[HN Gopher] Let's guess what Google requires in 14 days or they ...
___________________________________________________________________
Let's guess what Google requires in 14 days or they kill our extension

Author : cimnine
Score  : 948 points
Date   : 2020-05-13 16:51 UTC (6 hours ago)

(HTM) web link (blog.pushbullet.com)
(TXT) w3m dump (blog.pushbullet.com)

| bvandewalle wrote:
| If you are an engineer those types of stories should make you rethink your usage of Google Chrome. Chrome having so many users empowers them to implement those types of nonsensical policies.
|
| As said in other comments it is trivially easy to switch to Firefox (or any other browser you feel that fits your needs better).
| mtnGoat wrote:
| I know Google employees that have had their accounts on various Google Services shut down and they couldn't even get them back themselves. The place is very siloed, something needs to give because these nightmare scenarios keep happening over and over.
| Crazyontap wrote:
| This is a good extension but here is a cool hack I've discovered that lets you do this anywhere without any chrome extensions:
|
| - Create a new WhatsApp group called 'ping self' and add your friend to it.
|
| - Then kick your friend out from this group
|
| - Open web.whatsapp.com and now you can access your messages, files, photos across any device anywhere, anytime! (telegram also does this and allows files up to 1gb)
| jeromegv wrote:
| My issue is that whatsapp really compresses the photos. But decent workaround.
| djannzjkzxn wrote:
| For the more limited use case of "get a link from a desktop to my phone right now" I have really enjoyed using an extension on the desktop browser that pops up a QR code linking to the current tab. Then I just point my phone camera at the QR code on the monitor to open the link on my phone. I like this setup because it doesn't require any pre-configuration to link the desktop and the phone.
| Your friend sitting next to you can scan the QR code too.
|
| I'm not linking to any specific QR code extension because I haven't audited them for privacy but it's easy to find one that claims to generate the QR code locally.
| majewsky wrote:
| I use
|
|     wl-paste | qrencode -s 20 -o - | display -
|
| for this purpose. Shows the contents of the current Wayland clipboard as a QR code. For X11, replace `wl-paste` with `xsel -b`.
| jmiserez wrote:
| Oooh nice. Better yet, you can show that QR code directly in the terminal:
|
|     qrencode -t ansiutf8 google.com
|
| Looks identical. In WSL, you can use 'powershell.exe Get-Clipboard':
|
|     powershell.exe Get-Clipboard | qrencode -t ansiutf8
| Shounak wrote:
| I use Slack for this, using a chat window with myself.
| rampole wrote:
| What about SMS from desktop?
| calmchaos wrote:
| Those rejection emails are most likely sent by an AI. If you reply back and ask them to specify exactly what is wrong, you'll get the same generic email back. Ask again, and they'll send the same generic response without any details or comments written by a human. They simply can't specify the problem at all. That's how you know you are talking with an AI, not a human.
|
| The correct way to respond to those rejection emails is to ask for a "human being" (this is the keyword that works) to review the case. Also explain in the email why there isn't anything more you can do (if you have done every possible fix already).
|
| As a side note, when AI systems get more common, this will be a common nightmare for regular people. When an AI makes an incorrect decision regarding you, no-one can check the code why it happened because the code doesn't exist. All we may have are some weighted matrices and neural network data as a bunch of numbers.
| necovek wrote:
| I am pretty confident there is no AI involved, but just a regular deterministic code analysis tool that flags potential discrepancies between code and demanded permissions.
|
| We usually simply call those bots (there can be AI bots too, but there seems to be no indication that this is one).
| raybb wrote:
| This is awful. I'm going to send GCP support a message with the small hope that someone can flag it up to the right team.
| snazz wrote:
| GCP and the rest of Google are separated from each other similarly to how YouTube and Google are separated. Unfortunately, the odds of that technique working are very low.
| janee wrote:
| Ironic reading this today. Got locked out of an old gsuite we manage for someone on Monday because I typed the recovery mail wrong 3 times...omg what a crazy battle to follow their recovery process.
|
| Sent them sooo much proof, answers, cname changes, invoices, emails, etc etc, but still get the same canned response back.
|
| The weird thing is I never got a single notification on the recovery mail that unauthorized access was attempted and that the account got locked.
|
| Honestly I feel like such a dumb ass for making our company use gsuite now. I don't think I'll ever recommend a google product to anyone again.
| aendruk wrote:
| We had a similar interaction with the Chrome Web Store out of the blue. After a few maddening rounds of requests for clarification and nonsensical canned responses, I finally just gave up and accused them of gaslighting me. Our extension was restored the next day, of course with no explanation for the ordeal.
| daveidol wrote:
| Thanks for posting this publicly. I'm all for the general idea of reining in unnecessary data collection/prioritizing user privacy, but sometimes you just need certain features to make things work!
| Guzba wrote:
| Agreed.
| I really did see benefit to the changes I made that reduced our permissions requested based on the initial email we received from Google. When even that was rejected though, I kind of got slammed with a "well.... what do I do now?".
| gnicholas wrote:
| Consider yourself lucky that your extension wasn't pulled after 1 day. I received a 7-day notice on a Sunday and complied same-day. My extension was pulled the next day, and I received an email stating that 7 days had elapsed.
|
| I managed to get reinstated because I know people on Chrome's accessibility team who promote my extension, but even with that assistance it was still months before I could push a new version without going into purgatory.
|
| FWIW, I've had even more issues on Firefox. It's like they're in a competition with the App Store for "most opaque review process".
| OJFord wrote:
| I stopped using pushbullet because I realised its access made me a bit uncomfortable, but had I had the 'So, can we cut any of these permissions?' paragraph to read at the time, that may have reassured me. Nice to see it not only being investigated (even if it took Google's vague threat to spur it on) but positively so; seen as 'A big win!'.
| consultSKI wrote:
| Is that why universal cut & paste has been flakey? I am dropping all Google stuff. They recently killed my Alexa Skill on Android (Samsung S9). With everything google deleted or permissions denied on my phone, they still hijack the word "contact." Try saying, "Alexa launch Contact Ski Man." Still works with Alexa on iPhone, but how do you use a smartphone without back button? We have reached the point where it is time to throw the baby out with the dirty water. Say, "Hey FireFox!"
| throwawayext wrote:
| Different extension developer here. The Chrome Extension store ecosystem has become a nightmare for developers over the past year.
| Some items:
|
| - Extension review times have gone from 1 hour to a variable amount of time ranging from 1 minute to 3 weeks or longer (try to plan a release or spot fix an issue when you have no idea how long it will take for a deploy to reach users)
|
| - User reviews of extensions have been disabled (how are you supposed to build an audience or build up trust without reviews?)
|
| - Manifest v3 was announced (this was actually longer than a year ago) which will completely break many types of extensions. Over a year later, it is still on the horizon but the beta releases of it are buggy so it is hard to even try to adapt to it at this point.
|
| - Persistent extension related bugs in Chrome are not being fixed and new regressions are being introduced breaking previously working extensions (which you then need to rush out a fix for but good luck with that when the reviewers may take weeks to approve the update)
|
| - Chrome is exploring hiding extensions by default so they no longer will show up automatically by the omnibar when you install them (say hello to a huge amount of confused users who don't know where your extension went)
|
| I understand the Chrome team is trying to address a user trust and fraud issue with extensions and we are grateful for that. However, the Google extension team appears to be massively understaffed and are having huge issues managing and evolving the ecosystem.
| ThrustVectoring wrote:
| > Extension review times have gone from 1 hour to a variable amount of time ranging from 1 minute to 3 weeks or longer (try to plan a release or spot fix an issue when you have no idea how long it will take for a deploy to reach users)
|
| This is potentially a _huge_ security issue, because the natural way to "fix" the problem is to download and run arbitrary code as an end-run around the review process.
| _fat_santa wrote:
| Fellow extension developer here as well.
| I've been trying to get an update approved since February or March.
|
| Submitted an update in late February and decided to update my screenshots. Remove the screenshots and add new ones only for Google to tell me "you can't add screenshots while your app is in review", fine, add them later after the review.
|
| 3-4 weeks go by and I check the approval status. Status has been rejected because....no screenshots provided. I've since updated the screenshots and resubmitted for review. Currently still waiting on approval.
|
| I've been planning on doing a Product Hunt Launch but that's been put on hold until I can get an updated version in the chrome web store (the current version is very old and buggy). I've even looked into distribution outside the store but turns out chrome will no longer let you do that.
| xg15 wrote:
| > _Chrome is exploring hiding extensions by default so they no longer will show up automatically by the omnibar when you install them (say hello to a huge amount of confused users who don't know where your extension went)_
|
| Haven't heard about this change (more info at [1] for anyone interested) - wow! I really wonder if those are the first steps of the roadmap to get rid of extensions altogether.
|
| [1] https://www.theregister.co.uk/2020/04/07/chrome_hiding_exten...
| t0mas88 wrote:
| Chrome on Android already doesn't have extensions. That made me switch to Firefox on Android and within a week my laptop was also on Firefox because it's nice to have tab syncing etc between devices.
|
| If enough users do this I think Google will review their policy on extensions and specifically adblockers. Can't browse without one anymore after having used it for a while.
| iagovar wrote:
| Brave is also nice in Android, although I miss the FF extensions.
| dasm wrote:
| As a daily Pushbullet user, thank you for posting this!
| It's maddening that the best way to escalate a Google customer service issue is social media.
| renewiltord wrote:
| This is sad but they're just responding to market hysteria on permissions.
| luckylion wrote:
| The general idea of "please limit the permissions you request", maybe. The secrecy about what they don't like isn't part of that, that's just Google's preference for keeping things vague.
| danShumway wrote:
| > but they're just responding to market hysteria on permissions.
|
| And responding poorly.
|
| What the market wants is for companies to lay out understandable policies that protect their privacy. People I know want more clarity about what's happening in the extension store and on their devices, not less.
|
| As a consumer, it doesn't make me feel any better for Google to say in vague terms, "we booted off an app that doesn't respect your privacy." Okay, what was it doing? Are there other apps I should be concerned about? How bad did the app need to get before you booted it off? Are there exceptions to these standards? Are they being applied to internal apps as well?
|
| My feeling is that Google's inability to communicate with developers and users is its own problem; it's not the market's fault. Tech companies in general have had difficulty with customer support for a while, even before the media started picking up on privacy issues. Nothing has really changed, Google just happens to be notably bad at this.
| rurp wrote:
| I'm not mad about them increasing scrutiny on permissions, that seems fine. What sucks is Google giving a short deadline, no details, and zero response to the developer's repeated communication attempts; all with the threat of Google nuking every single Google resource tied to the developer if they step over some invisible line.
| sebastianconcpt wrote:
| _We at Pushbullet have received some bad news from Google.
| It appears our extension will be removed from the Chrome Web Store if we don't make required changes within 14 days. Not good! The bigger problem? Google hasn't told us what those required changes are. The Pushbullet Chrome extension has been on the Chrome Web store for over 6 years, currently has over 1,000,000 users, and has a 4.5 star average rating._
| boomboomsubban wrote:
| Does chrome already offer features like PushBullet? Firefox somewhat does with Pocket, so I assume chrome has something similar.
|
| If they do offer something of the sort, or start to shortly, this seems like a perfect antitrust case.
| beastman82 wrote:
| Zero chance this will happen without a much bigger party involved
| pkilgore wrote:
| Under the Clayton Act, the Sherman Act, or both? Is this a legal realism commentary on the comparative cost-benefit of civil antitrust litigation in modern America?
|
| Or are you just pretending you know things to feel good on the internet.
| deepender99 wrote:
| yes they offer https://messages.google.com/
| therealmarv wrote:
| Robots are in control here, follow their rules and get your accounts permanently deleted if you don't understand the robots' rules and mindset...
| komali2 wrote:
| > This may also result in the suspension of related Google services associated with your Google account.
|
| Get all your emails off gmail ASAP, pushbullet developers. It may be more than your extension that gets nuked.
| Wowfunhappy wrote:
| > The other opportunity is the tabs permission. This permission lets extensions see what tabs are open. Pushbullet uses this permission to avoid opening new tabs for websites that are already open when mirrored notifications are clicked. This is a small sacrifice to make to let go of a big permission. Let's let it go!
|
| No, that "small sacrifice" sounds super annoying! I don't use Pushbullet, but if I did and this got removed in an update, I'd be pissed off!
| At least leave it behind an optional checkbox.
| Guzba wrote:
| Thanks for the feedback here. It strikes me as a little crazy I may be infuriating you with a change and never even know if that was something I had to do?
|
| An optional permission seems 100% reasonable.
| Wowfunhappy wrote:
| > It strikes me as a little crazy I may be infuriating you with a change and never even know if that was something I had to do?
|
| Oh, for sure! Just to be clear, I didn't intend my comment as a criticism.
|
| It's nuts that you, as the developer, actually went so far as to remove features in your first pass, and Google still rejected that attempt without additional instruction.
| madrox wrote:
| Stuff like this makes me wonder why Chrome's security model allows things if it can be scanned and deemed unsafe. Isn't it preferable to bake such restrictions into the extension API if Google didn't want PushBullet to go beyond it? Why does this need to be enforced by an app store?
| imhoguy wrote:
| 2020 and our browser privacy handling is like MS-DOS.
|
| Why the hell I can't disable all extensions when I enter my bank account or insurance page? As far as I know Firefox containers are close but still no fine grained control over extensions.
| sming wrote:
| the corporate gorilla beats its chest, demanding you comply!
|
| But with what, it does not say ¯\_(ツ)_/¯
| crankylinuxuser wrote:
| The answer is to run a campaign to work with Firefox and Safari only, and convert all users to either platform.
|
| Seriously, fuck google. I'm just done with them.
| [deleted]
| ajhurliman wrote:
| I had a friend who went through a similar, onerous process with Google which ended up killing his entire chrome extension (which had 400,000+ MAU). This iron-fisted control of the extension marketplace is not becoming to Google.
| saltedonion wrote:
| I too have deGoogled as much as I can, but I'm hesitant to jump on the hate wagon for this one.
|
| Consider the counterfactual - what if google was highly specific about the changes required? Clarifying the boundaries of what's allowed is prone to abuse. This is the same reason why the search algorithms are not explicitly published, but only the spirit is explained.
|
| I would say this is the best solution when there are no perfect solutions.
|
| Perhaps the 14 day period could be longer, but that's another point of contention.
| seanwilson wrote:
| For people focusing their comments on this particular extension + the permissions it asks for, please take a quick look at the numerous recent posts in the official forum for Chrome extension developers to see it's not an isolated issue:
|
| https://groups.google.com/a/chromium.org/forum/#!forum/chrom...
|
| It's a systematic issue that isn't specific to anything Pushbullet is doing and it's been like this before the pandemic:
|
| - Reviews can take up to 3 weeks. This alone would be crazy enough if you have an urgent bug to fix.
|
| - Rejection emails are vague and don't tell you what to fix.
|
| - After you guess at what to fix, you've then got to join the up to 3 weeks review queue again.
|
| - If you try too many times, your extension gets pulled.
|
| - On top of this, they've recently disabled new Chrome Web Store paid items, and user reviews.
|
| Can anyone from Google escalate this and help extension developers? I can't speak for everyone but there's lots of complaints in the forum and little action beyond "we hear you and are looking to improve things".
| dilandau wrote:
| >We hear you and are eagerly looking to improve things.
|
| Joking aside, isn't this just what people should come to expect from the company that has always tried to normalize the "no support and no service" model?
|
| If these antics start causing GOOG to lose share in the browser market then they may review these policies, but I highly doubt it.
| At the end of the day GOOG is an ad company and publicly-traded at that. They have a bottom-line and a lot of shareholders watching it.
|
| Support channels/forums are probably not the way to go, in other words. Stop using their browser, stop using their search. That's probably the only way they will be incentivized to change.
| popup21 wrote:
| Chrome extension developers should start hosting them on Github.
|
| I use a flavor of Chrome called Ungoogled Chrome (https://ungoogled-software.github.io/) and the only way to install plugins is to manually install the CRX file.
| deepender99 wrote:
| Well this is my favorite Extension, If Google kills it then how will users gets its pushbullet chat data back.
| tiborsaas wrote:
| What's more is that chat history is broken, I can't see tons of messages on the web interface.
|
| You can still access some on the web.
|
| But your best option is to do a GDPR request to export you all your data.
| AlphaWeaver wrote:
| I'm also an extension developer, and Google has done this to me a few times too. We request permissions specifically for what we need, and our extension is unlisted and can only be installed from our website.
|
| Google is a bully, and they use their size and the threat of permanently removing access to your Google Account (and family photos) to terrorize small players without cause.
|
| How many people would Google need to hire to provide email support for extension review for extensions above a certain size? It can't be a huge dent in their budget.
| blihp wrote:
| Not going to happen. This is an issue people have been raising for at least the better part of a decade... don't expect anything to change now.
|
| A more productive approach would be to focus on web browsers that allow you to do what you need to and let Google fix what they need to encourage you back.
| I know, most extension developers will say 'we can't do that because it's where the users/customers/whoever are'. But as long as you encourage their bad behavior by supporting the platform, expect the bad behavior to continue since it's not hurting _Google_. As a result, it's just a cost of doing business on Google's platform which is unlikely to change for the better.
| AlphaWeaver wrote:
| Are you making a good faith suggestion that it's possible to build a business around a browser extension and not support Google Chrome?
|
| They have something like 70% market share dude...
| qznc wrote:
| I believe the suggestion is to incorporate this "bully risk" in your business plan. Some business models might not be profitable anymore if you do this. Others just need additional diversification or more risk capital.
| patwalls wrote:
| Chrome extension developer here.
|
| Google ripped my Chrome extension off the app store about a month ago.
|
| I got a similar cryptic message, and then I scrambled to fix it, like you're doing now. Somehow my extension reappeared the next day.
|
| Email me pat [at] trypigeon [dot] co and I can send you some of the things I did that maybe have helped.
|
| Tweeting my support as well: https://twitter.com/thepatwalls/status/1260638967793242113
| amasad wrote:
| I had a similar experience but it wasn't important to me and I let it go despite being a growing extension with 10s of thousands of users and lots of good reviews.
| WrtCdEvrydy wrote:
| I have written about this recently on the Android side.
|
| https://medium.com/@lazherrera/that-one-time-google-made-it-...
|
| If you use any of the words related to the COVID-19 pandemic, they will pull your app, suspend you and ding your account.
| cwhiz wrote:
| Google has effectively created a private monopoly on any Android applications related to Covid-19.
| And the last time this sort of information was posted to HN the comments section was a race to see who could do the best apology for Google.
|
| This policy by Google is hurting people and businesses.
|
| Meanwhile, Apple has a similar policy but all they do is just take extra care when reviewing your app. I suggest you port your app to iOS and submit it to the App Store. Apple will accept it and approve it.
| donatzsky wrote:
| "Sign in to view this draft" :/
|
| Seems like you hit the wrong button or something, when trying to publish it.
| nullc wrote:
| I tried to follow your link but just get prompted to make a medium account.
| nsgf wrote:
| > trypigeon [dot] co
|
| Unrelated, but you got multiple ids with value 'feature-1' on your landing page.
| jonny_eh wrote:
| > Email me pat [at] trypigeon [dot] co and I can send you some of the things I did that maybe have helped.
|
| Please post here so everyone else can learn too.
| celticninja wrote:
| I assume GP is trying not to help those the automated system intends to catch
| komali2 wrote:
| That's a lot of good faith you're giving these automated systems...
| tomsmeding wrote:
| Or, of course, said poster would like the maintainers of the automated system not to realise the workarounds for their system. :)
| patwalls wrote:
| Haha, my "workarounds" consisted of being persistent with a few different support emails I found, posting on the Chromium support forums, and a few other things. Pretty boring stuff, and I'm not really sure that it even worked.
|
| Weeks or months from now, I'm sure someone will get their extension removed from the store, and may come across this post scrambling for a solution. If that's you, please reach out to me and I can send you the support emails and everything I tried.
| Shorel wrote:
| No Chrome, no Google search and no Gmail as default email here.
|
| Hopefully, many others will follow.
| maartn wrote:
| I think that reading all of a user's cookies from all websites is pretty privacy invading...
| chrischen wrote:
| We spend quite a bit on Google Ads yet they seem to refuse devoting even a few minutes of a knowledgeable support staff's time to our account--even when we're trying to figure out how to give them more money. For 1-2 years our product shopping ads never displayed and we couldn't get anyone to tell us why. One day, it just started working by itself (perhaps some engineer pushed a fix).
|
| Contrast this with their sales strategy of aggressively making a human call me every quarter to try to up my budgets. I'm not sure why they are so against helping people succeed with their products...
|
| It's like they are allergic to manual human processes (unless it's sales).
| x86_64Ubuntu wrote:
| I was using Google Ads for a pet project of mine. I lost the password to one account, and then decided to set up another. Using the same CC (which is also my personal CC) on both accounts triggered something and they killed my account. I explained what happened, and told them to check the first account access patterns as they had abruptly stopped due to the loss of the password. They didn't care in the least.
| GuB-42 wrote:
| It is a common theme with Google, what they do makes sense, but communication is impossible.
|
| I don't know if it is an artifact of overusing machine learning "our neural network trained on a variety of malware gives your app a score of 4.3, you have 15 days to get it down to 4.0". How is that calculated? No one knows, maybe you shouldn't use the location permission if your icon is red and your domain is not in .org, or something like that.
|
| Or maybe it is a form of security by obscurity. Or maybe they just don't want to pay for people to support you. Who knows?
| Florin_Andrei wrote:
| > _It is a common theme with Google, what they do makes sense, but communication is impossible._
|
| You could say the same about some machine learning algorithms.
| shadowgovt wrote:
| It's that last one. Chrome Extensions, as a whole, are a value-add to Chrome. Individual Chrome extensions have negligible added value.
|
| As long as Chrome isn't killing extensions "everyone cares about," their system can bias pretty far towards making it hard to get an extension accepted and maintained in the store without killing the whole ecosystem.
| Medicalidiot wrote:
| I left Android for iOS because of this type of behavior. Google is fickle with what its policies and goals are.
| elwell wrote:
| I've had a Chrome extension removed from the store before, I suspect because it conflicted with Google's business model. I would be very wary of building a business on a foundation that another company controls.
| ThePowerOfFuet wrote:
| > Once you have made these changes you may submit and publish a new draft in the Chrome Web Store Developer Dashboard.
|
| > Your draft will then be reviewed for policy compliance. If the outcome of the review is successful, your existing store listing will get replaced by the approved draft. However, if the new draft fails to comply with our policies, both the draft and the existing store listing will be removed. Please note that the rectification window expires the moment a new draft is submitted. After this point, you will not be able to make iterative changes regardless of the days remaining in the warning period.
|
| Holy fuck, that's insane. You get one shot; if you miss, game over.
| danpalmer wrote:
| As much as we can criticise Google's handling of this situation, the fact that the developer was able to reduce permissions from accessing data on _all websites_ down to _their website_, as well as tighten up a few other permissions, shows that Google is correct that the extension is asking for more than it needs.
|
| I hope the developer finds another load of permissions they can tighten up, resubmits, and is approved. As long as it results in permissions being more correct this is a very positive thing for users because for every PushBullet there's hundreds of attempts at malicious Chrome extensions that are abusing permissions.
| andrewmutz wrote:
| Extension developers monetizing their extensions by selling the data that they get from users is a big problem. It's the reason that I don't freely install useful extensions that I find today. I have no way to distinguish those who sell my data from those who don't.
|
| I love that Google is starting to solve this problem, and from my perspective an extension that is sending and receiving SMS messages should not be requesting the ability to read and change all data on all websites that I access.
| Theory5 wrote:
| "Solve the problem" ok, so you're stating that this selling only happens when a third party dev does it?
|
| Do you have an android phone? Do you use google for anything? Gmail? Google docs/drive? Youtube? Chrome? ChromeOS? Anything google owns? Then they're selling your data.
|
| Try reading all those fun TOS agreements that come with using any of the aforementioned products, or heck, visiting sites that use google analytics. That won't tell you how much or what data google gets from you, but it'll tell you that you agreed to it.
| codegladiator wrote:
| > I love that Google is starting to solve this problem
|
| They aren't solving the problem. They are making sure only they can get all the user information.
|
| I would rather give all my information to everyone rather than giving all my information to google.
| onefuncman wrote:
| They aren't solving this problem, they're killing off extensions. And I say this having received many unsolicited attempts to "purchase" Chrome extensions.
| andrewmutz wrote:
| I disagree. I think this practice could be seen as anti-developer, but it is pro-consumer.
| AmericanChopper wrote:
| The bit that improves user's privacy is pro-consumer. The bit that removes user's access to products is anti-consumer.
| danpalmer wrote:
| It's obviously a balance, but you could use that argument to allow any plugin on the store. It gives more choice.
|
| I think it's important to remember that while PushBullet is known to many of us, is posting on Hacker News, is a valued part of "the community" in some respect, at Google scale this fact is not known. PushBullet is obviously good to _us_, and maybe just needs to tweak permissions a little, but to a reviewer at Google it probably looks very similar to the hundreds of extensions they may review a day, many of which may contain malware.
|
| They have to use certain metrics to sort the good from the bad, and abuse of the permission system - intentional or not - is a pretty good one when you care about the end user.
| AmericanChopper wrote:
| A lot of people would argue that any authority that controls what software you can run on your own hardware is depriving you of your freedom. I would personally suggest that while an authority that attempts to protect consumers from malfeasant (or incompetent) vendors is protecting a certain set of consumer interests, doing so by implementing a bureaucratic maze simply creates an entirely new set of anti-consumer issues.
| Because in that case the consumer isn't being denied a choice because the authority has decided the associated risks are too high, it's being denied a choice because the authority has failed to properly participate in the assessment and remediation of those risks (or really just failed to properly define the standards that must be met).
| Drew_ wrote:
| You can freely sideload any Chrome extension it doesn't have to be on the Chrome Web Store
| AmericanChopper wrote:
| That does dampen the freedom argument somewhat, but it's still a form of restricting consumer access.
| karlicoss wrote:
| I often wish for a separate browser for consumers that are also devs. I'd happily lift the permissions for some open source extensions I'm using if that means better functionality.
| bosswipe wrote:
| The big crime isn't the request to reduce permissions. The big crime is the lack of details and lack of communication. It's having to drop everything and work in a panic trying to guess how to please the faceless mysterious robot.
| wombat-man wrote:
| yeah, it would make way more sense to codify the policy and just tell devs that they are using banned functionality or something.
| sixothree wrote:
| This exemplifies Google's reputation well.
| duxup wrote:
| Permissions seem to be a pretty empty metric if you don't know what the result is...
|
| What was the impact of fewer permissions?
|
| Let's assume PushBullet was doing something bad with some of those permissions and gathering data? Do they no longer have access to that data? I'm not sure that's the case, permissions alone don't determine that.
|
| If PushBullet wasn't doing anything bad, did anything change?
|
| Is it a positive thing for users when the extension disappears in a few days?
| fgonzag wrote:
| That's what you got out of it? Google doing a good job? They sent an email with no guidance whatsoever.
|
| These guys went above and beyond what most developers would've done, which would have been to contact support until they get a clear answer.
|
| This only alienates the extension ecosystem. And this was the primary reason I switched to Firefox. Google is the new Microsoft. If I remember correctly, they started Chrome exactly so this very thing wouldn't happen.
| jlarocco wrote:
| > They sent an email with no guidance whatsoever.
|
| Did they, though? The email seemed pretty clear that the problem was requesting more permissions than necessary.
|
| I'm no Google fan, by any means, but if it's _that_ hard for the developer to check which permissions their own app is requesting, I don't know if it's Google's fault.
| megablast wrote:
| This is an unsafe extension that had access to every website but did not need it. Yes, that is what I got too.
| danpalmer wrote:
| As mentioned, I think Google have handled it poorly, but their fundamental position - that this extension is incorrectly using permissions - was significantly correct and may prove to be fully correct.
|
| Google deserve criticism for the lack of clarity in the communication, they deserve criticism for the lack of human touch, customer support and many other aspects.
|
| They do not deserve criticism for calling out incorrect permissions usage and forcing developers to do better.
| prox wrote:
| Do it properly or don't do it at all is my motto. They could have been more forthcoming from the start. This is mystery meat communication.
|
| > the concealment of relevant information over basic practicality and functionality.
| dan-robertson wrote:
| I agree mostly. But why shouldn't the OP extension also be required to "do it properly"? Where should one draw the line?
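Added example, not part of any comment in this thread and not Pushbullet's or Google's code: a small JavaScript audit of the host match patterns in an extension manifest, the kind of self-check that finds the "all websites" versus "their website" difference discussed here. The two sample manifests are constructed from the match patterns quoted from the article in this thread, and the severity rules are this example's own assumptions, not Google's review policy.

```javascript
'use strict';

// Heuristics below are this example's own, not Google's review policy.
// Chrome match pattern: <scheme>://<host><path>, or the literal <all_urls>.
const PATTERN_RE = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;

// Rate one match pattern: 'high' (every site), 'review', or 'ok'.
function classifyPattern(pattern) {
  if (pattern === '<all_urls>') {
    return { severity: 'high', reason: 'matches every URL' };
  }
  const m = PATTERN_RE.exec(pattern);
  if (!m) {
    return { severity: 'review', reason: 'not a recognised match pattern' };
  }
  const scheme = m[1];
  const host = m[2].split(':')[0].toLowerCase(); // drop an optional port
  if (scheme === 'file') {
    return { severity: 'review', reason: 'local file access' };
  }
  if (host === '*') {
    return { severity: 'high', reason: 'wildcard host: every site' };
  }
  const local = host === 'localhost' || host === '127.0.0.1';
  if ((scheme === 'http' || scheme === '*') && !local) {
    return { severity: 'review', reason: 'allows cleartext http to a remote host' };
  }
  return { severity: 'ok', reason: 'scoped to ' + host };
}

// Gather host patterns from every manifest key that can carry them.
// Manifest V2 mixes them into "permissions"; V3 uses "host_permissions".
function collectHostPatterns(manifest) {
  const out = [];
  const isHost = (s) =>
    typeof s === 'string' && (s === '<all_urls>' || s.includes('://'));
  const keys = ['permissions', 'optional_permissions',
                'host_permissions', 'optional_host_permissions'];
  for (const key of keys) {
    for (const p of manifest[key] || []) {
      if (isHost(p)) out.push({ source: key, pattern: p });
    }
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      out.push({ source: `content_scripts[${i}].matches`, pattern: p });
    }
  });
  return out;
}

function auditManifest(manifest) {
  return collectHostPatterns(manifest)
    .map((e) => ({ ...e, ...classifyPattern(e.pattern) }));
}

// Constructed sample manifests (not the real extension's manifest).
const SAMPLE_BEFORE = {
  manifest_version: 2,
  permissions: ['notifications', 'https://*/*', 'http://*/*'],
};
const SAMPLE_AFTER = {
  manifest_version: 2,
  permissions: ['notifications', 'https://*.pushbullet.com/*',
                'http://*.pushbullet.com/*', 'http://localhost/*'],
};

for (const [label, manifest] of [['before', SAMPLE_BEFORE], ['after', SAMPLE_AFTER]]) {
  for (const f of auditManifest(manifest)) {
    console.log(`${label}: [${f.severity}] ${f.pattern} (${f.source}): ${f.reason}`);
  }
}
```

Running a check like this in CI before each store submission makes a widening of host access visible in review instead of in a rejection email.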
| munk-a wrote:
| It's confusing because whatever system (whether human or automated) they're using to flag permission issues has more precise detection abilities than they chose to expose with a simple "Permission is too wide - fix it".
|
| The fact that the extension has over broad permission asks isn't good but I think saying their communication lacks clarity is underselling just how opaque they were with their feedback. It also concerns me a bit because it looks like their opaqueness might be an attempt at security via obscurity by trying to cloak what the rules actually are - which is a generally bad approach to trying to fight malevolent actors.
| danpalmer wrote:
| It's possible that the flagging has come from user submitted reports. In that case if Google trust the reports (and they have enough data about users to know if reports are likely to be genuine) then they don't necessarily need to know any more details.
|
| Alternatively it could be vague to restrict the possibility of bad actors circumventing the letter of the rules without adhering to the spirit of them, or even just protecting themselves from legal repercussions (perceived or real).
| munk-a wrote:
| Your latter point is the one that concerns me. Organizations like governments have issues where the spirit of the law is valued over the letter due to inertial restrictions over revising the law - when it comes to private corporations the ability to restructure rules remains unless it's explicitly surrendered. In these cases keeping the set of rules exposed to the public (and even demoing changes) can allow revisions to those rules to increase their accuracy.
|
| And, when you get right down to it, any rule that isn't well structured will be exploited by bad actors, people looking to roll out malicious browser extensions have a strong motivation to try and discover those rules with a high level of accuracy by testing them - only the good actors remain uninformed.
| tedivm wrote:
| That may have been true for the first round, but after they fixed those permissions their extension was still rejected.
| Aperocky wrote:
| I disagree with you here because:
|   1. The article contains more relevant information that you did not show in your point.
|   2. That relevant information made your point void
|   3. I think your point makes no sense on the relevant information.
|
| There, I refuted your claim, you have 14 days to change it and show what you learned.
| adverbly wrote:
| > I hope the developer finds another load of permissions they can tighten up, resubmits, and is approved.
|
| You're missing the point here. The developer isn't given any guidance on what needs tightening. This shouldn't be guess and check. These rules impact this developer's livelihood. They should be well defined, documented, and communicated.
| danpalmer wrote:
| Well they did give details on what needs tightening, it's just that those details are in the form of policy points not being hit.
|
| What do you think they should be providing? Honest question, I have some ideas but they all feel very tricky/error prone to implement.
| laughinghan wrote:
| For comparison, some anecdotes elsewhere in the thread about how Apple attaches screengrabs and even decompiles apps to point to exact methods/lines of code in apps they reject from the iOS App Store, even small free ones: https://news.ycombinator.com/item?id=23170498
| laughinghan wrote:
| At the very, very least, they could identify which of the permissions are in violation and need to be made more restrictive, and which aren't.
| Someone at some point at Google clearly had that information when they decided to flag the extension, but Google's processes failed to ensure they communicated it.
|
| For the record, I actually agree with you that this is a good policy and will be a positive outcome for users. But while you seem to agree that Google could have handled this better, you're not doing a good job of acknowledging just how developer-hostile Google was here, which is why you're getting a lot of pushback.
| danpalmer wrote:
| Most of the discussion on this link is about how Google is being developer hostile. I think that's getting plenty of attention.
|
| > At the very, very least, they could identify which of the permissions are in violation
|
| If they've flagged this through user reports of the permissions being too wide then they may not actually know which permissions need to be changed. This is purely speculation though.
| rrss wrote:
| > they may not actually know which permissions need to be changed
|
| How can they not know? They decide whether the update is accepted or rejected, and there's somebody or something at google that makes that decision, so google has to know.
|
| If they didn't know what permissions need to be changed, how is the accept/reject decision made? Something like "accept the fourth try if the developer makes it that far because it is probably an improvement?"
| the_gipsy wrote:
| > These rules impact this developer's livelihood.
|
| Let this be the millionth lesson of "the perils of building on a platform instead of on a protocol".
| crankylinuxuser wrote:
| You misspelled "sharecropper".
| gowld wrote:
| Why can't Google provide support instead of vague threats? Provide a permissions audit tool, recommend ways to reduce permissions, provide a dev tool to automatically report on permissions that haven't been used while running an extension.
|
| Is _banning someone's entire Google account across all services_ a proportionate response to a developer having trouble with Google's confusing permissions API?
| jpalomaki wrote:
| Usual answer is that this would make it easier for malicious actors to bypass the limitations.
|
| Likely there is some automated system running these checks.
| freehunter wrote:
| Security through obscurity is no security at all.
|
| Edit - this is a basic principle of security: https://en.wikipedia.org/wiki/Security_through_obscurity
| ashtonkem wrote:
| Anti-cheat through obscurity on the other hand is absolutely a thing.
|
| As a metaphor, there's a damn good reason you can't just pay an Olympic anti-doping facility to test your urine; it would be trivial to develop protocols that evade the tests if you could do that.
| freehunter wrote:
| If anti-cheat through obscurity worked, there would be no cheaters. The fact that cheaters exist means it does not work.
| streb-lo wrote:
| Your logic does not follow.
|
| There are certainly less cheaters than if there were no anti-cheat methods. To use OP's example, an open source urine testing procedure would be trivial to game. The same thing goes for open-source multiplayer games.
| awinter-py wrote:
| Disagree that G's motivation here is to reduce permission footprint, because:
|
| - if G has the ability to automatically audit necessary permissions, they'd do it when you upload to the plugin store
|
| - if they're doing this manually for popular plugins, then (1) they'd publicly certify safe plugins and (2) the interaction would be way more high touch
|
| Plugins are inherently unsafe + require trusting the developer.
|
| Could be malicious, or G may not even _have_ a reason for this (it may be some forgotten dinosaur instinct to knock over other people's stuff when it gets too big).
| ViViDboarder wrote:
| Also, Google could just block the permission and let the extension developers deal.
| Even that would be less hostile because at least the developers would know what to fix.
| danpalmer wrote:
| > - if G has the ability to automatically audit necessary permissions, they'd do it when you upload to the plugin store
|
| If they added it more recently then they are just back-applying it to an already existing extension.
|
| Alternatively, you can report plugins as requesting incorrect permissions - I've done this. Perhaps that's what's happened here, lots of reports triggering an investigation.
| TuringNYC wrote:
| >> As much as we can criticise Google's handling of this situation, the fact that the developer was able to reduce permissions from accessing data on _all websites_ down to _their website_, as well as tighten up a few other permissions, shows that Google is correct that the extension is asking for more than it needs.
|
| OK fair enough, but why aren't the big violators held to this? (I realize this example isn't Chrome, but it is Google Calendar -- ever try to add a Zoom meeting invitation to your Google calendar? Zoom wants access to read and write all events ever on your entire calendar!
| lvs wrote:
| Edit: I was the one who misread it. My mistake
| vntok wrote:
| > As I looked at the permissions and what our extension actually needs to operate, I noticed a great opportunity to reduce our permissions requests. We do not need to request access to data on https://*/* and http://*/*. Instead, we can simply request data access for https://*.pushbullet.com/*, http://*.pushbullet.com/*, and http://localhost/*. This is a huge reduction in the private data our extension could theoretically access. A big win!
|
| They were completely in the wrong there, and posing a huge security risk to all of their users.
| mkl wrote:
| I think you're the one misreading. From the article: "We do not need to request access to data on https://*/* and http://*/*.
| Instead, we can simply request data access for https://*.pushbullet.com/*, http://*.pushbullet.com/*, and http://localhost/*."
| gnu8 wrote:
| I'm trying to figure out why that was their setting to begin with.
|
| > We do not need to request access to data on https://*/* and http://*/*.
|
| Was this not determined before, or they changed their minds now that Google is threatening to pull their product? Either they thought that was appropriate before, or they didn't think about it at all. Inexcusable either way.
| xg15 wrote:
| I strongly disagree. If they were actually interested in this, they could simply tell the developers what to fix. This is beyond arrogant and counterproductive.
| ekanes wrote:
| Yes, it seems pretty bad that by default they were accessing user data everywhere. Gross.
| Guzba wrote:
| I really did try to call out the benefits that happened when I was told to "give permissions another look". Like all software, needs change and I was able to make a great improvement.
|
| The issue I have is that it's not clear if I'm even addressing the correct issue(s). If I don't make the Correct change, all other changes are irrelevant since they'll never get published.
| danpalmer wrote:
| Yeah, it's crap that they didn't give you guidance, although it seems like you managed to find plenty of issues quickly so perhaps the guidance is less necessary than it might seem.
|
| Ultimately you know your extension, codebase, and use-case, far better than Google does, so it may not really be possible for them to give you the detail that you're looking for - you may be the only person who can do that.
|
| I hope that they provide the support you need in understanding the problem to the point where the extension can continue to live on the Chrome store.
| foobarbazetc wrote:
| lol.
|
| We have the same problem, but on the Google Play Store.
|
| We have a brand name app used by millions of people.
| We uploaded an update where the only change was a new Firebase library.
|
| Google rejected the update for vague reasons ("violation of Google Play policies" but not telling us which one).
|
| Appealing the rejection, the CSR just pasted the vague policy thing back at us. We asked for more information and they just closed the ticket.
|
| So we took the exact build that was accepted, incremented the version number, and uploaded that. Rejected again.
|
| And there's no real human to talk to.
|
| No idea what's going on at Google.
| Florin_Andrei wrote:
| > _No idea what's going on at Google._
|
| It's like trying to troubleshoot a machine learning algorithm.
| sudoit wrote:
| Had the same problem when I made a fairly successful app in university. Whole account got deleted for a "3rd strike" meaning "3rd resubmission."
|
| I've made a new account and their AI black box still doesn't realize it's me...
| arseniclifeform wrote:
| By whole account deleted do you mean your Chrome dev "account" or your Google account including Gmail, Gcal, and YouTube? The latter is my greatest fear.
| FpUser wrote:
| Aside from youtube and search I am not using Google at all. And Chrome is on my computer only for testing.
| Baeocystin wrote:
| Another long-term PushBullet customer here.
|
| Anyone at Google who is listening- this kind of behavior _kills_ my desire to continue using your products dead. I _need_ functionality, of the type PushBullet has provided for years, to do my work. The recent nerfing of ublock origin has already had me feeling iffy on things. Behavior like this is simply unacceptable. If you want people to use your services, you need to have some way to communicate. Period. "If you use our tools, we can kill your livelihood at any time for any reason and tough shit if you want a why" doesn't exactly inspire, you know?
| moneywoes wrote:
| Can you elaborate on the ublock origin nerf?
| irrational wrote:
| They blocked ublock origin?!
| Really?! What was their stated rationale (I assume they didn't admit it is because they want people not to block ads)? Might I suggest using Firefox? I use it and don't have any trouble with it.
| gowld wrote:
| It's not true.
| ChuckMcM wrote:
| It would be interesting to hear Google's _actual_ reasoning but I don't expect that we will. I will speculate that it is exactly the clipboard permissions as there have been apocryphal reports of Android apps and web extensions that use this to steal passwords that password managers put there for users to "paste" into their pages.
|
| If that is the case, then a much better solution would be for Chrome to implement a secure channel for password managers to use for just that purpose and make access really really explicit. But again, without them saying anything we won't know.
|
| My advice is to watch for a CVE regarding sniffing sensitive data off the clipboard to surface in the next 30 - 90 days.
| Aperocky wrote:
| > this kind of behavior kills my desire to continue using your products dead
|
| Having already moved to firefox for over a year since quantum came out, what are you waiting for?
| wlesieutre wrote:
| Chrome is a trivially easy product to switch off of compared to other Google properties like Gmail and YouTube. Have you tried Firefox recently?
| 29athrowaway wrote:
| I have a firewall appliance at home.
|
| One day I noticed that some of the stuff I blacklisted (mostly ads) started showing up again.
|
| Why? Firefox's new DNS over HTTPS was bypassing all my firewall DNS rules.
| eloff wrote:
| I switched when Google killed off ublock origin in Chrome. Firefox is quite nice these days. I just use chrome for development because I'm more familiar with their dev tools.
|
| I will very occasionally find a site that's broken in Firefox and works in Chrome though.
| gowld wrote:
| uBlock Origin isn't killed. Some changes are proposed, however.
| morrbo wrote:
| Check out Vivaldi, never looked back (chromium based so same dev tools, though admittedly I do my dev in edge these days just to keep stuff separate)
| minikites wrote:
| I've been using Fastmail for more than a decade and I don't know why someone would trust something as important as email to a company like Google.
| colejohnson66 wrote:
| Because when it first was released, they were one of (if not the only) (free) email providers to give _every_ user over a gigabyte of storage. At the time, most email providers only allowed mailboxes in the dozens of _megabytes_ range.
|
| Nowadays, everywhere gives you plenty of space, but for me personally, it's just been the fact that I've been using it for so long and switching is a hassle. I'm sure it's the same for a lot of other people, and for the majority, they probably also don't care enough.
| nucleardog wrote:
| Dozens of megabytes?
|
| Pretty sure Hotmail (which at the time was like 20% of all web traffic) was still offering a whopping 2MB of space when Gmail launched. It was only after Gmail came out that they started bumping the quota from where it had been since the mid-90s.
|
| Gmail was a HUGE deal. People were going nuts over the invites.
| Fezzik wrote:
| I second the Fastmail vote. I have been a happy user for... maybe 3 years now? A while at least. The web UI on mobile and desktop is second-to-none (I love not having an app) and the spam filtering is as good or better than gmail and the other big players.
| input_sh wrote:
| My current yearly subscription to Fastmail was about to expire today. Didn't think about it for a second before I renewed it for the third year.
| Icathian wrote:
| I have fastmail bookmarked waiting for me to find some time to switch over my gsuite admin and some cname redirects off of Google's platform. It's definitely past time for me to get a little less dependent on them.
| FpUser wrote:
| I am not sure why would one trust something as important as email to any company. Register and use your own domain. Then you are totally free in your choice and switching is no problem.
| t-writescode wrote:
| Mailbox.org here. Happy customer so far.
| freehunter wrote:
| I've found the exact opposite to be true in my very specific experience. Five years ago I used every Google product under the sun, today the only Google product I use at all (even search) is Chrome because it's the only one I haven't been able to replace.
|
| I try Firefox with a fresh install on nearly every major release and I keep it installed as a secondary browser, but I can never manage to use it as my daily browser. For whatever reason, none of my company's (major tech company but not a competitor to Mozilla in any way) internal web pages load in Firefox. No error, no warning, nothing in the console, just zero content. Blank page. I've tried it on two computers with the same result and just nothing. No extensions installed, nothing I've installed on my network or computer to block anything. It just doesn't load anything.
|
| On the other hand I keep Firefox installed because Chrome refuses to load my dev environment with a self-signed certificate. Firefox will let me click "I accept the risk" but Chrome just refuses to load with a self-signed cert.
|
| I'd love to use just one (preferably Firefox) but I guess the web is still hard to get right.
| Bedon292 wrote:
| Assuming you are on a Windows domain, since they are able to control your Chrome. Chrome uses all the built in Windows settings. Have you checked for proxy settings in internet options? Firefox I believe still uses standalone settings, and will need to be configured manually.
|
| Other thing they could be doing is adding certificates to the Windows certificate store, that Firefox does not trust.
| Though I expect you would see an error about invalid certs in that case.
| acomjean wrote:
| When I worked at a company Firefox worked then didn't. I think the web proxy needed to use the company installed cert or some such weirdness:
|
| https://security.stackexchange.com/questions/133254/how-does...
| heavyset_go wrote:
| Try sending your company's internal sites a Chrome User-Agent from Firefox. There are extensions that let you do this.
| bzb3 wrote:
| You can bypass the Chrome dialog by typing "thisisunsafe" in the error page.
| tracker1 wrote:
| Reminds me of the default admin password for an app I've worked on... "You should change me."
| freehunter wrote:
| That's a stupidly hidden way to go about it.
| dylz wrote:
| IIRC, the intent is that no one should be doing this and anyone doing it should be at least technical enough to figure out what they're doing and be reminded that it's a bad idea.
| jschwartzi wrote:
| On the other hand these stupid dialog tricks are why I stopped using Chrome. I'm not an idiot and I know what I'm doing. It's pretty arrogant to assume that I shouldn't be visiting my router's configuration page just because it uses a self-signed certificate. I don't care to set up an X.509 infrastructure at my house, thank you. Please stop mollycoddling me.
|
| Firefox continues to do a good job of just letting me visit the damn website after warning me.
| dylz wrote:
| I'm confused - Firefox and Chrome act completely identically to a self signed cert for me. Both let me click through after looking at the cert or expanding a section. I have never been "blocked" by some hidden modal unless the site chooses to be HSTS-enforcing, and in that case Firefox does not allow a clickthrough either.
|
| Both examples on latest current, taken right now:
|
| Firefox: https://i.imgur.com/4VMjDZ4.png
|
| Chrome: https://i.imgur.com/YosvXEu.png
|
| For HSTS, both Firefox and Chrome act identically and do not allow clickthrough: https://i.imgur.com/WPCTep1.png
| maest wrote:
| You're confused because you're not using Chrome on OSX: on osx there's no "Proceed to <website>" option.
| gowld wrote:
| https://support.google.com/chrome/thread/23226743?hl=en
| dylz wrote:
| I'm now even more confused: https://i.imgur.com/jl9agwG.png
| necovek wrote:
| Your router's self-signed cert can be imported into your browser and trusted from thereon -- that will also stop any potential attacks from someone pretending to be your wifi ap nearby because I am pretty sure you are not double-checking the cert fingerprint every time you visit the router's admin interface. Provided you were not MITMed once you added the cert in the first place :)
| freehunter wrote:
| And instead many people will just do a Google search for "Chrome [insert error here]" and run the first command they find, while people like me will say "okay I'll just Firefox where I can click past this warning".
| dylz wrote:
| For what it's worth I've always been able to click straight through a self-signed cert on Chrome - in fact I just did it right now to log in to something internal. I am a nearly 50-50 split Firefox/Chrome user.
|
| Are you sure you aren't sending HSTS headers that demand the site be TLS in some way?
|
| Also, have you considered the slightly-saner way of doing it, which is making an internal self-signed CA, trusting that internal CA, and then having it sign the rest of your "self dev stuff" certs?
| freehunter wrote:
| If it was HSTS it wouldn't load in Firefox, would it?
| dylz wrote:
| If it was HSTS it would not load in both, with no button to bypass.
|
| If it was not HSTS you can click through a non-obvious button in both.
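Added example, not part of any comment in this thread and not browser source code: a simplified JavaScript model of the RFC 6797 rules behind the HSTS behaviour described above, useful for working out why a self-signed development host shows no bypass button. The host names are constructed, the function names are this example's own, and browser preload lists are not modelled.

```javascript
'use strict';

// Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
// Returns null when the header must be ignored. Simplification: splits on
// ';' without handling a ';' inside a quoted string.
function parseSts(value) {
  const seen = new Map();
  for (const raw of String(value).split(';')) {
    const part = raw.trim();
    if (part === '') continue;                 // empty directives are allowed
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1); // quoted form
    if (seen.has(name)) return null;           // repeated directive: invalid
    seen.set(name, val);
  }
  const maxAge = seen.get('max-age');
  if (maxAge == null || !/^\d+$/.test(maxAge)) return null; // max-age is required
  return {
    maxAge: Number(maxAge),
    includeSubDomains: seen.has('includesubdomains'),
  };
}

const isIpLiteral = (host) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');

// Apply one HTTP response to the browser's HSTS store (Map: host -> policy).
// conn = { tls: boolean, certError: boolean }; nowSec is the current time.
function noteResponse(store, host, stsValue, conn, nowSec) {
  host = host.toLowerCase();
  // Section 8.1: the header only counts over TLS with no certificate errors,
  // so a site reached by clicking through a warning cannot set HSTS itself.
  if (!conn.tls || conn.certError) return 'ignored: untrusted transport';
  // Section 8.1.1: hosts addressed by IP are never noted (typical router UI).
  if (isIpLiteral(host)) return 'ignored: IP-literal host';
  const policy = parseSts(stsValue);
  if (!policy) return 'ignored: malformed header';
  if (policy.maxAge === 0) {
    store.delete(host);                        // max-age=0 clears the policy
    return 'removed';
  }
  store.set(host, {
    expires: nowSec + policy.maxAge,
    includeSubDomains: policy.includeSubDomains,
  });
  return 'noted';
}

// A host is covered by its own entry, or by a parent's with includeSubDomains.
function isKnownHstsHost(store, host, nowSec) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const policy = store.get(labels.slice(i).join('.'));
    if (policy && policy.expires > nowSec && (i === 0 || policy.includeSubDomains)) {
      return true;
    }
  }
  return false;
}

// Section 12.1: for a Known HSTS Host there is no user override on cert errors.
function certErrorOutcome(store, host, nowSec) {
  return isKnownHstsHost(store, host, nowSec) ? 'hard-fail' : 'warning-with-override';
}

// Constructed scenario: a self-signed dev host under a domain whose
// production site sends includeSubDomains over a valid certificate.
const store = new Map();
console.log(noteResponse(store, 'dev.example.test', 'max-age=31536000',
  { tls: true, certError: true }, 0));
console.log(certErrorOutcome(store, 'dev.example.test', 1));
console.log(noteResponse(store, 'example.test', 'max-age=31536000; includeSubDomains',
  { tls: true, certError: false }, 2));
console.log(certErrorOutcome(store, 'dev.example.test', 3));
```

In this model the dev host never sent a usable header of its own; the hard failure comes from the parent domain's includeSubDomains policy, which is the first thing to check when one browser profile offers the override and another does not.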
| freehunter wrote:
| Well Chrome has no button and Firefox has a button, so...
| Wowfunhappy wrote:
| Yeah, I actually think these sorts of strategies are clever. They're a way to protect normal users without outright barring power users from doing as they wish.
|
| macOS operates in a similar way. I really like how the difficulty increases depending on the task:
|
| * Want to allow one app through Gatekeeper? Instead of double-clicking the app icon directly, right click it and select "open".
|
| * Want to turn off Gatekeeper for all apps? You need to open the Terminal and execute a command.
|
| * Want to turn off System Integrity Protection? You need to reboot your computer into recovery mode and execute a Terminal command there.
| lostcolony wrote:
| Except for those of us who are finding out about it only via a Hacker News comment. As happened with this user, who seems, you know, sufficiently a power user to need that info. Even a "if you know this site to be safe, please read this knowledge base article (link)" and buried in that, amidst all the reasons you shouldn't use untrusted certs, are the instructions.
| londons_explore wrote:
| If you keep up to date with commits on the chromium code repo, you'd see them change it from time to time. For a while it was 'youshallnotpass'.
|
| You probably shouldn't be using an opensource project without at least a cursory glance at the code anyway, especially as a power user.
| lostcolony wrote:
| You're kidding right? You look at every commit of every open source app you use, or that a closed source app is built atop? For me, off the top of my head, that would mean, yes, Chrome, Firefox, the Linux Kernel, Libre Office, Android, VLC...probably plenty more that I am unaware are open source, and that's not even considering the dev tools to do my job. When would I actually have time to have a life?
| skykooler wrote:
| Exactly.
| Reading the source of every program you used was certainly possible back in the 80's when the FOSS movement started; but nowadays, with every program being millions of lines of code, it's implausible to get through all that and still have time to actually _use_ the software.
| lostcolony wrote:
| Not to mention background updating. I don't even know when Chrome has updated half the time, unless something stops working.
| makapuf wrote:
| I'm not sure a cursory glance at the 25 million lines of code will do much if you don't already know what to search.
| dewey wrote:
| > No error, no warning, nothing in the console, just zero content. Blank page.
|
| Have you tried disabling the tracking protection, maybe it's mistakenly blocking some JS?
| arkades wrote:
| I transitioned to FFox myself. I occasionally have to use Chrome for work, and it's nothing I find myself missing. If Chrome is messing up your day, it's really easy to cut it out.
| swiley wrote:
| Firefox is actually a significantly better browser on GNU/Linux. Chrome is pretty awful.
| dleslie wrote:
| The only Google product I still use is Android. I won't switch to iOS, that's like cutting off your nose to spite your face. Sadly, the FOSS alternatives do not support Blackberry phones, and for physical reasons I _greatly_ prefer a real keyboard.
| jtxx wrote:
| ProtonMail has come a long way as a replacement for Gmail as well. Suuuper happy with them, they're really responsive to feature requests and support inquiries. I requested for an iOS feature to choose browsers so I could open all links from PM in Firefox. They had it implemented in a month or something... it's a quick fix but that impressed me. Hence me shilling here. They recently added ProtonCalendar too.
| spockz wrote:
| Is there a provider that lets you send emails from free format users on your domain? With catch all addresses the mail goes into my other@domain account.
| I use a different email address per site. Now with gmail if I want to reply with that account I first need to create it as an alias. If I want to reply from my phone it even needs to be a full account. Is there any way to fix this? Short of using mutt and write the from header myself?
| pinkythepig wrote:
| I can do this with fastmail, though fastmail is a subscription (like $5/month? IIRC, mine auto renews every 2 years so not sure). I have my primary email setup as <firstname>@<lastname>.org. If you set your dns records correctly with them, that allows you to use without any ahead of time setup <randomtag>@<firstname>.<lastname>.org. Setting a different tag where I have <firstname> can be done too, but you need to set those up individually.
|
| replying to emails, I can change <randomtag> to whatever I want.
|
| They also offer random domains that you can setup burners under, though that does involve some ahead of time setup.
| ZacharyPitts wrote:
| I have happily paid for ProtonMail for the past couple of years. I moved all my important email (i.e. anything involving money) off of gmail.
| abnercoimbre wrote:
| ProtonMail user for years too. And non-tech people who get my e-mail immediately like (and ask about) the protonmail.com domain, which opens up an avenue to discuss privacy and the upside of non-Google products.
| cdurth wrote:
| I as well. Gmail is now my spam account. Very happy with ProtonMail.
| Klonoar wrote:
| I really wish they'd merge this, or implement it themselves (I wrote it, full disclaimer):
|
| https://github.com/ProtonMail/ios-mail/pull/16
|
| As I understand it (and don't quote me on it) they're in the middle of a refactor, so I guess I get it.
| mtnGoat wrote:
| I used protonmail for a week, but I got tired of waiting hours and days for some emails to arrive. some were so late the verification links were no longer active. ugh, if only proton mail was up to par with Gmail.
| vorpalhex wrote: | I had similar issues early on but have been happy with | Protonmail for the last year or so. | bcrosby95 wrote: | Switching email isn't nearly as friction-free as switching | your browser. Not only do you have to change your email in | every service you've registered for, you also need to | convince your friends and other contacts to use the new | email. | theshrike79 wrote: | It's a year-long project in the minimum: | | 1: Start up new email (for me it was Fastmail) and | preferably get your own domain | | 2: Forward all mail from gmail to your new account | | 3: Create a rule that flags messages that are still | delivered to gmail, go through them at your leisure and | swap to the new address | kadoban wrote: | I'd stress the "get your own domain" part. This is a | _requirement_, or you're going to be going through the | same pain again in a few years. | | Also, make sure you take backups of your old emails every | once in a while. Google Checkout should be able to | provide those. | thayne wrote: | Getting your own domain might be fine for tech-savvy | people, but for the general population it isn't really an | option. | colejohnson66 wrote: | What's the risk of losing your domain from a forgotten | renewal? | littlestymaar wrote: | If your domain name provider is serious, almost none: | there's a transition period (a few weeks) between the | expiration date of your domain and when somebody else can | buy it again. So if you forget to renew it, your emails | stop working and you'll renew it really quickly ;). | | Source: it happened to me last month (the provider being | OVH). | prox wrote: | I only work with a company whose team I can actually | call. I pay a bit more, but that direct access is great. | | It's actually hard to lose a domain if you have a good | registrar. There is a 90 day quarantine period even if you | cross the renewal threshold. You can also domain lock, | which means you need to manually unlock a domain before | moving.
| ashtonkem wrote: | If a domain is important to you, you should have it set | to autorenew. | rietta wrote: | I have all my domains on autorenew, probably many I | should have let lapse now, and some of which I have | regretted letting go of. | tracker1 wrote: | I feel your pain.. I accidentally let my main blog domain | go a long while ago when I decided to drop most of the | domains I was holding. | | Beyond this, I've had a few pretty good ones over the | years... right now, I've got about 30 of them, and just | keep thinking I should let most of them go. | _-david-_ wrote: | I would assume most domain registrars send you reminder | emails as your expiration gets closer. | imhoguy wrote: | There is always a risk of losing an asset, that includes | hijacking. However to reduce forgetting of renewal there | is the recipe I have once read here on HN: | | Renew your domain for 10 years now, and then every next | year do 1 year renewal. If you forget it then you still | have 9 years of buffer. | jacobr1 wrote: | I've used auto-renew ... but it turned out my biggest | risk was actually the expiration date on my credit cards | DelightOne wrote: | I loaded up credits at my registrar to last a couple | years because of this. | aGeekGoneMad wrote: | That's we something like PayPal is nice, your cards can | expire and be replaced without interruption to automatic | payments. And like the email problem, you don't have to | go around changing it every couple of years. | mrighele wrote: | Some registrars let you enable automatic renewal, so in | that case the only risk is to keep paying for a domain | that you forgot about. | trav4225 wrote: | How is credit card expiration handled? Or do you suggest | another payment method? | nucleardog wrote: | You'd probably have to really work at it. | | Most registrars are going to send you multiple emails | leading up to the expiration, when it expires, and after | it expires reminding you it expired. You'd have to miss a | lot of emails.
| | And once it has expired, you have (depending on the TLD) | over a month of grace period where it's not available for | general registration where you can still renew it. You'd | have to miss the fact that all of your services were | offline for over a month. | dsanduleac wrote: | I recall seeing this recently on another HN post, where | they had set up a blanket forwarding rule from their | Gmail to another email account. Their Gmail later got | dinged but the forwarding rule continued to work. | pletnes wrote: | I did that years ago. The only downside is that every 2-3 | years some email gets stuck in gmail's spam folder. | DavideNL wrote: | You don't have to switch overnight, I simply forwarded | all my incoming Gmail e-mails to my new account, and then | reply to all my Friends (etc.) from my NEW e-mail | address. That way they will all, eventually, | automagically update me in their address book. It worked | very well :) | RcouF1uZ4gsC wrote: | The most important change you can make for your email is | to own your own domain. Once you own your own domain, | changing providers is much easier since it is transparent | to the people that email you. | | Even if you decide to keep Gmail, you should switch your | email to your own domain. | tracker1 wrote: | I know some will reject the idea.. but if Google is your | domain registrar, they'll do email forwarding without an | extra charge. | | I've started using *@mydomain where the * is the | website/service I've registered for... doesn't help with my | existing stack though. | gumby wrote: | You can just do forwarding. I've run my own mail service | since the 80s, and when I need a google login to work | with someone I just create it and forward my mail. When | the project is over, just delete it. Easy-peasy. | | Unless a client wants to use google docs I've never found | an account to add any value anyway. I don't use google | search much any more but when I do it works fine without | cookies.
| | And I try chrome occasionally (it's needed to use google | docs) but it uses too many resources to use as any kind | of default. It's also harder to enforce privacy with it. | tracker1 wrote: | I was referring to google hosting the mail service, so no | need to diy or pay for another server, and you don't need | to use gmail with it. | ThePowerOfFuet wrote: | Google Docs works fine in Firefox and Safari. | cpascal wrote: | One worry about tying your identity to your own domain, | is the security of your identity (aka your domain) hinges | on the security of your registrar. If a bad actor can | socially engineer their way into controlling your domain, | your entire identity is compromised. | | Here's a blog post about this nightmare happening to | someone: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-... | ashtonkem wrote: | I agree that that would be catastrophic, but I'm not | convinced that using custom DNS changes my risk factor. | If someone took over <my name>@gmail.com, they could do | as much damage as they could by taking over <my name>@<my | domain>. | Roujo wrote: | Yes, but there's still an increase in the attack surface | - it's a lot harder to convince a registrar to turn over | gmail.com than <my domain>, for most values of <my | domain>. It's not a deal breaker, of course, but it's | something to consider when looking at the risk factor. | cpascal wrote: | If you use an email provider to host your domain's email | (e.g. Fastmail, GSuite, etc.), I believe you're actually | increasing your risk factor. | | The security of your identity will depend on your | registrar, your DNS provider, and your email provider. | toohotatopic wrote: | So, which ones are the good registrars? | ztjio wrote: | Google is great for this because they will never actually | let anyone talk to a human in order to apply social | engineering techniques ;) | toohotatopic wrote: | But do you lose your domain if google bans your account?
| | The requirement is being able to switch email providers, | especially google, when they lock your account. You don't | secure your flow of email with a domain if that domain is | managed by google, too. | ztjio wrote: | So my statement was a total comedic effort not to be | taken seriously, I'd never suggest anyone use a company | on the basis of terrible customer support. That's what | the semi-colon parentheses at the end was meant to | signify. | | To attempt to actually answer your question, I believe | the nature of the governance around registrars would | ensure you have recourse to transfer your domain in the | case that Google be Google. It might not be slick. I | don't know. But, it's unlikely they can override the | overarching policies for such things and continue being a | registrar. | wpietri wrote: | I've been happy with Joker and AWS Route 53. I've used | Joker for years and years; at the time they seemed sane | both technically and as a business, and that's how it | still feels. Route 53 is more recent, but it's been solid | and reliable for me. And it's been very nice to control | it declaratively with Terraform. | nucleardog wrote: | I generally trust the major cloud providers a bit more | than the companies focused on acting as a domain | registrar. | | The domain registrars are generally a race to the bottom | and focused on "add-on" sales as most people are shopping | on price and that's going to reflect in the overall | quality of the things that most people don't really | notice like, y'know, security and validation. | | You don't hear a lot of stories about Amazon/GCP/Azure | handing over someone's entire account based on a couple | digits of a credit card number and it would be a PR | nightmare if they did (hell, look at the flak they catch | just for the data that people leave public on their | services that ends up released... imagine if they | _handed_ it to someone). 
An active account with 2FA/etc | enabled and a secure recovery email is probably safe | enough for most people. | | Spend the extra couple bucks to register through one of | those guys instead of JimbosDiscountDomains. | mythrwy wrote: | So use Google or Microsoft to register your domain? | | Doesn't that bring us back to the same potential problem | though? | justinholt wrote: | I think the idea is to use their "enterprise", paid | offerings as opposed to relying on the "free" services | that Google or Microsoft offer. | cpascal wrote: | I use namecheap which has two-factor authentication, | domain locks, and support pins. | propogandist wrote: | owning your domain and having control of a domain through | a trusted registrar is better than relying on the world's | largest advertising company to manage your digital | identity (email), which is offered as a free service, | that's subject to a catch-all ToS. | gowld wrote: | The article is literally about a user who was attacked | because Twitter, Facebook and GoDaddy have bad security, | while his Google account was safe. | propogandist wrote: | I've seen that article before. An isolated fail in 2014 | by one vendor, primarily due to poor support processes, | is not a convincing argument to keep all digital | identities in Google's possession. | | There's also the risk of Google shutting down your | account because you do something they don't like. This | will lead to a similar outcome and you won't have any | recourse. | morrbo wrote: | Have to respectfully disagree here...we tried protonmail | for ages and it wasn't good. Wrt feature adding it sounds | like you got lucky but we ask for several features over | the course of a year - ranging from simple things such as | HTML signatures (that they fully support, they just hide | the button on their editor) to more enterprisey user | management 2fa enforcement style features and it just | didn't hold up in the slightest.
No features got added | and we ended up going back to o365..for a personal email | it's ok though but I wouldn't tout them as responsive to | feature requests as this wasn't our experience at all. We | were a sma the on their visionary package if that makes a | difference. | ori_b wrote: | You can set up forwarding rules and switch gradually. | It's pretty much painless. | m-p-3 wrote: | I switched from Pushbullet to Join and one of the hurdles the | dev is having is that something regarding push messaging was | severely lacking in Firefox compared to Chrome, hence the | lack of an extension for it on Firefox. | sciurus wrote: | Do you know any more details about what's lacking? | Baeocystin wrote: | Sure, and I use it daily. But my frustration isn't about me | particularly, it's about Google's increasingly hostile | behavior. They're the 800-pound gorilla of the internet, and | the way they behave affects all of us. | ilrwbwrkhv wrote: | Switch to Firefox. It has gotten much better. | laumars wrote: | I'm absolutely loving Firefox at the moment. | | I have temporary containers extension plus an extension to | manage google and Facebook containers and the whole thing has | become such a pleasurable experience. Combined with pihole it | feels like I'm reclaiming the web back again. Such a blissful | experience. | yellowapple wrote: | Yep, for me Multi-Account Containers and Tree Style Tabs | are both killer features. Being able to load the same page | with multiple accounts _within the same browser_ and | without losing everything after each session is a game | changer for all sorts of situations, as is being able to | keep dozens or even hundreds of tabs open without squeezing | and squishing them unreadably into the top of the window | like some kind of maniac. | yorwba wrote: | And there's also a Pushbullet add-on for Firefox: | https://addons.mozilla.org/en-US/firefox/addon/pushbullet/ | | Not sure whether the functionality is the same.
| pmontra wrote: | Thanks for the link. So it's a subset of | kdeconnect/gsconnect for Linux/Android [1] [2] [3]. I'm | using it to share files and tabs from my phones / tablets | to my pc and vice versa. It does many other things including | sms from the pc. It works with any browser or with no | browser at all. There is no need for an extension. | | I'm sure Apple has had that too for a long time and I saw | something like that from Microsoft a few days ago. | | [1] https://play.google.com/store/apps/details?id=org.kde.kdecon... | | [2] https://community.kde.org/KDEConnect | | [3] https://extensions.gnome.org/extension/1319/gsconnect/ | ilrwbwrkhv wrote: | Yup, exactly the same. That's what I use. The only thing | Chrome was better in the past was audio pitch correction in | sped up videos. Firefox recently fixed that so now for me | there is absolutely no need to use Chrome anymore. | syshum wrote: | While Firefox is better than Chrome... | | Mozilla is becoming more and more Google Like as time | progresses, where a few years ago I would have believed it | would be unthinkable for Mozilla to do something like this to | an extension, today I am not so sure I would trust them | either | JTbane wrote: | Mozilla doesn't have the conflict of interest google does | with ads... | | That alone makes me use Firefox over Chrome. | pbhjpbhj wrote: | Doesn't Mozilla get nearly all its money from Google; | I've assumed that actions by Mozilla have been coloured | by not wanting to ditch its multi-hundred-million dollar | benefactor. | | Google has apparently paid Mitchell Baker personally | multiple millions of dollars too. | | Seems Google know how to manage their risks. | | Mozilla seem perhaps even more beholden to ad revenue | than Google. | msla wrote: | It does: | | https://www.theverge.com/2018/5/7/17326184/firefox-ads-spons... | bromonkey wrote: | Yep, the three clicks it takes to disable that really | drives me nuts.
| strken wrote: | I agree to some extent, e.g. the pocket integration and | Mozilla burning cash on things that aren't related to | Firefox, but Chrome's decision to limit/break key | adblocking APIs across their whole ecosystem is much worse. | I'd be willing to ignore almost any number of removed | extensions to continue using a browser that's not owned by | a glorified adtech company. | skinnymuch wrote: | What do they burn cash on? They've mostly stopped Phone | stuff right? Is there other stuff? | strken wrote: | Some of the previous discussion when they had layoffs | earlier this year: | https://news.ycombinator.com/item?id=22057737 | skinnymuch wrote: | Can you give a few examples of how Mozilla/Firefox have | changed? | | We all know about FF Quantum. Yeah it sucks what happened. | Maybe there was an alternative, but anyone saying Firefox | should've just stuck to not being compatible with Chromium | extensions is kidding themselves on how badly that would've | continued hurting Firefox's market share. The XUL powered | extensions I'm sure were powerful so the outcry in certain | places was huge. Vocal minority. | | The Pocket integration got lots of outcry which seemed | pretty silly to me. It's one product they own. Mozilla | doesn't have a ton of products. Yes that is Google like. | Much like any synergy or integrating is Google like. Which | is really just being a modern internet corporation. If this | is one of the reasons. Why would Mozilla of 5 years ago not | have done that vs the Mozilla of today and whenever they | did do it. 1-2 years ago I think? | tialaramex wrote: | Quantum wasn't even about Chrome compatibility. The XUL | extension mechanism was permanent technical debt loaded | onto the browser because of _how_ it exposed features, | basically welding things directly onto the browser's | guts, which on the one hand is super-convenient for | making radical changes in an extension and on the other | hand is a nightmare to maintain.
| | The analogy I've used is the Amiga operating system | design versus Unix when it comes to multi-core / multi-processor versus multiprocessing. Amiga welds everything | to the hardware, the Unix design has a "system call" | mechanism cleanly separating your programs from the OS | and vice versa. | | Because Unix has this relatively thick layer between the | OS kernel and the rest of the world, you can just pick up | your entire kernel, wrap it in a lock (in Linux this was | called the Big Kernel Lock in some BSDs it was Giant Lock | and other Unix systems gave it different names) and | you've got a multi-processor capable system. Linux did | this in about a year IIRC. For purely CPU bound software | this minimal work gets you 99.9% of the performance of a | custom built OS designed from the outset for multiple | processors. Subsequent work to get rid of the BKL further | improves performance on more sophisticated workloads, but | you're off to a great start. | | Amiga couldn't do that, every part of their system could | interact with every other part as it liked, so if you | tried to just add one lock to protect things the | resulting system might randomly deadlock, maybe only on | systems with specific hardware or software combinations, | and you basically needed to reconsider everything from | the ground up. | | You need a degree of abstraction like this, the Chromium-style web extensions have it, the XUL extensions didn't, | adding it to the latter would have been years of work | only to deliberately be incompatible with both existing | software on Firefox AND everybody else, madness. | | There are _definitely_ things we want in extensions. For | example Firefox has a copy of the Public Suffix List | baked inside it (all browsers should have this, in its | absence you'll get weird security behaviour around how | domains and sub-domains work) and I'd like to access | their copy from inside an extension to make it behave how | users expect.
But obviously the extension _can_ just ship | its own copy of the PSL, and then keep that up-to-date it's | just a waste of resources. | msla wrote: | First of all, they deliberately destroyed my bookmarks. | | https://drewdevault.com/2017/12/16/Firefox-is-on-a-slippery-... | | > For a long time, it was just setting the default search | provider to Google in exchange for a beefy stipend. | Later, paid links in your new tab page were added. Then, | a proprietary service, Pocket, was bundled into the | browser - not as an addon, but a hardcoded feature. In | the past few days, we've discovered an advertisement in | the form of browser extension was sideloaded into user | browsers. Whoever is leading these decisions at Mozilla | needs to be stopped. | | > Here's a breakdown of what happened a few days ago. | Mozilla and NBC Universal did a "collaboration" (read: | promotion) for the TV show Mr. Robot. It involved | sideloading a sketchy browser extension which will invert | text that matches a list of Mr. Robot-related keywords | like "fsociety", "robot", "undo", and "fuck", and does a | number of other things like adding an HTTP header to | certain sites you visit. | | https://www.theverge.com/2018/5/7/17326184/firefox-ads-spons... | | > Mozilla's motto is "internet for people, not profit," | however the realities of having to fund all of its | ventures are forcing the company into adopting one of the | web's less human-friendly aspects: sponsored content. | Having acquired read-it-later service Pocket last year, | Mozilla has been populating new tabs in Firefox with | Pocket reading suggestions -- and those are now going to | include links that an advertiser has paid for. | fwn wrote: | I'm not the previous commenter, but on Android Mozilla is | removing the ability to install extensions from third | parties (think GitHub, etc.) and will trim the only left | official extension store down to a few extensions. (I | think it's below 20 right now.)
| | An ecosystem where all extensions need to be channelled | through one central power broker is pretty much the main | requirement to allow them to do what Google is doing in | the linked Pushbullet case. | | edit: this is all factual, sadly downvotes won't change | it. | input_sh wrote: | They've rebuilt their browser from scratch and are re-adding | the APIs. It makes total sense to prioritize the | most frequently used ones now and expand to the other | ones later on. | | For me personally, Privacy Badger and uBlock Origin are | already there. I don't think I need a third one at all. | fwn wrote: | You're not challenging anything of what I wrote. | | You seem to be more confident on their reestablishment of | the extension ecosystem but didn't explain how you | arrived at that conclusion. | mintplant wrote: | This is temporary while the Android team builds out and | stabilizes the add-on APIs supported in the new Firefox | for Android. Otherwise it'd be a total crapshoot whether | an add-on you tried to install worked or broke randomly | (potentially in gnarly ways). | fwn wrote: | If locking down on the extension ecosystem were only | temporary they could just defer the nearing downgrade of | their main line browser until their replacement is fully | functional. | | But that's not what they do. Instead we do have a clear | announcement on a feature removal and a vague hint that | they might add it again in the future. | | It's absolutely not sure that disabling non-store | extensions is only a temporary defect. | | If you have evidence that suggests otherwise, feel free | to add it. | | It does not help that their marketing language feels | designed to consistently avoid any meaning whatsoever. | mintplant wrote: | > If locking down on the extension ecosystem were only | temporary they could just defer the nearing downgrade of | their main line browser until their replacement is fully | functional.
| | The update is going ahead because the new Firefox for | Android is such a dramatic improvement along all other | axes, and because, from a development perspective, the | incarnation it's replacing is saddled with legacy and | technical debt. It never received most of the benefits | from Quantum, for example. | fwn wrote: | > The update is going ahead because Firefox Preview is | such a dramatic improvement along all other axes. | | ...and even the extension axis, from a power-aware | Mozilla position. That's what makes it suspicious in the | first place. | | A few years ago they had a bug that added seconds to | every page load that they didn't fix for half a year, but | once an update coincidentally consolidates power at | Mozilla it needs to be pushed for all its supposed | benefits and despite all its known drawbacks asap. | | We wouldn't buy that if it were Google or Microsoft and | we shouldn't buy it in Mozilla's case either. ... If they | even announced that they plan to reopen the extension | system, which they (to my knowledge) did not. | | Personally I don't notice any grave difference between | Firefox and preview. Apparently scrolling should be | different, but my mid-range phone scrolls just fine in | both apps. | mintplant wrote: | FWIW, killing XUL extensions wasn't even really about | Chromium compatibility. The changes in the Quantum | rearchitecting were going to break everything _anyway_; | the decision was made to move everything onto an add-on | system which wouldn't just break again and again with | every architectural change (which, yes, did have the | benefit of Chromium compatibility). | Merem wrote: | Being in a country that was the last holdout for Firefox | (majority usage) before it was also taken over by Chrome, | I know that several others as well as I have issues with | Mozilla.
Personally, I've always used Firefox, without | exception, and stayed with XUL, rather than switch to | their new browser, as add-ons are the most important part | of a browser for me. I don't care if one is half a second | faster or not. | | Not to mention that stuff like stupid redesigns of logos | as well as the Pocket issue made me basically lose all | trust in Mozilla. Privacy is a huge deal here after all. | Those who switched regularly complain about design issues | (apparently the desktop browser is becoming somewhat | "mobile-like") and most recently the address bar problem | which upset everyone except for one person who didn't | care about that. (Meanwhile, I'm happy with my address | bar being my address bar and my search bar (being just | right of it) being my search bar.[1]) If you would ask | the people still using Firefox here whether they would | recommend it...they would most likely say "no" but then | would go on that while it isn't good, the alternatives | aren't either. | | So the question of change in direction (which is | obviously there) regarding Firefox begs the question | which people they are actually targeting? It's certainly | not your average Joe because Firefox will never be able | to out-Google Google. They are also annoying the more | advanced users who just want privacy as well as useful | things (add-ons, proper baked-in features etc) with their | shenanigans, so it can't be them either. The only people | I see actually celebrating new releases all the time | (regardless of negative changes) are the crowd on HN. So, | to me, it seems like they are targeting some kind of tech | bubble (no offense) while basically ignoring the users | out there. This is, of course, also reflected in them | continuously losing marketshare while all the back-patting | is happening. | | [1] https://abload.de/img/address-search3hjh4.png | ocdtrekkie wrote: | DNS-over-HTTPS was the big one for me. Mozilla betrayed | us here.
They've pushed something browsers shouldn't do | into the browser, and in my case, started to roll it out | to my browsers despite my network device being set to | block it. | | They actually managed to implement a policy that respects | user choice and freedom less than Chrome, which only | implements DoH if your set DNS provider supports it. | j_koreth wrote: | I don't think the Pocket was owned by Mozilla when they | announced their integration. Looking it up, it looks like | they bought it 2 years after the initial announcement so | I can see it being controversial. | MattGaiser wrote: | Have they done it or is it just an uneasy feeling? | the_jeremy wrote: | Who do you trust? Certainly not Chromium-Edge. That leaves | "only browse the internet on a Mac with Safari" or browsers | with such tiny market share that they'll never be tested | against, and sites will routinely be broken for you. My | company doesn't do any non-Chrome compatibility testing, so | all our intranet sites require Chrome. | SahAssar wrote: | Why not firefox? | colejohnson66 wrote: | In the past, it used to be (at least for me) because of | Gecko. Websites didn't render the same as in WebKit. | SahAssar wrote: | Not sure when that was but I have no rendering issues | with firefox. As a webdev I can say that FF's rendering | these days is pretty much spot on. | derefr wrote: | > Who do you trust? Certainly not Chromium-Edge. | | Why not? Chromium (= Blink, plus some other stuff like a | network request stack) development happens in the open, | just like WebKit development. It might be steered by | Google to such an extent that there's always the | possibility of it going in a bad direction; but it's not | like you're not going to hear about it if something | privacy-violating is introduced into the Chromium | codebase (rather than the downstream Chrome codebase.) | And you can switch away from the browsers that use it | if/when that happens. 
| | For that matter, if upstream Chromium ever _did_ start | "going bad", those browsers that rely upon it would also | likely switch away from it, either cooperatively forking | it into a new community-maintained project, or switching | over to WebKit (with which it is still mostly ABI-compatible.) | | > browsers with such tiny market share that they'll never | be tested against, and sites will routinely be broken for | you | | Even if you don't want to use anything based on Blink, | WebKit is also a large ecosystem, and minor WebKit-based | browsers can "inherit compatibility" from developers | targeting (mostly Mobile) Safari. Several Linux browsers | (GNOME Web, Falkon, Midori) use WebKit, for example. They | render everything just fine (i.e. just like Safari does.) | wayneftw wrote: | I wanted to like Edge but... | | > The browser also sends unique hardware identifiers to | Microsoft, which is a "strong and enduring identifier" | that cannot be easily changed or deleted. | | https://www.bleepingcomputer.com/news/microsoft/research-fin... | derefr wrote: | Oh, ah; I thought the above meant "why not Chromium | and/or Edge" rather than "why not the Chromium version of | Edge." | | Yes, I can see why you'd avoid Edge specifically, same as | avoiding Chrome specifically. | | But that's not an argument against using upstream | Chromium (which is, in fact, a browser all on its own, | standalone downloadable and shipping with several Linux | distros); or against other Blink/Chromium-based browsers | (e.g. Brave), no? Either choice would get you | compatibility with anything Chrome itself is compatible | with (in terms of websites; not _necessarily_ in terms of | extensions--though the difference is just in the legacy | Chrome extension APIs; WebExtensions work fine | everywhere.) | laumars wrote: | Plus any smaller browser likely just another Chromium or | Blink fork. There is very little out there these days | that is truly independent.
| graham_paul wrote: | elaborate on the ublock nerfing? | AaronFriel wrote: | Chrome's Extension v3 API will remove the ability for uBlock | Origin to filter web requests in code, instead the | application will have to submit a list of URLs to filter to | an internal API and this list has a maximum size and limits | the flexibility of the URL filtering. | | See the uBlock Origin author's post: | https://github.com/uBlockOrigin/uBlock-issues/issues/338#iss... | | This is ironic, because uBlock implements an extremely | efficient filter and is even looking into using WASM to speed | it up even more. Google's public position is that | implementing functionality in JS or WASM is unacceptably | slow. They say "[Preventing or weakening ad blockers] is | absolutely not the goal. In fact, this change is meant to | give developers a way to create safer and more performant ad | blockers."[1] | | Google's public position is also that WASM is "consistently | fast"[2], fast enough to rewrite Google Earth to target | it[3], and "It's entirely feasible to build a complex code-base | to run performantly in the browser using | WebAssembly"[4]. | | So which is it? Is the Web Request API being deprecated | because it's not possible to write performant code in | extensions using Chrome's powerful JS and WASM engine, or is | it possible but there might be some other, different reason | that they're blocking it? | | [1] https://blog.chromium.org/2019/06/web-request-and-declarativ... | | [2] | https://developers.google.com/web/updates/2019/02/hotpath-wi... | | [3] https://blog.chromium.org/2019/06/webassembly-brings-google-... | | [4] https://developers.google.com/web/updates/2018/08/wasm-av1#f... | jaywalk wrote: | > In fact, this change is meant to give developers a way to | create safer and more performant ad blockers. | | Imagine anyone actually believing Google is trying to | _help_ ad blockers. What a dumb thing for them to even say. | jonas21 wrote: | Why?
When Apple made the exact same change in Safari, | they also gave these reasons, and everyone believed them. | danShumway wrote: | uBlock Origin is not available for Safari in its original | form. It only exists as a (somewhat neutered) fork that's | basically dead[0]. | | There's a disconnect in the sense that a lot of people | think that adblocking in Safari is fine, even though it | is pretty objectively less capable than Firefox/Chrome in | this area right now. There's no disconnect in saying that | Manifest v3 is going to hurt adblockers, because the same | changes in Safari also hurt adblockers, and (as of last | time I checked) Chrome's proposed changes go even farther | than Safari's did. | | But in general, yes, you should already be avoiding | Safari today if you want to use the best adblockers on | the market. Safari suffers from the exact same problems, | that's why I use Firefox even when I'm on a Mac -- | because the adblockers and security extensions for | Firefox are just a lot better. | | https://github.com/el1t/uBlock-Safari/issues/158 | mkl wrote: | Apple doesn't make their money selling ads. | deckard1 wrote: | These days Google's core value appears to be a Kafkaesque | hypocrisy. | | They promote efficient websites to increase ranking with | their search algorithm, while operating ad services that | bog websites down. Not to mention the whole AMP business | where they looked at Facebook and developed a severe case | of walled garden envy after previously being a champion | of open web standards. | cft wrote: | I switched to Firefox because of Google banning Bypass Paywalls | extension that is available as a Firefox add-on. When I was | building my bootstrapped company, Google really taunted us with | emails like this, when our AdSense monthly earnings reached | $10,000 and were my only source of income.
We had 20 million | user profile pages, and they were saying that something is | wrong with some of them, without saying what, forcing us to | "review" them all. We built sophisticated ML content filters, | to receive more unspecified warnings and get the account shut | down. I managed to reinstate the account, but it left a very | evil taste. I am in the process of degoogling, using Bing as | the default in Firefox. | the_af wrote: | > _The recent nerfing of ublock origin has already had me | feeling iffy on things._ | | What did they do to ublock origin? The single best Chrome | extension _ever_. If it stops working and I must suffer YouTube | ads again, it 's bye bye Chrome. | AaronFriel wrote: | Context and receipts are here: | https://news.ycombinator.com/item?id=23170485 | creato wrote: | If Youtube ads mean that much to you, why not just pay for | it? I'm all for ad blocking (I use ublock too) but if I | heavily use a site that offers me a way to pay a reasonable | price, I think it's the right thing to do. Uploaders with | monetized videos still get paid that way (and I don't want to | bother with Patreon etc, that doesn't nearly scale to | everyone I watch videos from). | input_sh wrote: | They're going down the Safari line of limiting the number of | rules an extension can use, significantly reducing the | efficiency of adblockers. | | If it goes as planned, you won't see ads on YouTube for sure, | but there likely won't be enough space to add rules for less | mainstream ad networks and some of the specific sites you | visit. | pixelHD wrote: | I'm assuming this [0] is what the commenters are referring | to. Google is proposing changing web request api, which can | break how ublock origin works. | | Also, this [1] happened. | | [0]: https://www.xda-developers.com/google-chrome- | manifest-v3-ad-... 
[1]: | https://github.com/uBlockOrigin/uBlock-issues/issues/745 | [deleted] | [deleted] | icheishvili wrote: | I whole-heartedly agree and this is why I give money to AWS and | Azure will not give any to GCP until the lack of transparency | and random product killings stop. | Shorel wrote: | So many people claim for change, but so few migrate to Firefox, | DuckDuckGo, or another alternative. | megablast wrote: | You should have stopped using chrome years ago. What will it | take for you to wake up? | Baeocystin wrote: | It's not about just me. I use a half-dozen different browsers | during my work day. It's how the provider of the world's | dominant browser is behaving, with ramifications that affect | all of us. | farooge wrote: | (old dude here) I knew this attitude was coming when i saw the | billboards recruiting PhD's back in 2008 (or so). I figured | they'd be completely infected by arrogant (but clever) twats | around 2015. i believe my guess proved to be true and it's been | getting worse ever since. also, the fact that their (organic) | search is so awesome also-also that they were allowed to buy | Waze, ffs, get out of my life!. | nikanj wrote: | Google is the new Microsoft. Using it is mandatory, liking it | is optional. | gumby wrote: | > I need functionality, of the type PushBullet has provided for | years, to do my work. | | If you can use the Apple stack this functionality has been | built in for years and is pretty robust. | | Just FYI as you say the functionality is _needed_ -- I know | this won't help if you can't switch to Apple | nicolasbistolfi wrote: | I've been using PushBullet for years. Great product! It's not | fair what big companies are doing to what it seems to be, | prioritizing their own features over third party well-built | products. It's abusive. | boredgamer2 wrote: | If you haven't switched to Firefox, you should! 
There were a | few things I didn't like at first, but after searching | StackOverflow and blog posts for how to change the settings, I | am now fairly happy! | crazygringo wrote: | I understand that with many spam-related heuristics, a company | like Google chooses not to share exactly why a site or e-mail | server is blacklisted -- because an actual spammer can evade that | metric and still get away with everything. | | But I don't believe that thinking applies whatsoever to apps or | extensions. There are far fewer of them and parties need to work | together. It's unfathomable to me why Google doesn't point out | which specific permissions a reviewer has flagged as suspect, or | given an option for the developer to give the justification | specific to each option. | inopinatus wrote: | Counterpoint: there is a team within Google that got it right at | least once. We have live import/export integration with Google | Sheets and this requires additional OAuth scopes. The request for | justification they sent was polite, specific about the scopes of | concern (and why), and with no hard deadline. Our response was | handled politely and promptly. | | I realise the GCP API team may not be dealing with as big of a | swamp as a consumer-facing apps group, but it was nevertheless | one of those few occasions when Google left me with an impression | other than overwhelming hubris. It was more like talking to AWS | service teams, or Cisco TAC when you have a CCIE on staff. | nikolay wrote: | Google are cutting the branch they are sitting on. I only use | Chrome because certain extensions are not available on Firefox. | During all these years, they've become impossible to deal with. I | open Chrome with 10 tabs and after a couple of hours it's using | gigabytes of RAM. From a thin client, it became the thickest | client in the visible universe. It's time to consider options... | not that there are many. 
| narrator wrote: | I can't wait till Google starts running contract tracing. | majewsky wrote: | Good news! They won't. They're only providing an API to give | everyone who needs to run contact tracing access to the | Bluetooth Beacon system. | | EDIT: /me wonders what "contract tracing" is going to be | brazzy wrote: | > clipboardRead | | I bet that this is it. Clipboard data is _extremely_ sensitive, | as it can often contain passwords. | softwarejosh wrote: | even mozilla is terrible in this regard, its a losers game. | thorum wrote: | Does your browser extension really need to access localhost/* - | as in, port 80 on my local machine? That would make me very | uncomfortable about installing the extension. | | Would it be possible to restrict the extension to accessing a | specific port or endpoint that is used by PushBullet? | raegis wrote: | Right, this suggests the app either (1) runs a web server on | the client device, or (2) wants to access a third party | webserver on the client device. I don't know if this is common. | Or maybe I don't know/understand why this is needed. | | Also, isn't allowing access to the app's website the same as | allowing access to any website? Can't you just redirect? | shadowgovt wrote: | Redirects shouldn't compromise the CORS / XSRF security | model, which is the key item of concern from a Chrome | Extension standpoint. Like if pushbullet.com redirects to | foo.com, the crex is now looking at the foo.com page and its | permissions will apply accordingly. | lostinroutine wrote: | Maybe I'm naive but what if pushbullet.com was just running | a server-side fetch and returning the result? That would | bypass CORS, essentially acting as a proxy server. | wolfgang42 wrote: | Pushbullet doesn't need a Chrome extension to tell their | server to make a web request. But, their server doesn't | have your cookies, so there's no security concern. | shadowgovt wrote: | That's a great question, and it's not limited to Chrome | extensions. 
| | In general, for any resources that don't require | credentials to access, pushbullet could hypothetically | serve them at like pushbullet.com/proxy/gmail.com/favicon | or something. But resources requiring credentials are | another thing entirely. | | In general, the thing that prevents a third-party server | from MITM'ing your interactions with a target server is a | combination of domain names and SSL certificate. That | doesn't prevent a site from _trying_ to get you to let it | act as a MITM, but it prevents the site from acting as | the MITM while claiming it's something else. | | As a concrete example, let's imagine pushbullet.com | wanted to act as MITM for your GMail account. If it has | your username and password, then ( _handwaving here; | GMail's authentication model is complex_) it could do | that; it could forge well-crafted requests that look like | they come from your browser, and get proper responses | back. | | But if it doesn't have your username and password, | there's not a lot it can do. Your browser won't give | pushbullet.com cookies scoped to gmail.com, and if | pushbullet tries to ask you for your password, they can | only do so much to make it look like GMail's the one | asking (SSL certs make it hard for pushbullet to try and | forge a GMail front-page with a gmail.com domain). It can | still happen, but "user was tricked into ignoring the | domain name and gave their password to another service" | isn't something web security models can fix. | lostinroutine wrote: | Thanks for the explanation! I guess I was looking at it | more from the perspective of merely making requests | (without creds). | | My understanding is that if an extension has a wildcard | 'https://*' origin listed in its manifest, then it can | make cookie-populated requests to any domain that matches | the wildcard. That's actually pretty scary from privacy | and security perspectives. But I suppose that's part of | the reason CWS has moderation in the first place.
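Added example (not part of the thread, and not Pushbullet's code): a small Node.js audit of the permission change discussed here. It flags all-site host patterns, plaintext http, loopback access, and the `clipboardRead` and `cookies` permissions commenters mention, then shows which URLs each manifest can reach. The two manifests and the sample URLs are constructed, the matcher is simplified (http/https only, ports ignored), and the severity labels are this example's own.

```javascript
'use strict';

// API permissions that commenters in the thread single out, with the concern.
const SENSITIVE_API = new Map([
  ['clipboardRead', 'clipboard contents can include passwords'],
  ['cookies', 'cookie access for every host the extension can reach'],
]);
const LOOPBACK = new Set(['localhost', '127.0.0.1']);

// Split a match pattern ("https://*.example.com/*") into scheme, host, path.
// Returns null for API permission names such as "notifications".
// Simplification: only http/https patterns are modelled and ports are ignored.
function parsePattern(p) {
  if (p === '<all_urls>') return { scheme: '*', host: '*', path: '/*' };
  const m = /^(\*|https?):\/\/([^/]+)(\/.*)$/.exec(p);
  return m ? { scheme: m[1], host: m[2].split(':')[0], path: m[3] } : null;
}

// Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
function requested(manifest) {
  return [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
}

// One finding per risky entry. The levels are this example's own labels.
function auditManifest(manifest) {
  const parsed = requested(manifest).map((p) => ({ p, pat: parsePattern(p) }));
  const allHosts = parsed.some(({ pat }) => pat && pat.host === '*');
  const findings = [];
  const add = (permission, level, reason) => findings.push({ permission, level, reason });
  for (const { p, pat } of parsed) {
    if (!pat) {
      if (!SENSITIVE_API.has(p)) continue;
      // "cookies" is only as broad as the host access it is paired with.
      add(p, p === 'cookies' && allHosts ? 'high' : 'review', SENSITIVE_API.get(p));
    } else if (pat.host === '*') {
      add(p, 'high', 'grants access to data on every site the user visits');
    } else if (LOOPBACK.has(pat.host)) {
      add(p, 'review', 'reaches services listening on the local machine');
    } else if (pat.scheme !== 'https') {
      add(p, 'review', 'allows plaintext http to this host');
    }
  }
  return findings;
}

// Does a host match pattern cover this URL?
function matches(pattern, url) {
  const pat = parsePattern(pattern);
  if (!pat) return false;
  const u = new URL(url);
  const scheme = u.protocol.replace(':', '');
  if (!['http', 'https'].includes(scheme)) return false;
  if (pat.scheme !== '*' && pat.scheme !== scheme) return false;
  const base = pat.host.replace(/^\*\./, '');
  const hostOk = pat.host === '*' || u.hostname === base ||
    (pat.host.startsWith('*.') && u.hostname.endsWith('.' + base));
  if (!hostOk) return false;
  // Turn the path glob into a regular expression: escape, then "*" -> ".*".
  const glob = pat.path.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + glob + '$').test(u.pathname + u.search);
}

// Which of the given URLs could the extension read or request?
function reachable(manifest, urls) {
  const pats = requested(manifest);
  return urls.filter((u) => pats.some((p) => matches(p, u)));
}

// Constructed manifests, not Pushbullet's real files. The host patterns are the
// "before" and "after" sets quoted from the blog post in this thread; the API
// permission entries are assumptions added for illustration.
const BEFORE = {
  manifest_version: 2,
  permissions: ['notifications', 'cookies', 'clipboardRead', 'http://*/*', 'https://*/*'],
};
const AFTER = {
  manifest_version: 2,
  permissions: ['notifications', 'cookies', 'clipboardRead',
    'https://*.pushbullet.com/*', 'http://*.pushbullet.com/*', 'http://localhost/*'],
};
// Constructed sample URLs.
const SAMPLE_URLS = [
  'https://www.pushbullet.com/',
  'http://localhost/ping',
  'https://mail.example.com/inbox',
  'http://intranet.example/wiki',
];

for (const [name, m] of [['before', BEFORE], ['after', AFTER]]) {
  const summary = auditManifest(m).map((f) => `${f.level}:${f.permission}`).join(' ');
  console.log(`${name}: ${summary} | reachable: ${reachable(m, SAMPLE_URLS).join(', ')}`);
}
```

The narrowed manifest still draws `review` findings for the plaintext `http://*.pushbullet.com/*` pattern and for `http://localhost/*`, the two items other commenters suggest removing or replacing with Native Messaging.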
| Guzba wrote: | We use localhost to communicate with our desktop application | which is commonly installed alongside our extension by users. | | An example of how we use this communication channel is | preventing both our extension and desktop apps from showing | notifications on the same computer. Our apps are all about | notifications so this would get unacceptable very fast. We ping | our local desktop app via localhost to see if it can manage the | notification, and show it with our extension if it isn't | running. | | Maybe if we limit it to just the local port we use? Seems like | it can't hurt to try that too. | [deleted] | karlicoss wrote: | It might be a bit trickier, because if you hardcode the port | in the manifest, the user wouldn't be able to change it? | | Might be better than nothing I guess, but on the long term | you'd need to add the port in settings and request the | permission for localhost+port dynamically? But that's got | another issue, e.g. last time I tried it [0] for my | extension, Firefox didn't support dynamic URL permissions for | URLs with ports. | | [0] https://github.com/karlicoss/grasp/blob/f24378ebae68c22be | a03... | paulirwin wrote: | I believe you're supposed to use Native Messaging for that: | https://developer.chrome.com/extensions/nativeMessaging | rosywoozlechan wrote: | This may be well what needs to change, but in any case the | message from Google should have been explicit about it | instead of the dev involved having to create a blog post, | hope it gets traction on HN and that someone here knows | what the problem is. | maartn wrote: | the docs are pretty explicit about it | nolok wrote: | Yes and no, I would be glad if Google in general could | get much much better at this but in this specific case | I'm sorry but http://* and localhost access is not a | hidden small thing. | VWWHFSfQ wrote: | You can probably get around this by setting up some DNS like | localhost.pushbullet.com -> 127.0.0.1. 
It's probably not in | the spirit of what they're asking for though, if it is indeed | the problem. | stingraycharles wrote: | This is a very good suggestion, and could very well be the root | cause of these rejections. It's a potential security | vulnerability that is triggering the violation. | | I hope the author sees thorum's comment! | poopyKnoopers wrote: | Nah, dude. Fuck that localhost access. Sorry, but I wouldn't | install something that's running listeners on localhost:80 (or | any other port) just because they want to route data from a | browser extension to an installed program. | | That's a pretty bootleg hack, to be quite honest. | | Would you _dare_ touch my /etc/hosts mappings too? | | Guess again, Mark Shuttleworth! You wouldn't ever even get | installed in the first place. You DON'T have root. Not anymore. | [0] | | Google is correct to reject you. Localhost belongs to the | individual. | | [0] http://security.stackexchange.com/questions/44512 | Animats wrote: | It's inherent in what Pushbullet is doing that Google would not | like it. It aggregates user data from multiple sources, including | SMS, notifications, and chat, sends it to the Pushbullet servers, | and sends it back out again. Only Google is allowed to aggregate | data like that. | | _Fuhrer command! Suffer us to obey!_ | fourzs wrote: | When I was sixteen years I received the exact same email from | Google, and was then permanently banned from the chrome web | store. | gregsadetsky wrote: | I went through the same hell a year ago [0]. My extension [1] now | has 60k users (covid added 10k users in 1 month) and I'm also | afraid that any insignificant update would trigger this hell. | | I'll contact PushBullet with a possible way forward (PB, if | you're reading this -- contact me). Anyone else in this | situation: my email is in my profile. | | [0] https://news.ycombinator.com/item?id=20186915 | | [1] https://chrome.google.com/webstore/detail/dictation-for- | gmai... 
| Kikawala wrote: | I've been using Pushbullet in FF and on my iOS devices for years, | but need to find a replacement as the app was removed[1] from the | App Store. | | [1]https://www.reddit.com/r/PushBullet/comments/eirc1m/not_avai.. | . | moxylush wrote: | You are the victim of an algorithm. No people and no | accountability, that's how they roll. | FriendlyNormie wrote: | Meanwhile the Honey extension is fearlessly purchased for 4 | billion dollars. Something smells like shit here. | ggm wrote: | Don't they call this a "marketplace"? If so, the Regulator is the | FTC not the FCC. | | If they walk like a duck and call it a duck then talk to the duck | hunting authority? | mgeyer wrote: | Wait can someone please simply explain to me what's going on here? | I'm new to this but I absolutely love it! and I paid for it too. | Why do all good things have to be taken away? | Arcsech wrote: | This kind of thing just keeps. Coming. Up. from Google and | between ML black boxes making arbitrary judgements and random | product shutdowns, a hard requirement for any personal projects | of mine is "no Google dependency", because it might vanish at any | time, with zero notice or recourse. | pkaye wrote: | What kind of people make these decision at Google? Engineers? Or | did they automate everything with "machine learning"? | snazz wrote: | It's very automated, especially during the pandemic when many | of the content moderators can't go to work. | cirwin wrote: | We went through the same problem at Superhuman (and as I write | our latest extension update has been pending review for 2 weeks, | so maybe we're about to hit it again). | | Simeon on the mailing list was quite re-assuring, and I would | recommend reaching out to him, though there are limits to what he | can help with. | | That said we found that the review process is quite arbitrary, | resubmitting may work simply because you get a different | reviewer.
(We've seen identical copies of the extension with | different version numbers where one was approved and one | rejected). | | We've also observed that they use some kind of automated code- | analysis to tell whether or not you're making use of the | permission; so you may want to check that it's obvious from the | code included in the extension bundle that you need the | permissions you're asking for. | | We've also hypothesized that they apply different standards to | extensions depending on the number of users - our staging | extension (~50 users) usually gets approved quickly, but our | production extension usually takes a while and is less likely to | be approved. (This may just be luck of the draw coupled with | arbitrariness though) | sevencolors wrote: | Damn that sounds like crazymaking :( | | Dunno why they can't be more explicit which part of the code is | the issue | binaryfour wrote: | This literally just happened to me today... | grwthckrmstr wrote: | Yikes! I've used PushBullet for since several years and I can't | imagine not using it. | | I can understand why Google is doing this though. They have a | "Send to device" feature in Chrome. Killing the top 3rd party app | is the perfect way to grow adoption of their new & in-built | feature. | | "Do no evil" | philsnow wrote: | Neither here nor there but it was "Don't be evil", never "Do no | evil". The latter evokes the Hippocratic Oath and sounds | virtuous, but the former is a somewhat tongue-in-cheek | reference to the (at the time) megacorps they wanted Google to | not be like. | | (Mind, they're arguably not complying with the "Don't be evil" | version _either_ , especially lately.) | jerf wrote: | You know, at the _very least_ it would be nice to get something | a bit more direct, like, "We are no longer permitting | extensions that do X on our marketplace", or heck, even just a | "We're permanently rejecting this for unspecified reasons." 
| | But if that's what you're doing, don't claim that the extension | is being rejected for "overbroad permissions". I understand | that Google may not literally come out and say "We've decided | to eat your extension's functionality and you can just burn." | But don't _lie_ about why it's being rejected... however much | you may wrap the result up in marketingspeak, don't actively | _lie_ about the reason for rejection, so that someone can burn | the candle at both ends for two weeks futilely trying to appease | the lying error message. | | As for the fact it may not look that great no matter how much | marketing-speak it gets wrapped up in for Google to just eat | some functionality and kill all competition... yeah, well, suck | it up Google. Don't _lie_ about it. I mean, you can always spin | it as security security blah blah security if nothing else, | which ought to be enough of a fig leaf. | TheAdamAndChe wrote: | Outright admitting this may cause issues with antitrust laws. | geza wrote: | I got the same notification yesterday morning for my own open- | source extension HabitLab ( https://habitlab.stanford.edu/ ) - | same vague request for "you're not using the minimal set of | permissions" without mentioning what permissions they want me to | stop using (HabitLab is already using the minimal set of | permissions for the features it implements - any removal of | permissions would have to be done at the expense of reduced | functionality). Emailing just results in them sending me a link | to the policy. So this is definitely not an isolated case. | BFatts wrote: | It says, in the email provided, exactly what must be done: Change | the required permissions - your scope is too broad. | extesy wrote: | I'm in the same boat. My open source chrome extension[1] has just | been taken down[2] after several years of no complaints because | it apparently violated content policies related to nudity and | pornography. Say what?
Well, I guess you could view _any_ image | using my extension, including nudes. Isn't that the problem with | most other extensions which could be used on porn sites, like | editing cookies, etc? I've submitted it for re-review but I'm not | holding much hopes. | | [1] https://github.com/extesy/hoverzoom [2] | https://github.com/extesy/hoverzoom/issues/512 | __s wrote: | Only perverts use binoculars | ChrisMarshallNY wrote: | I am the proud recipient of _many_ Apple rejection notices from | the App Store (I have been releasing iOS apps since 2012). I have | not had an app pulled, but I have had many rejections to | submitted apps (the latest were received yesterday). | | In all of the notices, Apple is usually quite explicit in what | the problem is, including attaching screengrabs, and they will | respond, if I ask them for further clarification. | victorvation wrote: | I've seen cases where Apple will actually decompile/debug your | app and point you the exact feature / method / line that they | find unacceptable. Despite all of my other complaints about iOS | ecosystem, they _do_ keep their App Store walled garden fairly | well tended. | hutzlibu wrote: | Out of curiosity, where those big name apps, or small ones? I | assume that level of service is reserved or more important | apps? | victorvation wrote: | Not a tiny app by any means, but we were definitely small | enough that we were surprised at the level of depth in | their analysis. | ChrisMarshallNY wrote: | Small ones. Most are free. | | Over the years, I've had over twenty apps in the store, but | most are retired. | | I'm down to seven: https://littlegreenviper.com/AppDocs/ | ashtonkem wrote: | I had Apple point out that I hadn't yet added a TOS for a | trivia app I was making; they're very thorough. | filleduchaos wrote: | This is why I'm often amused when people gripe about the | $99/year membership fee for the Apple Developer Program. 
| Wowfunhappy wrote: | As someone who gripes about it: I think $99/year is a | perfectly reasonable fee in order to submit to the App Store. | I just don't think it should be the only way to run my own | code on my own phone (without jumping through the ridiculous | hoop of reinstalling an app every single week). | sushid wrote: | You just answered yourself. It's not the only way to run | your own code on your own phone. AFAIK that restriction is | to prevent jailbreakers from easily sideloading paid apps | as "their" apps on their phones. | Wowfunhappy wrote: | But it effectively is! There is no way for me to make | _anything_ useful if I have to connect my phone to a | computer and reinstall the app every seven days. If I | forget, the app suddenly won't open. If I go on vacation | without a computer, the app won't open. The seven day | thing is useful for testing and nothing more. | | If the goal is to prevent piracy, well, as with other | forms of DRM, I as a paying customer don't appreciate | being treated as a thief. Dedicated pirates can and do | just buy stolen enterprise certs on the black market | anyway. | rosywoozlechan wrote: | Xcode is free, Interface Builder is free, all the | documentation for everything is free. I'm trying to get into | Windows development and don't use Apple devices, but I agree | $99 a year for everything Apple gives developers is not | expensive considering the value and the cost of these tools | on similar platforms. | benhurmarcel wrote: | They're "free" but you must buy Apple hardware to run them. | ChrisMarshallNY wrote: | I consider it a "token" amount, calculated to be just enough | to keep people that aren't actually serious about releasing | apps out. | | They sure aren't looking at developer account fees to hold | their bottom line up. | | It's low enough that I can easily keep two organizational | accounts going.
| wegs wrote: | I just want to mention this is why I believe Google will never be | able to compete with AWS, or otherwise be credible in the B2B | space. You're relying on automated systems which can take down | your business on a whim, with no recourse. | | Where I work uses Office 365, which is a horrible, horrible | technology compared to Google Suite, but I can't, in good faith, | argue for switching to Google. It's not a company I'd ever rely | on in a business setting. | MattGaiser wrote: | Any reason that Google doesn't give reasons and ways to comply? | | I haven't ever had to deal with a Google person regarding Android | development, but when I built stuff for Blackberry (miss that | company), they always provided nice and detailed feedback. | Blackberry famously let legal influence design, so I would be | surprised if it was a cover your ass thing. | 29083011397778 wrote: | > Blackberry famously let legal influence design, | | Do you have a source or link for this at all for further | reading? A quick search doesn't turn up anything, but it sounds | like a great read | MattGaiser wrote: | Famously might be too broad and a bias from my own | experience. I went to school in Ontario and knew a bunch of | Blackberry interns and employees and people generally know a | lot of absurd stories about RIM. | | An intern who I went to school with told me about how legal | once chose the colors for a dashboard he worked on as they | did not want to seem to be copying some other company. | | A co-op complained about them being in every meeting and | constantly shooting stuff down. | | The one written reference to it I know about was in a 2011 | open letter. | | https://bgr.com/2011/06/30/open-letter-to-blackberry- | bosses-... | iaml wrote: | Most likely an automated system to prevent abuse. For a company | that takes pride in their machine learning they sure do have a | lot of false positives. 
| [deleted] | patwalls wrote: | Because they are attempting to automate all of it. This message | is generic and based on some analysis of the "manifest.json". | | They have also _turned off_ all reviews in the Chrome Web | Store: https://news.ycombinator.com/item?id=22935092 | gowld wrote: | Huh? They turned off reviews because a _worldwide pandemic_ | eliminated their ability to maintain staff to moderate | reviews. That's the _opposite_ of "automating it". | patwalls wrote: | I'm not saying that's why they turned them off, just | another sign that Google is not investing | time/money/resources into the Chrome Web store. | pgrote wrote: | Is there a replacement for pushbullet? | | Long time user of pushbullet since I like to be able to text from | the desktop. Google has released messages.google.com, which is a | nightmare to use among various desktops. | | Microsoft released their Phone app, which disconnects so | frequently it is unusable. | | I have no confidence Google will allow pushbullet back. | | Is there a replacement that allows notifications and texts from | the desktop? | yawniek wrote: | i guess removing plaintext http and localhost should fix this. | Guzba wrote: | We never use plaintext http so that is a reasonable thing to | remove for our first-party domain (pushbullet.com). | | We use localhost to communicate with our desktop application. | An example is preventing both our extension and desktop apps | from showing notifications on the same computer (our apps are | all about notifications so this would get unacceptable very | fast). Maybe if we limit it to just the local port we use? | Seems like it can't hurt to try that too. | frei wrote: | You could try that. Long term, it should also be possible to | route this communication through the internet, or use the | Chrome/Firefox/WebExtension NativeMessaging API [0][1]. | | 0. https://developer.chrome.com/apps/nativeMessaging. | | 1.
https://developer.mozilla.org/en-US/docs/Mozilla/Add- | ons/Web... | duncan_bayne wrote: | From a comment by Baeocystin: | | "If you use our tools, we can kill your livelihood at any time | for any reason and tough shit if you want a why" | | It has always been thus with proprietary tools and platforms. | | Back in 2011 I switched careers from developing software on | proprietary stacks - at the time C# 4.0, Silverlight, and MS | Windows - to developing on open source stacks, starting with Ruby | on Rails and JavaScript. | | It looks like the younger generation is busy rediscovering the | vulnerability and helplessness of such systems themselves. | | A short time after I switched away from Silverlight, I found a | bug in the open source XML library my team was using. I then | submitted a PR to fix it, which was merged (with some revision | :)) after a few days. The experience was a revelation after the | combination of magic 8 ball and years-long wait times for non- | critical bug fixes on Visual Studio. | | If you develop for Chrome, or the App Store, or Play Store, or | iOS (and increasingly MacOS these days), or Windows... don't | complain when the owners of those systems bite you in this | fashion. | dapids wrote: | The fact that this team realized so simply that they shouldn't be | reading data on every site the user visits while the extension is | installed is deserving of a vague response from google. Sad | really. | mehrdadn wrote: | My guess is 'cookies'. You really shouldn't need access to (say) | the user's Google cookies. I don't expect Google likes extensions | doing that without good reason. | typenil wrote: | Another reason to use Firefox. | tonystubblebine wrote: | I'd been in a similar issue on the Android store and found that | the best solution was to try to game whatever bot is flagging | you. 
Support was completely unable to provide clarity and getting | escalated by internal Google employees just led to more unhelpful | emails from higher levels of support. | | I was positive that I was in compliance but I could also see that | a bot was flagging something. So I kept tweaking code and | resubmitting. Eventually what worked was taking the offending | code block and hiding it at the server level. | | It's such a face palm. I literally call out to the server to run | some logic that should be completely safe to run in the app. | ridewinter wrote: | As the developer of an exposure notification app put on ice by | Apple-Google, it's due time to take back the freedom of the | internet that made it so powerful in the beginning. | | Is there anything happening around an all-web app phone? Seems | like all the pieces are there..like native functionality in | JavaScript with certain extensions. | meraku wrote: | Another happy PushBullet user here. Extremely useful for | receiving text messages from my phone while on my laptop, | especially for web apps that insist on sending security codes | that way instead of TOTP. | | This sort of behavior from Google really is infuriating. How they | can just decide to boot an app from the Chrome Store that is | installed by over a million users is mind-boggling. | | It's a pity that Chrome doesn't allow extensions to be installed | from the new Edge store, like Microsoft allow Edge to install | extensions from the Chrome store. With both built on Chromium, | that could've potentially been a workaround (though you may want | to consider adding this extension to the Edge store anyway). | | Hopefully someone from Google will see this and stop the madness | or be able to provide more details on exactly what needs to be | done, though I wouldn't bet on it. | driverdan wrote: | > It's a pity that Chrome doesn't allow extensions to be | installed from the new Edge store | | Why would anyone want to do that? 
What's a real pity is that | they make every effort to block users from installing their own | extensions. App stores are terrible. | shadowgovt wrote: | How does Chrome prevent people from installing their own | extensions? Download-and-unpack still works fine, last I | checked. | Spivak wrote: | No, they make every effort to ensure that installing | extensions outside the store is annoying so that you can't | push your malware by just having users download and install | it. This kind of malware _plagued_ Firefox for years until | they made extension signing mandatory | kyriakos wrote: | I switched to Edge chromium when the first production release | came out and I am extremely happy. I use all my extensions | including uBlock Origin straight from chrome Web store and it | feels a bit snappier than chrome itself. | jyfzbj wrote: | This is concerning. Shouldn't Google's store have a dedicated | support rep for extensions above a certain threshold? | tbodt wrote: | https://twitter.com/dotproto | dathinab wrote: | I'm always surprised that such an in-transparent behavior is even | legal for the operator of a custom marketplace (or whatever you | call it). | | (I think the same about Google Play, the iOS App Store etc.) | jlevers wrote: | This happened to me, too. After emailing customer support several | times asking for clarification, and getting the same | uninformative answer every time, I decided to take down the | (free) extension (which had 20,000+ users) rather than risk | having my developer account deactivated for uploading a rejected | extension too many times. | | I use Pushbullet every day, and would be gutted if it were killed | for such a ridiculous reason as this. | jaredandrews wrote: | Slightly related, Google is also tightening up Android 11 | location permissions (with good reason). In this blog post[0] | they outline a process for getting approval that was supposed to | be underway by the start of May.
| | So far I have not been able to locate this form nor have I been | able to find any Android developers who have. | | If anyone here knows where it is or what the deal is, please let | me know. | | [0] https://android-developers.googleblog.com/2020/02/safer-loca... | 51Cards wrote: | LONG term Pushbullet user here, big proponent of their services. | I use it on Firefox myself so this doesn't affect me personally | but still there are few services I will strongly advocate for. | Pushbullet is one of them. Google, if you're listening this is | going to make a lot of users very unhappy. | throw1234651234 wrote: | I just want to take this opportunity to complain about trying to | send a gmail email from a service account, which required us to | use G-Suite, and still doesn't work because it can't generate a | token. | geofft wrote: | Uh, yikes: | | > _As I looked at the permissions and what our extension actually | needs to operate, I noticed a great opportunity to reduce our | permissions requests. We do not need to request access to data | on https://*/* and http://*/*. Instead, we can simply request data | access for https://*.pushbullet.com/*, http://*.pushbullet.com/*, | and http://localhost/*. This is a huge reduction in the private | data our extension could theoretically access. A big win!_ | | While I agree with the larger part about the lack of transparency | of what they want you to fix, this is an amazingly huge | oversight, and the fact that the extension review process got an | established, popular extension to go "Wait, we don't actually | need to request access to every website ever" is a point _in | favor_ of the review process - and, unfortunately, a (weak) | argument in favor of the review process taking the attitude that | they get lots of crap and don't have the time to explain to all | the authors of crap what they're doing wrong. How did the | extension ever ask for this _in the first place_? | | Also why do you need http://localhost/?
Is the extension running | a web server on localhost with native code? If so, can you use | the specific mechanism/permission for communicating with native | code via a subprocess (because it turns out running a web server | on localhost is very hard to do securely)? If not, what's it for? | | I'm sympathetic to the broader argument here, but given the | provided information, all of this is consistent with an extension | that _should_ be kicked off the app store within 14 days. | factsaresacred wrote: | Have been through a similar experience. | | Developing extensions for Google Chrome is a particular form of | masochism. They really don't seem to care. And things took a turn | for the worst last December when the approval process went from | hours to weeks. | | Check out the Chrome Google group for a sample of the lost souls | who hitched their wagon to the Chrome platform and now cry | futilely into the abyss for support: | https://groups.google.com/a/chromium.org/forum/#!forum/chrom... | yorwba wrote: | This one looks particularly relevant: | https://groups.google.com/a/chromium.org/forum/#!topic/chrom... | | It seems like all extension developers play the same game of | guess-and-check to find out which permissions they should | remove, and the unlucky ones get banned for trying too often. | thatguy0900 wrote: | When I read something like this I have to assume Google is | just trying to kill off extensions, it's such a glaringly | obvious problem there's no way any human has seen and okay'd | it with good intentions. | aaanotherhnfolk wrote: | I'm the person at $dayjob who has to chart a course through | the recent chrome web store changes and this is honestly my | conclusion too. | | These extensions don't make any money at all for Google, in | fact some of them lose money for Google (privacy oriented | extensions, ironically.) 
| | They are a security nightmare for Google, capable of side | channel browser attacks or direct abuse via a permission | (all_urls permission can read your emails to grandma.) | | Google doesn't want extensions to exist, and they also | can't outright kill them without creating a new foothold | for their competitors in the browser wars. So we get this | intentionally masochistic process change. Jump this high or | we'll ban you. Now jump higher but with your eyes closed. | Okay, now backflip or you're banned. The extension | developers have absolutely no power to fight back. | devit wrote: | The fact that they were requesting https://*/* and http://*/* | (i.e. full control over all your accounts) without it being | absolutely necessary reflects terribly on them. | | Still not clear why localhost (which can mean root access to the | local machine since it may have localhost-only services that | enable that) and cookies access is needed, also | http://*.pushbullet.com is unnecessary since they should always | use HTTPS. | | If they had properly implemented the extension they may not have | this problem now. | jeromegv wrote: | Nobody is against enforcing better behaviors from developers, | the issue is that they are not telling anyone what those issues | are. I don't know why you can always count on someone to defend | a multi-billion corporation against small companies, is there | no empathy left? | gowld wrote: | Why doesn't Google notify all extension devs about these | issues, to get it fixed, instead of sending vague threats? | KCUOJJQJ wrote: | Does Google send this message to random developers ([1]) and | then look at the changes that developers make to get a list | of things that developers apparently think are not so good? | | [1] https://en.wikipedia.org/wiki/Thirty-Six_Stratagems#Stomp_th... ___________________________________________________________________ (page generated 2020-05-13 23:00 UTC)
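The permission reduction quoted in geofft's comment and questioned in the mehrdadn and devit comments, as an added example that is not part of the thread and not Pushbullet's code: a small audit of the host access a WebExtension manifest requests. The two sample manifests are constructed from the patterns quoted in the thread, and the function and tag names are hypothetical.

```javascript
"use strict";
// Match pattern shape: <scheme>://<host>/<path>. Any other entry in
// "permissions" is treated as an API permission name such as "cookies".
const PATTERN = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/;

function classifyPattern(pattern) {
  if (pattern === "<all_urls>") return ["all-hosts"];
  const m = PATTERN.exec(pattern);
  if (!m) return []; // not a host pattern
  const scheme = m[1];
  const host = m[2].replace(/:\d+$/, ""); // ignore an explicit port
  const tags = [];
  if (host === "*") tags.push("all-hosts");
  if (host === "localhost" || host === "127.0.0.1") tags.push("localhost");
  else if (scheme === "http" || scheme === "*") tags.push("cleartext-http");
  return tags;
}

function auditManifest(manifest) {
  // MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
  const declared = [...new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ])];
  const findings = [];
  for (const p of declared) {
    for (const tag of classifyPattern(p)) findings.push({ pattern: p, tag });
  }
  // The cookies API only reaches hosts the extension also holds host
  // permission for, so report the two together.
  if (declared.includes("cookies")) {
    const hosts = declared.filter((p) => p === "<all_urls>" || PATTERN.test(p));
    findings.push({ pattern: "cookies", tag: "cookie-access", hosts });
  }
  return findings;
}

// Constructed sample manifests (not taken from the real extension).
const BEFORE = { permissions: ["https://*/*", "http://*/*", "cookies"] };
const AFTER = { permissions: ["https://*.pushbullet.com/*",
  "http://*.pushbullet.com/*", "http://localhost/*", "cookies"] };
for (const [name, m] of [["before", BEFORE], ["after", AFTER]]) {
  console.log(name, auditManifest(m).map((f) => `${f.pattern} -> ${f.tag}`));
}
```

On the reduced manifest the audit still reports the cleartext pushbullet.com pattern, the localhost pattern and the cookies permission, which are the three items the devit comment asks about.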