Google Promotes New WebBundles Standard, a Web Site Packaging Technology That Is Potentially Dangerous for the Web

Amid the general stream of news, a joint appeal by Chrome product manager Kenji Baheux and Google web consultant Yusuke Utsunomiya to use the new Web Bundles standard developed by Google went unnoticed. A corresponding guide to using WebBundles appeared on chromium.googlesource, and little more was said about it. The post by Baheux and Utsunomiya was published back in November 2019, but it has drawn a community reaction only now, and then only on a few specialized sites and one blog dedicated to cybersecurity.







Below we look at what this technology for "packing" web page content into a single source is, why it is so dangerous, and why the Google web development team is stepping onto a very slippery slope.



Web Bundle - the RarJPEG business lives on



WebBundle was first written about on Habr back in the fairly distant 2015, when the author ComodoHacker published the article "Web Bundle - The RarJPEG Case Lives" with an overview of the latest release of the new tool on GitHub.



The principle behind the 2015 WebBundle is simple and mirrors the way .exe files are packaged: "arbitrary files are packed into one container file, and on the client side, access to them is organized by file name using the API."



The 2015 release was, in fact, a rethinking of the rarJPEG principle familiar to imageboard users, in which additional content was packed into an image. This made it possible to bypass a board's restriction on uploading only images and to pass arbitrary files between users on an anonymous platform.



WebBundle had the same aim of bypassing file-type restrictions: it could be used to pack anything, including binaries, into a nominal PNG and transfer it in one "archive" under the guise of a picture.



In 2015 ComodoHacker assessed WebBundle's prospects very accurately: the technology is niche and will survive only if people use it. Now, from 2020, we can safely say that no, the technology was not used and never caught on.



The problem is that there are clearly 4chan fans among Google's engineers and web developers, and they reimagined the WebBundle concept, releasing version 2.0, or, as they called it, WebBundles.



How Google's 2019 WebBundles Differ from 2015's WebBundle



First and most obvious: this time the people at Google are behind it. Second, they managed to stretch the fairly useless idea of packing random files into a PNG, like an owl over a globe, across the whole of web development and site building.



The TL;DR of the difference between WebBundles and WebBundle looks like this:







Google engineers directly suggest using WebBundles to encapsulate multiple resources into one file that is later displayed to the user as a finished web page. In fact, the closest technology currently available is PDF. I think many of us have, at least once, needed to extract part of the contents of a PDF file, and that experience needs no further comment.



But if Google promotes WebBundles as a ubiquitous tool, it could be an extremely dark time for the web, and here's why.



Why WebBundles are dangerous for the modern web



The modern web is built on the principle that each resource has its own URL, so we can take a page apart and view its contents, often literally by opening the console in a browser.



When a site is packaged in WebBundles, we get a monolith of dozens or hundreds of encapsulated resources that are hidden from the outside world behind a single link, and this content can be retrieved only by accessing the "monolith" directly.



From an information security point of view, this means that any site that appears to the outside world as a single link can contain arbitrary JS code, scripts, advertisements, and anything else one can imagine.



Peter Snyder, a security researcher at Brave, commented on the technology created by Google on his blog:



This technology can transform the modern Internet from a collection of hyperlinked resources (which can be checked, selectively retrieved, or even replaced) into opaque bubbles that work in an all-or-nothing fashion (like PDF or SWF already do).


The problem with WebBundles is that the very principle of opaque packaging of web page content into a single monolith makes it impossible to validate, plus devalues the already built mechanism of URL relevance and indexing.



Basically, a common problem with all of these packaging tricks is that WebBundles create a local namespace regardless of what the rest of the world sees. This can ultimately cause massive naming confusion and negate years of work to create a confidential and secure environment.


Google



Here is a well-known fact: Google hates ad blockers. It may try to pretend that blockers are a phenomenon to be lived with and that is not going anywhere. It may even support the trend itself: for example, a built-in blocker was added to Chrome in November.



But let's be honest: the entire Google empire is built on banners and the first three search results labeled "ads." This is multi-billion-dollar corporate income, and Google's entire business and development empire revolves around banners and those three links.



WebBundles could be a game changer on a technical level and make the concept of modern ad blockers completely dysfunctional. Arbitrary URLs can be packaged into WebBundles to display ads, the URLs inside them can be substituted, and so on, as far as imagination allows.
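The contrast between URL-keyed filtering and bundle-local names described above, as an added example that is not part of the original article: the bundle is modelled as a plain map of URL to body (not the real Web Bundle wire format), and the filter rules, URLs and script bodies are all constructed. The second check keys on content rather than names, using FNV-1a as a dependency-free stand-in for a cryptographic digest.

```javascript
// Added illustration. The "bundle" is a simplified model (URL -> body map),
// not the real CBOR-based Web Bundle format. All URLs and bodies are constructed.

// Constructed rules in the style of a URL-pattern blocklist.
const urlRules = [/\/ads\//, /tracker\.js$/];

// FNV-1a (32-bit), non-cryptographic: a stand-in so the example has no
// dependencies. A real tool would use SHA-256 for content fingerprints.
function fingerprint(body) {
  let h = 0x811c9dc5;
  for (let i = 0; i < body.length; i++) {
    h ^= body.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

const TRACKER_BODY = "sendBeacon('/collect', navigator.userAgent)"; // constructed
const knownBad = new Set([fingerprint(TRACKER_BODY)]);

// Classic page: every subresource is fetched under its own globally visible URL.
const classicPage = new Map([
  ["https://example.test/app.js", "render()"],
  ["https://example.test/ads/tracker.js", TRACKER_BODY],
]);

// Bundled page: same bodies, but the names exist only inside the bundle and
// carry no meaning a URL rule could match.
const bundledPage = new Map([
  ["https://example.test/a1f3.js", "render()"],
  ["https://example.test/9c0e.js", TRACKER_BODY],
]);

// Decision keyed on the resource name (how URL filter lists work).
function blockedByUrl(resources) {
  return [...resources.keys()].filter((u) => urlRules.some((r) => r.test(u)));
}

// Decision keyed on what the resource actually contains.
function blockedByContent(resources) {
  return [...resources]
    .filter(([, body]) => knownBad.has(fingerprint(body)))
    .map(([url]) => url);
}

console.log("classic, URL rules:  ", blockedByUrl(classicPage));
console.log("bundle,  URL rules:  ", blockedByUrl(bundledPage));
console.log("bundle,  fingerprint:", blockedByContent(bundledPage));
```

Exact fingerprints stop matching as soon as a body changes by one byte, and they require the filter to see inside the bundle at all, so this shows the shift from names to content rather than a complete defence.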



That said, Google is quite serious. The current implementation of WebBundles is already integrated into stable versions of Chrome, but is disabled by default. If you want, though, you can open this Pandora's box via chrome://flags.





Chrome version 85.0.4183.83 (Official Build), (64 bit)



For now, WebBundles are more like a gun that hangs on the wall and never fires. But if Google gets “squeezed” and the company's revenues drop significantly due to falling advertising budgets, this weapon may well be used. It is not known what the corporation will promise web developers, but it is already clear that WebBundles look very appetizing to unscrupulous webmasters who are ready to monetize their properties by any means.



How to deal with this is also unclear, especially given that the possible rollout of "web-PDF" would be led by the company that develops the most popular browser engine on the planet. Even worse, there are no viable alternatives to this engine now, because even Microsoft “shot and buried” its own EdgeHTML two years ago, having switched to Chromium.



The analogy with PDF is made for a reason: the basic principle of packaging and displaying data is extremely similar between the protected document format and WebBundles. Even worse, as of 2020 there are no publicly available tools or services (even paid ones) that decompile PDF content with 100% accuracy and hand it to the user in the desired format, and that is just for protecting text data. What methods of protecting the contents of WebBundles containers Google might create is anyone's guess.



Google has so far carefully positioned WebBundles as "a tool for saving and transferring websites locally," that is, via media or Bluetooth. At the same time, the company calls WebBundles "a new standard that can fundamentally change the Internet," that is, there are already plans for widespread adoption of WebBundles.





