I'm now routing my traffic through a PiHole via a VPN to cut down the worst ads and will probably never install another extension.
Be aware that if you use these "passive" blocking methods, there are some sites, like YouTube, where you will see ads, because in these cases it's necessary to actually manipulate page content to hide them. What you can do is use a traditional adblocker but enable it only for these few sites where the declarative approach is not enough; take a look at [3] for more details.
[1] https://github.com/uBlockOrigin/uBOL-home
[2] https://github.com/StevenBlack/hosts
[3] https://seirdy.one/posts/2022/06/04/layered-content-blocking...
For TGS I use the last known good version, as an "unpacked" extension.
I think this approach of taking ownership of the code (i.e. running the extension "manually") is the best option, aside from two critical factors: skill and effort.
(Not very much of either is needed, if you know basic JavaScript, but it's a significant "mental hurdle".)
(I've never heard of them; this is a fundamental problem with using centralized "privacy preserving" services.)
https://en.wikipedia.org/wiki/Watering_hole_attack
I think uBlock Origin is a bit better, in that it is open source. Does it support reproducible builds though?
https://github.com/orgs/nextdns/repositories?type=all
https://github.com/AdguardTeam/AdGuardSDNSFilter
If you don't trust their DNS servers for whatever reason, you can simply add these entries to your hosts file to replicate their functionality locally.
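The AdGuard DNS filter linked above is written in adblock syntax (`||domain^`, `@@` exceptions, `$modifiers`), not hosts-file syntax, so "add these entries to your hosts file" needs a conversion step. The converter below is an added example for this thread, not AdGuard's own tooling; the sample list and the `.example` domains in it are constructed. It also shows the caveat a practitioner should know: a hosts file matches exact hostnames only, while `||example.org^` also covers every subdomain, so the result is a lossy approximation of what the DNS service does.

```javascript
// Convert an adblock-syntax DNS filter list into hosts-file lines.
// Added example, not AdGuard's own code. Wildcards, regex rules and
// $modifiers cannot be expressed in a hosts file and are dropped.
const DOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/i;
const IPV4_RE = /^\d+(?:\.\d+){3}$/;

function filterListToHosts(text, sinkhole = "0.0.0.0") {
  const blocked = new Set();
  const allowed = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    // "!" and "#" introduce comments in adblock and hosts syntax respectively.
    if (line === "" || line.startsWith("!") || line.startsWith("#")) continue;
    let rule = line;
    let exception = false;
    if (rule.startsWith("@@")) { exception = true; rule = rule.slice(2); }
    // Strip $modifiers ($important, $dnstype=..., ...): hosts files cannot express them.
    const dollar = rule.indexOf("$");
    if (dollar !== -1) rule = rule.slice(0, dollar);
    let host;
    if (rule.startsWith("||") && rule.endsWith("^")) {
      host = rule.slice(2, -1);                 // ||domain^ form
    } else if (/^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+/.test(rule)) {
      host = rule.split(/\s+/)[1];              // already hosts-style
    } else {
      host = rule;                              // bare hostname rule
    }
    host = host.toLowerCase();
    // Anything that is not a plain hostname (wildcards, regexes, IPs) is skipped.
    if (!DOMAIN_RE.test(host) || IPV4_RE.test(host)) continue;
    (exception ? allowed : blocked).add(host);
  }
  // Exceptions only cancel an exact match here; adblock semantics are richer.
  return [...blocked]
    .filter((h) => !allowed.has(h))
    .sort()
    .map((h) => `${sinkhole} ${h}`);
}

// Constructed sample list mixing the rule kinds a real DNS filter contains.
const SAMPLE_FILTER = `! Title: constructed sample list
||ads.example^
||tracker.example^$important
@@||ads.example^
||metrics.example^
0.0.0.0 beacon.example
/^https?:\\/\\/.*doubleclick/
||*.wildcard.example^
||192.0.2.10^
`;

if (typeof module !== "undefined" && require.main === module) {
  console.log(filterListToHosts(SAMPLE_FILTER).join("\n"));
}
```

Run it with `node` and append the output to `/etc/hosts` (or the Windows equivalent). Because the exception handling and subdomain coverage are both weaker than the service's own resolver, expect a few sites to behave differently than they did behind AdGuard DNS.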
If you want to have all the data under your control, there's this: https://github.com/AdguardTeam/AdGuardHome
Regarding open source, AdGuard DNS actually is: https://github.com/AdguardTeam/AdGuardDNS
AdGuard DNS being open source does not change the fact that it is a centralized service, and using such a service is a matter of trust.
They have more variations like social media block and instructions for using it at https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
Sure, Google wants to architect things so that ad blockers as we know them now aren't really feasible. But I think that we can concede that Google has a good point in saying these world-read-write-anything extensions are not good for us.
If you have an established extension and push an update, odds are there will be no human review of the code changes. That is how most malicious extensions happen.
Sure, Mozilla historically had fewer malicious extensions than Chrome. But that's for the same reason that Linux has fewer viruses than Windows: hackers will target the 90% of users and not waste time on the rest.
I say all this as a staunch Firefox user and maintainer of a handful of extensions.
Mozilla mostly doesn't review source code either, except for a small number of select, popular extensions.
That's bullshit. My extensions are not malware. I sell upfront paid extensions to end users. As always, if you're not the customer, you're the product. That's the problem with all of these free extensions: they have no clear business model.
I don't recall ever receiving an offer to acquire my extensions. I'm not sure why: perhaps because they're Safari, perhaps because they're upfront paid, perhaps because the user base is smaller than free extensions, or some combination of those factors. In any case, these scammers are looking for volume, as many users as possible, because the amount of money they can make per user is small, especially compared to how much I can make per user from a direct purchase.
While I appreciate your point about the business model, your statement that your extensions are not malware is not verifiable.
Well, my "malware" had its 5th anniversary earlier this year. So I must be one of the world's greatest malware authors.
Not to mention that I scammed a bunch of members of the tech media into publishing recommendations of my malware.
All too often you can be the customer and still be the product. It's great if you genuinely aren't selling out your paying users, but you're increasingly the outlier there.
> That's the problem with all of these free extensions: they have no clear business model.
Not every extension needs a business model. Many exist just because someone was passionate enough about a problem to come up with a solution and they were happy to share what works for them with others. Not everything has to be about getting rich. Many of the best things aren't.
True, but just as money can run out, so can passion. And everyone needs to make a living somehow.
Most of the big open source projects have corporate funding and engineers who are paid to work on them. I continue to be puzzled about how Raymond Hill, the developer of uBlock Origin, makes a living, and how he has time to continue to work on the extension. Does anyone know?
Note that even Hill's passion wanes. "The uBlock project official repository was transferred to Chris Aljoudi by original developer Raymond Hill in April 2015, due to frustration of dealing with requests." https://en.wikipedia.org/wiki/UBlock_Origin?#uBlock This is how uBlock became uBlock Origin, and Hill's trust in Aljoudi turned out to be misplaced. Open source is no savior.
More recently, Hill said this: "What would actually help is that people help to completely investigate existing issues instead of keep asking me to add yet more features. Turns out people willing to step in the code to investigate and pinpoint exactly where is an issue (or that there is no issue) is incredibly rare." https://www.reddit.com/r/uBlockOrigin/comments/i240ds/commen...
Thus, I still think a business model is important, even crucial. Without sustainable funding, the future of any software project becomes highly questionable.
FOSS is the exception to that rule.
1: https://chrome.google.com/webstore/detail/little-rat/oiopkpa...
How do you deal with side channels when the page is running javascript that's being served by the attacker?
(Little Rat sounds like a great tool; I've been meaning to check it out.)
I'm a little puzzled why we only get the speaker icon, yet the screenshots all show the blocking options.
The Chrome store version only has blocking. If you install it from GitHub you get all the other options.
The best Mozilla can say about the security of their browser when using extensions (even ones that they recommend) is: "While there is an element of risk to installing any third-party software, there are a few simple best practices you can follow to reduce it. Is the extension made by a reputable developer? Are the user ratings high?" From: https://blog.mozilla.org/addons/2018/02/01/understanding-ext...
I don't want to rely on reputation and user ratings as these are ephemeral and easily faked. I want a browser to include necessary features out of the box and I want their code to be independently audited.
If this chaotic mess is simply because of the need to monetize I would gladly pay for a trustworthy, feature rich browser.
Browser extensions can exist to fill needs which are specific to one web site (e.g. "Clickbait Remover for Youtube"), or which are so esoteric and/or ridiculous that they shouldn't be a core component of a web browser (e.g. "Cloud to Butt").
See this article (not by myself) and comment thread from two weeks ago for further details:
But more often than not, the author of the extension was fully aware of all the consequences that came with the deal; the money was just too good to say no.
The developers are accepting cash offers to inject malware into their extension. They know damn well what they're doing, and the good ones... don't.
The developers accepting these offers aren't some maligned, innocent party - they are the people spying on you...
That's the only famous example I can think of though.
Saying they don’t know is like saying a courier who delivers packages from Mexico never knew they were delivering narcotics. That defense doesn’t really hold up in court. Extension devs who do it should be banned from the store.
Are you sure?
Lots of developers are highly trained but poorly educated. It took at least a decade for a lot of them to catch on to the scam called "crypto" --- and some still haven't.
"I want to introduce an exclusive... I'm thrilled to inform you that..."
That should ring some bells for even my parents these days, let alone developers?
In fact, some of the worst offenders are people who absolutely should know better. I only know a handful of people who have agreed with me on this. Unbelievable.
An extension I will never install is one that interfaces with my password manager. I've seen way too many exploits that begin with a bug in such an extension to feel comfortable with it. I prefer the security of my clipboard, where I can copy/paste from my password manager - if my clipboard is compromised then at least only one password will be stolen, and a separate exploit would be required to even know into which website I entered the password. This does leave me vulnerable to phishing, since I don't get the automated URL->password retrieval, but I've never liked that feature of password manager extensions anyway.
You have a lot more faith that Google isn't collecting data on every last website you visit than I do.
But I do disable as much Chrome telemetry as possible, including features like auto-suggest and pre-loading, and I don't "log in" to the browser with my Google account (despite the constantly changing dark patterns trying to trick me into doing that). It's not much but it's good enough.
That said - The title as written is just complete bullshit.
If the developers are taking monetization offers and injecting code in response - the developers are fucking spying on you. There's not some malicious way to monetize an upstanding developer's extension.
Really - the title is bad enough I'd consider pulling this... It's just lying to get clicks.
You may think you can detect any scam, but scams may be targeted and complex.
Anyone developing software who takes cash money to inject code they have not reviewed (or worse is remotely hosted and subject to change - although at least this is getting removed with manifest v3...) is actively participating in screwing over their users.
Shoving your fingers in your ears and going "nah nah nah, I can't see it so I don't know" is bullshit. You took cash... to add code. You are actively complicit.
You download the source when you install the extension. It's a zip file. You can unzip it and examine it yourself. Even if the developer provides a GitHub repo, how do you know it's the same as the version in the extension store?
Maybe there's a server component too, but again how would you know that the source provided is what's actually running on the server?
Browser extensions won’t spy on you, if you use trusted extensions by trusted members of the community.
What the author described was very much not that. What they described was developers making a conscious decision to add untrusted code to their extension without properly verifying it or following security best practices.
A more accurate title would be something like "It's hard to trust browser extensions, developers are bombarded with offers of easy money and may negligently add malware/adware"
It seems there should be a way to allow a lot of customizability/power to these tools without actually letting the extension send data home or even see the actual data.
This may indeed be the same: https://en.wikipedia.org/wiki/Adbusters
Similar, but for convicted monopolist.
And you have no choice if you're using Apple.
The only 'not terrible' choice is Firefox. But again, Mozilla Org has constantly made terrible choices that smell like adtech, kind of bad.
De-Googled Chrome can be better, as can de-Mozilla'd Firefox (Iceweasel, etc.).
Also forbids code downloading from external sources.
So downloading from the store should be more secure.