It’s a free country, you can use whatever you like. Respect yourself and your own intuition :)
The current situation (summer July–Sept 2023) is, you better switch to any browser that is not Chromium-based. The reason is “Web Environment Integrity” (WEI), which seems to mean, basically, Google is trying to DRM-lock the whole Internet to make sure you see their ads and they can track everyone. Freedom-loving users obviously don’t like that.
At the same time Firefox is getting more and more annoying, yet it’s better than Google. A safe bet for a general user might be LibreWolf. Another new option is Mullvad Browser.
Firefox’s answer, at the bottom of the article, smells like pure BS to me. Disabling an extension with something like a full browser-modal pop-up to warn users of the possibility of an untrustworthy Extension? Sure, fine, whatever, and maybe make that warning capable of being disabled by default, but why make the decision for us - silently - that Extensions are not to be trusted? Do we trust the website that asks if we pwetty please should allow the showing of ads, or maybe the malware provider that please should just disable all security Extensions and allow their malicious code to run, if you would be so kind?
I can think of one use for this: to disable malware to substitute clicking on a link to install your Extension of choice with one of their choice instead - although isn’t the Extensions store already treated specially by default anyway?
Otherwise, I don’t favor taking control away from the users. Especially if users cannot disable this new “feature”. There is far too much potential for misuse of this.
Which will fragment the Chrome & Chromium-alternative market further, if people cannot trust Firefox anymore.
Which will slow development of alternatives to Chrome.
Which only benefits Google.
You can absolutely disable this feature, Mozilla provides instructions for how in their article https://support.mozilla.org/en-US/kb/quarantined-domains
Sadly my experience is that when it comes to security measures, user control often runs contrary to security. While we definitely should have the choice, you have to make it a bit difficult and non-obvious to disable security features, or people will unwittingly disable them for all sorts of bad reasons.
Thank you for the link. I understand somewhat what you mean about security, but also I get the other side too - security for who, and for what purpose? Google seems to have decided that it wants security to deliver ads to your browser, and also to track you everywhere you go (while offering no paid options to surf the internet without ads or tracking afaik?). This may fall under the umbrella of “security”, but not for the sake of the users, whose traffic is being monetized, and the only option is to go over to some other browser like Firefox, which now, conveniently for Google, seems to be doing the same? Or at least could, if anyone could spoof the service and, pretending to be Firefox, ask for security add-ons to be disabled? Maybe I’m simply too jaded to easily trust anymore :-P.
Security for the user is obviously what we are talking about. Regular people do not have the knowledge or patience to make informed decisions regarding their technical security; any model that relies on that is going to fail because people will click whatever they need to make stuff work. Even people who do understand the technology do stuff like disabling SSL verification, rather than going through the effort of adding the new CA to their cert list.
Firefox is not doing the same as Chrome. Firefox is adding a feature to disable unverified add-ons on particular domains to stop attacks from malicious add-ons. Chrome is adding a feature that tracks the sites you visit and shares them with other sites to improve ad tracking.
How are these features comparable at all?
It’s almost like Firefox get almost all their funding from Google.
It’s not like Google would ever take over anything - like let’s say oh I dunno, Android - and kill it from the inside. Remember how it said that its motto is don’t be evil? Oh wait…
It’s a few months yet till summer, although it will be a hot one by all indications, it’s warm enough now.
Sorry, fixed that North hemisphere-centric expression. Next time I’ll be more careful. Thanks for pointing that out.
While I don’t completely understand the use cases for Mozilla’s add-on domain blocklist, I also don’t see any reason to assume malicious intent. Malicious add-ons are a very real and serious threat and it’s obvious that Mozilla need a way to quickly and remotely protect users. Doing so on a domain level is much less impactful than completely shutting down an add-on.
Since it is obvious to the user if this is triggered, and the user has the option of disabling it per add-on or completely, what’s the real problem?
(That said I think it’s great that people are being skeptical even of Mozilla)
Edit: Sorry I misunderstood how this is displayed, it is not as obvious as I thought. Hopefully this will be improved. Though doing so might come with the drawback of making unwitting users more likely to disable the protection.
The current use cases are for Brazilian banking sites. Although free (libre) software users don’t like to have their browsing remotely monitored in real time, the technology itself can be helpful if used right.
The context is, even though Firefox is getting more and more annoying with telemetry, phoning home, etc. (imho the last good version was v52 ESR), it is still much better than Google. So use Firefox, if you don’t like other options.
Mozilla is financially supported by Google, and perhaps they can’t continue their projects without Google, so it’s kind of inevitable that sometimes they have to support that giant. Nevertheless, they still try not to be evil, explicitly against WEI.
Please do support Firefox and/or its forks (LibreWolf, Tor Browser, …). Stop cooperating with Google. They can do evil things because of their monopoly power. We can make Google less powerful, if we refuse to use their products, if we escape from their privacy-invading services.
That’s interesting. The first site on the list is the self-service login page for Banco do Brasil. Doing a little bit of digging suggests that attacking the user’s local environment to steal money via self-service is a widespread problem in Brazil. That would explain the need to block all add-ons that are not known safe for a page like this so they can’t swap that login QR-code. Here’s an (old) article detailing some of these types of attacks https://securelist.com/attacks-against-boletos/66591/
I wish Mozilla would be more transparent about this, but I speculate that they might be provided these domains under NDA from the Brazilian CERT or police.
TBH I think malicious add-ons are the new frontier of cybercrime. Most classic attack methods are well mitigated these days, but browser add-ons are unaffected by pretty much all protections and all the sensitive business happens in the browser anyway.
What more specifically are you talking about here? The functionality we are talking about can not be used for remote monitoring. Are you saying Mozilla added this feature under duress from Google?
Thanks for taking time to dig deeper and share the results. It’s ironic if big search engines are practically assisting those scams.
The main thing behind my previous comment is the SREN bill and Mozilla’s blog post about it.
I hope I am wrong, but I feel that Mozilla, while being against browser-side censorship, is strongly supporting Google-side restrictions. The situation becomes clearer if you actually read SREN, Art. 6, which is based on the premise that browser providers can and will monitor each user’s activity (my post about this on Lemmy). Conceptually similar to WEI.
The technology that restricts what a user can do can be useful, if unquestionably bad things are blocked. The fundamental problem is, in order for this to work, someone has to decide what is “bad” for you, and has to monitor your activities directly or indirectly so that you may not visit “bad” websites. Protecting users from malware may be important, but I don’t want forceful “protection” by for-profit big tech companies, especially when their OSes/services are not really privacy-respecting, if not themselves spyware. While “protection” might not involve real-time monitoring or anything privacy-invasive, the current situation feels preposterous. We should be free to customize programs, free to block what we don’t need; it’s not like they have freedom to block us from accessing info, to force us to use/view what they want us to.
Brave will not support WEI