30 votes

Topic deleted by author

21 comments

  1. [16]
    Adys

    Comments on HN here, and I do recommend reading them. Here is Google's justification, announced in April of 2019.

    In summary: Google will block sign ins to their site from embedded browsers.

    I don't really like the way some people are trying to frame this; there's legitimate potential concerns to be had wrt. smaller third-party browsers, and they're sure to be drowned out in misinformation such as "You need Chrome to use Google". The idea that it's a "proprietarization of the web" (@tindall) is far-fetched. This isn't "the web", it's "Google".

    Like, this isn't even a new thing; it used to be pretty common to just throw a "we're not letting you log in because we don't trust you based on your user agent" type page to some apps.

    The way I see it, personally: My Google account's authentication safeguards a ton of extremely valuable information. I have four companies behind GSuite auth, and a 13-ish year old personal account behind it as well. Lots of the services I use are using Google as oauth provider. This is one of those cases where, yeah, I'll take security pragmatism over purism.

    7 votes
    1. [9]
      Comment deleted by author
      1. [5]
        Deimos

        I use Firefox on Linux as my primary browser, and spend far too much time on the web. I can't think of a single site that's blocked me because of it. Can you list three examples?

        14 votes
        1. stu2b50

          Pearson myLab or eduLab or whatever it was called only works on Chrome (unless they changed it in the last few years which I highly doubt).

          13 votes
        2. tan

          Vieple, a web-based video-interviewing platform, refused to let me through with Firefox recently, but allowed Chromium.

          6 votes
        3. frostycakes

          I've had problems with Appfolio-based leasing portals recently-- I was unable to download my lease PDF or finish my application for an apartment in Firefox, both on Linux and Android. Even changing useragents didn't work in this case, had to use Chrome/ium.

          4 votes
        4. teaearlgraycold

          I don’t think any site has outright blocked me, but a bunch just don’t work.

          3 votes
      2. petrichor

        > I take it you haven't used Firefox on Linux in a while. This is very common, and it sucks.

        For what it's worth, unless the web has drastically shifted in the past six months, I can only remember a single time in my ~3 years of using Firefox on Linux that a website disallowed non-Chromium-based browsers (IIRC, some open-source video thing?) - and their users were up in arms over it.

        Now nag screens, sure. Reddit dot com on mobile prompted you to use Chrome (or their app, bleh) for a good long while, the College Board's recent AP test administration gave an extra check to Chrome, but still, nothing too egregious.

        5 votes
      3. [2]
        Adys

        I do use Firefox on Linux; it's not my primary browser but I use it regularly. I find that captchas are more annoying and that's about it.

        1 vote
        1. [2]
          Comment deleted by author
          1. Adys

            It sounds like Epiphany is supported, though; the problem actually being with in-app embedded browsers (not just merely "browsers built on gtkwebkit"). I gave more context to my line of thinking lower down the thread if you're curious.

            3 votes
    2. [3]
      petrichor

      > In summary: Google will block sign ins to their site from embedded browsers.

      What I'm seeing in the mailing list, the article, and in about 50% of the HN comments is that Google will block sign ins from embedded browsers and other non-supported browsers.

      Blocking sign ins from embedded browsers seems pretty clearly targeted at phishing Android apps. What concerns me is if this Chromium Embedded Framework is used by something like Midori, a GTK based browser. What concerns me much more is that "other non-supported browsers" (very) presumably includes unique or uncommon browsers like NetSurf, or Links, or any non-Chromium non-Gecko based browser competitor. This screams antitrust to me, but it seems likely that any such case against Google related to browsers won't be brought up for years with the current state of the DOJ, and that's scary.

      I get that email - and Gmail in particular, with it commonly being used for OAuth - is for most people, myself included, a single point of failure for their online identity, and that every effort should be made to keep it safe and secure. Blocking embedded browsers, provided it reasonably excludes actual browsers based on WebKit, makes sense, but excluding "other non-supported browsers" provides no legitimate security benefit in my eyes.

      7 votes
      1. [3]
        Comment deleted by author
        1. [2]
          frostycakes

          I thought CEF was more like Electron in that it was a full Chromium engine implementation instead of just a fork? Isn't that what Spotify and Steam use for their desktop clients?

          1. [2]
            Comment deleted by author
            1. frostycakes

              If it's regular upstream Chromium being embedded, wouldn't it be somewhat trivial to spoof an application using CEF as just plain Chromium to get around Google's blocking of it?

              I mean, it's frustrating that developers would have to do that in the first place, but it seems like a simple workaround?
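To make the spoofing point above concrete, here is an added example (not code from the thread, from Google, or from CEF) of the kind of User-Agent check a login endpoint can do, and why it is only advisory. It assumes two real default markers, the "; wv" token Android WebView puts in its platform string and the "Electron/<version>" product token Electron adds, and the fact that CEF by default sends a plain Chromium UA with no framework token (apps may override it through CefSettings.user_agent). The marker list, the allowed-engine list and every sample header string are constructed here; the version numbers are arbitrary.

```python
import re

# Added illustration for this thread: a login endpoint classifying the
# User-Agent header the way the "we don't trust your user agent" pages
# mentioned above do.  Not Google's logic; marker list and sample UA
# strings are constructed for the example.

# Default UA markers left by common embedding frameworks.
# Android WebView appends "; wv" inside the platform parenthesis and
# Electron appends an "Electron/<version>" product token.  CEF is the
# notable exception: by default it sends the plain Chromium UA (apps may
# override it via CefSettings.user_agent), so it leaves nothing to key on.
EMBEDDED_MARKERS = {
    "android-webview": re.compile(r";\s*wv\)"),
    "electron": re.compile(r"\bElectron/\d"),
}

# Product tokens of mainstream engines that a login page would normally accept.
# Anything else (NetSurf, Links, a from-scratch engine) lands in "unknown".
BROWSER_TOKENS = re.compile(r"\b(Chrome|Firefox|Safari)/\d")


def classify(ua: str) -> str:
    """Return 'embedded:<framework>', 'browser' or 'unknown' for a UA string."""
    for name, pattern in EMBEDDED_MARKERS.items():
        if pattern.search(ua):
            return "embedded:" + name
    if BROWSER_TOKENS.search(ua):
        return "browser"
    return "unknown"


def sign_in_allowed(ua: str) -> bool:
    """Policy under test: only mainstream browsers may sign in; embedded and unknown are refused."""
    return classify(ua) == "browser"


# Constructed sample headers; shapes follow real-world defaults, versions are arbitrary.
SAMPLES = {
    "chrome-desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
    "firefox-linux": "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0",
    "android-webview": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PQ3A.190705.001; wv) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                       "Chrome/74.0.3729.157 Mobile Safari/537.36",
    "electron-app": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                    "someapp/1.0 Chrome/73.0.3683.121 Electron/5.0.1 Safari/537.36",
    "netsurf": "NetSurf/3.9 (Linux)",
}


def spoof_as_chromium(ua: str) -> str:
    """What an embedding app can do in one line: strip the framework markers.
    A CEF app does not even need this, since its default UA is already plain Chromium."""
    ua = re.sub(r";\s*wv\)", ")", ua)
    ua = re.sub(r"\s*Electron/\S+", "", ua)
    return ua


def report() -> dict:
    """Classify every sample plus the spoofed variants of the embedded ones."""
    out = {name: classify(ua) for name, ua in SAMPLES.items()}
    out["android-webview-spoofed"] = classify(spoof_as_chromium(SAMPLES["android-webview"]))
    out["electron-app-spoofed"] = classify(spoof_as_chromium(SAMPLES["electron-app"]))
    return out


if __name__ == "__main__":
    for name, verdict in report().items():
        status = "allowed" if verdict == "browser" else "refused"
        print(f"{name:26} {verdict:26} sign-in {status}")
```

Run as-is and the two spoofed variants classify as "browser" and pass the policy, which is the "simple workaround" asked about above, while the constructed NetSurf header falls into "unknown" and is refused, which is the side effect raised earlier in the thread for uncommon browsers. The header is client-controlled, so a check like this can only turn away software that does not try to hide; it cannot establish what is actually rendering the page.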

    3. [4]
      Diff

      Can't say whether other people are blowing it out of proportions in discussions, I haven't dropped by the HN thread you've linked yet, but at least in the OP link they seem to be evaluating it properly. Any browser that can't sign into Google services can only see quite limited adoption for quite limited purposes. It can't be used by much of the general population for general internet browsing. Later in the email thread, it appears that they managed to test the new changes and confirm that Epiphany is unaffected for now, but this is still a troubling stance for Google to be taking. They aren't The Web, but they're a part of it that a great many people use. The web should be universal, if a browser can't access a part of it, it takes the blame, not the website.

      3 votes
      1. [3]
        Adys

        > Any browser that can't sign into Google services can only see quite limited adoption for quite limited purposes.

        I don't think that's true, to be honest. This comment on HN reflects your argument I believe:

        > Every new browser, by definition, starts out as a self-compiled project.

        But I don't believe they do. All the currently popular web browsers started from fairly major predecessors. Sure, if you track down their ancestry, you'll find Mosaic, or for the most recent example you'll find KHTML. But take the newest mildly popular browser Brave: It's based on Chromium. Servo is one of the first "from-scratch" browsers in a LONG time, and it has to have massive backing from an existing internet corporation because nobody can build this stuff from scratch.

        And if they do, by the time "signing into Google" becomes an actual blocker for the browser, they'll already be popular enough to be included by Google in that whitelist (I mean, if Epiphany today is included…).

        I don't want to defend Google too much on this, they deserve a lot of the heat just from their past behaviour, but this actually sounds like a non-issue, one they warned about a year and half in advance.

        1 vote
        1. Diff

          I'm not sure I understand the point you're making. If a new web browser project comes into existence, it's only used by the people developing it. Maybe some technical users start using it because it fits their needs. Maybe a few general-purpose users pick it up because it works for them and doesn't break the things they need to not break. But it can't make much progress in the general population if there's something pervasive lurking in there preventing a majority of people from using it for at least one purpose.

          Epiphany already suffers from this a bit. Epiphany is nice, and I use it on my laptop. But on my desktop I use Firefox, because it's my desktop I consume my media on, and Epiphany doesn't support Widevine. People don't switch around web browsers for different purposes, they pick one that works and they stick with it until it stops working for them. "Signing into Google" or "watching Netflix" or "accessing a random obscure website that only works on IE6" is a blocker as soon as one person is turned away from the project because they can't do what they want with their web browser.

          7 votes
        2. [2]
          Comment deleted by author
          1. Adys

            Nah. There's billions of websites out there. HTML and CSS are behemoths, and JS is behemoth squared.

            Browsers are operating systems right now. If you build a new operating system from scratch, "popular HP printers do a weird proprietary thing that only works with Windows" will not be what prevents you from getting popularity.

            It takes so much work to get to the state where things work that, by the time you do, you're bound to be popular: Either it took you decades of work and it's an inhuman achievement that will make itself known by sheer curiosity (and be highly marketable, etc), or it's a massive project that has marketing behind it anyway.

            1 vote
  2. Akir

    I am worried that this might mean they end up blocking WebPositive, the only actively developed native browser for Haiku. Alternative operating systems already have enough of a hard time without being blacklisted by Google.

    5 votes
  3. [4]
    skybrian

    It seems like this problem could mostly be solved if Google accounts had a “developer mode” that you could turn on that disables some security checks? (Don’t get hung up on the name. Maybe it could be “experimental mode” or “the yolo flag.”)

    The problem is that some Google accounts are much more important than others. Somehow losing my main account would be catastrophic. But I could create a throwaway account, set it to developer mode, and then use that to fool around with experimental browsers.

    How can Google know whether I consider an account to be throwaway or not? They can’t. This really needs to be left up to the user.

    It doesn’t solve all problems, since at some point someone has to decide whether a new browser is finished enough and has a good enough track record for fixing security bugs promptly that unsophisticated users could use it with their main account. But it would make it less frustrating for more-technical users.

    For the list of “trusted” browsers, there is the larger issue of who decides. If you don’t trust Google then this is yet another decision that they shouldn’t be trusted with. But what entity do you trust more than Google to make critical technical decisions like this? I can imagine a government regulator doing it, but I can also imagine them doing it badly. It’s not like the FCC is always right. Many FCC commissioners don’t have a good track record.

    One model that sort of works is the one for certificate authorities. Browser and OS vendors decide who the trusted certificate authorities are, which isn’t great in some ways but at least they are somewhat disinterested and seem to make decisions about which certificate authorities to trust or distrust on bureaucratic, technical grounds. Certificate transparency gives them the insight into a CA’s operations to regulate them effectively. It also helps that one of the organizations making the decisions is Firefox, and there are multiple organizations that loosely collaborate and generally agree on the list.

    It would sort of make sense for big, trusted websites like banks to decide which browsers are on the high-trust list, but this would only be in a world where they are more developer-friendly, technically competent, and transparent about their decision-making. Banks don’t have the track record for this.

    It is similar to how someone competent needs to decide which mobile apps are malware, and ideally there would be a separate organization doing this, but in practice, Apple and Google do it. This lack of a separate organization to do it means we end up second-guessing big tech’s decisions.

    2 votes
    1. [4]
      Comment deleted by author
      1. [3]
        skybrian

        I think you’re passing lightly over the problem to be solved, though. Like, malware exists, crappy software exists, shady businesses exist, and the average person has no idea how to evaluate the risks themselves. Amateur work is more risky. Trusting everyone by default doesn’t work.

        It’s not ideal that LetsEncrypt had hoops to jump through, but they did eventually get through it and became trusted, and it’s good that they could become trusted without trusting every shady person who wants to set up a CA. There needs to be some filter, and nobody knows how to do this gatekeeping in a way that’s not messy. There are just better and worse ways of doing it.

        Carve outs for experiments (like for experimental aircraft) are one way the regulators try to avoid crushing amateurs entirely while still somewhat protecting the safety of the masses.

        I think it would be good to figure out how to advocate for less regulation while still acknowledging that, crappy as they may be at it, the regulators have an important job? And in some cases we have the wrong organizations doing the gatekeeping because if they don’t do it, nobody will, and getting a better organization off the ground is non-trivial.

        5 votes
        1. [3]
          Comment deleted by author
          1. [2]
            skybrian

            I'm not very familiar with Elementary so I can't judge. I do think there needs to be some kind of organization that evaluates browsers and comes up with the list of the ones that are trustworthy enough for things like banking. Letting each large website choose based on unknown and probably arbitrary internal criteria doesn't work very well.

            As for how shoddy work can make you insecure, you are aware of all the experts saying you shouldn't roll your own crypto and all the companies that do? But you're right, it's not really an amateur vs. professional thing.

            2 votes
            1. [2]
              Comment deleted by author
              1. skybrian

                For you, maybe it doesn't? That's why there should be a developer switch.

                But for consumers buying stuff off Amazon, if there are no standards then random Chinese gadgets will have browsers in them ("Internet of shit") and if there is no organization pushing back, there are no standards, and it's a race to the bottom.

                (Or they will just download random binaries, which is the software equivalent.)

                Someone has to vouch for them being compliant with the relevant specs, and some of this is about process compliance, things like regular security updates.