Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] Google Just Gave 2B Chrome Users a Reason to Switch to Firefox (forbes.com/sites/kateoflahertyuk)
128 points by axiomdata316 on May 30, 2019 | hide | past | favorite | 60 comments

Possible dupe from yesterday perhaps?


And not a bogus story in my opinion.

It is worth noting that revamping the browser extension permissions model is something that should definitely be done. Browser extensions up until this point have been a massive security hole: they basically get read/write permissions on every web page you visit.

Of course, content blocking could've been part of that new security model.

As Google tightens its grip, I wouldn't be surprised if someone starts a genuine fork of Chromium. Not just Chromium plus some extra stuff like Brave and Vivaldi, but a real, doesn't-rely-on-upstream-changes-fork. Microsoft seems like the most likely candidate for doing so.

> Browser extensions up until this point have been a massive security hole

No, that's a very misleading use of the term "security hole". By that definition, every piece of software on your computer is a "massive security" risk. Heck, even Chrome itself is a massive security hole since it can see the content of every page you visit.

I think it's worth reacting strongly to this argument because it's exactly the kind of statement that muddies the waters to convincing people that they shouldn't have the option of having full control of their own devices.

And I'm not saying there haven't been huge security issues with extensions. Just as there have been massive issues with any manner of software downloaded and installed. But requiring them to be open source and needing explicit user approval before install (unlike in older IE versions) addressed those issues pretty well, imo.

Edit: I would like to see changes that make it easier to observe when an extension is active and/or communicating with third party servers and/or writing to local storage for later transmittal (if that's possible).

> By that definition, every piece of software on your computer is a "massive security" risk.

Well, yes. There’s a reason sandboxing is coming more and more to the desktop.

I think Huawei should start an open-source community-based fork of Chrome and Android as an offset to Google and American monopoly on the web. (kidding, sort of).

No need to be kidding IMHO. This could be a perfect opportunity for Huawei to show that there is life without google. Basically the only thing ROMs like Cyanogenmod were lacking was the support of a hardware maker, coming preinstalled by default. Today with F-Droid, Nextcloud, Openstreetmaps and Mastodon it would be doable.

Content blocking is definitely part of the new security model; they wrote a "declarativeNetRequest" API designed to enable content blocking. The debate is just over whether that API is sufficiently expressive.

>they basically get read/write permissions on every web page you visit.

But you can select on which sites the extension is active. You can even make it only active when you click on it.

This isn't a browser feature, it's an AdBlock Plus feature. You're just switching off the blocking for certain sites, not turning off the extension itself in any meaningful way.

You are wrong, sir. This is a browser feature.


No, I'm talking about the browser feature in Chrome that can be applied to all extensions.

Is this a new thing? Most of the time when I've installed extensions I've just seen an initial prompt that says the extension can view and modify your data on any page, so either agree & add, or get out.

Depends on whether you consider a 7 months old feature new or not.


Oh wow yeah that's recent. I haven't installed new extensions in a while. Thanks.

Edit: I don't like that it seems to not be the default though... if you don't see this option then it's the same situation as before.

Wouldn't that defeat the purpose of an adblocker?

For an adblocker maybe, for other maybe less.

And even the adblocker might be disabled on the online banking site.

Cory Doctorow was right... it wasn't copyright that brought out the big guns in the War On General Purpose Computing. The real battles started when people utilizing the full power of heir computing devices started to threaten currently-profitable business models.

The media companies saw media piracy and asked[2]:

> "Can't you just make us a general-purpose computer that runs all the programs, except the ones that scare and anger us?"

Google (and advertisers in general) is now asking ""Can't you just make us a general-purpose browser that runs all the programs, except the ones that programs that interfere with our business model?"

[1] https://boingboing.net/2012/01/10/lockdown.html

[2] Ibid.

I use Adguard DNS. It can help because it work at DNS Level to block Advertiser Domain.


This was insightful from Pieter Levels Twitter:


> The accidental thing nobody noticed is how @Cloudflare is suddenly in the best position now to take over the Web Analytics industry now that adblockers are all blocking JS-level Google Analytics, since Cloudflare can track users on the DNS-level

So once DNS blocking becomes the norm, the power to do evil will switch from Google to Cloudflare.

DNS analytics are pretty much useless for web analytics due to wildcard records, multi layer caching,etc.

Umm....Agree....maybe is worst than google.

In principle this is a good service, but in practice why would one trust a closed source third party if privacy and content blocking is a major concern?

A pfSense machine with pfBlockerNG is open source, fully customizable, and can block at the DNS and IP level.

Since blocking content effectively changes how the web looks, and can occasionally break web sites, I'd rather have full control over the service than to pay someone to configure it for me.

Plus, the BSD camp has yet to let me down. :)

I just started using https://www.nextdns.io/ that offers so much customization and a whitelist

Before I opened this, I really couldn't think of ANYTHING that would be big enough for me to care enough about to switch.

But disabling ad block?

That's insane. If that really comes to fruition, there is no way I'm sticking around.

> But disabling ad block?

That's the fear. The reality is they want to use the AdBlock+ (ABP) model of getting a trickle cashflow of adblocking users (and allowing so-called "Acceptable Ads").

If you are seeing this as the thin edge of a very hard wedge into the concept of adblocking, you're in good company.

Google/ABP need to start small, offend as few users as possible then make it acceptable and move the conversation to "which ads should/n't be blocked" instead of "all ads should be blocked", all while preserving their revenue stream.

After all the outrage I am sure they won't follow through.

Or so I hope...

> Google is planning to restrict modern ad blocking Chrome extensions to enterprise users only

> the software giant is not backing down: It says the only people that can use ad blockers following the change will be Google’s enterprise users.

> Google sent me a statement by email, which reads: "Chrome supports the use and development of ad blockers. We’re actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data shared with third parties."

These can't all be true. Which is it?

The last one sounds weasel-wordy to me: it might be saying that they want to allow people to block targeted ads and see random ones instead, which is obviously not ad-blocking and would make "Chrome supports the use and development of ad blockers" a bald-faced lie.

They have implemented a system that works on rulesets similar to those used in AdBlock Plus (with whom Google has a business relationship). Rather than allow extensions to examine web requests they have to provide matching rules for the content to be blocked, and the browser engine will block requests that match those rules.

The implementation breaks the model of the most effective blockers like uBlock Origin, which are able to inspect every request and block it based on a much more comprehensive set of factors. The claim they are making is that allowing extensions to inspect web traffic makes them vulnerable to abuse by bad actors who can, for example, offer an innocuous extension then later turn it effectively into a keylogger. There are numerous better solutions to this problem that don't require breaking blockers like uBO, but this choice seems to tick a large number of boxes for decisions that benefit Google and their partners at the expense of their users. And the "Enterprise users" part (which really seems to belie the stated reasoning) was only abounded after it became clear that there was a backlash against this terrible decision.

Google isn't banning any ad blockers directly. They're just deprecating an API which many major ad blockers use, and the replacement API is different enough that those ad blockers can't be ported to it. They claim that the deprecation is about security and performance.

In particular, I don't think it's true that Google said "only people that can use ad blockers following the change will be Google’s enterprise users".

> They claim that the deprecation is about security

I mean, it kind of obviously is. Giving random extensions downloaded from the internet access to the URLs of every request ever made by the browser is a pretty insane security hole.

My impression is that other browsers (Safari) already removed this kind of API, or never had it in the first place.

As far as I can tell, they're not deprecating the API allowing extensions to snoop, only the piece that lets an extension say "don't process that request until I tell you it's okay". (In the design doc's terms, they're deprecating only the blocking version of webRequest.)

> Giving random extensions downloaded from the internet access to the URLs of every request ever made by the browser is a pretty insane security hole.

The observer APIs will still be enabled in V3 and extensions will still be able to access that list.

There is a valid case to be made that we should rethink the extension security model, but the V3 manifest doesn't address of any of its biggest problems. It's gimping the parts that enable you to block requests, but extensions will still be able to other spy on you the same way they already can today.

This is very clearly not about security.

Do 2B users use uBO, or do most of them use ABP or uBlock? Because I don't see much pushback from the authors of the later, and it anything they have a vested interest in design choices that negate the power of their greatest competitor.

2B is probably the total number of Chrome users. I'd be curious how many Ublock Origin users there are though. The # of installs counter on the Chrome extension store maxes out at "10,000,000+".

Adblocking estimates are around 30% total.

All the more reason to use Host block lists such as https://github.com/StevenBlack/hosts

yeah that's actually the point of the outrage. Using block lists is nice, but modern adlockers can do much, much more. If you just use lists, chances are the Ad industry - with the help of Google, will find a way to circumvent it. They probably already have, see anti-adblock-blockers.

Nowadays, you can invent clever ways to get around all this. With the new Chrome - you probably can't.

In the future, it'll probably be such that every website asks you to disable adblocking or you are blocked from the site.

The interesting thing about ditching all of your ad blocking users is that you’ve ditched the segment that shows the slightest interest in improving their ux.

Hyperbole to assume all will leave of course, but I wonder what this will do to user expectations

This could also be a boon to external ad-blockers like Privoxy.[1]

Using Privoxy, you could have ad-blocking and continue to use Chrome.

[1] - http://www.privoxy.org

That's a bit hyperbolic though. I imagine a high percentage of HN users block ads, but the overall rate is more like 25%[1] I suppose Forbes' editors weren't so excited about "Google gives about 500M Chrome users a reason to switch..."

1: https://www.statista.com/statistics/804008/ad-blocking-reach...

As far as I know on Android Firefox is the only one that does ad blocking well. That't because it supports plugins, including uBlock Origin. It's market share is 0.36%

It was ad blocking that drove me to Firefox on Android. Screen space is precious on mobile, and ads taking up a lot of it drove me nuts. I found I preferred the UI but sorely missed Chrome's "translate page option". (I changed my search engine to DuckDuckGo for the same reason - google search now shows so much "useful" ancillary information I have to scroll past to get to the actual search results I switched to DuckDuckGo just to avoid the scrolling).

But at 0.36% I'm in the noise region as far as browsers concerned, which I assume means most people don't care about ad blocking or noisy search results, apparently.

I have fellow developers that live in ad-infested browsers... Like wtf!?

Consumers have demonstrated repeatedly that they will react strongly to losing the option to do something even if they're not currently doing it.

And it's even worse coming from an ad company. Undermines trust massively, even for people who've never changed a default (no) privacy setting.

It's more like "25% and counting". It was ~3% 10 years ago. Tendency is pretty obvious and omnious for Google and like.

Add blocking is not consistent between browsers. Desktop chrome users are much more likely to block advertising.

I bet they'll backdown!

There's no way they'll loose control over their users.

This will be changed and they'll find another way to force ads on their users without loosing them.

Wait and see!

Now, for sure ad publishers are happy with this and for sure will make their services usable only with chrome.

Thank God we can change browser user agents :)

Time for someone to start mass-producing pihole boxes and selling them online for $50-$100 and make a killing.

If I had the time i’d do it!

freakin' done converted!

Okay, so they are crippling the webRequest API. I'm sure we can still block ads by injecting some masterfully crafted jQuery cocktails. Ad blocking will still be possible.

(Edit: Whoever just downvoted me -- you work on the Chrome team, I guess?)

There was a time where I had to use some outdated ad blocker. ALL news sites would display this "Disable your Ad blocker if you want to read this site" full screen block (that was, of course, not blockable with an easy host list).

This is probably Google's roundabout way to defeat adblocking as a whole.

Disable your adblock, or don't visit any website with Google Ads. Your choice.

Yeah I think Fortune magazine did that to me. I just installed another plugin to automatically inject some JavaScript to get rid of the "disable your adblocker" curtain.

As long as bytes of content are being sent over my Ethernet cables, I will find a way to render them.

What a bogus story.

The issue google is trying to address here is that the adblockers get permissions to basically all browsing data.

Google specifically says "Chrome supports the use and development of ad blockers."

There is going to be a content filtering approach that doesn't require folks give full access to all browser activity to a third party. For example, google could provide hooks for a pattern list that the extension could populate to block content. But no browsing data would be shared with the extension.

I know it's fun to go to immediate outrage - but Forbes is not the first place I'd be looking for thoughtful / balanced stories.

With what we know since January, the only reason Google implements it is because it will not allow sophisticated ad-blockers and anti-tracking extensions to work.

Google does this such that you can install some sort of pseudo adblock, while Google Ads and Google Tracking (especially) still work - at least behind the scenes.

And this comes directly from the dev of uBlock Origin.

The article is absolutely correct, only that 2B users will of course not switch.

But this move from Google is absolutely, 100%, meant to defeat effective ad blocking and any further privacy extensions that people may come up with in the future.

This has zero to do with privacy and security, because the APIs being removed only have to do with modifying pages, the ability to read data from pages is unaffected. The only real consumer of these APIs are ad blockers, they are quite obviously being specifically targeted.

Painting this as all about user safety when it handsomely rewards Google's largest profit center is farcical. (the new static list of 50k filters will be completely trivial to workaround).

The only thing that is bogus here is the people denying it has nothing to do with ad blocking.

The extensions that want to do blocking would then not need to request permission to read and modify pages.

As users we could pick adblockers that didn't require permission to ready all our activity.

How is reducing the required permissions (significantly) not an enhancement to user safety.

Your argument that we always must give extension authors full permissions to get anything done is a pathetic one frankly.

Chrome could easily enable this new API without crippling the old one, if that's what users really wanted (its not).

> There is going to be a content filtering approach that doesn't require folks give full access to all browser activity to a third party.

FWIW that's how content blockers in Safari have worked for while now. I've always been surprised at how accepting people are of using a browser from an ad company.

Right, iOS also historically had a finer grained / more on point permission model than android, and I've liked that approach. Apps can request permissions that reasonably connect with their activity. The pop ups to provide that permission usually make sense (I generally say no to access all my contacts etc).

Applications are open for YC Summer 2021

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact