Manifest V3 and Web Enviroment Integrity
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
-
- Newbie
- Posts: 3
- Joined: 2023-07-20, 19:21
Manifest V3 and Web Enviroment Integrity
Is Pale moon doing anything to prepare for/get around WEI? As far as I understand it, it basically locks out any web browser/OS combination other than chromium-based-something on windows/android/apple, and Manifest v3 would stop adblockers from working... but tell me if I'm misunderstanding?
I only recently found PM and am in love, I'd hate to see it be rendered useless by google and WEI
I only recently found PM and am in love, I'd hate to see it be rendered useless by google and WEI
-
- Moon lover
- Posts: 90
- Joined: 2017-07-28, 14:44
- Location: The Netherlands
Re: Manifest V3 and Web Enviroment Integrity
Google seems to have paused the WEI program.
https://www.techradar.com/pro/new-google-chrome-browser-security-plan-slammed-by-experts
https://www.techradar.com/pro/new-google-chrome-browser-security-plan-slammed-by-experts
We also asked Google whether it had anything further to add beyond last week’s comment, when a company spokesperson told us that the program had been paused, and directed us in the face of early backlash to a response by the explainer article’s author, which concluded: “We welcome collaboration on a solution for scaled anti-abuse that respects user privacy, while maintaining the open nature of the web.
Linux Mint 20.3 Mate 64bit
Pale Moon latest
Pale Moon latest
-
- Knows the dark side
- Posts: 4984
- Joined: 2015-12-09, 15:45
Re: Manifest V3 and Web Enviroment Integrity
For a change, Mozilla grew a pair and has refused to support this as well. Of course it remains to be seen what would've happened if it had got implemented.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
-
- Fanatic
- Posts: 108
- Joined: 2016-12-04, 22:01
Re: Manifest V3 and Web Enviroment Integrity
This try has failed, we're waiting for another one. And another, and another... Until the slime sticks to the hull.
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Manifest V3 and Web Enviroment Integrity
So, stay vigilant and keep track of these kinds of proposals to slam them down when they come back like the bad pimple they are.
We won't be implementing this. Period.
Also, the problem is you cannot "get around" it because "attestation" is based on cryptographic signing. Basically WEI will tell the browser to go and get permission from one on a very short list of entities, which will cryptographically sign the attestation so it can't be faked (which immediately shows you where the weight of this spec lies!) to be presented to the website. So a simple "give back an answer to satisfy the website's request" can't be done as the website end will be checking the signature.
WEI is a spec that should be optional for high-sec/protected environments in the corporate sphere. If applied to the web as a whole it will simply kill any freedom internet users have -- of course ultimately, this can be distilled down to Google wanting to control the web clients in use so they can make sure their ads and tracking are being delivered (especially when combined with locking down extensions with manifest v3). Any other claimed need for this or similar specs will be veils to try and obscure that fact, IMHO.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Manifest V3 and Web Enviroment Integrity
Maybe people should push for support of this stance: https://github.com/RupertBenWiser/Web-E ... issues/137
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Moonbather
- Posts: 50
- Joined: 2021-07-27, 04:20
Re: Manifest V3 and Web Enviroment Integrity
If this becomes a thing, how is it likely to affect Pale Moon development? Sorry, I'm not too conversant with the 'under-the-hood' aspect of this...OP mentioned that it could be used to whitelist Chromium and nothing else, but wouldn't a spoofed Username solve that? Or are deeper checks involved?
-
- Astronaut
- Posts: 666
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
Re: Manifest V3 and Web Enviroment Integrity
That was my point in the other WEI topic. Anything sent from a client can be spoofed. The best they could possibly do would be to introduce a client-side encryption key, which, the moment it's leaked, becomes useless.noellarkin wrote: ↑2023-08-07, 16:02If this becomes a thing, how is it likely to affect Pale Moon development? Sorry, I'm not too conversant with the 'under-the-hood' aspect of this...OP mentioned that it could be used to whitelist Chromium and nothing else, but wouldn't a spoofed Username solve that? Or are deeper checks involved?
-
- Lunatic
- Posts: 364
- Joined: 2023-06-28, 22:43
- Location: Australia
Re: Manifest V3 and Web Enviroment Integrity
I would be very surprised if Web Environment Integrity ever got into a mainstream browser, but I an no expert on the politics and process of internet standards.
But if it did, I could imagine a "black market" of free and premium internet proxies that can make any browser look legit. if that would be at all technically possible?
But if it did, I could imagine a "black market" of free and premium internet proxies that can make any browser look legit. if that would be at all technically possible?
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
-
- Astronaut
- Posts: 666
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
Re: Manifest V3 and Web Enviroment Integrity
The servers can't be forged - those would be a specific trusted list for each browser, likely with their public keys built-in, and unless there's some catastrophic security failure on their end (i mean when is there not a catastrophic security failure happening somewhere...) the private key for the server should never be known by anyone but that server. So any kind of proxy system is the wrong side of things to try to attack.suzyne wrote: ↑2023-08-08, 02:04I would be very surprised if Web Environment Integrity ever got into a mainstream browser, but I an no expert on the politics and process of internet standards.
But if it did, I could imagine a "black market" of free and premium internet proxies that can make any browser look legit. if that would be at all technically possible?
What can be forged is what the client sends to that server to be, essentially, "notarized" - there's no reliable way to achieve that without also allowing it to be emulated by a bad actor, resulting in a good server OK-ing a bad client, because the server only has the client's application's word for the information it receives.
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Manifest V3 and Web Enviroment Integrity
Of course this does mean that the "good server" gets a record of your site visits, and opens the door to very widespread censoring of both sites and clients/regions the potential for overreach is massive here. Let alone the obvious privacy concerns...RealityRipple wrote: ↑2023-08-08, 16:37resulting in a good server OK-ing a bad client, because the server only has the client's application's word for the information it receives.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Astronaut
- Posts: 666
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
Re: Manifest V3 and Web Enviroment Integrity
Oh, definitely. The use of the word "good" there was supposed to be analogous to "official". There's nothing good about it. Centralizing tracking is possibly the biggest threat to privacy since the internet itself.Moonchild wrote: ↑2023-08-09, 00:36Of course this does mean that the "good server" gets a record of your site visits, and opens the door to very widespread censoring of both sites and clients/regions the potential for overreach is massive here. Let alone the obvious privacy concerns...RealityRipple wrote: ↑2023-08-08, 16:37resulting in a good server OK-ing a bad client, because the server only has the client's application's word for the information it receives.
-
- Moonbather
- Posts: 62
- Joined: 2021-11-06, 11:10
- Location: Tyskland
Re: Manifest V3 and Web Enviroment Integrity
Half of this WEI pest is already reality. It is called Cloudflare, including other “cloud cybersecurity” hanky panky.
I'm sure Google will try to introduce WEI in a Salamitaktik way. Today there is an outcra of a view nerds, tomorrow most people will complain if a website “does not work” with webbrowser X when they can see it on Chrome somewhere else.
The Encrypted Media Extensions (EME) is even a W3C standard. Google still seem to make enough money with Youtube, otherwise they would have already switched to EME. (Above all, it is content created by other people, not Google.)
I'm happy Pale Moon does not jump on that WEI train as well.
I'm sure Google will try to introduce WEI in a Salamitaktik way. Today there is an outcra of a view nerds, tomorrow most people will complain if a website “does not work” with webbrowser X when they can see it on Chrome somewhere else.
The Encrypted Media Extensions (EME) is even a W3C standard. Google still seem to make enough money with Youtube, otherwise they would have already switched to EME. (Above all, it is content created by other people, not Google.)
I'm happy Pale Moon does not jump on that WEI train as well.
… tanning in dimmed LCD light. – Evry 1′s a beginner, baby, that's the truth…