Closed Kein closed 3 years ago
I have a different point. If it is a service installed during installation of chromium then it is possible to disable it. It will be more practical than something to trigger the windows firewall, which I doubt whether the installer built by ninja can do.
You're seeking to gut chromium more while using the Windows 10 which has telemetry just as bad if not worse.
What kind of argument is that? It is like saying, "even with ungoogled project Google will still be able to track you and collect all your data might as well stop using Internet". ???
How does this help when the OS itself is spying?
What it has to do with OS? Where did I say the issue must be addressed only because of some OS? Let me quote:
These are the core features introduced by ungoogled-chromium.
Disable functionality specific to Google domains (e.g. Google Host Detector, Google URL Tracker, Google Cloud Messaging, Google Hotwording, etc.) This includes disabling Safe Browsing. Consult the FAQ for the rationale.
Block internal requests to Google at runtime. This feature is a fail-safe measure for the above, in case Google changes or introduces new components that our patches do not disable. This feature is implemented by replacing many Google web domains in the source code with non-existent alternatives ending in qjz9zk (known as domain substitution; see docs/design.md for details), then modifying Chromium to block its own requests with such domains. In other words, no connections are attempted to the qjz9zk domain.
Chromium abusing loophole of Windows service is one of these cases, it is one of the runtime requests to Google servers and services that was missed and I strongly believe it should be addressed because this is one of the main goals of the project. The reason I mentioned Win10 issue is to a priori address off-hand arguments like "duh silly just use firewall". Using firewall isn't the point here.
@wchen342 It is a default Windows service Chromium just abuses as a hole to do dirty work. For the record, I do have it blocked at OS level and I've been using Ungoogled Chrome for a year or so, it is no issue and is not required for the browser to work (would be weird with cross-platform support in this case). The functionality related to that can be safely addressed/removed. My assumption is that it is used for the Chrome updates itself in the Chrome version: https://en.wikipedia.org/wiki/Background_Intelligent_Transfer_Service
@Kein
I wonder how the service can be used by Chromium to connect to google servers in the first place. I am not very familiar with Win 10 but from past experiences to get svchost.exe to do something the program needs to register something in the system, and it is mostly done during installation. However, there is domain substitution in UC which supposedly removed all links related to Google before building, so this is not supposed to happen.
@wchen342 https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal
Developer audience: BITS is a COM interface designed for C and C++ developers that can also be used by .NET developers. UWP developers should use the Windows.Networking.BackgroundTransfer API and not the BITS API.
Looks like just WinAPI.
Here is the list of Jobs in the queue as of now:
CommandType     Name                     Version     Source
-----------     ----                     -------     ------
Function        Add-BitsFile             1.0         BitsTransfer
Function        Complete-BitsTransfer    1.0         BitsTransfer
Function        Get-BitsTransfer         1.0         BitsTransfer
Function        Remove-BitsTransfer      1.0         BitsTransfer
Function        Resume-BitsTransfer      1.0         BitsTransfer
Function        Set-BitsTransfer         1.0         BitsTransfer
Function        Start-BitsTransfer       1.0         BitsTransfer
Function        Suspend-BitsTransfer     1.0         BitsTransfer
Application     svchost-bits.exe         6.1.7601.…  C:\Windows\system32\svchost-bits.exe

PS C:\Users\Kein> Get-BitsTransfer

JobId                                DisplayName                   TransferType JobState       OwnerAccount
-----                                -----------                   ------------ --------       ------------
9ef07db5-195a-44a0-a812-0bd96809a378 VsBitsDownloadJob - 566186262 Download     Error          MyPC\Kein
a8a226e8-5d3b-4e32-a966-2c7ec3b12798 VsBitsDownloadJob - 566186262 Download     Error          MyPC\Kein
ddd1b339-7e7f-48d2-9595-2bc5bf8a5221 Chrome Component Updater      Download     Transferred    MyPC\Kein
9097bb7c-25e3-4062-b4d9-af0c2269c022 Chrome Component Updater      Download     TransientError MyPC\Kein
d7997ec6-dbb6-437e-8d9a-82c32cb6931a Chrome Component Updater      Download     TransientError MyPC\Kein
9f5a76a7-e9c3-4757-8b3d-0f52f5915afe Chrome Component Updater      Download     TransientError MyPC\Kein
91fb1771-03bd-4f05-a579-0e6e1f58fc31 Chrome Component Updater      Download     TransientError MyPC\Kein
Please specify the version and source of your ungoogled-chromium installation and more details on what you did to trigger such behavior with a clean browser profile. I cannot reproduce this with 81.0.4044.138-1.1 from the Downloads section.
Your screenshots don't seem to show any indicators that chrome.exe is responsible for the outgoing connections to plus.l.google.com.
The Chrome Component updater however can be disabled with a flag: --disable-component-update. I'm not sure what the default behavior is and what exactly happens on Windows, but in any case domain substitution should prevent all connection attempts to Google, as mentioned by wchen342. All occurrences of google.com in the source code are replaced, unless they are obfuscated in some way.
Is it possible to view detailed properties of such a BITS job to see what has been transferred? You can visit the page chrome://components/ and try to update a component manually. In my case the update fails instantly with Status - Update error and the output of Get-BitsTransfer stays empty.
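On the question of what a BITS job actually transferred: each job object returned by Get-BitsTransfer carries a FileList whose entries expose the source URL (RemoteName) and destination (LocalName). The following is an added example, not part of the original thread; the function name Get-BitsJobRemoteHost and the sample objects (including their host names) are constructed for illustration.

```powershell
# Added example: list the remote host behind every file of each BITS job.
function Get-BitsJobRemoteHost {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Job,
        # Wildcard matched against DisplayName; '*' keeps every job.
        [string]$DisplayName = '*'
    )
    process {
        if ($Job.DisplayName -notlike $DisplayName) { return }
        foreach ($file in $Job.FileList) {
            # RemoteName is the source URL; a malformed one is kept with an empty host.
            $uri = $null
            $ok  = [Uri]::TryCreate([string]$file.RemoteName, [UriKind]::Absolute, [ref]$uri)
            [pscustomobject]@{
                JobId       = $Job.JobId
                DisplayName = $Job.DisplayName
                JobState    = $Job.JobState
                RemoteHost  = if ($ok) { $uri.Host } else { '' }
                RemoteName  = $file.RemoteName
                LocalName   = $file.LocalName
                Bytes       = '{0}/{1}' -f $file.BytesTransferred, $file.BytesTotal
            }
        }
    }
}

# Constructed sample objects shaped like Get-BitsTransfer output (placeholder hosts).
$sample = @(
    [pscustomobject]@{
        JobId = 'constructed-1'; DisplayName = 'Chrome Component Updater'; JobState = 'TransientError'
        FileList = @([pscustomobject]@{
            RemoteName = 'https://updates.example.invalid/component.crx'
            LocalName  = 'C:\Temp\component.crx'; BytesTransferred = 0; BytesTotal = 1024 })
    },
    [pscustomobject]@{
        JobId = 'constructed-2'; DisplayName = 'VsBitsDownloadJob - 566186262'; JobState = 'Error'
        FileList = @([pscustomobject]@{
            RemoteName = 'not a url'
            LocalName  = 'C:\Temp\vs.bin'; BytesTransferred = 0; BytesTotal = 0 })
    }
)
$sample | Get-BitsJobRemoteHost -DisplayName 'Chrome*' | Format-Table -AutoSize

# Live system (elevated prompt, since -AllUsers needs administrator rights):
# Get-BitsTransfer -AllUsers | Get-BitsJobRemoteHost -DisplayName 'Chrome*' |
#     Group-Object RemoteHost
```

Grouping by RemoteHost on a live system shows at a glance which domains the queued jobs point at, which is the evidence needed to tie a BITS connection back to a specific job owner and display name.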
Is Chrome Component updating allowed by default in Ungoogled? chrome://components/ shows Status - Update error for every one of them.
Is your feature request related to a problem? Please describe.
Ungoogled Chrome has no Chrome Web Store sync or update, nor self-update. Nor sync. There is no reason for it to connect to google services using Windows BITS (Background Intelligent Transfer Services).

Describe the solution you'd like
Chrome's ability to use it should be axed.

Describe alternatives you've considered
Blocking BITS altogether system-wide/via firewall.

Additional context
By default, the BITS service is run as a shared service through the svchost container as a part of the netsvc group:
Here is WFP packet log with BITS default setup through svchost container:
Here is WFP packet log with BITS service isolated in its own container to confirm it is indeed this service that Google sneakingly abuses:

Problem
In Windows 10, due to underlying changes in how services behave, it is no longer impossible to block distinct service via WFP (default firewall or anything that uses WFP) despite the fact such option is present. A proper solution as a part of Ungoogled Chromium would be preferable.