Browser Add-on Google’s Manifest V3 Still Hurts Privacy, Security, and Innovation

Nightwalker

Level 24
Verified
Honorary Member
Top poster
Content Creator
Well-known
May 26, 2014
1,314
Despite the best efforts from the AdGuard team and Gorhill, unfortunately Manifest V3 extensions are bound to be lackluster; it is a flawed design after all.

There are some viable alternatives for now:

1 - Brave with its native adblocker based on Rust.

2 - Firefox

3 - AdGuard for desktop

4 - Manifest V3 + some DNS adblocker like NextDNS, AdGuard DNS and Control D.

Back3

Level 13
Verified
Top poster
Apr 14, 2019
608
Despite the best efforts from the AdGuard team and Gorhill, unfortunately Manifest V3 extensions are bound to be lackluster; it is a flawed design after all.

There are some viable alternatives for now:

1 - Brave with its native adblocker based on Rust.

2 - Firefox

3 - AdGuard for desktop

4 - Manifest V3 + some DNS adblocker like NextDNS, AdGuard DNS and Control D.
AdGuard v3 and NextDNS complement each other on my PC. In the last 2 days… With Chrome…

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,996
No surprise there from the research I've been doing.

Here's just one example from 4 months ago:
Securing Decrypted Secrets

With browser wallet extensions, one critical security challenge is where to safely keep the decrypted secrets when the wallet is unlocked. In Manifest V2 extensions, background pages are used to store secret values in variables in memory, such that they can be persisted (at least as long as the browser is running), but are not stored to disk. None of this is possible with service workers, which are short-lived event handlers that typically do not maintain state. The only way to persist data between handled events in Manifest V3 using existing methods is by utilizing IndexedDB, Caches, or the chrome.storage API. However, all of these resources require that secret data is written to disk, thus creating a different set of security challenges.
A proposal was made to add the chrome.storage.session API to the chrome.storage API, which enables extensions to store variables in memory so that service workers and other parts of the extension can access these values as long as the session is active. Although the chrome.storage.session API is enabled in the newest chromium versions (starting from version 100 and higher), it has not been formally announced and, at the time of writing, is listed as pending in the chrome extension documentation. This modification to the API is not battle tested, and the impact that the usage of this API has on the security of browser extensions wallets is not yet known.

Unsupported Encryption and Key Derivation Packages

Another challenge caused by the switch to Manifest V3 is that encryption and key derivation packages that are considered to be secure, such as argon2 and libsodium-js, are currently not supported in Manifest V3 because of their usage of WebAssembly, which is disallowed for extensions in the new manifest version. For libsodium, this could be a bug in the code used to switch between wasm and asm, whereas argon2 is currently compiled only to wasm. Our team has previously discussed the common usage of insufficiently secure key derivation algorithms and weak encryption algorithms and we intend to publish a blog on this subject in the near future. The incompatibility of argon2 and libsodium-js with Manifest V3 currently limits the options for secure key derivation and encryption methods. It seems likely that WebAssembly will be supported for extensions in Chrome in the future, but the fix is not in production yet.

Conclusion

In Manifest V3, in order for secret data to be stored securely, the chrome.storage.session API must be used, even though it has neither been officially launched nor sufficiently tested and audited as a secure medium for persisting secret data. In addition, encryption key derivation and encryption packages that are known to be secure are currently incompatible with Manifest V3, which limits the options available for the implementation of sufficiently secure cryptography.

We encourage community members and stakeholders to closely monitor developments in chromium based browser extension security.
Manifest V2 to V3: Challenges and Security Considerations. - Least Authority

Gandalf_The_Grey

Level 64
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,367
Google to test disabling Chrome Manifest V2 extensions in June 2023
Google has announced more details regarding turning off support for Google Chrome Manifest V2 extensions as the company pushes more developers to transition to Manifest V3.

An update from the Chrome team says that they will proceed in careful, experimental steps, ensuring a smooth end-user experience during the phase-out of Manifest V2 in June 2023.

During that time, Google will support extension developers with guidance and information on the new protocol and how they can best roll out versions that support it without their users experiencing hiccups.
Today's update provides more granular information on the roll-out of Manifest V3 (and phase-out of Manifest V2), adding the following milestones:
  • In January 2023, with the release of Chrome 112, Chrome may run experiments to turn off support for Manifest V2 extensions in Canary, Dev, and Beta channels.
  • In June 2023, with the release of Chrome 115, Chrome may run experiments to turn off support for Manifest V2 extensions in all channels, including Stable channel.
Based on this update, the deadline for lifting Manifest V2 support has been pushed back by five months, from January to June 2023.