Chrome disabling uBlock Origin is a serious security threat (opens in new tab)

(nuage.quimerch.com)

100 pointsewenquim1y ago83 comments

83 comments

"There are a few alternatives available. Unfortunately, moving to Firefox may not be a viable option for her, especially given Mozilla’s recent behavior."

The world has gone crazy. So this relative has casually used the most bloated spyware disguised as a browser for literally a decade, but she can't switch to firefox because 'Mozilla’s recent behavior'.

ewenquimOP1y ago

She can't switch to firefox because she's used to Chrome and she's 80.

TBH I added the sentence about recent Mozilla behaviour because it pisses me off but it shouldn't be an argument, you're right.

jajko1y ago

What special feature does she use that is absolutely untransferable to FF?

I have both browsers icons next to each other and sometimes I launch the other by mistake. For normal browsing I only spot the difference due to various pages having different logins ie from my wife or not being logged in.

If somebody is able to use internet (god forbid even do some payments on it) then I am pretty sure they could understand the concept of another, very similar app with same behavior. Sometimes new releases change UI at least as much as those browsers differ between each other.

2 more replies

barotalomey1y ago

> Unfortunately, moving to Firefox may not be a viable option for her, especially given Mozilla’s recent behavior.

This is such an unfair comparison, where Google made billions on your user data and Mozilla is barely living off the scraps.

Clearly we should support Mozilla and not Google here.

nijave1y ago

Isn't the simple middle ground to use a Chrome fork that doesn't block uBlock?

Edit: Chromium forks/derivatives

soraminazuki1y ago

Advocating for the entire browser landscape to be taken over by Chromium is definitely not a middle ground. It's letting the world's largest ad company be the dictator of the web.

1 more reply

pcdoodle1y ago

Brave is awesome. My Mom runs it on a 2014 macbook air just fine and she can't stand ads now.

m-p-31y ago

The problem is that any forks wanting to keep MV2 addons available, is to backport the code for each update. The user would need to sideload the addon since it won't be in the Chrome addon store, and that if the uBo dev even maintain the Chrome version after official support is dropped.

baq1y ago

define 'simple'. if chrome ripped the whole extension framework out of the source code, a 'simple' fork will suffer the same fate. (notably Edge also doesn't support uBlock Origin anymore.)

1 more reply

phito1y ago

It's crazy the mental gymnastics people will go through to justify not using Firefox. They should just be honest and say they're too lazy to switch.

nijave1y ago

I've been using Firefox for nearly 15 years and there's technical reasons, too. Mainly memory leaks (which I haven't noticed for a few years anymore) and loading just "feels" slower. Webrender with GPU acceleration helped but it was much more complicated poking at about:config than it "just working"

Recently, I've noticed a "this SaaS only works in Chrome" trend again. Usually that means "only works in Blink" but it still sucks if you need to use SaaS (for work) that has this silly limitation. I've noticed cheaper restaurant web ordering software tends to have problems in Firefox.

For technical or even semi-technical folks those aren't an issue. For non-technical folks, those issues above can easily lead to a poorer web experience without them understanding why. On the other hand, the author didn't actually call out technical issues

2 more replies

aceazzameen1y ago

At this point, I wouldn't be surprised if the complaints I see against Firefox is a campaign to keep people on Chrome. But more likely it's just an excuse due to laziness. Either way these people can be dismissed outright.

maximecrp1y ago

For those who can, i'd say migrate to firefox-based privacy respecting browsers (librewolf, zen, waterfox, ironfox, ...) And help those who can't find alternatives to uBlock Origin and keep some of their privacy

paulryanrogers1y ago

Security fixes to Firefox may take days or weeks to reach downstream forks. That tradeoff may be worse than just setting them up with some privacy settings in Firefox itself.

irjustin1y ago

I'll go against the grain and say this is not a security threat. if missing ublock is a true security concern you shouldn't be using chrome. Because the opposite is not true - that chrome+ublock is keeping you secure from tracking.

We just don't want to see ads. Isn't that enough?

nijave1y ago

There are malicious ads and dark patterns around ad design to trick users into clicking them. I don't think it's security in the "vulnerability" sense or "privacy" sense but more in the "phishing prevention" sense.

Think of those "click here to OPTIMIZE YOUR PC" adware junk you'd prefer anyone you provide tech support for to never see

gruez1y ago

Those ads aren't being blocked by ublock lite?

1 more reply

MortyWaves1y ago

Then you also get absolute scum bags pushing that stuff via push notifications too https://www.lloydatkinson.net/posts/2022/consider-disabling-...

blendergeek1y ago

The article is about blocking ads that contain malware (which are surprisingly common). Preventing tracking is a whole different ballgame that isn't covered by the article

ewenquimOP1y ago

Exactly!

tjpnz1y ago

Google has shown itself to be perfectly happy taking money from criminals and their ad network does push malware. To that end their ad business is a security threat.

nijave1y ago

Not a big deal on the desktop and a small deal on the laptop, ad blocking gives a noticeable performance gain on Android.

Years ago when I had one of those Intel Atom netbooks you could tell a pretty big difference since it was pretty RAM constrained.

everdrive1y ago

This is unpopular every time I say it, but by in large people just shouldn't be browsing the web on mobile. Every single aspect of the experience is worse, and is likely to continue to get worse over time:

- tiny phone screen

- objectively worse mobile-site

- far worse touch-screen-based UI

- the entire iOS side of things has far fewer choices for any sort of effective ad blocking

Is it possible for a savvy technologist to overcome these problems? Yes, but it's like disabling junk in Windows: you're playing a game of cat and mouse and slowly losing the battle over time.

6 more replies

ewenquimOP1y ago

> if missing ublock is a true security concern you shouldn't be using chrome

Dude there are ads on every browsers. And the goal here is to protect her from malwares, not trackers (well at least that's not a priority).

mschuster911y ago

> And the goal here is to protect her from malwares, not trackers (well at least that's not a priority).

Given how intransparent the programmatic advertising industry is and how often malicious actors have abused such advertising networks to spread malware... there is no distinction to make.

never_inline1y ago

Many people here install ublock for elders and / or children and leave it. Now they might become target of ads that download malware.

Havoc1y ago

It's probably a threat to your mind & sanity more than security. This is very obviously aimed at streaming more ads into your head. I don't doubt google's security/engineering chops but if google could prop up your eyelids with toothpicks to ensure continuous ad watching they would...

ewenquimOP1y ago

Yeah but that's another topic (maybe more important, but less immediate and actionnable). yesterday my relative just downloaded a malware. That's something we can do something about!

Gigachad1y ago

Some people would just be better off with an iPad where you can't download malware.

exiguus1y ago

I am confused. uBlock Origin is still available in the webstore <https://chromewebstore.google.com/detail/ublock-origin/cjpal...>. Do we talk about the same extension and/or is it just disabled for Chrome and not for Chromium/Brave etc.? Just curious.

exiguus1y ago

I answered the questions half way myself.The ext. gets disabled because it is manifest 2 not manifest 3. Manifest 2 will be disabled by ~mid 2025 in the Store.

Seeing: seeing https://github.com/uBlockOrigin/uBlock-issues/wiki/About-Goo...

And asking: What are the diff between manifest 2 and manifest 3 ext?

Answer: https://chat.mistral.ai/chat/9e66fbc8-0df2-4248-a252-5acb6fb...

What is the problem to move to M3? And why is this a ban?

exiguus1y ago

I stopped using Google services at the beginning of this year. I transitioned from Chrome to Firefox and from a standard Android device to one without Google accounts and apps. While this setup is suitable for tech-savvy individuals, it can be challenging for someone like my mom.

To address this, I bought her a Fairphone with a de-googled Android operating system installed out of the box. This solution works well, especially for those who prefer not to use Apple products.

For enhanced ad-blocking and security, I set up an OpenWRT router in front of the provider's router. This includes features like Adblock, DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt. This setup has been running smoothly in my parents' house for over three years without any issues.

1vuio0pswjnm71y ago

Maybe in part due to regulatory pressures over privacy, IDN, Chrome includes "site settings" to disable Javascript, etc. on a site by suite basis. It also includes "request blocking" in DevTools. These settings can provide some of the blocking that uBlock provides. To some this can be quite useful. Why there is no way to export and import these settings. It is commmon with open source mobile apps in the www/networking category for example to have the ability to import and export settings.

TekMol1y ago

I guess it would be easy to block ads via a proxy?

An http proxy in Python is just a few lines of code. It could simply drop the requests to known ad servers.

And in Chrome, there is a setting to use a proxy.

So all one had to do is run ./my_ad_blocking_proxy.py and set the proxy in Chrome to something like 127.0.0.1:8080?

solardev1y ago

No, it takes way more than that. That's basically what running a Pihole does, which barely blocks anything these days.

Good ad blocking requires you to be able to look at decrypted HTTPS traffic and remove content from the DOM, including stuff added after the fact by Javascript. That's why uBlock Origin works better than Adguard (which is a https MITM ad blocker) and why Adguard works better than Pihole (which doesn't usually MITM HTTPS).

Simple hosts blocking used to work OK two decades ago but these days so many ads are served directly from the same servers within the same HTTPS connection that it's just not enough.

kmlx1y ago

> Good ad blocking requires you to be able to look at decrypted HTTPS traffic and remove content from the DOM, including stuff added after the fact by Javascript.

ironically this also sounds like a security nightmare.

1 more reply

TekMol1y ago

Ok, but the proxy could insert JS code into the html page which does what uBlock Origin does, couldn't it?

This would give the same flexibility without the need for a browser plugin.

2 more replies

tjpnz1y ago

AdGuard does a good job if you're happy sending them your DNS queries. You'll still want to adopt a layered approach however, and that will involve a browser based ad blocker.

nickthegreek1y ago

I second setting up AdGuard. It is the simplest solution for non-techies to use to help mitigate the problem here wihtout switching browsers. Although I would recommend doing both.

nijave1y ago

uBlock can do fairly sophisticated content blocking and rules that rely on the page being rendered out. Even with tls MiTM you'd need to fully render the page and run JS

Just yesterday I noticed it managed to block self hosted Snowplow (clickstream analytics) JS library without blocking other scripts on the same CDN/domain.

ale421y ago

This is what I was doing around 25 years ago before ad blockers were a thing, and the web was not encrypted... (Python didn't exist yet, the proxy was a lot of code in Object Pascal, i.e. Delphi)

ewenquimOP1y ago

Good idea! But I'll have to install this on my relative's computer or router, that's not as convenient as a browser extension

tkzed491y ago

I run a pihole and I don't regret it, but it's nowhere near ublock in capability. Ublock's more important filters are selecting individual scripts and even page elements.

Fokamul1y ago

Nope, cannot be done like this. You can block just some of the ADs on websites. But for example YouTube requests for video chunks, is same domain as ADs. So you would have Youtube with ADs.

Much easier solution, which everyone should made years ago, STOP using Chrome crapbrowser.

TekMol1y ago

For same-domain ads you could use content-inspection. That is probably how in-browser adblockers do it too.

salzig1y ago

up next: chrome ignores proxy configurations if content is available without.

speckx1y ago

I thought chrome was already doing this for some google domains and using their own DNS vs. the operating DNS? Maybe I’m wrong, but I thought this was a thing.

kennysoona1y ago

It really isn't, because Lite is practically as effective, just less efficient.

tim3331y ago

They don't mention uBlock Origin Lite which does much the same and works with v3. It's a bit disingenuous not to do so.

timbit421y ago

I have clients who use Chrome and when uBO was removed, I installed the Lite version and now some of them have gotten malware. It's not good enough. Will need to switch to another browser.

ewenquimOP1y ago

I just didn't know. Thanks for the info, I'll have a look at it!

baq1y ago

Sad realization: blocking ad blockers is copy protection from a decade or two ago and blocking ads is nowadays basically cracking websites and browsers.

pacifika1y ago

HTML is a human readable source editable interactive document format, which can be optimised for reading.

When I peel an apple to optimise it for eating I’m not cracking an apple.

baq1y ago

Good luck doing that on a WASM <canvas>

j / k navigate · click thread line to collapse

83 comments

asterios331y ago

"There are a few alternatives available. Unfortunately, moving to Firefox may not be a viable option for her, especially given Mozilla’s recent behavior."

ewenquimOP1y ago

She can't switch to firefox because she's used to Chrome and she's 80.

TBH I added the sentence about recent Mozilla behaviour because it pisses me off but it shouldn't be an argument, you're right.

jajko1y ago

What special feature does she use that is absolutely untransferable to FF?

2 more replies

barotalomey1y ago

> Unfortunately, moving to Firefox may not be a viable option for her, especially given Mozilla’s recent behavior.

This is such an unfair comparison, where Google made billions on your user data and Mozilla is barely living off the scraps.

Clearly we should support Mozilla and not Google here.

nijave1y ago

Isn't the simple middle ground to use a Chrome fork that doesn't block uBlock?

Edit: Chromium forks/derivatives

soraminazuki1y ago

Advocating for the entire browser landscape to be taken over by Chromium is definitely not a middle ground. It's letting the world's largest ad company be the dictator of the web.

1 more reply

pcdoodle1y ago

Brave is awesome. My Mom runs it on a 2014 macbook air just fine and she can't stand ads now.

m-p-31y ago

baq1y ago

define 'simple'. if chrome ripped the whole extension framework out of the source code, a 'simple' fork will suffer the same fate. (notably Edge also doesn't support uBlock Origin anymore.)

1 more reply

phito1y ago

It's crazy the mental gymnastics people will go through to justify not using Firefox. They should just be honest and say they're too lazy to switch.

nijave1y ago

2 more replies

aceazzameen1y ago

maximecrp1y ago

paulryanrogers1y ago

Security fixes to Firefox may take days or weeks to reach downstream forks. That tradeoff may be worse than just setting them up with some privacy settings in Firefox itself.

irjustin1y ago

We just don't want to see ads. Isn't that enough?

nijave1y ago

Think of those "click here to OPTIMIZE YOUR PC" adware junk you'd prefer anyone you provide tech support for to never see

gruez1y ago

Those ads aren't being blocked by ublock lite?

1 more reply

MortyWaves1y ago

Then you also get absolute scum bags pushing that stuff via push notifications too https://www.lloydatkinson.net/posts/2022/consider-disabling-...

blendergeek1y ago

The article is about blocking ads that contain malware (which are surprisingly common). Preventing tracking is a whole different ballgame that isn't covered by the article

ewenquimOP1y ago

Exactly!

tjpnz1y ago

Google has shown itself to be perfectly happy taking money from criminals and their ad network does push malware. To that end their ad business is a security threat.

nijave1y ago

Not a big deal on the desktop and a small deal on the laptop, ad blocking gives a noticeable performance gain on Android.

Years ago when I had one of those Intel Atom netbooks you could tell a pretty big difference since it was pretty RAM constrained.

everdrive1y ago

- tiny phone screen

- objectively worse mobile-site

- far worse touch-screen-based UI

- the entire iOS side of things has far fewer choices for any sort of effective ad blocking

Is it possible for a savvy technologist to overcome these problems? Yes, but it's like disabling junk in Windows: you're playing a game of cat and mouse and slowly losing the battle over time.

6 more replies

ewenquimOP1y ago

> if missing ublock is a true security concern you shouldn't be using chrome

Dude there are ads on every browsers. And the goal here is to protect her from malwares, not trackers (well at least that's not a priority).

mschuster911y ago

> And the goal here is to protect her from malwares, not trackers (well at least that's not a priority).

Given how intransparent the programmatic advertising industry is and how often malicious actors have abused such advertising networks to spread malware... there is no distinction to make.

never_inline1y ago

Many people here install ublock for elders and / or children and leave it. Now they might become target of ads that download malware.

Havoc1y ago

ewenquimOP1y ago

Yeah but that's another topic (maybe more important, but less immediate and actionnable). yesterday my relative just downloaded a malware. That's something we can do something about!

Gigachad1y ago

Some people would just be better off with an iPad where you can't download malware.

exiguus1y ago

I answered the questions half way myself.The ext. gets disabled because it is manifest 2 not manifest 3. Manifest 2 will be disabled by ~mid 2025 in the Store.

Seeing: seeing https://github.com/uBlockOrigin/uBlock-issues/wiki/About-Goo...

And asking: What are the diff between manifest 2 and manifest 3 ext?

Answer: https://chat.mistral.ai/chat/9e66fbc8-0df2-4248-a252-5acb6fb...

What is the problem to move to M3? And why is this a ban?

exiguus1y ago

To address this, I bought her a Fairphone with a de-googled Android operating system installed out of the box. This solution works well, especially for those who prefer not to use Apple products.

1vuio0pswjnm71y ago

TekMol1y ago

I guess it would be easy to block ads via a proxy?

An http proxy in Python is just a few lines of code. It could simply drop the requests to known ad servers.

And in Chrome, there is a setting to use a proxy.

So all one had to do is run ./my_ad_blocking_proxy.py and set the proxy in Chrome to something like 127.0.0.1:8080?

solardev1y ago

No, it takes way more than that. That's basically what running a Pihole does, which barely blocks anything these days.

Simple hosts blocking used to work OK two decades ago but these days so many ads are served directly from the same servers within the same HTTPS connection that it's just not enough.

kmlx1y ago

> Good ad blocking requires you to be able to look at decrypted HTTPS traffic and remove content from the DOM, including stuff added after the fact by Javascript.

ironically this also sounds like a security nightmare.

1 more reply

TekMol1y ago

Ok, but the proxy could insert JS code into the html page which does what uBlock Origin does, couldn't it?

This would give the same flexibility without the need for a browser plugin.

2 more replies

tjpnz1y ago

AdGuard does a good job if you're happy sending them your DNS queries. You'll still want to adopt a layered approach however, and that will involve a browser based ad blocker.

nickthegreek1y ago

I second setting up AdGuard. It is the simplest solution for non-techies to use to help mitigate the problem here wihtout switching browsers. Although I would recommend doing both.

nijave1y ago

uBlock can do fairly sophisticated content blocking and rules that rely on the page being rendered out. Even with tls MiTM you'd need to fully render the page and run JS

Just yesterday I noticed it managed to block self hosted Snowplow (clickstream analytics) JS library without blocking other scripts on the same CDN/domain.

ale421y ago

This is what I was doing around 25 years ago before ad blockers were a thing, and the web was not encrypted... (Python didn't exist yet, the proxy was a lot of code in Object Pascal, i.e. Delphi)

ewenquimOP1y ago

Good idea! But I'll have to install this on my relative's computer or router, that's not as convenient as a browser extension

tkzed491y ago

I run a pihole and I don't regret it, but it's nowhere near ublock in capability. Ublock's more important filters are selecting individual scripts and even page elements.

Fokamul1y ago

Nope, cannot be done like this. You can block just some of the ADs on websites. But for example YouTube requests for video chunks, is same domain as ADs. So you would have Youtube with ADs.

Much easier solution, which everyone should made years ago, STOP using Chrome crapbrowser.

TekMol1y ago

For same-domain ads you could use content-inspection. That is probably how in-browser adblockers do it too.

salzig1y ago

up next: chrome ignores proxy configurations if content is available without.

speckx1y ago

I thought chrome was already doing this for some google domains and using their own DNS vs. the operating DNS? Maybe I’m wrong, but I thought this was a thing.

kennysoona1y ago

It really isn't, because Lite is practically as effective, just less efficient.

tim3331y ago

They don't mention uBlock Origin Lite which does much the same and works with v3. It's a bit disingenuous not to do so.

timbit421y ago

I have clients who use Chrome and when uBO was removed, I installed the Lite version and now some of them have gotten malware. It's not good enough. Will need to switch to another browser.

ewenquimOP1y ago

I just didn't know. Thanks for the info, I'll have a look at it!

baq1y ago

Sad realization: blocking ad blockers is copy protection from a decade or two ago and blocking ads is nowadays basically cracking websites and browsers.

pacifika1y ago

HTML is a human readable source editable interactive document format, which can be optimised for reading.

When I peel an apple to optimise it for eating I’m not cracking an apple.

baq1y ago

Good luck doing that on a WASM <canvas>

j / k navigate · click thread line to collapse