Makers of ad blockers and browser privacy extensions fear the end is near

Overhaul of Chrome add-ons set for January, Google says it's for all our own good

Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

The anticipated result will be fewer extensions and less innovation, according to several extension developers.

Browser extensions such as Ghostery Privacy Ad Blocker, uBlock Origin, and Privacy Badger, along with scripting extensions including TamperMonkey, which are each designed to block adverts and other content and/or protect one's privacy online, are expected to function less effectively, if they can even make the transition from Mv2 to the new approach: Manifest v3.

Manifest v3 caps the certain capabilities of extensions and cuts off innovation potential

"If you asked me if we can have a Manifest v3 version of Privacy Badger, my answer is yes, we can and we will," said Alexei Miagkov, senior staff technologist at the Electronic Frontier Foundation, in a phone interview with The Register. "But the problem is more insidious. It's that Manifest v3 caps the certain capabilities of extensions and cuts off innovation potential."

Google argues otherwise and maintains its platform renovation will meet developers' needs, including those making tools for content blocking and privacy. The internet titan, which declined to comment on the record, maintains that Mv3 aims to improve privacy by limiting extensions' access to sensitive data and that it has been working with extension developers to balance their needs with those of users.

Google points to past endorsements, such as remarks provided by Sofia Lindberg, tech lead of ad amelioration biz Eyeo, which makes Adblock Plus. "We've been very pleased with the close collaboration established between Google’s Chrome Extensions Team and our own engineering team to ensure that ad-blocking extensions will still be available after Manifest v3 takes effect."

A numbers game

The estimated number of browser extensions in the Chrome Web Store as of two years ago ranged between about 156,000 and 190,000. Today, that figure is said to be almost 114,000. Comparing these numbers isn't straightforward – Google doesn't publish store data so third parties devise their own counting methods.

About two dozen Chrome extensions have over 10 million users, but most (about 87 per cent) had fewer than 1,000 installs in 2019, according to Extension Monitor, a now-defunct service. Google's disinterest in Chrome Web Store metrics may have something to do with it not being a profit center like Apple's App Store or Google Play – which both Apple and Google celebrate for their revenue generation. When Google discontinued the Chrome Web Store payment API in September 2020, only about nine percent of the extensions were paid or implemented in-app purchasing.

According to Chrome Stats, the most popular Chrome extensions block ads on Google and YouTube, making them something of a revenue sinkhole.

Google began work on Manifest v3, the successor to Mv2, in late 2018, ostensibly to make extensions more secure, performant, and private. The company's extension platform renovation was necessary – because extension security problems were rampant – and immediately controversial. An ad company making security claims that, coincidentally, hinder user-deployed content and privacy defenses looks like self-interest.

And Mv3 remains the subject of ongoing debate as the extension platform capabilities and APIs continue to be hammered out. But it has been adopted, with some caveats, by other browser makers, including Apple and Mozilla. Makers of Chromium-based browsers inherit Mv3 and Microsoft has already endorsed the new spec.

Others building atop Chromium like Brave, Opera, and Vivaldi have indicated interest in continuing to support Mv2, though it's unclear whether that will be practical beyond June of next year. If Google removes the Mv2 code from Chromium, maintaining the code in a separate Chromium fork may prove to be too much trouble.

The most widely noted change in Mv3 – and there are many that have significant implications – is the removal of the blocking version of the webRequest API, which is being replaced by an API called declarativeNetRequest.

Google insists the change is not about hindering content blockers.

There’s been a lot of confusion and misconception around both the motivations and implications of this change, including speculation that these changes were designed to prevent or weaken ad blockers

"There’s been a lot of confusion and misconception around both the motivations and implications of this change, including speculation that these changes were designed to prevent or weaken ad blockers," said Simeon Vincent, Chrome developer advocate, in a 2019 blog post. "This is absolutely not the goal. In fact, this change is meant to give developers a way to create safer and more performant ad blockers."

Requests, and more requests

The blocking version of the webRequest API allows an extension to see all the data in a network request before it gets sent – and possibly block or alter it – and to see all the data in a network response – and possibly block or alter it – before rendering it to a web page.

Given that passwords and account information could be intercepted this way, the webRequest API can be easily abused by bad extensions. According to Vincent, as of January 2018, 42 percent of malicious extensions were exploiting the webRequest API.

The declarativeNetRequest API works differently, applying rules – declared in advance or, in limited numbers, at runtime – that take action when they see a specific network request. The result is extension developers have an API that's less capable but more secure with respect to eavesdropping on network requests.

Asked to cite an Mv3 API that makes ad blocking and privacy extensions more effective, Google pointed to declarativeNetRequest as being more performant and more secure than webRequest.

Mozilla last year said the opposite in a blog post discussing Mv3: "We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR [declarativeNetRequest] as currently implemented by Chrome does not yet meet the needs of extension developers."

Raymond Hill, the creator of uBlock Origin, last December offered a similarly negative assessment of declarativeNetRequest:

An example that the declarativeNetRequest ("DNR") API is an obstacle to innovation in content blockers.

In discussion with filter list maintainers, last year I implemented a new feature, the ability to use "entity" in domain= option.[1] The DNR API does support domain= option, but it does not support "entity", which is the ability to use a wildcard in place of the effective TLD, to avoid to list all domains belonging to an entity.[2]

I can count over 420 filters currently in the default filterset which uses this feature, clearly a benefit to filter list maintainers. These filters would cease to exist in a DNR-based blocker.

The core issue is the lid on innovation, which is key for content blocker to stay reliable. If the DNR API had been designed in 2014 according to the requirements of the time, content blockers would be awfully equipped to deal properly with the current landscape. The DNR API as designed now not only [to] set back content blockers, but [to] condemn content blockers to stagnate innovation-wise.

Google's approach to performance and security in this context – neutering the webRequest API – isn't the only option. Ill-intentioned developers of native applications, web apps, and software libraries/SDKs can abuse people's trust equally well without the webRequest API – using JavaScript to grab form data prior to submission, for example.

App security for other platforms generally involves code analysis to see what it does, rather than denying access to APIs. But Google made a decision to restrict APIs rather than strengthen Chrome Web Store code review and enforcement.

Ghost in the machine

In an interview with The Register, Jean-Paul Schmetz, CEO of Ghostery, explained how his company's browser extensions have been using webRequest to disable Facebook tracking.

"When Facebook launched the Like button – it was an image basically of the Facebook logo," said Schmetz. "And part of that [network] request was harmless. It was just a page ID of the page where it was placed. And the other half of the request was a user ID which was absolutely not harmless because it essentially gave Facebook a ping that you were looking at a specific page, which can help them do a bunch of targeting stuff."

"And what we were doing is to keep the harmless part of the request, but remove or modify the harmful part of it," he said. "Which allowed the users to still have the Like button be visible and if you clicked on it, it would work as expected, except that Facebook would not be able to track everything that you read on the web. And that is definitely something that's going to go away with Manifest v3, the ability to modify the request as it leaves the browser."

Schmetz and other extension developers have observed that extensions used to be critical to browser adoption, but have become less important now that Google has what he describes as a monopoly.

One of the consequences of Chromium becoming the monopoly browser, and Firefox going away, is that extensions do not play the role that they used to play

"One of the consequences of Chromium becoming the monopoly browser, and Firefox going away, is that extensions do not play the role that they used to play," said Schmetz. "Before, you know, people would move from Chrome to Firefox if an extension was not available. And that stopped occurring.

"I think that extensions are basically seen by browsers – except bizarrely, for Safari at the moment – as sort of a half-necessary evil. Whereas before they were – I don't know if you remember those days – but basically, Chrome was struggling to implement extensions at one point and knew that if they didn't have extensions, they would never be able to compete against Firefox.

"So it was extensions that were really driving the creativity of the browser ecosystems. And unfortunately, with the monopolization of the browser infrastructure, this is becoming less so. And I think this is a big problem because extending the browser is the only way to make sure that a monopolistic browser is not stopping everything. It's like you can still customize it somehow, right?"

Schmetz said extensions used to be able to fundamentally alter the way browsers worked and now, due to Google's policies, they're only allowed to do one thing.

Wladimir Palant, who developed the Adblock Plus extension that became the basis for Eyeo, the acceptable ad business he co-founded, also cited the way in which extensions have gone from king-makers to supplicants.

"Historically, browser extensions have been a major factor behind Firefox adoption," said Palant. "I’m not saying that people primarily switched to Firefox because of extensions. But its extensibility made Firefox very attractive to power users and early adopters. And these are the people who tend to bring their family and friends along because they are playing IT support for all of them.

"Extensions come at a cost however. They threaten security and stability of a browser, and they are a huge maintenance burden. So we’ve seen Chrome become successful with an entirely different compromise: their idea of extensions was far less than Mozilla’s, with the extensions being very limited in what they could do. But it allowed them to ship a more stable product and innovate faster, eventually leading to Firefox adopting the same extension model."

Palant said now that extensibility is no longer the defining factor in browser adoption, Chrome is able to make changes with less risk of losing users.

"webRequest is an obvious choice to cut, it being a feature implemented fairly late because Chrome users kept demanding capable ad blockers," he said. "I doubt Chrome developers were ever happy with it, it being a notorious performance hog."

Palant said Mv3 entails a wide range of changes intended to improve security and fix bad decisions made during the early stages of Chrome development.

"The main issue here is breaking backwards compatibility abruptly," he said. "Many extensions won’t make the jump. But losing even half of their extensions is something Google can afford now. Users will no longer switch browsers because of extensions."

The EFF's Miagkov sees Google's prioritization of online advertising as the source of Chrome's problems.

Everything that happens in Chrome is at the very least colored by their advertising-driven priorities

"Chrome, the browser, belongs to an advertising company," he said. "And I think this is a major issue. Everything that happens in Chrome is at the very least colored by their advertising-driven priorities."

And it's not just Manifest v3 but also the various Privacy Sandbox initiatives and adjacent web specs that reflect this agenda. For example, Google has proposed a web standard called WebBundles that rivals like Brave argue would help websites avoid content blocking. The technology has been debated for several years but the privacy concerns raised remain unanswered.

"Google does not want to imagine a different web," said Miagkov. "Google does not want to imagine a web where nonconsensual personalized tracking is forbidden, period, like you just can't do it. When you look at Manifest v3, in the context of everything else that's happening, then it becomes much more clear that it's not at all driven by what's important to extension developers and consequently, extension users. It's driven by corporate Google priorities."

That would be fine if Chrome were one option among many, said Miagkov, but Chrome has a monopoly on the desktop where extensions are most relevant. According to the US Justice Department's 2020 antitrust lawsuit [PDF] against Google, "In the United States, Google Chrome is the leading computer browser, with almost 60 percent market share," and "over 85 percent of all browser usage in the United States occurs on Google’s own Chrome browser or [another browser that has a revenue sharing agreement with Google]."

Acts and consequences

One consequence of that dominance is that if Chrome fails to fix a known avenue of privacy abuse, then a large number of users go unprotected. That's been the case with CNAME cloaking, a way publishers can delegate control of a subdomain to a third-party firm to enable web visitor tracking. While other browsers like Brave, Firefox, and Safari have implemented defenses, Chrome has left the issue unaddressed for the past two years.

There was hope last June that the formation of a W3C WebExtensions Community Group (WECG), in which browser makers and other interested parties could discuss the future of extensions might change the dynamic of Google declaring technical changes prior to community engagement. But according to Miagkov, that hasn't happened.

"I think the W3C group holds great potential," he said. "It's already helping extension developers get heard a little bit, because there is a biweekly meeting where anybody can come and talk about what concerns they have.

"What I've seen, however – and I've attended every meeting for the last many months – I have not seen a single sign that Google changed anything, including its approach to input – from the group or from anybody else."

Google insists it has incorporated changes into Chrome as a result of developer feedback from the WECG and said WECG discussions have influenced the design of Chrome's Offscreen Documents proposals and have aided cross-vendor discussions of browser extensions. According to Google, this chatter has covered topics including allowing extensions to:

  • Declare optional host permissions with the optional_host_permissions field in manifest.json
  • Declare a custom content security policy that allows the extension to use WebAssembly
  • Specify whether content scripts should run in the extension's isolated world or in the page's world
  • Open their own popups using action.openPopup() (currently in development)

Google has also made other changes in response to developer feedback, such as raising the number of static rules that can be applied using declarativeNetRequest to a minimum of 30,000, the introduction of session rules, and regex rules, among others. Additionally, Googlers have made changes to other APIs, such as scripting.executeScript, and introduced storage.session for service workers. And The Register understands Google engineers intended to continue doing so.

Schmetz argues that Google's extension platform changes make browsers more a channel for publishers than a tool that serves internet users.

"The browser is technically called the user agent," Schmetz said. "And by [making extensions less capable], I think you make it less the user agent and you make it more like a page agent or publisher agent. Or browser manufacturer agent."

Schmetz sees Google's security claims as a cover for what they're doing.

"It's clear that a powerful platform like extensions has created some bad actors who have used extensions to do bad things. So Google can always say, 'Well, we're making our user safer.' But, you know, behind all that, it also means that the browser is not a user agent anymore."

Schmetz expects Ghostery will manage to adapt its extensions but worries about what comes next.

"I think the only thing that we are not able to do in the future is this modification of requests," he said. "I think making the tracking visible is going to continue to be possible. Again, we don't know exactly what form Manifest v3 will have in the end, but it looks okay at this point for us. But we are worried about Manifest v4."

Ghostery has hedged its bets by having its own browser, based on Firefox, where it can continue to offer its privacy tools if they become untenable within Chrome. But judging by recent browser trends, Chrome continues to maintain its market dominance.

Schmetz believes it's really important that people continue to have access to effective anti-tracking tools, particularly for blocking fingerprinting scripts.

"We definitely see a lot of fingerprinting going on," he said, noting that the ad industry has already moved beyond cookie-based tracking.

"Basically that these scripts are trying to create numbers that are unique to you and are being transferred in the requests. They are not being stored on your machine but are being predictably generated every time you visit a website. … It's very important to have tools that can block that because if you don't, you will be tracked right. There's no way to avoid it." ®

Other stories you might like

  • UK competition watchdog seeks to make mobile browsers, cloud gaming and payments more competitive
    Investigation could help end WebKit monoculture on iOS devices

    The United Kingdom's Competition and Markets Authority (CMA) on Friday said it intends to launch an investigation of Apple's and Google's market power with respect to mobile browsers and cloud gaming, and to take enforcement action against Google for its app store payment practices.

    "When it comes to how people use mobile phones, Apple and Google hold all the cards," said Andrea Coscelli, Chief Executive of the CMA, in a statement. "As good as many of their services and products are, their strong grip on mobile ecosystems allows them to shut out competitors, holding back the British tech sector and limiting choice."

    The decision to open a formal investigation follows the CMA's year-long study of the mobile ecosystem. The competition watchdog's findings have been published in a report that concludes Apple and Google have a duopoly that limits competition.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading
  • Google, EFF back Cloudflare in row over pirate streams
    Ban akin to 'ordering a telephone company to prevent a person from having conversations' over its lines

    Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site.

    Earlier this year, a handful of Israel-based media companies took to court, accusing it of streaming TV and movie content it had no right to distribute. The corporations — United King Film Distribution, D.B.S. Satellite Services, HOT Communication Systems, Charlton, Reshet Media and Keshet Broadcasting — won the lawsuit after's creators failed to show up to their hearings, and the judge ordered, and each pay $7,650,000 in damages. 

    In a more surprising move, however, the media outfits also won an injunction [PDF] in the United States in April against a slew of internet companies, among others, banning them from aiding in its piracy.

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Google recasts Anthos with hitch to AWS Outposts
    If at first you don't succeed, change names and try again

    Google Cloud's Anthos on-prem platform is getting a new home under the search giant’s recently announced Google Distributed Cloud (GDC) portfolio, where it will live on as a software-based competitor to AWS Outposts and Microsoft Azure Stack.

    Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.

    Its latest update sees Google reposition Anthos on-prem, introduced back in 2020, as the bring-your-own-server edition of GDC. Using the service, customers can extend Google Cloud-style management and services to applications running on-prem.

    Continue reading

Biting the hand that feeds IT © 1998–2022