
I don't mean that it sends the actual web traffic through some uBlock server, I mean that the uBlock browser extension sees all of the requests to load a webpage and decides what to do. It can decide to block them or not. It could also decide to scoop up all of your personal information and do bad things with it.

If someone were able to compromise the developer account and get a malicious version distributed through the Chrome browser gallery, that would be a huge problem. The kind of thing that has been making headlines with compromised npm modules recently.

Google has reviews in place to prevent malicious extensions from being distributed, but they can't be perfect. We've seen that repeatedly with both Chrome extensions and Android apps.

Every extension with permissions set for "This can read and change site data on all sites" has a huge target on it, and the fewer things using that level of access the better. Ad blocking extensions are an obvious place to look for improvement because they're so popular.

I hope that Google can put a blocking system together that will be able to perform as well as existing solutions without adding any huge security risks, but I also agree that it's problematic that their incentives are to do the exact opposite.
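A defender-side check for the permission level discussed above, as an added example that is not part of the thread: it reads an extension's `manifest.json` and reports the host patterns that amount to access on all sites. The sample manifests and the function names are constructed for illustration.

```python
import json

# Chrome match patterns that cover every site (the common forms).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return findings explaining why an extension has access on all sites."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD:
                findings.append(f"{key}: {entry}")
    # Content scripts injected everywhere can read and change every page too.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                findings.append(f"content_scripts[{i}].matches: {pattern}")
    api = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    if findings and "webRequest" in api:
        findings.append("webRequest: can observe requests on the hosts above")
    return findings

SAMPLES = {  # constructed manifests, not real extensions
    "blocker-mv2": '{"manifest_version": 2, "permissions": '
                   '["webRequest", "webRequestBlocking", "<all_urls>"]}',
    "notes-mv3": '{"manifest_version": 3, "permissions": ["storage"], '
                 '"host_permissions": ["https://notes.example/*"]}',
    "helper-mv3": '{"manifest_version": 3, "permissions": ["storage"], '
                  '"content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}',
}

def audit_all(samples):
    """Audit every manifest text in the mapping and return findings per name."""
    return {name: audit_manifest(json.loads(text)) for name, text in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", findings or "no all-sites access")
```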

The latest version of Chrome allows for "read and write site data" on a per-site basis. Not so useful for ad-blocking extensions, but a boon to any extensions I don't really want to give full access to.

So enforce human reviews for any update to an extension with "read all requests" permission and over X users.

Nah. If they feel inclined to do something more powerful than the Content Blocker API then they should build the ad blocker themselves into Safari. It can be off by default and configurable by users.

It'd make the Content Blocker API kind of pointless but that'd be safer than letting third parties in.

I don't see much value in ecosystems where only one party can build powerful tools.

I don't think "ecosystems" are a priority in and of themselves for Apple.
