"Users may also switch to uBlock Origin. It does not support the $rewrite filter option and it is not vulnerable to the described attack."
AdBlock uses Adblock Plus filtering engine internally and also supports and enables "Acceptable Ads" by default:
> AdBlock is a popular ad blocking extension for Chrome, Opera and Safari, now based on the Adblock Plus code.
* * *
This is why brands have immense value.
It's not just your opinion. Mr. John McAfee himself, the guy who started the company and whose name it still bears, has publicly stated that McAfee software is "the worst software on the planet"!
If that isn't enough for people to avoid a brand name, then I don't know what is. But apparently, countless businesses are so clueless they keep using McAfee software even though its own founder says it's trash.
Although it's been molasses-slow in comparison to 3rd party tools since that time as well.
When I talk to these folks and probe why they think they need WinZip, they never say "oh, I was trying to uncompress a 7GB file the other day in Explorer and it took forever." They say "I'm on Windows, and this is a Zip, therefore I need WinZip." They're usually genuinely surprised to find out that this is something Windows can do all by itself.
> Since its release in Windows XP, Zip folders has not been actively developed. The reason is the usual: Because adding features requires engineering resources, and engineering resources are limited. Furthermore, since the compression and decompression code weren’t written by anybody from Microsoft, there is no expertise in the code base, which means that debugging and making changes is a very difficult undertaking.
seems to translate to ‘because we really don’t care’. It’s not as if Microsoft is strapped for cash.
They even killed ChromeOS ans Chorme updates for a bunch of 3 to 4 year old Chromebooks recently, despite the hardware being fine to run newer ChromeOS.
Safari is really easy to beat by anti-ad-blocking technology, the only reason for why more publishers won’t do it is because they don’t want to piss off people, but as the minority of people using ad-blockers grows, they’ll get over that fear.
Also FYI injecting scripts in webpages is the only way to prevent anti-ad-blocking from working.
It might be enough to handle most of the ads at the moment, but it fails miserably when a website uses any adblock circumvention.
As for your specific claim, 1Blocker has an entire section of blocking rules to counter anti-adblock.
Sure, if some site want's to be completely hostile to users, it may still show up. The little cross icon on the tab solves that issue pretty quickly.
Regarding https, this change was made in 2015.
Oh, there are all sorts of them.
From simple feature requests (like being able to distinguish fetch/xmlhttprequest) and bug reports (like that it considers requests to subdomains third-party) to something more complicated.
The problem is that regardless of what's requested/reported, there is no reaction.
As it should. Sometimes subdomains are third party. If I whitelist example.org I do not want any subdomains to be whitelisted without be explicitely whitelisting *.example.org as a wildcard or any specific subdomains.
As for why someone would request JS - you’re the one who suggested chrome/ff blockers are “more advanced”. And yet here we are on a thread about arbitrary code execution.
Not really. I've submitted a request for an enhancement myself (ability to auto-redirect to the canonical URL - to avoid the bullshit of AMP pages) but what you've suggested just don't seem like worthwhile or positive changes IMO.
My argument wasn't "zero change is good" my argument is that it doesn't need much change and a stable API is hardly "abandonment".
What do you mean by abandoned? I use it and it works for me daily.
Most of the changes and improvements to modern ad blockers are to deal with this kind of ads. Not in Safari, though. Webkit devs did nothing to improve or extend the content blocking API. Not to say that it still imposes the ridiculous rules limitation - you can't have more than 50k rules in a list (while Easylist alone has more than 80k).
I can appreciate that uBlock Origin wants to be a universal condom that works on every website for everyone, but I also don't think it's so damning if the content blocker API is sufficient for that. Yet uBlock Origin and its rule lists still fail at this task as well.
A website can do any number of annoying things that uBlock Origin cannot block including things that aren't even related to ads. I simply refuse to use such websites. In fact, I want to know that a website does these things rather than remain in blissful ignorance. I don't want to support such a website even with my viewership.
I've built content blockers. The rule limit is circumvented by simply bundling multiple rule lists.
Also, 80% of Easylist is crap anyways. The problem with Easylist and things like it is that they become append-only lists because nobody wants to go back and verify that rules still apply. Not to mention all the site-specific rules for sites you'll never visit because it was someone's random hobby horse. But you can absolutely encode Easylist across two content blocker extensions bundled in one app. But in doing so, you'll also realize how easy it is to prune so that it fits in one rule list, there are so many rules for garbage sites.
I'd say it is sufficient for 90% of the websites at the moment.
My point is that this is not a constant value. Advertisers adapt and evolve, and content blockers need to do the same.
> A website can do any number of annoying things that uBlock Origin cannot block including things that aren't even related to ads. I simply refuse to use such websites. In fact, I want to know that a website does these things rather than remain in blissful ignorance. I don't want to support such a website even with my viewership.
This is indeed the best way to let site owners know that this approach is unacceptable. I wish everyone were doing the same.
> The rule limit is circumvented by simply bundling multiple rule lists.
Sure, but this is a workaround, quite an ugly one in fact.
> Also, 80% of Easylist is crap anyways
It does contain a lot of redundant rules, maybe 30% of it, but not 80% that's for sure. And what if I want to use more filter lists? The only thing I can do is use the multiple lists workaround. It is simply weird that nothing was done about this limitation in more than 3 years.
For example, an unbounded rule list has unbounded serial compilation time.
A 50k rule list recompiles in a couple seconds on my laptop and quite some time on my iPhone, but multiple rule lists can be compiled in parallel.
I suppose your response to this would be that content blocker recompilation could be made parallel over a single list or made to support incremental recompilation.
And you're probably right. But note that even Chrome's proposed content blocker system has the same limitation. Perhaps it's not as straightforward as it seems and it's not just a result of neglect/abandonment.
I mainly responded because the language you used seemed more damning than necessary. But have you tried 1Blocker X which is built on the content blocker API? It's hard to condemn the content blocking system too much when there's an app that utilizes it to such great effect.
You are right about Apple/Webkit moving slowly on community feedback and bug reports though. I suppose I'm used to the glacial pace of non-critical-path browser issues after my Firefox bug went three years without response until it was fixed after Quantum's release. You are probably more critical here than I am. At Amazon, anything sev3 to sev5 went into a heap so large it was a miracle if anyone opened it again.
Somehow, my intuition is that ublock is too advanced/complex for non-tech-affine users.
> BetaFish Inc, owner of AdBlock, paid to acquire control of the GitHub repository and control of the ublock.org site last year. The apparent goal was to keep the deception ongoing, and further increase it, as clearly the site is trying to game search engines so to rank ublock.org high in results. They also registered the trademark "uBlock" in Germany, and have been pulling code from "uBlock Origin" repo.
> Nothing that they are doing is user friendly, it's to deceive people who are looking to install "uBlock Origin" into installing "uBlock" instead.
Fixed now. Thanks for your work.
> Through April and May 2015, the uBlock project was forked by Chris Aljoudi, while uBlock Origin reflected the continuing effort by the original developer Raymond Hill.
Since April 2015, uBlock Origin has been completely unrelated to the web site ublock.org.
> Shortly after the project division [between uBlock and uBlock Origin], Chris Aljoudi created ublock.org to host uBlock, promote the extension and request donations... In July 2018, uBlock was acquired by AdBlock.
IIRC, Raymond Hill, the original author of uBlock and current maintainer of uBlock Origin, voluntarily gave the control of uBlock project to Chris Aljoudi because he was tired of dealing with all the bug reports/issues (and Aljoudi offered to take it over, I think).
But due to various reasons, shortly (very shortly, maybe even no gap in between) after, he self-forked uBlock  to make uBlock Origin and started to work on it again.
So technically uBlock Origin is the fork, and more importantly, Chris Aljoudi didn't really "fork uBlock", he inherited the main repo.
Note: I'm by no means to defend Aljoudi's practice on uBlock and I'm pretty sure Hill regretted his decision of handing it over. But let's avoid historical revisionism.
(See the "forked from chrisaljoudi/uBlock" text and readme.MD below)
Edit:  Hill's own words about this matter on Apr 11, 2015: https://github.com/gorhill/uBlock/issues/38#issuecomment-918...
But he later fully transferred (everything, including stars issues and whatever) the repo to Aljoudi (you can do that on GitHub) so it was under Aljoudi's namespace. Then, Hill forked it back, which eventually became the repo for uBlock Origin we have today. It doesn't show "forked from xxx" any more today for reasons I don't know (maybe he recreated it?), but you can still see it in the archive version of it I linked above (you can also check older dates and Chris' one, to show the transfer more clearly).
Simply giving ownership to a GitHub repo might not be a license.
The people who forked tried to make some money off the name by asking people for donations. They seemingly failed after the uBlock creator called them out and renamed his work to "uBlock Origin".
So the people who forked sold what they got to ABP and called it a day.
(I've worked on filter lists since the Junkbuster and then Privoxy days, through Adblock Plus. Then Adblock Plus suddenly seemed like a bad place to be, and uBlock was similarly questionable, so I moved to uBlock Origin, even though adding new rules there was more work than in ABP. I've been very happy with uBlock Origin, and with its lead developer's apparent benevolent intentions.)
Support for this filter option was discussed (and declined) in uBlock Origin's issue tracker:
Here's a permalink to your explanation in that thread: https://github.com/uBlockOrigin/uBlock-issues/issues/46#issu...
After some clicking I found this: https://github.com/uBlockOrigin/uAssets/issues/4080#issuecom... , might be interesting
Calling it an exploit is no different than claiming .exe files are exploits because they allow arbitrary code to run. Or that browser extensions are exploits because they too can manipulate the page.
The problem is that you can’t necessarily trust filter maintainers to be completely honest. Users don’t regularly audit the thousands of rules in their filter lists, so a bad or compromised filter could easily introduce a malicious filter in an update. The $rewrite rule lets a filter change what code is being loaded by a webpage (under certain fairly realistic situations).
I agree with that, and it's not a strong security model. But my original point is that the author is using a bad faith argument by describing a feature they dislike as an exploit. It's in spec for what the original authors intended. Just like running an executable program is potentially risky, but a design of the system.
I read the article and perhaps it's been edited since you commented, but the author states in the introduction that there is a security vulnerability in a feature and provides an exploit. That to me is quite different from calling the feature itself an exploit.
> It's in spec for what the original authors intended. Just like running an executable program is potentially risky, but a design of the system.
While it's true that it is in spec, I see a big difference in terms of how users experience this situation compared to running an executable program. I see this as more analogous to new feature introduced in an executable format that offers a different security guarantee to what users are already comfortable with. I don't see pointing this out as being in bad faith.
While I'd still argue it's "working as intended" (for better or worse), he is at least calling this specific demonstration an exploit rather than the feature as a whole. So I'll step back from that position, at least part way.
Thank you for the clarification on that point.
As a developer, I expect that browser plugins can execute code in some context (though I think general users may not even expect that); but I don't generally expect that plugins will execute code from some arbitrary 3rd party source.
Ad blocking extensions should consider dropping support for the $rewrite filter option. It’s always possible to abuse the feature to some degree, even if only images or style sheets are allowed to be redirected.
The classic "ban it because it can be abused" mindset. Let's ban the use of computers too, certainly that would be more secure!
Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions.
As they should, because what user-agents are doing have nothing whatsoever to do with their site.
(Disclaimer: I don't use ABP nor uBlock nor any in-browser blocking extensions, so I have no conflicts of interest here. I use a full MITM proxy which is far more powerful than anything you can do with a browser extension. I wonder what he'll think about that...)
Can your MITM proxy modify HTTPS traffic? If so, how did you configure your machines to trust the cert you're using?
Yes, of course. It wouldn't be very useful otherwise. The proxy has its own CA, and I install the cert into the trusted roots of all the machines I use.
I really like it, no doubts it's good and everyone should consider using it.
BUT, since we are talking about uBlock Origin, I'd like to mention another awesome extention Raymond Hill made.
uMatrix alone is very powerful, and will prevent most ads.
Yes you as a user need to do the work, but the result is better.
If you like the idea of uMatrix, you may also look at NoScript!
Actually, I live almost ad free using NoScript + uBlock Origin for at least 2 yrs.
$rewrite... what a dumb feature btw!
You cannot. Pihole may be. Abetter solution for network-wode ad blocking, but some ads (such as push notification spam) use the same domain name as the original site, so pihole can't block them, being just a DNS blacklist.
Constrained list of functions.
This could go a long way towards opening up the web to more extensions but also keeping it more secure.
I recently did a rev to the Polar chrome extension:
and I had to request a new permission for filtering and they're now taking a WEEK to approve my any updates due to code review.
I really only need to evaluate a URL and add headers.
This doesn't need to be turing complete.
I basically just need to take a HTTP response and headers if they're missing when a specific origin is set.
And what does Turing completeness has to do with security anyway?