Skip Navigation
Google is Killing uBlock Origin. No Chromium Browser is Safe.
  • You mean like https://acceptableads.com/ which is only supported so far by Adblock Plus (and its parent company)?

    The problem is until there is some kind of penalty for being too annoying or too resource consuming, it will always be a race to the bottom with more, worse ads. As people add ad blockers to their browsers, the user pool that isn't running them begins to dry up and more ads are needed to keep the same revenue. This results in even more people blocking them.

    Two of the things I had hope for on the privacy side was Mozilla's Privacy-Preserving Attribution for ad attribution and Google's Privacy Sandbox collection of features for targeting like the Topics API. Both would have been better for privacy than the current system of granular, individual user tracking across sites.

    If those two get wide enough adoption, regulation could be put in place to limit the old methods as there would be a better replacement available without killing the whole current ad supported economy of most sites. I get that strictly speaking from a privacy perspective 'more anonymous/private tracking' < 'no tracking' but I really don't want perfect to be the enemy of better.

  • The War on Passwords Is One Step Closer to Being Over
  • While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.

    Like KeePassXC:

    https://keepassxc.org/blog/2024-03-10-2.7.7-released/

    As for attestation to how the key is stored securely (like in a hardware key), Apple's implementation doesn't support it for iCloud ones, so any site that tries to require it wouldn't work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that's the only thing that's used).

  • Passwords have problems, but passkeys have more
  • I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it's stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.

  • Google Chrome’s uBlock Origin phaseout has begun
  • Only for ones that are explicitly a replacement for them.

    gorhill's reasoning from the FAQ:

    Will uBO automatically transition to uBO Lite in the Chrome Web Store?

    No.

    You will have to find an alternative to uBO before Google Chrome disables it for good.

    I consider uBO Lite to be too different from uBO to be an automatic replacement. You will have to explicitly find a replacement to uBO according to what you expect from a content blocker. uBO Lite may or may not fulfill your expectations.

  • Google Chrome’s uBlock Origin phaseout has begun
  • A Chromium thing. Some Chromium-based browsers are going to keep some kind of internal ad blocker that has more functionality than MV3 allows for but I don't know of any that are keeping the older functionality for extensions in general.

  • Passwords have problems, but passkeys have more
  • Your vault is encrypted on your device before it's sent to Bitwarden's servers, so even they don't have access to your passwords and passkeys.

    More info on how it is encrypted is here:

    https://bitwarden.com/help/what-encryption-is-used/

    Pretty much every password manager works like this. Having access to your data would be a liability for them.

  • Passwords have problems, but passkeys have more
  • Does it work like that? Everything I see says they’re tied to that device.

    It depends on what kind you want to use. If you want the most security, you can store them on something like a Yubikey, with it only being on that device and not exportable. If you get a new device, you'll need to add that new device to your accounts. For less security but more convenience, you can have them stored in a password manager that can be synced to some service (self-hosted or in the cloud) or has a database file that can be copied.

    Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.

    That's fair. It can be a bit of a mess with different browser, OS, and password manager support and their interactions but it has continued to get better as there is more adoption and development.

  • Passwords have problems, but passkeys have more
  • If it makes you feel better, most PINs on modern devices are hardware backed in some way (TPM, secure enclave, etc) and do things like rate limiting. They'll lock out using a PIN if it's entered incorrectly too many times.

  • Passwords have problems, but passkeys have more
  • you can’t just share passkey between your devices like you can with a password

    You would just sign into your password manager or browser on both devices and have access to them?

    Additionally, whatever app or service you're storing them in can provide sharing features, like how Apple allows you to share them with groups or via AirDrop.

    there’s very little to no documentation about what you do if you lose access to the passkeys too.

    If you lose your password, there are recovery options available on almost all accounts. Nothing about passkeys means the normal account recovery processes no longer apply.

  • Bitwarden, Dashlane, 1Password and others have joined together to make passkeys portable
  • When most sites refer to passkeys, they're typically talking about the software-backed kind that are stored in password managers or browsers. There are still device-bound passkeys though. Also since they're just FIDO/WebAuthn credentials under the hood, you can still use hardware-backed systems to store them if you really want.

    While you're right that device bound and non-exportable would be best from a security standpoint, there needs to be sufficient adoption of the tech by sites for it to be usable at all and sufficient adoption requires users to have options that have less friction/cost associated with them, like browser and password-manager based ones.

    Looking at it through the lens of replacing passwords instead of building the absolutely highest-security system helps explain why they're not limited to device-bound anymore.

  • Passwords have problems, but passkeys have more
  • The passkey stored locally in some kind of hardware backed store on your device or in your password manager is the first factor: something you have.

    The PIN/password or fingerprint/face to unlock the device and access the stored passkey is the second factor: something you know or something you are, respectively.

    Two factors gets you to 2FA.

  • Passwords have problems, but passkeys have more
  • And the fewer times that people are entering their password or email/SMS-based 2FA codes because they're using passkeys, the less of an opportunity there is to be phished, even if the older authentication methods are still usable on the account.

  • Anonymous texts threaten college students with prison time if they vote: report
  • There was the one case with the scammers in the UK using a homemade cell tower to essentially send out phishing texts directly to cell phones in an area, completely bypassing the phone company. It seems like this scare texts scenario would fit that kind of tech even better, as you only need to send out a message once to a large amount of people and you don't need to collect information in response like in a phishing scenario.

  • www.techdirt.com Congress Wants To Let Private Companies Own The Law

    It sounds absolutely batty that there is a strong, bipartisan push to lock up aspects of our law behind copyright. But it’s happening. Even worse, the push is on to include this effort to lock up t…

    Congress Wants To Let Private Companies Own The Law

    The Pro Codes Act has been submitted as an amendment to the "must pass" National Defense Authorization Act (NDAA). It allows copyrighted standards to be incorporated by reference into the law, preventing people from accessing or sharing these standards except through the systems the standards development organizations have that "makes all portions of the standard so incorporated publicly accessible online at no monetary cost and in a format that includes a searchable table of contents and index, or equivalent aids to facilitate the location of specific content. " Note that that does not include searchable text, the ability to access it without a login, or any ability to host it elsewhere (such as alongside the laws that incorporate it).

    The NDAA bill:

    https://rules.house.gov/bill/118/hr-8070

    The amendment:

    https://amendments-rules.house.gov/amendments/ISSA_180_xml240531155108634.pdf

    2
    arstechnica.com Microsoft is reworking Recall after researchers point out its security problems

    Windows Hello authentication, additional encryption being added to protect data.

    Microsoft is reworking Recall after researchers point out its security problems

    > the company says that Recall will be opt-in by default, so users will need to decide to turn it on

    73
    www.bbc.com Google must face £13bn advertising lawsuit - UK court

    The search giant's parent Alphabet called the case 'incoherent' in arguments to get the case dropped.

    Google must face £13bn advertising lawsuit - UK court

    From the article: > Google must face a £13.6bn lawsuit alleging it has too much power over the online advertising market, a court has ruled. > > The case, brought by a group called Ad Tech Collective Action LLP, alleges the search giant behaved in an anti-competitive way which caused online publishers in the UK to lose money.

    And the actual case at the UK's Competition Appeal Tribunal:

    https://www.catribunal.org.uk/cases/15727722-15827723-ad-tech-collective-action-llp

    > The claims by Ad Tech Collective Action LLP are for loss and damage allegedly caused by the Proposed Defendants’ breach of statutory duty by their infringement of section 18 of the Competition Act 1998 and Article 102 of the Treaty on the Functioning of the European Union. The PCR seeks to recover damages to compensate UK-domiciled publishers and publisher partners, for alleged harm in the form of lower revenues caused by the Proposed Defendants' conduct in the ad tech sector.

    0
    Chrome Root Store policy update looking to require an automated option for obtaining certificates
    blog.chromium.org Unlocking the power of TLS certificate automation for a safer and more reliable Internet

    TL;DR: Automated certificate issuance and management strengthens the underlying security assurances provided by Transport Layer Security (TL...

    Unlocking the power of TLS certificate automation for a safer and more reliable Internet

    > Upcoming Policy Changes > > One of the major focal points of Version 1.5 requires that applicants seeking inclusion in the Chrome Root Store must support automated certificate issuance and management. [...] It’s important to note that these new requirements do not prohibit Chrome Root Store applicants from supporting “non-automated” methods of certificate issuance and renewal, nor require website operators to only rely on the automated solution(s) for certificate issuance and renewal. The intent behind this policy update is to make automated certificate issuance an option for a CA owner’s customers.

    5
    blog.chromium.org Unlocking the power of TLS certificate automation for a safer and more reliable Internet

    TL;DR: Automated certificate issuance and management strengthens the underlying security assurances provided by Transport Layer Security (TL...

    Unlocking the power of TLS certificate automation for a safer and more reliable Internet

    Google is looking to change the policy of the Chrome Root Store (used by Chrome to verify TLS certificates that protect websites and other services) to require "that applicants seeking inclusion in the Chrome Root Store must support automated certificate issuance and management". They can still provide a manual method for sites that want to get certificates the old way but they will need to have some kind of automated method available.

    0
    Google is enabling Chrome real-time phishing protection for everyone

    > [...] > > To provide better security, Google introduced an Enhanced Safe Browsing feature in 2020 that offers real-time protection from malicious sites you are visiting. It does this by checking in real-time against Google's cloud database to see if a site is malicious and should be blocked. > > [...] > > Google announced today that it is rolling out the Enhanced Safe Browsing feature to all Chrome users over the coming weeks without any way to go back to the legacy version. > > The browser developer says it's doing this as the locally hosted Safe Browsing list is only updated every 30 to 60 minutes, but 60% of all phishing domains last only 10 minutes. This creates a significant time gap that leaves people are unprotected from new malicious URLs. > > [...]

    6
    Chromium Blog: Towards HTTPS by default
    blog.chromium.org Towards HTTPS by default

    For the past several years, more than 90% of Chrome users' navigations have been to HTTPS sites, across all major platforms. Thankfully, th...

    Towards HTTPS by default

    cross-posted from: https://lemmy.world/post/3301227

    > Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for "high-risk files" (example given is an exe). They're also planning on enabling it by default for Incognito Mode and "sites that Chrome knows you typically access over HTTPS".

    28
    Chromium Blog: Towards HTTPS by default
    blog.chromium.org Towards HTTPS by default

    For the past several years, more than 90% of Chrome users' navigations have been to HTTPS sites, across all major platforms. Thankfully, th...

    Towards HTTPS by default

    Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for "high-risk files" (example given is an exe). They're also planning on enabling it by default for Incognito Mode and "sites that Chrome knows you typically access over HTTPS".

    1
    blog.chromium.org Protecting Chrome Traffic with Hybrid Kyber KEM

    Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography. Continuing with our strategy f...

    Protecting Chrome Traffic with Hybrid Kyber KEM

    A hybrid quantum-resistant Key Encapsulation Method combined with a regular elliptic curve backup will be available in Chrome 116 for securing connections.

    3
    blog.chromium.org Protecting Chrome Traffic with Hybrid Kyber KEM

    Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography. Continuing with our strategy f...

    Protecting Chrome Traffic with Hybrid Kyber KEM

    Google Chrome will soon be supporting a hybrid elliptic curve + quantum-resistant Kyber-768 system for key exchange in Chrome 116. This should provide some protection in case the quantum-resistant part has flaws, like some other proposed solutions have had. They're looking into this now to give time for it to get implemented by browsers, servers, and middleboxes, and hopefully prevent Harvest Now, Decrypt Later attacks.

    0
    InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)SP
    Spotlight7573 @lemmy.world
    Posts 10
    Comments 227