Google's Manifest Version 3 Will Reduce Browser Security in Chrome and Other Derivatives

This summer Google is rolling out a sweeping change to how plugins are able to work with its web browser, updating from what is called Manifest version 2 to version 3.

As a result, the ability of plugins to block malicious and other undesirable content will be significantly reduced. Curiously enough, Google claims that Manifest V3 will improve privacy, security and performance, but I am quite skeptical of these claims.

Under Manifest V3, Google has introduced changes such as:

  1. Strict Permissions: Manifest V3 enforces stricter permissions policies for extensions, which may lead to some essential features being disabled or limited due to security concerns.
  2. New API Restrictions: The new version restricts the use of certain APIs that were previously available in Manifest V2, making it more difficult for developers to create effective ad blockers and other content-blocking plugins.

While the stricter permissions and API restrictions can help reduce the negative impact of malicious plugins, the bigger problem is that they significantly undermine the capacity of protective plugins, those that block malicious websites such as ones distributing ransomware or engaging in phishing attacks, to keep users safe.

This is because the reduced access undermines the ability of plugins to update their lists of known problematic websites and web content. As a result, one may not have the level of protection that was possible under Manifest V2 to block malware, phishing, information exfiltration and other sorts of malicious web content.

These changes are already underway in early-stage releases of Google Chrome, and are expected to be rolled out broadly to all editions of the browser later this year (except for enterprise users, who have about another year of grace time should they opt out).

The motivation here is clear. Google is the largest advertising company in the world, and it derives the vast majority of its revenue from selling ads on its search platform, YouTube and on other websites that run ads using Google's platform.

Ensuring ad blockers are made less functional means that Google is likely to realize a small increase in revenue from ads that were once blocked for users that continue to use Chrome.

That is perfectly understandable, as the company has a fiduciary responsibility to its investors to do whatever is possible to maximize the growth of its business.

The problem, however, is that this path is one that jeopardizes the security, privacy and user experience of not just Chrome itself, but also browsers based on Chromium, such as Brave or Opera.

At this point, the best choice if one is interested in continuing to be able to block malicious web content, ads and privacy-infringing tracking is to consider using Mozilla Firefox with the uBlock Origin plugin. Migrating from Google Chrome is not too difficult, but the catch is that some websites do not fully support Firefox and that can create friction in our day-to-day workflow.

Ultimately it is a trade-off, like many things in life or business. We have to make the best choice, weighing the pros and cons along the way.

I've chosen to use Mozilla Firefox as I think it is the best choice to stay more secure against the ever-increasing threshold of attacks leveraged against web browsers.

What will you do?

