To be fair, adblockers have an inordinate amount of access. We all trust uBlock’s creator but I’ve never met him. So it’s a realistic risk but we (hope) not a threat.
>To be fair, chromium has an inordinate amount of access. We all trust chromium’s developers but I’ve never met them. So it’s a realistic risk but we (hope) not a threat.
>To be fair, Windows has an inordinate amount of access. We all trust Microsoft developers but I’ve never met them. So it’s a realistic risk but we (hope) not a threat.
I can keep going to point out how flawed this line of reasoning is, especially the second one with forced push for Recall.
It’s weakly worse to trust your OS + Browser + third party, than just OS + Browser.
Moreover, small projects can be purchased more easily. See PIA. Users need to stay updated about ownership changes. It might be viable for us, but not for everyone.
The ones using declarative blocking (like everything compatible with Safari or newer Manifest V3 web extensions for Chrome and Firefox) don't need access to your browsing context.
They're not as powerful as the ones that are able to inject content into visited pages or programmatically inspect and block/alter HTTP requests, but personally I think it's a reasonable tradeoff for the reasons you mentioned.
Chrome/Google got a very bad rep for pushing this change, and I don't want to speculate about their actual motivations, but the security aspect of it seems sound to me.
With uBlock Lite (which uses MV3), it's also possible to additionally grant "full site access" on a site-by-site basis in case the rules-based blocking alone isn't enough; that seems ideal to me.
It really is not a reasonable tradeoff because it effectively freezes the tools the blockers have in the ongoing arms race while the advertisers are able to adopt new tricks. Which is also why advertising companies (which includes all major browser makers) would like to pass it off as a reasonable tradeoff.
That would be the express road to long-term unpatched vulnerabilities.
There's basically two ways to have safe web extensions: Carefully control their entire supply chain (which could easily cause big antitrust problems for Google as the vendor of the most popular browser), or minimize the things they have access to.
It is the better road, and the road chosen by most other things that aren't SaaS, including Google's other most popular thing, Android. Keep the default to auto-update, fine, but let me disable that, as the Android app store does. Attacks from previously trusted extensions (and apps) being updated and then doing malicious things (requesting new permissions to do them is not significant friction) are worse and more frequent than old unpatched extensions being vulnerable to something. (That "something" likely being in the realm of XSS or click-jacking from a malicious page, much harder to widely exploit.)
I'm sure it's happened, but I haven't heard of an extension suffering from a significant "unpatched vulnerability" and being exploited in the wild -- I have heard of things like this click-jacking issue in Privacy Badger: https://blog.lizzie.io/clickjacking-privacy-badger.html No wild exploits afaik, just the PoC, and the ultimate worst-case impact was just (reversibly) disabling the extension for the page or a site, which isn't very severe. Perhaps a more advanced extension like Ruffle that uses Rust and WASM has a more severe attack surface than the majority of extensions written in JavaScript, but even if it does, it must be exploited by a malicious page targeting it, vs. the alternative of auto-updating to a malicious version and doing whatever it can get away with immediately.
Extensions getting taken over or just transferred to new owners and updating to do something new and malicious is quite routine and multiple examples come readily to my mind. The first to come to mind is Stylish, several years ago: https://robertheaton.com/2018/07/02/stylish-browser-extensio... (I was not impacted because I didn't update the extension during its vulnerable window, which was months, and apparently over a year for Chrome.)
The safe way to handle these issues is to let users turn off auto-updating, and to have actual policies to mitigate the damages from malicious extensions. Firefox itself will disable extensions that become known to be defective in some way; this can be independent of whether the issue is an unpatched vulnerability, whether there's a patch/update to address it, whether the extension isn't just bugged but doing something malicious, whether it always was malicious from first install or just suddenly became malicious... See https://support.mozilla.org/en-US/kb/add-ons-cause-issues-ar...
You're talking about access you're afraid an extension might be exploited to expose versus ad networks and social media plugins that are known to expose.
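An added example, not part of the thread or any extension's own code: a Node.js sketch that reads a WebExtension manifest and reports the kinds of access the comments above distinguish (declarative-only blocking versus all-site access and request interception), then lists what an update would newly gain over the installed version. The manifests are constructed samples and the helper names are hypothetical.

```javascript
// Constructed sample manifests (illustrative only, not taken from real extensions).
const DECLARATIVE_ONLY = { manifest_version: 3, permissions: ['declarativeNetRequest'],
  optional_host_permissions: ['<all_urls>'] };            // all-site access only on request
const INTERCEPTING = { manifest_version: 2,
  permissions: ['webRequest', 'webRequestBlocking', '<all_urls>'] };
const UPDATE_V1 = { manifest_version: 2, permissions: ['storage'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['cs.js'] }] };
const UPDATE_V2 = { ...UPDATE_V1,
  permissions: ['storage', 'webRequest', 'webRequestBlocking', '<all_urls>'] };

// Match patterns that cover every site: <all_urls>, *://*/*, https://*/* and so on.
const BROAD = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;
const isHost = (p) => p === '<all_urls>' || p.includes('://');

// Hypothetical helper: collect host patterns from MV2 and MV3 manifest keys.
function hostPatterns(m) {
  return {
    granted: [...(m.permissions || []).filter(isHost),   // MV2 puts hosts here
      ...(m.host_permissions || []),                     // MV3 key
      ...(m.content_scripts || []).flatMap((cs) => cs.matches || [])],
    optional: [...(m.optional_permissions || []).filter(isHost),
      ...(m.optional_host_permissions || [])],
  };
}

// Hypothetical helper: summarise what the extension can see and do.
function accessProfile(m) {
  const api = new Set((m.permissions || []).filter((p) => !isHost(p)));
  const hosts = hostPatterns(m);
  return {
    readsAllSites: hosts.granted.some((h) => BROAD.test(h)),
    canAskForAllSites: hosts.optional.some((h) => BROAD.test(h)),
    programmaticBlocking: api.has('webRequest') && api.has('webRequestBlocking'),
    declarativeBlocking: api.has('declarativeNetRequest'),
    hosts: new Set(hosts.granted),
  };
}

// Hypothetical helper: what does the new version gain over the installed one?
function updateEscalations(oldM, newM) {
  const a = accessProfile(oldM), b = accessProfile(newM);
  const out = [];
  if (!a.readsAllSites && b.readsAllSites) out.push('gains access to all sites');
  if (!a.programmaticBlocking && b.programmaticBlocking) out.push('gains request interception');
  for (const h of b.hosts) if (!a.hosts.has(h) && !BROAD.test(h)) out.push(`new host: ${h}`);
  return out;
}

console.log(accessProfile(DECLARATIVE_ONLY), updateEscalations(UPDATE_V1, UPDATE_V2));
```

Run against the unpacked manifest of the installed version and of the pending update, a non-empty result from `updateEscalations` is the signal to review the update before accepting it.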
I'll take the potential bogeyman over the real one, thanks.
I am pretty sure most extensions (or at least ublock) can be set to stay off on specific websites? The extension can have an extra list of known safe sites that don't have ads where the extension stays off by default (should still be turn on-able because the list might be outdated).
In uBlock's case, when you first install it on Firefox you are prompted to give it permission to "Access data for all websites that you visit". Even if you disable adblocking on a specific website uBlock still has access to it and can see it.
If you go to your government’s office and they give you a list of names of known advertisers, then walk along your merry way and use the list to not engage those advertisers, the only trust you need is the source of the information on that list, not the list or your observance to it.
Your observance of it is open source in the case of ublock. The list should still be scrutinized, it’s a local system with an unverified source. That’s all.