Showing results for tags 'safari'.

Found 13 results

  1. “Completely fake,” an Apple engineer explains After Microsoft, Apple might be the next big name planning to migrate to the Chromium engine for its very own browser. This is what one ridiculous rumor making the rounds today claims, indicating that Apple is ready to abandon WebKit to adopt the same engine that powers Google Chrome and, starting this year, Microsoft’s Edge browser. The information was originally published by Russian blog iPhones.ru and several other English-based websites reposted it, along with what they claimed to be evidence of Safari being rebuilt on Chrome. A screenshot that was included in a bug report showed what the sources described as an early version of Safari running on Chromium, with some claiming that the project is actually in an advanced phase and Apple is truly committed to making the whole thing happen as soon as possible. And while at some level it might actually make sense for Apple to switch to Chromium and follow in Microsoft’s footsteps, the report is completely false and there’s basically no chance to see the Cupertino-based tech giant invest in the engine that Google insists so hard for. In fact, WebKit is here to stay in Safari, there’s no doubt about it, and moving forward Apple has absolutely no reason to invest in Chromium. Fake, fake, fake The evidence that is supposed to confirm Safari is moving to Chromium actually links to an unrelated security issue from 2015. The screenshot claiming to show Safari based on Chromium is completely fake as well, as it shows Intelligent Tracking Prevention in Chromium – ITP is a proprietary Safari feature and Chromium doesn’t include such code. Apple developer Ricky Mondello also confirmed on Twitter this was a false report. “The screenshot of the alleged Chromium bug includes a supposed Apple email address that doesn’t belong to anyone on the Safari or WebKit teams, and Chromium doesn’t have any code to support ITP that could be enabled. 
This is a complete fabrication,” Mondello explained. Rick Byers, software engineer at Google on Chromium, found more proof this is fake news. “I've confirmed the referenced bug is an unrelated security issue from 2015. Biggest giveaway that this fake is that the bug number is too low to have been created in the past several years. We're now over 1,000,000,000!” he tweeted. Of course, Apple hasn’t commented on the original report, but this time, it’s pretty clear it doesn’t even have to. Source
  2. If you use Safari you are frustrating advertisers. What you need to know Intelligent Tracking Prevention is impacting advertisers. Marketing executives are saying that the technology is "stunningly effective" at preventing tracking. It is causing Safari users to be devalued in the advertising market. Two years ago, Apple unveiled Intelligent Tracking Prevention for Safari which aimed to protect users of the browsers from unwanted tracking. It was yet another in a long-running move towards more privacy on behalf of the company for its customers, and this technology, in particular, seems to be having a major impact on the advertising industry. In a report by The Information, executives within the online publishing industry have said that the technology has been "stunningly effective" at preventing companies from identifying users' behavior across the web. One executive says that it has led to a devaluing of Safari users. "The allure of a Safari user in an auction has plummeted," said Rubicon Project CEO Michael Barrett. "There's no easy ability to ID a user." On the other hand, it has also created somewhat of a discount market for those who want to save on advertising, as long as buyers are okay with the data being less precise. The Information reports that the cost of reaching a Safari user has dropped as much as 60% while Chrome users continue to get more expensive. The cost of reaching Safari users has fallen over 60% in the past two years, according to data from ad tech firm Rubicon Project. Meanwhile, ad prices on Google's Chrome browser have risen slightly. Apple's Safari privacy features paint a stark contrast in tracking when compared to users who chose to use a different browser like Chrome. According to Nativo, which sells online advertising software, only 9% of Safari users allow tracking whereas 79% of Chrome users do. This is in part because many of Safari's privacy features are turned on by default. 
Only about 9% of Safari users on an iPhone allow outside companies to track where they go on the web, according to Nativo, which sells software for online ad selling. It's a similar story on desktop, although Safari has only about 13% of the desktop browser market. In comparison, 79% of people who use Google's Chrome browser allow advertisers to track their browsing habits on mobile devices through cookies. Some believe that the devaluing of Safari users is a mistake, based on the demographics of those who tend to own an iPhone, iPad, and Mac. They put the responsibility on marketers to adapt to growing privacy enhancements and uncover new ways to reach the people they want to get in front of. "Apple users are more valuable to advertisers based on demographics, being higher income, et cetera," said Jason Kint, CEO of industry trade group Digital Content Next. He argues that Safari users have been "wrongly devalued" in the short term and says marketers just need to find better ways to reach them online. Source
  3. But no one cared When Google started gutting the effectiveness of ad blockers on its Chrome browser, there was an outcry; but for some reason, no one cared that Apple had done the same thing for a year and a half. Google wanted to limit the maximum rules an extension could pass to Chrome to 30,000, which many Chrome extension developers said was extremely low, and wouldn't even begin to accommodate the likes of ad blockers, parental control or traffic inspection extensions. The company was immediately attacked for trying to "kill ad blockers" and after months of criticism, Google eventually backed down on its initial plan and settled on a higher limit ranging from 90,000 to 120,000, a number that many extension developers, and especially those managing ad blockers, still consider insufficient. On the other side, when Apple rolled out the new Content Blocker API, it enforced a maximum limit of 50,000 rules for each new extension that wanted to block content inside Safari. Of course AdBlock was running faster. It had fewer rules to apply than before. Unlike Google, Apple never received any flak, and instead, the Tame Apple Press pushed a sound bite that Apple was caring about users' privacy, rather than attempting to "neuter ad blockers". One of the reasons might be that few people use Apple's Safari, and Apple doesn't rely on ads for its profits, meaning there was no ulterior motive behind its ecosystem changes. Besides, Apple fanboys tend to believe whatever their Mighty Overlord tells them. But there is another reason which might not be so nice. Apple is known to have a heavy hand in enforcing rules on its App Store, and that developers who generally speak out are usually kicked out. It's either obey or get out. Unlike in Google's case, where Chrome is based on an open-source browser named Chromium and where everyone gets a voice, everything at Apple is a walled garden, with strict rules. 
Apple was never criticised for effectively "neutering" or "killing ad blockers" in the same way Google has been all this year because the pressure normally starts with extension developers, but it then extended to the public. In Apple's case, developers will never complain because it could result in them being kicked out of Apple's store. Source
  4. Safari to ape Firefox, go all-in on anti-tracking The WebKit team has unveiled a new Tracking Prevention Policy that could help bolster privacy for users of Apple's Safari browser. The WebKit project - the open-source initiative that generates code for Apple's Safari browser - quietly announced last week that it would follow in Mozilla's footsteps and quash tracking technologies designed to follow users across the web. In a short message on Aug. 14, the WebKit team pointed to its new Tracking Prevention Policy, a document that spells out its plans in detail, including what types of tracking it will create and how it will deal with any side effects. "We have implemented or intend to implement technical protections in WebKit to prevent all tracking practices included in this policy," the document read. "If we discover additional tracking techniques, we may expand this policy to include the new techniques and we may implement technical measures to prevent those techniques." The policy document ticks off half a dozen types of tracking WebKit will bar or does now, including cross-site tracking and fingerprinting. Safari already blocks some cross-site tracking under its Intelligent Tracking Protection (ITP), which debuted in 2017 and was enhanced last year with the browser bundled with macOS Mojave and iOS 12; it's stingy with the information it offers sites - information that can be abused to identify a user by, for instance, recording the installed fonts and plug-ins. The WebKit team tipped its hat to Mozilla for motivating it to put its plans to digital paper. "Our policy was inspired by and derived from Mozilla's anti-tracking policy," the group wrote, linking to the Firefox maker's own guidelines. Firefox has been on a privacy tear of late. 
And because of its rapid release cadence - Mozilla pushes out a new browser every six weeks or so, while Apple upgrades Safari only once during a year - its new features and functionality have received plenty of press. In June, for example, Mozilla switched on Firefox's Enhanced Tracking Protection (ETP) for new users and let current users enable it themselves. The technology, which had been in development for four years, stymied cookie-based and URL parameter-based cross-site trackers, and optionally also stopped fingerprinting. By mimicking Mozilla, WebKit - and by extension, Apple - may hope to steal some of the anti-tracking, pro-privacy spotlight. It may not be a coincidence that both browsers - Firefox and Safari - have lost user share in the last six months; their makers likely see privacy as an edge over the leader, Google's Chrome, and thus an opportunity to attract more users. How a browser protects users' privacy, in fact, has largely replaced older metrics, such as rendering speed, to define differences between brands. As an example of the trend, Microsoft too has pitched its reborn Edge, that browser relying on the Chromium open-source project's technologies, as a shield between the user and bad behavior on the part of sites and their advertisers. Of the top four browsers, only Chrome has not proclaimed its anti-tracking bonafides. But WebKit didn't simply repeat what Mozilla promised in its anti-tracking screed: The former took a much tougher line on trackers. "We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities," WebKit wrote. "If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention." 
In other words, WebKit will retaliate against scofflaws, maybe by holding everyone accountable for the actions of miscreants, perhaps by singling out those who try to go around the tracking prevention. "Equating circumvention of anti-tracking with security exploitation is unprecedented," applauded Lukasz Olejnik, an independent security and privacy researcher and consultant, in one tweet. "Overt treatment of privacy as a first-class citizen (like security) is the only direction (your move Microsoft, Google, all the rest!)," he added in another. The policy document does not specify a timetable for adding new tracking protections or enhancing existing ones in WebKit, much less when they would migrate into Safari. Source: Safari to ape Firefox, go all-in on anti-tracking (Computerworld - Gregg Keizer)
  5. How to configure Safari in iOS - A user-friendly and privacy focused guide Most iPhone and iPad users don't often pay attention to how their default browser works, unless they run into an issue. We have written a user-friendly and privacy focused guide, to teach you how to configure Safari in iOS. This is more like a cheat sheet, we didn't want to bore you with technical jargon. So, we kept it pretty simple and straightforward. How to configure Safari in iOS You can't manage Safari's settings from, well, Safari. iOS is a little bit weird when it comes to that; instead, you need to go to the Settings app to configure the browser. You can find Safari on the side-bar to your left. There are a slew of options that you can modify here. We will mention the most important ones which you may want to tweak. Siri and Search - Do you use Siri? If your answer is no, disable everything under this option. This is a personal choice. If you use Siri, you can choose whether it should display suggestions, learn from how you use Safari, and whether it should display information/suggestions in search results. Default search engine - No prizes for guessing what's default here, Google of course. You do however have 3 other options to choose from Yahoo, Bing and the privacy-centric DuckDuckGo. Search suggestions - You may know this as auto-complete from desktop browsers. It can help you save a few seconds, which would have otherwise been wasted typing the rest of the search phrase. This can get finicky though, as you may get suggestions which may not be entirely relevant to what you are looking for. Safari suggestions - This option is kind of similar to search suggestions, and pulls up information from sources like Wikipedia. The information is displayed inside the address bar, and maybe useful at times. It is powered by Siri, in case you were wondering. Quick Website Search - Want to see a Wikipedia page of a particular topic, but too lazy to type it? 
Try typing something like "Wiki iOS", and it should load the relevant page. Pre-load Top Hit - This is like a lottery, and depends on what you're searching for. It loads the most popular result for the term you searched for. I recommend disabling it, simply because it can be inaccurate and because it needs to connect to the site in question. AutoFill - You can use Safari to automatically fill in your name, credit card info, to quickly checkout on websites. Frequently visited sites - As the name so obviously suggests, this feature lists your most often accessed websites. It can be useful, if you like to visit the same sites everyday. For e.g. news, weather, sports, etc. You can manage your favorites (bookmarked websites) separately, and also the behaviour of tabs. These are pretty basic options that are self-explanatory. Important Safari Settings in iOS that we recommend, and why Apple Safari is quite good in iOS and has some very useful options to keep you safe on the internet. Block Pop-ups - Despite the fact that iOS is generally considered safe(er) from malware, you don't want websites popping-up windows to annoy you, or distract you. Leave this option on, and you won't notice a single pop-up, it's pretty good. Fraudulent Website Warning - This is a crucial feature and is one of the many pre-enabled options in Safari. It helps in preventing known scam/fraud sites from loading in the browser, and thus stops phishing attacks dead in their tracks. Prevent Cross-Site Tracking - This option will prevent websites, you know the pesky ones, from tracking your browsing history on other websites. This is perhaps the most important of all the features. Downloads - If you have a ton of space in your iCloud account, you can let your downloads be saved in the cloud drive, else you may want to save them locally on your iPhone or iPad's storage. Content Blockers - These are your ad blockers, and yes iOS does have a few. 
I personally use AdGuard, because I use YouTube, Reddit, Facebook, etc from the browser directly instead of their respective apps, and don't need to see or hear the ads/video ads. Camera, Microphone, Location - These are personal choices, and can be set to Deny or Allow for all websites, or set to ask you every time. Ask yourself, do I really want the website to use my camera, hear what I'm saying or know where I am? If you want to be in control, select Ask Every time. Request Desktop Website (enable for iPads) - This isn't security related, but to enhance your user experience. On iOS 13, err, I mean iPadOS, this option is enabled for iPads, because the screen is large and scales down the desktop theme of almost every website to fit the display perfectly. On iPhones, it isn't recommended to enable the option, because the display isn't big enough. Finally, there is the Advanced section, where there are a few options, which we think may be of use to developers, especially the Experimental ones. The rest of the options here, aren't really meant to be fiddled with by normal users. Source: How to configure Safari in iOS - A user-friendly and privacy focused guide (gHacks - Martin Brinkmann)
  6. Apple today released a new update for Safari Technology Preview, the experimental browser Apple first introduced three years ago in March 2016. Apple designed the Safari Technology Preview to test features that may be introduced into future release versions of Safari. Safari Technology Preview release 84 includes new Safari 13 features that will be available in macOS Catalina. These features include a new Favorites page and prompts to change a password when a weak password is detected. Refreshed Favorites Design. The Favorites page has been visually refreshed, and now includes Show More and Show Less actions. Switch to Tab from Smart Search Field. The Smart Search Field now offers switching to an already-open tab when a search query matches the title or URL of an open tab. Warnings for Weak Passwords. When signing into a website with a weak password, Safari will prompt you to visit the website in a new tab to upgrade the password to an Automatic Strong Password. Safari uses the well-known URL for changing passwords (/.well-known/change-password), allowing websites to take users directly to their change password pages. The password list in Safari Preferences has also been updated to flag weak passwords. The new Safari Technology Preview update is available for both macOS High Sierra and macOS Mojave, the newest publicly available version of the Mac operating system that was in September 2018. The Safari Technology Preview update is available through the Software Update mechanism in the Mac App Store to anyone who has downloaded the browser. Full release notes for the update are available on the Safari Technology Preview website. Apple’s aim with Safari Technology Preview is to gather feedback from developers and users on its browser development process. Safari Technology Preview can run side-by-side with the existing Safari browser and while designed for developers, it does not require a developer account to download. Source
  7. Microsoft confirms the latest version of Skype for Web drops support for Safari Microsoft released a new version of its Skype for Web client earlier this week in a bid to make the service easier to access. Now, however, the company has confirmed that Skype for Web is no longer supported in Safari. In a statement to VentureBeat, Microsoft explained that Skype for Web uses a “calling and real-time media” framework that functions differently across the various browsers. Thus, it decided to prioritize Skype for Web support in Microsoft Edge and Google Chrome: A Microsoft spokesperson said the service requires “calling and real-time media” technology that is “implemented differently across various browsers.” So the company “decided to prioritize bringing Skype to [the] web on Microsoft Edge and Google Chrome based on customer value.” Skype for Web originally launched to the public in April of 2016 after extensive beta testing. The move to drop support for Safari isn’t necessarily surprising, though. Last month, Microsoft warned Skype for Web users that Safari, Firefox, and Opera support would soon be dropped. The only question was when the switchover would occur. The latest version of Skype for Web includes a handful of improvements over previous versions. The web app includes revamped notifications, HD video calling, built-in call recording, and more. Read the full announcement post here. You can try Skype for Web here, but you’ll have to do so in Chrome or Edge, or another Chromium-based browser such as Brave or Vivaldi. It’s unclear if Safari support could come down the line at some point, but it’s clearly not a priority for Microsoft at this time. Source
  8. A team of Belgian researchers discovered privacy issues in how browsers, ad-blocking, and anti-tracking implementations handle third-party cookie requests. A team of Belgian researchers from KU Leuven analyzed third-party cookie policies of seven major web browsers, 31 ad-blockers and 14 anti-tracking extensions and discovered major and minor issues in all of them. Major issues include Microsoft Edge's unwillingness to honor its own "block only third-party cookies" setting, bypasses for Firefox's Tracking Protection feature, and use of the integrated PDF viewer in Chrome and other Chromium-based browsers for invisible tracking. Cookie requests can be sorted into two main groups: first-party requests that come from the address listed in the address bar of the browser and third-party requests that come from all other sites. Advertisement displayed by websites makes use of cookies usually and some of these cookies are used for tracking purposes. Internet users can configure their browsers to block any third-party cookie requests to limit cookie-based tracking. Some browsers, for instance Opera or Firefox, include ad-blockers or anti-tracking functionality that is used in addition to that. Anti-tracking mechanisms have flaws The research paper, "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies", detailed information about each web browser, tests to find out if a browser is vulnerable to exploits, and bug reports are linked on the research project's website. The researchers created a test framework that they used to verify whether "all imposed cookie- and request-policies are correctly applied". They discovered that "most mechanisms could be circumvented"; all ad-blocking and anti-tracking browser extensions had at least one bypass flaw. 
In this paper, we show that in the current state, built-in anti-tracking protection mechanisms as well as virtually every popular browser extension that relies on blocking third-party requests to either prevent user tracking or disable intrusive advertisements, can be bypassed by at least one technique. The researchers evaluated tracking protection functionality and a new cookie feature called same-site cookies that was introduced recently to defend against cross-site attacks. Results for all tested browsers are shown in the table below. The researchers tested the default configuration of Chrome, Opera, Firefox, Safari, Edge, Cliqz, and Tor Browser, and configurations with third-party cookie blocking disabled, and if available, tracking protection functionality enabled. Tor Browser is the only browser on the list that blocks third-party cookies by default. All browsers did not block cookies for certain redirects regardless of whether third-party cookies were blocked or tracking protection was enabled. Chrome, Opera and other Chromium-based browsers that use the built-in PDF viewer have a major issue in regards to cookies. Furthermore, a design flaw in Chromium-based browsers enabled a bypass for both the built-in third party cookie blocking option and tracking protection provided by extensions. Through JavaScript embedded in PDFs, which are rendered by a browser extension, cookie-bearing POST requests can be sent to other domains, regardless of the imposed policies. Browser extensions for ad-blocking or anti-tracking had weaknesses as well according to the researchers. The list of extensions reads like the who is who of the privacy and content blocking world. It includes uMatrix and uBlock Origin, Adblock Plus, Ghostery, Privacy Badger, Disconnect, or AdBlock for Chrome. The researchers discovered ways to circumvent the protections and reported several bugs to the developers. 
Some, such as Raymond Hill, who is the lead developer of uBlock Origin and uMatrix, fixed the issues quickly. At least one issue reported to browser makers has been fixed already. "Requests to fetch the favicon are not interceptable by Firefox extensions" has been fixed by Mozilla. Other reported issues are still in the process of being fixed, and a third kind won't be fixed at all. You can run individual tests designed for tested web browsers with the exception of Microsoft Edge on the project website to find out if your browser is having the same issues. Closing Words With more and more technologies being added to browsers, it is clear that the complexity has increased significantly. The research should be an eye opener for web browser makers and things will hopefully get better in the near future. One has to ask whether some browser makers test certain features at all; Microsoft Edge not honoring the built-in setting to block third-party cookies is especially embarrassing in this regard. (via Deskmodder) Now You: Do you use extensions or settings to protect your privacy better? Source
  9. FedEx is really sorry. No, seriously. It's gotten so bad that FedEx feels it has to pay you to use Flash, a technology derided as being outdated and unsafe. You know when people say "this is so bad, you couldn't pay me to use it"? FedEx just upped the ante. The shipping and logistics giant still relies on the often-criticized Flash animation technology to power some of its site, and so has begun offering $5 to customers as a sort of "sorry!" for the trouble. "We apologize for the inconvenience, but it looks like your browser no longer supports Flash," FedEx's website kindly says. Considering top browser makers such as Google, Mozilla and Apple disable or don't include Flash by default in their Chrome, Firefox and Safari browsers, this FedEx message probably pops up a lot. The site then goes on to offer $5 as an incentive, though you do have to spend more than $30 on your order because, well, it's not like FedEx is actually just going to give you the money no-strings-attached. Of course, there's good reason not to take FedEx up on its offer anyway. Adobe Flash frequently struggles against security flaws, which has led companies like Google, Facebook and Apple to actively block it. FedEx didn't respond to a request for comment about how sorry it feels, and Adobe didn't respond to a request for comment about continued criticism of Flash. Source
  10. Mozilla Firefox with its multi-process architecture enabled is still the web browser with the best memory performance according to Mozilla. Our own memory benchmarks saw Firefox lead the pack in 2012 and 2014 when we compared the browser's memory usage against Chrome, Opera and Internet Explorer on Windows. Mozilla did run tests of its own last year, and ran them again this year with multi-process versions of the browser. Multi-process architecture separates the browser from content processes in Firefox. Mozilla estimated last year that Firefox would use about 20% more memory with a single content process added, and more if more processes were used by the browser. The new test conducted by Mozilla takes different content process configurations into account. More precisely, Mozilla ran the same test that it did last year with 2, 4 and 8 content processes. Mozilla loaded 30 web pages of the Alexa top 100 in their own tabs, with 10 seconds in between loads, and looked at the memory usage of the browser in the end. Firefox, Chrome, IE, Safari memory performance in 2017 The result, as you can see on the graph above is that Firefox is very memory efficient. This is particularly the case on Windows and Linux, where the memory use difference is significant. Firefox uses more memory if more content processes are added, but the difference between 2 and 8 content processes is not as problematic as Mozilla assumed last year. On Windows 10, memory performance increased by about 300 Megabyte from 587 MB to 905 MB with eight content processes enabled. On Linux, memory usage rose by just 125 Megabyte under the same eight content processes. The difference is not as spectacular on Mac devices. Firefox with two and four content processes uses less memory than Chrome, but the difference is just 150 Megabyte at the most. The eight content process version used even more memory than Chrome on the operating system. 
Chrome used 1478 MB on Linux, 1382 MB on Windows, and 1365 MB on Mac OS X. Mozilla's plan is to increase the number of content processes to four in the near future. This would make Firefox use less memory than Chrome on all platforms. On two, Windows and Linux, it would use considerably less than Chrome. It needs to be noted that Google Chrome uses one content process per tab by default. Firefox's memory usage would increase more if Mozilla would enable this as well. Tip: you can tame Chrome's memory usage by enabling processes per site, and not tab. This works for other Chromium-based browsers as well including Vivaldi and Opera. If you use Firefox, check out our guide on optimizing Firefox's memory use. Closing Words You can run the tests by yourself, as the tools that Mozilla used to run the benchmarks are openly available. It appears at least, that Firefox is still the most memory friendly user in 2017, and that the switch to the multi-process architecture has not changed that. While memory use increased, it is still better than Chrome, IE or Safari even with multiple content processes enabled. Article source
  11. geeteam

    [Infographic] Browser Wars

    According to New Relic’s data, which analyzed more than 16.8 million page loads from early October through early November last year, BlackBerry 10 devices loaded web pages in 1.55 seconds on average. The second-fastest web browser, Opera Mini 4.2, wasn’t even close, with page load times that averaged 4.78 seconds. In other words, the BlackBerry 10 browser is more than three times faster than its next-closest competitor. Apple’s Safari browser on the iPad came in at No. 3 with an average page load time of 4.91 seconds, and no other native web browser was even included in New Relic’s top-9 rankings. An infographic showcasing the company’s test results follows below. Source
  12. By Casey Johnston - Jan 28 2014, 7:00am AUSEST Updates turned some Chrome add-ons malicious - not all browsers allow that. Customers complain about activity tracking in CRXMouse on Chrome, a particularly invasive add-on. In a recent revelation by OMG Chrome and the developer of the Chrome extension Add to Feedly, it came to light that Chrome extensions are capable of changing service or ownership under a user's nose without much notification. In the case of Add to Feedly, a buyout meant thousands of users were suddenly subjected to injected adware and redirected links. Chrome's regulations for existing extensions are set to change in June 2014. The changes should prevent extensions from being anything but simple and single-purpose in nature, with a single visible UI surface in Chrome and a single browser action or page action button, like the extensions made by Pinterest or OneTab. This has always been the policy, per a post to the Chromium blog back in December. But going forward, it will be enforced for all new extensions immediately and for all existing extensions retroactively beginning in June. Given how Chrome's system of updates, design restrictions, and ownership seemed to have gotten ahead of itself, we decided to take a look at the policies of other browsers to see if their extensions could be subjected to a similar fate. While Chrome isn't the only browser where an Add To Feedly tale could be spun, it seems to be the most likely place for such an outcome. Firefox Mozilla's Firefox differs from Chrome in that it has an involved review system for all extensions that go from developers to the front-end store. Reviewers will reject an extension if it violates any of the rules in Firefox's extension development documents. One of these rules is no surprises - an add-on can't do anything it doesn't disclose to users, and existing add-ons can't change their functionality without notifying the user and getting their permission. 
Firefox puts add-ons with unexpected features, like advertising that supports the add-on financially, into a separate category. Users have to explicitly opt-in to these features, says Jonathan Nightingale, vice president of Firefox. This means that in these cases, users will see a screen offering them the additional features, says Nightingale. One example is FastestFox, which pops a tab at first install asking the user to enable ad injection from Superfish.

It's how developers implement these opt-in screens that could provide for a possible loophole; the addition of advertising might be obscurable by language, and data tracking could be, too (it's permitted under Firefox's rules, but it must be disclosed in a privacy policy). Still, the review policy and need for opt-in for these more pernicious features both help prevent users from having new functionality sprung on them.

Safari

Safari has extensive design documents for its extensions but no central clearinghouse for them like other browsers. Apple keeps a gallery of a chosen few extensions that must meet certain regulations, but these represent a small fraction of the extensions available. Data tracking of an extension's users is possible, per the design docs, as is ad manipulation. Unlike Chrome, but like Firefox, the download and installation of Safari extension updates must be manually approved by the user. There are no regulations for disclosing functionality changes or changes of ownership, however.

Internet Explorer

Microsoft's browser absolves itself of responsibility for add-ons on a support page where it states, "While add-ons can make your browsing experience better by giving you access to great Web content, some add-ons can pose security, privacy, or performance risks. Make sure any add-ons you install are from a trusted source." Add on at your own risk. Like Apple, Microsoft maintains an exclusive gallery of vetted add-ons.
The company encourages extension makers to get user consent for unexpected add-on functionality, but it doesn't require it or block extensions that don't do it. Markup-based extensions can only be installed from within the browser, and therefore these must have the user's explicit consent according to Microsoft. Other than this infrastructure, nothing prevents IE add-ons from doing things like injecting ads or redirecting a browsing experience (remember, this was the former home of the invasive toolbar add-on). IE10 does have an add-on management window, but some add-ons, like the ad-injecting Buzzdock, have to be removed as if they are full-fledged applications.

Uninstalling a particularly invasive IE add-on.

Opera

The latest versions of Opera are able to use Chromium extensions, but unlike Chrome ones, they get a review process that's similar to Firefox's. Most importantly in Opera, there are restrictions on the types of scripts an extension can run and how they handle ads. Andreas Bovens, head of developer relations at Opera Software, told Ars in an e-mail that Opera doesn't allow extensions that include ads or tracking in content scripts, so extensions that, for example, inject ads inside webpages the user visits are not allowed. Extensions can, however, have ads in their options pages or in the pop-up that is triggered by their button in the browser's interface.

Every extension gets a review, and the review team takes special care to suss out the nature of any obfuscated JavaScript code. If some of the code is obfuscated, reviewers ask the developers for the unobfuscated code to look at as well as a link to the obfuscation tool. "That way we can check that the input and output indeed match," Bovens says. When an extension's ownership is transferred or the extension is updated, it's subject to the same rigorous review process as an extension that's being submitted for the first time, according to Bovens.
An extension that goes from having no ads to injecting ads, as some Chrome extensions do, "simply would not pass [Opera's] review process," Bovens says.

Retiring to the not-so-Wild West?

While Chrome extensions may have a better ideology than those of some other browsers, the breadth and depth of functionality that Chrome extensions can have without any kind of review process means that Chrome users' trust can get taken for granted. It's similar to the Google Play app store, in that way: pretty much anything can make it to the market, but enough user complaints can get it taken down, as in the case of Add to Feedly and Tweet This Page.

Based on policy and practice, users who heavily rely on extensions or have been made wary of them by developers' recent transgressions may be safer on browsers like Firefox and Opera, where regulations are a bit stricter and there are people to police them. But there can be downsides to a vetting process, too, mainly in terms of rate-limiting iteration and improvements, so it's a matter of weighing options.

Former home? This is the current home for an awful lot of crapware add-ons, like Conduit's search hijacker, or the Ask.com toolbar that still hasn't died a thousand deaths, even though it should.

http://arstechnica.com/business/2014/01/seeking-higher-ground-after-chrome-extension-adwaremalware-problems