not HN or
similar), is just an advertising and surveillance platform.

~~~
mavhc
> I'd take the MS offering over that too; they're not in the ad business

Have you seen Windows 10 (even the Pro version)?

~~~
ljm
I have, and I've used it. I thought it was tasteless to put ads in windows
explorer and stuff but it was all obvious. Telemetry in and of itself isn't
bad if they don't connect it to an IP or account or other kind of fingerprint,
they just look at what is interacted with and what isn't without knowing who
did it.

------
endemic
Unsurprising. When I was using an Android phone with Firefox, Google search
always served me the “bare bones” degraded layout; changing the UA got me the
same content as Chrome.

~~~
davidgerard
They don't do that any more, after they were called out hard enough on
deliberately sending broken layout to Firefox.

~~~
solarkraft
I don't see why they would need to be called out on anything regarding this. I
just thought "oh, Google looks like shit" and would prefer using DuckDuckGo
even more.

------
3xblah
Good to know they are monitoring the User-Agent header for security.

A Chrome user changes her User-Agent header in Developer Tools, logs in to
Gmail and finds that Google has sent her a "Security alert" e-mail message
that a "new device" has logged into her account.

Maybe the e-mail should inform her that Google has stored a new device
fingerprint
([https://en.wikipedia.org/wiki/Device_fingerprint](https://en.wikipedia.org/wiki/Device_fingerprint))
and the ways in which Google can use it are not limited to "security". It will
be used to further Google's business, online advertising services.

Sure, Google can argue these fingerprints will be used for "security purposes"
and are not being gathered for online advertising services, but what are the
real risks to Google of "less-than-perfect" Gmail security?

With over 60% of webmail users on Gmail, how easy would it be for a user to
protest Gmail insecurity by moving to a competitor, one who would not also be
taking fingerprints?

------
ape4
Is it just checking the user agent?

~~~
DennisP
> simply changing the browser user agent in an ‘excluded’ browser to that of a
> supported one, like Firefox, instantly lifts the bar and lets the
> app/service/site to load.

> Where, surprise, surprise, it works fine without any major issues.

~~~
mikelward
> You are trying to sign in with a browser or app that doesn't allow us to
> keep your account secure.

Sounds like it's not just a question of whether the page renders correctly?

~~~
NotSammyHagar
Google almost seems like they are trying to be Microsoft number 2. They can't
stop themselves from being overly competitive. I predict they will get hit
with a serious us govt case that causes them to allow more competition, just
like Microsoft in the next 5 years. Blocking ad blockers, controlling Android,
banning unions, it's sad to see them coming to this.

~~~
brewdad
Unlike Microsoft of the 90s, Google knows everything our lawmakers do online.
Every sordid search, the location and participants in every late-night tryst.
Pretty much anything that could embarrass or bring down anyone who might
oppose them is available to them through our phones, browsers, and search
histories. I think we are a long way away from any serious repercussions for
Google's actions.

/tinfoil hat off

~~~
shaki-dora
If there’s been one positive development in politics in the last few years
it’s the disappearance of the sex-scandal.

Sure, anything too extreme, funny, or illegal would still be problematic. But
someone’s run-of-the-mill pornhub playlist is unlikely to make much of a
difference, even on the Republican side. The reputable (and influential) media
wouldn’t even report it.

------
eyegor
Google has been hostile to niche Linux browsers for a long time. The worst
offender in my experience is their recaptcha service. Almost every site which
supports it will hand you one of those horrible "click on all the pictures of
cheese" where after every click it takes 3-5 seconds to decide if it wants to
give you more pictures.

------
davidgerard
This is incompetent behaviour.

(I'm sure someone from Google will now argue no no it's _malice_ not
_incompetence!!_ )

If they're worried about capabilities, test on capabilities.

Filtering on user-agent strings - which is what they seem to be doing - is the
act of an incompetent, and it doesn't matter how big the company is.

Can Google not hold on to competent people any more?

~~~
shadowgovt
There have been quite a few threads on HN about why Google uses a combination
of capability and UA sniffing. The tl;dr is it's the Wild West out there and
both approaches are unreliable (also, capability testing requires pushing more
code than the client can use and harms latency).

------
boring_twenties
I'm using Waterfox and gmail still seems to be working. For how much longer
though?

------
Jamwinner
If they could stop putting me in captcha hell for not connecting to their
servers that would be phenomenal.

------
unlinked_dll
Devil’s advocate, whitelisting is often much more effective than blacklisting.

~~~
ChrisSD
Whitelisting or blacklisting UA strings is meaningless. Any actually malicious
person is going to spoof that without even giving it much thought. It's only
the honest people who are affected.

Funnily enough Google itself used to advocate against detecting UA strings (I
don't know if they still do). Mind you, groups within Google don't always
listen to each other.

~~~
lucb1e
Indeed, I'll happily (and honestly) report my user agent as PHP to you and add
my email address to it so you can reach out if there are any problems, but if
I notice you're blocking my proxy that removes your crap and turns a multi-
megabyte news page (which I'm paying for) into something that loads instantly
even on GPRS/EDGE, I'm just going to spoof it.

------
amelius
Webmasters could help to fight back and give Chrome users a crappy experience
on their website (e.g. add 3 seconds to every page load), until Google fixes
this.

~~~
qzx_pierri
> Webmasters

Now that's a word I haven't heard in a long time...

