looks like rendering adblockers extensions obsolete with manifest-v3 was not enough so now they try to implement DRM into the browser giving the ability to any website to refuse traffic to you if you don’t run a complaint browser ( cough…firefox )
here is an article in hacker news since i’m sure they can explain this to you better than i.
They want to go back to the days of websites requiring internet explorer… just this time with their browser. Even though getting away from that culture is most of the reason people ever switched to chrome.
I will say though, just using firefox for everything you can isn’t enough of a protest. If this goes the way Google (Alphabet I guess) wants it to, you bank will require you to use a browser with DRM. You will be forced to use a browser whose source code you can’t verify as secure, to access your bank. And that is where the protest lines need to be drawn. If your bank does that? Send your message. Close the account. Take back your money.
Now I’d personally do this for everything possible, but that would be a looooot of time spent getting very little across to companies that don’t care if you visit their site. Taking money from banks though? Yeah it might be a whole process where you gotta request it, verify in person, wait a week to get the cash, and THEN close it, but so what? A couple hours of doing stuff and then a week of business as usual before a couple more hours opening a new bank account. That’s more than worth doing to send a REAL message.
Why do banks require "safety"net on their apps now? The safest roms specifically don’t have the security nightmare that is google play services, and banking apps are always the hardest to get working.
It is a symbiotic relationship. Regulators hear about the next wave of compromised online banking, add some law requiring whatever, banks are stuck having to comply and in comes google with “Hey this great webDRM/safetynet/playprotect totally complies with this”, which it doesn’t really but google has the capabilities to lock up any legal processes about it for years when they bring in the next thing and repeat. Banks in large part know it’s bullshit but don’t care, they’re off the hook (They are the ones doing 2 factor by making the banking app on your phone require a confirmation in your tan app on your phone to make a transaction, they don’t give a rats ass about the safety of their systems).
Banks get someone shielding them from regulations for cheap, google gets partners that can help them lock you in their proprietary system, and you get extra work on your rooted phone and can’t fully remove play services.
I’m using a SailfishOS (Linux) phone and on SFOS forums it’s one of the biggest complaints, they can’t use their bank through the Android compatibility layer because it doesn’t pass SafetyNet. I’m lucky enough that my bank doesn’t do this, but I had to fiddle with low level stuff for Revolut to work - they require you install the app from Play Store or the app doesn’t work.
I could go into the conspiratorial 4D chess I’m sure google is playing, but let me ask this instead: Does you bank not have any captchas, anywhere in the flow of accessing/using their website? Cause if they do, I hope you know google is absolutely going to advertise DRM requirements as the best tech for fighting bot traffic. Even if Google wasn’t doing anything like offering cheap training to their standards to influence the future of the cybersecurity space, that would be PLENTY to get a looooot of big corporations, including banks, to use it.
Huh, neat. Regardless, I think google will find a way to sell it or they wouldn’t be invested in it so much, but point taken. I just saw a lot of people commenting on other places about how this is hopeless and there’s no way to protest and wanted to give a solid example of how it could be done effectively.
Criminals will crack the DRM in short order—they always do—so that idea won’t last long.
And no, the DRM can’t be updated to fix the vulnerability if it’s implemented in firmware. Not without shutting out absolutely everyone whose computer/phone is more than 3 years old, and there’s not a snowball’s chance in hell that banks will do that when half of their customers are old farts with decade-old computers and an “if it ain’t broke, don’t fix it” attitude.
I was just expecting it to be something built into chrome, similar to how drivers need to be signed to run in windows, they’d force you to use browsers Signed By Google to be verifiably compliant with the DRM. It seems like the easiest option for them and the most well understood since it’s been used for drivers for so long
If they implement it in pure software, then it’s easy to crack.
They’re not going to wrap Chrome in Denuvo because that would ruin its performance. The last thing they want is for Firefox to be not only faster but dramatically faster. Performance is a big part of how Internet Explorer lost its market share. And even if they do wrap it in Denuvo, Empress will no doubt show them the error of their ways.
So yes, I expect they will use firmware/hardware, presumably TPM or Microsoft Pluton, to implement this.
Using two different browsers should be the norm imo. One for comfort, performance and compatibility, like Chrome, Edge or Opera, and the other one for privacy, like Firefox, UGC, Tor, DDG, etc.
First they established a new standard for extensions that makes it harder for adblockers to work in chrome, that’s manifest v3.
And now they want establish cryptographic verification of the environment so that you can’t have a custom environment in your browser, like having adblockers. Similar to how DRM works.
DRM is the thing in games, movies etc. that ensures only legitimate users can use the content. Now Google wants to do the same for webpages. It means that only approved browsers will have access and no extensions can interract with the page. So you won’t be able to view some pages from unapproved browsers, forcing you to switch to Chrome if you really want to see it. And no adblocker can interract with the page and block the ads there.
Not really a piracy question but I was doing some research and I kept getting the statement “firefox and other gecko based browsers are not as secure as chromium based ones on mobile” is that still the case? I know the lack of per site process isolation was something that everyone was using as evidence and whatnot a couple of years ago but I couldnt find any other info thats more modern
It was always more of a marketing statement than a security one. And then it was copied over and over because most sites don’t write original articles, they just remix other articles. Firefox is as safe as any software - there will be bugs and security issues but so will in Chrome and I wouldn’t say the rate of new bugs and security issues will be much different between the two projects.
–>since everyone is confused about this i’m gonna try to explain as best as i could and also clearing some misconceptions:
1# why this is such a big deal ?
if this gets implemented AND it gets widely adopted websites now can refuse to give you content if you are running a non complied browser, remember those website that say “oh you are using an ad blocker so disable it to access our site”
they can detect this by various methods but ultimately all of them rely on running a JavaScript into your browser. which you guessed it, its easy to modify and tamper with manually or using extensions
now what WEI-API does is that it can verify the integrity of the web page ( JavaScript/HTML/CSS has not been modified ) and even tell the website what extensions - ad blocker detected no content for you - you are using and what browser you are using - firefox or brave detected no content for you - and do not be fooled into thinking that this can be spoofed.
and website owners who think that they are running a business not a charity will implement this.
2#will using firefox save me?
if this gets widely adopted and you inevitably encounter a website that require this ( for your job ,school or your bank ) you have no choice but to use chrome just like when your banking apps refuse to work because your phone is rooted which means that SAFETY-NET is broken
3#why this is a threat to begin with?
this is only viable if the web adopt it so why bother?, well guess what google is famous for making its services very easy to integrate and well documented just look on how easy it is to integrate google analytics and google adsense* into websites and how many of them use it in the internet.
4#what can we do to prevent this?
this is my personal opinion but i think we simply can’t, this not like the reddit incident were very large portion of the user base was upset most people don’t know/care/give-a-fuck about web technologies and how they work.
#and Finally
“but google said they don’t plan to use this to fingerprint you (Device ID) or track your browser history or interfere with the work of extensions”
do you really believe that a company like google whose bread and butter is advertising would not make it easier for themselves, a company who has been exposed time and time again for lying and having ulterior motives ( you don’t need to look far just look into what manifest-v3 did )
remember those website that say “oh you are using an ad blocker so disable it to access our site”
I can easily imagine this not being a necessary, anymore. Just let the website using this WEI API automatically disable all browser extensions on a WEI-enabled site. Why not, after all? Why should you dictate the traffic you receive on your computer? Why should you own anything?
uBlock Origin is already less effective when running in Chrome than in Firefox. For example, it can’t detect CNAME cloaking on Chrome, while it can do that in Firefox. When Chrome finally enforce manifest V3, uBlock Origin will be even more neutered in chrome due to limited number of blocking rules.
Because that version of ublock is already less effective. The long play is ending ad blockers and this is another step to achieve those ends. If you can’t see that then I’m sorry but it can’t be much more obvious than it already is.
Hmm I think I need to read more about Manifest v3 as it appears my knowledge of the topic is pretty limited to literally just “v3 will kill ad blockers”, basing my understanding on a couple of comments and 2 news report videos is a bad thing to do, don’t you agree
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !piracy@lemmy.dbzer0.com
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
Dude if they make youtube accessible only through Chrome we gonna have some problems.
Better archive videos now. Save your favourites and some more.
Oh man you’re not wrong. hiyaah
I’d have to stop using it. I’d even go to another service like Nebula, at that point, and pay for it.
But I am not going to start running Chrome on my home computer as a daily driver.
If they go after NewPipe and SmartTube I’m going to shill hard the alternatives.
There are alternatives for YouTube? PeerTube is great tech and all, but content is really rare there.
Yeah is the only good alternative.
Ever since I switched to Firefox, I have not looked back and I am glad I did it.
I’m the exact same. Firefox has been great. Switched about three years ago.
They want to go back to the days of websites requiring internet explorer… just this time with their browser. Even though getting away from that culture is most of the reason people ever switched to chrome. I will say though, just using firefox for everything you can isn’t enough of a protest. If this goes the way Google (Alphabet I guess) wants it to, you bank will require you to use a browser with DRM. You will be forced to use a browser whose source code you can’t verify as secure, to access your bank. And that is where the protest lines need to be drawn. If your bank does that? Send your message. Close the account. Take back your money. Now I’d personally do this for everything possible, but that would be a looooot of time spent getting very little across to companies that don’t care if you visit their site. Taking money from banks though? Yeah it might be a whole process where you gotta request it, verify in person, wait a week to get the cash, and THEN close it, but so what? A couple hours of doing stuff and then a week of business as usual before a couple more hours opening a new bank account. That’s more than worth doing to send a REAL message.
Why would my bank care which browser I use? Their business model isn’t based on showing me ads.
Why do banks require "safety"net on their apps now? The safest roms specifically don’t have the security nightmare that is google play services, and banking apps are always the hardest to get working.
It is a symbiotic relationship. Regulators hear about the next wave of compromised online banking, add some law requiring whatever, banks are stuck having to comply and in comes google with “Hey this great webDRM/safetynet/playprotect totally complies with this”, which it doesn’t really but google has the capabilities to lock up any legal processes about it for years when they bring in the next thing and repeat. Banks in large part know it’s bullshit but don’t care, they’re off the hook (They are the ones doing 2 factor by making the banking app on your phone require a confirmation in your tan app on your phone to make a transaction, they don’t give a rats ass about the safety of their systems).
Banks get someone shielding them from regulations for cheap, google gets partners that can help them lock you in their proprietary system, and you get extra work on your rooted phone and can’t fully remove play services.
I notice the big American banks’ apps don’t care, as long as a compatible implementation of Google Play Services is available. Nor does my American bank seem to care that I do my desktop banking in Firefox on Linux. Is this an issue only in specific countries?
I’m afraid I don’t know what you’re talking about here. I don’t have to give any kind of confirmation to make a transaction. What’s a “tan app”?
I’m using a SailfishOS (Linux) phone and on SFOS forums it’s one of the biggest complaints, they can’t use their bank through the Android compatibility layer because it doesn’t pass SafetyNet. I’m lucky enough that my bank doesn’t do this, but I had to fiddle with low level stuff for Revolut to work - they require you install the app from Play Store or the app doesn’t work.
Can you take your business elsewhere, to a company that doesn’t require you to compromise your security and privacy?
I could go into the conspiratorial 4D chess I’m sure google is playing, but let me ask this instead: Does you bank not have any captchas, anywhere in the flow of accessing/using their website? Cause if they do, I hope you know google is absolutely going to advertise DRM requirements as the best tech for fighting bot traffic. Even if Google wasn’t doing anything like offering cheap training to their standards to influence the future of the cybersecurity space, that would be PLENTY to get a looooot of big corporations, including banks, to use it.
No captcha’s for any of my banking services. I don’t know how effective captcha’s are anyways. I suspect slow cooldowns are probably more secure.
Huh, neat. Regardless, I think google will find a way to sell it or they wouldn’t be invested in it so much, but point taken. I just saw a lot of people commenting on other places about how this is hopeless and there’s no way to protest and wanted to give a solid example of how it could be done effectively.
Criminals will crack the DRM in short order—they always do—so that idea won’t last long.
And no, the DRM can’t be updated to fix the vulnerability if it’s implemented in firmware. Not without shutting out absolutely everyone whose computer/phone is more than 3 years old, and there’s not a snowball’s chance in hell that banks will do that when half of their customers are old farts with decade-old computers and an “if it ain’t broke, don’t fix it” attitude.
Wait were they seriously looking to implement it at a FIRMWARE level? jesus that’s just stupid.
If they implement it in hardware, then fixing vulnerabilities is completely impossible instead of only mostly impossible.
I was just expecting it to be something built into chrome, similar to how drivers need to be signed to run in windows, they’d force you to use browsers Signed By Google to be verifiably compliant with the DRM. It seems like the easiest option for them and the most well understood since it’s been used for drivers for so long
If they implement it in pure software, then it’s easy to crack.
They’re not going to wrap Chrome in Denuvo because that would ruin its performance. The last thing they want is for Firefox to be not only faster but dramatically faster. Performance is a big part of how Internet Explorer lost its market share. And even if they do wrap it in Denuvo, Empress will no doubt show them the error of their ways.
So yes, I expect they will use firmware/hardware, presumably TPM or Microsoft Pluton, to implement this.
Using two different browsers should be the norm imo. One for comfort, performance and compatibility, like Chrome, Edge or Opera, and the other one for privacy, like Firefox, UGC, Tor, DDG, etc.
Can someone please ELI5 this?
First they established a new standard for extensions that makes it harder for adblockers to work in chrome, that’s manifest v3.
And now they want establish cryptographic verification of the environment so that you can’t have a custom environment in your browser, like having adblockers. Similar to how DRM works.
As long as average Joe uses chrome, we’re doomed.
Also thanks for your comment, now I fully get the meme
Is it possible to circumvent by running two environments and reporting only one?
It’s still a proposal. Nothing concrete yet. But from the looks of it, you can’t play such games since it’s cryptographically verified.
Why can’t we have nice things? I switch to Lemmy, about a month after that, Meta joins the fediverse.
I switch to Firefox ( thanks to the hype in this community, because I am average Joe after all) and yeah, it feels nicer. But wait- now these news…
Sorry everyone it’s my fault. I switched to Firefox and Lemmy recently so Google and Facebook felt pressured to bring me back.
We forgive you. Don’t give in
All fine. We’ll tell them you’re not here.
DRM is the thing in games, movies etc. that ensures only legitimate users can use the content. Now Google wants to do the same for webpages. It means that only approved browsers will have access and no extensions can interract with the page. So you won’t be able to view some pages from unapproved browsers, forcing you to switch to Chrome if you really want to see it. And no adblocker can interract with the page and block the ads there.
Feels like a great way of close sourcing chromium without actually doing it.
That’s screwed up. Thanks for explaining
Not really a piracy question but I was doing some research and I kept getting the statement “firefox and other gecko based browsers are not as secure as chromium based ones on mobile” is that still the case? I know the lack of per site process isolation was something that everyone was using as evidence and whatnot a couple of years ago but I couldnt find any other info thats more modern
It was always more of a marketing statement than a security one. And then it was copied over and over because most sites don’t write original articles, they just remix other articles. Firefox is as safe as any software - there will be bugs and security issues but so will in Chrome and I wouldn’t say the rate of new bugs and security issues will be much different between the two projects.
–>since everyone is confused about this i’m gonna try to explain as best as i could and also clearing some misconceptions:
1# why this is such a big deal ?
if this gets implemented AND it gets widely adopted websites now can refuse to give you content if you are running a non complied browser, remember those website that say “oh you are using an ad blocker so disable it to access our site” they can detect this by various methods but ultimately all of them rely on running a JavaScript into your browser. which you guessed it, its easy to modify and tamper with manually or using extensions
now what WEI-API does is that it can verify the integrity of the web page ( JavaScript/HTML/CSS has not been modified ) and even tell the website what extensions - ad blocker detected no content for you - you are using and what browser you are using - firefox or brave detected no content for you - and do not be fooled into thinking that this can be spoofed. and website owners who think that they are running a business not a charity will implement this.
2#will using firefox save me?
if this gets widely adopted and you inevitably encounter a website that require this ( for your job ,school or your bank ) you have no choice but to use chrome just like when your banking apps refuse to work because your phone is rooted which means that SAFETY-NET is broken
3#why this is a threat to begin with?
this is only viable if the web adopt it so why bother?, well guess what google is famous for making its services very easy to integrate and well documented just look on how easy it is to integrate google analytics and google adsense* into websites and how many of them use it in the internet.
4#what can we do to prevent this?
this is my personal opinion but i think we simply can’t, this not like the reddit incident were very large portion of the user base was upset most people don’t know/care/give-a-fuck about web technologies and how they work.
#and Finally “but google said they don’t plan to use this to fingerprint you (Device ID) or track your browser history or interfere with the work of extensions”
do you really believe that a company like google whose bread and butter is advertising would not make it easier for themselves, a company who has been exposed time and time again for lying and having ulterior motives ( you don’t need to look far just look into what manifest-v3 did )
I can easily imagine this not being a necessary, anymore. Just let the website using this WEI API automatically disable all browser extensions on a WEI-enabled site. Why not, after all? Why should you dictate the traffic you receive on your computer? Why should you own anything?
This is scary
www.getfirefox.com
Unfortunately they will also have to adapt to this. Or some popular websites will stop working and most common users won’t care and leave firefox.
Giving into this billionaire blackmail won’t help. We have to come together and crush google.
That’s why I’m not using chromium based browser.
Vivaldi is pretty great about scraping all this crap out of their chromium based browser.
I predict this standard will die the way of Flash and Silverlight. If it makes the web more fragile and less accessible it will fail.
Will this fly with GDPR?
This code will only ever be installed on my machines by force against my will.
No benefit to any users at all, all benefit only to Google and their Advertisers.
There is already a manifest v3 compatible version of ublock origin so can someone explain to me how it gonna end ad blockers?
uBlock Origin is already less effective when running in Chrome than in Firefox. For example, it can’t detect CNAME cloaking on Chrome, while it can do that in Firefox. When Chrome finally enforce manifest V3, uBlock Origin will be even more neutered in chrome due to limited number of blocking rules.
That’s a pretty interesting thing to know! Thanks
Because that version of ublock is already less effective. The long play is ending ad blockers and this is another step to achieve those ends. If you can’t see that then I’m sorry but it can’t be much more obvious than it already is.
Hmm I think I need to read more about Manifest v3 as it appears my knowledge of the topic is pretty limited to literally just “v3 will kill ad blockers”, basing my understanding on a couple of comments and 2 news report videos is a bad thing to do, don’t you agree
That version can do much, much less.
Edit: see my other comment here: https://beehaw.org/comment/727017
Thanks will look into it
Also it’s not kinda drm, it is drm. Like fr
yeah i used “kinda” to avoid the infamous :
well AcutUaLly…
Then you got “well actually’d” for it.
The internet is an unforgiving place.