Posts: 7 | Comments: 265 | Joined: 2 yr. ago

  • Regarding what a browser like Firefox can do, they aren't allowed to impose any stricter checks or requirements than what the EU's standards body permits and they must trust them, according to these rules. That means that the warning you suggested likely wouldn't be allowed.

    As for it not happening passively, you're right that it would need to be actively man in the middled. It would be fairly easy to detect but what could be done about it? The browser is required to trust it, additional checks can't be enforced, and the CA involved wouldn't be allowed to be distrusted without the relevant government's permission. It then becomes a game of who blinks first, the browser vendors potentially pulling out of a country or the EU entirely or a government that for some reason thinks it's in the right by intercepting traffic for the children, against terrorism, or whatever excuse they come up with.

  • I think you're right. I got some people to start using Hangouts and then Google killed it. I don't even bother to learn what Google has available now for chats because I know now there's no point to trying to get people to switch, no matter how good/bad it may be.

  • And that's a bad thing?

    The desktop is finally catching up with the more restrictive permissions model where an app doesn't just have the ability to do anything the user can do but instead only has access to what it needs.

    Going with a familiar interface style like the ones people already use on mobile just makes sense.

    What would you want it to look like instead?

  • I know someone who is non-technical who asked how to remove the ad blocker they had when YouTube displayed the message, as they didn't know you could turn it off per site, so anecdotally that is something that does happen.

  • They haven't released the text publicly but they're voting on it in less than a week. That's also one of the many objections that Mozilla et al. have to this whole thing: it's basically being done in secret in a way that won't give the public any time to react or object.

    Historically, the browser vendors have only distrusted certificate authorities when they had reason to not trust them, not some arbitrary reason.

    One of the examples of them preventing a CA from being trusted is Kazakhstan's, which was specifically set up to enable them to intercept users' traffic: https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/

    Even if all of the EU states turn out to be completely trustworthy, forcing browser vendors to trust the EU CAs would give more political cover for other states to force browser vendors to trust their CAs. Ones that definitely should not be trusted.

    I think there wouldn't be nearly the same level of objection if it was limited to each country's CC TLD, rather than any domain on the internet.

  • How is giving any EU state the ability to be a certificate authority in your browser for issuing a certificate for any site, without them needing to follow the rules the browser vendors have for what makes an authority trustworthy, with no option to disable them or add additional checks to their validity, "protecting their citizens from (American) corporate abuse"?

    From the Mozilla post:

    Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission.

    [...]

    There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.

    [...]

    The text goes on to ban browsers from applying security checks to these EU keys and certificates except those pre-approved by the EU’s IT standards body - ETSI.

  • I can see warning fatigue being a problem and trying to avoid the use of the interstitial pages because of that. They don't want to display the big warning when they're not confident as then people might ignore those in other contexts (cert errors, phishing/dangerous sites, etc).

  • How it works: Chrome only displays the lookalike phishing protection screens for sites with similar domains to the ones you visit, which can be detected by a server when the site doesn't load (the warning first appears instead).

    Summary from the conclusion:

    Lookalike Warnings are arguably a great safety feature that protects users from common threats on the web. It's hard to balance effectiveness and good user experience, making Site Engagement a vital source of information. However, since disabling Site Engagement or Lookalike Warnings is impossible, we believe it's important to discuss these features' privacy implications. For some people, the risk of exposing their browsing history to a targeted attack might be far worse than being tricked by lookalike phishing websites. Especially given that site engagement is also copied into incognito sessions.

  • Just checked an 11 Home computer that has Device Encryption turned on:

    Get-BitLockerVolume reports that it is on for the main drive with RecoveryPassword and Tpm protectors.

    It's definitely just a rebranded, less featured BitLocker.

  • It's SSD dependent and implementation quality may vary between manufacturers and models. Some may not actually protect your data all that well from someone trying to access your data, hence Microsoft defaulting to software they know works.

  • I'd argue it's similar to the debate over whether HTTPS is needed for most sites (it is and there's little excuse not to at this point). It also matches what is expected from other devices like phones that are encrypted by default now.

    As for data loss: for Home users at least, a recovery key is backed up to the user's Microsoft account.

  • What was telling for me was the article from the same site from a few years ago about Microsoft disabling the use of hardware encryption by default because they couldn't trust the drive manufacturers to do it right.

    Do they want things to be secure or fast?

  • From your article:

    Difference between Device Encryption and BitLocker

    Both are fundamentally the same, but there are some differences between Device Encryption and BitLocker on Windows. The limitation with Device Encryption is that you have no options to configure and no way to require preboot-authentication – you have to rely on the TPM chip alone.

    I'm pretty sure it just uses BitLocker under the hood and doesn't let you configure some things:

    https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

    https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview#device-encryption

  • BitLocker can be configured to use the encryption provided by the SSD, so you can still use it, you just need to make sure that the SSD model you have supports it and doesn't have any flaws/insecurities in its implementation.

    I'm not sure what options are available for that NAS though.

  • There's a reason they default to software though, the hardware can't be trusted:

    https://www.tomshardware.com/news/bitlocker-encrypts-self-encrypting-ssds,40504.html

    Those people were actually worse off than anticipated because Microsoft set up BitLocker to leave these self-encrypting drives to their own devices. This was supposed to help with performance--the drives could use their own hardware to encrypt their contents rather than using the CPU--without compromising the drive's security. Now it seems the company will no longer trust SSD manufacturers to keep their customers safe by themselves.

    Linked from that article:

    https://www.zdnet.com/google-amp/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/

    Researchers at Radboud University in the Netherlands have revealed today vulnerabilities in some solid-state drives (SSDs) that allow an attacker to bypass the disk encryption feature and access the local data without knowing the user-chosen disk encryption password.

    The vulnerabilities only affect SSD models that support hardware-based encryption, where the disk encryption operations are carried out via a local built-in chip, separate from the main CPU.
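
Added example, not part of the comments above: a PowerShell audit that takes `Get-BitLockerVolume` output and flags the conditions these BitLocker comments discuss (encryption left to the SSD, TPM-only unlock, missing recovery password). The function name `Get-EncryptionAudit` and the sample objects are constructed for illustration, and the `HardwareEncryption` value of `EncryptionMethod` is assumed to be how the cmdlet reports drive-side encryption.

```powershell
# Added example. Run elevated when using the live Get-BitLockerVolume default.
function Get-EncryptionAudit {
    param(
        # Volumes to inspect; defaults to the live output of Get-BitLockerVolume.
        [object[]]$Volume = (Get-BitLockerVolume)
    )
    foreach ($v in $Volume) {
        $protectors = @($v.KeyProtector | Where-Object { $_ } |
            ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()
        if ("$($v.ProtectionStatus)" -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        # Assumed value name for volumes whose encryption is done by the drive itself.
        if ("$($v.EncryptionMethod)" -eq 'HardwareEncryption') {
            $findings += 'encryption is delegated to the drive firmware'
        }
        if ($protectors -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }
        # A bare Tpm protector with no Tpm+PIN/key variant means no pre-boot authentication.
        if (($protectors -contains 'Tpm') -and -not ($protectors -match '^Tpm.+')) {
            $findings += 'TPM-only unlock, no pre-boot authentication'
        }
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Method     = "$($v.EncryptionMethod)"
            Protectors = $protectors -join ','
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample objects (not real cmdlet output) so the logic can be tried offline.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'XtsAes128'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'HardwareEncryption'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'TpmPin' }) }
)
Get-EncryptionAudit -Volume $sample | Format-Table -AutoSize
```

On the constructed sample, `C:` is flagged for TPM-only unlock, and `D:` for drive-delegated encryption and a missing recovery password.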

  • Don't they have standardized resolutions and the file broken into hundreds/thousands of parts anyways? Couldn't they just add in ads to some of those parts in those same resolutions?

    e.g: https://en.wikipedia.org/wiki/Dynamic_Adaptive_Streaming_over_HTTP

    Similar to Apple's HTTP Live Streaming (HLS) solution, MPEG-DASH works by breaking the content into a sequence of small segments, which are served over HTTP.