Conversation
Sexy Moon (moon@shitposter.club)'s status on Wednesday, 18-Oct-2023 18:59:54 JST:
@lcamtuf For a really long time this was true of _all_ browser extensions, until Chrome Manifest V2 in 2012 (similar functionality in 2016 in Firefox). Prior to this it was possible for even a page to exploit flaws in extension JavaScript, and for a malicious extension to steal all your data. Manifest V2 and WebExtensions locked down extension security.
Following Manifest V2 and WebExtensions API, it wasn't really possible to do this, so from a practical perspective you could have started adblocking in August 2016 in Firefox or Chrome. The only other relevant thing I can think of is that in 2019(!) Google and Mozilla finally required extension authors to have two-factor to publish extensions.
So yeah it is still a security tradeoff but it's not so bad for a while now.
lcamtuf :verified: :verified: :verified: (lcamtuf@infosec.exchange)'s status on Wednesday, 18-Oct-2023 18:59:55 JST:
You know, I *really* dislike ad blockers from the security perspective. They need exceptionally broad permissions that make the extension a juicy target for attacks. Pop one of the maintainers' Google or GitHub accounts and own hundreds of millions of people overnight - their email, bank accounts, social media identities, and all that.
The consequences of simple coding errors are similarly disastrous - and I bet that there are some good UXSS bugs lurking in all that JavaScript.
For these reasons, I resisted ad blockers for 20+ years, and I endured countless cookie prompts, subscription interstitials, "sponsored results", and unskippable ads. But around 2020, the anti-user patterns on the web have gotten unbearable. And I say this as a person who grew up in the era of auto-playing Flash-based pop-under ads.
I'm not a security absolutist. It's all about trade-offs: the convenience of using a modern web browser, for example, generally outweighs the risks of living with its massive attack surface. But in the case of ad blockers, you gotta take a hit just to continue to browse in peace. It blows.