Hacker News

7 months ago by dessant

I'd love to use ClearURLs, though last I checked it had a major flaw: it allows arbitrary code execution by the provider of the filter list. Among other things, it can redirect script URLs to arbitrary sources, and the filter list is periodically updated from a GitLab page, which enables the filter list provider to perform a targeted attack by serving a malicious filter list to a specific device.

The only filter list provider is the extension maintainer, so this information should be safe to share. I have not had the time to set up a PoC, but I'm confident that the filter rules are way too powerful.

At the very minimum, the current filter list should be included in the extension package rather than periodically updated from a remote URL. That way the filter list can be audited and must pass a review, without having a negative impact on the effectiveness of the extension, since the filter list does not appear to frequently change.

https://github.com/ClearURLs/Addon/wiki/Rules

https://gitlab.com/anti-tracking/ClearURLs/rules

https://kevinroebert.gitlab.io/ClearUrls/data/data.minify.js...

7 months ago by cookiengineer

I agree with you there. For my stealth browser I decided to go with a different JSON based format [1] that can rewrite the URL parameters via wildcards (for both * at the start and end of both key and val).

It has the idea that you can audit a website and only list the allowed parameters there, so that a website search or sorting order or filters can still work.

I built my browser on an allowlist based concept because it seemed impossible to maintain all bad urls, domains, parameters on the web. Most websites have more tracking than content in them, so I decided on maintaining lists to select the content rather than the ads and trackers.

[1] https://github.com/tholian-network/stealth/blob/X0/profile/p...

7 months ago by scolby33

The developer addressed this comment here https://github.com/ClearURLs/Addon/issues/102#issuecomment-8...

7 months ago by mcovey

Check out Neat URL - it's more basic, uses a comma-separated list of rules, and comes with some hard-coded presets you can override. I maintain my list in a text file and just update that and copy/paste in when I want to create one.

Of the defaults, I only override "cid, mbid" as blocking those on every site has ended up breaking some.

https://github.com/Smile4ever/Neat-URL

7 months ago by neop1x

The last time I used it, it also disabled ETags by default. I lost many hours trying to figure out why those 10MB Kibana JS bundles were re-downloaded on every page load and only in my Firefox, checking about:config, etc... I know etags can be used for tracking and that Expires should be used instead but I did not expect ClearURLs to do anything more than just cleaning URLs...

7 months ago by g_p

It looks like the developer may be in the EU. If they offer the add-on as a business, it may be worth looking at whether any of the internet rights legal groups will help take the case up under the 2019 EU platform rules.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32...

These make various requirements around how Google act, and include requirements around removing products from platforms.

As an aside, it seems crazy that we allow platforms to take action when in positions of such clear conflict of interest, but that seems to be the way of the tech sector.

7 months ago by random5634

God - if remote code execution exploits are an EU right we are screwed!

7 months ago by etherealG

Except remote code execution wasn't the reason Google claims to take the add-on down... come on, it's a clear conflict of interest, and they could have easily asked to remove the remote code execution possibility instead.

7 months ago by madeofpalk

I really struggle to believe that "Google" thinks this itty bitty extension that a rounding error % of their users use would have an impact on their business model, which was grounds to kick it off the store.

This "just" sounds like the typical story we hear so often of an overzealous "app" reviewer waking up on the wrong side of the bed and just decided to delete someone's product and/or business (which is a huge problem itself!)

7 months ago by Closi

One extension does not have an impact, but in aggregate across many extensions these things can make a huge difference.

The primary reason Google has Chrome and Android is to maintain ecosystem control and to continue tracking users to support its ad business (or reduce the threat that other browsers will diminish its business in these areas).

7 months ago by m-p-3

One of my reasons to stick with Firefox on both desktop and mobile.

7 months ago by subsubsub

Ad blockers were a rounding error once.

7 months ago by neilv

This reminded me of a library I released in January 2005. Part of the embedded docs from the 2011 release:

    ;;; The @b{urlskip} Racket library provides a function that translates some of
    ;;; the Web URLs that might be used to track a user across sites, by removing
    ;;; intermediate HTTP redirectors or information that might identify the user.
    ;;; Such a function might be used as part of a privacy-enhancing Web browser,
    ;;; or to canonicalize or un-obfuscate URLs for Web analysis projects.
    ;;;
    ;;; Note that @b{urlskip} is not intended to remove information used by
    ;;; ``affiliate'' referral programs to identify site operators that have sent
    ;;; users to a site.  However, in some cases this affiliate ID information
    ;;; might be lost in the process of removing a intermediary URL that is used by
    ;;; a third party to track and profile users.
It had special-case handlers for various URL server authorities and the paths under them. So, for

    http://www.amazon.com/exec/obidos/redirect?tag=AAA&creative=111&camp=222\
    &link_code=bn1&path=asin/b333
it was coded to preserve only certain query parameters, like:

    http://www.amazon.com/exec/obidos/redirect?tag=AAA&path=asin/b333
A lot of the cases it handled were redirectors, which usually meant only the target URL, which was usually in a query parameter, but might be in the path, and might or might not be URL-escaped. So, for example,

    http://www.google.com/url?sa=l&q=http://www.shopping.com/xGS-AAA_BBB~NS\
    -1~linkin_id-111&ai=REALLYLONGNONSENSESTRING&num=3
would skip the redirector, to be simply:

    http://www.shopping.com/xGS-AAA_BBB~NS-1~linkin_id-111
I was going to link here to the code of `urlskip`, but it's no longer in the package repository where it used to be. (I added a lot of libraries to that repository, and don't recall whether there was some reason to remove this particular library.) It was a pretty niche library, and in a fringe language, so its impact might've only been as an example, pointing out that this could be done, and some rules for it.
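The two approaches sketched in this thread (an allowlist of query parameters per host, as in the Stealth profile format above, and the redirector-skipping rules urlskip used) can be combined in a few dozen lines. The block below is an added example written for this page; it is not code from ClearURLs, Stealth, Neat URL or urlskip, and the rule table, host names and the `redirect`/`allow` rule shape are assumptions chosen for illustration. It also carries the check dessant's comment implies a rule engine needs: a rule may only keep, drop or unwrap, and an unwrapped redirect target is followed only if it is itself an http(s) URL, so no filter list can turn a link into a `javascript:` or `data:` URL.

```javascript
// Added example (not ClearURLs', Stealth's, Neat URL's or urlskip's code).
// Hypothetical rule table: per host, either an allowlist of query keys
// (with "*" wildcards at the start or end of a key) or a redirector rule
// naming the path and the query parameter that carries the real target.
const RULES = {
  "www.amazon.com": { allow: ["tag", "path"] },
  "www.google.com": { redirect: { prefix: "/url", param: "q" } },
  "example.com": { allow: ["q", "sort*", "*_id", "page"] },
};

// Turn an allowlist pattern such as "utm*" into an anchored RegExp.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metachars, except "*"
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function keyAllowed(key, allowList) {
  return allowList.some((p) => wildcardToRegExp(p).test(key));
}

// Filter the raw query string, keeping the original encoding of kept pairs
// (re-serialising through URLSearchParams would rewrite "/" as "%2F").
function filterQuery(rawSearch, allowList) {
  const pairs = rawSearch.replace(/^\?/, "").split("&").filter(Boolean);
  const kept = pairs.filter((pair) => {
    const rawKey = pair.split("=")[0];
    let key;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    } catch {
      key = rawKey; // malformed escape: match on the raw key
    }
    return keyAllowed(key, allowList);
  });
  return kept.length ? "?" + kept.join("&") : "";
}

function cleanUrl(input, depth = 0) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return input; // unparsable input is left alone rather than "fixed"
  }
  const rule = RULES[url.hostname];
  if (!rule || depth > 5) return url.href; // depth bound for nested redirectors

  if (rule.redirect && url.pathname === rule.redirect.prefix) {
    // searchParams.get() percent-decodes, so escaped and unescaped targets
    // are both handled.
    const target = url.searchParams.get(rule.redirect.param);
    if (target) {
      try {
        const t = new URL(target);
        // Only follow http(s) targets: the rule list must not be able to
        // rewrite a link into javascript:, data: or another scheme.
        if (t.protocol === "http:" || t.protocol === "https:") {
          return cleanUrl(t.href, depth + 1); // the target may itself need cleaning
        }
      } catch {
        // not an absolute URL: fall through and return the original
      }
    }
    return url.href;
  }

  if (rule.allow) {
    url.search = filterQuery(url.search, rule.allow);
  }
  return url.href;
}
```

With this shape of rule the filter list can only narrow a URL; the worst a malicious list can do is drop a parameter a site needs, which is the breakage mcovey mentions with `cid`/`mbid`, not code execution.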

7 months ago by karlicoss

Sounds like a great idea! I had a similar service in mind to resolve shortlinks like t.co/bit.ly, etc, this could also be a nice feature for web archiving like archive.org

7 months ago by shilgapira

Well it turns out that I just installed this addon on Firefox yesterday after hearing about it here or on Reddit.

This move does well to reinforce my loyalty to Firefox as my main browser. Hopefully it has the same effect on others.

7 months ago by 0xfaded

I also just added it to firefox.

Thanks Barbra Streisand effect!

7 months ago by vertis

At the risk of a me-too thread, I've added it to Firefox as well.

I think the final nail in the coffin for Chrome for me was the decision to hobble uBlock Origin several years back.

Firefox is far from perfect, but at least it's not completely owned by Google.

7 months ago by bsdubernerd

Mozilla has been playing a little bit better here, but let's not forget Mozilla could remove the addon in pretty much the same way.

Case in point: Firefox on mobile has a selected _whitelist_ of addons you can install, and that's it.

7 months ago by Boltgolt

I was under the impression that the new Firefox for Android has not implemented all plugin APIs yet, and thus can't run most of the plugins. Of course there will be plugins that do work and are not whitelisted right now, and they need to get on that, but it's not just whitelisting for the sake of whitelisting

7 months ago by lopis

It's true that the new Firefox still only has a handful of addons available. But that's still a handful more than Chrome supports.

7 months ago by stjohnswarts

That's currently a technical limitation because they haven't built all the infrastructure into their "new" browser to handle all the available plugins and don't want to receive thousands of bug reports they can't do anything about.

7 months ago by emayljames

True, although you can sign in and add to a collection on the site then add to the browser.

7 months ago by eertami

>Firefox as my main browser

I tried last year, and honestly it isn't bad. But I use the Chrome "install this site as an App" functionality a lot and Firefox's "app tabs" didn't work nearly as well. Plus, I hear they've removed or are removing said single site browser functionality.

This might be a somewhat niche case but it makes it really hard to switch as much as FF does have some nice features (picture in picture for all video content is very nice).

7 months ago by urthor

On Firefox Android the same button for install this site as an app is right there?

It's called Add to Home Screen

7 months ago by raihansaputra

I think GP means on the desktop. I also use the same function so I can run the web version of Slack instead of the Electron one, on a separate window with the Slack icon. Firefox killed their efforts to support this (single site browser). https://news.ycombinator.com/item?id=25589177

7 months ago by nitrogen

I was trying to help a family member set up a new tablet for their kids, and we literally could not find any Add to Home Screen feature in Firefox anywhere. It's there on my phone, but like 80% of the menu items I have were just not there on this tablet.

7 months ago by speedgoose

I just added it to Microsoft Edge using the Microsoft Store.

7 months ago by ship_it

Likewise. Step up YC people!

7 months ago by skinkestek

As has been said by someone before:

There's a billion dollar niche waiting for the right company:

- make a search engine that works

- show text ads clearly distinguishable from results

- play nice, and maybe even use a cool slogan like "we're not evil" or something (it used to be someone else's but it seems they don't use it anymore ;-)

7 months ago by ColinHayhurst

Self-disclosure: Mojeek CEO. On your points:

- Our search engine works and has been doing so for >15 years. Our search quality needs improving but does so gradually. And it's independent; our own crawler, index and infrastructure

- We just introduced non-tracking search ads: https://www.mojeek.com/support/ads/

- We use "No Tracking, Just Search" and "Search without Surveillance"

We've been building for 15 years; here's our founder story: https://news.ycombinator.com/item?id=26502140

7 months ago by passerby1

Do I understand correctly that duckduckgo is there already?

7 months ago by astura

If you, like me, were wondering what that meant (or if it is an automatic distinction like "Amazon Choice"), this is what they say gets a "Recommend" badge.

>Recommended extensions are editorially curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff, along with community participation, selects each extension and manually reviews them for security and policy compliance before they receive Recommended status. These extensions may also qualify for promotions on the AMO homepage and other prominent locations. Developers cannot pay to have their extensions included in this program.

7 months ago by seqizz

Shows who prioritizes what. Installed.

7 months ago by achairapart

Just to add my own data point: I have some extensions in the Chrome Web Store and, from time to time, Google sends me a notice that they violate privacy policies (but they don't collect any data) or some permissions are not used (but yes, they are).

So, after explaining and linking to the source code, they usually reply with another canned response:

    Thank you for reaching out to us. We took a closer look at your item again and found it to be compliant with our policies. Your item has been reinstated and will be available in the store shortly. We apologise for the inconvenience caused to you in this matter. We value your contributions to the Chrome Web Store and look forward to working with you.
So maybe there is some Hanlon's razor at play here, too.

7 months ago by yjftsjthsd-h

Sufficient incompetence is indistinguishable from malice, and should be treated similarly (at least when dealing with companies). In my opinion, a company that regularly flags things that are compliant with the rules is Bad regardless of motives.

7 months ago by achairapart

From what I can see it may be:

- A bad or gone-bad automated system;

- Outsourced incompetent people;

- An attempt to softly push out what they don't like (it still takes patience and effort to deal with this);

- Some mix in between.

For sure, malice or not, it's flawed.

7 months ago by Hendrikto

> The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google's business model. […]

> Among other things, it was claimed that the description of the addon is too detailed and thus violates the Chrome Web Store rules. The mention of all the people who helped to develop and translate ClearURLs is against Google's rules because it could "confuse" the user. Ridiculous.

> Also, Google has criticized that the description of the addon did not mention that there is a badge, an export/import function for the settings, a logging function for debugging, and a donation button. This would be "misleading".

> Last but not least, it was criticized that the "clipboardWrite" permission would not be necessary. But that's not true, and I've had a description for each permission in the Chrome Web Store Developer Dashboard for well over a year now. So the "clipboardWrite" permission is needed for writing clean links via the context menu into the clipboard.

7 months ago by gertrunde

> it was claimed that the description of the addon is too detailed and thus violates the Chrome Web Store rules.

This one does make me laugh more than the rest, coming from Google that names their apps in the Play store as follows: "Android Auto - Google Maps, Media & Messaging" "Files by Google: Clean up space on your phone" "Google Chrome: Fast & Secure" "Google Duo - High quality video calls" "Phone by Google - Caller ID and spam protection"

If this is a policy, perhaps they'll delist their own apps from the store?

7 months ago by rjmunro

Google rejects the plugin, saying the description is too long and wordy and doesn't cover points that it should.

So either Google must be trying to block a plugin for evil business reasons or Google is trying to improve the Chrome Web Store, making it less confusing for users and easier to search.

Improving the description will probably make more people install it, not less.

7 months ago by dspillett

> Among other things, it was claimed that the description of the addon is too detailed ...

> Also, Google has criticized that the description of the addon did not mention <list of things> ...

So it was simultaneously too detailed, but needed more details.

7 months ago by nybble41

It needed different details. In the reviewer's opinion the description included irrelevant details while omitting information which would be relevant to someone trying to decide whether or not to install the addon. Which is a perfectly reasonable assessment IMHO. A small amount of "flavor text" is fine, but the main purpose of the description is to ensure that prospective users can make an informed decision. Anything else can go in the app's "about" page or on a separate website.

Now if we could just get app stores to mandate useful changelogs… No, Google, "Bug fixes and performance improvements" doesn't cut it. Describe the bugs that were fixed and where and by how much the performance was improved. Justify spending the effort and risk of updating the software to the new version. There is no point in a changelog message that could be applied equally well to every release of every software product ever made.

7 months ago by echelon

More fuel for the Google antitrust / breakup fire.

Google should not be allowed to develop Chrome or have any say in web standards. Every play they make favors themselves - unsemantic HTML5, AMP, crippled and removed extensions, progressive removal of the URL bar, https everywhere (no more self-hosted blogs unless you understand cert signing and automated renewal - why did the web stop being easy?), cookie standards that favor their moat, "acceptable ads" policies, reCAPTCHA, etc. etc.

Here's a laundry list of things they did to YouTube to hamper other, non-Chrome browsers: https://arstechnica.com/gadgets/2018/12/the-web-now-belongs-...

7 months ago by deallocator

I don't disagree with what you're saying, but I feel HTTPS everywhere does not belong in that list. Secure by default doesn't sound evil to me, and Let's Encrypt made it easy enough to get free HTTPS certificates (and for non technical people, almost all hosting services I've seen offer it out of the box)

7 months ago by BunsanSpace

A static blog that takes no user input/data doesn't need HTTPS.

Here's a good lecture about why HTTPS everywhere isn't as important as people think. http://n-gate.com/software/2017/07/12/0/

7 months ago by varispeed

Let's Encrypt has a de facto monopoly. I think we could have added HTTPS if we had dozens of projects like Let's Encrypt; otherwise this is just handing over too much control to one organisation.

7 months ago by Const-me

> Let's Encrypt made it easy enough to get free HTTPS certificates

Just checked.

My hosting provider asks 2x more money for the SSL addon (which includes a unique IP, unlimited subdomains, and a free certificate). They wrote on the support forum that I need that addon regardless of which certificate I'm gonna use, the included free one, or any other like Let's Encrypt.

Not gonna switch hosting nor pay 2x more for it just to please Google.

7 months ago by foepys

I agree with you except for the HTTPS part. In some nations it's not unheard of for ISPs to inject ads and tracking into webpages. This also opens the door for malware.

Let's Encrypt, with its certbot, made it easy enough to get a cert, and every major webserver supports HTTPS out of the box with good documentation.

7 months ago by happymellon

Not unheard of? Pretty sure Comcast at least used to do this. They are a pretty big player in a well-known country that most people here would know of.

7 months ago by jeltz

The certbot client is pretty awful (it does not cooperate well with automation) but otherwise I agree 100%. HTTPS everywhere and Let's Encrypt have been huge boons to security.

7 months ago by jiofih

Don’t know why you are being downvoted, this is absolutely true.

Handing web standards over to an advertising company has been one of the most damaging things ever done to the internet.

7 months ago by lmilcin

I second that. The whole problem is that Google is supplying a trojan horse that they use to prevent people from developing solutions for protecting their privacy, and in fact they use it to gather even more data about people -- something that ensures an unfair advantage over the competition.

7 months ago by yurielt

It seems as if Google or its moles are monitoring this site, because it is not the first time a reasonable anti-Google comment gets treated like this with no replies explaining why.

