
Ask HN: What's the best ad-blocking, privacy-enhancing extension set up? - mlissner
There are a bunch of privacy enhancing and ad-blocking extensions out there, but it's impossible to figure out where their features are unique and where they overlap. Of course, too much overlap, and they start slowing down your browser.

My goal is to make my browser as private as possible with minimal damage to my usual browsing experience. For example:

 - LSO and Flash: Blocked.
 - As many third party cookies blocked as possible without breakage.
 - JavaScript works most of the time?
 - Ads are blocked
 - Various forms of fingerprinting are blocked/disabled
 - HTTPS is used as much as possible
 - etc.

I'm currently using Privacy Badger + uBlock Origin + HTTPS Everywhere. It feels like a lot already, but there's also Ghostery, RequestPolicy, and a million others.
======
foobuzz
> Various forms of fingerprinting are blocked/disabled

Be very careful with that. If you're one of the few who have the features
disabled on a compatible browser, you make your configuration more unique and
it becomes easy to identify you.

I'd also advise not to spoof the User-Agent since the browser can be
detected thanks to other parameters and if those ones contradict the User-
Agent that's a very specific fingerprint.

I'd also advise not to enable the DNT (Do Not Track) header since it does
nothing at all and is used by a minority, so it increases your entropy too.

The combination of your three extensions is very fine as far as I can tell.
This is what I would advise in addition to them:

\- Whitelist _first-party_ cookies. Make them be deleted when you close the
browser (in the privacy settings of Firefox) and whitelist the few sites you
need them to be remembered. To whitelist a site on Firefox, click on the thing
at the left of its url on the address bar (either a planet or a lock), click
on 'More informations...', go to the Permissions tab, scroll to 'Set cookie',
uncheck 'Use default' and click the 'Allow' radio button.

Many websites include arbitrary JavaScript that they grabbed in the
documentation of some statistic tool or something like that. Such scripts,
running directly in the site's pages, can then access first-party cookies.

\- Use something else than Google. If you can't deprive yourself of Google
results relevance, then use StartPage, it's a Google proxy. They make money by
displaying non-targeted self-hosted ads. Unfortunately, I fear that Google
might be able to identify you thanks to your queries themselves. Otherwise,
just use DuckDuckGo.

\- Use your history and bookmarks. Search engines are for discovering new
content. To find something you have already seen or to reach a website you
already visited, use your history. Ctrl+Shift+H. Or just type some word you
remember in the address bar and pick the correct suggestion.

\- Use search keywords
([https://support.mozilla.org/en-US/kb/how-search-from-address-bar](https://support.mozilla.org/en-US/kb/how-search-from-address-bar)).
They allow you to associate a keyword to about any search form anywhere
and then search this form directly in the address bar. This also will reduce
your search engine usage.

You should also know that when your browser performs a third-party request,
the recipient of the request can know the page you're coming from thanks to
the HTTP referer header. It can be disabled in about:config
([http://www.technipages.com/firefox-enable-disable-referrer](http://www.technipages.com/firefox-enable-disable-referrer)), but
I'm not sure it would be a good idea, first because of what I've said about
fingerprints in the beginning, second because it might break some websites.

------
thisjustinm
I use uBlock Origin [1] along with the EFF's Privacy Badger [2].

Hard to say how well it really works for privacy without really digging in to
exactly what private info I'm leaking across the web but I haven't seen an ad
in ages.

[1] [https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en)

[2] [https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)

~~~
jeo1234
uBlock Origin is also available on Firefox
([https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/)), as is Privacy Badger.

------
TheSisb2
You're pretty much covered. uBlock Origin + Privacy Badger is awesome.

You can add something like Tab Cookies or Self Destructing Cookies. You can
also add something like uMatrix to the mix.

If you really want to go far, add a "User-Agent Switcher" type extension.

I wouldn't add more than this though, it starts to be overkill. Also do note:
I used to use noscript and it works well, but going from 0 JS on a domain to
all JS on a domain isn't ideal. If you want ultimate security, add noscript as
well but maintain the others so that when you whitelist a url you can still
expect to be safe.

~~~
ljk
from the page it looks like privacy badger is similar to noscript, care to
explain how it's better than noscript?

noscript also has "forbid", "temporarily allow", and "allow" settings for
blocking domains

~~~
the_zeroth_law
They're both good at different things:

NoScript blocks Javascript/Flash/etc. based either on a list you import, or on
a case-by-case basis. I use it as a security measure, blocking potentially
harmful content by default and enabling it only if I need it for the site to
function.

Privacy Badger is not designed for security so much as it is for protection
against non-consensual tracking. It observes which third-parties store high-
entropy cookies on your device. If it sees a third-party domain doing so
across three different first-party websites, it automatically blocks requests
for _any_ content to that third-party from your browser.

So I'd say the big differences are Privacy Badger is set-and-forget, while
NoScript isn't; Privacy Badger protects against different tracking (including
pixel tags); NoScript protects against some first-party tracking (if you don't
allow JS on a first-party domain) and security dangers.

Full disclosure: I work for EFF which makes Privacy Badger.

~~~
ljk
thanks for answering!

------
discreditable
> My goal is to make my browser as private as possible with minimal damage to
> my usual browsing experience.

Not very long ago I wrote a guide documenting my specific configuration which
has precisely this goal in mind [1].

The short version: disable third-party cookies, enable tracking protection
(Firefox only), use uBlock Origin with some extra filters, use HTTPS
everywhere, Enforce Click-to-Play and Disable Unnecessary Plug-ins.

One tweak I don't cover in the guide that I think I like is disabling custom
fonts. In Firefox this is under Options > Content > Advanced > uncheck "Allow
pages to choose their own fonts, instead of my selections above". The privacy
benefit here is probably negligible, but I quite like that I don't have to
wait for giant remote fonts on everyone's blog to load.

[1] [https://brashear.me/blog/2015/08/11/hardening-firefox-to-protect-privacy/](https://brashear.me/blog/2015/08/11/hardening-firefox-to-protect-privacy/)

~~~
merpnderp
I use basically this setup with one additional plugin: Noscript. But this has
more to do with browser safety than privacy, in that I don't want some shady
third party site getting to run whatever JS they want on my machine.

~~~
discreditable
I made myself use NoScript for a few days. I was quite surprised at how
performant the web suddenly was, but quite discouraged at how often I had to
unbreak websites. Because of that I don't run it anymore, but understand why
people do.

~~~
merpnderp
Hah, yep, but after a while you get good at guessing which third party sites
will unbreak the current page. And sometimes you realize the content isn't
worth letting all the garbage run on your computer.

------
teamhappy
I use uBlock Origin to block ads and Ghostery to block social media foo (and
trackers, of course). Ghostery makes it easy to enable stuff you want to use
all the time (Gravatar, Typekit, etc.) and to temporarily enable stuff like
Twitter buttons, Soundcloud player, etc. On top of that I use HTTPS
Everywhere.

When I feel the need for real privacy I use the Tor Browser.

// Oh, and I also disable all the fancy features in Chrome and most plugins.

------
emanuelmaues
I use HTTPS Everywhere, uBlock Origin, Random Agent Spoofer with almost
everything checked, Self Destructing Cookies and uMatrix.

I do not recommend Ghostery at all, since it is closed source and it collects
your data through GhostRank, if enabled.

~~~
nextos
I think this is a good setup. Not leaking metadata is uber uber important [1].
I feel that by revealing my weird setup e.g., mutt as a mail client I'm really
easy to track.

Getting fingerprinted via font browser metrics is also a major worry of mine
[2]. Especially if running an exotic setup, it's easy to stand out.

[1] [http://www.nybooks.com/blogs/nyrblog/2014/may/10/we-kill-people-based-metadata/](http://www.nybooks.com/blogs/nyrblog/2014/may/10/we-kill-people-based-metadata/)

[2]
[http://www.guanotronic.com/~serge/papers/fc15-fonts.pdf](http://www.guanotronic.com/~serge/papers/fc15-fonts.pdf)

~~~
ronjouch
I think too this is a good setup.

Self-Destructing Cookies, especially, is rarely mentioned in such discussions,
but is a godsend to enable cookies for the convenience of staying logged only
in domains you trust (e.g. I have: archlinux.org, feedly.com, mozilla.org,
stackoverflow.com, ycombinator.com) but _not breaking_ sites that depend on
them (e.g. no gmail if you simply disable them).

Also, if you use Firefox, enabling `privacy.trackingprotection.enabled` in
about:config is a good no-addon-required first step [1].

[1]
[https://wiki.mozilla.org/Polaris#Tracking_protection](https://wiki.mozilla.org/Polaris#Tracking_protection)

~~~
nextos
Yes, but what's the overlap with uBlock Origin of privacy.trackingprotection?
It's very unclear to me. After some experiments and log inspections when it
was released I concluded uBlock was a superset. Maybe I'm wrong though.

~~~
ronjouch
Asked myself the same question, did the same experiment, and reached the same
conclusion :) .

Another unclear thing is the update rate/policy of
privacy.trackingprotection's blacklist.

~~~
nextos
Good to hear :)

What's your addon setup then?

~~~
ronjouch
Mostly the same as emanuelmaues above, just a bit lighter: uBlock Origin,
Self-Destructing Cookies. Differences:

\- No HTTPS Everywhere because I (think I) remember to check for HTTPS when it
matters, and access those sensitive sites via bookmarks, where I ensure HTTPS
is used.

\- No uMatrix because it's too much of a hassle, I'm okay with the 90%
provided by uBlock Origin.

\- A common custom user agent via (firefox / about:config)
`general.useragent.override` rather than Random Agent Spoofer, which pops UAs
sometimes so obscure that Google freaks out and serves me a no-js version. I'd
use it if it provided a choice like "Random among the last five <Firefox>
versions on <any os>", currently to do this I'd have to manually exclude tons
of browsers.

(Off-topic) out of the privacy stuff and back into regular addons land,

\- dotjs to spruce up custom js in a few sites. When GitHub Enterprise says
"maybe, someday" to your feature request, that means "do it yourself" ^^.

\- (Not an addon, but worth mentioning) userContent.css to manually
uncruft/simplify sites I frequently visit. I prefer this to Stylish, it's all
in a single .css file in my profile folder; simple to edit and sync across
work/home.

\- FlashDisable to pretend I do _not_ have flash (to ensure html5 vid is
served in priority, many non-top tier video hosts still serve Flash by
default) but be able to activate it quickly when needed (flash game, video
with no html5 alternative).

\- HighlightAll because I'm so used to this feature from all text editors that
I take it for granted even in a browser.

\- VimFx to keep my hands on the home row as much as possible.

And you, anything crispy to share?

~~~
nextos
Nice. I just use vimperator with a couple of commands to make switching around
proxies simple. Or custom search keywords with multiple arguments
autocompleted.

Apart from that ublock origin, https everywhere and privacy badger. Nothing
fancy.

~~~
ronjouch
Hey, I didn't know about multiple arguments in search keywords! Are you
talking about
[http://kb.mozillazine.org/Multiple_parameter_keyword_searche...](http://kb.mozillazine.org/Multiple_parameter_keyword_searches)
?

------
rmxt
In addition to all the plugins that everyone has listed, I'm also interested
in hearing about the default settings that should/need to be disabled in
Chrome or Firefox so as to prevent most/all of the "dial-home" features. For
example, unchecking the features in Chrome > Settings > Show advanced settings
> Privacy, like "Use a web service to detect spelling errors" or the offer to
translate pages further below.

While perhaps not as potentially malicious as 3rd party websites, I think that
a discussion regarding privacy in web browsers themselves is a useful one.

Some discussion here:
[http://thesimplecomputer.info/the-private-life-of-chromium-browsers](http://thesimplecomputer.info/the-private-life-of-chromium-browsers)

------
fencepost
If you're willing to go through the headaches of having to reload some pages
multiple times, a combination of NoScript and RequestPolicy Continued (not the
original RequestPolicy) may be your best bet.

For sites that you visit regularly you can simply whitelist them; for rarer
sites you may have to reload pages 2-4 times as you allow requests out to
CDNs, etc. and allow JS.

I run that way in Firefox as my daily driver, but have Chrome much less locked
down with uBlock Origin for things that I just can't get working right. Chrome
is also the only version of Flash installed.

I also tend to do most purchasing (or at least checkouts) in Chrome - annoying
to get stuff all set then have the order go screwy because you have to reload
the payments page several times to make it work.

------
diakritikal
Few folk using Ghostery... but I thought Ghostery was the plugin backed by the
advertising industry that just fed your data back to them anyway?

I use AdBlock (original) and Disconnect. Perhaps Disconnect does something
with my data too _shrug_

~~~
garrettgrimsley
Ghost Rank is opt-in, and it does help the advertising industry: [0]

>We rely on Ghostery users who opt-in to participate in a feature called
Ghostrank®, which sends us anonymous information about the data collection
technology they see, and where they see them. We take that information, add
our analysis, and sell it to companies to help them audit and manage their
relationships with these marketing tools. None of the information we share is
about our users, nor is it stored in a way that could be used to trace back to
our users.

Ghostrank® is off by default, meaning you can use Ghostery without sharing
anything with us if you prefer. (But please opt-in! It is how we keep Ghostery
free and continue to make it the best tool out there!)

Further, from their privacy policy: [1]

>The Ghostrank information we collect helps to increase our tracker
intelligence, and to improve our products and solutions for businesses. We do
not use any collected information to track individuals or to target ads to
them. Ghostrank data may be licensed commercially and incorporated into our
solutions for businesses. To learn more, contact Ghostery at
privacy@ghostery.com or visit www.ghosteryenterprise.com.

Disconnect is monetized through user payments: [2]

>We are a consumer software company and rely on payments from our users. We
believe basic privacy protection should be available to everybody,
irrespective of the ability to pay. In support of that goal, we have a two-
part pricing model. For our desktop browser extensions, users can “pay what
they want.” For our mobile software applications we offer a Basic free version
and a Premium paid version that has additional benefits. Payments help sustain
our work and also support nonprofits that share our corporate values.

[0] [https://www.ghostery.com/en/faq/how-does-ghostery-make-money-from-the-add-on/](https://www.ghostery.com/en/faq/how-does-ghostery-make-money-from-the-add-on/)

[1] [https://addons.mozilla.org/en-US/firefox/addon/ghostery/privacy/](https://addons.mozilla.org/en-US/firefox/addon/ghostery/privacy/)

[2] [https://disconnect.me/help#how-do-you-make-money-](https://disconnect.me/help#how-do-you-make-money-)

~~~
dynomight
Thanks for this. I just installed ghostery and I'm still reading up on it. I
don't have a problem with advertising and people making money and studying
usage. I do have a problem with attempts at tracking individual users and
trying to create individual user profiles. I like how you started your list at
zero.

------
ialex
Here is a performance review of some of them. uBlock Origin seems the best
performance-wise:
[https://www.raymond.cc/blog/10-ad-blocking-extensions-tested-for-best-performance/view-all/](https://www.raymond.cc/blog/10-ad-blocking-extensions-tested-for-best-performance/view-all/)

------
nextos
What's the overlap between uBlock Origin and other plugins like Ghostery or
Privacy Badger? Or even uMatrix?

~~~
the_zeroth_law
One major difference is that Privacy Badger doesn't use a blacklist like the
others and really isn't designed for the purpose of ad-blocking. It's designed
to prevent non-consensual tracking, so it observes which third-party domains
try to store high-entropy cookies, and if it sees a third-party domain doing
so across multiple first-party sites, blocks any further third-party requests
to that domain.

Full disclosure: I work at EFF, which makes Privacy Badger.
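
An added example, not part of the comment above and not Privacy Badger's own code: a toy model of the heuristic described here and in the earlier reply (a third party that sets high-entropy cookies on three different first-party sites gets blocked). The entropy estimate, the 32-bit cut-off, the exact-string domain comparison and all domain names are assumptions made for the illustration.

```python
import math
from collections import Counter, defaultdict

BLOCK_THRESHOLD = 3      # distinct first-party sites, as stated in the thread
MIN_ENTROPY_BITS = 32.0  # assumed cut-off for "high-entropy"; not Privacy Badger's value


def entropy_bits(value):
    """Rough Shannon-entropy estimate for a whole cookie value, in bits."""
    if not value:
        return 0.0
    total = len(value)
    per_char = -sum(n / total * math.log2(n / total)
                    for n in Counter(value).values())
    return per_char * total


class TrackerHeuristic:
    """Toy model: block a third party seen tracking on enough first parties."""

    def __init__(self):
        self.seen_on = defaultdict(set)  # third party -> first parties observed
        self.blocked = set()

    def observe(self, first_party, third_party, cookie_value):
        """Record a cookie set by third_party while visiting first_party."""
        if third_party == first_party:
            return  # first-party cookies are out of scope for this heuristic
        if entropy_bits(cookie_value) < MIN_ENTROPY_BITS:
            return  # e.g. "en" or "1": too little information to identify a user
        self.seen_on[third_party].add(first_party)
        if len(self.seen_on[third_party]) >= BLOCK_THRESHOLD:
            self.blocked.add(third_party)

    def should_block(self, third_party):
        """True once the domain has crossed the threshold."""
        return third_party in self.blocked


def demo():
    """Replay constructed observations and return the set of blocked domains."""
    h = TrackerHeuristic()
    visits = [  # (first party, third party, cookie value), all constructed
        ("news.example", "tracker.example", "9f8a7c6b5e4d3c2b1a0f"),
        ("shop.example", "tracker.example", "9f8a7c6b5e4d3c2b1a0f"),
        ("shop.example", "tracker.example", "9f8a7c6b5e4d3c2b1a0f"),  # repeat
        ("news.example", "cdn.example", "en"),
        ("shop.example", "cdn.example", "en"),
        ("blog.example", "cdn.example", "en"),
        ("blog.example", "tracker.example", "9f8a7c6b5e4d3c2b1a0f"),
    ]
    for visit in visits:
        h.observe(*visit)
    return h.blocked
```

In the constructed replay, the CDN that only sets a short language cookie is never blocked even though it appears on three sites, while the domain setting a long identifier is blocked on its third distinct first party.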

~~~
nextos
That's good. What plugin setup do you recommend on Firefox to protect
ourselves?

Furthermore, I'm concerned about useragent and font metadata attacks. Any
recommendations for these?

------
buckbova
Drop this in your hosts file and set up a refresh script to replace it
periodically.

[http://someonewhocares.org/hosts/hosts](http://someonewhocares.org/hosts/hosts)

~~~
yrro
I sincerely hope you don't do this. You're trusting that the people who run
that site won't turn malicious in the future; and since your link uses http,
you are also trusting that the same applies to their ISP, your ISP, or anyone
in between!

~~~
stephengillie
Yeah, someone might hijack localhost's address. They might even be so
nefarious as to submit RFCs to make that address range publicly routable.

~~~
jasonlotito
Not the person you are responding to, but it's obvious he's referring to the
suggestion that you automatically update the hosts file from the URL.

> set up a refresh script to replace it periodically.

Especially considering the https version of the page isn't valid.
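
An added example, not code from any commenter or from the maintainers of the linked list: one way to limit what an automatically refreshed hosts list can do is to accept only entries that point at a sink address and rebuild the file from the validated names. The `protected` parameter, the reserved-name set and the sample list are assumptions made for the illustration.

```python
import ipaddress

# Addresses a blocklist entry may legitimately point at (sinks only).
SINKS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1", "::")}
# Local names that a downloaded list must never redefine.
RESERVED = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})

# Constructed sample standing in for a downloaded list.
SAMPLE = """\
# constructed sample, not the real list
127.0.0.1 localhost
127.0.0.1 ads.example.net  # trailing comment
0.0.0.0 tracker.example.org
203.0.113.7 bank.example.com
127.0.0.1 updates.example.com
not-an-ip foo.example
"""


def filter_blocklist(text, protected=frozenset()):
    """Split hosts-format text into (accepted names, rejected lines).

    accepted: sorted hostnames mapped to a sink address.
    rejected: (line number, raw line, reason) for everything else.
    """
    accepted, rejected = set(), []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append((number, raw, "not an IP address"))
            continue
        if address not in SINKS:
            # A redirect to a routable address is the dangerous case.
            rejected.append((number, raw, "maps to a non-sink address"))
            continue
        if len(fields) < 2:
            rejected.append((number, raw, "no hostname"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in RESERVED or name in protected:
                rejected.append((number, raw, "reserved or protected name"))
            else:
                accepted.add(name)
    return sorted(accepted), rejected


def render(accepted):
    """Rebuild block entries from validated names only."""
    return "".join(f"0.0.0.0 {name}\n" for name in accepted)
```

A refresh script would append `render(accepted)` to a locally maintained header and alert on any non-empty `rejected` list instead of installing the download verbatim.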

------
chrisxcross
Flash is not installed, so there is no need to block. For Adblocking I use
Bluhell Firewall, to stop tracking Ghostery and Self-destructing cookies. On
top of that I run noScript to kill remaining junk. And because I like to
encrypt: HttpsEverywhere.

------
benologist
I use Ghostery, uBlock and ClickToPlugin on Safari, and stopped using any
other extensions since I came across a couple that were trojans for injecting
ads.

------
znpy
I had nice results blocking ads with squid+adzapper.

The nice thing is that it does not slow down firefox, as opposed to the
adblock plus extension.

------
mrmondo
uBlock origin and subscribe to relevant feeds. It's simple, lightweight and
covers both privacy / security and ads.

~~~
mlissner
You mean to RSS feeds instead of going to actual websites?

~~~
perlgeek
I think mrmondo refers to the "lists" that the ABP-family of extensions
support. They are lists of domains and regexes to block, and maintained
generally by third parties (not the addon developer).

Some of these lists are specific to geographic regions.

~~~
mrmondo
Yes indeed, sorry :)

------
proactivesvcs
Privoxy and, for Firefox, BetterPrivacy and Self-Destructing Cookies.

~~~
colsandurz
I second privoxy. I never see ads and the memory usage is low, 0.1% on my 8GB
laptop. I use it along with polipo (a caching proxy).

------
spuiszis
AVG Privacy Fix, HTTPS Everywhere, Ghostery.

