
Ask HN: What's the best setup for ad blocking and tracker blocking? - whitepoplar
I currently use uBlock Origin + Privacy Badger, but I've become frustrated with having to disable one or both of the above for too many sites--they just break functionality for a good chunk of the web. What's the best setup these days for ad-blocking + privacy/tracker-blocking that doesn't break the web? Thanks!
======
Fnoord
I recommend multiple layers. Why? Because some devices/apps will circumvent
one of these layers one way or another.

I use Pi-Hole plus WireGuard to route all my devices through my home broadband
connection (so even on a hotel/train WiFi, when on LTE, etc). I forward it to
Unbound which uses DNSSEC and DNSCrypt. I'm using an EdgeRouter Lite for that
purpose. It does add a little bit of latency, but I don't mind, as it also
increases my privacy on the insecure link. It also works on say a smart TV or
an official Android device (I use a rooted Android device with microG which
doesn't implement GAds). My partner sees barely any ads at home due to this
setup (I did not bother to setup WireGuard on her smartphone as of yet).

On each individual client device I also use a layer 7 firewall ("personal
firewall"). On macOS I use Little Snitch and LuLu. On Linux I use OpenSnitch.
I don't use Windows, but if I would I'd at least remove all the tracking stuff
(for example with O&O ShutUp). On Android, I don't use a layer 7 firewall
which is my bad.

For browser, on every OS I use a configured Firefox (which I did NOT document;
my bad!) with a bunch of addons. uBlock Origin (mainly to manually block "you
are blocking ads" notices). I use uMatrix, Cookie AutoDelete, Smart Referer,
Privacy Badger, Decentraleyes, HTTPS Everywhere, containers for
Amazon/Facebook/Google (would like to add Microsoft), CanvasBlocker, Tracking
Token Stripper, Forget Me Not, Terms of Service; Didn’t Read, and Buster:
Captcha Solver for Humans.

uMatrix _will_ break the web. However it is more user-friendly than NoScript
ever was. You are going to have to configure such. For websites you regularly
use, you can save the temporary changes, or just not use such bloated
websites. Also, I recommend the addon Dark Reader and the feature Reader Mode.

To test your setup on your browser, try ipleak.net. One of the things I
configured in Firefox, is to disable WebRTC. I don't use an addon for that.

~~~
ziddoap
Be wary of too many. Your combination of extensions is likely quite unique and
finger-printable.

~~~
Fnoord
AFAIK Firefox does not share the extensions it uses; Chrome does.

Using these tools [1] [2] [3] suggests I'm most profileable by the fact I use
macOS. Which I can hide in the useragent string, but is then still detected.

[1] [https://ipleak.net](https://ipleak.net)

[2] [https://panopticlick.eff.org](https://panopticlick.eff.org)

[3] [https://amiunique.org](https://amiunique.org)

~~~
ziddoap
It's been awhile since I looked into it. From the last study I know on the
topic [1]: It is much easier to fingerprint Chrome, however Firefox is
susceptible to extension fingerprinting techniques. To be fair, these
techniques may have been addressed since publishing - I haven't checked.

It may or may not be worth considering depending on your threat model. There
may also be novel techniques published since.

Edit: It looks like amiunique is detecting extensions with Plugin Detector [2]
which claims to work on Firefox, and at the very least can detect Adblock (per
amiunique).

[1] [https://www.cse.chalmers.se/~andrei/codaspy17.pdf](https://www.cse.chalmers.se/~andrei/codaspy17.pdf)

[2] [http://www.pinlady.net/PluginDetect/](http://www.pinlady.net/PluginDetect/)

~~~
Fnoord
The threat model is, IMO, pretty clearly defined. If the threat is 3 letter
agencies, we'd be trying to fingerprint Tor Browser, and we'd be using Tor
(with 2 use cases: one on *.onion only, other one on clearnet via exit nodes).
So what we are trying to defend from, is fingerprinting by commercial entities
such as FAANG.

I don't use any special plugins; only the default ones (which are a practical,
necessary evil). If I were to remove/disable the default plugins, that'd
increase my fingerprint.

I've been trying to let websites tell me which extensions I use in Firefox
(remember we are using Quantum since Firefox 57, released in November 2017
which changed the way extensions work). The paper is from CODASPY’17, March
22-24, 2017. I haven't been able to reproduce detection of extensions. Keep in
mind also, that I use some precautions. I block canvas via CanvasBlocker. I
block Javascript via uMatrix. I even block domains via DNS (Pi-Hole) and
uBlock Origin.

If I want to be tracked less easily I'd need to not browse fullscreen, I'd
need to not use a native Mac browser but run a Windows or Linux VM or a remote
SSH connection (which, quite frankly, is quite possible in a terminal these
days as per Browsh [1]), and I'd need to use only the default fonts (because I
am using specific fonts in ~/Library/Fonts). Some of these fonts there are
temporarily or backup fonts. I will remove these to a temporary directory, and
load them ad-hoc.

[1] [https://www.brow.sh](https://www.brow.sh)

~~~
ziddoap
The paper was only the one I remembered off the top of my head. There may be
more recent work, more relative to Quantum (although the paper does look at
WebExtensions), since then. I also personally like to assume that published
research papers are a step behind what is happening in the wild.

But, you obviously have a good grasp on what is in your threat model and what
isn't. My original comment was geared more towards the people who pile on
privacy extensions, sometimes at random, who are under the impression that
more extensions always equals more protection.

------
tyfon
I have "pi-holed" my openbsd router using both ip blocklists for the firewall
and dns blocklists for unbound that refresh automatically every night.

All my clients run firefox with ublock origin and https everywhere. I ran no
script for a while but it is quite painful to manually allow scripts on a lot
of pages so I think I have found a nice balance. I have also turned off wasm
support in firefox.

If a site doesn't work with the above or shoves large nasty inline popups with
"we value your privacy" etc and do not show a clear reject button I leave.

edit: I also pay subscription to most of the websites I use often that support
payment and if they don't I email them and tell that I don't want ads and that
I'd like to pay for it. Usually one can come to an arrangement.

~~~
0xdeadb00f
As someone not very knowledgeable with the issues associated with web
assembly, may I ask why have you disabled it?

~~~
tyfon
I don't trust it yet. That's all.

I want to see how it behaves in the wild before I run it myself.

------
stubish
If uBlock Origin + Privacy Badger give you too many problems, what you are
after is a worse setup. You want a less aggressive system that allows the
ad-tech that those sites are relying on to work, which will also allow that
ad-tech to display some ads and invade some privacy, but it's a perfectly
reasonable choice.

Personally, I use uBlock Origin + Privacy Badger (and NoScript for work, per
policy). In most cases, if a site doesn't work I've realized I really don't
want to be there (and the Internet is likely better off without adding my rant
to the comments section of that click bait article I really shouldn't be
wasting my time with). It is fairly rare to find a broken site and rarer still
to actually need to use it (airlines are the worst), so I don't sweat the time
to temporarily disable protection or work out the white list.

~~~
nickjj
I never heard of Privacy Badger until you mentioned it.

Their FAQ[0] says it's a replacement to Adblock Plus (which implies uBlock
Origin too).

What makes you use both of them together? Why not just Privacy Badger?

[0]: [https://www.eff.org/privacybadger/faq#How-is-Privacy-Badger-...](https://www.eff.org/privacybadger/faq#How-is-Privacy-Badger-different-from-Disconnect,-Adblock-Plus,-Ghostery,-and-other-blocking-extensions)

~~~
input_sh
Privacy Badger isn't an adblocker per se. It's designed to block trackers, not
ads. Those two often collide, but Privacy Badger won't do a thing to block
first-party ads (as an example).

That's somewhat different than uBlock Origin's no-ads-what-so-ever policy.

~~~
WilTimSon
Does PrivacyBadger interfere with uBlock or vice versa? I really like this on
paper but wouldn't want to fiddle too much with adding exceptions to each of
them just to make sure they don't cannibalize one another.

~~~
stubish
No, they play together just fine. Privacy Badger probably doesn't do much (or
anything) in addition to uBlock Origin, but it is nice to wave the EFF flag.

------
ignoramous
The _best_ setup acc to me for web is Firefox + uMatrix + CanvasBlocker +
WebRTC Blocker + DecentralEyes + HTTPS Everywhere + Smart Referrer + StartPage
/ DuckDuckGo + any DNS over HTTPS provider of your choice. Be prepared for the
recaptcha time sink. You could turn on Firefox's resistFingerprinting setting,
too. Use Brave or Bromite as an alternative browser for websites that break.

For phones, you could run DNSCloak with AdGuard DNS (iOS) or Blokada
(Android). There's AdGuard Pro, Lockdown Firewall, and Guardian VPN+Firewall
for iOS that are super neat.

NoRoot Firewall, NetGuard, and GlassWire Firewall for Android that I've found
to have acceptable privacy policies. LittleSnitch or LuLu Firewall for Mac,
GlassWire Firewall for Windows are some of the other options.

Pi-Hole your routers too for other devices connecting to Internet.

~~~
sjwright
> Be prepared for the recaptcha time sink.

You can marginally reduce the recaptcha "problem" by using the Privacy Pass
extension, though I can't speak to whether there's a net loss of privacy by
using it.

~~~
CaptainMarvel
I have had it installed for the past half year, and in that time only one pass
has been used.

~~~
hendersoon
In my personal experience, the vast majority of captchas are Google, while
Privacy Pass is only supported by Cloudflare. If Google supported it, it would
be amazing.

Unfortunately Google uses their captchas to train image recognition algorithms
so they have an incentive not to do so.

------
dantondwa
Apart from the usual recommendations, to Firefox users I recommend enabling
first-party isolation by setting "privacy.firstparty.isolate" to true. In this
way, the data of every website will be isolated from each other. It is like
the Facebook/Google container extension, but for every single website there
is. It has yet to break something after one year of use and it has certainly
made my browsing feel much less invasive.

~~~
Freak_NL
> […] it has certainly made my browsing feel much less invasive.

How does this manifest itself to you? With uBlock Origin installed (part of
the usual recommendations) you don't see any ads at all. I couldn't tell if
some website shared data with another website, because the effects that I
could observe (e.g., ads that follow me around) are already gone.

~~~
tgtweak
The fact you're logged into Google everywhere after checking your Gmail...

~~~
tecleandor
Aaaaah yeah, I've seen several pages trying to either auto-login or auto
create a new account with my Google account :(

------
keiraarts
I've been using [https://www.nextdns.io](https://www.nextdns.io) for the last
month.

It's PiHole as a Service.

~~~
orangea
Wow, what a creative use of IPv6 to allow a custom configuration without the
use of DNS-over-HTTPS.

~~~
ignoramous
DNS over HTTPS, DNS over TLS, and DNSCrypt are all abt preventing DNS
manipulation attacks and encrypting the DNS traffic to the resolver (if not
till the nameserver). Plain old DNS over UDP/53, IPv6 or not, can't be a
substitute for that, afaik.

------
rococode
I'm curious, what websites are breaking for you? I use the same (+ Facebook
Container) and I rarely notice breakage. PrivacyBadger is the only one that's
broken something for me before (image links from a CDN), I can't recall uBlock
Origin ever breaking a site for me unless the site has an anti-adblocker.

If you're talking about the "please disable your adblocker to continue"
messages, you can consider something like Anti Adblock Killer [1] which can
help bypass those kinds of blocks.

As far as the best setup I think what you have is fairly close to "the best"
already without getting more hands-on. You can check out Pi-hole which I've
heard is superior, but harder to setup [2].

[1] [https://github.com/reek/anti-adblock-killer](https://github.com/reek/anti-adblock-killer)

[2] [https://pi-hole.net/](https://pi-hole.net/)

~~~
PNWChris
Off the top of my head, disabling uBlock has been the only way to unblock
on-and-off trouble with some ATT-owned websites (ATT's own website,
ATTWatchTV.com, etc) and owner.ford.com (original, the beta works fine).

My experience has been generally good, but weird stuff (especially
authenticating/login) just won't work sometimes with uBlock and Privacy Badger
running.

I also use the HTTPS everywhere Chrome extension, so perhaps that is an added
factor that breaks things.

------
gorhill
> I've become frustrated with having to disable one or both of the above for
> too many sites--they just break functionality for a good chunk of the web

For uBlock Origin[1], the best solution is to report the breakage to filter
list maintainers.

Keep in mind that all the lists are community-contributed, with filtering
issue addressed as users report them. So you benefit from these when using a
content blocker making use of these community-maintained lists.

So when you report a broken site and that as a result the lists are updated,
then you contributed back to have the issue addressed for others as well when
they visit the site.

The basic default lists/settings should have minimal breakage issues.

* * *

[1] Side note: uBO is a _content blocker_, not an "ad blocker" -- I never
ever referred to uBO as an "ad blocker". I consider this an important
distinction.

------
forgotmypw3
Edit: I forgot to mention the most important piece: When a site says that it
won't work without JS, I accept this and close the tab. Unless it's Google
Maps.

My browser has built-in URL-based filters.

I browse with JS disabled except for a handful of sites, which I enable for
the session whenever I need it.

My browser makes it easy, with a three-key shortcut to toggle it.

This is about the extent of it.

I used to use uBO, which I still think is great, and enough for more Chrome
and Firefox users. Many blessings to its maintainer.

~~~
kerkeslager
> When a site says that it won't work without JS, I accept this and close the
> tab. Unless it's Google Maps.

This is the real problem at the end of the day. Some of the worst offenders as
far as privacy and security are useful so they're hard to detach from.

Every six months or so I try OpenStreetMap and see if I have the patience to
deal with its more limited functionality. So far the answer has been "no" but
I'm due for another try...

~~~
forgotmypw3
I don't mind letting Google in. I've accepted living in the open.

It's more about wasting my cycles, safety of my environment, etc.

It's certainly nice to not ping 127 trackers per page, a nice bonus.

Google Maps doesn't do that anyway. Except to Facebook, IIRC... Or is that
vice versa? Facebook knows where I am too, but at least they're in a no-JS
jail, thanks to the half-maintained but sturdy m.facebook.com.

Anyway, feel free to hang out on this lawn as long as you like, it's not like
it's mine.

------
codezero
General advice: make sure you have a solution on all platforms. TV, IoT, phone
on wifi, phone on mobile network, etc...

At home you need to first subvert your ISP.

Make sure you have a router doing blocking, like a PiHole. For mobile devices
always use a VPN and DNS protection like dns-crypt. Use Cloudflare’s mobile
DNS over HTTPS solution even though that’s a single point of failure, decide
for yourself how risky you think that is.

Besides browser specific plugins you should implement a host block. The host
block lists are not too exhaustive so if you use dns-crypt configure it to log
every dns request and add any new hosts to your block list that look
surprising.

It’s a lot of work, but if that’s what you’re looking for you may find some
fun ways to automate this workflow :)
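
An added example, not part of codezero's comment: one way to automate the "log every DNS request and review new hosts" loop described above. The log layout (`date time client qname qtype`), the sample lines and the names `BLOCKED` and `REVIEWED` are constructed assumptions; adapt `parse_log()` to whatever your resolver actually writes.

```python
"""Triage a DNS query log against an exact-match (hosts-style) blocklist."""
from collections import Counter

# Constructed sample log. Assumed layout: date time client qname qtype.
SAMPLE_LOG = """\
2019-09-01 08:00:01 192.168.1.20 news.example.org A
2019-09-01 08:00:01 192.168.1.20 pixel.tracker.example A
2019-09-01 08:00:02 192.168.1.20 cdn.tracker.example A
2019-09-01 08:00:02 192.168.1.31 telemetry.tv-vendor.example AAAA
2019-09-01 08:05:10 192.168.1.31 telemetry.tv-vendor.example A
2019-09-01 08:05:11 192.168.1.20 News.Example.org. A
malformed line
"""

# Constructed sets: names already in the block list, and names already
# looked at and deliberately allowed.
BLOCKED = {"tracker.example", "pixel.tracker.example"}
REVIEWED = {"news.example.org"}


def normalize(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.strip().rstrip(".").lower()


def parse_log(text):
    """Yield (client, qname) for each well-formed line, skipping the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _date, _time, client, qname, _qtype = fields
        yield client, normalize(qname)


def blocked_parent(name, blocked):
    """Return the nearest blocked ancestor of name, or None.

    A hosts file matches names exactly, so a blocked parent does not cover
    its subdomains; those are the first candidates worth reviewing.
    """
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in blocked:
            return parent
    return None


def triage(log_text, blocked, reviewed):
    """List queried names that are neither blocked nor reviewed."""
    counts = Counter()
    clients = {}
    for client, qname in parse_log(log_text):
        if qname in blocked or qname in reviewed:
            continue
        counts[qname] += 1
        clients.setdefault(qname, set()).add(client)
    report = [
        {
            "host": host,
            "queries": n,
            "clients": sorted(clients[host]),
            "blocked_parent": blocked_parent(host, blocked),
        }
        for host, n in counts.items()
    ]
    # Subdomains of already-blocked domains first, then by query volume.
    report.sort(key=lambda r: (r["blocked_parent"] is None, -r["queries"], r["host"]))
    return report


def to_hosts_lines(hosts):
    """Render approved names as hosts-file sinkhole entries."""
    return [f"0.0.0.0 {h}" for h in sorted(hosts)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, BLOCKED, REVIEWED):
        print(row)
```

Nothing is added to the block list automatically: the report is the input to the manual "looks surprising" decision, and `to_hosts_lines()` formats whatever you approve.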

------
tambeb
For mobile I use [https://blockerdns.com/](https://blockerdns.com/) (full
disclaimer: that's my creation). It's ad blocking through DNS-over-TLS on
Android 9 and above.

For home I just run my own bind DNS servers internally. And then for friends
and family I have them set their routers to a couple bind DNS servers (same
config as my internal ones) in the cloud.

For all of the above I use the same block list. It currently has about 25k
entries, and is built with some data from a few of the well known public
lists. But I augment that with domains I find by regularly auditing specific
websites that are particularly aggressive with ads and specifically trackers.

But with that said, since I've got friends, family and paying users working
from that list, I do actively try to prevent the breaking of popular sites and
services. For example, personally I'd outright block anything related to
Facebook since I quit them years ago, but too many people still use it, so for
my list I try to keep a good balance by blocking their pixel and stuff like
that, while allowing the resources absolutely necessary for the site.

~~~
scoot
> full disclaimer: that's my creation

Small observation: when you disclose something, it's a disclosure.

~~~
tambeb
Ah damn, I botched that one. No more commenting while walking the dog.

~~~
scoot
Don't beat yourself up. It seems lime disclosure and disclaimer are almost
consistently used in reverse on HN. It's the strangest thing!

~~~
scoot
*like

------
murat124
The best setup is cli browser links or lynx.

Next best is Firefox with uBlock Origin, uMatrix, Privacy Badger, Cookie
Autodelete, Decentraleyes, and a bunch of about:config alterations. Some sites
will break. If a site breaks I either forget about it or open it in incognito.

~~~
Rediscover
> The best setup is cli browser links or lynx

Agreed. lynx(1) is my primary browser, after configuring its "externals" and
some patching of it (then re-compiling) to rewrite URLs (mostly the Google
crap).

My secondary is emacs-w3m with heavy URL re-writes.

------
ElFitz
On macOS I mostly use LittleSnitch, with a few lists, then manually add
trackers and calls to weird domains made by apps that shouldn't make them.
Upside is, it's system-wide.

Wrote a post about that [https://weekly.elfitz.com/2019/02/12/block-ads-and-trackers-...](https://weekly.elfitz.com/2019/02/12/block-ads-and-trackers-on-your-mac-with-little-snitch/)

But the best setup (still haven't done it) would probably be pi-hole, remotely
accessible over some vpn (because you don't want to manage what would
otherwise amount to a publicly accessible DNS server). It would cover all your
apps and devices.

------
z_open
My setup is Firefox with the usual about:config modifications (search for it)

uMatrix

AdNauseam

Smart Referer

Decentraleyes

https everywhere

Cookie autodelete

VPN with ipv6 turned off since they don't reroute that

With uMatrix I also block all first party cookies and scripts by default and
white list as needed.

This only breaks websites the first time you visit them. Only thing that
becomes an issue is uMatrix but as you Whitelist the sites you need it just
ends up not being a big deal.

~~~
tssenek
Very similar to what I have. May I recommend using containers? It works
wonders and gives me peace of mind.

------
sathomasga
I'm mildly surprised that no one has mentioned
[Better](https://better.fyi). Works very well for me.

The pitch:

Better uses our own list of blocking rules, curated and maintained by Ind.ie.
We use the principles of Ethical Design to decide what should be blocked. This
is our only blocking criteria, advertisers cannot pay us to compromise our
integrity and unblock them.

Better does not block respectful ads. Respectful ads respect human rights,
human effort, and human experience. For an example of respectful ads, see The
Deck network, winner of our first Cloud of Fame award.

~~~
latexr
> I'm mildly surprised that no one has mentioned
> [Better](https://better.fyi).

It only works on Apple’s platforms, and the OP didn’t specify what they’re
using. Furthermore, it’s just a Safari Content Blocker with (last I checked) a
single list, meaning it has a hard limit of 50k rules, “curated” by (by their
own admission) “a tiny two-person-and-one-husky” team.

I’m glad it works for you (and many others), but for a tech-savvy crowd that
cares about long-term effectiveness, that’s an inferior solution.

------
jkfd73bls9
[https://technitium.com/dns/](https://technitium.com/dns/)

You block domains at the dns, you can download a variety of block lists and
you can also create your own. You can log the dns lookups to find out what
domains are being used which can be used to further create a block list. The
advertising code and tracking code never gets downloaded. Runs on the Windows
PC so you don't have to worry about making changes to anything else upstream,
great for laptops and road warriors who use a variety of internet connections.

------
jacobheric
I use firefox with ublock origin and privacy badger and I can't recall the
last time I ran into a site that was broken because of it. But, I visit a
fairly narrow section of the internet regularly so there might not be much
overlap between what I browse and you browse.

I also use the multi-account container add on and the temporary container add
on. This allows me to pin a few big sites to their own containers (google,
amazon, etc) and open all other new tabs in temporary containers. This setup
works great and appears to help keep firefox fast over time. I use duck duck
go to search but firefox makes it trivial for me to re-run a search with
google if I need to.

I also run an ad blocking vpn on google cloud using Algo. I use google cloud
because the vpn can run on the permanently free tier and I only pay for
network traffic (which is near zero), and I also enjoy the irony of it. I have
wireguard clients setup on all of my devices to use the vpn either permanently
(phone) or on demand (laptops). Having this vpn is nice as it makes it easy to
block ads in apps on my kids mobile devices.

This vpn setup works ok but not quite as well as when I ran the same thing
using Streisand and open vpn clients. I only say this because I have a
homebrew whole-house audio setup with a bunch of google audio chromecasts and
no matter how I tweak the wireguard client settings I cannot get that casting
to work properly. With open vpn clients, those settings are a cinch.

~~~
mosselman
I did some tests and found that privacy badger adds a significant amount of
load time. I couldn’t justify it for the minimal effect it has. If you use
ublock with firefox’s protections and block third party cookies you are pretty
good from a browser point of view.

~~~
jacobheric
Interesting. I never really had a firm grasp on the overlap in functionality
of ublock origin and privacy badger. I threw privacy badger in the mix at some
point as I like the EFF and wanted to give it a whirl. I haven't noticed any
sites loading slowly, but I'll do a comparison on some of the sites I use and
see if it's slowing things down.

~~~
mosselman
In my case it really made a difference. Close to 1 second in some cases even,
which on a total of 3-4 seconds of course is a big deal.

A way to beef up your privacy protections might be to look at DNS filtering. I
use dnscrypt-proxy with a blocklist. You can also put trackers in your hosts
file in order to route them to 0.0.0.0.
[https://filterlists.com/](https://filterlists.com/) is a nice resource to
start out at.

------
euske
Although this isn't exactly blocking, I tend to use Reader View a lot these
days. I installed an extension that allows to force using it for any page, and
I wish that FF made it default.

~~~
ignoramous
What's that extension, if you don't mind sharing?

------
plg
A Raspberry Pi running Pi-hole[1] works really well in my household. We have
20+ devices and 2 adults, 2 kids, connecting to a combination of wifi and
ethernet and all get DNS automatically assigned to the Pi-hole. I routinely
see ~ 20-30% of all outgoing DNS requests blocked by the Pi-hole.

Note you don't need a Raspberry Pi to run Pi-hole, you can run it using a
Docker image too.

[1] [https://pi-hole.net](https://pi-hole.net)

~~~
bberrry
Does this setup block youtube ads on iPads for example?

~~~
girishso
Not in the app, but it blocks youtube ads in browser. Blocking ads in YT app
is next to impossible with pihole.

------
diafygi
I'd recommend starting with Firefox, and configuring Firefox's cookie settings
to always block third party cookies.

Next, if you have a good password manager that can auto-fill logins, set
Firefox to delete all cookies (and everything else) when you close the
browser. That way, every time you open your browser you're starting from a
clean slate. I promise you'll quickly get used to logging in every time, and
it won't be that hard.

Next, enable Firefox's Multi-Account Containers add-on. This basically allows
you to isolate sites you commonly use into their own cookie realms. Create
containers for the sites you want to isolate (Google, Facebook, LinkedIn,
etc.) and set those domains to always open in that domain's container. That
way, when you click on a link to Facebook it will auto open a new tab in that
Facebook container.

Next, install uBlock Origin. I don't think there's a need to install Privacy
Badger since you're already blocking third party cookies, but others please
correct me.

Next, for websites that don't work with uBlock Origin, create a dedicated
container for that domain and set to always open in that container. Then,
whitelist in uBlock Origin whatever tracker on that site you need to run
things properly. That way, the tracker is isolated to just that domain's
container.

Overall, Firefox's Multi-Account Containers are extremely powerful for
isolating site cookies and trackers. I wish they would allow you to set
different cookie settings per container, so you could by default clear cookies
when you close Firefox and add exceptions for specific containers, but even
given that deficiency, is still the most powerful browser feature that's come
out since tabs.

------
craze3
I'm also curious about this. A couple years back, I switched from 'AdBlock
Plus' to 'uBlock Origin' and the difference was night and day (it blocked SO
many more ads).

I've been out of the game for awhile, so I'm wondering what beats uBlock
nowadays... Any recommendations?

~~~
wtallis
What you noticed was not really a meaningful difference between the two
extensions, but just a difference in the default ruleset subscriptions—which
you can manage independently.

~~~
gorhill
> not really a meaningful difference between the two extensions

That is incorrect.

uBlock Origin has filter syntax not found in ABP[1], so there will be a
meaningful difference when it comes to what is blocked or not, and also there
is a difference due to policy[2].

* * *

[1] [https://github.com/gorhill/uBlock/wiki/Static-filter-syntax](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax)

[2] [https://www.vice.com/en_us/article/j5zk8y/why-your-ad-blocke...](https://www.vice.com/en_us/article/j5zk8y/why-your-ad-blocker-doesnt-block-those-please-turn-off-your-ad-blocker-popups)

------
ankit219
Might not be the best setup, but this gives me minimal issues.

1/ Chrome browser with extensions - Disconnect
([https://disconnect.me/](https://disconnect.me/)), Ad blocker, and
Anti-Adblock killer script with Tamper monkey.

2/ Cookies disabled by default.

3/ Any site which refuses to function without them, open in incognito or
guest window.

This gives me minimal problems. Most of the tracking is out via Disconnect,
many ads are blocked automatically, and the remaining ones I block manually. I
will definitely be tracked by a few websites and third-parties, but this gives
me a better balance than just focusing on complete block.

To add to it, google provides you an option for not recording searches and
location. Also, keep deleting cookies regularly for the ones you have enabled.

------
tofu_ink
I use that setup + a hosts block file, and I recently started using a pi-hole.
I also use stylus to block a few custom elements and change themes for a few
sites. I mostly visit news sites and some random sites.

The only issues I have had have been on pinterest. What sites do you have
issues on?

~~~
zaphodbeblebrox
In regards to using stylus to block a few custom elements, you can also use
uBO's cosmetic filters[1] instead. Converting stylus' styles to uBO filters is
easy enough if all you are using them for is hiding a few elements. I guess
this has very limited use to you though if you also use stylus' themes, as it
won't let you remove an extension.

[1] [https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#...](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#cosmetic-filters)

~~~
tofu_ink
Well thank you, good to know, I'll have to start experimenting to see how well
it meets my needs. I mostly use stylus to dark theme sites, remove side
bars footers and headers, then expand the main article column to be 80 - 100%
of the page. I really enjoy just reading an article with no distractions.
(reddit is a pain)

~~~
zaphodbeblebrox
If you want, I can help you with that some. I know more than I probably should
about how uBO filters work.

------
XzetaU8
IMO uBlock Origin in Medium blocking mode is the best "less is more" setup.

[1]: "uBlock Origin in Medium mode for Lighter and Stronger Protection, with
Less websites breakage and hassle"

[https://malwaretips.com/threads/ublock0rigin-in-medium-mode-...](https://malwaretips.com/threads/ublock0rigin-in-medium-mode-for-lighter-and-stronger-protection-with-less-websites-breakage-and-hassle.93311/)

[2]: Blocking mode: medium mode

[https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...](https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode)

------
ropiwqefjnpoa
Currently using Brave Browser, AdBlock Plus and Privacy Badger. For my daily
usage, I only have a few sites I need to whitelist.

~~~
gnicholas
What does ABP and PB add to Brave? I have used Brave for several months and
found it to be excellent from a speed perspective. I sort of always assumed
that if it's able to go that much faster than Chrome, it must be blocking most
of the nasty trackers. But perhaps I still need to add in some reinforcements?

~~~
fastball
I think ABP on top of Brave is overkill. I always used uBlock Origin on Chrome
and that worked better for me than ABP. Now that I've switched to Brave, I
don't have anything additional installed, and I feel like it's blocking almost
all of the ads and definitely all of the tracking (in fact, Brave's
anti-tracking is sometimes a bit too aggressive and blocks normal function of
sites, so I have to disable it on occasion).

~~~
ropiwqefjnpoa
I'll give it a shot, I switched from Chrome so I was paranoid

------
t0astbread
I use a slightly customized version of the Energized Protection[1] block list,
which acts as a DNS sinkhole but is really just a text file that you paste
into /etc/hosts. Before that I was using Pi-Hole but I found it too cumbersome
to maintain properly. (Additionally /etc/hosts entries are way easier to scan,
modify and verify for non-maliciousness IMO.)

In my browser I use uMatrix since it gives me fine-grained control over what
websites can do. I have very strict default policies that break most sites but
you can set them to whatever you want.

Additionally I've written my own regex-based request blocker[2] for YouTube
midroll- and page ads since I don't trust other, more opaque ad blocking
solutions that handle those (like AdBlock Plus). It does break all other
Google services I'm aware of however. (Which I could patch but I don't really
mind.)

[1]: [https://github.com/EnergizedProtection/block](https://github.com/EnergizedProtection/block)
[2]: [https://addons.mozilla.org/en-US/firefox/addon/ytblocker](https://addons.mozilla.org/en-US/firefox/addon/ytblocker)

~~~
m31415
Don't you notice a slowdown in your connection on using a 20MB hosts file?

~~~
t0astbread
Not at all.

I also just checked via dig if there is any slowdown and dig didn't report
any. (I first queried google.com with the large hosts file, then replaced the
hosts file with a default one, cleaned my DNS caches and requeried and it
didn't show any speedup.)

~~~
t0astbread
Furthermore, I don't know how Pi-Hole works internally so I don't know if it's
somehow specially optimized compared to /etc/hosts or implements any caching
strategies but wouldn't introducing another server in your DNS chain slow
things down more than /etc/hosts which is always present anyways?

------
alecco
Besides disabling JavaScript you can put hosts file blocklists. This is much
faster.

Simple corporation block list (e.g. Facebook, Google)
[https://github.com/jmdugan/blocklists/tree/master/corporatio...](https://github.com/jmdugan/blocklists/tree/master/corporations)

"Someone Who Cares" list
[http://someonewhocares.org/hosts/](http://someonewhocares.org/hosts/)

Ultimate Hosts Blacklist: 1 million blocked domains (once in a while you might
need to unblock something) and also a bonus known hacking IP blocklist
(prevents common hacking sources).
[https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist](https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist)

If you have an iOS device, install an ad blocker app like AdBlock Fast; this plugs
into practically all web sessions on the phone.
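
t0astbread's and alecco's comments above both rely on pasting third-party hosts-format lists into /etc/hosts. The following is an added example, not code from any commenter or from the linked projects: a small audit that flags lines which would redirect a name to a real address rather than sinkhole it. The function name, the sinkhole set and the sample lines are assumptions constructed here.

```python
import ipaddress
import re

# Addresses a blocklist entry may legitimately point at (assumed sinkhole set).
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::", "::1")}

# One hostname: dot-separated labels of letters, digits, '-' and '_'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)*"
    r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?$",
    re.IGNORECASE,
)

# Constructed sample input, not taken from any real list.
SAMPLE = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com tracker.example.net
0.0.0.0 metrics.example.org  # trailing comment
203.0.113.7 login.example.com
0.0.0.0
not-an-ip cdn.example.com
:: ipv6-ads.example.com
0.0.0.0 bad_host!.example.com
"""


def audit_hosts(text):
    """Return (sinkholed_names, findings) for hosts-format text.

    findings holds (line_number, reason, raw_line) for every line that is
    not a plain 'sinkhole-address hostname [hostname ...]' entry.
    """
    sinkholed, findings = set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((lineno, "no hostname", raw))
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, "bad address", raw))
            continue
        if addr not in SINKHOLES:
            # A routable address redirects the name instead of blocking it.
            findings.append((lineno, "redirect", raw))
            continue
        for name in fields[1:]:
            if HOSTNAME_RE.match(name):
                sinkholed.add(name.lower())
            else:
                findings.append((lineno, "bad hostname", raw))
    return sinkholed, findings


if __name__ == "__main__":
    names, problems = audit_hosts(SAMPLE)
    print(f"{len(names)} names sinkholed")
    for lineno, reason, raw in problems:
        print(f"line {lineno}: {reason}: {raw!r}")
```

Run it over a downloaded list before merging; any `redirect` finding deserves a manual look, since that line maps a name to a routable address.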

------
calmchaos
Cookiebro is a great cookie manager since it supports both blacklist and
whitelist and can even block single cookies. It also has a built-in Cookie
Editor and Cookie Log for monitoring which sites are trying to set cookies.

[https://nodetics.com/cookiebro/](https://nodetics.com/cookiebro/)

------
hprotagonist
at home, [https://pi-hole.net/](https://pi-hole.net/); on the go, I use some
combination of ublock, noscript, and their equivalents

------
cassianoleal
pi-hole over ZeroTier so I can get it wherever I am and latest Firefox with
the most secure custom privacy setup. Nothing seems to break but I don't use
things like Facebook and Twitter so wouldn't know about them (seems pointless
to try to stay private if you're on them anyway.)

------
idrock
PiHole + Little Snitch + JSBlocker on macOS Mojave

JSBlocker is cranked up to the max - no inline JS, or frames or videos,
etc. Then as I go about info surfing I progressively enable services that are
vetted like some content delivery services, common JS frameworks, etc.

Makes the web actually tolerable.

------
jamesponddotco
I posted this somewhere else before, so I will just repost as the answer did
not change that much.

I use Safari with JS and cross-tracking disabled on macOS and iOS, Firefox
with a custom user.js on elementaryOS. I enable JS only when necessary —
looking at you, Help Scout.

For actual blocking, I run a Pi-hole on a VPS that connects to multiple
DNSCrypt servers that I control, which block everything I want while improving
privacy. Planning on replacing Pi-hole with AdGuard Home for DNS over HTTPS
and DNS over TLS, since I want to have this server public at some point, for
others to use.

If anyone is interested in testing, shoot me an email at root@jamespond.co. No
logging, DNSSEC, disk encryption, Canonical Livepatch, 24/7 monitoring and
completely open source.

:)

------
garbre
I'm using that exact setup and I can't remember when it broke anything. Now
uMatrix breaks everything, but that may be for the best. If the modern web is
working, you're the product.

------
Shanesor
Check out the NoScript Firefox add-on. If you go to a website that pops up a
big screen saying disable ad block, you can right click the screen blocking and
remove it and bam, website works perfect

------
Farfromthehood
AdGuard for Android works fairly well. I may spring for the premium version.

Elsewhere I use LittleSnitch on my Mac, followed by Firefox (w/ associated
plugins like everyone else).

------
6gvONxR4sf7o
Cookie Autodelete is a good one. Simple to configure what cookies you want.
Doesn't get in the way while still deleting the cookies you don't opt to keep.

------
SylvieLorxu
I use a Pi-Hole and on top of that uBlock Origin. Seems a pretty nice
combination. For privacy though, you need to know what level of privacy you're
aiming for. At a certain point, adblockers and tracking protectors won't help
and you're better off with something like Tor. For like, general daily use
though, I very much recommend a Pi-Hole + uBlock Origin. Oh, and Firefox, not
Chrome, for obvious privacy reasons.

------
KiDD
I use a custom built pfSense router running pfBlocker. The web is broken;
websites that won't function without ad tracking don't deserve to be visited.

------
sdan
[https://someonewhocares.org/hosts/](https://someonewhocares.org/hosts/) and
AlgoVPN

------
DanieI
I use Brave browser plus adguard dns. They support dnscrypt and I've got it
enabled on my OpenWrt router. Adguard does break the internet a little bit
because they block those tracking links that quickly redirect you to the
website that you wanted to go to. I think that the Pi-hole is a better option
if you need or want to do any personalized customization to your block list.

------
jmartinpetersen
I'm not that paranoid and I don't really care about blocking ads, just the
most egregious tracking. So I use Disconnect and rarely see ads or "please
disable your ad blocker", and when I do see ads, I just shrug it off.

I don't know how efficient it is for tracking, but at least I have the moral
high ground of going after blocking tracking, not ads in general ...

------
jszymborski
so, this isn't for everyone, but I like the uBlock Origin + uMatrix combo.

This will break a lot at first, but uMatrix allows you to build a whitelist
easily, and slowly over time websites won't be broken half as much, and it'll
be exceptionally rare for you to have to disable the whole extension whenever
you want things to get working again.

~~~
rozab
The basic functionality of uMatrix is actually built into uBlock Origin.
That's the setup I use. I have all 3rd party scripts and frames blocked by
default and allow them on a per-site basis as required. After a while you get
a sense for which domains need to be let through for a site to work

~~~
toupeira
More info here: [https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...](https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide)

------
subbz
I'm using Firefox with uBlock Origin (+ social network blocking lists),
Decentraleyes and Firefox Multi Account Containers.

I put every "big data" collector (Google, FB, etc.) in a single container
using FMAC.

(And to be honest: I tried uMatrix but it was too work intensive.)

------
kyriakos
Pihole unfortunately doesn't block YouTube ads anymore. Anyone found a
solution for that?

------
jvagner
UBlock Origin on Mac and 1Blocker X on iOS. Pretty happy, only have to
whitelist occasionally. But it’s usually a surprise and I struggle until I
realize one of my blockers is interfering with a site I want access to.

------
true_tuna
Pihole on a raspberry pi ZeroW and ublock origin for desktop and Adblock plus
for mobile.

I love ublock’s ability to easily block individual elements of a page such as
distracting video or moving crap.

------
3xblah
What are the sites that are not "working" with your setup?

------
Sir_Cmpwn
I use uBlock Origin and disable JavaScript by default, then instead of
enabling those things when sites break, I choose to be more discerning about
the websites I visit instead.

------
enz
The following doesn't break my everyday browsing:

uBlock Origin, Decentraleyes, httpseverywhere, DNS over HTTPS (currently
Cloudflare, but plan to use my own resolver soon)

------
earenndil
I honestly get relatively little site breakage; so I'm just fine with that.
But if you're having issues I would suggest reek anti-adblock killer.

------
lota-putty
Setups which are data sinks giving minimal info about end users are the best.

If you outsource processing/filtering, that data has commercial value
eventually.

------
andrethegiant
I use Pi-hole on the network level, then 1Blocker as a content blocker. It
blocks ad and analytics trackers, and works on macOS and iOS.

------
tssenek
z_open's setup is really good. Very similar to mine. A site that has helped me
learn enormously about this is privacytools.io. I designed my config based on
their suggestions. There are tons of privacy conscious alternatives to
everyday software.

Many of the configs you are going to see here can be reasoned through the
suggestions at their site.

------
xthestreams
> What's the best setup these days for ad-blocking + privacy/tracker-blocking
> that doesn't break the web?

If one doesn't want to break the web, they shouldn't block ads since most of
the web is free _thanks_ to ads.

I use a blacklist approach and only block ads on those websites which clearly
have no consideration for usability (popups, autoplaying videos, ...) or for
privacy.

I have found that uBlock Origin is great for this approach.

~~~
kerkeslager
> If one doesn't want to break the web, they shouldn't block ads since most of
> the web is free thanks to ads.

Things you pay for with your privacy and attention aren't free.

If you visited a website and they charged your bank account without your
permission, that would be theft. If you visit a website and they take your
data and attention without your permission, that's also theft. I don't agree
to the self-serving assumption I've somehow agreed to pay for your content on
your terms simply by visiting your webpage. You don't have the moral high
ground here.

I'm old enough to remember when people put content onto the internet because
they wanted to, not because it brought them ad revenue. The internet was
better then, and many of those old-style websites are _still_ the best sources
of information on the internet. I also pay for content with money, and that
content tends to be much higher-quality. If all the businesses supported by ad
revenue go out of business, I'm pretty okay with that.

~~~
xthestreams
Then do not use those websites, if their morality doesn't suit you.

In your words, using a service without paying for it is also theft.

~~~
kerkeslager
So it's your position that if I send an HTTP request for the public homepage
of a public website to a publicly accessible server and that server sends me a
response, I'm stealing that response? I'm obligated to render all the content
you send me, and run all the code, just because you sent it to me?

No. _If you don't want me to see your content, don't send it to me_.

If you want me to agree to do something before looking at your content, then
send me a contract of some sort and don't send me the content until I agree to
the terms of your contract. Otherwise, I haven't agreed to do anything for you
just because you sent me your content.

I'll also point out that you said upthread:

"If one doesn't want to break the web, they shouldn't block ads since most of
the web is free thanks to ads."

First you say it's free, then you say I'm stealing it? Which is it, are they
free or am I obligated to pay for them?

Imagine if other businesses worked this way. You hear a store is giving away
books, so you go and ask them for a free book, and they say, sure, yes, the
books are free! But as you're reading the book, you come to a page where it
says that by accepting a free book you've agreed to also read a packet of
marketing materials for the bookstore, send them a DNA sample, and spend some
time mining gold for them. And no, you can't give the "free" book back, you've
already started reading it so if you don't do what the bookstore demands, that
would be stealing!

~~~
xthestreams
I guess the stuff you're talking about totally falls under my "only block ads
on those websites which clearly have no consideration for usability [...] or
for privacy"

I didn't say that ads are great. I said that NOT ALL ads are bad, and without
them some great content couldn't exist, because most people need funds for
their work and selling stuff or services sometimes isn't an option.

So if you're talking about tracking ads, I'm totally with you. But if you're
talking about ALL ads, then your idea may be a utopia.

~~~
kerkeslager
> I said that NOT ALL ads are bad

Ads are inherently trying to make me want something I don't want, so I'd say
that all ads _are_ bad.

> most people need funds for their work and selling stuff or services
> sometimes isn't an option.

Why is that, exactly?

Nobody has to sell ads. If your business only works because you sell ads, your
business model doesn't (or shouldn't) work. I don't think that we as a society
benefit from propping up businesses who produce content that is so low-quality
that nobody would pay money for it.

> So if you're talking about tracking ads, I'm totally with you.

What ads _aren't_ tracking me? There are only a few ad networks who even
claim not to track you, and it's unclear how many ads those companies actually
serve up--it's certainly not a large portion of the ads on the internet. And
as far as I know _none_ of the ad companies out there have open-sourced their
code, so whether they're telling the truth is a big open question. Advertisers
certainly have lied about this in the past. Apple, for example, has been
dinged for this a few times, while trying to sell itself as a privacy
advocating company.

WITH evidence, click through and conversion rates are very low already, so
it's pretty hard to persuade advertisers to advertise without collecting as
much data about you as possible. So nearly all the ads out there are tracking
ads. Even if you only accept that all _tracking_ ads are bad, the word
"tracking" is only a minor technicality.

------
erikpukinskis
I use PolicyControl in Chrome and it works great. I can have fine grained
control over each site.

------
anujdeshpande
PiHole with Cloudflare DNS

------
mrweasel
I just use DuckDuckGo’s privacy plugin, that seems to kill most ads.

------
Brajeshwar
Pi-Hole at the Home Router.

1Blocker for Safari.

uBlock Origin for Chrome.

------
Jailout2000
I have a multi-tiered adblocking environment at home and abroad.

At home, I have AdGuardHome installed in a VM acting as my home network's DNS.
It's pretty effective and is an alternative to PiHole. This is a first-tier
filter I have while at home for all my devices.
[https://github.com/AdguardTeam/AdGuardHome/](https://github.com/AdguardTeam/AdGuardHome/)

On the web browser, I have the AdGuard Firefox extension.
[https://adguard.com/en/adguard-browser-extension/firefox/ove...](https://adguard.com/en/adguard-browser-extension/firefox/overview.html)

For my mobile phone, it's a little obtuse but relatively straightforward. I
have a non-rooted Android phone. I've installed AdGuard for Android there as
well. The way it works is it runs a local VPN on my phone, so all device
traffic goes through a localhost proxy, which filters the DNS and unencrypted
TCP traffic. For HTTPS filtering, it installs a local TLS CA to perform re-
signing of websites (you can configure it to ignore EV certificates, as I
have, which are more common with online banks and more secure sites). It works
pretty well with exception to apps that have built-in ad platforms like
Instagram. It blocks 100% of ads in apps like Wunderground, Reddit, and
Firefox. [https://adguard.com/en/adguard-android/overview.html](https://adguard.com/en/adguard-android/overview.html).
There's also an iOS version of the app on their website.

I have a Google Play Music subscription which comes with YouTube Premium.
However, more and more YouTubers are diversifying their revenue, and have gone
to completely sponsored videos with embedded ads. For sponsored clips in
YouTube, SponsorBlock extension:
[https://github.com/ajayyy/SponsorBlock](https://github.com/ajayyy/SponsorBlock)

Decentraleyes [sic] is another extension that I use primarily on my phone, but
also at work. It allows the web browser to use local versions of CSS/JS
frameworks and fonts that would otherwise have to load from CDNs that track
your requests. Things like jQuery, Bootstrap, AngularJS, FontAwesome, etc. are
all loaded from local copies through this extension. This benefits the user by
saving bandwidth and page load time as well as stopping unwanted tracking from
the remote party. [https://addons.mozilla.org/en-US/firefox/addon/decentraleyes...](https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/)

Don't Fuck With Paste. This extension prevents websites from disabling pasting
in form fields. Extremely useful when you are using a password manager to
enter form data or just copying and pasting from another location. Websites
that break paste are just as bad as websites that serve ads in my book.
[https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi...](https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-with-paste/)
(it's also available for Chrome).

If you know someone or you yourself actually still use Facebook, I also highly
recommend Social Fixer. Not only does it block Facebook ads and other page
elements, but it lets you keep track of other events like who unfriends you.
It has a lot of options and I've been using it for years.
[https://socialfixer.com/](https://socialfixer.com/)

Worth checking out are NoScript extension, PiHole, and UBlock Origin. I don't
use these but I've heard good things about them and everyone seems to
recommend them.

------
newfromblammo
Nobody mentioned Waterfox?

------
forgotmysn
step one is definitely to get off chrome

cli or FFX + ublock origin, ABP, FB container

------
nijaru
privacytools.io

------
mp3geek
Use Brave :)

------
auslander
For Apple folks: Ka-Block! for Safari, both iOS and Mac, second Firefox
Focus's content blocker on iOS. Always on VPN mobile and desktop. Always
Private browsing mode everywhere. Kills 99% of germs :)

------
njn
I don't mess with browser extensions anymore, I just use Brave:
[https://brave.com](https://brave.com)

