I wrote an article explaining the trend with browsers' add-on support and why I think that #Mozilla limiting users' choice on Android massively is part of that trend. The add-on ecosystem is degrading steadily, and I don't expect it to reverse course. https://palant.info/2020/08/31/a-grim-outlook-on-the-future-of-browser-add-ons/
Several people from the Mozilla community felt that I’m building up a conspiracy theory here. That’s not the case, I’m actually quite certain that people are acting with good intentions. Unfortunately, that doesn’t automatically mean that we’ll be happy with the results. Updated my article:
@WPalant scratch "add-ons". browser ecosystem is degrading o0
I just finished evaluating a shiton of tiny browsers for an embedded arm device but they are all dead.
"surf" was the first that looked remotely alive.
@bekopharm Yes, I mentioned that in the article. Add-ons are merely where this shows already, but it will affect everything sooner or later.
A modern web browser is an extremely fast moving target. It requires lots of resources to build one, which is why there are now only Gecko and Blink browser engines left. And even embedding an existing browser engine is lots of work merely to keep up with the development.
Now with Mozilla downsizing, Google is going to dictate the rules…
@WPalant Indeed a grim picture.
Btw wish you'd support Webmentions or Backfeeding.
@bekopharm I haven't heard of Webmentions before. Unfortunately, the experience is that features like that get very little legitimate use – but they are well-received by spammers.
@WPalant I haven't seen a spammer yet willing to burn entire domains - unlike real comment spam that only requires a canned comment solution but hey, your blog, your thing :)
@bekopharm The fun thing is: as your site rank rises, you get more inventive spam. The spammers will actually invest real thought into fooling you so that you leave the spam standing. 😀
My personal blog isn't too bad. But weeding out the spam on adblockplus.org (blog + forum) was the horror.
@WPalant don't think it's about rank. My personal blog was drowning in spam years ago so I gave up and disabled comments and pingbacks. Also comment links are usually marked user-generated-content so there is nothing in for seo. Anyway, I enabled this again with backfeed and mentions not offering a comment form in itself and wow.. there are real people! Meanwhile the anti spam plugins are bored.
Also imho(!) it's great being allowed to comment via a preferred platform without filling more forms
@bekopharm It absolutely is about rank. I mean, if your commenting system doesn't weed out bots – sure, you will drown in automated comments regardless of rank. But if you make filling out your forms impossible for bots, the high rank websites see the human spammers – those people who earn a few bucks by filling out comment forms all day. And I could see their referrer sites: they were primarily coming from Google searches, looking for popular websites with comment forms.
@bekopharm They also were very inventive. If you blocked their IP address, they simply reconnected to get another one. If that didn't work, they would use free proxies or one of a dozen VPN services. They would even switch to Tor. They would do whatever helped them place their content on your site.
@WPalant probably true. my stuff is niche enough so I only had to deal with bots and only very few desperate manual attempts on a forum of mine.
The few bots I got over social media were easily blocked so far. Here I can make use of the comfort offered by silos who usually remove spammers before I even have to lift a finger.
Say - if we'd had this conversation via your comment section - would this have changed things for you? I mean this is also coming from some random domain on the verse.
@bekopharm Not quite sure what you mean – we shouldn't have conversations via the comments section, it isn't the right tool for that. Some blogs have very elaborate comment systems, but once people start chatting there it still gets very hard to keep an overview. So I didn't really try to make this scenario possible.
@WPalant yeah - this happened accidental 😜 Initially I was just commenting on the article but via ActivityPub ;-)
Thing is that the initial comment to the article is not _at_ the article because I refrained from entering data into a form. It was way more comfortable for me. And you read it and you did even see a reason to reply. That's cool :)
What did you get?
A name. A message. An avatar. A source. All public meta data. It's now on your instance. And mine. Could have ignored or blocked it.
@WPalant So my point is: Would this have changed _if_ this interaction would have taken place between our blogs without 3rd party in the middle?
because a Webmention is just that.
@bekopharm Right now this conversation isn't being displayed on my website. If it were the same with Webmention – sure, nothing would have changed. If however I decided to display Webmentions in my comments section, I'd make this a lucrative target for spammers. That's the difference here.
@WPalant I fail to see the difference to offering the same target via comment form.
It get's moderated - as usual. Hopefully it's handled by nifty plugins already and in the end there is human moderation.
Just like here.
The effort is higher tho. How much does it take to setup a new account on e.g. Twitter or post to a form compared to using a domain as source, that will be completely burned once found out as spam?
Isn't this exactly how adblocking works? You kill the entire source?
@bekopharm Yes, I can try implementing this with the same premoderation mechanism as with the comments. The concern is really that this mechanism will be used to flood receivers with spam before it becomes widespread enough to be useful.
@WPalant legit point. It's an underdog and mostly used by [real] people usually only found by blogroll and alike. Implementing this in Hugo is hard (but I know people who did it). Using WordPress myself I get this ootb so it's cheap talk for me :-)
It's not really suited when the game is ranking and seo. Too much effort. The only good thing is that it's the same for spam targets. There are more hops involved _before_ stuff even ends up in some moderation queue.
@bekopharm I looked through this now. It does seem simple at the first glance. That is, until you start looking at parsing and processing h-entry microformat. That's the point where I thought: “Maybe some other time…” The existing Python libraries don't quite take this problem off my hands.
@WPalant that bad? Only fiddled with the php and node parsers. Results are mixed oc based on the source but the absolute minimum, a name and text content, was usually not a problem.
Anyway, thanks for checking at least 👍
@WPalant I suspect you are thinking a great deal about the future of PfP in light of this. I took the time to migrate from FF password store to PfP after reading your articles; so it is definitely a very important plugin.
Do you see a future for PfP, and if so, what would it be?
Hoping to see a blog post about that for either hope or closure. It really is a great bit of security that inspired me to look into these topics more (taking a SANS class now!).
@PresGas I hope that PfP can stay around. Worst-case scenario is offering it as a web page, but I hope that it won't come to that.
@PresGas On the other hand, I'm leaning towards giving up on Google Search link fix. Maintaining it just isn't worth it.
@WPalant Thanks! Keep us all posted on your odyssey. We appreciate the work.
@WPalant Looks like some more "Official" damage control, but still much about nothing:
At least there is some kind of communication about it??
@PresGas Yes, saw it. Not really adding much to the discussion. More add-ons will be allowed later, sure. But it doesn't say that Mozilla intends to stop gatekeeping.
A Mastodon instance for info/cyber security-minded people.