
No fun in the name of security


Tags: rant security

Roughly a week ago, the Chrome developers announced that they will remove XSLT, their reasoning being that removing it will create a more secure browser, and they’re not wrong, but they’re also misleading. Now, a lot has been said about this specific topic, some people will mention how XSLT isn’t really used by anyone anyway and so removing it is alright, except that’s wrong, and XSLT is used by governments and other important institutions, so I don’t buy this argument at all.

Besides, I think pretty much every single person discussing this issue is missing the point: cutting out an entire feature goes against the spirit of the web. Browsers have dedicated themselves to maintaining backwards compatibility with even the oldest of webpages today. Who knows what feature they’ll kill tomorrow? XHTML? HTTP 1.1? It always seems unlikely until the moment they actually do it. Backwards compatibility obviously can’t be continued forever, but XSLT hasn’t reached that point, it’s just XML, something we’ve already all gotten used to. So there must actually be a different reason as to why the Chrome developers have done this, and that’s why I called it misleading at first.

Aaron, in his article “Shouldn’t we trust Google and other pertinent questions”, points out an entirely different reason as to why Google might’ve cut off XSLT; you should go read his article anyway, it’s excellent. Obviously, as Aaron points out, this might just be a coincidence and we can’t claim that this is the whole-picture story, but all the circumstances behind it are suspicious and Aaron’s perspective casts a different light on why XSLT was hacked off: greed.

Far too often, I see these decisions taken in the name of security, but they always usually benefit the parties involved in more insidious ways. I am not sure what to call it, maybe securewashing or whatever, but Google seems to be a fan of this method to push through anti-privacy or anti-consumer measures!

Manifest v3: The end of ad-blocking for thee.

Browser extensions are little programs that can be used to enhance or extend your browsing experience. However, they must all include a special file (the “manifest”) dictating what permissions the program wants, what websites it’s gonna run on, and so on.

Manifest v3 is an update to the way things used to work. Among other things, it introduces limits on how extensions can process and block network requests. A big consequence of this is that ad-blockers that use Manifest v3 will be significantly restricted. There can’t possibly be any conflict of interest considering that Google, the company behind Chrome and Chromium, is also an advertising company, right? And I am sure you know what the rationale was, it was security all along.

Manifest v3 was marketed as improving privacy, security and performance.
What a load of bullshit.

Web Environment Integrity, anyone?

Thankfully this project didn’t actually get pushed through due to pushback, but it serves as an interesting case study for my little project.

WEI (Web Environment Integrity) was created by Google as a way to verify your browser, your interactions, essentially it allowed Google to act as a bouncer, controlling who and what gets to browse the web. Y’wanna guess why Google tried pushing this dystopian feature on us? It was security, all along.

I remember the pushback against this being stronger than Manifest v3, mostly because Manifest v3 was a mere boring upgrade with actual security enhancements whereas this was far more insidious and downright dystopian. And thankfully, we actually did manage to stop it. Err, well… A limited version did end up in Android as Android WebView Media Integrity API, but I can still use my browser without being denied entry by Google, for now.

You wanna install your own apps on your own device? Too bad.

I swear there was a word just on the tip of my tongue for describing Google, I mean, it controls the most popular browser, and the most popular mobile phone system, there was a legal term for companies like that… Mono-polo or something, I can’t quite remember.

Anyway, yes, Google does also own Android which is the most popular system used on phones today. One of the greatest things about Android is that you could install your own apps easily, unlike those iOS nerds that have to either pay 100$ a year or deal with finicky renewal processes every week. (Except if you’re European, because Europeans have the Digital Services Act)

Google has recently announced that they will be “introducing a new layer of security” by restricting what applications you can install on your phone. I think this is frankly one of the worst things Google could’ve done to ruin the openness of the Android platform, but whatever, the Google executives seem to think different. Isn’t it convenient how every single feature that Google has, thus far, managed to implement has been enhancing security by taking away user choice? Why is it that Google is so keen on masking their obvious anti-consumer behavior behind the security smokescreen?

But really, why?

The obvious answer is that if companies such as Google and Microsoft were brutally honest about why they do the things they do, then the world would tear them apart, and so to save their skin, whilst still slickly saving sums of spare cash to satiate their shareholders, they turn to the security trap. And the best part is that it isn’t a lie: what they do actually does improve security.

Manifest v3 wasn’t all about ad-blockers. One of the most amazing things about it was that it prevented remotely hosted code from being run in a user’s browser. What this means is you basically can only run code bundled into your application. This was a legitimately good change for security! It just got bundled up alongside changes to the networking API that restricted ad blockers, and this is unfortunate for us, but great for Google!

The Web Environment Integrity project would have, at some level, enhanced security at the cost of limiting the open web to only what Google accepts; this was a tremendous change and the consequences were obvious. Restricting who can create loadable APKs would probably improve security.

I think the fundamental reason why security is such a good coverup for anti-consumer behavior is that security often means removing choices, it means cutting down on the scopes and areas that can go wrong or that can be infiltrated. Those two areas are often at odds with one another: user choice fundamentally means the choice to install malware, it’s a paradox. There is no way you can let users install whatever applications they want, without the applications you don’t want them to install.

So, sure, it is just XSLT for now, and we can always migrate our webpages and our websites to content negotiation or whatever it is you nerds are suggesting. But why? Why do I have to do more work just because a multi-billion (maybe trillion) dollar company couldn’t pay a developer? And the bigger question: when will we finally recognize anti-consumer behavior for what it truly is, instead of falling for the security smokescreen for the millionth time?

Security isn’t always a good thing, y’know.