Bad news day for internet privacy...

Blacklab
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Bad news day for internet privacy...

Unread post by Blacklab » 2022-11-22, 15:34

Yesterday, Monday 21st November 2022, was a pretty bad news day for internet privacy. :(

The arrival of Manifest Version 3 (MV3) has been a long time coming and sadly no discussions or protests have changed Google's original API design intentions. Thus, MV3 will effectively cripple all fully-functioning AdBlockers (e.g. Raymond Hill's excellent uBlock Origin) on all Chrome (Blink-engined) browsers when Manifest Version 2 (MV2) is phased-out and MV3 fully implemented in June 2023.

Regrettably, this includes all the 'cleaned' Chrome clones, based on the Blink engine, that have to-date promoted themselves as privacy-led browsers that are 'de-googled' and don't track or profile you, and don't phone home... e.g. Vivaldi and Brave.

Mozilla's Gecko browser engine in Firefox is caught too because of their previous adoption of Web Extensions. Mozilla state that Firefox is keeping the elements of MV2 which will allow fully-functioning AdBlockers to continue working properly on all Firefox versions and its clones/recompilations... e.g. LibreWolf... but one wonders for how long Mozilla will or can sustain this 'hold-out' position?

https://www.techspot.com/news/96719-man ... store.html

https://www.techradar.com/news/mozilla- ... extensions

As if that wasn't enough bad news we also learn that Microsoft is planning to turn the Windows 11 Start Menu into an Ad delivery system! Perhaps an inevitable development given the way Windows 11 was going anyway with regard to privacy and tracking. :(

https://www.ghacks.net/2022/11/21/micro ... ry-system/

Mæstro
Lunatic
Posts: 463
Joined: 2019-08-13, 00:30
Location: Casumia

Re: Bad news day for internet privacy...

Unread post by Mæstro » 2022-11-22, 18:15

Could a firewall not filter outgoing requests as µBlock0 does now? (As a layman, feel free to tell me if what I think would fail on technical grounds beyond my ken.)
Browser: Pale Moon (Pusser’s repository for Debian)
Operating System: Linux Mint Debian Edition 4 (amd64)
※Receiving Debian 10 LTS security upgrades
Hardware: HP Pavilion DV6-7010 (1400 MHz, 6 GB)
Formerly user TheRealMaestro: æsc is the best letter.

Pentium4User
Board Warrior
Posts: 1113
Joined: 2019-04-24, 09:38

Re: Bad news day for internet privacy...

Unread post by Pentium4User » 2022-11-22, 18:27

TheRealMaestro wrote:
2022-11-22, 18:15
Could a firewall not filter outgoing requests as µBlock0 does now? (As a layman, feel free to tell me if what I think would fail on technical grounds beyond my ken.)
In times of TLS tunnels (HTTPS uses that) a firewall can only block by IP addresses, but cannot look inside the packages without breaking the TLS connection and destroying security.
The profile picture shows my Maico EC30 E ceiling fan.

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Bad news day for internet privacy...

Unread post by Moonchild » 2022-11-22, 20:00

There are some options available, e.g. DNS-based advertiser host blocking. (for now...)

Google is playing an even longer game here, though. Next up will be further pushing of http traffic over UDP which is stateless and cannot be manipulated in transit as easily, and the end game plan is likely still "web packages" where everything is delivered as a self-contained packet that is delivered (including the ads) with only local references, which will effectively hard-bake ads into content delivered to users.
The future of the web is bleak, and Google having bought time to push for this kind of thing before their antitrust goes to court has been critical to further all that.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

vannilla
Moon Magic practitioner
Posts: 2183
Joined: 2018-05-05, 13:29

Re: Bad news day for internet privacy...

Unread post by vannilla » 2022-11-23, 02:03

If you use Pale Moon with eMatrix you are safe... for now.
Web Packages are going to kill every content blocker no matter what, at least in theory. Maybe if they ever land some kind of loophole can be found, but I'm pretty sure it'll be considered a bug to be fixed on the next revision of the "standard".
Never trust anything prefixed with "Web", just like you should think twice about organizations/initiatives whose name starts with "Open".

LuftWafflePilot
Fanatic
Posts: 224
Joined: 2021-02-19, 20:46

Re: Bad news day for internet privacy...

Unread post by LuftWafflePilot » 2022-11-26, 06:42

Can anyone give me an idiot summary of what this is all about? I have no idea what "manifest 3" means.

Blacklab
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Re: Bad news day for internet privacy...

Unread post by Blacklab » 2022-11-26, 10:46

These two largely non-technical explanations by AdGuard are pretty good at describing what Manifest v3 (MV3) actually is and why it is a particular problem (threat) to how current fully-fledged AdBlockers work... not that MV3 is great news for a lot of other web extensions either:

How ad blocking is done: a look inside filter developing and why Manifest v3 is a threat: https://adguard.com/en/blog/how-ad-bloc ... -done.html
Objects in Manifest V3 are closer than they appear — and it's not good news: https://adguard.com/en/blog/manifestv3-timeline.html

Extract from AdGuard's blog article in link above... What is MV3 and how bad is it?

For those out of the loop: Manifest V3 is a name for the new upcoming browser extension API, essentially a large set of changes that will determine the next generation of Chrome browser extensions. We've already mentioned Manifest V3 in our blog a few times, and rarely in a positive way.

The goal, as it's stated by Google developers, is to "make extensions more secure, as well as performant". Security concerns are always listed as one of the main reasons behind Manifest V3, with claims that Chrome browser extensions possess too much browser and activity access. Which is not false — extensions indeed can do quite powerful stuff, and not always to the benefit of their user. But is dumbing them down a proper solution?

Unfortunately, this "dumbing down" is bound to commence. Chrome devs decided to solve the security problem by stripping extensions of access rights to web requests and, therefore, of many useful capabilities. Nearly all browser extensions as you know them today will be affected in some way: the more lucky ones will "only" experience problems, some will get crippled, and some will literally cease to exist.


--------------------

Much other comment online, some very technical, maybe start with the several blog articles posted by the Electronic Frontier Foundation (EFF)?

Google’s Plans for Chrome Extensions Won’t Really Help Security: https://www.eff.org/deeplinks/2019/07/g ... p-security
Manifest V3: Open Web Politics in Sheep's Clothing: https://www.eff.org/deeplinks/2021/11/m ... s-clothing
Chrome Users Beware: Manifest V3 is Deceitful and Threatening: https://www.eff.org/deeplinks/2021/12/c ... hreatening
Google’s Manifest V3 Still Hurts Privacy, Security, and Innovation: https://www.eff.org/deeplinks/2021/12/g ... innovation
EFF wrote: According to Google, Manifest V3 will improve privacy, security and performance. We fundamentally disagree.
--------------------

Both AdGuard and uBlock Origin (Raymond Hill) have recently released versions of their AdBlockers that will work, to the extent that they can, within the limitations of Google's new Manifest v3.

The problems AdGuard faced making an MV3-compliant AdBlocker are well described by Martin Brinkmann in his first Ghacks article below... or read this extract:
Work on the extension started in mid-2021. The (AdGuard) developers note that the new APIs of Manifest V3 caused a lot of headache during development. While they managed to produce a working content blocker based on Manifest V3, they concede that it has certain limitations that Manifest V2 content blockers did not have.

One of the main issues of Manifest V3 is that it imposes a fixed limit of 330,000 rules for all extensions installed in Chrome. Any one extension has guaranteed access to 30,000 rules. The number may sound like much, but when you realize that modern content blockers rely on tens of thousands or even hundreds of thousands of rules, the limitation becomes apparent right away.

Take uBlock Origin as an example. The default configuration of uBlock Origin uses 80435 network filters and 45243 cosmetic filters; that is already more than four times the minimum guaranteed rules limit. Users may add their own custom rules to many content blockers or subscribe to more rules listings. It is easy to reach the 330,000 rules limit with just one extension.


Now imagine that other extensions are installed that rely on rules. These compete with each other then when it comes to the limits.

Dynamic rules have an even stricter limit of 5000, which includes a limit of 1000 regular expression rules. When the limit is exceeded, only the first 5000 rules will be applied by the content blocker, while all other rules have no effect.

AdGuard MV3 Browser takes that into account. The developers have added warnings to the extension that inform users when the rules limitation is forcing the extension to reduce the number of rules that it supports. In fact, the developers note that even the basic filter lists, which is the primary list of AdGuard, may be disabled in the worst case, as it has more than 30,000 rules. For users, it can mean that the installed content blocker does nothing at all.
Ghacks article: 'AdGuard launches Manifest V3 compatible ad-blocker for Chrome': https://www.ghacks.net/2022/08/30/adgua ... or-chrome/
Ghacks article: 'uBlock Origin Minus: an experimental Manifest v3 compatible extension': https://www.ghacks.net/2022/09/09/ubloc ... extension/
Last edited by Blacklab on 2022-11-26, 14:30, edited 1 time in total.
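
As an added illustration (not part of the original post, and not AdGuard's or uBlock Origin's code): a sketch of how the dynamic-rule limits quoted in the extract above play out when Adblock-style filters are converted to Manifest V3 declarativeNetRequest rule objects. The `toDnrRule`, `applyDynamicBudget` and `buildSampleList` helpers, the small filter subset handled and the sample list are assumptions made for the example; the limits are the figures quoted in the extract.

```javascript
// Added example. Limits are the figures quoted in the Ghacks extract above.
const MV3_LIMITS = { dynamicRules: 5000, dynamicRegexRules: 1000 };

// Convert one Adblock-style network filter into a declarativeNetRequest rule.
// Handles only three constructed forms: "||host^" (block), "@@||host^"
// (exception) and "/regex/". Comments ("!") and cosmetic ("##") filters
// return null because they are not network rules.
function toDnrRule(filter, id) {
  const line = filter.trim();
  if (line === "" || line.startsWith("!") || line.includes("##")) return null;
  const isException = line.startsWith("@@");
  const pattern = isException ? line.slice(2) : line;
  const rule = {
    id,
    priority: isException ? 2 : 1, // exceptions must outrank block rules
    action: { type: isException ? "allow" : "block" },
    condition: {},
  };
  if (pattern.length > 2 && pattern.startsWith("/") && pattern.endsWith("/")) {
    rule.condition.regexFilter = pattern.slice(1, -1);
  } else {
    rule.condition.urlFilter = pattern;
  }
  return rule;
}

// Apply the limits in list order, following the extract's description:
// rules past the total limit, and regex rules past the regex limit,
// have no effect. Returns what was applied and what was silently lost.
function applyDynamicBudget(filters, limits = MV3_LIMITS) {
  const applied = [];
  const dropped = [];
  let skipped = 0;
  let regexCount = 0;
  for (const filter of filters) {
    const rule = toDnrRule(filter, applied.length + 1);
    if (rule === null) {
      skipped += 1; // comment or cosmetic filter
      continue;
    }
    const isRegex = "regexFilter" in rule.condition;
    if (applied.length >= limits.dynamicRules) {
      dropped.push({ filter, reason: "dynamic rule limit" });
    } else if (isRegex && regexCount >= limits.dynamicRegexRules) {
      dropped.push({ filter, reason: "regex rule limit" });
    } else {
      if (isRegex) regexCount += 1;
      applied.push(rule);
    }
  }
  return { applied, dropped, skipped, regexCount };
}

// Constructed sample list: 1200 regex filters, 4500 host filters and one
// exception rule at the end (the kind a user adds to un-break a site).
function buildSampleList() {
  const list = ["! constructed sample list", "example.com##.ad-banner"];
  for (let i = 0; i < 1200; i++) list.push(`/banner-${i}\\.(gif|png)/`);
  for (let i = 0; i < 4500; i++) list.push(`||ads${i}.example^`);
  list.push("@@||cdn.example^");
  return list;
}

const result = applyDynamicBudget(buildSampleList());
console.log(
  `applied=${result.applied.length} regex=${result.regexCount} ` +
  `dropped=${result.dropped.length} skipped=${result.skipped}`
);
console.log("last dropped:", result.dropped[result.dropped.length - 1]);
```

In this constructed list the exception rule sits last, so it is among the rules that fall past the limit and never takes effect.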

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Bad news day for internet privacy...

Unread post by Moonchild » 2022-11-26, 14:27

It ultimately means that for as far as WebExtensions already were limited as they were, they will be further reduced to "content manipulating scripts". So they will no longer be Browser Extensions (like we have, with full unfettered access to every part of the browser's UI, networking, etc. APIs) or Web Extensions (with limited APIs for browser interaction), but ultimately Page Extensions. They should really rename them to that to make clear how limited MV3 really is.

jez9999
Fanatic
Posts: 106
Joined: 2015-05-30, 19:35
Location: UK

Re: Bad news day for internet privacy...

Unread post by jez9999 » 2022-11-27, 17:32

What sucks massively for me is the loss of user scripts. Things like Grease/Tamper/ViolentMonkey, as far as I understand it, will all be unable to continue. And just as I was getting into using them as well (YouTube is increasingly unviewable without my adding some CSS to hide all the crap). I seriously hope some way is found to maintain support for user scripts. I requested Brave implement it as a separate feature in their browser (they pointlessly ported Metamask over, after all) but so far, no response. Quelle surprise.

vannilla
Moon Magic practitioner
Posts: 2183
Joined: 2018-05-05, 13:29

Re: Bad news day for internet privacy...

Unread post by vannilla » 2022-11-27, 18:00

jez9999 wrote:
2022-11-27, 17:32
What sucks massively for me is the loss of user scripts. Things like Grease/Tamper/ViolentMonkey, as far as I understand it, will all be unable to continue.
Well, the new limited extensions complying with V3 are basically Greasemonkey userscripts running directly within the browser rather than within an extension, so chances are your userscripts can be simply ported over without losing anything.

Blacklab
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Re: Bad news day for internet privacy...

Unread post by Blacklab » 2022-11-27, 18:30

Similar to jez9999's thoughts above, I've been giving Raymond Hill's new 'uBlock Origin Lite' AdBlocker extension a trial run using the Vivaldi browser. (IMHO the best of the 'privacy-orientated' Chrome-clone browsers, Vivaldi has customisable toolbars and its UI can be further modified to a degree with both CSS and JS scripts... but perhaps overly complex and encumbered by its numerous 'built-in' tab options and mass of other 'extension-like' settings.)

uBlock Origin Lite is a rewritten version of Gorhill's current fully-fledged uBlock Origin (uBO)... but much altered (crippled?) to be compatible with the limitations of Google's new Manifest Version 3 (MV3) web extension API. Vastly reduced levels of AdBlocking rules aside, the item I immediately miss is uBO's excellent built-in 'Element Picker' (a simple right-click 'Block Element' option from a browser's Context menu)... without which I find the 'clutter' on so many websites and webpages makes them almost unusable.

For me, unless the 'Block Element' feature can be replaced or replicated by some other means, the introduction of MV3 will effectively cripple all browsers that will be solely dependent on MV3 from June 2023... so far only the Chrome-based/Blink-engined clones... but Mozilla's "keeping elements of MV2 for now" stance doesn't seem hugely robust long-term given Google's massive market dominance?

FWIW - I don't currently use GreaseMonkey or any of its ilk... to-date I've always found the element blocker capabilities built-into uBO to be excellent, very quick and simple to use, modify, delete, etc. :thumbup: :D

PS. This Ghacks article 'uBlock Origin: how to remove any element from a page permanently' does what it says on the tin... and is a pretty good 'Howto' guide for anyone unfamiliar with uBO's built-in 'Element Blocker' function. :)

(Note: Raymond Hill initially released his trial MV3 compatible uBO version under the name 'uBlock Origin Minus' to reflect its significantly reduced capabilities, however he has since renamed it to 'uBlock Origin Lite'.)

basicuser
Fanatic
Posts: 108
Joined: 2018-09-01, 23:05

Re: Bad news day for internet privacy...

Unread post by basicuser » 2022-11-27, 23:47

I wonder if AdGuard and uBlock Origin will continue to be so good as to provide versions that will work with Pale Moon.
Stay away from crowds.

Blacklab
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Re: Bad news day for internet privacy...

Unread post by Blacklab » 2022-11-28, 12:48

For anyone interested in the technicalities of how future AdBlockers are constrained by working within Google's new Manifest Version 3 (MV3) API this link to Raymond Hill's (gorhill) comments regarding his own efforts to produce 'uBlock Origin Lite (uBOL)', and also explaining how his approach differed from that taken by AdGuard's 'AdBlocker MV3 Experimental' extension, is a worthwhile read:
Raymond Hill wrote: Technical notes following a ~2 weeks marathon to get something onto MV3, uBO Lite.
https://github.com/uBlockOrigin/uBlock- ... 1253893421
In conclusion Raymond Hill wrote: Many users of uBO will dislike the limitations of uBOL when compared to uBO. There is no point complaining about it, it's just not for you, it's meant for another kind of users -- you do not have to use it. For the record, it's not for me either (I want/need the full control uBO allows me), but I want to offer an option for those who use uBO as an install-and-forget blocker without ever interacting with it.

Burn_IT
Hobby Astronomer
Posts: 15
Joined: 2018-02-04, 18:17
Location: Polesworth

Re: Bad news day for internet privacy...

Unread post by Burn_IT » 2022-12-01, 17:46

I changed my settings to allow non-intrusive advertising. However the ad companies' definition of "non-intrusive" means that there was no change. So I now block all advertising.
I pay for my broadband and web access and I don't see why I should be bombarded with adverts that I have never fallen for anyway.

jangdonggun1234
Fanatic
Posts: 104
Joined: 2013-06-06, 01:29

Re: Bad news day for internet privacy...

Unread post by jangdonggun1234 » 2022-12-02, 04:13

vannilla wrote:
2022-11-23, 02:03
If you use Pale Moon with eMatrix you are safe... for now.
Web Packages are going to kill every content blocker no matter what, at least in theory. Maybe if they ever land some kind of loophole can be found, but I'm pretty sure it'll be considered a bug to be fixed on the next revision of the "standard".
Never trust anything prefixed with "Web", just like you should think twice about organizations/initiatives whose name starts with "Open".
Three upcoming adblock/privacy killer techs from Google:
- ManifestV3 for browser-side: Make adblockers as useless as possible, no more strong rule, only plain text url block
- Google First Party Sets to make any kind of tracker blocker, cookie blocker useless
- Web Packages: Impossible to block ads

Why do people trust Google to create the web standard? They literally change what the fuck ever they want to change. It's already too late because Chrome already took 90% of browser market share, unless people can replace HTTP and HTTPS protocol with a new one and start from scratch, most important websites are full of Google technologies nowadays.

Blacklab
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Re: Bad news day for internet privacy...

Unread post by Blacklab » 2022-12-02, 09:15

The deliberate Chromification and monopolisation of the whole of the web by Google (Alphabet), and in sectors by the other FAANGs too, has been underway for years and has happened because of three different but interlinked 'problems' or 'weaknesses' in modern society and government.

Firstly, most people don't seem to care, not interested in the details, seem oblivious, complacent, even happy, about losing all their personal privacy.

Secondly, the great mass of internet users did not, and still do not, want to pay for internet use in any meaningful way. So the nascent industry had to find another way to pay for all the many costs involved, the hardware, the data centres, the cabling, the software design, the devs, etc, etc. If 'free' was all that the public was prepared to pay then advertising was the simplest, and perhaps the only way to cover costs and make the internet pay.

By luck, and then using its rapidly increasing financial power, Google fought its way to the top of the pile and has since used its monopoly position to crush all opposition. To further increase Google's, and a few others', advertising revenues all the intrusive and invasive aspects of the modern internet have been developed and come to fruition on the back of massive financial and technical investment... tracking, data mining, profiling, AI, addiction psychology, real-time auctioning of your eyeballs, etc. all of which has combined to create our world of intense surveillance capitalism.

Thirdly, all government 'regulators' have been hopelessly behind the technological curve and consequently almost useless in carrying out their principal task of keeping the public safe and protecting them from exploitation. In previous eras mega-corporations monopolising whole areas of commerce and industry have been forcefully broken-up and tightly regulated by law (one could argue about the oil industry?). The sheer speed of the development of the internet, and the size and power of the monopoly corporations created, has frankly caught all systems of government napping.

This all reminds me of the old Irish joke about a tourist asking directions... "Well, I wouldn't have started from here..." :)
Last edited by Blacklab on 2022-12-02, 12:21, edited 2 times in total.

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Bad news day for internet privacy...

Unread post by Moonchild » 2022-12-02, 10:13

jangdonggun1234 wrote:
2022-12-02, 04:13
Why do people trust Google to create the web standard
I think most people aren't even aware that they are doing this. And those that are aware, but aren't a big corporation, can simply do nothing about it.

It's a money game, in the end. Even voting on standards by the W3C is, since you can't cast a vote without a membership which costs many thousands of dollars a year that can only be justified by big players, and then only those big players that directly benefit from voting on those standards. Other companies wouldn't be spending money on an arbitrary and expensive membership.
This is how EME got in, how the ES and HTML standards got fucked over by implementation-first entries, etc. and how the collection of web "standards" got so obscenely large and complex.
Everything has been stacked in Google's favour to expand and extend, for years, and they have made a lot of use of that situation. It's the same embrace, extend, extinguish tactic that has been used before only on a much larger scale with smart legal backing by also controlling standards bodies through bought influence.
Even with the antitrust process they were given multiple years leeway to strategically cement their monopoly and make plans for a potential split-up when it finally goes to court.

So yeah, it's not so much a matter of "people trusting Google" it's more of an abuse of the shielded nature of standards bodies that causes so much defining power in the Google corner.

jez9999
Fanatic
Posts: 106
Joined: 2015-05-30, 19:35
Location: UK

Re: Bad news day for internet privacy...

Unread post by jez9999 » 2022-12-02, 10:32

Blacklab wrote:
2022-12-02, 09:15
Thirdly, all government 'regulators' have been hopelessly behind the technological curve and consequently almost useless in carrying out their principal task of keeping the public safe and protecting them from exploitation. In previous eras mega-corporations monopolising whole areas of commerce and industry have been forcefully broken-up and tightly regulated by law (one could argue about the oil industry?). The sheer speed of the development of the internet, and the size and power of the monopoly corporations created, has frankly caught all systems of government napping.
It's more sinister than that. Governments and corporations these days are generally melded together. One does the work of the other. I suspect that if Google don't want something regulated, in most parts of the world it doesn't get regulated, especially the US.
Moonchild wrote:
2022-12-02, 10:13
Everything has been stacked in Google's favour to expand and extend, for years, and they have made a lot of use of that situation. It's the same embrace, extend, extinguish tactic that has been used before only on a much larger scale with smart legal backing by also controlling standards bodies through bought influence.
The very phrase went through my head a few weeks ago. Speaking of which, I honestly don't know why Microsoft adopted the tactic they did with Edge of being a Blink wrapper. They must know they've given up a lot of power by doing that, and they certainly have the money and means to maintain their own browser engine even at a big loss. Perhaps they're in it with Google somehow.

somdcomputerguy
Lunatic
Posts: 381
Joined: 2014-02-23, 17:25
Location: Greenbrier County, West Virginia

Re: Bad news day for internet privacy...

Unread post by somdcomputerguy » 2022-12-02, 12:16

jez9999 wrote:
2022-12-02, 10:32
Perhaps they're in it with Google somehow.
Image
:cool: -bruce /* somdcomputerguy.com */
'If you change the way you look at things, the things you look at change.'

Blacklab
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Re: Bad news day for internet privacy...

Unread post by Blacklab » 2022-12-13, 13:49

Google has delayed the introduction of its restrictive Manifest Version 3 (MV3) extensions API... yet again...

https://www.ghacks.net/2022/12/13/googl ... nce-again/

https://www.theregister.com/2022/12/12/ ... extension/

https://groups.google.com/a/chromium.or ... Q77HkGmK9E
