Google is pushing back on claims that an upcoming change to Chrome will cripple ad-blocking extensions in the browser.

“No, Chrome isn’t killing ad blockers — we’re making them safer,” according to Chrome engineer Devlin Cronin.

On Wednesday, Google published a pair of blog posts defending the company’s decision to limit access to a key Chrome feature called the webRequest API, which many ad blockers rely on to filter out content in the browser. But according to Cronin, the API is simply too powerful; it can effectively allow a Chrome extension to intercept and modify sensitive data flowing through the browser, including emails, photos and other confidential information.

“While this API is used by good actors to implement powerful features like content blockers, it can also be —and has been— abused,” wrote Chrome extensions advocate Simeon Vincent in a separate blog post.

One such case involved hackers infiltrating a popular Chrome extension for Mega.nz, a cloud storage service. The mysterious attackers were able to upload a malicious version of the extension designed to secretly lift passwords from login pages at Amazon, Google and Microsoft.

“Because all of the request data is exposed to the extension, it makes it very easy for a malicious developer to abuse that access to a user’s credentials, accounts, or personal information,” Vincent added. “Since January 2018, 42 percent of malicious extensions use the Web Request API.”

Attempts to upload hacker-rigged Chrome extensions continue to this day. According to Google, the company blocks about 1,800 such uploads to the Chrome Store each month.

As a result, the company is limiting the API in favor of what it claims is a better alternative: the “Declarative Net Request API.” According to Google, it still lets a third-party extension filter out content, but without needing access to all the sensitive user data flowing through the browser.

“Instead of Chrome sending all the information about a request to the listening extensions at the time of the request, extensions register rules that tell Chrome what to do if certain types of requests are seen,” Vincent said.


The new API promises to make Chrome run faster as well by exposing less data to third-party extensions. “Because we are able to cut substantial overhead in the browser, the Declarative Net Request API can have significant, system-level performance benefits over Web Request,” Cronin said.

But not everyone is buying the claims from Google, a company that profits from online ads. For months now, the makers behind several ad blockers and other third-party extensions have been speaking out against the API change. According to them, the webRequest feature is crucial to making their extensions work.

The Net Request API, on the other hand, has a key limitation: originally, Google capped the number of rules a Chrome extension could register at 30,000, when some ad blockers would need far more. uBlock Origin, for instance, relies on over 100,000 network filters.

“The limitations of the new API may effectively prevent content blockers from using several filter lists at once,” extension provider Adguard told PCMag last month.

Nevertheless, third-party developers may have no choice but to accept the change. Chrome is currently the most popular browser in the world. “Ad blocking is not going away. Blocking quality will become worse, but even in the worst case scenario, we will eventually be able to catch up and restore most of the functionality,” Adguard said.

Others have been more optimistic. “The ecosystem of ad blockers is very adaptive and there are many different trade-offs that come with these changes,” said Jeremy Tillman, head of product at privacy ad blocking provider Ghostery.

“The amount of lead time we’re receiving to make these modifications gives us the opportunity to develop more clever, innovative tools that will continue to better protect our users’ privacy from unwanted third-party trackers in a faster, safer and cleaner way,” he added.

That said, browser makers including Brave and Opera, which rely on Google’s Chromium engine, may skip the upcoming API change, according to a report from ZDNet. Some users angered by Google’s plan have also vowed to drop Chrome for competing products.

To address the concerns, Google plans on revising the Net Request API to support a maximum of 150,000 rules. Developers can also now register and remove dynamic rules from their extension as it runs. The company plans on releasing a developer preview of the Chrome changes in the coming months.
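The declarative model and the rule cap described above can be sketched as follows. This is an added example, not code from Google or from any extension named in the article; the rule shape follows Chrome's published `chrome.declarativeNetRequest` documentation and may differ from the developer preview, and the filter lines, function names and the use of the article's 150,000 figure as a cap are assumptions.

```javascript
// Added illustration. With webRequest, a listener receives the details of
// every request. Here the extension only hands Chrome a list of rules and
// never sees request URLs, headers or bodies.
const RULE_CAP = 150000; // revised limit quoted in the article (assumed as cap)

// Convert simple "||host^" filter-list lines into declarative rules.
// Only this one filter syntax is handled; anything else is reported as skipped.
function buildRules(filterLines, cap = RULE_CAP) {
  const rules = [];
  const skipped = [];
  for (const raw of filterLines) {
    const line = raw.trim();
    if (line === "" || line.startsWith("!")) continue; // blank or comment
    const supported = /^\|\|[a-z0-9.-]+\^$/i.test(line);
    if (!supported || rules.length >= cap) {
      skipped.push(line); // unsupported syntax, or over the rule cap
      continue;
    }
    rules.push({
      id: rules.length + 1,
      priority: 1,
      action: { type: "block" },
      condition: {
        urlFilter: line,
        resourceTypes: ["script", "image", "xmlhttprequest", "sub_frame"],
      },
    });
  }
  return { rules, skipped };
}

// Replace the extension's dynamic rules at runtime. Returns false when not
// running inside an extension context (for example under Node).
async function registerRules(rules) {
  if (typeof chrome === "undefined" || !chrome.declarativeNetRequest) return false;
  const existing = await chrome.declarativeNetRequest.getDynamicRules();
  await chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: existing.map((r) => r.id),
    addRules: rules,
  });
  return true;
}

// Constructed sample filter list.
const SAMPLE_FILTERS = [
  "! constructed sample list",
  "||ads.example.com^",
  "||tracker.example.net^",
  "/banner/*$image",
];
```

The `skipped` list is what a filter-list maintainer would review: it shows which filters were lost to unsupported syntax or to the cap, which is the blocking-quality concern the extension developers raise.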




