dessant

I'd love to use ClearURLs, though last I checked it had a major flaw: it allows arbitrary code execution by the provider of the filter list. Among other things, it can redirect script URLs to arbitrary sources, and the filter list is periodically updated from a GitLab page, which enables the filter list provider to perform a targeted attack by serving a malicious filter list to a specific device.

The only filter list provider is the extension maintainer, so this information should be safe to share. I have not had the time to set up a PoC, but I'm confident that the filter rules are way too powerful.

At the very minimum, the current filter list should be included in the extension package rather than periodically updated from a remote URL. That way the filter list can be audited and must pass a review, without having a negative impact on the effectiveness of the extension, since the filter list does not appear to frequently change.

https://github.com/ClearURLs/Addon/wiki/Rules

https://gitlab.com/anti-tracking/ClearURLs/rules

https://kevinroebert.gitlab.io/ClearUrls/data/data.minify.js...

cookiengineer

I agree with you there. For my stealth browser I decided to go with a different JSON based format [1] that can rewrite the URL parameters via wildcards (for both * at the start and end of both key and val).

It has the idea that you can audit a website and only list the allowed parameters there, so that a website search or sorting order or filters can still work.

I built my browser on an allowlist based concept because it seemed too impossible to maintain all bad urls, domains, parameters on the web. Most websites have more tracking than content in them, so I decided on maintaining lists to select the content rather than the ads and trackers.

[1] https://github.com/tholian-network/stealth/blob/X0/profile/p...

mcovey

Check out Neat URL - it's more basic, uses a comma-separated list of rules, and comes with some hard-coded presets you can override. I maintain my list in a text file and just update that and copy/paste in when I want to create one.

Of the defaults, I only override "cid, mbid" as blocking those on every site has ended up breaking some.

https://github.com/Smile4ever/Neat-URL
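As an added example, and not code from ClearURLs, Neat URL or the Stealth browser (nor the rule formats those projects actually use): a small URL cleaner in the spirit of the three comments above. It reads a Neat URL style comma-separated blocklist, a per-host allowlist with `*` wildcards as cookiengineer describes, and is written so that no rule, wherever the list was fetched from, can change anything but the query string. A contrasting hypothetical regex-replace rule shows the kind of capability dessant is warning about. Hosts, parameter names and the sample links are made up for illustration.

```javascript
// Added example, not code from ClearURLs, Neat URL or Stealth. A URL cleaner
// whose rule list, wherever it is fetched from, can only change the query
// string: origin and path of the request stay what the page asked for. The
// rule syntax, hosts and parameter names below are assumptions, not any
// extension's real format.

// Blocklist, comma-separated: "name" drops a parameter on every host,
// "name@host" only on that host, and "*" inside a name is a wildcard.
const BLOCKLIST = "utm_*, fbclid, gclid, mbid@example.com, cid@example.com";

// Allowlist per host: only the listed parameters survive, so a site's
// search, sort and filter parameters keep working while the rest is dropped.
const ALLOWLIST = {
  "shop.example": ["q", "sort", "page", "filter_*"],
};

// Turn "filter_*" into /^filter_.*$/. Every other regex metacharacter is
// escaped, so a rule list cannot smuggle in an arbitrary pattern.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function parseBlocklist(text) {
  const rules = [];
  for (const entry of text.split(",")) {
    const trimmed = entry.trim();
    if (trimmed === "") continue;
    const [name, host] = trimmed.split("@");
    rules.push({ name: wildcardToRegExp(name), host: host ? host.toLowerCase() : null });
  }
  return rules;
}

// Returns the cleaned URL. Only url.searchParams is rewritten; this function
// has no way to express a change of scheme, host or path, whatever the rules say.
function cleanUrl(input, blocklist = parseBlocklist(BLOCKLIST), allowlist = ALLOWLIST) {
  const url = new URL(input);
  const host = url.hostname.toLowerCase();
  const allowed = allowlist[host];
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    let keep;
    if (allowed !== undefined) {
      keep = allowed.some((p) => wildcardToRegExp(p).test(key));
    } else {
      keep = !blocklist.some((r) => (r.host === null || r.host === host) && r.name.test(key));
    }
    if (keep) kept.append(key, value);
  }
  url.search = kept.toString(); // an empty string removes the "?" entirely
  return url.toString();
}

// The property a reviewer of a remotely fetched rule list wants to be able to
// state: for every rule list and every input, origin and path are untouched.
function sameOriginAndPath(before, after) {
  const a = new URL(before);
  const b = new URL(after);
  return a.origin === b.origin && a.pathname === b.pathname;
}

// Contrast: a hypothetical "raw" rule doing a regex replace over the whole URL.
// Handy for stripping odd tracking fragments, but the same mechanism lets the
// list provider send a script request somewhere else, which is why this power
// should not live in a list the extension downloads without review.
function applyRawRule(input, rule) {
  return input.replace(new RegExp(rule.pattern), rule.replacement);
}

console.log(cleanUrl("https://news.example/article?id=42&utm_source=x&fbclid=abc"));
console.log(applyRawRule("https://cdn.example/app.js",
  { pattern: "^https://cdn\\.example/", replacement: "https://attacker.example/" }));
```

Scoping `mbid@example.com` to one host is the fix for the breakage mcovey describes, and `sameOriginAndPath` is the check a reviewer would run over every rule in a list: with `cleanUrl` it holds by construction, with `applyRawRule` it does not, which is the whole argument for shipping and reviewing the list with the extension rather than fetching it.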

neop1x

The last time I used it, it also disabled ETags by default. I lost many hours trying to figure out why those 10MB Kibana JS bundles are re-downloaded on every page load and only in my Firefox, checking about:config, etc... I know etags can be used for tracking and that Expires should be used instead but I did not expect ClearURLs to do anything more than just cleaning URLs...

dessant

I can no longer edit my comment, if someone has the time, please verify this vulnerability and follow up with the maintainer and Firefox reviewers, remote code execution is against add-on guidelines. My impression is that the maintainer is not malicious, though someone could exploit them or the filter list service, and hack the entire userbase of the extension.

userbinator

Security paranoia is ruining the independent Internet and putting more power in the hands of companies like Google.

antihero

I mean, you say paranoia, but I think back to the time I had to spend hours and hours unliking instagram posts made by a bot that had harvested our cookies by buying Nano Adblocker.

anonymousab

In this case, we know that extensions are sometimes sold and updated maliciously. Having external arbitrary code is a legitimately concerning vector because it bypasses Google verification of the extension.

Not that Google are great at their jobs in that case, but it's something.

So it's not paranoia in this case, it's "we can't have nice things" because of real bad actors.

gogopuppygogo

I remember back when adware, spyware, and viruses ran amok on PCs thanks to lax Windows XP security design and an open internet without any effort to protect users. It was bad.

We do need to decentralize the decision making but the progress toward making the web safer for average folks is good.

jimmaswell

Freedom isn't free. An open internet where users take responsibility for taking risks is preferable to a safe but locked down and centralized internet.

EvanAnderson

If we put everybody in jail we don't have to worry about crime anymore! That's a lot easier than trying to have an informed public who can exercise caution and learn to assess risk in their lives. Besides, only a very small market segment of hardcore freedom enthusiasts really care about freedom. There's not enough money in that market segment to be worth the investment. Most everybody will be happy watching television in their cells. Anybody who doesn't like it is welcome to go to the jail run by our one competitor.

ORioN63

My hypothesis:

Any vulnerability-prone system will either fade away or end up with a centralized arbiter quite inevitably.

lacker

It's not paranoia if the internet really is full of hackers out to get you

BuckRogers

Thanks for mentioning this. While I did install it upon seeing the news on removal, I'll go without it for now and hope for a similar project from the EFF.

BuckRogers

I'm seeing downvotes for this and I am here to learn- where am I misguided? Is there a convincing argument to install this program? Let me know, I just want to understand what I may be unaware of, to receive the new information, and then if it makes sense I will correct my decision.

fbelzile

If you don't like the risk this poses, don't use the extension. Your ability to make informed decisions about risk vs reward keeps getting chipped away when Google pulls this kind of stuff off. Google should warn you about the security risks (edit: or just remove it from the public facing store and only keep the hard to guess URL active) but don't tell me what extensions I'm allowed to use or not. Even adding local extensions I make myself is treated like a security threat with a popup every time I open Chrome.

Stop the helicopter computing. People keep saying they want the old Internet back, this is why.

SamBam

I disagree with this stance. Pulling extensions that have a large potential for abuse is absolutely in Google's prerogative, in my opinion.

Suppose our single maintainer decided to finally sell the extension, and the person who bought it made it so that all those links hijacked information or exposed you to malware. This would happen in one day without warning. How many people would be saying that was Google's fault for allowing this to happen?

You say people should determine for themselves based on risk, but most users of Chrome extensions are naive when it comes to understanding risk.

throwaway2048

Surely if this was the reason Google pulled the extension, they would say so.

They wouldn't be making it about the description being too detailed.

While this may be bad, I think it is merely incidental.

fbelzile

I agree, maybe removing the extension from the public facing web store is a better solution. But at the very least, allow the extension to be installed if you have the "hard to guess" URL. I do this with my app that requires a desktop app to be installed since it requires native app messaging.

jimmaswell

Google's prerogative is to make as much money as possible, not make the web a better place.

stjohnswarts

You're getting downvoted but I agree. It's one thing if the maintainer abuses his power as an extension provider. Quite another if they have a history of putting out a perfectly good extension and google acting like they're guilty before proven innocent.

dessant

I don't think you understand the issue. There is an accidental backdoor in the extension. The maintainer can manipulate and access the pages you visit at will, without needing to release a malicious update. All these features can be implemented without the maintainer being able to hack you without a trace, there is no loss of functionality if the security issue is patched.

fbelzile

So you're saying Apple should pull Chrome's permission to run on macOS anytime there's an accidental zero day or vulnerability?

If Google wants to act like a platform, it should have some form of escalation with the developer to fix issues instead of complete removal without warning.

g_p

It looks like the developer may be in the EU. If they offer the add-on as a business, it may be worth looking at if any of the internet rights legal groups will help take the case up under the 2019 EU platform rules.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32...

These make various requirements around how Google act, and include requirements around removing products from platforms.

As an aside, it seems crazy that we allow platforms to take action when in positions of such clear conflict of interest, but that seems to be the way of the tech sector.

random5634

God - if remote code execution exploits are an EU right we are screwed!

etherealG

Except remote code execution wasn’t the reason google claims to take the add on down... come on, it’s a clear conflict of interest, and they could have easily asked to remove remote code execution possibility instead.

madeofpalk

I really struggle to believe that "Google" thinks this itty bitty extension that a rounding error % of their users use would have an impact on their business model, which was grounds to kick it off the store.

This "just" sounds like the typical story we hear so often of an overzealous "app" reviewer waking up on the wrong side of the bed and just decided to delete someone's product and/or business (which is a huge problem itself!)

Closi

One extension does not have an impact, but in aggregate across many extensions these things can make a huge difference.

The primary reason Google has Chrome and Android is to maintain ecosystem control and to continue tracking users to support its Ad business (or reduce the threat that other browsers will diminish its business in these areas).

m-p-3

One of my reasons to stick with Firefox on both desktop and mobile.

subsubsub

Ad blockers were a rounding error once.

neilv

This reminded me of a library I released in January 2005. Part of the embedded docs from the 2011 release:

    ;;; The @b{urlskip} Racket library provides a function that translates some of
    ;;; the Web URLs that might be used to track a user across sites, by removing
    ;;; intermediate HTTP redirectors or information that might identify the user.
    ;;; Such a function might be used as part of a privacy-enhancing Web browser,
    ;;; or to canonicalize or un-obfuscate URLs for Web analysis projects.
    ;;;
    ;;; Note that @b{urlskip} is not intended to remove information used by
    ;;; ``affiliate'' referral programs to identify site operators that have sent
    ;;; users to a site.  However, in some cases this affiliate ID information
    ;;; might be lost in the process of removing a intermediary URL that is used by
    ;;; a third party to track and profile users.
It had special-case handlers for various URL server authorities and the paths under them. So, for

    http://www.amazon.com/exec/obidos/redirect?tag=AAA&creative=111&camp=222\
    &link_code=bn1&path=asin/b333
it was coded to preserve only certain query parameters, like:

     http://www.amazon.com/exec/obidos/redirect?tag=AAA&path=asin/b333
A lot of the cases it handled were redirectors, which usually meant only the target URL, which was usually in a query parameter, but might be in the path, and might or might not be URL-escaped. So, for example,

    http://www.google.com/url?sa=l&q=http://www.shopping.com/xGS-AAA_BBB~NS\
    -1~linkin_id-111&ai=REALLYLONGNONSENSESTRING&num=3
would skip the redirector, to be simply:

     http://www.shopping.com/xGS-AAA_BBB~NS-1~linkin_id-111
I was going to link here to the code of `urlskip`, but it's no longer in the package repository where it used to be. (I added a lot of libraries to that repository, and don't recall whether there was some reason to remove this particular library.) It was a pretty niche library, and in a fringe language, so its impact might've only been as an example, pointing out that this could be done, and some rules for it.
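The redirector unwrapping neilv describes, as an added example rather than the urlskip code: per-host rules say whether the target sits in a named query parameter or after a path prefix, the candidate is percent-decoded as many times as needed, and only something that parses as an http(s) URL is accepted as a destination, so a crafted link cannot turn the cleaner into a `javascript:` redirect. The www.google.com/url entry and its sample link come from the comment above; the other hosts, parameter names and links are assumptions made for illustration.

```javascript
// Added example, not code from urlskip. Unwraps tracking redirectors: the
// target is taken from a query parameter or from the path, may be
// percent-encoded one or more times, and chains of redirectors are followed
// a bounded number of times. Only the www.google.com/url entry is from the
// comment; link.example and out.example are assumed for illustration.

const REDIRECTORS = [
  { host: "www.google.com", path: "/url", param: "q" },
  { host: "link.example", path: "/click", param: "u" },    // assumed host and parameter
  { host: "out.example", pathPrefix: "/go/" },             // assumed: target follows the prefix
];

const MAX_HOPS = 5; // redirector chains are followed, but never unboundedly

// Decode a candidate until it parses as a URL; accept it only if it is
// http(s). Returns null otherwise, so "javascript:" or junk never becomes a
// redirect target.
function toHttpUrl(candidate) {
  let value = candidate;
  for (let round = 0; round < 3; round++) {
    try {
      const target = new URL(value);
      return target.protocol === "http:" || target.protocol === "https:" ? target.toString() : null;
    } catch (_) {
      // not parseable yet; it may still be percent-encoded
    }
    let decoded;
    try {
      decoded = decodeURIComponent(value);
    } catch (_) {
      return null; // malformed escape sequence
    }
    if (decoded === value) return null; // nothing left to decode
    value = decoded;
  }
  return null;
}

// One hop: if the URL is a known redirector, return its target, else null.
function unwrapOnce(input, rules) {
  const url = new URL(input);
  for (const rule of rules) {
    if (rule.host !== url.hostname) continue;
    let candidate = null;
    if (rule.param !== undefined && url.pathname === rule.path) {
      candidate = url.searchParams.get(rule.param); // already decoded once
    } else if (rule.pathPrefix !== undefined && url.pathname.startsWith(rule.pathPrefix)) {
      candidate = url.pathname.slice(rule.pathPrefix.length); // still percent-encoded
    }
    if (candidate !== null) return toHttpUrl(candidate);
  }
  return null;
}

// Follow redirectors until the URL is not one, or MAX_HOPS is reached.
function unwrapRedirects(input, rules = REDIRECTORS) {
  let current = input;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    const next = unwrapOnce(current, rules);
    if (next === null) return current;
    current = next;
  }
  return current;
}

// The Google example from the comment above.
console.log(unwrapRedirects(
  "http://www.google.com/url?sa=l&q=http://www.shopping.com/xGS-AAA_BBB~NS-1~linkin_id-111&ai=REALLYLONGNONSENSESTRING&num=3"));
```

The Amazon case in the same comment (keep only `tag` and `path`) is parameter filtering rather than redirector skipping and is not repeated here; what this block adds is the validation step, since a rule that extracts an arbitrary string from a link and navigates to it is only safe if the extracted string is checked before it is used.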

karlicoss

Sounds like a great idea! I had a similar service in mind to resolve shortlinks like t.co/bit.ly, etc, this could also be a nice feature for web archiving like archive.org

shilgapira

Well it turns out that I just installed this addon on Firefox yesterday after hearing about it here or on Reddit.

This move does well to reinforce my loyalty to Firefox as my main browser. Hopefully it has the same effect on others.

0xfaded

I also just added it to firefox.

Thanks Barbra Streisand effect!

vertis

At the risk of a me too thread. I've added it to Firefox as well.

I think the final nail in the coffin for Chrome for me was the decision to hobble uBlock Origin several years back.

Firefox is far from perfect, but at least it's not completely owned by Google.

bsdubernerd

Mozilla has been playing a little bit better here, but let's not forget Mozilla could remove the addon in pretty much the same way.

Case in point: Firefox on mobile has a selected _whitelist_ of addons you can install, and that's it.

Boltgolt

I was under the impression that the new Firefox for Android has not implemented all plugin APIs yet, and thus can't run most of the plugins. Of course there will be plugins that do work and are not whitelisted right now, and they need to get on that, but it's not just whitelisting for the sake of whitelisting

lopis

It's true that the new Firefox still only has a handful of addons available. But that's still a handful more than Chrome supports.

stjohnswarts

That's currently a technical limitation because they haven't built all the infrastructure into their "new" browser to handle all the available plugins and don't want to receive thousands of bug reports they can't do anything about.

emayljames

True, although you can sign in and add to a collection on the site then add to the browser.

eertami

>Firefox as my main browser

I tried last year, and honestly it isn't bad. But I use the Chrome "install this site as an App" functionality a lot and Firefox's "app tabs" didn't work nearly as well. Plus, I hear they've removed or are removing said single site browser functionality.

This might be a somewhat niche case but it makes it really hard to switch as much as FF does have some nice features (picture in picture for all video content is very nice).

urthor

On Firefox Android the same button for install this site as an app is right there?

It's called Add to Home Screen

raihansaputra

I think GP means on the desktop. I also use the same function so I can run the web version of Slack instead of the Electron one, on a separate window with the Slack icon. Firefox killed their efforts to support this (single site browser). https://news.ycombinator.com/item?id=25589177

nitrogen

I was trying to help a family member set up a new tablet for their kids, and we literally could not find any Add to Home Screen feature in Firefox anywhere. It's there on my phone, but like 80% of the menu items I have were just not there on this tablet.

speedgoose

I just added it to Microsoft Edge using the Microsoft Store.

ship_it

Likewise. Step up YC people!

skinkestek

As has been said by someone before:

There's a billion dollar niche waiting for the right company:

- make a search engine that works

- show text ads clearly distinguishable from results

- play nice, and maybe even use a cool slogan like "we're not evil" or something (it used to be someone else's but it seems they don't use it anymore ;-)

ColinHayhurst

Self-disclosure: Mojeek CEO. On your points:

- Our search engine works and has been doing so for >15 years. Our search quality needs improving but does so gradually. And it's independent; our own crawler, index and infrastructure

- We just introduced non-tracking search ads: https://www.mojeek.com/support/ads/

- We use "No Tracking, Just Search" and "Search without Surveillance"

We've been building for 15 years; here's our founder story: https://news.ycombinator.com/item?id=26502140

passerby1

Do I understand correctly that duckduckgo is there already?

jrbn

Me too. Installed right away.

emayljames

Have even gone to the extra effort of adding to Firefox Android (add to collection, then add in browser).

"Nothing to see here, you can't take photos of my mansion".

benhurmarcel

FYI, it breaks some websites, and doesn't have a whitelist. I removed it recently because of that.

andrewkdinh

For me, it only broke websites when I had the extra options enabled in settings (enabled by default). I’d recommend turning them all off and trying to use it again

tempaccount98

astura

If you, like me, were wondering what that meant (or if it is an automatic distinction like "Amazon Choice"), this is what they say gets a "Recommend" badge.

>Recommended extensions are editorially curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff, along with community participation, selects each extension and manually reviews them for security and policy compliance before they receive Recommended status. These extensions may also qualify for promotions on the AMO homepage and other prominent locations. Developers cannot pay to have their extensions included in this program.

seqizz

Shows who prioritizes what. Installed.

achairapart

Just to add my own data point: I have some extensions in the Chrome Web Store and, from time to time, Google send me a notice that they violate privacy policies (but they don't collect any data) or some permissions are not used (but yes, they are).

So, after explaining and linking to the source code, they usually reply with another canned response:

    Thank you for reaching out to us. We took a closer look at your item again and found it to be compliant with our policies. Your item has been reinstated and will be available in the store shortly. We apologise for the inconvenience caused to you in this matter. We value your contributions to the Chrome Web Store and look forward to working with you.
So maybe there is some Hanlon's razor at play here, too.

yjftsjthsd-h

Sufficient incompetence is indistinguishable from malice, and should be treated similarly (at least when dealing with companies). In my opinion, a company that regularly flags things that are compliant with the rules is Bad regardless of motives.

achairapart

From what I can see it may be:

- A bad or gone-bad automated system;

- Outsourced incompetent people;

- A try to soft push out what they don't like (it still takes patience and effort to deal with this);

- Some mix in between.

For sure, malice or not, it's flawed.

Hendrikto

> The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google's business model. […]

> Among other things, it was claimed that the description of the addon is too detailed and thus violates the Chrome Web Store rules. The mention of all the people who helped to develop and translate ClearURLs is against Google's rules because it could "confuse" the user. Ridiculous.

> Also, Google has criticized that the description of the addon did not mention that there is a badge, an export/import function for the settings, a logging function for debugging, and a donation button. This would be "misleading".

> Last but not least, it was criticized that the "clipboardWrite" permission would not be necessary. But that's not true, and I've had a description for each permission in the Chrome Web Store Developer Dashboard for well over a year now. So the "clipboardWrite" permission is needed for writing clean links via the context menu into the clipboard.

gertrunde

> it was claimed that the description of the addon is too detailed and thus violates the Chrome Web Store rules.

This one does make me laugh more than the rest, coming from Google that names their apps in the Play store as follows: "Android Auto - Google Maps, Media & Messaging" "Files by Google: Clean up space on your phone" "Google Chrome: Fast & Secure" "Google Duo - High quality video calls" "Phone by Google - Caller ID and spam protection"

If this is a policy, perhaps they'll delist their own apps from the store?

rjmunro

Google rejects plugin saying description is too long and wordy, and doesn't cover points that it should.

So either Google must be trying to block a plugin for evil business reasons or Google is trying to improve the Chrome Web Store, making it less confusing for users and easier to search.

Improving the description will probably make more people install it, not less.

dspillett

> Among other things, it was claimed that the description of the addon is too detailed ...

> Also, Google has criticized that the description of the addon did not mention <list of things> ...

So it was simultaneously too detailed, but needed more details.

nybble41

It needed different details. In the reviewer's opinion the description included irrelevant details while omitting information which would be relevant to someone trying to decide whether or not to install the addon. Which is a perfectly reasonable assessment IMHO. A small amount of "flavor text" is fine, but the main purpose of the description is to ensure that prospective users can make an informed decision. Anything else can go in the app's "about" page or on a separate website.

Now if we could just get app stores to mandate useful changelogs… No, Google, "Bug fixes and performance improvements" doesn't cut it. Describe the bugs that were fixed and where and by how much the performance was improved. Justify spending the effort and risk of updating the software to the new version. There is no point in a changelog message that could be applied equally well to every release of every software product ever made.

echelon

More fuel for the Google antitrust / breakup fire.

Google should not be allowed to develop Chrome or have any say in web standards. Every play they make favors themselves - unsemantic HTML5, AMP, crippled and removed extensions, progressive removal of the URL bar, https everywhere (no more self-hosted blogs unless you understand cert signing and automated renewal - why did the web stop being easy?), cookie standards that favor their moat, "acceptable ads" policies, reCAPTCHA, etc. etc.

Here's a laundry list of things they did to YouTube to hamper other, non-Chrome browsers: https://arstechnica.com/gadgets/2018/12/the-web-now-belongs-...

deallocator

I don't disagree with what you're saying, but I feel HTTPS everywhere does not belong in that list. Secure by default doesn't sound evil to me, and Let's Encrypt made it easy enough to get free HTTPS certificates (and for non technical people, almost all hosting services I've seen offer it out of the box)

BunsanSpace

A static blog that takes no user input/data doesn't need HTTPS.

Here's a good lecture about why HTTPS everywhere isn't as important as people think. http://n-gate.com/software/2017/07/12/0/

varispeed

Let's Encrypt has de facto monopoly. I think we could have added HTTPS if we had dozens of projects like Let's Encrypt otherwise this is just handing over too much control to one organisation.

Const-me

> Let's Encrypt made it easy enough to get free HTTPS certificates

Just checked.

My hosting provider asks 2x more money for SSL addon (which includes unique IP, unlimited subdomains, and free certificate). They wrote on the support forum I need that addon regardless of which certificate I'm gonna use, the included free one, or any other like lets encrypt.

Not gonna switch hosting nor pay 2x more for it just to please Google.

foepys

I agree with you except for the HTTPS part. In some nations it's not unheard of for ISPs to inject ads and tracking into webpages. This also opens the door for malware.

Let's Encrypt's with its certbot made it easy enough to get a cert and every major webserver supports HTTPS out of the box with good documentation.

happymellon

Not unheard of? Pretty sure Comcast at least used to do this. They are a pretty big player in a well known country that most people here would know of.

jeltz

The certbot client is pretty awful (it does not cooperate well with automation) but otherwise I agree 100%. HTTPS everywhere and Letsencrypt have been huge boons to security.

jiofih

Don’t know why you are being downvoted, this is absolutely true.

Handing web standards over to an advertising company has been one of the most damaging things ever done to the internet.

lmilcin

I second that. The whole problem is that Google is supplying a trojan horse that they use to prevent people from developing solutions for protecting their privacy and in fact they use it to gather even more data about people -- something that ensures unfair advantage over competition.

yurielt

It seems as if Google or its moles are monitoring this site, because it is not the first time a reasonable anti-Google comment gets treated like this with no replies explaining why.

undefined

[deleted]

theseanl

I did find that the codebase does not seem to be using any `browser.clipboard` API, so the `clipboardWrite` permission seems to be unnecessary. According to [MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...), the `browser.clipboard` API mainly exists to enable extensions to write image contents to clipboards, and all ClearURLs needs is to write text. Also, [another MDN page on clipboard interactions](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...) states that extensions do not need the `clipboardWrite` permission to write to clipboards, e.g. by using `document.execCommand('copy')`.

Hopefully, removing this permission could help get the extension restored.

Nicksil

It seems there's a line which requires such permission:

https://github.com/ClearURLs/Addon/blob/master/external_js/c...

    document.execCommand("copy");
I personally do not know, just going by what's stated within the URL in the adjoining comment (https://github.com/mdn/webextensions-examples/tree/master/co...).

theseanl

Confusingly, according to the MDN document I linked, that permission is not needed.

Clipboard APIs are in general pretty permissive in writing, any websites can write anything to the clipboard without requesting any permission, if it's done within like 1000ms or so from user interaction. So you don't even need an extension to write to clipboard.

phnofive

Classic error message as well for the extension page in CWS:

> The requested URL was not found on this server. That’s all we know.

I suspect suspending an extension could be done with slightly more tact, if that was a goal.

xianwen

As an indirect effect of this, I got to know about ClearURLs and installed it on my firefox.

arkitaip

It's a shame that Firefox Android still hasn't got its shit together wrt add-ons. The current selection is abysmal. It would be nice to have the same addon setup on desktop and mobile and have settings sync across devices.

kuschku

You can create a collection on AMO and set that instead of the whitelist. It's been enabled on Firefox Nightly since October.

It does happen to break some addons, e.g. Greasemonkey, but most work just fine.

retyurt

Contrary to other posters here I'm not sure this is a conscious decision on Google's end. I know of plenty of add-ons that got delisted at random and that were promptly re-instated like ublock (https://github.com/uBlockOrigin/uBlock-issues/issues/745) or firenvim (https://github.com/glacambre/firenvim/issues/518 ).

SSLy

First time would be a coincidence, third time is a broken (or working well, depending on your PoV) process/culture.

Google Removed ClearURLs Extension from Chrome Web Store - Hacker News