
I'd love to use ClearURLs, though last I checked it had a major flaw: it allows arbitrary code execution by the provider of the filter list. Among other things, it can redirect script URLs to arbitrary sources, and the filter list is periodically updated from a GitLab page, which enables the filter list provider to perform a targeted attack by serving a malicious filter list to a specific device.

The only filter list provider is the extension maintainer, so this information should be safe to share. I have not had the time to set up a PoC, but I'm confident that the filter rules are way too powerful.

At the very minimum, the current filter list should be included in the extension package rather than periodically updated from a remote URL. That way the filter list can be audited and must pass a review, without having a negative impact on the effectiveness of the extension, since the filter list does not appear to frequently change.




I agree with you there. For my stealth browser I decided to go with a different JSON based format [1] that can rewrite the URL parameters via wildcards (for both * at the start and end of both key and val).

It has the idea that you can audit a website and only list the allowed parameters there, so that a website search or sorting order or filters can still work.

I built my browser on an allowlist based concept because it seemed too impossible to maintain all bad urls, domains, parameters on the web. Most websites have more tracking than content in them, so I decided on maintaining lists to select the content rather than the ads and trackers.

[1] https://github.com/tholian-network/stealth/blob/X0/profile/p...
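Added example, not part of the comment above and not the Stealth project's code: a sketch of allowlist-based query-parameter filtering with `*` wildcards at the start or end of both key and value. The rule shape (`key`/`val` objects per host), the function names and the `shop.example` policy are assumptions made for illustration.

```javascript
// Allowlist filtering of URL query parameters, as described in the comment above.
// The rule shape used here is hypothetical, not the Stealth profile format.

// Match a pattern that may carry "*" at its start and/or end.
function wildcardMatch(pattern, text) {
  if (pattern === '*') return true;
  const open = pattern.startsWith('*');
  const close = pattern.endsWith('*');
  const core = pattern.slice(open ? 1 : 0, close ? -1 : undefined);
  if (open && close) return text.includes(core);
  if (open) return text.endsWith(core);
  if (close) return text.startsWith(core);
  return text === core;
}

// Constructed sample policy: per host, the parameters that are allowed to stay.
const POLICY = {
  'shop.example': [
    { key: 'q', val: '*' },         // site search
    { key: 'sort', val: 'price*' }, // sorting order, restricted values
    { key: 'filter_*', val: '*' },  // any filter_... parameter
  ],
};

// Keep only allowlisted parameters; a host without a policy loses all of them.
function filterUrl(input, policy = POLICY) {
  const url = new URL(input);
  const allowed = policy[url.hostname] || [];
  const kept = new URLSearchParams();
  for (const [key, val] of url.searchParams) {
    const ok = allowed.some(
      (rule) => wildcardMatch(rule.key, key) && wildcardMatch(rule.val, val)
    );
    if (ok) kept.append(key, val);
  }
  url.search = kept.toString();
  return url.toString();
}

console.log(filterUrl(
  'https://shop.example/search?q=lamp&utm_source=mail&sort=price_asc&filter_color=red&fbclid=abc'
));
```

Because the rules are plain data that can only keep or drop parameters, a list in this form can be audited without reviewing code, and unknown tracking parameters are dropped by default instead of needing a blocklist entry.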

The developer addressed this comment here https://github.com/ClearURLs/Addon/issues/102#issuecomment-8...

Check out Neat URL - it's more basic, uses a comma-separated list of rules, and comes with some hard-coded presets you can override. I maintain my list in a text file and just update that and copy/paste in when I want to create one.

Of the defaults, I only override "cid, mbid" as blocking those on every site has ended up breaking some.


The last time I used it, it also disabled ETags by default. I lost many hours trying to figure out why those 10MB Kibana JS bundles are re-downloaded on every page load and only in my Firefox, checking about:config, etc... I know ETags can be used for tracking and that Expires should be used instead but I did not expect ClearURLs to do anything more than just cleaning URLs...

I can no longer edit my comment, if someone has the time, please verify this vulnerability and follow up with the maintainer and Firefox reviewers, remote code execution is against add-on guidelines. My impression is that the maintainer is not malicious, though someone could exploit them or the filter list service, and hack the entire userbase of the extension.

Security paranoia is ruining the independent Internet and putting more power in the hands of companies like Google.

I mean, you say paranoia, but I think back to the time I had to spend hours and hours unliking Instagram posts made by a bot that had harvested our cookies by buying Nano Adblocker.

In this case, we know that extensions are sometimes sold and updated maliciously. Having external arbitrary code is a legitimately concerning vector because it bypasses Google verification of the extension.

Not that Google are great at their jobs in that case, but it's something.

So it's not paranoia in this case, it's "we can't have nice things" because of real bad actors.

I remember back when adware, spyware, and viruses ran amuck on PC’s thanks to lax Windows XP security design and an open internet without any effort to protect users. It was bad.

We do need to decentralize the decision making but the progress toward making the web safer for average folks is good.

Freedom isn't free. An open internet where users take responsibility for taking risks is preferable to a safe but locked down and centralized internet.

What is even scarier is one controlled by Google because it's the only browser in town. A company that wants to know everything about you and sell it to the highest bidder in order to maximize profits for their stockholders. Everything else is noise to them except for an occasional public outrage which they fix with a slight course correction.

If we put everybody in jail we don't have to worry about crime anymore! That's a lot easier than trying to have an informed public who can exercise caution and learn to assess risk in their lives. Besides, only a very small market segment of hardcore freedom enthusiasts really care about freedom. There's not enough money in that market segment to be worth the investment. Most everybody will be happy watching television in their cells. Anybody who doesn't like it is welcome to go to the jail run by our one competitor.

My hypothesis:

Any vulnerability-prone system will either fade away or end up with a centralized arbiter quite inevitably.

It's not paranoia if the internet really is full of hackers out to get you

Thanks for mentioning this. While I did install it upon seeing the news on removal, I'll go without it for now and hope for a similar project from the EFF.

I'm seeing downvotes for this and I am here to learn- where am I misguided? Is there a convincing argument to install this program? Let me know, I just want to understand what I may be unaware of, to receive the new information, and then if it makes sense I will correct my decision.

If you don't like the risk this poses, don't use the extension. Your ability to make informed decisions about risk vs reward keeps getting chipped away when Google pulls this kind of stuff off. Google should warn you about the security risks (edit: or just remove it from the public facing store and only keep the hard to guess URL active) but don't tell me what extensions I'm allowed to use or not. Even adding local extensions I make myself are treated like a security threat with a popup every time I open Chrome.

Stop the helicopter computing. People keep saying they want the old Internet back, this is why.

I disagree with this stance. Pulling extensions that have a large potential for abuse is absolutely in Google's prerogative, in my opinion.

Suppose our single maintainer decided to finally sell the extension, and the person who bought it made it so that all those links hijacked information or exposed you to malware. This would happen in one day without warning. How many people would be saying that was Google's fault for allowing this to happen?

You say people should determine for themselves based on risk, but most users of Chrome extensions are naive when it comes to understanding risk.

Surely if this was the reason Google pulled the extension, they would say so.

They wouldn't be making it about the description being too detailed.

While this may be bad, I think it is merely incidental.

Fair point.

I agree, maybe removing the extension from the public facing web store is a better solution. But at the very least, allow the extension to be installed if you have the "hard to guess" URL. I do this with my app that requires a desktop app to be installed since it requires native app messaging.

If you really want to use the extension, you can clone the extension's repo, enable Developer Mode on the extensions page in Chrome, and then load the extension.

You can probably do this in under 30 seconds, but it's enough of a barrier to keep naive users from doing it.

Google's prerogative is to make as much money as possible, not make the web a better place.

You can level this charge at almost anyone. It might be true in certain ways, but it’s not an informative criticism.

With Google it's especially true since their entire existence is centered around gathering intelligence on people and then selling ads with it (and also hoarding it for future use)

That description fits Facebook just as well, which means it doesn’t tell us much about Google.

You're getting downvoted but I agree. It's one thing if the maintainer abuses his power as an extension provider. Quite another if they have a history of putting out a perfectly good extension and Google acting like they're guilty before proven innocent.

I don't think you understand the issue. There is an accidental backdoor in the extension. The maintainer can manipulate and access the pages you visit at will, without needing to release a malicious update. All these features can be implemented without the maintainer being able to hack you without a trace, there is no loss of functionality if the security issue is patched.

So you're saying Apple should pull Chrome's permission to run on macOS anytime there's an accidental zero day or vulnerability?

If Google wants to act like a platform, it should have some form of escalation with the developer to fix issues instead of complete removal without warning.

No, I'm not saying that, and the potential issue I have shared has nothing to do with the current takedown of the extension.
