
Pornhub Bypasses Ad Blockers with WebSockets - mirceasoaica
http://blog.bugreplay.com/post/152579164219/pornhubdodgesadblockersusingwebsockets
======
teach
Looks like another example of porn companies pushing the envelope with
technology.

They were accepting credit cards online before virtually anyone. In fact, I
think most innovations in technology come from either the military, video
games or porn.

~~~
cerrelio
I worked for a porn company for 2 years. I can say that the engineers and ad
people there are probably some of the best I've worked with in my career. The
company I worked for several years ago was eventually acquired by MindGeek
(formerly Manwin) after I left.

It was one of the only companies where I truly felt that they would let their
engineers experiment and grow. If an idea sounded like it could bring more
traffic or increase the quality of traffic, they'd let you do it. If that idea
didn't pan out in a short period of time (~3 months), then it was canned and
they tried something new.

I work at a very large global corporation now and I'm shocked (and bored) at
how drawn out their development cycles are, and at how little license they
give their engineers to be creative. The risk averseness makes it almost
impossible to bring anything into production.

I'd go back to porn if it weren't for the fact the industry as a whole seems
to be very secretive and mafia-like.

~~~
kchoudhu
If you don't mind me asking, how does one re-enter "polite society" after
working for a porn company?

(I'm not saying that working for a porn company is bad! Far from it. It just
seems like it would be really difficult to break back into the corporate
mainstream after working for a porn company due to the raised eyebrows during
the screening process.)

~~~
cerrelio
Most corporations are so scared of violating employment law that they never
ask for specifics. The last two companies I worked at had a third-party
verifier who simply confirmed (by pay stubs, calls, etc) my employment
history. I assume they don't share anything else other than that I worked
_somewhere_ for the periods I stated on my resume.

The more difficult part is tolerating the passive-aggressive culture of
"polite society" that exists at most "legitimate" companies. Porn company
culture is very aggressive. At my current dull-corporation job it's almost a
weekly occurrence where I want to tell my manager or someone else up the chain
to fuck off and get out of my way, in regard to getting work done. Porn is the
only industry I've worked in where an aggressive (tinged with a modicum of
respect) attitude is rewarded. I hate the hypocrisy at large corporations who
encourage "take initiative/leadership, get-it-done!" attitudes, but then push
back when an employee actually does that.

~~~
brianwawok
Trading industry. Lots of profanity in trading. It sounds similar in many ways
based on what you said. Very much results oriented and not PC.

------
mcescalante
For anyone who uses uBlock Origin (and if you don't, I highly recommend it),
there is a companion plugin for WebSockets that I recently stumbled upon and
am enjoying [https://github.com/gorhill/uBO-WebSocket](https://github.com/gorhill/uBO-WebSocket)

The article also notes that uBlock and ABP have both shipped "workarounds", in
the typical cat and mouse fashion

~~~
Klathmon
Maybe try paying for the content through their plan that allows you to pay
without seeing any ads?

I get that this is a porn site we are talking about here, but why is "just pay
for it" never discussed in these kinds of submissions?

Why is it always "how do we keep getting all this content for free without
paying" and not "why can't they make it easier to pay" or "how else can I pay
for this without losing security or anonymity"?

~~~
m3rc
Because that's a totally separate discussion. Blocking ads is about
controlling what code runs on my machine, not about trying to obtain content
without "paying" for it. There has been a nightmarish amount of malware served
through ads and so blocking ads (and external JS content) is a security
concern. After the fact, once all ads have been blocked, there can be a
discussion about creators getting money for their content. In that
conversation I am happy to talk about paying for Youtube Red, supporting
people on Patreon, and sponsored segments in podcasts, all of which I am in
favor of.

But don't try and turn a security issue into an ethics issue.

~~~
Klathmon
But it is an ethics issue.

They have a way to pay and get ads 0% of the time, guaranteed. If you really
cared about your security, you would both block ads and pay for the
subscription to ensure you never get served the code in the first place.

And even if that weren't the case, why is it okay to just take what you want
without paying just because you don't approve of the security.

Often times I don't trust a website with my credit card info, the solution is
to not use that website. The solution is to not try to hack in and take what I
want without paying...

Edit: I've now had threats sent to the email I had listed in my user profile
about this. So I'm done talking here.

~~~
Mithaldu
To repeat: It is not about paying. I do pay for a number of services that do
me right (Steam games, Google Play music, Netflix, others) and would pay for
services if I could (Youtube Red). Personally I have no stake in pornhub since
I don't use it.

It's still, and entirely separately from payments, a very important issue.

The real context here is:

_Controlling what my own mechanical device does with the information it
receives from other people's machines._

Even if the internet had no ads and no tracking code and no malware anywhere
whatsoever, there would still be a need for the technology to block and change
the way in which my computer handles the things sent to it by other computers
before showing them to me. I have a myriad blocks and css modifications and
even site additions and other things set up that have absolutely nothing to do
with ads, and being able to do that reliably is important.

~~~
jomamaxx
"Controlling what my own mechanical device does with the information it
receives from other people's machines. Even if the internet had no ads and no
tracking code and no malware anywhere whatsoever, there would still be a need
for the technology to block and change the way in which my computer handles
the things sent to it by other computers before showing them to me. "

This is not true at all.

You see ads all the time in apps you have on your mobile device (i.e. non
browser) - and there is nothing you can do about it. Is the world freaking out
over the consumer's ability to 'control which ads come up in a specific app'?
Not really.

~~~
problems
A few recommendations for you:

[https://f-droid.org/repository/browse/?fdfilter=ad&fdid=org....](https://f-droid.org/repository/browse/?fdfilter=ad&fdid=org.adaway)

[http://repo.xposed.info/module/tw.fatminmin.xposed.minmingua...](http://repo.xposed.info/module/tw.fatminmin.xposed.minminguard)

Never seen an in-app ad on mobile personally. No one is freaking out because
it's a solved problem already.

If those don't do it for you, write an Xposed module to strip it like
[http://repo.xposed.info/module/ma.wanam.youtubeadaway](http://repo.xposed.info/module/ma.wanam.youtubeadaway)

Don't underestimate people who hate ads, especially video ads.

~~~
jomamaxx
"Don't underestimate people who hate ads, especially video ads."

If you don't want ads - then you have to pay for the apps.

Get it?

This has nothing to do with technology, ad-blockers, advertisers or anything
else.

It's not even at the level of 'economics'.

No pay / No ads = no content.

None of you teenagers have been able to counter that point yet.

> 99% of Apps and Websites with content would disappear if there was no ad
> revenue or payment.

I can't believe that any of you are finished school and have jobs, because all
this talk of 'turing machines' is laughable and incredulous.

~~~
problems
> If you don't want ads - then you have to pay for the apps.

Some apps don't even offer an ad-free option. I'll pay if they provide me
value, I won't pay if they don't, simple as that. This used to be a more
standard model called shareware, but it kind of died out in the mobile app
decade.

> No pay / No ads = no content.
>
> None of you teenagers have been able to counter that point yet.

Why can't I pay them just as much as the ad-revenue they'd earn from me? It'd
be fractions of a penny per page, nothing like the cost of most of these sites'
paid models.

If they offered a reasonable payment model, I'd be much more open to it. But
until they're willing to accept their real value per page view, I'm not
interested in paying $10/mo for everything I use, when I wouldn't even provide
them with $0.10/mo in ad revenue.

For now, blocking ads is the only option if you want to get a full internet
experience without the ads, if enough people block ads that advertising is no
longer a viable model and more viable models become available, I'm more than
open to them. But we have to get the industry to that point where they're at
the consumer's whim and not like it is currently where the consumer is at the
advertiser's whim. The advertisers having all the power is not a good solution
here.

------
cyborgx7
The Mindgeek employee arguing[1] against adding WebSocket blocking
capabilities to the Chrome API linked in the post is a fun read. Sounds like
the ad industry is starting to get a little desperate.

[1]
[https://bugs.chromium.org/p/chromium/issues/detail?id=129353...](https://bugs.chromium.org/p/chromium/issues/detail?id=129353#c58)

~~~
joatmon-snoo
The hostility is _beautiful_.

------
agentgt
Somewhat relevant story... Many years back I worked for a software company
where we had traditional IT guys. One of the IT guys was a really nice, moral
guy. One of the things he did to keep our WAN connection speedy was monitor
the firewalls and routers and do traffic shaping/shaving/balancing.

He showed me once how much traffic was going to porn sites on the company WAN
(he knew I wouldn't tell anyone). It was quite impressive... at times it was
35%.

Now he could have been a dick and found out which workers were looking at stuff
but he did not and I remember distinctly his reasons were something like:
_"every day I see the smoker crowd take 30 minute smoke breaks and all kinds of
employees waste time and resources... but porn like coffee and cigarettes
might actually help some people get work done..."_

~~~
kilroy123
Who the hell would watch porn at work!? I find this utterly bizarre. Is it
some exec having a wank in his office with the doors closed?

Maybe I'm just the weirdo for _not_ jerking it at work?

~~~
agentgt
I had a couple of theories at the time who was doing it:

* The sales team was predominately young college guys. I often saw these guys IMing links back and forth.

* The consulting team often VPN tunneled in. I remember distinctly that IT could never get the routing on the VPN right such that internet traffic would not go through the VPN. That is they would VPN and think... hmm I'm alone in a hotel and leave the VPN client on.

~~~
acdha
At a previous workplace, telework laptops were definitely a problem:
someone senior broke policy by letting their teenage son use it, which was
first noticed from the heavy P2P traffic over the VPN but the excuse was
accepted when the porn browsing continued while the exec was in the office
explaining.

------
wintom
I know there will be a lot of heat on me from HN users about ads but here goes
anyway:

Ads are pretty bad right now but the reality is that the internet without ads
would not be a useful internet. Half of the tools and the things you use all
of the time could not exist without ad revenue.

The reverse of this is that Ad Blockers are much worse than the ads. They have
become the Mafia of the internet!

Did you know that as a company looking to bypass adblockers you can pay ad
blockers to whitelist you? That is extortion money! Google and Facebook pay.
The little guys looking to acquire customers now have to pay for the ads by
impression and when their ads are blocked have zero chance of showing.

I know you may not care but we are heading down to an internet where the ads
are now becoming content and we are basically reading nothing but junk. The
junk went from one section of the page to now being the page. Advertising has
existed as long as media has and as such will never go away. There is
advertising on pay to view channels like cable, companies want to sell to you
and they won't just disappear.

Let's stop this, let's get rid of the ad blockers and let's force the advertising
companies to be responsible with their technology, not drain our batteries,
not sell our personal info and we will have a much better internet.

~~~
milcron
> Did you know that as a company looking to bypass adblockers you can pay ad
> blockers to whitelist you? That is extortion money!

Adblock does this, but to my knowledge uBlock does not.

~~~
blahi
Adblock didn't do it in the beginning either :) Just like utorrent became
popular because BitComet became slow and clunky. Have you looked at utorrent
lately?

~~~
milcron
Ugh, don't remind me. That was a great piece of freeware before it went sour.
:(

But, there are many many alternatives these days: Deluge and qBittorrent are
both pretty decent uTorrent replacements.

------
the8472
Pornhub Bypasses _Chrome_ Ad Blockers with WebSockets.

Firefox request filter APIs do cover websockets for example.

~~~
catdog
This should be made more clear. It seems that Chrome is generally behind in
that regard, e.g. for a long time it wasn't even possible at all for an addon
to block requests.

~~~
fab13n
Chrome is a browser offered for free by what's essentially an advertising
company. How could we expect it to be on the cutting edge of the fight against
advertising?

They only tolerate ad-blocking plugins as long as it's necessary to retain
power users. For instance, they aren't tolerated on Android.

~~~
JulianMorrison
Firefox on Android has ad-blockers.

~~~
shostack
How well integrated is it into the rest of Android? Can I have the Google
search bar open results in ff by default?

~~~
Fej
Yeah.

Android is not like iOS or Windows for mobile. Default apps are handled much
like on Windows, even down to the home screen.

If you install a new browser, for example, then it will give you the option to
change the default the next time that you try to open any web link. Same goes
for most anything. If you install a new app launcher (home screen) the next
time you press the home button it will prompt you for which app launcher you
want to use (since they're just normal apps).

------
the_duke
I'm much more concerned with a new ad blocking circumvention technique that
has emerged on plenty of sites in the recent months:

Open the actual link you are clicking on in a new tab, and change the current
page's location to some advertising page.

They even randomize when a link opens in a new tab, so you can't just close
the page automatically, but have to wait for the result.

It drives me crazy.

---

I do love how the MindGeek guy got called out on the bug tracker, though.

~~~
hayksaakian
You're talking about the "pop under" ad format

------
intrasight
I see so many comments which boil down to "either buy a subscription or be
willing to have ads shown". But here's the reality. Even if you pay for a
subscription, you still see ads. And worse, you still have code from 3rd
parties, whom you didn't invite, running on your computer.

I bet if you took a survey of the HN community, the majority would say they
have no problem with 1st-party ads (how about simple inline images) of a
quality commensurate with the quality of the publication.

~~~
epmatsw
To be real, any time you visit any site you're running 3rd party code you
didn't invite. NPM modules, random scripts from CDNs or stored off in a /libs
directory, hardly any sites are built entirely on code hosted or written by
the party running that site. Ads get a bad rap, but if you're running JS on
the modern web it's not even the biggest culprit.

~~~
intrasight
True, but when I say "3rd party code" I was specifically referring to code
coming from a 3rd party server and therefore not under the control of the 1st
party. If the site I visit hosts the code then I trust it because I trust the
1st party (not saying that's necessarily a good idea, but it's my current
philosophy).

I have uBlock Origin set to block any 3rd party requests, so I do have to
explicitly "invite" any such code/resources. And you can tell uBlock to
remember those invites. This feature has made the web bearable again.

------
rurban
pornhub and other sites happily detect my adblocks, but still cannot serve any
ads via websockets, because I use a proper /etc/hosts file from
[http://someonewhocares.org/hosts/zero/](http://someonewhocares.org/hosts/zero/)

~~~
ars
If that became a problem for them they would just use an IP address directly
instead of a hostname.

~~~
rurban
yes, then my firewall rules will grow significantly :) But then I would be
able to use IP masks, as with dnsgate. The hosts file doesn't take wildcards.
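
An added example, not part of the thread: a small Python check of what a hosts-file blocklist covers, following the exchange above (resolution-level blocking applies to `ws://` and `wss://` as well, but IP literals and unlisted subdomains fall outside it). The hostnames, sample entries and function names are constructed for illustration and are not taken from the linked list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in hosts-file format; placeholder names only.
SAMPLE_HOSTS = """\
# comment line
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.net  cdn.ads.example.org  # two names on one line
127.0.0.1 localhost
"""

# Addresses that blocklists conventionally point unwanted names at.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_blocked_hosts(text):
    """Return the set of hostnames that the hosts text maps to a sink address."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        address, *names = line.split()
        if address in SINK_ADDRESSES:
            blocked.update(n.lower().rstrip(".") for n in names)
    blocked.discard("localhost")  # the loopback entry is not a block
    return blocked


def classify(url, blocked):
    """Say how a hosts-file blocklist treats the host in `url`.

    The scheme is irrelevant: the hosts file acts at name resolution,
    so ws:// and wss:// connections are covered like http(s) ones.
    """
    host = urlsplit(url).hostname
    if host is None:
        return "no-host"
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal"  # no lookup happens, so hosts entries never apply
    except ValueError:
        pass
    if host in blocked:
        return "blocked"
    if any(host.endswith("." + name) for name in blocked):
        # Exact-match only: the hosts file has no wildcard syntax.
        return "subdomain-of-blocked"
    return "not-listed"


def audit(urls, hosts_text=SAMPLE_HOSTS):
    """Map each URL to its classification against the parsed blocklist."""
    blocked = parse_blocked_hosts(hosts_text)
    return {url: classify(url, blocked) for url in urls}


if __name__ == "__main__":
    observed = [  # constructed connection targets
        "wss://ads.example.net/socket",
        "wss://ws.ads.example.net/socket",
        "ws://203.0.113.7:8080/socket",
    ]
    for url, verdict in audit(observed).items():
        print(f"{verdict:22} {url}")
```

Anything reported as `ip-literal` or `subdomain-of-blocked` needs a firewall rule or a wildcard-capable DNS filter rather than another hosts entry.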

------
FreeKill
Pretty interesting. I don't really understand why PornHub or others put so
much effort into getting around ad blockers, unless it's purely to pad their
statistics when it comes to getting new Advertisers to partake or I guess even
to try and trick people into accidental clicks etc. using shadier practices.

You'd have to imagine that a visitor to their site, who has taken the time to
actively setup and run an ad blocker, is probably the least likely user to
actually click on an ad in the first place.

~~~
67726e
Aren't some classes of ad payments based on impressions? Surely with high
traffic it's worth it to get around the blocker if only for the impression.

~~~
cmrdporcupine
Yes CPM payment is based on impressions. But ultimately an advertiser will
stop buying ads, or significantly lower the CPM, if they don't see click
throughs (or better yet, conversions to product purchases, etc.) for those
impressions. They keep track of the CTR (click through rate) and if that falls
below a certain level they're going to evaluate why.

I don't work in ads anymore, but I get the impression that that industry must
be under the impression that CTRs and conversions are in fact dropping because
of ad blockers, because there's a rash of new startups that work in the space
around detecting and getting around ad blockers.

------
danso
Have to give the MindGeek employee credit for participating in the bug thread
and being upfront about his employer [0]

[0]
[https://bugs.chromium.org/p/chromium/issues/detail?id=129353...](https://bugs.chromium.org/p/chromium/issues/detail?id=129353#c72)

~~~
geofft
I don't think he's being up-front - the phrase "As a for-profit organization"
refers to AdBlock Plus and the insinuation that ABP is trying to monetize
blocking WebSockets in contrast to the user's preferences, not to the author's
organization.

(Or maybe I'm just missing the sarcasm in your comment)

~~~
danso
No sarcasm, I misread the statement (though to be fair, it was his grammatical
error). I wonder why he even chimed in? Before his comment in August, the
thread was inactive for 1.5 months (and the bug report was unfilled for 4
years).

Also interested in how a user in the thread knew that he worked for
Mindgeek...if I'm reading this right [0], this Websockets thread was his first
message.

[0]
[https://bugs.chromium.org/u/3552224858/updates](https://bugs.chromium.org/u/3552224858/updates)

------
0xmohit
No wonder they are getting smarter:
[https://news.ycombinator.com/item?id=12846537](https://news.ycombinator.com/item?id=12846537)

~~~
peterkelly
Seems they're looking for PHP developers... I don't think I'd be comfortable
telling my friends and family that's what I do all day

~~~
cookie_monster1
That is understandable. I don't think I would be comfortable telling my family
that I develop PHP either.

~~~
yarou
Haha, beat me to it!

Seriously though, PHP has come a long way from the CGI/SQL injection days,
though I feel its namespacing and scoping rules are rather ancient.

------
rosstex
And uBlock Origin blocks WebSockets with the "uBlock Origin WebSocket"
extension :)

[https://chrome.google.com/webstore/detail/ublock-origin-webs...](https://chrome.google.com/webstore/detail/ublock-origin-websocket/pgdnlhfefecpicbbihgmbmffkjpaplco)

------
hoorayimhelping
The referral of this link is for reddit programming. Mods might want to change
that to help out the author understand where their traffic is coming from.

~~~
edibleEnergy
hehe thanks, I felt kind of bad putting any sort of utm tags on the blog in
the first place. I posted it to r/programming and somebody reposted it to hn.
The tracking tag doesn't matter to me anyways. I'm just glad people found the
writeup interesting :)

------
api
Ads will win the arms race. There's a clear economic model and "black hats"
always have the advantage due to instant feedback on the success of attacks
(REPL-like instant feedback learning vs. speculation).

The problem is the economic model of the web, or lack thereof. Ad blockers
evade that problem.

------
PromisedLAN
Has anyone else been experiencing redirects at kickass.cd? I have ublock
origin but it still occurs.

------
aq3cn
I hear the porn industry complain about internet piracy. So that could be their
next target after ad-blockers.

[http://www.huffingtonpost.com/news/porn-piracy/](http://www.huffingtonpost.com/news/porn-piracy/)

------
joe_momma
Oh yah, well what if I had javascript disabled altogether?

~~~
cm3
Presumably the site in question wouldn't be functional then, but it would
solve it.

------
INTPenis
I was on pornhub last night and didn't see any ads. ;)

Could it be that noscript will block this if you are forced to whitelist each
video by clicking it before it plays?

~~~
touristtam
If we are talking about the same extension, then it is down to the way
noscript blanket blocks the scripts on the page.

~~~
INTPenis
I noticed recently that yes they do have some sort of connection between the
JS required to play certain videos and the JS required to show ads.

And the latest from pornhub is actually that noscript cannot simply allow the
video window, it refused to play until I allowed one of the domains on the
page temporarily, then the ads came up and the video would play.

It's not rocket science, it's obvious that people will eventually defeat
noscript. But I think pornhub stands out a bit as being especially nerdy and
bleeding edge.

------
rajeshp1986
There are many news sites which do Adblocker detection. I guess this is a
known trick by many people in the industry and they are not doing anything
here.

------
dedalus
I thought PageFair used the same approach and adblock plus actually does block
websocket traffic to certain domains..

------
awqrre
I haven't seen any ads on xhamster.com which I think is the same company?

------
sickbeard
Maybe people wouldn't use adblockers if their ads were elegantly integrated
with their content (as opposed to opening hidden pages in the background and
messing with navigation).

You reap what you sow

~~~
fastball
Well, we are moving towards promoted/sponsored content in lieu of ads, so
probably in the not distant future we might start seeing more product
placement, etc.

 _Female Pornstar: Yes! Harder!_

 _Male Pornstar: Gimme a sec, I need to replenish my electrolytes with a big
gulp of Brawndo!_

~~~
codezero
That would be pretty entertaining. Realistically they could do a lot of
product placement for sex toys, lube, condoms, and things that fit the target
demographic :)

------
LargeCompanies
Those online pirate movie streaming sites figured a way to bypass ad block in
September or so.

Considering what type of site it is (the biggest one) it doesn't bother too
bad; a few pop ups here and there. If they start amping up that number then I
will be googling for a better ad block.

------
quirkafleeg
Looks like another case of the old myth about porn innovating or "pushing"
technology, as usual with nothing to back it up.

~~~
unethical_ban
He literally gave a case (from memory) about the industry being an early
adopter of technology. Not every anecdote needs a citation. Where's your
citation about it being a myth?

Man, posts like this are so prevalent on HN. Why can't people stop and think
about whether their words are useful to the conversation?

~~~
idlewords
Another tired accusation about negativity on HN, with no examples.

~~~
wernercd
Another tired accusation about tired accusations about negativity on HN...

We have achieved irony inception.

~~~
idlewords
We must go deeper.

~~~
seangrogg
BOMMMMMMMMMMMMMMM!

