[HN Gopher] Let's guess what Google requires in 14 days or they ...
       ___________________________________________________________________
        
       Let's guess what Google requires in 14 days or they kill our
       extension
        
       Author : cimnine
       Score  : 948 points
       Date   : 2020-05-13 16:51 UTC (6 hours ago)
        
 (HTM) web link (blog.pushbullet.com)
 (TXT) w3m dump (blog.pushbullet.com)
        
       | bvandewalle wrote:
       | If you are an engineer, those types of stories should make you
       | rethink your usage of Google Chrome. Chrome having so many users
       | empowers them to implement those types of nonsensical policies.
       | 
       | As said in other comments it is trivially easy to switch to
       | Firefox (or any other browser you feel that fits your needs
       | better).
        
       | mtnGoat wrote:
       | I know Google employees that have had their accounts on various
       | Google Services shut down and they couldn't even get them back
       | themselves. The place is very siloed, something needs to give
       | because these nightmare scenarios keep happening over and over.
        
       | Crazyontap wrote:
       | This is a good extension but here is a cool hack I've discovered
       | that lets you do this anywhere without any chrome extensions:
       | 
       | - Create a new WhatsApp group called 'ping self' and add your friend
       | to it.
       | 
       | - Then kick your friend out from this group
       | 
       | - Open web.whatsapp.com and now you can access your messages,
       | files, photos across any device anywhere, anytime! (telegram also
       | does this and allows files up to 1gb)
        
         | jeromegv wrote:
         | My issue is that whatsapp really compresses the photos. But
         | decent workaround.
        
         | djannzjkzxn wrote:
         | For the more limited use case of "get a link from a desktop to
         | my phone right now" I have really enjoyed using an extension on
         | the desktop browser that pops up a QR code linking to the
         | current tab. Then I just point my phone camera at the QR code
         | on the monitor to open the link on my phone. I like this setup
         | because it doesn't require any pre-configuration to link the
         | desktop and the phone. Your friend sitting next to you can scan
         | the QR code too.
         | 
         | I'm not linking to any specific QR code extension because I
         | haven't audited them for privacy but it's easy to find one that
         | claims to generate the QR code locally.
        
           | majewsky wrote:
           | I use
           | 
           |     wl-paste | qrencode -s 20 -o - | display -
           | 
           | for this purpose. Shows the contents of the current Wayland
           | clipboard as a QR code. For X11, replace `wl-paste` with
           | `xsel -b`.
        
             | jmiserez wrote:
             | Oooh nice. Better yet, you can show that QR code directly
             | in the terminal:
             | 
             |     qrencode -t ansiutf8 google.com
             | 
             | Looks identical. In WSL, you can use 'powershell.exe
             | Get-Clipboard':
             | 
             |     powershell.exe Get-Clipboard | qrencode -t ansiutf8
        
         | Shounak wrote:
         | I use Slack for this, using a chat window with myself.
        
         | rampole wrote:
         | What about SMS from desktop?
        
       | calmchaos wrote:
       | Those rejection emails are most likely sent by an AI. If you
       | reply back and ask them to specify exactly what is wrong, you'll
       | get the same generic email back. Ask again, and they'll send the
       | same generic response without any details or comments written by
       | a human. They simply can't specify the problem at all. That's how
       | you know you are talking with an AI, not a human.
       | 
       | The correct way to respond to those rejection emails is to ask
       | for a "human being" (this is the keyword that works) to review
       | the case. Also explain in the email why there isn't anything more
       | you can do (if you have done every possible fix already).
       | 
       | As a side note, when AI systems get more common, this will be a
       | common nightmare for regular people. When an AI makes an
       | incorrect decision regarding you, no-one can check the code why
       | it happened because the code doesn't exist. All we may have are
       | some weighted matrices and neural network data as a bunch of
       | numbers.
        
         | necovek wrote:
         | I am pretty confident there is no AI involved, but just a
         | regular deterministic code analysis tool that flags potential
         | discrepancies between code and demanded permissions.
         | 
         | We usually simply call those bots (there can be AI bots too,
         | but there seems to be no indication that this is one).
        
       | raybb wrote:
       | This is awful. I'm going to send GCP support a message with the
       | small hope that someone can flag it up to the right team.
        
         | snazz wrote:
         | GCP and the rest of Google are separated from each other
         | similarly to how YouTube and Google are separated.
         | Unfortunately, the odds of that technique working are very low.
        
       | janee wrote:
       | Ironic reading this today. Got locked out of an old gsuite we
       | manage for someone on Monday because I typed the recovery mail
       | wrong 3 times...omg what a crazy battle to follow their recovery
       | process.
       | 
       | Sent them sooo much proof, answers, cname changes, invoices,
       | emails, etc etc, but still get the same canned response back.
       | 
       | The weird thing is I never got a single notification on the
       | recovery mail that unauthorized access was attempted and that the
       | account got locked.
       | 
       | Honestly I feel like such a dumb ass for making our company use
       | gsuite now. I don't think I'll ever recommend a google product to
       | anyone again.
        
       | aendruk wrote:
       | We had a similar interaction with the Chrome Web Store out of the
       | blue. After a few maddening rounds of requests for clarification
       | and nonsensical canned responses, I finally just gave up and
       | accused them of gaslighting me. Our extension was restored the
       | next day, of course with no explanation for the ordeal.
        
       | daveidol wrote:
       | Thanks for posting this publicly. I'm all for the general idea of
       | reining in unnecessary data collection/prioritizing user
       | privacy, but sometimes you just need certain features to make
       | things work!
        
         | Guzba wrote:
         | Agreed. I really did see benefit to the changes I made that
         | reduced our permissions requested based on the initial email we
         | received from Google. When even that was rejected though, I
         | kind of got slammed with a "well.... what do I do now?".
        
       | gnicholas wrote:
       | Consider yourself lucky that your extension wasn't pulled after 1
       | day. I received a 7-day notice on a Sunday and complied same-day.
       | My extension was pulled the next day, and I received an email
       | stating that 7 days had elapsed.
       | 
       | I managed to get reinstated because I know people on Chrome's
       | accessibility team who promote my extension, but even with that
       | assistance it was still months before I could push a new version
       | without going into purgatory.
       | 
       | FWIW, I've had even more issues on Firefox. It's like they're in
       | a competition with the App Store for "most opaque review
       | process".
        
       | OJFord wrote:
       | I stopped using pushbullet because I realised its access made me
       | a bit uncomfortable, but had I had the 'So, can we cut any of
       | these permissions?' paragraph to read at the time, that may have
       | reassured me. Nice to see it not only being investigated (even if
       | it took Google's vague threat to spur it on) but positively so;
       | seen as 'A big win!'.
        
       | consultSKI wrote:
       | Is that why universal cut & paste has been flakey? I am dropping
       | all Google stuff. They recently killed my Alexa Skill on Android
       | (Samsung S9). With everything google deleted or permissions
       | denied on my phone, they still hijack the word "contact." Try
       | saying, "Alexa launch Contact Ski Man." Still works with Alexa on
       | iPhone, but how do you use a smartphone without a back button? We
       | have reached the point where it is time to throw the baby out
       | with the dirty water. Say, "Hey FireFox!"
        
       | throwawayext wrote:
       | Different extension developer here. The Chrome Extension store
       | ecosystem has become a nightmare for developers over the past
       | year. Some items:
       | 
       | - Extension review times have gone from 1 hour to a variable
       | amount of time ranging from 1 minute to 3 weeks or longer (try to
       | plan a release or spot fix an issue when you have no idea how
       | long it will take for a deploy to reach users)
       | 
       | - User reviews of extensions have been disabled (how are you
       | supposed to build an audience or build up trust without reviews?)
       | 
       | - Manifest v3 was announced (this was actually longer than a year
       | ago) which will completely break many types of extensions. Over a
       | year later, it is still on the horizon but the beta releases of
       | it are buggy so it is hard to even try to adapt to it at this
       | point.
       | 
       | - Persistent extension related bugs in Chrome are not being fixed
       | and new regressions are being introduced breaking previously
       | working extensions (which you then need to rush out a fix for but
       | good luck with that when the reviewers may take weeks to approve
       | the update)
       | 
       | - Chrome is exploring hiding extensions by default so they no
       | longer will show up automatically by the omnibar when you install
       | them (say hello to a huge amount of confused users who don't know
       | where your extension went)
       | 
       | I understand the Chrome team is trying to address a user trust
       | and fraud issue with extensions and we are grateful for that.
       | However, the Google extension team appears to be massively
       | understaffed and are having huge issues managing and evolving the
       | ecosystem.
        
         | ThrustVectoring wrote:
         | > Extension review times have gone from 1 hour to a variable
         | amount of time ranging from 1 minute to 3 weeks or longer (try
         | to plan a release or spot fix an issue when you have no idea
         | how long it will take for a deploy to reach users)
         | 
         | This is potentially a _huge_ security issue, because the
         | natural way to "fix" the problem is to download and run
         | arbitrary code as an end-run around the review process.
        
         | _fat_santa wrote:
         | Fellow extension developer here as well. I've been trying to
         | get an update approved since February or March.
         | 
         | Submitted an update in late February and decided to update my
         | screenshots. Remove the screenshots and add new ones only for
         | Google to tell me "you can't add screenshots while your app is
         | in review", fine, add them later after the review.
         | 
         | 3-4 weeks go by and I check the approval status. Status has
         | been rejected because....no screenshots provided. I've since
         | updated the screenshots and resubmitted for review. Currently
         | still waiting on approval.
         | 
         | I've been planning on doing a Product Hunt Launch but that's
         | been put on hold until I can get an updated version in the
         | chrome web store (the current version is very old and buggy).
         | I've even looked into distribution outside the store but turns
         | out chrome will no longer let you do that.
        
         | xg15 wrote:
         | > _Chrome is exploring hiding extensions by default so they no
         | longer will show up automatically by the omnibar when you
         | install them (say hello to a huge amount of confused users who
         | don't know where your extension went)_
         | 
         | Haven't heard about this change (more info at [1] for anyone
         | interested) - wow! I really wonder if those are the first steps
         | of the roadmap to get rid of extensions altogether.
         | 
         | [1]
         | https://www.theregister.co.uk/2020/04/07/chrome_hiding_exten...
        
           | t0mas88 wrote:
           | Chrome on Android already doesn't have extensions. That made
           | me switch to Firefox on Android and within a week my laptop
           | was also on Firefox because it's nice to have tab syncing etc
           | between devices.
           | 
           | If enough users do this I think Google will review their
           | policy on extensions and specifically adblockers. Can't
           | browse without one anymore after having used it for a while.
        
             | iagovar wrote:
             | Brave is also nice in Android, although I miss the FF
             | extensions.
        
       | dasm wrote:
       | As a daily Pushbullet user, thank you for posting this! It's
       | maddening that the best way to escalate a Google customer service
       | issue is social media.
        
       | renewiltord wrote:
       | This is sad but they're just responding to market hysteria on
       | permissions.
        
         | luckylion wrote:
         | The general idea of "please limit the permissions you request",
         | maybe. The secrecy about what they don't like isn't part of
         | that, that's just Google's preference for keeping things vague.
        
         | danShumway wrote:
         | > but they're just responding to market hysteria on
         | permissions.
         | 
         | And responding poorly.
         | 
         | What the market wants is for companies to lay out
         | understandable policies that protect their privacy. People I
         | know want more clarity about what's happening in the extension
         | store and on their devices, not less.
         | 
         | As a consumer, it doesn't make me feel any better for Google to
         | say in vague terms, "we booted off an app that doesn't respect
         | your privacy." Okay, what was it doing? Are there other apps I
         | should be concerned about? How bad did the app need to get
         | before you booted it off? Are there exceptions to these
         | standards? Are they being applied to internal apps as well?
         | 
         | My feeling is that Google's inability to communicate with
         | developers and users is its own problem; it's not the market's
         | fault. Tech companies in general have had difficulty with
         | customer support for a while, even before the media started
         | picking up on privacy issues. Nothing has really changed,
         | Google just happens to be notably bad at this.
        
         | rurp wrote:
         | I'm not mad about them increasing scrutiny on permissions, that
         | seems fine. What sucks is Google giving a short deadline, no
         | details, and zero response to the developer's repeated
         | communication attempts; all with the threat of Google nuking
         | every single Google resource tied to the developer if they step
         | over some invisible line.
        
       | sebastianconcpt wrote:
       | _We at Pushbullet have received some bad news from Google. It
       | appears our extension will be removed from the Chrome Web Store
       | if we don't make required changes within 14 days. Not good! The
       | bigger problem? Google hasn't told us what those required changes
       | are. The Pushbullet Chrome extension has been on the Chrome Web
       | store for over 6 years, currently has over 1,000,000 users, and
       | has a 4.5 star average rating._
        
       | boomboomsubban wrote:
       | Does chrome already offer features like PushBullet? Firefox
       | somewhat does with Pocket, so I assume chrome has something
       | similar.
       | 
       | If they do offer something of the sort, or start to shortly, this
       | seems like a perfect antitrust case.
        
         | beastman82 wrote:
         | Zero chance this will happen without a much bigger party
         | involved
        
           | pkilgore wrote:
           | Under the Clayton Act, the Sherman Act, or both? Is this a
           | legal realism commentary on the comparative cost-benefit of
           | civil antitrust litigation in modern America?
           | 
           | Or are you just pretending you know things to feel good on
           | the internet.
        
         | deepender99 wrote:
         | yes they offer https://messages.google.com/
        
       | therealmarv wrote:
       | Robots are in control here, follow their rules and get your
       | accounts permanently deleted if you don't understand the robots
       | rules and mindset...
        
       | komali2 wrote:
       | > This may also result in the suspension of related Google
       | services associated with your Google account.
       | 
       | Get all your emails off gmail ASAP, pushbullet developers. It may
       | be more than your extension that gets nuked.
        
       | Wowfunhappy wrote:
       | > The other opportunity is the tabs permission. This permission
       | lets extensions see what tabs are open. Pushbullet uses this
       | permission to avoid opening new tabs for websites that are
       | already open when mirrored notifications are clicked. This is a
       | small sacrifice to make to let go of a big permission. Let's let
       | it go!
       | 
       | No, that "small sacrifice" sounds super annoying! I don't use
       | Pushbullet, but if I did and this got removed in an update, I'd
       | be pissed off! At least leave it behind an optional checkbox.
        
         | Guzba wrote:
         | Thanks for the feedback here. It strikes me as a little crazy I
         | may be infuriating you with a change and never even know if
         | that was something I had to do?
         | 
         | An optional permission seems 100% reasonable.
        
           | Wowfunhappy wrote:
           | > It strikes me as a little crazy I may be infuriating you
           | with a change and never even know if that was something I had
           | to do?
           | 
           | Oh, for sure! Just to be clear, I didn't intend my comment as
           | a criticism.
           | 
           | It's nuts that you, as the developer, actually went so far as
           | to remove features in your first pass, and Google still
           | rejected that attempt without additional instruction.
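
An added example, not part of the thread and not Pushbullet's code: one way to make the tab-reuse behaviour discussed above opt-in, by declaring `tabs` under `optional_permissions` and falling back to opening a new tab when it has not been granted. The `api` parameter (pass `chrome` in a real extension), the function names and the `makeFakeChrome` stand-in are assumptions for illustration.

```javascript
// Manifest fragment this sketch assumes (constructed for illustration):
//   "permissions": ["notifications"],
//   "optional_permissions": ["tabs"]

const TABS = { permissions: ['tabs'] };

// Request the optional permission. Chrome only honours this from a user
// gesture, e.g. the click handler of a settings checkbox.
function enableTabReuse(api, done) {
  api.permissions.request(TABS, (granted) => done(Boolean(granted)));
}

// Give the permission back when the user unticks the checkbox.
function disableTabReuse(api, done) {
  api.permissions.remove(TABS, (removed) => done(Boolean(removed)));
}

// Called when a mirrored notification is clicked.
// With "tabs": focus an already-open tab for the URL if one exists.
// Without it: tab URLs are not visible, so always open a new tab.
function openFromNotification(api, url, done) {
  const create = () =>
    api.tabs.create({ url }, (tab) => done({ action: 'created', tabId: tab.id }));

  api.permissions.contains(TABS, (hasTabs) => {
    if (!hasTabs) {
      create();
      return;
    }
    api.tabs.query({}, (tabs) => {
      const match = tabs.find((t) => t.url === url);
      if (!match) {
        create();
        return;
      }
      api.tabs.update(match.id, { active: true }, () =>
        done({ action: 'focused', tabId: match.id }));
    });
  });
}

// Constructed stand-in for the `chrome` object so the logic runs outside a
// browser. It mimics one real behaviour: tab.url is hidden until the
// "tabs" permission has been granted.
function makeFakeChrome(openUrls) {
  const granted = new Set();
  const tabs = openUrls.map((url, i) => ({ id: i + 1, url }));
  return {
    permissions: {
      contains: (p, cb) => cb(p.permissions.every((x) => granted.has(x))),
      request: (p, cb) => { p.permissions.forEach((x) => granted.add(x)); cb(true); },
      remove: (p, cb) => { p.permissions.forEach((x) => granted.delete(x)); cb(true); },
    },
    tabs: {
      query: (_q, cb) =>
        cb(tabs.map((t) => (granted.has('tabs') ? { ...t } : { id: t.id }))),
      create: (props, cb) => {
        const t = { id: tabs.length + 1, url: props.url };
        tabs.push(t);
        cb({ ...t });
      },
      update: (id, _props, cb) => cb(tabs.find((t) => t.id === id)),
    },
  };
}
```

Users who never tick the checkbox see no extra permission prompt and get the duplicate-tab behaviour; users who do tick it keep the old behaviour.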
        
       | madrox wrote:
       | Stuff like this makes me wonder why Chrome's security model
       | allows things if it can be scanned and deemed unsafe. Isn't it
       | preferable to bake such restrictions into the extension API if
       | Google didn't want PushBullet to go beyond it? Why does this need
       | to be enforced by an app store?
        
       | imhoguy wrote:
       | 2020 and our browser privacy handling is like MS-DOS.
       | 
       | Why the hell can't I disable all extensions when I enter my bank
       | account or insurance page? As far as I know Firefox containers
       | are close but still no fine grained control over extensions.
        
       | sming wrote:
       | the corporate gorilla beats its chest, demanding you comply!
       | 
       | But with what, it does not say ¯\_(ツ)_/¯
        
         | crankylinuxuser wrote:
         | The answer is to run a campaign to work with Firefox and Safari
         | only, and convert all users to either platform.
         | 
         | Seriously, fuck google. I'm just done with them.
        
         | [deleted]
        
       | ajhurliman wrote:
       | I had a friend who went through a similar, onerous process with
       | Google which ended up killing his entire chrome extension (which
       | had 400,000+ MAU). This iron-fisted control of the extension
       | marketplace is not becoming to Google.
        
       | saltedonion wrote:
       | I too have deGoogled as much as I can, but I'm hesitant to jump
       | on the hate wagon for this one.
       | 
       | Consider the counterfactual - what if google was highly specific
       | about the changes required? Clarifying the boundaries of what's
       | allowed is prone to abuse. This is the same reason why the search
       | algorithms are not explicitly published, but only the spirit is
       | explained.
       | 
       | I would say this is the best solution when there are no perfect
       | solutions.
       | 
       | Perhaps the 14 day period could be longer, but that's another
       | point of contention.
        
       | seanwilson wrote:
       | For people focusing their comments on this particular extension +
       | the permissions it asks for, please take a quick look at the
       | numerous recent posts in the official forum for Chrome extension
       | developers to see it's not an isolated issue:
       | 
       | https://groups.google.com/a/chromium.org/forum/#!forum/chrom...
       | 
       | It's a systematic issue that isn't specific to anything
       | Pushbullet is doing and it's been like this before the pandemic:
       | 
       | - Reviews can take up to 3 weeks. This alone would be crazy
       | enough if you have an urgent bug to fix.
       | 
       | - Rejection emails are vague and don't tell you what to fix.
       | 
       | - After you guess at what to fix, you've then got to join the up
       | to 3 weeks review queue again.
       | 
       | - If you try too many times, your extension gets pulled.
       | 
       | - On top of this, they've recently disabled new Chrome Web Store
       | paid items, and user reviews.
       | 
       | Can anyone from Google escalate this and help extension
       | developers? I can't speak for everyone but there's lots of
       | complaints in the forum and little action beyond "we hear you and
       | are looking to improve things".
        
         | dilandau wrote:
         | >We hear you and are eagerly looking to improve things.
         | 
         | Joking aside, isn't this just what people should come to expect
         | from the company that has always tried to normalize the "no
         | support and no service" model?
         | 
         | If these antics start causing GOOG to lose share in the browser
         | market then they may review these policies, but I highly doubt
         | it. At the end of the day GOOG is an ad company and publicly-
         | traded at that. They have a bottom-line and a lot of
         | shareholders watching it.
         | 
         | Support channels/forums are probably not the way to go, in
         | other words. Stop using their browser, stop using their search.
         | That's probably the only way they will be incentivized to
         | change.
        
       | popup21 wrote:
       | Chrome extension developers should start hosting them on Github.
       | 
       | I use a flavor of Chrome called Ungoogled Chrome
       | (https://ungoogled-software.github.io/) and the only way to
       | install plugins is to manually install the CRX file.
        
       | deepender99 wrote:
       | Well this is my favorite Extension, If Google kills it then how
       | will users get their pushbullet chat data back?
        
         | tiborsaas wrote:
         | What's more is that chat history is broken, I can't see tons of
         | messages on the web interface.
         | 
         | You can still access some on the web.
         | 
         | But your best option is to do a GDPR request to export all
         | your data.
        
       | AlphaWeaver wrote:
       | I'm also an extension developer, and Google has done this to me a
       | few times too. We request permissions specifically for what we
       | need, and our extension is unlisted and can only be installed
       | from our website.
       | 
       | Google is a bully, and they use their size and the threat of
       | permanently removing access to your Google Account (and family
       | photos) to terrorize small players without cause.
       | 
       | How many people would Google need to hire to provide email
       | support for extension review for extensions above a certain size?
       | It can't be a huge dent in their budget.
        
         | blihp wrote:
         | Not going to happen. This is an issue people have been raising
         | for at least the better part of a decade... don't expect
         | anything to change now.
         | 
         | A more productive approach would be to focus on web browsers
         | that allow you to do what you need to and let Google fix what
         | they need to encourage you back. I know, most extension
         | developers will say 'we can't do that because it's where the
         | users/customers/whoever are'. But as long as you encourage
         | their bad behavior by supporting the platform, expect the bad
         | behavior to continue since it's not hurting _Google_. As a
         | result, it's just a cost of doing business on Google's
         | platform which is unlikely to change for the better.
        
           | AlphaWeaver wrote:
           | Are you making a good faith suggestion that it's possible to
           | build a business around a browser extension and not support
           | Google Chrome?
           | 
           | They have something like 70% market share dude...
        
             | qznc wrote:
             | I believe the suggestion is to incorporate this "bully
             | risk" in your business plan. Some business models might not
             | be profitable anymore if you do this. Others just need
             | additional diversification or more risk capital.
        
       | patwalls wrote:
       | Chrome extension developer here.
       | 
       | Google ripped my Chrome extension off the app store about a month
       | ago.
       | 
       | I got a similar cryptic message, and then I scrambled to fix it,
       | like you're doing now. Somehow my extension reappeared the next
       | day.
       | 
       | Email me pat [at] trypigeon [dot] co and I can send you some of
       | the things I did that may have helped.
       | 
       | Tweeting my support as well:
       | https://twitter.com/thepatwalls/status/1260638967793242113
        
         | amasad wrote:
         | I had a similar experience but it wasn't important to me and I
         | let it go despite being a growing extension with 10s of
         | thousands of users and lots of good reviews.
        
         | WrtCdEvrydy wrote:
         | I have written about this recently on the Android side.
         | 
         | https://medium.com/@lazherrera/that-one-time-google-made-it-...
         | 
         | If you use any of the words related to the COVID-19 pandemic,
         | they will pull your app, suspend you and ding your account.
        
           | cwhiz wrote:
           | Google has effectively created a private monopoly on any
           | Android applications related to Covid-19. And the last time
           | this sort of information was posted to HN the comments
           | section was a race to see who could do the best apology for
           | Google.
           | 
           | This policy by Google is hurting people and businesses.
           | 
           | Meanwhile, Apple has a similar policy but all they do is just
           | take extra care when reviewing your app. I suggest you port
           | your app to iOS and submit it to the App Store. Apple will
           | accept it and approve it.
        
           | donatzsky wrote:
           | "Sign in to view this draft" :/
           | 
           | Seems like you hit the wrong button or something, when trying
           | to publish it.
        
           | nullc wrote:
           | I tried to follow your link but just get prompted to make a
           | medium account.
        
         | nsgf wrote:
         | > trypigeon [dot] co
         | 
         | Unrelated, but you got multiple ids with value 'feature-1' on
         | your landing page.
        
         | jonny_eh wrote:
         | > Email me pat [at] trypigeon [dot] co and I can send you some
         | of the things I did that maybe have helped.
         | 
         | Please post here so everyone else can learn too.
        
           | celticninja wrote:
           | I assume GP is trying not to help those the automated system
           | intends to catch
        
             | komali2 wrote:
             | That's a lot of good faith you're giving these automated
             | systems...
        
             | tomsmeding wrote:
             | Or, of course, said poster would like the maintainers of
             | the automated system not to realise the workarounds for
             | their system. :)
        
               | patwalls wrote:
               | Haha, my "workarounds" consisted of being persistent with
               | a few different support emails I found, posting on the
               | Chromium support forums, and a few other things. Pretty
               | boring stuff, and I'm not really sure that it even
               | worked.
               | 
               | Weeks or months from now, I'm sure someone will get their
               | extension removed from the store, and may come across
               | this post scrambling for a solution. If that's you,
               | please reach out to me and I can send you the support
               | emails and everything I tried.
        
       | Shorel wrote:
       | No Chrome, no Google search and no Gmail as default email here.
       | 
       | Hopefully, many others will follow.
        
       | maartn wrote:
       | I think that reading all of a user's cookies from all websites is
       | pretty privacy invading...
        
       | chrischen wrote:
       | We spend quite a bit on Google Ads yet they seem to refuse
       | devoting even a few minutes of a knowledgeable support staff's
       | time to our account--even when we're trying to figure out how to
       | give them more money. For 1-2 years our product shopping ads
       | never displayed and we couldn't get anyone to tell us why. One
       | day, it just started working by itself (perhaps some engineer
       | pushed a fix).
       | 
       | Contrast this with their sales strategy of aggressively making a
       | human call me every quarter to try to up my budgets. I'm not sure
       | why they are so against helping people succeed with their
       | products...
       | 
       | It's like they are allergic to manual human processes (unless
       | it's sales).
        
         | x86_64Ubuntu wrote:
         | I was using Google Ads for a pet project of mine. I lost the
         | password to one account, and then decided to set up another.
         | Using the same CC (which is also my personal CC) on both
         | accounts triggered something and they killed my account. I
         | explained what happened, and told them to check the first
         | account access patterns as they had abruptly stopped due to the
         | loss of the password. They didn't care in the least.
        
       | GuB-42 wrote:
       | It is a common theme with Google, what they do makes sense, but
       | communication is impossible.
       | 
       | I don't know if it is an artifact of overusing machine learning
       | "our neural network trained on a variety of malware gives your
       | app a score of 4.3, you have 15 days to get it down to 4.0". How
       | is that calculated? No one knows, maybe you shouldn't use the
       | location permission if your icon is red and your domain is not in
       | .org, or something like that.
       | 
       | Or maybe it is a form of security by obscurity. Or maybe they
       | just don't want to pay for people to support you. Who knows?
        
         | Florin_Andrei wrote:
         | > _It is a common theme with Google, what they do makes sense,
         | but communication is impossible._
         | 
         | You could say the same about some machine learning algorithms.
        
         | shadowgovt wrote:
         | It's that last one. Chrome Extensions, as a whole, are a value-
         | add to Chrome. Individual Chrome extensions have negligible
         | added value.
         | 
         | As long as Chrome isn't killing extensions "everyone cares
         | about," their system can bias pretty far towards making it hard
         | to get an extension accepted and maintained in the store
         | without killing the whole ecosystem.
        
       | Medicalidiot wrote:
       | I left Android for iOS because of this type of behavior. Google
       | is fickle with what its policies and goals are.
        
       | elwell wrote:
       | I've had a Chrome extension removed from the store before, I
       | suspect because it conflicted with Google's business model. I
       | would be very wary of building a business on a foundation that
       | another company controls.
        
       | ThePowerOfFuet wrote:
       | > Once you have made these changes you may submit and publish a
       | new draft in the Chrome Web Store Developer Dashboard.
       | 
       | > Your draft will then be reviewed for policy compliance. If the
       | outcome of the review is successful, your existing store listing
       | will get replaced by the approved draft. However, if the new
       | draft fails to comply with our policies, both the draft and the
       | existing store listing will be removed. Please note that the
       | rectification window expires the moment a new draft is submitted.
       | After this point, you will not be able to make iterative changes
       | regardless of the days remaining in the warning period.
       | 
       | Holy fuck, that's insane. You get one shot; if you miss, game
       | over.
        
       | danpalmer wrote:
       | As much as we can criticise Google's handling of this situation,
       | the fact that the developer was able to reduce permissions from
       | accessing data on _all websites_ down to _their website_, as well
       | as tighten up a few other permissions, shows that Google is
       | correct that the extension is asking for more than it needs.
       | 
       | I hope the developer finds another load of permissions they can
       | tighten up, resubmits, and is approved. As long as it results in
       | permissions being more correct this is a very positive thing for
       | users because for every PushBullet there's hundreds of attempts
       | at malicious Chrome extensions that are abusing permissions.
        
         | andrewmutz wrote:
         | Extension developers monetizing their extensions by selling the
         | data that they get from users is a big problem. It's the reason
         | that I don't freely install useful extensions that I find
         | today. I have no way to distinguish those who sell my data from
         | those who don't.
         | 
         | I love that Google is starting to solve this problem, and from
         | my perspective an extension that is sending and receiving SMS
         | messages should not be requesting the ability to read and
         | change all data on all websites that I access.
        
           | Theory5 wrote:
           | "Solve the problem" ok, so you're stating that this selling
           | only happens when a third party dev does it?
           | 
           | Do you have an android phone? Do you use google for anything?
           | Gmail? Google docs/drive? Youtube? Chrome? ChromeOS? Anything
           | google owns? Then they're selling your data.
           | 
           | Try reading all those fun TOS agreements that come with using
           | any of the aforementioned products, or heck, visiting sites
           | that use google analytics. That won't tell you how much or
           | what data google gets from you, but it'll tell you that you
           | agreed to it.
        
           | codegladiator wrote:
           | > I love that Google is starting to solve this problem
           | 
           | They aren't solving the problem. They are making sure only
           | they can get all the user information.
           | 
           | I would rather give all my information to everyone rather
           | than giving all my information to google.
        
           | onefuncman wrote:
           | They aren't solving this problem, they're killing off
           | extensions. And I say this having received many unsolicited
           | attempts to "purchase" Chrome extensions.
        
             | andrewmutz wrote:
             | I disagree. I think this practice could be seen as anti-
             | developer, but it is pro-consumer.
        
               | AmericanChopper wrote:
               | The bit that improves users' privacy is pro-consumer. The
               | bit that removes users' access to products is anti-
               | consumer.
        
               | danpalmer wrote:
               | It's obviously a balance, but you could use that argument
               | to allow any plugin on the store. It gives more choice.
               | 
               | I think it's important to remember that while PushBullet
               | is known to many of us, is posting on Hacker News, is a
               | valued part of "the community" in some respect, at Google
               | scale this fact is not known. PushBullet is obviously good
               | to _us_, and maybe just needs to tweak permissions a
               | little, but to a reviewer at Google it probably looks
               | very similar to the hundreds of extensions they may
               | review a day, many of which may contain malware.
               | 
               | They have to use certain metrics to sort the good from
               | the bad, and abuse of the permission system - intentional
               | or not - is a pretty good one when you care about the end
               | user.
        
               | AmericanChopper wrote:
               | A lot of people would argue that any authority that
               | controls what software you can run on your own hardware
               | is depriving you of your freedom. I would personally
               | suggest that while an authority that attempts to protect
               | consumers from malfeasant (or incompetent) vendors is
               | protecting a certain set of consumer interests, doing so
               | by implementing a bureaucratic maze simply creates an
               | entirely new set of anti-consumer issues. Because in that
               | case the consumer isn't being denied a choice because the
               | authority has decided the associated risks are too high,
               | it's being denied a choice because the authority has
               | failed to properly participate in the assessment and
               | remediation of those risks (or really just failed to
               | properly define the standards that must be met).
        
               | Drew_ wrote:
               | You can freely sideload any Chrome extension; it doesn't
               | have to be on the Chrome Web Store.
        
               | AmericanChopper wrote:
               | That does dampen the freedom argument somewhat, but it's
               | still a form of restricting consumer access.
        
               | karlicoss wrote:
               | I often wish for a separate browser for consumers that
               | are also devs. I'd happily lift the permissions for some
               | open source extensions I'm using if that means better
               | functionality.
        
         | bosswipe wrote:
         | The big crime isn't the request to reduce permissions. The big
         | crime is the lack of details and lack of communication. It's
         | having to drop everything and work in a panic trying to guess
         | how to please the faceless mysterious robot.
        
           | wombat-man wrote:
           | yeah, it would make way more sense to codify the policy and
           | just tell devs that they are using banned functionality or
           | something.
        
           | sixothree wrote:
           | This exemplifies Google's reputation well.
        
         | duxup wrote:
         | Permissions seem to be a pretty empty metric if you don't know
         | what the result is...
         | 
         | What was the impact of fewer permissions?
         | 
         | Let's assume PushBullet was doing something bad with some of
         | those permissions and gathering data? Do they no longer have
         | access to that data? I'm not sure that's the case, permissions
         | alone don't determine that.
         | 
         | If PushBullet wasn't doing anything bad, did anything change?
         | 
         | Is it a positive thing for users when the extension disappears
         | in a few days?
        
         | fgonzag wrote:
         | That's what you got out of it? Google doing a good job? They
         | sent an email with no guidance whatsoever.
         | 
         | These guys went above and beyond what most developers would've
         | done, which would have been to contact support until they get a
         | clear answer.
         | 
         | This only alienates the extension ecosystem. And this was the
         | primary reason I switched to Firefox. Google is the new
         | Microsoft. If I remember correctly, they started Chrome exactly
         | so this very thing wouldn't happen.
        
           | jlarocco wrote:
           | > They sent an email with no guidance whatsoever.
           | 
           | Did they, though? The email seemed pretty clear that the
           | problem was requesting more permissions than necessary.
           | 
           | I'm no Google fan, by any means, but if it's _that_ hard for
           | the developer to check which permissions their own app is
           | requesting, I don't know if it's Google's fault.
        
           | megablast wrote:
           | This is an unsafe extension that had access to every website
           | but did not need it. Yes, that is what I got too.
        
           | danpalmer wrote:
           | As mentioned, I think Google have handled it poorly, but
           | their fundamental position - that this extension is
           | incorrectly using permissions - was significantly correct and
           | may prove to be fully correct.
           | 
           | Google deserve criticism for the lack of clarity in the
           | communication, they deserve criticism for the lack of human
           | touch, customer support and many other aspects.
           | 
           | They do not deserve criticism for calling out incorrect
           | permissions usage and forcing developers to do better.
        
             | prox wrote:
             | Do it properly or don't do it at all is my motto. They could
             | have been more forthcoming from the start. This is mystery
             | meat communication.
             | 
             | > the concealment of relevant information over basic
             | practicality and functionality.
        
               | dan-robertson wrote:
               | I agree mostly. But why shouldn't the OP extension also
               | be required to "do it properly"? Where should one draw
               | the line?
        
             | munk-a wrote:
             | It's confusing because whatever system (whether human or
             | automated) they're using to flag permission issues has more
             | precise detection abilities than they chose to expose with
             | a simple "Permission is too wide - fix it".
             | 
             | The fact that the extension has over broad permission asks
             | isn't good but I think saying their communication lacks
             | clarity is underselling just how opaque they were with
             | their feedback. It also concerns me a bit because it looks
             | like their opaqueness might be an attempt at security via
             | obscurity by trying to cloak what the rules actually are -
             | which is a generally bad approach to trying to fight
             | malevolent actors.
        
               | danpalmer wrote:
               | It's possible that the flagging has come from user
               | submitted reports. In that case if Google trust the
               | reports (and they have enough data about users to know if
               | reports are likely to be genuine) then they don't
               | necessarily need to know any more details.
               | 
               | Alternatively it could be vague to restrict the
               | possibility of bad actors circumventing the letter of the
               | rules without adhering to the spirit of them, or even
               | just protecting themselves from legal repercussions
               | (perceived or real).
        
               | munk-a wrote:
               | Your latter point is the one that concerns me.
               | Organizations like governments have issues where the
               | spirit of the law is valued over the letter due to
               | inertial restrictions over revising the law - when it
               | comes to private corporations the ability to restructure
               | rules remains unless it's explicitly surrendered. In
               | these cases keeping the set of rules exposed to the
               | public (and even demoing changes) can allow revisions to
               | those rules to increase their accuracy.
               | 
               | And, when you get right down to it, any rule that isn't
               | well structured will be exploited by bad actors, people
               | looking to roll out malicious browser extensions have a
               | strong motivation to try and discover those rules with a
               | high level of accuracy by testing them - only the good
               | actors remain uninformed.
        
             | tedivm wrote:
             | That may have been true for the first round, but after they
             | fixed those permissions their extension was still rejected.
        
         | Aperocky wrote:
         | I disagree with you here because:
         | 
         | 1. The article contains more relevant information that you did
         | not show in your point.
         | 2. That relevant information made your point void.
         | 3. I think your point makes no sense on the relevant
         | information.
         | 
         | There, I refuted your claim, you have 14 days to change it and
         | show what you learned.
        
         | adverbly wrote:
         | > I hope the developer finds another load of permissions they
         | can tighten up, resubmits, and is approved.
         | 
         | You're missing the point here. The developer isn't given any
         | guidance on what needs tightening. This shouldn't be guess and
         | check. These rules impact this developer's livelihood. They
         | should be well defined, documented, and communicated.
        
           | danpalmer wrote:
           | Well they did give details on what needs tightening, it's
           | just that those details are in the form of policy points not
           | being hit.
           | 
           | What do you think they should be providing? Honest question,
           | I have some ideas but they all feel very tricky/error prone
           | to implement.
        
             | laughinghan wrote:
             | For comparison, some anecdotes elsewhere in the thread
             | about how Apple attaches screengrabs and even decompiles
             | apps to point to exact methods/lines of code in apps they
             | reject from the iOS App Store, even small free ones:
             | https://news.ycombinator.com/item?id=23170498
        
             | laughinghan wrote:
             | At the very, very least, they could identify which of the
             | permissions are in violation and need to be made more
             | restrictive, and which aren't. Someone at some point at
             | Google clearly had that information when they decided to
             | flag the extension, but Google's processes failed to ensure
             | they communicated it.
             | 
             | For the record, I actually agree with you that this is a
             | good policy and will be a positive outcome for users. But
             | while you seem to agree that Google could have handled this
             | better, you're not doing a good job of acknowledging just
             | how developer-hostile Google was here, which is why you're
             | getting a lot of pushback.
        
               | danpalmer wrote:
               | Most of the discussion on this link is about how Google
               | is being developer hostile. I think that's getting plenty
               | of attention.
               | 
               | > At the very, very least, they could identify which of
               | the permissions are in violation
               | 
               | If they've flagged this through user reports of the
               | permissions being too wide then they may not actually
               | know which permissions need to be changed. This is purely
               | speculation though.
        
               | rrss wrote:
               | > they may not actually know which permissions need to be
               | changed
               | 
               | How can they not know? They decide whether the update is
               | accepted or rejected, and there's somebody or something
               | at google that makes that decision, so google has to
               | know.
               | 
               | If they didn't know what permissions need to be changed,
               | how is the accept/reject decision made? Something like
               | "accept the fourth try if the developer makes it that far
               | because it is probably an improvement?"
        
           | the_gipsy wrote:
           | > These rules impact this developer's livelihood.
           | 
           | Let this be the millionth lesson of "the perils of building
           | on a platform instead of on a protocol".
        
             | crankylinuxuser wrote:
             | You misspelled "sharecropper".
        
         | gowld wrote:
         | Why can't Google provide support instead of vague threats?
         | Provide a permissions audit tool, recommend ways to reduce
         | permissions, provide a dev tool to automatically report on
         | permissions that haven't been used while running an extension.
         | 
         | Is _banning someone's entire Google account across all
         | services_ a proportionate response to a developer having
         | trouble with Google's confusing permissions API?
        
           | jpalomaki wrote:
           | Usual answer is that this would make it easier for malicious
           | actors to bypass the limitations.
           | 
           | Likely there is some automated system running these checks.
        
             | freehunter wrote:
             | Security through obscurity is no security at all.
             | 
             | Edit - this is a basic principle of security:
             | https://en.wikipedia.org/wiki/Security_through_obscurity
        
               | ashtonkem wrote:
               | Anti-cheat through obscurity on the other hand is
               | absolutely a thing.
               | 
               | As a metaphor, there's a damn good reason you can't just
               | pay an Olympic anti-doping facility to test your urine;
               | it would be trivial to develop protocols that evade the
               | tests if you could do that.
        
               | freehunter wrote:
               | If anti-cheat through obscurity worked, there would be no
               | cheaters. The fact that cheaters exist means it does not
               | work.
        
               | streb-lo wrote:
               | Your logic does not follow.
               | 
               | There are certainly less cheaters than if there were no
               | anti-cheat methods. To use OP's example, an open source
               | urine testing procedure would be trivial to game. The
               | same thing goes for open-source multiplayer games.
        
         | awinter-py wrote:
         | Disagree that G's motivation here is to reduce permission
         | footprint, because:
         | 
         | - if G has the ability to automatically audit necessary
         | permissions, they'd do it when you upload to the plugin store
         | 
         | - if they're doing this manually for popular plugins, then (1)
         | they'd publicly certify safe plugins and (2) the interaction
         | would be way more high touch
         | 
         | Plugins are inherently unsafe + require trusting the developer.
         | 
         | Could be malicious, or G may not even _have_ a reason for this
         | (it may be some forgotten dinosaur instinct to knock over other
         | people's stuff when it gets too big).
        
           | ViViDboarder wrote:
           | Also, Google could just block the permission and let the
           | extension developers deal. Even that would be less hostile
           | because at least the developers would know what to fix.
        
           | danpalmer wrote:
           | > - if G has the ability to automatically audit necessary
           | permissions, they'd do it when you upload to the plugin store
           | 
           | If they added it more recently then they are just back-
           | applying it to an already existing extension.
           | 
           | Alternatively, you can report plugins as requesting incorrect
           | permissions - I've done this. Perhaps that's what's happened
           | here, lots of reports triggering an investigation.
        
         | TuringNYC wrote:
         | >> As much as we can criticise Google's handling of this
         | situation, the fact that the developer was able to reduce
         | permissions from accessing data on _all websites_ down to
         | _their website_, as well as tighten up a few other permissions,
         | shows that Google is correct that the extension is asking for
         | more than it needs.
         | 
         | OK fair enough, but why aren't the big violators held to this?
         | (I realize this example isn't Chrome, but it is Google Calendar
         | -- ever try to add a Zoom meeting invitation to your Google
         | calendar? Zoom wants access to read and write all events ever
         | on your entire calendar!)
        
         | lvs wrote:
         | Edit: I was the one who misread it. My mistake
        
           | vntok wrote:
           | > As I looked at the permissions and what our extension
           | actually needs to operate, I noticed a great opportunity to
           | reduce our permissions requests. We do not need to request
           | access to data on https://*/* and http://*/*. Instead, we can
           | simply request data access for https://*.pushbullet.com/*,
           | http://*.pushbullet.com/*, and http://localhost/*. This is a
           | huge reduction in the private data our extension could
           | theoretically access. A big win!
           | 
           | They were completely in the wrong there, and posing a huge
           | security risk to all of their users.
        
           | mkl wrote:
           | I think you're the one misreading. From the article: "We do
           | not need to request access to data on https://*/* and
           | http://*/*. Instead, we can simply request data access for
           | https://*.pushbullet.com/*, http://*.pushbullet.com/*, and
           | http://localhost/*."
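
Added example (not part of the thread, the article, or Pushbullet's code): a small audit that applies the host match patterns quoted above, before and after the change, to a constructed list of URLs to show how far each set reaches. The manifests, the `notifications` entry, the sample URLs and all function names are assumptions made for illustration; ports are ignored when matching.

```javascript
// Constructed Manifest V2 "permissions" arrays. Only the host patterns are
// taken from the article quote; "notifications" is a placeholder API permission.
const BEFORE = { permissions: ["notifications", "https://*/*", "http://*/*"] };
const AFTER = {
  permissions: [
    "notifications",
    "https://*.pushbullet.com/*",
    "http://*.pushbullet.com/*",
    "http://localhost/*",
  ],
};

// Constructed sample URLs standing in for pages a user might have open.
const SAMPLE_URLS = [
  "https://mail.example.com/inbox",
  "http://bank.example.org/login?next=/",
  "https://api.pushbullet.com/v2/pushes",
  "https://pushbullet.com/",
  "http://localhost/auth",
  "https://pushbullet.com.example.net/", // lookalike host, must not match *.pushbullet.com
];

// Split "<scheme>://<host><path>" into parts; returns null for API permissions.
function parsePattern(pattern) {
  if (pattern === "<all_urls>") {
    return { scheme: "*", host: "*", path: "/*", allUrls: true };
  }
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

// Turn a path glob ("*" = any run of characters) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function patternMatchesUrl(pattern, urlString) {
  const p = parsePattern(pattern);
  if (!p) return false;
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  const host = url.hostname;

  let schemeOk;
  if (p.allUrls) schemeOk = ["http", "https", "file", "ftp"].includes(scheme);
  else if (p.scheme === "*") schemeOk = scheme === "http" || scheme === "https";
  else schemeOk = p.scheme === scheme;

  let hostOk;
  if (p.host === "*") {
    hostOk = true;
  } else if (p.host.startsWith("*.")) {
    // "*.example.com" covers example.com itself and any subdomain of it.
    const base = p.host.slice(2);
    hostOk = host === base || host.endsWith("." + base);
  } else {
    hostOk = host === p.host;
  }

  const pathOk = globToRegExp(p.path).test(url.pathname + url.search);
  return schemeOk && hostOk && pathOk;
}

// Report which host patterns are unrestricted and which sample URLs are reachable.
function auditManifest(manifest, urls) {
  const hostPatterns = (manifest.permissions || []).filter((p) => parsePattern(p) !== null);
  const broad = hostPatterns.filter((p) => parsePattern(p).host === "*");
  const reachable = urls.filter((u) => hostPatterns.some((p) => patternMatchesUrl(p, u)));
  return { hostPatterns, broad, reachable };
}

for (const [name, manifest] of [["before", BEFORE], ["after", AFTER]]) {
  const report = auditManifest(manifest, SAMPLE_URLS);
  console.log(name, "- unrestricted host patterns:", report.broad);
  console.log(name, "- reachable sample URLs:", report.reachable);
}
```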
        
         | gnu8 wrote:
         | I'm trying to figure out why that was their setting to begin
         | with.
         | 
         | > We do not need to request access to data on https://*/* and
         | http://*/*.
         | 
         | Was this not determined before, or they changed their minds now
         | that Google is threatening to pull their product? Either they
         | thought that was appropriate before, or they didn't think about
         | it at all. Inexcusable either way.
        
         | xg15 wrote:
         | I strongly disagree. If they were actually interested in this,
         | they could simply tell the developers what to fix. This is
         | beyond arrogant and counterproductive.
        
         | ekanes wrote:
         | Yes, it seems pretty bad that by default they were accessing
         | user data everywhere. Gross.
        
         | Guzba wrote:
         | I really did try to call out the benefits that happened when I
         | was told to "give permissions another look". Like all software,
         | needs change and I was able to make a great improvement.
         | 
         | The issue I have is that it's not clear if I'm even addressing
         | the correct issue(s). If I don't make the Correct change, all
         | other changes are irrelevant since they'll never get published.
        
           | danpalmer wrote:
           | Yeah, it's crap that they didn't give you guidance, although
           | it seems like you managed to find plenty of issues quickly so
           | perhaps the guidance is less necessary than it might seem.
           | 
           | Ultimately you know your extension, codebase, and use-case,
           | far better than Google does, so it may not really be possible
           | for them to give you the detail that you're looking for - you
           | may be the only person who can do that.
           | 
           | I hope that they provide the support you need in
           | understanding the problem to the point where the extension
           | can continue to live on the Chrome store.
        
       | foobarbazetc wrote:
       | lol.
       | 
       | We have the same problem, but on the Google Play Store.
       | 
       | We have a brand name app used by millions of people. We uploaded
       | an update where the only change was a new Firebase library.
       | 
       | Google rejected the update for vague reasons ("violation of
       | Google Play policies" but not telling us which one).
       | 
       | Appealing the rejection, the CSR just pasted the vague policy
       | thing back at us. We asked for more information and they just
       | closed the ticket.
       | 
       | So we took the exact build that was accepted, incremented the
       | version number, and uploaded that. Rejected again.
       | 
       | And there's no real human to talk to.
       | 
       | No idea what's going on at Google.
        
         | Florin_Andrei wrote:
         | > _No idea what's going on at Google._
         | 
         | It's like trying to troubleshoot a machine learning algorithm.
        
         | sudoit wrote:
         | Had the same problem when I made a fairly successful app in
         | university. Whole account got deleted for a "3rd strike"
         | meaning "3rd resubmission."
         | 
         | I've made a new account and their AI black box still doesn't
         | realize it's me...
        
           | arseniclifeform wrote:
           | By whole account deleted do you mean your Chrome dev
           | "account" or your Google account including Gmail, Gcal, and
           | YouTube? The latter is my greatest fear.
        
       | FpUser wrote:
       | Aside from YouTube and search I am not using Google at all. And
       | Chrome is on my computer only for testing.
        
       | Baeocystin wrote:
       | Another long-term PushBullet customer here.
       | 
       | Anyone at Google who is listening- this kind of behavior _kills_
       | my desire to continue using your products dead. I _need_
       | functionality, of the type PushBullet has provided for years, to
       | do my work. The recent nerfing of ublock origin has already had
       | me feeling iffy on things. Behavior like this is simply
       | unacceptable. If you want people to use your services, you need
       | to have some way to communicate. Period.  "If you use our tools,
       | we can kill your livelihood at any time for any reason and tough
       | shit if you want a why" doesn't exactly inspire, you know?
        
         | moneywoes wrote:
         | Can you elaborate on the ublock origin nerf?
        
         | irrational wrote:
         | They blocked ublock origin?! Really?! What was their stated
         | rationale (I assume they didn't admit it is because they want
         | people not to block ads)? Might I suggest using Firefox? I use
         | it and don't have any trouble with it.
        
           | gowld wrote:
           | It's not true.
        
         | ChuckMcM wrote:
         | It would be interesting to hear Google's _actual_ reasoning but
         | I don't expect that we will. I will speculate that it is
         | exactly the clipboard permissions as there have been apocryphal
         | reports of Android apps and web extensions that use this to
         | steal passwords that password managers put there for users to
         | "paste" into their pages.
         | 
         | If that is the case, then a much better solution would be for
         | Chrome to implement a secure channel for password managers to
         | use for just that purpose and make access really really
         | explicit. But again, without them saying anything we won't
         | know.
         | 
         | My advice is to watch for a CVE regarding sniffing sensitive
         | data off the clipboard to surface in the next 30 - 90 days.
        
         | Aperocky wrote:
         | > this kind of behavior kills my desire to continue using your
         | products dead
         | 
         | Having already moved to firefox for over a year since quantum
         | came out, what are you waiting for?
        
         | wlesieutre wrote:
         | Chrome is a trivially easy product to switch off of compared to
         | other Google properties like Gmail and YouTube. Have you tried
         | Firefox recently?
        
           | 29athrowaway wrote:
           | I have a firewall appliance at home.
           | 
           | One day I noticed that some of the stuff I blacklisted
           | (mostly ads) started showing up again.
           | 
           | Why? Firefox's new DNS over HTTPS was bypassing all my
           | firewall DNS rules.
        
           | eloff wrote:
           | I switched when Google killed off ublock origin in Chrome.
           | Firefox is quite nice these days. I just use chrome for
           | development because I'm more familiar with their dev tools.
           | 
           | I will very occasionally find a site that's broken in Firefox
           | and works in Chrome though.
        
             | gowld wrote:
             | uBlock Origin isn't killed. Some changes are proposed,
             | however.
        
             | morrbo wrote:
             | Check out Vivaldi, never looked back (chromium based so
             | same dev tools, though admittedly I do my dev in Edge these
             | days just to keep stuff separate)
        
           | minikites wrote:
           | I've been using Fastmail for more than a decade and I don't
           | know why someone would trust something as important as email
           | to a company like Google.
        
             | colejohnson66 wrote:
             | Because when it first was released, they were one of (if
             | not the only) (free) email providers to give _every_ user
             | over a gigabyte of storage. At the time, most email
             | providers only allowed mailboxes in the dozens of
             | _megabytes_ range.
             | 
             | Nowadays, everywhere gives you plenty of space, but for me
             | personally, it's just been the fact that I've been using it
             | for so long and switching is a hassle. I'm sure it's the
             | same for a lot of other people, and for the majority, they
             | probably also don't care enough.
        
               | nucleardog wrote:
               | Dozens of megabytes?
               | 
               | Pretty sure Hotmail (which at the time was like 20% of
               | all web traffic) was still offering a whopping 2MB of
               | space when Gmail launched. It was only after Gmail came
               | out that they started bumping the quota from where it had
               | been since the mid-90s.
               | 
               | Gmail was a HUGE deal. People were going nuts over the
               | invites.
        
             | Fezzik wrote:
             | I second the Fastmail vote. I have been a happy user for...
             | maybe 3 years now? A while at least. The web UI on mobile
             | and desktop is second-to-none (I love not having an app)
             | and the spam filtering is as good or better than gmail and
             | the other big players.
        
               | input_sh wrote:
               | My current yearly subscription to Fastmail was about to
               | expire today. Didn't think about it for a second before I
               | renewed it for the third year.
        
             | Icathian wrote:
             | I have fastmail bookmarked waiting for me to find some time
             | to switch over my gsuite admin and some cname redirects off
             | of Google's platform. It's definitely past time for me to
             | get a little less dependent on them.
        
             | FpUser wrote:
             | I am not sure why one would trust something as important as
             | email to any company. Register and use your own domain.
             | Then you are totally free in your choice and switching is
             | no problem.
        
             | t-writescode wrote:
             | Mailbox.org here. Happy customer so far.
        
           | freehunter wrote:
           | I've found the exact opposite to be true in my very specific
           | experience. Five years ago I used every Google product under
           | the sun, today the only Google product I use at all (even
           | search) is Chrome because it's the only one I haven't been
           | able to replace.
           | 
           | I try Firefox with a fresh install on nearly every major
           | release and I keep it installed as a secondary browser, but I
           | can never manage to use it as my daily browser. For whatever
           | reason, none of my company's (major tech company but not a
           | competitor to Mozilla in any way) internal web pages load in
           | Firefox. No error, no warning, nothing in the console, just
           | zero content. Blank page. I've tried it on two computers with
           | the same result and just nothing. No extensions installed,
           | nothing I've installed on my network or computer to block
           | anything. It just doesn't load anything.
           | 
           | On the other hand I keep Firefox installed because Chrome
           | refuses to load my dev environment with a self-signed
           | certificate. Firefox will let me click "I accept the risk"
           | but Chrome just refuses to load with a self-signed cert.
           | 
           | I'd love to use just one (preferably Firefox) but I guess the
           | web is still hard to get right.
        
             | Bedon292 wrote:
             | Assuming you are on a Windows domain, since they are able
             | to control your Chrome. Chrome uses all the built in
             | Windows settings. Have you checked for proxy settings in
             | internet options? Firefox I believe still uses standalone
             | settings, and will need to be configured manually.
             | 
             | Other thing they could be doing is adding certificates to
             | the Windows certificate store, that Firefox does not trust.
             | Though I expect you would see an error about invalid certs
             | in that case.
        
               | acomjean wrote:
               | When I worked at a company Firefox worked then didn't. I
               | think the web proxy needed to use the company installed
               | cert or some such weirdness:
               | 
               | https://security.stackexchange.com/questions/133254/how-
               | does...
        
             | heavyset_go wrote:
             | Try sending your company's internal sites a Chrome User-
             | Agent from Firefox. There are extensions that let you do
             | this.
        
             | bzb3 wrote:
             | You can bypass the Chrome dialog by typing "thisisunsafe"
             | in the error page.
        
               | tracker1 wrote:
               | Reminds me of the default admin password for an app I've
               | worked on... "You should change me."
        
               | freehunter wrote:
               | That's a stupidly hidden way to go about it.
        
               | dylz wrote:
               | IIRC, the intent is that no one should be doing this and
               | anyone doing it should be at least technical enough to
               | figure out what they're doing and be reminded that it's a
               | bad idea.
        
               | jschwartzi wrote:
               | On the other hand these stupid dialog tricks are why I
               | stopped using Chrome. I'm not an idiot and I know what
               | I'm doing. It's pretty arrogant to assume that I
               | shouldn't be visiting my router's configuration page just
               | because it uses a self-signed certificate. I don't care
               | to set up an X.509 infrastructure at my house, thank you.
               | Please stop mollycoddling me.
               | 
               | Firefox continues to do a good job of just letting me
               | visit the damn website after warning me.
        
               | dylz wrote:
               | I'm confused - Firefox and Chrome act completely
               | identically to a self signed cert for me. Both let me
               | click through after looking at the cert or expanding a
               | section. I have never been "blocked" by some hidden modal
               | unless the site chooses to be HSTS-enforcing, and in that
               | case Firefox does not allow a clickthrough either.
               | 
               | Both examples on latest current, taken right now:
               | 
               | Firefox: https://i.imgur.com/4VMjDZ4.png
               | 
               | Chrome: https://i.imgur.com/YosvXEu.png
               | 
               | For HSTS, both Firefox and Chrome act identically and do
               | not allow clickthrough: https://i.imgur.com/WPCTep1.png
        
               | maest wrote:
               | You're confused because you're not using Chrome on OSX: on
               | osx there's no "Proceed to <website>" option.
        
               | gowld wrote:
               | https://support.google.com/chrome/thread/23226743?hl=en
        
               | dylz wrote:
               | I'm now even more confused:
               | https://i.imgur.com/jl9agwG.png
        
               | necovek wrote:
               | Your router's self-signed cert can be imported into your
               | browser and trusted from thereon -- that will also stop
               | any potential attacks from someone pretending to be your
               | wifi ap nearby because I am pretty sure you are not
               | double-checking the cert fingerprint every time you visit
               | the router's admin interface. Provided you were not
               | MITMed once you added the cert in the first place :)
        
               | freehunter wrote:
               | And instead many people will just do a Google search for
               | "Chrome [insert error here]" and run the first command
               | they find, while people like me will say "okay I'll just
               | use Firefox where I can click past this warning".
        
               | dylz wrote:
               | For what it's worth I've always been able to click
               | straight through a self-signed cert on Chrome - in fact I
               | just did it right now to log in to something internal. I
               | am a nearly 50-50 split Firefox/Chrome user.
               | 
               | Are you sure you aren't sending HSTS headers that demand
               | the site be TLS in some way?
               | 
               | Also, have you considered the slightly-saner way of doing
               | it, which is making an internal self-signed CA, trusting
               | that internal CA, and then having it sign the rest of
               | your "self dev stuff" certs?
        
               | freehunter wrote:
               | If it was HSTS it wouldn't load in Firefox, would it?
        
               | dylz wrote:
               | If it was HSTS it would not load in both, with no button
               | to bypass.
               | 
               | If it was not HSTS you can click through a non-obvious
               | button in both.
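
The rule dylz describes in the comment above (a known HSTS host gets no bypass button, any other host gets a click-through) follows from RFC 6797. This is an added example, not part of the thread and not Chrome's or Firefox's code: a simplified model in which `HstsStore`, `tls_ok` and the hostnames are constructed for illustration, and browser preload lists are left out.

```python
import ipaddress
import time


def _is_ip(host):
    """IP literals can never be HSTS hosts (RFC 6797, section 8.1.1)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse_sts(header):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains), or None when the header must be
    ignored: missing or non-numeric max-age, or a repeated directive.
    """
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None
        seen[name] = value.strip().strip('"')
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None
    if seen.get("includesubdomains", "") != "":   # this directive takes no value
        return None
    return int(max_age), "includesubdomains" in seen


class HstsStore:
    """Hypothetical per-profile store of known HSTS hosts."""

    def __init__(self, clock=time.time):
        self._hosts = {}        # host -> (expiry timestamp, include_subdomains)
        self._clock = clock

    def note_response(self, host, sts_header, tls_ok):
        """Record a policy from a response; return True if the store changed.

        tls_ok is False when the connection had a certificate error. Such a
        response cannot set a policy, so a self-signed dev server cannot
        lock itself in by sending the header.
        """
        host = host.lower().rstrip(".")
        if not tls_ok or sts_header is None or _is_ip(host):
            return False
        policy = parse_sts(sts_header)
        if policy is None:
            return False
        max_age, include_sub = policy
        if max_age == 0:
            self._hosts.pop(host, None)      # max-age=0 deletes the policy
        else:
            self._hosts[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known_hsts_host(self, host):
        """Exact match, or a parent domain that set includeSubDomains."""
        host = host.lower().rstrip(".")
        if _is_ip(host):
            return False
        labels = host.split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def can_click_through(self, host):
        """On a certificate error, may the user be offered a bypass?"""
        return not self.is_known_hsts_host(host)


if __name__ == "__main__":
    store = HstsStore()
    # Constructed scenario: production site seen once over valid TLS.
    store.note_response("corp.example", "max-age=31536000; includeSubDomains", True)
    for name in ("router.home.example", "dev.corp.example"):
        verdict = "bypass offered" if store.can_click_through(name) else "hard fail"
        print(f"{name}: self-signed cert -> {verdict}")
```

A self-signed dev host under a domain whose production site once sent `includeSubDomains` over valid TLS hard-fails in this model, while an unrelated self-signed host such as a router page stays bypassable.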
        
               | freehunter wrote:
               | Well Chrome has no button and Firefox has a button, so...
        
               | Wowfunhappy wrote:
               | Yeah, I actually think these sorts of strategies are
               | clever. They're a way to protect normal users without
               | outright barring power users from doing as they wish.
               | 
               | macOS operates in a similar way. I really like how the
               | difficulty increases depending on the task:
               | 
               | * Want to allow one app through Gatekeeper? Instead of
               | double-clicking the app icon directly, right click it and
               | select "open".
               | 
               | * Want to turn off Gatekeeper for all apps? You need to
               | open the Terminal and execute a command.
               | 
               | * Want to turn off System Integrity Protection? You need
               | to reboot your computer into recovery mode and execute a
               | Terminal command there.
        
               | lostcolony wrote:
               | Except for those of us who are finding out about it only
               | via a Hacker News comment. As happened with this user,
               | who seems, you know, sufficiently a power user to need
               | that info. Even a "if you know this site to be safe,
               | please read this knowledge base article (link)" and
               | buried in that, amidst all the reasons you shouldn't use
               | untrusted certs, are the instructions.
        
               | londons_explore wrote:
               | If you keep up to date with commits on the chromium code
               | repo, you'd see them change it from time to time. For a
               | while it was 'youshallnotpass'.
               | 
               | You probably shouldn't be using an opensource project
               | without at least a cursory glance at the code anyway,
               | especially as a power user.
        
               | lostcolony wrote:
               | You're kidding right? You look at every commit of every
               | open source app you use, or that a closed source app is
               | built atop? For me, off the top of my head, that would
               | mean, yes, Chrome, Firefox, the Linux Kernel, Libre
               | Office, Android, VLC...probably plenty more that I am
               | unaware are open source, and that's not even considering
               | the dev tools to do my job. When would I actually have
               | time to have a life?
        
               | skykooler wrote:
               | Exactly. Reading the source of every program you used was
               | certainly possible back in the 80's when the FOSS
               | movement started; but nowadays, with every program being
               | millions of lines of code, it's implausible to get
               | through all that and still have time to actually _use_
               | the software.
        
               | lostcolony wrote:
               | Not to mention background updating. I don't even know
               | when Chrome has updated half the time, unless something
               | stops working.
        
               | makapuf wrote:
               | I'm not sure a cursory glance at the 25 million lines of
               | code will do much if you don't already know what to
               | search.
        
             | dewey wrote:
             | > No error, no warning, nothing in the console, just zero
             | content. Blank page.
             | 
             | Have you tried disabling the tracking protection, maybe
             | it's mistakenly blocking some JS?
        
           | arkades wrote:
           | I transitioned to FFox myself. I occasionally have to use
           | Chrome for work, and it's nothing I find myself missing. If
           | Chrome is messing up your day, it's really easy to cut it
           | out.
        
           | swiley wrote:
           | Firefox is actually a significantly better browser on
           | GNU/Linux. Chrome is pretty awful.
        
           | dleslie wrote:
           | The only Google product I still use is Android. I won't
           | switch to iOS, that's like cutting off your nose to spite
           | your face. Sadly, the FOSS alternatives do not support
           | Blackberry phones, and for physical reasons I _greatly_
           | prefer a real keyboard.
        
           | jtxx wrote:
           | ProtonMail has come a long way as a replacement for Gmail as
           | well. Suuuper happy with them, they're really responsive to
           | feature requests and support inquiries. I requested for an
           | iOS feature to choose browsers so I could open all links from
           | PM in Firefox. They had it implemented in a month or
           | something... it's a quick fix but that impressed me, hence me
           | shilling here. They recently added ProtonCalendar too.
        
             | spockz wrote:
             | Is there a provider that lets you send emails from free
             | format users on your domain? With catch all addresses the
             | mail goes into my other@domain account. I use a different
             | email address per site. Now with gmail if I want to reply
             | with that account I first need to create it as an alias. If
             | I want to reply from my phone it even needs to be a full
             | account. Is there any way to fix this? Short of using mutt
             | and write the from header myself?
        
               | pinkythepig wrote:
               | I can do this with fastmail, though fastmail is a
               | subscription (like $5/month? IIRC, mine auto renews every
               | 2 years so not sure). I have my primary email setup as
               | <firstname>@<lastname>.org. If you set your dns records
               | correctly with them, that allows you to use without any
               | ahead of time setup
               | <randomtag>@<firstname>.<lastname>.org. Setting a
               | different tag where I have <firstname> can be done
               | too, but you need to set those up individually.
               | 
               | Replying to emails, I can change <randomtag> to whatever
               | I want.
               | 
               | They also offer random domains that you can setup burners
               | under, though that does involve some ahead of time setup.
        
             | ZacharyPitts wrote:
             | I have happily paid for ProtonMail for the past couple of
             | years. I moved all my important email (i.e. anything
             | involving money) off of gmail.
        
               | abnercoimbre wrote:
               | ProtonMail user for years too. And non-tech people who
               | get my e-mail immediately like (and ask about) the
               | protonmail.com domain, which opens up an avenue to
               | discuss privacy and the upside of non-Google products.
        
               | cdurth wrote:
               | I as well. Gmail is now my spam account. Very happy with
               | ProtonMail.
        
             | Klonoar wrote:
             | I really wish they'd merge this, or implement it themselves
             | (I wrote it, full disclaimer):
             | 
             | https://github.com/ProtonMail/ios-mail/pull/16
             | 
             | As I understand it (and don't quote me on it) they're in
             | the middle of a refactor, so I guess I get it.
        
             | mtnGoat wrote:
             | I used protonmail for a week, but I got tired of waiting
             | hours and days for some emails to arrive. Some were so late
             | the verification links were no longer active. Ugh, if only
             | proton mail was up to par with Gmail.
        
               | vorpalhex wrote:
               | I had similar issues early on but have been happy with
               | Protonmail for the last year or so.
        
             | bcrosby95 wrote:
             | Switching email isn't nearly as friction-free as switching
             | your browser. Not only do you have to change your email in
             | every service you've registered for, you also need to
             | convince your friends and other contacts to use the new
             | email.
        
               | theshrike79 wrote:
               | It's a year-long project in the minimum:
               | 
               | 1: Start up new email (for me it was Fastmail) and
               | preferably get your own domain
               | 
               | 2: Forward all mail from gmail to your new account
               | 
               | 3: Create a rule that flags messages that are still
               | delivered to gmail, go through them at your leisure and
               | swap to the new address
        
               | kadoban wrote:
               | I'd stress the "get your own domain" part. This is a
               | _requirement_, or you're going to be going through the
               | same pain again in a few years.
               | 
               | Also, make sure you take backups of your old emails every
               | once in a while. Google Checkout should be able to
               | provide those.
        
               | thayne wrote:
               | getting your own domain might be fine for tech-savvy
               | people, but for the general population it isn't really an
               | option.
        
               | colejohnson66 wrote:
               | What's the risk of losing your domain from a forgotten
               | renewal?
        
               | littlestymaar wrote:
               | If your domain name provider is serious, almost none:
               | there's a transition period (a few weeks) between the
               | expiration date of your domain and when somebody else can
               | buy it again. So if you forget to renew it, your emails
               | stop working and you'll renew it really quickly ;).
               | 
               | Source: it happened to me last month (the provider being
               | OVH).
        
               | prox wrote:
               | I only work with a company whose team I can actually
               | call. I pay a bit more, but that direct access is great.
               | 
               | It's actually hard to lose a domain if you have a good
               | registrar. There is a 90 day quarantine period even if you
               | cross the renewal threshold. You can also domain lock,
               | which means you need to manually unlock a domain before
               | moving.
        
               | ashtonkem wrote:
               | If a domain is important to you, you should have it set
               | to autorenew.
        
               | rietta wrote:
               | I have all my domains on autorenew, probably many I
               | should have let lapse now, and some of which I have
               | regretted letting go of.
        
               | tracker1 wrote:
               | I feel your pain.. I accidentally let my main blog domain
               | go a long while ago when I decided to drop most of the
               | domains I was holding.
               | 
               | Beyond this, I've had a few pretty good ones over the
               | years... right now, I've got about 30 of them, and just
               | keep thinking I should let most of them go.
        
               | _-david-_ wrote:
               | I would assume most domain registrars send you reminder
               | emails as your expiration gets closer.
        
               | imhoguy wrote:
               | There is always a risk of losing an asset, that includes
               | hijacking. However to reduce forgetting of renewal there
               | is the recipe I have once read here on HN:
               | 
               | Renew your domain for 10 years now, and then every next
               | year do 1 year renewal. If you forget it then you still
               | have 9 years of buffer.
        
               | jacobr1 wrote:
               | I've used auto-renew ... but it turned out my biggest
               | risk was actually the expiration date on my credit cards
        
               | DelightOne wrote:
               | I loaded up credits at my registrar to last a couple
               | years because of this.
        
               | aGeekGoneMad wrote:
               | That's where something like PayPal is nice, your cards can
               | expire and be replaced without interruption to automatic
               | payments. And like the email problem, you don't have to
               | go around changing it every couple of years.
        
               | mrighele wrote:
               | Some registrars let you enable automatic renewal, so in
               | that case the only risk is to keep paying for a domain
               | that you forgot of.
        
               | trav4225 wrote:
               | How is credit card expiration handled? Or do you suggest
               | another payment method?
        
               | nucleardog wrote:
               | You'd probably have to really work at it.
               | 
               | Most registrars are going to send you multiple emails
               | leading up to the expiration, when it expires, and after
               | it expires reminding you it expired. You'd have to miss a
               | lot of emails.
               | 
               | And once it has expired, you have (depending on the TLD)
               | over a month of grace period where it's not available for
               | general registration where you can still renew it. You'd
               | have to miss the fact that all of your services were
               | offline for over a month.
        
               | dsanduleac wrote:
               | I recall seeing this recently on another HN post, where
               | they had set up a blanket forwarding rule from their
               | Gmail to another email account. Their Gmail later got
               | dinged but the forwarding rule continued to work.
        
               | pletnes wrote:
               | I did that years ago. The only downside is that every 2-3
               | years some email gets stuck in gmail's spam folder.
        
               | DavideNL wrote:
               | You don't have to switch overnight, i simply forwarded
               | all my incoming Gmail e-mails to my new account, and then
               | reply to all my Friends (etc.) from my NEW e-mail
               | address. That way they will all, eventually,
               | automagically update me in their address book. It worked
               | very well :)
        
               | RcouF1uZ4gsC wrote:
               | The most important change you can make for your email is
               | to own your own domain. Once you own your own domain,
               | changing providers is much easier since it is transparent
               | to the people that email you.
               | 
               | Even if you decide to keep Gmail, you should switch your
               | email to your own domain.
        
               | tracker1 wrote:
               | I know some will reject the idea.. but if Google is your
               | domain registrar, they'll do email forwarding without an
               | extra charge.
               | 
               | I've started using *@mydomain where the * is the
               | website/service I've registered for... doesn't help with my
               | existing stack though.
        
               | gumby wrote:
               | You can just do forwarding. I've run my own mail service
               | since the 80s, and when I need a google login to work
               | with someone I just create it and forward my mail. When
               | the project is over, just delete it. Easy-peasy.
               | 
               | Unless a client wants to use google docs I've never found
               | an account to add any value anyway. I don't use google
               | search much any more but when I do it works fine without
               | cookies.
               | 
               | And I try chrome occasionally (it's needed to use google
               | docs) but it uses too many resources to use as any kind
               | of default. It's also harder to enforce privacy with it.
        
               | tracker1 wrote:
               | I was referring to google hosting the mail service, so no
               | need to diy or pay for another server, and you don't need
               | to use gmail with it.
        
               | ThePowerOfFuet wrote:
               | Google Docs works fine in Firefox and Safari.
        
               | cpascal wrote:
               | One worry about tying your identity to your own domain,
               | is the security of your identity (aka your domain) hinges
               | on the security of your registrar. If a bad actor can
               | socially engineer their way into controlling your domain,
               | your entire identity is compromised.
               | 
               | Here's a blog post about this nightmare happening to
               | someone: https://medium.com/@N/how-i-lost-
               | my-50-000-twitter-username-...
        
               | ashtonkem wrote:
               | I agree that that would be catastrophic, but I'm not
               | convinced that using custom DNS changes my risk factor.
               | If someone took over <my name>@gmail.com, they could do
               | as much damage as they could by taking over <my name>@<my
               | domain>.
        
               | Roujo wrote:
               | Yes, but there's still an increase in the attack surface
               | - it's a lot harder to convince a registrar to turn over
               | gmail.com than <my domain>, for most values of <my
               | domain>. It's not a deal breaker, of course, but it's
               | something to consider when looking at the risk factor.
        
               | cpascal wrote:
               | If you use an email provider to host your domain's email
               | (e.g. Fastmail, GSuite, etc.), I believe you're actually
               | increasing your risk factor.
               | 
               | The security of your identity will depend on your
               | registrar, your DNS provider, and your email provider.
        
               | toohotatopic wrote:
               | So, which ones are the good registrars?
        
               | ztjio wrote:
               | Google is great for this because they will never actually
               | let anyone talk to a human in order to apply social
               | engineering techniques ;)
        
               | toohotatopic wrote:
               | But do you lose your domain if google bans your account?
               | 
               | The requirement is being able to switch email providers,
               | especially google, when they lock your account. You don't
               | secure your flow of email with a domain if that domain is
               | managed by google, too.
        
               | ztjio wrote:
               | So my statement was a total comedic effort not to be
               | taken seriously, I'd never suggest anyone use a company
               | on the basis of terrible customer support. That's what
               | the semi-colon parentheses at the end was meant to
               | signify.
               | 
               | To attempt to actually answer your question, I believe
               | the nature of the governance around registrars would
               | ensure you have recourse to transfer your domain in the
               | case that Google be Google. It might not be slick. I
               | don't know. But, it's unlikely they can override the
               | overarching policies for such things and continue being a
               | registrar.
        
               | wpietri wrote:
               | I've been happy with Joker and AWS Route 53. I've used
               | Joker for years and years; at the time they seemed sane
               | both technically and as a business, and that's how it
               | still feels. Route 53 is more recent, but it's been solid
               | and reliable for me. And it's been very nice to control
               | it declaratively with Terraform.
        
               | nucleardog wrote:
               | I generally trust the major cloud providers a bit more
               | than the companies focused on acting as a domain
               | registrar.
               | 
               | The domain registrars are generally a race to the bottom
               | and focused on "add-on" sales as most people are shopping
               | on price and that's going to reflect in the overall
               | quality of the things that most people don't really
               | notice like, y'know, security and validation.
               | 
               | You don't hear a lot of stories about Amazon/GCP/Azure
               | handing over someone's entire account based on a couple
               | digits of a credit card number and it would be a PR
               | nightmare if they did (hell, look at the flak they catch
               | just for the data that people leave public on their
               | services that ends up released... imagine if they
               | _handed_ it to someone). An active account with 2FA /etc
               | enabled and a secure recovery email is probably safe
               | enough for most people.
               | 
               | Spend the extra couple bucks to register through one of
               | those guys instead of JimbosDiscountDomains.
        
               | mythrwy wrote:
               | So use Google or Microsoft to register your domain?
               | 
               | Doesn't that bring us back to the same potential problem
               | though?
        
               | justinholt wrote:
               | I think the idea is to use their "enterprise", paid
               | offerings as opposed to relying on the "free" services
               | that Google or Microsoft offer.
        
               | cpascal wrote:
               | I use namecheap which has two-factor authentication,
               | domain locks, and support pins.
        
               | propogandist wrote:
               | Owning your domain and having control of a domain through
               | a trusted registrar is better than relying on the world's
               | largest advertising company to manage your digital
               | identity (email), which is offered as a free service,
               | that's subject to a catch-all ToS.
        
               | gowld wrote:
               | The article is literally about a user who was attacked
               | because Twitter, Facebook and GoDaddy have bad security,
               | while his Google account was safe.
        
               | propogandist wrote:
               | I've seen that article before. An isolated fail in 2014
               | by one vendor, primarily due to poor support processes,
               | is not a convincing argument to keep all digital
               | identities in Google's possession.
               | 
               | There's also the risk of Google shutting down your
               | account because you do something they don't like. This
               | will lead to a similar outcome and you won't have any
               | recourse.
        
               | morrbo wrote:
               | Have to respectfully disagree here...we tried protonmail
               | for ages and it wasn't good. Wrt feature adding, it sounds
               | like you got lucky but we ask for several features over
               | the course of a year - ranging from simple things such as
               | HTML signatures (that they fully support, they just hide
               | the button on their editor) to more enterprisey user
               | management 2fa enforcement style features and it just
               | didn't hold up in the slightest. No features got added
               | and we ended up going back to o365..for a personal email
               | it's ok though but I wouldn't tout them as responsive to
               | feature requests as this wasn't our experience at all. We
               | were a sma the on their visionary package if that makes a
               | difference.
        
               | ori_b wrote:
               | You can set up forwarding rules and switch gradually.
               | It's pretty much painless.
        
           | m-p-3 wrote:
           | I switched from Pushbullet to Join and one of the hurdles the
           | dev is having is that something regarding push messaging was
           | severely lacking in Firefox compared to Chrome, hence the
           | lack of an extension for it on Firefox.
        
             | sciurus wrote:
             | Do you know any more details about what's lacking?
        
           | Baeocystin wrote:
           | Sure, and I use it daily. But my frustration isn't about me
           | particularly, it's about Google's increasingly hostile
           | behavior. They're the 800-pound gorilla of the internet, and
           | the way they behave affects all of us.
        
         | ilrwbwrkhv wrote:
         | Switch to Firefox. It has gotten much better.
        
           | laumars wrote:
           | I'm absolutely loving Firefox at the moment.
           | 
           | I have temporary containers extension plus an extension to
           | manage google and Facebook containers and the whole thing has
           | become such a pleasurable experience. Combined with pihole it
           | feels like I'm reclaiming the web back again. Such a blissful
           | experience.
        
             | yellowapple wrote:
             | Yep, for me Multi-Account Containers and Tree Style Tabs
             | are both killer features. Being able to load the same page
             | with multiple accounts _within the same browser_ and
             | without losing everything after each session is a game
             | changer for all sorts of situations, as is being able to
             | keep dozens or even hundreds of tabs open without squeezing
             | and squishing them unreadably into the top of the window
             | like some kind of maniac.
        
           | yorwba wrote:
           | And there's also a Pushbullet add-on for Firefox:
           | https://addons.mozilla.org/en-US/firefox/addon/pushbullet/
           | 
           | Not sure whether the functionality is the same.
        
             | pmontra wrote:
             | Thanks for the link. So it's a subset of
             | kdeconnect/gsconnect for Linux/Android [1] [2] [3]. I'm
             | using it to share files and tabs from my phones / tablets
             | to my pc and vice versa. It does many other things including
             | sms from the pc. It works with any browser or with no
             | browser at all. There is no need for an extension.
             | 
             | I'm sure Apple has had that too for a long time and I saw
             | something like that from Microsoft a few days ago.
             | 
             | [1] https://play.google.com/store/apps/details?id=org.kde.k
             | decon...
             | 
             | [2] https://community.kde.org/KDEConnect
             | 
             | [3] https://extensions.gnome.org/extension/1319/gsconnect/
        
             | ilrwbwrkhv wrote:
             | Yup, exactly the same. That's what I use. The only thing
             | Chrome was better in the past was audio pitch correction in
             | sped up videos. Firefox recently fixed that so now for me
             | there is absolutely no need to use Chrome anymore.
        
           | syshum wrote:
           | While Firefox is better than Chrome...
           | 
           | Mozilla is becoming more and more Google-like as time
           | progresses, where a few years ago I would have believed it
           | would be unthinkable for Mozilla to do something like this to
           | an extension, today I am not so sure I would trust them
           | either
        
             | JTbane wrote:
             | Mozilla doesn't have the conflict of interest google does
             | with ads...
             | 
             | That alone makes me use Firefox over Chrome.
        
               | pbhjpbhj wrote:
               | Doesn't Mozilla get nearly all its money from Google;
               | I've assumed that actions by Mozilla have been coloured
               | by not wanting to ditch its multi-hundred-million dollar
               | benefactor.
               | 
               | Google has apparently paid Mitchell Baker personally
               | multiple millions of dollars too.
               | 
               | Seems Google know how to manage their risks.
               | 
               | Mozilla seem perhaps even more beholden to ad revenue
               | than Google.
        
               | msla wrote:
               | It does:
               | 
               | https://www.theverge.com/2018/5/7/17326184/firefox-ads-
               | spons...
        
               | bromonkey wrote:
               | Yep, the three clicks it takes to disable that really
               | drives me nuts.
        
             | strken wrote:
             | I agree to some extent, e.g. the pocket integration and
             | Mozilla burning cash on things that aren't related to
             | Firefox, but Chrome's decision to limit/break key
             | adblocking APIs across their whole ecosystem is much worse.
             | I'd be willing to ignore almost any number of removed
             | extensions to continue using a browser that's not owned by
             | a glorified adtech company.
        
               | skinnymuch wrote:
               | What do they burn cash on? They've mostly stopped Phone
               | stuff right? Is there other stuff?
        
               | strken wrote:
               | Some of the previous discussion when they had layoffs
               | earlier this year:
               | https://news.ycombinator.com/item?id=22057737
        
             | skinnymuch wrote:
             | Can you give a few examples of how Mozilla/Firefox have
             | changed?
             | 
             | We all know about FF Quantum. Yeah it sucks what happened.
             | Maybe there was an alternative, but anyone saying Firefox
             | should've just stuck to not being compatible with Chromium
             | extensions is kidding themselves on how badly that would've
             | continued hurting Firefox's market share. The XUL powered
             | extensions I'm sure were powerful so the outcry in certain
             | places was huge. Vocal minority.
             | 
             | The Pocket integration got lots of outcry which seemed
             | pretty silly to me. It's one product they own. Mozilla
             | doesn't have a ton of products. Yes that is Google like.
             | Much like any synergy or integrating is Google like. Which
             | is really just being a modern internet corporation. If this
             | is one of the reasons. Why would Mozilla of 5 years ago not
             | have done that vs the Mozilla of today and whenever they
             | did do it. 1-2 years ago I think?
        
               | tialaramex wrote:
               | Quantum wasn't even about Chrome compatibility. The XUL
               | extension mechanism was permanent technical debt loaded
               | onto the browser because of _how_ it exposed features,
               | basically welding things directly onto the browser's
               | guts, which on the one hand is super-convenient for
               | making radical changes in an extension and on the other
               | hand is a nightmare to maintain.
               | 
               | The analogy I've used is the Amiga operating system
               | design versus Unix when it comes to multi-core / multi-
               | processor versus multiprocessing. Amiga welds everything
               | to the hardware, the Unix design has a "system call"
               | mechanism cleanly separating your programs from the OS
               | and vice versa.
               | 
               | Because Unix has this relatively thick layer between the
               | OS kernel and the rest of the world, you can just pick up
               | your entire kernel, wrap it in a lock (in Linux this was
               | called the Big Kernel Lock in some BSDs it was Giant Lock
               | and other Unix systems gave it different names) and
               | you've got a multi-processor capable system. Linux did
               | this in about a year IIRC. For purely CPU bound software
               | this minimal work gets you 99.9% of the performance of a
               | custom built OS designed from the outset for multiple
               | processors. Subsequent work to get rid of the BKL further
               | improves performance on more sophisticated workloads, but
               | you're off to a great start.
               | 
               | Amiga couldn't do that, every part of their system could
               | interact with every other part as it liked, so if you
               | tried to just add one lock to protect things the
               | resulting system might randomly deadlock, maybe only on
               | systems with specific hardware or software combinations,
               | and you basically needed to reconsider everything from
               | the ground up.
               | 
               | You need a degree of abstraction like this, the Chromium-
               | style web extensions have it, the XUL extensions didn't,
               | adding it to the latter would have been years of work
               | only to deliberately be incompatible with both existing
               | software on Firefox AND everybody else, madness.
               | 
               | There are _definitely_ things we want in extensions. For
               | example Firefox has a copy of the Public Suffix List
               | baked inside it (all browsers should have this, in its
               | absence you'll get weird security behaviour around how
               | domains and sub-domains work) and I'd like to access
               | their copy from inside an extension to make it behave how
               | users expect. But obviously the extension _can_ just ship
               | its own copy of the PSL, and then keep that up-to-date it's
               | just a waste of resources.
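
The point above about an extension shipping its own copy of the Public Suffix List, as an added example (not code from the comment, from Firefox, or from any extension): it derives the registrable domain from PSL rules, including wildcard and exception rules, and compares the result with the naive "last two labels" guess. The rule list is a small constructed sample and all function names are assumptions.

```javascript
// Constructed sample: a few rules in the Public Suffix List's own syntax.
// An extension would bundle the full list from publicsuffix.org instead.
const PSL_SAMPLE = `
// plain rules
com
uk
co.uk
io
github.io
ck
// wildcard rule and its exception
*.ck
!www.ck
`;

// Parse list text into three lookup sets.
function parseRules(text) {
  const rules = { exact: new Set(), wildcard: new Set(), exception: new Set() };
  for (const raw of text.split("\n")) {
    const line = raw.trim().split(/\s+/)[0].toLowerCase();
    if (!line || line.startsWith("//")) continue;          // blank or comment
    if (line.startsWith("!")) rules.exception.add(line.slice(1));
    else if (line.startsWith("*.")) rules.wildcard.add(line.slice(2));
    else rules.exact.add(line);
  }
  return rules;
}

function normalize(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");         // drop trailing dot
}

// Return the public suffix of a hostname according to the parsed rules.
function publicSuffix(hostname, rules) {
  const labels = normalize(hostname).split(".");
  // Exception rules win over every other match: the suffix is the
  // exception rule with its leftmost label removed.
  for (let i = 0; i < labels.length; i++) {
    if (rules.exception.has(labels.slice(i).join("."))) {
      return labels.slice(i + 1).join(".");
    }
  }
  // Otherwise the longest matching rule wins, so scan longest-first.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    if (rules.exact.has(candidate) || (parent && rules.wildcard.has(parent))) {
      return candidate;
    }
  }
  return labels[labels.length - 1];                         // implicit "*" rule
}

// Registrable domain = public suffix plus one more label, or null when the
// hostname is itself a public suffix (nothing can be registered "at" it).
function registrableDomain(hostname, rules) {
  const host = normalize(hostname);
  const suffix = publicSuffix(host, rules);
  if (host === suffix) return null;
  const suffixLen = suffix.split(".").length;
  return host.split(".").slice(-(suffixLen + 1)).join(".");
}

// The shortcut that goes wrong: assume the site is the last two labels.
function naiveSite(hostname) {
  return normalize(hostname).split(".").slice(-2).join(".");
}

// Two hosts belong to the same site only if they share a registrable domain.
function sameSite(a, b, rules) {
  const ra = registrableDomain(a, rules);
  return ra !== null && ra === registrableDomain(b, rules);
}

const RULES = parseRules(PSL_SAMPLE);

for (const host of ["www.example.co.uk", "alice.github.io", "shop.foo.ck", "www.ck"]) {
  console.log(host, "| PSL:", registrableDomain(host, RULES), "| naive:", naiveSite(host));
}
```

With the naive rule, per-site state keyed on "co.uk" or "github.io" would be shared between unrelated owners; the PSL-based check keeps them apart.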
        
               | msla wrote:
               | First of all, they deliberately destroyed my bookmarks.
               | 
               | https://drewdevault.com/2017/12/16/Firefox-is-on-a-
               | slippery-...
               | 
               | > For a long time, it was just setting the default search
               | provider to Google in exchange for a beefy stipend.
               | Later, paid links in your new tab page were added. Then,
               | a proprietary service, Pocket, was bundled into the
               | browser - not as an addon, but a hardcoded feature. In
               | the past few days, we've discovered an advertisement in
               | the form of browser extension was sideloaded into user
               | browsers. Whoever is leading these decisions at Mozilla
               | needs to be stopped.
               | 
               | > Here's a breakdown of what happened a few days ago.
               | Mozilla and NBC Universal did a "collaboration" (read:
               | promotion) for the TV show Mr. Robot. It involved
               | sideloading a sketchy browser extension which will invert
               | text that matches a list of Mr. Robot-related keywords
               | like "fsociety", "robot", "undo", and "fuck", and does a
               | number of other things like adding an HTTP header to
               | certain sites you visit.
               | 
               | https://www.theverge.com/2018/5/7/17326184/firefox-ads-
               | spons...
               | 
               | > Mozilla's motto is "internet for people, not profit,"
               | however the realities of having to fund all of its
               | ventures are forcing the company into adopting one of the
               | web's less human-friendly aspects: sponsored content.
               | Having acquired read-it-later service Pocket last year,
               | Mozilla has been populating new tabs in Firefox with
               | Pocket reading suggestions -- and those are now going to
               | include links that an advertiser has paid for.
        
               | fwn wrote:
               | I'm not the previous commenter, but on Android Mozilla is
               | removing the ability to install extensions from third
               | parties (think GitHub, etc.) and will trim the only left
               | official extension store down to a few extensions. (I
               | think it's below 20 right now.)
               | 
               | An ecosystem where all extensions need to be channelled
               | through one central power broker is pretty much the main
               | requirement to allow them to do what Google is doing in
               | the linked Pushbullet case.
               | 
               | edit: this is all factual, sadly downvotes won't change
               | it.
        
               | input_sh wrote:
               | They've rebuilt their browser from scratch and are re-
               | adding the APIs. It makes total sense to prioritize the
               | most frequently used ones now and expand to the other
               | ones later on.
               | 
               | For me personally, Privacy Badger and uBlock Origin are
               | already there. I don't think I need a third one at all.
        
               | fwn wrote:
               | You're not challenging anything of what I wrote.
               | 
               | You seem to be more confident on their reestablishment of
               | the extension ecosystem but didn't explain how you
               | arrived at that conclusion.
        
               | mintplant wrote:
               | This is temporary while the Android team builds out and
               | stabilizes the add-on APIs supported in the new Firefox
               | for Android. Otherwise it'd be a total crapshoot whether
               | an add-on you tried to install worked or broke randomly
               | (potentially in gnarly ways).
        
               | fwn wrote:
               | If locking down on the extension ecosystem were only
               | temporary they could just defer the nearing downgrade of
               | their main line browser until their replacement is fully
               | functional.
               | 
               | But that's not what they do. Instead we do have a clear
               | announcement on a feature removal and a vague hint that
               | they might add it again in the future.
               | 
               | It's absolutely not sure that disabling non-store
               | extensions is only a temporary defect.
               | 
               | If you have evidence that suggests otherwise, feel free
               | to add it.
               | 
               | It does not help that their marketing language feels
               | designed to consistently avoid any meaning whatsoever.
        
               | mintplant wrote:
               | > If locking down on the extension ecosystem were only
               | temporary they could just defer the nearing downgrade of
               | their main line browser until their replacement is fully
               | functional.
               | 
               | The update is going ahead because the new Firefox for
               | Android is such a dramatic improvement along all other
               | axes, and because, from a development perspective, the
               | incarnation it's replacing is saddled with legacy and
               | technical debt. It never received most of the benefits
               | from Quantum, for example.
        
               | fwn wrote:
               | > The update is going ahead because Firefox Preview is
               | such a dramatic improvement along all other axes.
               | 
               | ...and even the extension axis, from a power-aware
               | Mozilla position. That's what makes it suspicious in the
               | first place.
               | 
               | A few years ago they had a bug that added seconds to
               | every page load that they didn't fix for half a year, but
               | once an update coincidentally consolidates power at
               | Mozilla it needs to be pushed for all its supposed
               | benefits and despite all its known drawbacks asap.
               | 
               | We wouldn't buy that if it were Google or Microsoft and
               | we shouldn't buy it in Mozilla's case either. ... If they
               | even announced that they plan to reopen the extension
               | system, which they (to my knowledge) did not.
               | 
               | Personally I don't notice any grave difference between
               | Firefox and preview. Apparently scrolling should be
               | different, but my mid-range phone scrolls just fine in
               | both apps.
        
               | mintplant wrote:
               | FWIW, killing XUL extensions wasn't even really about
               | Chromium compatibility. The changes in the Quantum
               | rearchitecting were going to break everything _anyway_;
               | the decision was made to move everything onto an add-on
               | system which wouldn't just break again and again with
               | every architectural change (which, yes, did have the
               | benefit of Chromium compatibility).
        
               | Merem wrote:
               | Being in a country that was the last holdout for Firefox
               | (majority usage) before it was also taken over by Chrome,
               | I know that several others as well as I have issues with
               | Mozilla. Personally, I've always used Firefox, without
               | exception, and stayed with XUL, rather than switch to
               | their new browser, as add-ons are the most important part
               | of a browser for me. I don't care if one is half a second
               | faster or not.
               | 
               | Not to mention that stuff like stupid redesigns of logos
               | as well as the Pocket issue made me basically lose all
               | trust in Mozilla. Privacy is a huge deal here after all.
               | Those who switched regularly complain about design issues
               | (apparently the desktop browser is becoming somewhat
               | "mobile-like") and most recently the address bar problem
               | which upset everyone except for one person who didn't
               | care about that. (Meanwhile, I'm happy with my address
               | bar being my address bar and my search bar (being just
               | right of it) being my search bar.[1]) If you would ask
               | the people still using Firefox here whether they would
               | recommend it...they would most likely say "no" but then
               | would go on that while it isn't good, the alternatives
               | aren't either.
               | 
               | So the question of change in direction (which is
               | obviously there) regarding Firefox begs the question
               | which people they are actually targeting? It's certainly
               | not your average Joe because Firefox will never be able
               | to out-Google Google. They are also annoying the more
               | advanced users who just want privacy as well as useful
               | things (add-ons, proper baked-in features etc) with their
               | shenanigans, so it can't be them either. The only people
               | I see actually celebrating new releases all the time
               | (regardless of negative changes) are the crowd on HN. So,
               | to me, it seems like they are targeting some kind of tech
               | bubble (no offense) while basically ignoring the users
               | out there. This is, of course, also reflected in them
               | continuously losing marketshare while all the back-
               | patting is happening.
               | 
               | [1] https://abload.de/img/address-search3hjh4.png
        
               | ocdtrekkie wrote:
               | DNS-over-HTTPS was the big one for me. Mozilla betrayed
               | us here. They've pushed something browsers shouldn't do
               | into the browser, and in my case, started to roll it out
               | to my browsers despite my network device being set to
               | block it.
               | 
               | They actually managed to implement a policy that respects
               | user choice and freedom less than Chrome, which only
               | implements DoH if your set DNS provider supports it.
        
               | j_koreth wrote:
               | I don't think the Pocket was owned by Mozilla when they
               | announced their integration. Looking it up, it looks like
               | they bought it 2 years after the initial announcement so
               | I can see it being controversial.
        
             | MattGaiser wrote:
             | Have they done it or is it just an uneasy feeling?
        
             | the_jeremy wrote:
             | Who do you trust? Certainly not Chromium-Edge. That leaves
             | "only browse the internet on a Mac with Safari" or browsers
             | with such tiny market share that they'll never be tested
             | against, and sites will routinely be broken for you. My
             | company doesn't do any non-Chrome compatibility testing, so
             | all our intranet sites require Chrome.
        
               | SahAssar wrote:
               | Why not firefox?
        
               | colejohnson66 wrote:
               | In the past, it used to be (at least for me) because of
               | Gecko. Websites didn't render the same as in WebKit.
        
               | SahAssar wrote:
               | Not sure when that was but I have no rendering issues
               | with firefox. As a webdev I can say that FF's rendering
               | these days is pretty much spot on.
        
               | derefr wrote:
               | > Who do you trust? Certainly not Chromium-Edge.
               | 
               | Why not? Chromium (= Blink, plus some other stuff like a
               | network request stack) development happens in the open,
               | just like WebKit development. It might be steered by
               | Google to such an extent that there's always the
               | possibility of it going in a bad direction; but it's not
               | like you're not going to hear about it if something
               | privacy-violating is introduced into the Chromium
               | codebase (rather than the downstream Chrome codebase.)
               | And you can switch away from the browsers that use it
               | if/when that happens.
               | 
               | For that matter, if upstream Chromium ever _did_ start
               | "going bad", those browsers that rely upon it would also
               | likely switch away from it, either cooperatively forking
               | it into a new community-maintained project, or switching
               | over to WebKit (with which it is still mostly ABI-
               | compatible.)
               | 
               | > browsers with such tiny market share that they'll never
               | be tested against, and sites will routinely be broken for
               | you
               | 
               | Even if you don't want to use anything based on Blink,
               | WebKit is also a large ecosystem, and minor WebKit-based
               | browsers can "inherit compatibility" from developers
               | targeting (mostly Mobile) Safari. Several Linux browsers
               | (GNOME Web, Falkon, Midori) use WebKit, for example. They
               | render everything just fine (i.e. just like Safari does.)
        
               | wayneftw wrote:
               | I wanted to like Edge but...
               | 
               | > The browser also sends unique hardware identifiers to
               | Microsoft, which is a "strong and enduring identifier"
               | that cannot be easily changed or deleted.
               | 
               | https://www.bleepingcomputer.com/news/microsoft/research-
               | fin...
        
               | derefr wrote:
               | Oh, ah; I thought the above meant "why not Chromium
               | and/or Edge" rather than "why not the Chromium version of
               | Edge."
               | 
               | Yes, I can see why you'd avoid Edge specifically, same as
               | avoiding Chrome specifically.
               | 
               | But that's not an argument against using upstream
               | Chromium (which is, in fact, a browser all on its own,
               | standalone downloadable and shipping with several Linux
               | distros); or against other Blink/Chromium-based browsers
               | (e.g. Brave), no? Either choice would get you
               | compatibility with anything Chrome itself is compatible
               | with (in terms of websites; not _necessarily_ in terms of
               | extensions--though the difference is just in the legacy
               | Chrome extension APIs; WebExtensions work fine
               | everywhere.)
        
               | laumars wrote:
               | Plus any smaller browser is likely just another Chromium or
               | Blink fork. There is very little out there these days
               | that is truly independent.
        
         | graham_paul wrote:
         | elaborate on the ublock nerfing?
        
           | AaronFriel wrote:
           | Chrome's Extension v3 API will remove the ability for uBlock
           | Origin to filter web requests in code, instead the
           | application will have to submit a list of URLs to filter to
           | an internal API and this list has a maximum size and limits
           | the flexibility of the URL filtering.
           | 
           | See the uBlock Origin author's post:
           | https://github.com/uBlockOrigin/uBlock-
           | issues/issues/338#iss...
           | 
           | This is ironic, because uBlock implements an extremely
           | efficient filter and is even looking into using WASM to speed
           | it up even more. Google's public position is that
           | implementing functionality in JS or WASM is unacceptably
           | slow. They say "[Preventing or weakening ad blockers] is
           | absolutely not the goal. In fact, this change is meant to
           | give developers a way to create safer and more performant ad
           | blockers."[1]
           | 
           | Google's public position is also that WASM is "consistently
           | fast"[2], fast enough to rewrite Google Earth to target
           | it[3], and "It's entirely feasible to build a complex code-
           | base to run performantly in the browser using
           | WebAssembly"[4].
           | 
           | So which is it? Is the Web Request API being deprecated
           | because it's not possible to write performant code in
           | extensions using Chrome's powerful JS and WASM engine, or is
           | it possible but there might be some other, different reason
           | that they're blocking it?
           | 
           | [1] https://blog.chromium.org/2019/06/web-request-and-declarativ...
           | 
           | [2] https://developers.google.com/web/updates/2019/02/hotpath-wi...
           | 
           | [3] https://blog.chromium.org/2019/06/webassembly-brings-google-...
           | 
           | [4] https://developers.google.com/web/updates/2018/08/wasm-av1#f...
        
             | jaywalk wrote:
             | > In fact, this change is meant to give developers a way to
             | create safer and more performant ad blockers.
             | 
             | Imagine anyone actually believing Google is trying to
             | _help_ ad blockers. What a dumb thing for them to even say.
        
               | jonas21 wrote:
               | Why? When Apple made the exact same change in Safari,
               | they also gave these reasons, and everyone believed them.
        
               | danShumway wrote:
               | uBlock Origin is not available for Safari in its original
               | form. It only exists as a (somewhat neutered) fork that's
               | basically dead[0].
               | 
               | There's a disconnect in the sense that a lot of people
               | think that adblocking in Safari is fine, even though it
               | is pretty objectively less capable than Firefox/Chrome in
               | this area right now. There's no disconnect in saying that
               | Manifest v3 is going to hurt adblockers, because the same
               | changes in Safari also hurt adblockers, and (as of last
               | time I checked) Chrome's proposed changes go even farther
               | than Safari's did.
               | 
               | But in general, yes, you should already be avoiding
               | Safari today if you want to use the best adblockers on
               | the market. Safari suffers from the exact same problems,
               | that's why I use Firefox even when I'm on a Mac --
               | because the adblockers and security extensions for
               | Firefox are just a lot better.
               | 
               | https://github.com/el1t/uBlock-Safari/issues/158
        
               | mkl wrote:
               | Apple doesn't make their money selling ads.
        
               | deckard1 wrote:
               | These days Google's core value appears to be a Kafkaesque
               | hypocrisy.
               | 
               | They promote efficient websites to increase ranking with
               | their search algorithm, while operating ad services that
               | bog websites down. Not to mention the whole AMP business
               | where they looked at Facebook and developed a severe case
               | of walled garden envy after previously being a champion
               | of open web standards.
        
         | cft wrote:
         | I switched to Firefox because of Google banning Bypass Paywalls
         | extension that is available as a Firefox add-on. When I was
         | building my bootstrapped company, Google really taunted us with
         | emails like this, when our AdSense monthly earnings reached
         | $10,000 and were my only source of income. We had 20 million
         | user profile pages, and they were saying that something is
         | wrong with some of them, without saying what, forcing us to
         | "review" them all. We built sophisticated ML content filters,
         | to receive more unspecified warnings and get the account shut
         | down. I managed to reinstate the account, but it left a very
         | evil taste. I am in the process of degoogling, using Bing as
         | the default in Firefox.
        
         | the_af wrote:
         | > _The recent nerfing of ublock origin has already had me
         | feeling iffy on things._
         | 
         | What did they do to ublock origin? The single best Chrome
         | extension _ever_. If it stops working and I must suffer YouTube
         | ads again, it's bye bye Chrome.
        
           | AaronFriel wrote:
           | Context and receipts are here:
           | https://news.ycombinator.com/item?id=23170485
        
           | creato wrote:
           | If Youtube ads mean that much to you, why not just pay for
           | it? I'm all for ad blocking (I use ublock too) but if I
           | heavily use a site that offers me a way to pay a reasonable
           | price, I think it's the right thing to do. Uploaders with
           | monetized videos still get paid that way (and I don't want to
           | bother with Patreon etc, that doesn't nearly scale to
           | everyone I watch videos from).
        
           | input_sh wrote:
           | They're going down the Safari line of limiting the number of
           | rules an extension can use, significantly reducing the
           | efficiency of adblockers.
           | 
           | If it goes as planned, you won't see ads on YouTube for sure,
           | but there likely won't be enough space to add rules for less
           | mainstream ad networks and some of the specific sites you
           | visit.
        
           | pixelHD wrote:
           | I'm assuming this [0] is what the commenters are referring
           | to. Google is proposing changing web request api, which can
           | break how ublock origin works.
           | 
           | Also, this [1] happened.
           | 
           | [0]: https://www.xda-developers.com/google-chrome-manifest-v3-ad-...
           | [1]: https://github.com/uBlockOrigin/uBlock-issues/issues/745
        
           | [deleted]
        
           | [deleted]
        
         | icheishvili wrote:
         | I whole-heartedly agree and this is why I give money to AWS and
         | Azure and will not give any to GCP until the lack of transparency
         | and random product killings stop.
        
         | Shorel wrote:
         | So many people claim for change, but so few migrate to Firefox,
         | DuckDuckGo, or another alternative.
        
         | megablast wrote:
         | You should have stopped using chrome years ago. What will it
         | take for you to wake up?
        
           | Baeocystin wrote:
           | It's not about just me. I use a half-dozen different browsers
           | during my work day. It's how the provider of the world's
           | dominant browser is behaving, with ramifications that affect
           | all of us.
        
         | farooge wrote:
         | (old dude here) I knew this attitude was coming when i saw the
         | billboards recruiting PhD's back in 2008 (or so). I figured
         | they'd be completely infected by arrogant (but clever) twats
         | around 2015. i believe my guess proved to be true and it's been
         | getting worse ever since. also, the fact that their (organic)
         | search is so awesome also-also that they were allowed to buy
         | Waze, ffs, get out of my life!.
        
         | nikanj wrote:
         | Google is the new Microsoft. Using it is mandatory, liking it
         | is optional.
        
         | gumby wrote:
         | > I need functionality, of the type PushBullet has provided for
         | years, to do my work.
         | 
         | If you can use the Apple stack this functionality has been
         | built in for years and is pretty robust.
         | 
         | Just FYI as you say the functionality is _needed_ -- I know
         | this won't help if you can't switch to Apple
        
         | nicolasbistolfi wrote:
         | I've been using PushBullet for years. Great product! It's not
         | fair what big companies are doing to what it seems to be,
         | prioritizing their own features over third party well-built
         | products. It's abusive.
        
         | boredgamer2 wrote:
         | If you haven't switched to Firefox, you should! There were a
         | few things I didn't like at first, but after searching
         | StackOverflow and blog posts for how to change the settings, I
         | am now fairly happy!
        
       | crazygringo wrote:
       | I understand that with many spam-related heuristics, a company
       | like Google chooses not to share exactly why a site or e-mail
       | server is blacklisted -- because an actual spammer can evade that
       | metric and still get away with everything.
       | 
       | But I don't believe that thinking applies whatsoever to apps or
       | extensions. There are far fewer of them and parties need to work
       | together. It's unfathomable to me why Google doesn't point out
       | which specific permissions a reviewer has flagged as suspect, or
       | given an option for the developer to give the justification
       | specific to each option.
        
       | inopinatus wrote:
       | Counterpoint: there is a team within Google that got it right at
       | least once. We have live import/export integration with Google
       | Sheets and this requires additional OAuth scopes. The request for
       | justification they sent was polite, specific about the scopes of
       | concern (and why), and with no hard deadline. Our response was
       | handled politely and promptly.
       | 
       | I realise the GCP API team may not be dealing with as big of a
       | swamp as a consumer-facing apps group, but it was nevertheless
       | one of those few occasions when Google left me with an impression
       | other than overwhelming hubris. It was more like talking to AWS
       | service teams, or Cisco TAC when you have a CCIE on staff.
        
       | nikolay wrote:
       | Google are cutting the branch they are sitting on. I only use
       | Chrome because certain extensions are not available on Firefox.
       | During all these years, they've become impossible to deal with. I
       | open Chrome with 10 tabs and after a couple of hours it's using
       | gigabytes of RAM. From a thin client, it became the thickest
       | client in the visible universe. It's time to consider options...
       | not that there are many.
        
       | narrator wrote:
       | I can't wait till Google starts running contract tracing.
        
         | majewsky wrote:
         | Good news! They won't. They're only providing an API to give
         | everyone who needs to run contact tracing access to the
         | Bluetooth Beacon system.
         | 
         | EDIT: /me wonders what "contract tracing" is going to be
        
       | brazzy wrote:
       | > clipboardRead
       | 
       | I bet that this is it. Clipboard data is _extremely_ sensitive,
       | as it can often contain passwords.
        
       | softwarejosh wrote:
       | even mozilla is terrible in this regard, it's a losers game.
        
       | thorum wrote:
       | Does your browser extension really need to access localhost/* -
       | as in, port 80 on my local machine? That would make me very
       | uncomfortable about installing the extension.
       | 
       | Would it be possible to restrict the extension to accessing a
       | specific port or endpoint that is used by PushBullet?
        
         | raegis wrote:
         | Right, this suggests the app either (1) runs a web server on
         | the client device, or (2) wants to access a third party
         | webserver on the client device. I don't know if this is common.
         | Or maybe I don't know/understand why this is needed.
         | 
         | Also, isn't allowing access to the app's website the same as
         | allowing access to any website? Can't you just redirect?
        
           | shadowgovt wrote:
           | Redirects shouldn't compromise the CORS / XSRF security
           | model, which is the key item of concern from a Chrome
           | Extension standpoint. Like if pushbullet.com redirects to
           | foo.com, the crex is now looking at the foo.com page and its
           | permissions will apply accordingly.
        
             | lostinroutine wrote:
             | Maybe I'm naive but what if pushbullet.com was just running
             | a server-side fetch and returning the result? That would
             | bypass CORS, essentially acting as a proxy server.
        
               | wolfgang42 wrote:
               | Pushbullet doesn't need a Chrome extension to tell their
               | server to make a web request. But, their server doesn't
               | have your cookies, so there's no security concern.
        
               | shadowgovt wrote:
               | That's a great question, and it's not limited to Chrome
               | extensions.
               | 
               | In general, for any resources that don't require
               | credentials to access, pushbullet could hypothetically
               | serve them at like pushbullet.com/proxy/gmail.com/favicon
               | or something. But resources requiring credentials are
               | another thing entirely.
               | 
               | In general, the thing that prevents a third-party server
               | from MITM'ing your interactions with a target server is a
               | combination of domain names and SSL certificate. That
               | doesn't prevent a site from _trying_ to get you to let it
               | act as a MITM, but it prevents the site from acting as
               | the MITM while claiming it's something else.
               | 
               | As a concrete example, let's imagine pushbullet.com
               | wanted to act as MITM for your GMail account. If it has
               | your username and password, then ( _handwaving here;
               | GMail's authentication model is complex_) it could do
               | that; it could forge well-crafted requests that look like
               | they come from your browser, and get proper responses
               | back.
               | 
               | But if it doesn't have your username and password,
               | there's not a lot it can do. Your browser won't give
               | pushbullet.com cookies scoped to gmail.com, and if
               | pushbullet tries to ask you for your password, they can
               | only do so much to make it look like GMail's the one
               | asking (SSL certs make it hard for pushbullet to try and
               | forge a GMail front-page with a gmail.com domain). It can
               | still happen, but "user was tricked into ignoring the
               | domain name and gave their password to another service"
               | isn't something web security models can fix.
        
               | lostinroutine wrote:
               | Thanks for the explanation! I guess I was looking at it
               | more from the perspective of merely making requests
               | (without creds).
               | 
               | My understanding is that if an extension has a wildcard
               | 'https://*' origin listed in its manifest, then it can
               | make cookie-populated requests to any domain that matches
               | the wildcard. That's actually pretty scary from privacy
               | and security perspectives. But I suppose that's part of
               | the reason CWS has moderation in the first place.
        
         | Guzba wrote:
         | We use localhost to communicate with our desktop application
         | which is commonly installed alongside our extension by users.
         | 
         | An example of how we use this communication channel is
         | preventing both our extension and desktop apps from showing
         | notifications on the same computer. Our apps are all about
         | notifications so this would get unacceptable very fast. We ping
         | our local desktop app via localhost to see if it can manage the
         | notification, and show it with our extension if it isn't
         | running.
         | 
         | Maybe if we limit it to just the local port we use? Seems like
         | it can't hurt to try that too.
        
           | [deleted]
        
           | karlicoss wrote:
           | It might be a bit trickier, because if you hardcode the port
           | in the manifest, the user wouldn't be able to change it?
           | 
           | Might be better than nothing I guess, but on the long term
           | you'd need to add the port in settings and request the
           | permission for localhost+port dynamically? But that's got
           | another issue, e.g. last time I tried it [0] for my
           | extension, Firefox didn't support dynamic URL permissions for
           | URLs with ports.
           | 
           | [0] https://github.com/karlicoss/grasp/blob/f24378ebae68c22bea03...
        
           | paulirwin wrote:
           | I believe you're supposed to use Native Messaging for that:
           | https://developer.chrome.com/extensions/nativeMessaging
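
The Native Messaging route suggested above replaces the localhost listener with a stdio pipe: each message is UTF-8 JSON preceded by a 32-bit length in native byte order. The sketch below is an added example, not part of the thread and not Pushbullet's or Google's code; the message types (`claim_notification`, `claimed`) and the inbound size cap are assumptions made for illustration.

```javascript
// Added example: length-prefixed JSON framing as used by Chrome Native Messaging.
// Uses only globals (TextEncoder, DataView), so it runs in Node without imports.

// Native byte order of this machine, which is what the framing uses.
const HOST_LITTLE_ENDIAN = new Uint8Array(new Uint32Array([1]).buffer)[0] === 1;
const MAX_TO_BROWSER = 1024 * 1024;   // Chrome's cap on one host-to-browser message
const MAX_FROM_BROWSER = 1024 * 1024; // this example's own buffering cap (assumption)

const utf8Encoder = new TextEncoder();
const utf8Decoder = new TextDecoder('utf-8', { fatal: true });

// Serialize one message: 4-byte length header followed by the JSON body.
function encodeFrame(message) {
  const body = utf8Encoder.encode(JSON.stringify(message));
  if (body.length > MAX_TO_BROWSER) throw new RangeError('frame exceeds 1 MB');
  const frame = new Uint8Array(4 + body.length);
  new DataView(frame.buffer).setUint32(0, body.length, HOST_LITTLE_ENDIAN);
  frame.set(body, 4);
  return frame;
}

// Incremental decoder: stdin delivers arbitrary chunks, so a frame may arrive
// split across reads, or several frames may arrive in one read.
class FrameDecoder {
  constructor() { this.buffer = new Uint8Array(0); }

  push(chunk) {
    const joined = new Uint8Array(this.buffer.length + chunk.length);
    joined.set(this.buffer, 0);
    joined.set(chunk, this.buffer.length);
    this.buffer = joined;

    const messages = [];
    while (this.buffer.length >= 4) {
      const view = new DataView(this.buffer.buffer, this.buffer.byteOffset, this.buffer.byteLength);
      const length = view.getUint32(0, HOST_LITTLE_ENDIAN);
      // Refuse an absurd declared length instead of buffering without bound.
      if (length > MAX_FROM_BROWSER) throw new RangeError('declared length too large');
      if (this.buffer.length < 4 + length) break; // wait for the rest of the body
      messages.push(JSON.parse(utf8Decoder.decode(this.buffer.subarray(4, 4 + length))));
      this.buffer = this.buffer.subarray(4 + length);
    }
    return messages;
  }
}

// Hypothetical vocabulary for the "should the desktop app show this
// notification?" check that the thread describes doing over localhost.
function handleMessage(msg) {
  if (msg && msg.type === 'claim_notification' && typeof msg.id === 'string') {
    return { type: 'claimed', id: msg.id, by: 'desktop-app' };
  }
  return { type: 'error', reason: 'unsupported message' };
}

// A host process would call attach(process.stdin, process.stdout); the extension
// side talks to it with chrome.runtime.connectNative or sendNativeMessage.
function attach(input, output) {
  const frames = new FrameDecoder();
  input.on('data', (chunk) => {
    for (const msg of frames.push(chunk)) output.write(encodeFrame(handleMessage(msg)));
  });
}

// Constructed traffic: two frames back to back, with the first read cut
// inside the length header.
function roundTripDemo() {
  const a = encodeFrame({ type: 'claim_notification', id: 'n-1' });
  const b = encodeFrame({ type: 'ping' });
  const stream = new Uint8Array(a.length + b.length);
  stream.set(a, 0);
  stream.set(b, a.length);
  const frames = new FrameDecoder();
  const first = frames.push(stream.subarray(0, 3));
  const rest = frames.push(stream.subarray(3));
  return { first, replies: rest.map(handleMessage) };
}

console.log(JSON.stringify(roundTripDemo()));
```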
        
             | rosywoozlechan wrote:
             | This may well be what needs to change, but in any case the
             | message from Google should have been explicit about it
             | instead of the dev involved having to create a blog post,
             | hope it gets traction on HN and that someone here knows
             | what the problem is.
        
               | maartn wrote:
               | the docs are pretty explicit about it
        
               | nolok wrote:
               | Yes and no, I would be glad if Google in general could
               | get much much better at this but in this specific case
               | I'm sorry but http://* and localhost access is not a
               | hidden small thing.
        
           | VWWHFSfQ wrote:
           | You can probably get around this by setting up some DNS like
           | localhost.pushbullet.com -> 127.0.0.1. It's probably not in
           | the spirit of what they're asking for though, if it is indeed
           | the problem.
        
         | stingraycharles wrote:
         | This is a very good suggestion, and could very well be the root
         | cause of these rejections. It's a potential security
         | vulnerability that is triggering the violation.
         | 
         | I hope the author sees thorum's comment!
        
       | poopyKnoopers wrote:
       | Nah, dude. Fuck that localhost access. Sorry, but I wouldn't
       | install something that's running listeners on localhost:80 (or
       | any other port) just because they want to route data from a
       | browser extension to an installed program.
       | 
       | That's a pretty bootleg hack, to be quite honest.
       | 
       | Would you _dare_ touch my /etc/hosts mappings too?
       | 
       | Guess again, Mark Shuttleworth! You wouldn't ever even get
       | installed in the first place. You DON'T have root. Not anymore.
       | [0]
       | 
       | Google is correct to reject you. Localhost belongs to the
       | individual.
       | 
       | [0] http://security.stackexchange.com/questions/44512
        
       | Animats wrote:
       | It's inherent in what Pushbullet is doing that Google would not
       | like it. It aggregates user data from multiple sources, including
       | SMS, notifications, and chat, sends it to the Pushbullet servers,
       | and sends it back out again. Only Google is allowed to aggregate
       | data like that.
       | 
       |  _Fuhrer command! Suffer us to obey!_
        
       | fourzs wrote:
       | When I was sixteen years old I received the exact same email from
       | Google, and was then permanently banned from the chrome web
       | store.
        
       | gregsadetsky wrote:
       | I went through the same hell a year ago [0]. My extension [1] now
       | has 60k users (covid added 10k users in 1 month) and I'm also
       | afraid that any insignificant update would trigger this hell.
       | 
       | I'll contact PushBullet with a possible way forward (PB, if
       | you're reading this -- contact me). Anyone else in this
       | situation: my email is in my profile.
       | 
       | [0] https://news.ycombinator.com/item?id=20186915
       | 
       | [1] https://chrome.google.com/webstore/detail/dictation-for-gmai...
        
       | Kikawala wrote:
       | I've been using Pushbullet in FF and on my iOS devices for years,
       | but need to find a replacement as the app was removed[1] from the
       | App Store.
       | 
       | [1] https://www.reddit.com/r/PushBullet/comments/eirc1m/not_avai...
        
       | moxylush wrote:
       | You are the victim of an algorithm. No people and no
       | accountability, that's how they roll.
        
       | FriendlyNormie wrote:
       | Meanwhile the Honey extension is fearlessly purchased for 4
       | billion dollars. Something smells like shit here.
        
       | ggm wrote:
       | Don't they call this a "marketplace"? If so, the Regulator is the
       | FTC not the FCC.
       | 
       | If they walk like a duck and call it a duck then talk to the duck
       | hunting authority?
        
       | mgeyer wrote:
       | Wait can someone please simply explain to me what's going on here?
       | I'm new to this but I absolutely love it! and I paid for it too.
       | Why do all good things have to be taken away?
        
       | Arcsech wrote:
       | This kind of thing just keeps. Coming. Up. from Google and
       | between ML black boxes making arbitrary judgements and random
       | product shutdowns, a hard requirement for any personal projects
       | of mine is "no Google dependency", because it might vanish at any
       | time, with zero notice or recourse.
        
       | pkaye wrote:
       | What kind of people make these decisions at Google? Engineers? Or
       | did they automate everything with "machine learning"?
        
         | snazz wrote:
         | It's very automated, especially during the pandemic when many
         | of the content moderators can't go to work.
        
       | cirwin wrote:
       | We went through the same problem at Superhuman (and as I write
       | our latest extension update has been pending review for 2 weeks,
       | so maybe we're about to hit it again).
       | 
       | Simeon on the mailing list was quite re-assuring, and I would
       | recommend reaching out to him, though there are limits to what he
       | can help with.
       | 
       | That said we found that the review process is quite arbitrary,
       | resubmitting may work simply because you get a different
       | reviewer. (We've seen identical copies of the extension with
       | different version numbers where one was approved and one
       | rejected).
       | 
       | We've also observed that they use some kind of automated code-
       | analysis to tell whether or not you're making use of the
       | permission; so you may want to check that it's obvious from the
       | code included in the extension bundle that you need the
       | permissions you're asking for.
       | 
       | We've also hypothesized that they apply different standards to
       | extensions depending on the number of users - our staging
       | extension (~50 users) usually gets approved quickly, but our
       | production extension usually takes a while and is less likely to
       | be approved. (This may just be luck of the draw coupled with
       | arbitrariness though)
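
A pre-submission self-check for the two things the thread keeps returning to: broad host access (`http://*`, `https://*`, `localhost`) and permissions the bundled code never visibly uses. This is an added example, not part of the thread and not the Web Store's actual analysis; the manifest, the source snippets, the `example.test` host and the port are constructed, and the usage check is a text heuristic.

```javascript
// Added example: audit a WebExtension manifest before submitting it for review.

// Constructed sample input; not any real extension's manifest or code.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example notifier',
  permissions: [
    'notifications', 'clipboardRead', 'cookies', 'tabs',
    'http://*/*', 'https://*/*', 'http://localhost/*',
    'https://api.example.test/*',
  ],
};
const SAMPLE_SOURCES = {
  'background.js': `
    chrome.notifications.create('n1', { type: 'basic', title: 't', message: 'm', iconUrl: 'i.png' });
    fetch('http://localhost:12345/ping');
    fetch('https://api.example.test/v2/pushes');`,
  'popup.js': `document.execCommand('paste');`,
};

const HOST_PATTERN = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/;
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
// Permissions that do not correspond to a chrome.<name> namespace.
const NO_API_SURFACE = new Set(['activeTab', 'background', 'unlimitedStorage']);
// Permissions whose use is not spelled chrome.<permission> in code.
const EVIDENCE = new Map([
  ['clipboardRead', /execCommand\(\s*['"]paste['"]\s*\)|navigator\.clipboard\.read/],
  ['clipboardWrite', /execCommand\(\s*['"](copy|cut)['"]\s*\)|navigator\.clipboard\.write/],
  ['nativeMessaging', /chrome\.runtime\.(connectNative|sendNativeMessage)\b/],
]);

// Decide whether a permissions entry is an API name or a host match pattern,
// and how wide the host pattern is.
function classifyPermission(entry) {
  if (entry === '<all_urls>') return { kind: 'host', scope: 'all-hosts' };
  const m = HOST_PATTERN.exec(entry);
  if (!m) return { kind: 'api' };
  const host = m[2];
  if (host === '*') return { kind: 'host', scope: 'all-hosts' };
  if (LOOPBACK_HOSTS.has(host)) return { kind: 'host', scope: 'loopback' };
  return { kind: 'host', scope: host.startsWith('*.') ? 'subdomains' : 'single-host' };
}

// Heuristic: does the bundle's text contain a visible use of this permission?
function hasEvidence(permission, code) {
  const escaped = permission.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = EVIDENCE.get(permission) || new RegExp('\\bchrome\\.' + escaped + '\\b');
  return re.test(code);
}

// Origins the code actually names in string literals, as candidate narrow
// patterns. Ports are dropped because the patterns above carry none.
function observedOrigins(code) {
  const found = new Set();
  for (const m of code.matchAll(/['"`](https?:\/\/[^'"`\s]+)['"`]/g)) {
    try {
      const u = new URL(m[1]);
      found.add(`${u.protocol}//${u.hostname}/*`);
    } catch {
      // Not a parseable URL literal; ignore it.
    }
  }
  return [...found].sort();
}

function auditManifest(manifest, sources) {
  const code = Object.values(sources).join('\n');
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const report = {
    allHosts: [],          // grants access to every site, with the user's cookies
    loopback: [],          // grants access to services on the user's own machine
    unusedPermissions: [], // declared, but no visible use in the bundle
    observedOrigins: observedOrigins(code),
  };
  for (const entry of declared) {
    const c = classifyPermission(entry);
    if (c.kind === 'host') {
      if (c.scope === 'all-hosts') report.allHosts.push(entry);
      if (c.scope === 'loopback') report.loopback.push(entry);
    } else if (!NO_API_SURFACE.has(entry) && !hasEvidence(entry, code)) {
      report.unusedPermissions.push(entry);
    }
  }
  return report;
}

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
```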
        
         | sevencolors wrote:
         | Damn that sounds like crazymaking :(
         | 
         | Dunno why they can't be more explicit which part of the code is
         | the issue
        
       | binaryfour wrote:
       | This literally just happened to me today...
        
       | grwthckrmstr wrote:
       | Yikes! I've used PushBullet for several years and I can't
       | imagine not using it.
       | 
       | I can understand why Google is doing this though. They have a
       | "Send to device" feature in Chrome. Killing the top 3rd party app
       | is the perfect way to grow adoption of their new & in-built
       | feature.
       | 
       | "Do no evil"
        
         | philsnow wrote:
         | Neither here nor there but it was "Don't be evil", never "Do no
         | evil". The latter evokes the Hippocratic Oath and sounds
         | virtuous, but the former is a somewhat tongue-in-cheek
         | reference to the (at the time) megacorps they wanted Google to
         | not be like.
         | 
         | (Mind, they're arguably not complying with the "Don't be evil"
         | version _either_, especially lately.)
        
         | jerf wrote:
         | You know, at the _very least_ it would be nice to get something
         | a bit more direct, like, "We are no longer permitting
         | extensions that do X on our marketplace", or heck, even just a
         | "We're permanently rejecting this for unspecified reasons."
         | 
         | But if that's what you're doing, don't claim that the extension
         | is being rejected for "overbroad permissions". I understand
         | that Google may not literally come out and say "We've decided
         | to eat your extension's functionality and you can just burn."
         | But don't _lie_ about why it's being rejected... however much
         | you may wrap the result up in marketingspeak, don't actively
         | _lie_ about the reason for rejection, so that someone can burn
         | the candle at both ends for two weeks futilely trying to appease
         | the lying error message.
         | 
         | As for the fact it may not look that great no matter how much
         | marketing-speak it gets wrapped up in for Google to just eat
         | some functionality and kill all competition... yeah, well, suck
         | it up Google. Don't _lie_ about it. I mean, you can always spin
         | it as security security blah blah security if nothing else,
         | which ought to be enough of a fig leaf.
        
           | TheAdamAndChe wrote:
           | Outright admitting this may cause issues with antitrust laws.
        
       | geza wrote:
       | I got the same notification yesterday morning for my own open-
       | source extension HabitLab ( https://habitlab.stanford.edu/ ) -
       | same vague request for "you're not using the minimal set of
       | permissions" without mentioning what permissions they want me to
       | stop using (HabitLab is already using the minimal set of
       | permissions for the features it implements - any removal of
       | permissions would have to be done at the expense of reduced
       | functionality). Emailing just results in them sending me a link
       | to the policy. So this is definitely not an isolated case.
        
       | BFatts wrote:
       | It says, in the email provided, exactly what must be done: Change
       | the required permissions - your scope is too broad.
        
       | extesy wrote:
       | I'm in the same boat. My open source chrome extension[1] has just
       | been taken down[2] after several years of no complaints because
       | it apparently violated content policies related to nudity and
       | pornography. Say what? Well, I guess you could view _any_ image
       | using my extension, including nudes. Isn't that the problem with
       | most other extensions which could be used on porn sites, like
       | editing cookies, etc? I've submitted it for re-review but I'm not
       | holding much hopes.
       | 
       | [1] https://github.com/extesy/hoverzoom
       | [2] https://github.com/extesy/hoverzoom/issues/512
        
         | __s wrote:
         | Only perverts use binoculars
        
       | ChrisMarshallNY wrote:
       | I am the proud recipient of _many_ Apple rejection notices from
       | the App Store (I have been releasing iOS apps since 2012). I have
       | not had an app pulled, but I have had many rejections to
       | submitted apps (the latest were received yesterday).
       | 
       | In all of the notices, Apple is usually quite explicit in what
       | the problem is, including attaching screengrabs, and they will
       | respond, if I ask them for further clarification.
        
         | victorvation wrote:
         | I've seen cases where Apple will actually decompile/debug your
         | app and point you the exact feature / method / line that they
         | find unacceptable. Despite all of my other complaints about iOS
         | ecosystem, they _do_ keep their App Store walled garden fairly
         | well tended.
        
           | hutzlibu wrote:
           | Out of curiosity, were those big name apps, or small ones? I
           | assume that level of service is reserved for more important
           | apps?
        
             | victorvation wrote:
             | Not a tiny app by any means, but we were definitely small
             | enough that we were surprised at the level of depth in
             | their analysis.
        
             | ChrisMarshallNY wrote:
             | Small ones. Most are free.
             | 
             | Over the years, I've had over twenty apps in the store, but
             | most are retired.
             | 
             | I'm down to seven: https://littlegreenviper.com/AppDocs/
        
             | ashtonkem wrote:
             | I had Apple point out that I hadn't yet added a TOS for a
             | trivia app I was making; they're very thorough.
        
         | filleduchaos wrote:
         | This is why I'm often amused when people gripe about the
         | $99/year membership fee for the Apple Developer Program.
        
           | Wowfunhappy wrote:
           | As someone who gripes about it: I think $99/year is a
           | perfectly reasonable fee in order to submit to the App Store.
           | I just don't think it should be the only way to run my own
           | code on my own phone (without jumping through the ridiculous
           | hoop of reinstalling an app every single week).
        
             | sushid wrote:
             | You just answered yourself. It's not the only way to run
             | your own code on your own phone. AFAIK that restriction is
             | to prevent jailbreakers from easily sideloading paid apps
             | as "their" apps on their phones.
        
               | Wowfunhappy wrote:
               | But it effectively is! There is no way for me to make
               | _anything_ useful if I have to connect my phone to a
               | computer and reinstall the app every seven days. If I
               | forget, the app suddenly won't open. If I go on vacation
               | without a computer, the app won't open. The seven day
               | thing is useful for testing and nothing more.
               | 
               | If the goal is to prevent piracy, well, as with other
               | forms of DRM, I as a paying customer don't appreciate
               | being treated as a thief. Dedicated pirates can and do
               | just buy stolen enterprise certs on the black market
               | anyway.
        
           | rosywoozlechan wrote:
           | Xcode is free, Interface Builder is free, all the
           | documentation for everything is free. I'm trying to get into
           | Windows development and don't use Apple devices, but I agree
           | $99 a year for everything Apple gives developers is not
           | expensive considering the value and the cost of these tools
           | on similar platforms.
        
             | benhurmarcel wrote:
             | They're "free" but you must buy Apple hardware to run them.
        
           | ChrisMarshallNY wrote:
           | I consider it a "token" amount, calculated to be just enough
           | to keep people that aren't actually serious about releasing
           | apps out.
           | 
           | They sure aren't looking at developer account fees to hold
           | their bottom line up.
           | 
           | It's low enough that I can easily keep two organizational
           | accounts going.
        
       | wegs wrote:
       | I just want to mention this is why I believe Google will never be
       | able to compete with AWS, or otherwise be credible in the B2B
       | space. You're relying on automated systems which can take down
       | your business on a whim, with no recourse.
       | 
       | Where I work uses Office 365, which is a horrible, horrible
       | technology compared to Google Suite, but I can't, in good faith,
       | argue for switching to Google. It's not a company I'd ever rely
       | on in a business setting.
        
       | MattGaiser wrote:
       | Any reason that Google doesn't give reasons and ways to comply?
       | 
       | I haven't ever had to deal with a Google person regarding Android
       | development, but when I built stuff for Blackberry (miss that
       | company), they always provided nice and detailed feedback.
       | Blackberry famously let legal influence design, so I would be
       | surprised if it was a cover your ass thing.
        
         | 29083011397778 wrote:
         | > Blackberry famously let legal influence design,
         | 
         | Do you have a source or link for this at all for further
         | reading? A quick search doesn't turn up anything, but it sounds
         | like a great read
        
           | MattGaiser wrote:
           | Famously might be too broad and a bias from my own
           | experience. I went to school in Ontario and knew a bunch of
           | Blackberry interns and employees and people generally know a
           | lot of absurd stories about RIM.
           | 
           | An intern who I went to school with told me about how legal
           | once chose the colors for a dashboard he worked on as they
           | did not want to seem to be copying some other company.
           | 
           | A co-op complained about them being in every meeting and
           | constantly shooting stuff down.
           | 
           | The one written reference to it I know about was in a 2011
           | open letter.
           | 
           | https://bgr.com/2011/06/30/open-letter-to-blackberry-
           | bosses-...
        
         | iaml wrote:
         | Most likely an automated system to prevent abuse. For a company
         | that takes pride in their machine learning they sure do have a
         | lot of false positives.
        
         | [deleted]
        
         | patwalls wrote:
         | Because they are attempting to automate all of it. This message
         | is generic and based on some analysis of the "manifest.json".
         | 
         | They have also _turned off_ all reviews in the Chrome Web
         | Store: https://news.ycombinator.com/item?id=22935092
        
           | gowld wrote:
           | Huh? They turned off reviews because a _worldwide pandemic_
           | eliminated their ability to maintain staff to moderate
           | reviews. That's the _opposite_ of "automating it".
        
             | patwalls wrote:
             | I'm not saying that's why they turned them off, just
             | another sign that Google is not investing
             | time/money/resources into the Chrome Web store.
        
       | pgrote wrote:
       | Is there a replacement for pushbullet?
       | 
       | Long time user of pushbullet since I like to be able to text from
       | the desktop. Google has released messages.google.com, which is a
       | nightmare to use among various desktops.
       | 
       | Microsoft released their Phone app, which disconnects so
       | frequently it is unusable.
       | 
       | I have no confidence Google will allow pushbullet back.
       | 
       | Is there a replacement that allows notifications and texts from
       | the desktop?
        
       | yawniek wrote:
       | I guess removing plaintext http and localhost should fix this.
        
         | Guzba wrote:
         | We never use plaintext http so that is a reasonable thing to
         | remove for our first-party domain (pushbullet.com).
         | 
         | We use localhost to communicate with our desktop application.
         | An example is preventing both our extension and desktop apps
         | from showing notifications on the same computer (our apps are
         | all about notifications so this would get unacceptable very
         | fast). Maybe if we limit it to just the local port we use?
         | Seems like it can't hurt to try that too.
        
           | frei wrote:
           | You could try that. Long term, it should also be possible to
           | route this communication through the internet, or use the
           | Chrome/Firefox/WebExtension NativeMessaging API [0][1].
           | 
           | 0. https://developer.chrome.com/apps/nativeMessaging.
           | 
           | 1. https://developer.mozilla.org/en-US/docs/Mozilla/Add-
           | ons/Web...
        
       | duncan_bayne wrote:
       | From a comment by Baeocystin:
       | 
       | "If you use our tools, we can kill your livelihood at any time
       | for any reason and tough shit if you want a why"
       | 
       | It has always been thus with proprietary tools and platforms.
       | 
       | Back in 2011 I switched careers from developing software on
       | proprietary stacks - at the time C# 4.0, Silverlight, and MS
       | Windows - to developing on open source stacks, starting with Ruby
       | on Rails and JavaScript.
       | 
       | It looks like the younger generation is busy rediscovering the
       | vulnerability and helplessness of such systems themselves.
       | 
       | A short time after I switched away from Silverlight, I found a
       | bug in the open source XML library my team was using. I then
       | submitted a PR to fix it, which was merged (with some revision
       | :)) after a few days. The experience was a revelation after the
       | combination of magic 8 ball and years-long wait times for non-
       | critical bug fixes on Visual Studio.
       | 
       | If you develop for Chrome, or the App Store, or Play Store, or
       | iOS (and increasingly MacOS these days), or Windows... don't
       | complain when the owners of those systems bite you in this
       | fashion.
        
       | dapids wrote:
       | The fact that this team realized so simply that they shouldn't be
       | reading data on every site the user visits while the extension is
       | installed is deserving of a vague response from google. Sad
       | really.
        
       | mehrdadn wrote:
       | My guess is 'cookies'. You really shouldn't need access to (say)
       | the user's Google cookies. I don't expect Google likes extensions
       | doing that without good reason.
        
       | typenil wrote:
       | Another reason to use Firefox.
        
       | tonystubblebine wrote:
       | I'd been in a similar issue on the Android store and found that
       | the best solution was to try to game whatever bot is flagging
       | you. Support was completely unable to provide clarity and getting
       | escalated by internal Google employees just led to more unhelpful
       | emails from higher levels of support.
       | 
       | I was positive that I was in compliance but I could also see that
       | a bot was flagging something. So I kept tweaking code and
       | resubmitting. Eventually what worked was taking the offending
       | code block and hiding it at the server level.
       | 
       | It's such a face palm. I literally call out to the server to run
       | some logic that should be completely safe to run in the app.
        
       | ridewinter wrote:
       | As the developer of an exposure notification app put on ice by
       | Apple-Google, it's due time to take back the freedom of the
       | internet that made it so powerful in the beginning.
       | 
       | Is there anything happening around an all-web app phone? Seems
       | like all the pieces are there..like native functionality in
       | JavaScript with certain extensions.
        
       | meraku wrote:
       | Another happy PushBullet user here. Extremely useful for
       | receiving text messages from my phone while on my laptop,
       | especially for web apps that insist on sending security codes
       | that way instead of TOTP.
       | 
       | This sort of behavior from Google really is infuriating. How they
       | can just decide to boot an app from the Chrome Store that is
       | installed by over a million users is mind-boggling.
       | 
       | It's a pity that Chrome doesn't allow extensions to be installed
       | from the new Edge store, like Microsoft allow Edge to install
       | extensions from the Chrome store. With both built on Chromium,
       | that could've potentially been a workaround (though you may want
       | to consider adding this extension to the Edge store anyway).
       | 
       | Hopefully someone from Google will see this and stop the madness
       | or be able to provide more details on exactly what needs to be
       | done, though I wouldn't bet on it.
        
         | driverdan wrote:
         | > It's a pity that Chrome doesn't allow extensions to be
         | installed from the new Edge store
         | 
         | Why would anyone want to do that? What's a real pity is that
         | they make every effort to block users from installing their own
         | extensions. App stores are terrible.
        
           | shadowgovt wrote:
           | How does Chrome prevent people from installing their own
           | extensions? Download-and-unpack still works fine, last I
           | checked.
        
           | Spivak wrote:
           | No, they make every effort to ensure that installing
           | extensions outside the store is annoying so that you can't
           | push your malware by just having users download and install
           | it. This kind of malware _plagued_ Firefox for years until
           | they made extension signing mandatory
        
         | kyriakos wrote:
         | I switched to Edge chromium when the first production release
         | came out and I am extremely happy. I use all my extensions
         | including uBlock Origin straight from chrome Web store and it
         | feels a bit snappier than chrome itself.
        
       | jyfzbj wrote:
       | This is concerning. Shouldn't Google's store have a dedicated
       | support rep for extensions above a certain threshold?
        
         | tbodt wrote:
         | https://twitter.com/dotproto
        
       | dathinab wrote:
       | I'm always surprised that such a in-transparent behavior is even
       | legal for the operator of a custom marked place (or whatever you
       | call it).
       | 
       | (I think the same about Google Play, the iOS App Store etc.)
        
       | jlevers wrote:
       | This happened to me, too. After emailing customer support several
       | times asking for clarification, and getting the same
       | uninformative answer every time, I decided to take down the
       | (free) extension (which had 20,000+ users) rather than risk
       | having my developer account deactivated for uploading a rejected
       | extension too many times.
       | 
       | I use Pushbullet every day, and would be gutted if it were killed
       | for such a ridiculous reason as this.
        
       | jaredandrews wrote:
       | Slightly related, Google is also tightening up Android 11
       | location permissions (with good reason). In this blog post[0]
       | they outline a process for getting approval that was supposed to
       | be underway by the start of May.
       | 
       | So far I have not been able to locate this form nor have I been
       | able to find any Android developers who have.
       | 
       | If anyone here knows where it is or what the deal is, please let
       | me know.
       | 
       | [0] https://android-developers.googleblog.com/2020/02/safer-
       | loca...
        
       | 51Cards wrote:
       | LONG term Pushbullet user here, big proponent of their services.
       | I use it on Firefox myself so this doesn't affect me personally
       | but still there are few services I will strongly advocate for.
       | Pushbullet is one of them. Google, if you're listening this is
       | going to make a lot of users very unhappy.
        
       | throw1234651234 wrote:
       | I just want to take this opportunity to complain about trying to
       | send a gmail email from a service account, which required us to
       | use G-Suite, and still doesn't work because it can't generate a
       | token.
        
       | geofft wrote:
       | Uh, yikes:
       | 
       | > _As I looked at the permissions and what our extension actually
       | needs to operate, I noticed a great opportunity to reduce our
       | permissions requests. We do not need to request access to data
       | on https://*/* and http://*/*. Instead, we can simply request data
       | access for https://*.pushbullet.com/*, http://*.pushbullet.com/*,
       | and http://localhost/*. This is a huge reduction in the private
       | data our extension could theoretically access. A big win!_
       | 
       | While I agree with the larger part about the lack of transparency
       | of what they want you to fix, this is an amazingly huge
       | oversight, and the fact that the extension review process got an
       | established, popular extension to go "Wait, we don't actually
       | need to request access to every website ever" is a point _in
       | favor_ of the review process - and, unfortunately, a (weak)
       | argument in favor of the review process taking the attitude that
       | they get lots of crap and don't have the time to explain to all
       | the authors of crap what they're doing wrong. How did the
       | extension ever ask for this _in the first place_?
       | 
       | Also why do you need http://localhost/? Is the extension running
       | a web server on localhost with native code? If so, can you use
       | the specific mechanism/permission for communicating with native
       | code via a subprocess (because it turns out running a web server
       | on localhost is very hard to do securely)? If not, what's it for?
       | 
       | I'm sympathetic to the broader argument here, but given the
       | provided information, all of this is consistent with an extension
       | that _should_ be kicked off the app store within 14 days.
        
       | factsaresacred wrote:
       | Have been through a similar experience.
       | 
       | Developing extensions for Google Chrome is a particular form of
       | masochism. They really don't seem to care. And things took a turn
       | for the worse last December when the approval process went from
       | hours to weeks.
       | 
       | Check out the Chrome Google group for a sample of the lost souls
       | who hitched their wagon to the Chrome platform and now cry
       | futilely into the abyss for support:
       | https://groups.google.com/a/chromium.org/forum/#!forum/chrom...
        
         | yorwba wrote:
         | This one looks particularly relevant:
         | https://groups.google.com/a/chromium.org/forum/#!topic/chrom...
         | 
         | It seems like all extension developers play the same game of
         | guess-and-check to find out which permissions they should
         | remove, and the unlucky ones get banned for trying too often.
        
           | thatguy0900 wrote:
           | When I read something like this I have to assume Google is
           | just trying to kill off extensions, it's such a glaringly
           | obvious problem there's no way any human has seen and okay'd
           | it with good intentions.
        
             | aaanotherhnfolk wrote:
             | I'm the person at $dayjob who has to chart a course through
             | the recent chrome web store changes and this is honestly my
             | conclusion too.
             | 
             | These extensions don't make any money at all for Google, in
             | fact some of them lose money for Google (privacy oriented
             | extensions, ironically.)
             | 
             | They are a security nightmare for Google, capable of side
             | channel browser attacks or direct abuse via a permission
             | (all_urls permission can read your emails to grandma.)
             | 
             | Google doesn't want extensions to exist, and they also
             | can't outright kill them without creating a new foothold
             | for their competitors in the browser wars. So we get this
             | intentionally masochistic process change. Jump this high or
             | we'll ban you. Now jump higher but with your eyes closed.
             | Okay, now backflip or you're banned. The extension
             | developers have absolutely no power to fight back.
        
       | devit wrote:
       | The fact that they were requesting https://*/* and http://*/*
       | (i.e. full control over all your accounts) without it being
       | absolutely necessary reflects terribly on them.
       | 
       | Still not clear why localhost (which can mean root access to the
       | local machine since it may have localhost-only services that
       | enable that) and cookies access is needed, also
       | http://*.pushbullet.com is unnecessary since they should always
       | use HTTPS.
       | 
       | If they had properly implemented the extension they may not have
       | this problem now.
        
         | jeromegv wrote:
         | Nobody is against enforcing better behaviors from developers,
         | the issue is that they are not telling anyone what those issues
         | are. I don't know why you can always count on someone to defend
         | a multi-billion corporation against small companies, is there
         | no empathy left?
        
         | gowld wrote:
         | Why doesn't Google notify all extension devs about these
         | issues, to get it fixed, instead of sending vague threats?
        
           | KCUOJJQJ wrote:
           | Does Google send this message to random developers ([1]) and
           | then look at the changes that developers make to get a list
           | of things that developers apparently think are not so good?
           | 
           | [1] https://en.wikipedia.org/wiki/Thirty-
           | Six_Stratagems#Stomp_th...
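
Added example, not part of any comment above and not Pushbullet's or Google's code: a small auditor for the manifest entries debated in geofft's and devit's comments (`https://*/*`, `http://*.pushbullet.com/*`, `http://localhost/*`) and the `cookies` permission mehrdadn guesses at. The manifests are constructed samples in which only the host patterns come from the thread; the finding names and the simplified match-pattern parsing are assumptions of this example.

```javascript
// Added example: flag the manifest permission entries discussed in the thread.
// Finding names and the simplified match-pattern parsing are this example's own.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);
const FLAGGED_APIS = new Map([["cookies", "API_COOKIES"]]);

// Returns a list of issues for a host match pattern, or null when the entry
// is not a host pattern at all (an API permission such as "tabs").
function classifyPattern(entry) {
  if (entry === "<all_urls>") return ["ALL_HOSTS", "PLAINTEXT_HTTP"];
  const m = /^(\*|[a-z]+):\/\/([^/]*)(\/.*)$/.exec(entry);
  if (!m) return null;
  const scheme = m[1];
  const host = m[2].replace(/:(\d+|\*)$/, ""); // drop an optional port
  const issues = [];
  if (host === "*") issues.push("ALL_HOSTS"); // every site the user visits
  if (LOOPBACK.has(host)) {
    issues.push("LOOPBACK"); // reaches services bound to the local machine
  } else if (scheme === "http" || scheme === "*") {
    issues.push("PLAINTEXT_HTTP"); // pattern also covers unencrypted origins
  }
  return issues;
}

// Walks both the MV2-style "permissions" list and MV3 "host_permissions".
function auditManifest(manifest) {
  const entries = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const findings = [];
  for (const entry of entries) {
    const issues = classifyPattern(entry);
    if (issues === null) {
      if (FLAGGED_APIS.has(entry)) {
        findings.push({ entry, issues: [FLAGGED_APIS.get(entry)] });
      }
    } else if (issues.length > 0) {
      findings.push({ entry, issues });
    }
  }
  return findings;
}

// Constructed sample manifests. Only the host patterns come from the thread;
// the API permissions listed are assumed for illustration.
const BROAD = {
  permissions: ["tabs", "cookies", "notifications", "https://*/*", "http://*/*"],
};
const NARROWED = {
  permissions: [
    "tabs", "notifications",
    "https://*.pushbullet.com/*", "http://*.pushbullet.com/*", "http://localhost/*",
  ],
};
const HTTPS_ONLY = { permissions: ["notifications", "https://*.pushbullet.com/*"] };

for (const [name, manifest] of Object.entries({ BROAD, NARROWED, HTTPS_ONLY })) {
  console.log(name, JSON.stringify(auditManifest(manifest)));
}
```

Running it over a manifest before each store submission shows which entries still grant all-site, plaintext or loopback access, which is the guess-and-check the thread describes done locally instead of against the review queue.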
        
       ___________________________________________________________________
       (page generated 2020-05-13 23:00 UTC)