Hacker News new | past | comments | ask | show | jobs | submit login
“This is why I use ad blockers and a pi-hole server” (twitter.com/poa_nyc)
810 points by slater on Jan 23, 2020 | hide | past | favorite | 378 comments

Shout out to nextdns.io, they run a global pi-hole grid. OK, it’s better, but conceptually.

”Block ads, trackers and malicious websites on all your devices. Get in-depth analytics about your Internet traffic. Protect your privacy and bypass censorship. Shield your kids.”

All you do is point your DNS at it. (Or let one of their apps point DNS for you.)

But I really like the ethos:

”NextDNS was founded in May 2019 in Delaware, USA by two French founders Romain Cointepas and Olivier Poitrey. Olivier has been working on Internet infrastructures for the last 20 years. In 2005, he founded Dailymotion, the largest video sharing service after Youtube and the most popular European website in the world at the time. He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic. Romain and Olivier closely worked for years at Dailymotion on many different projects. Romain ended up leading the mobile & TV department.”

”We are true supporters of the net neutrality and Internet privacy. We believe that un-encrypted DNS resolvers operated by ISPs are detrimental to those two principals. Alternative solutions like Google DNS or Cloudflare DNS are great, but we think more actors need to step up and provide alternative services to avoid centralization of powers.”

In ~8 months it’s gotten mom proof while also being something I can recommend to techos. For me, it’s been more reliable than the enterprise Zscalar DNS filtering, and more configurable than other filters, particularly in allowing ad blocking and custom block lists and white lists along a rich set of built-ins.

I’m at 7% blocked out of 4 million queries in last couple months.

    Ads & Trackers 256,212
    Facebook         7,150
    Spotify          1,245
    Messenger        1,027
    Snapchat           938
    Twitter            916
I should note that I don’t use Facebook, Spotify, Messenger, Snapchat, or Twitter.

"He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic"

There is something about CDNs and DNS, usually not good. According to Paul Vixie, that is how we ended up with EDNS0 despite the objection of IETF. Wonder if this company gets permission to share data with Netflix. I would read the terms carefully.

Hopefully people will choose to run their own Pi-Holes on their home networks, preferably without pointing them at third party "upstream" DNS providers.

Some CDN rely on DNS for load balancing. They need information on end user network to properly resolve ( sending you to a server in the right geo for instance). If you use a third party resolver and it is not providing enough info, you may get poor performance. That's not some fancy tracking, in the end the CDN will get your IP and traffic. (Not saying it's impossible to use it for tracking purpose)

How does your own DNS server substantially help, given that it needs to get its data somewhere?

By distributing its requests across the many authoritative servers for the domains you visit. The only one that still sees all your DNS requests is the ISP.

In the US at least the major ISPs are likely the worst people to see your dns queries as they are actively selling that data to advertisers.

They see all of your traffic anyway, so it doesn't really matter if they also see your DNS traffic, it's not like HTTPS hides who you are visiting.

> They see all of your traffic anyway, so it doesn't really matter if they also see your DNS traffic, it's not like HTTPS hides who you are visiting.

Given a lot of traffic goes to cloud providers with IP pools that are discriminated largely by the HTTP Host header, it absolutely does somewhat hide "who you are visiting".

In other words, virtual hosting does provide some incidental "privacy". However, looking at the web as whole, not simply focusing on certain large CDNs, most HTTPS websites actually do not require the SNI extension. "Modern" browsers send domain names in the ClientHello plaintext automatically, by default, even though it is not required.

Then there are HTTPS websites who require SNI but do not actually check the name in ClientHello is the same as the name in the Host header.^1 Any name sent in the ClientHello will suffice to retrieve the correct web page. "Modern" browsers again blindly send more than what is required in that situation.

As such, it is the HTTP client, e.g. major browser, that is leaking information in plaintext unecessarily. "Modern" browsers are useful for displaying web content. However when it comes to retrieving it, they are less trustworthy. Too much is happening in these programs outside the user's awareness and control.

1. AWS Cloudfront is one example. It is possible to send a less descriptive, arguably more private, CNAME in the ClientHello whilst sending the known domain name in the Host header. https://news.ycombinator.com/item?id=21977961

Not really, as HTTPS doesn't currently encrypt the HTTP host header. It might someday, but even that wouldn't be foolproof.

I thought https was just http over a socket with ttls? Os, is it the certificate handshake where host header is leaked?

It's sent un-encrypted in the very first handshake setup so the server knows which public key to return. Details here[0].

There is, as you can see from Wikipedia[0], an encrypted version(esni), but that only sort of solves the problem. See [1] for more details on those.

The high level overview is, perfect secrecy of who you are talking to is a very hard problem on the Internet, and while some of these new features might help, there are a LOT of leaks to plug, so if someone is able to watch your traffic go by, chances are they can tell who you are talking to, but they maybe can't figure out what you are saying. Which may or may not matter, depending on your security threat(s).

0: https://en.wikipedia.org/wiki/Server_Name_Indication

1: https://tools.ietf.org/html/draft-ietf-tls-esni-05#section-7

> is it the certificate handshake where host header is leaked?

Yes, because of SNI [0].

In short, the ClientHello message sent by your browser as the first step of TLS negotiation (After the TCP connection is made, obviously) includes the hostname of the server you are trying to connect to unencrypted so that the server knows which certificate to present in the case of multiple sites being served on one IP/port combo.

[0] https://en.wikipedia.org/wiki/Server_Name_Indication

SNI requires the host header to be sent unencrypted, as the server needs to know which certificate to offer for the TLS session.

No. The SNI is transmitted in plain text as part of the ClientHello but TLS does not care about application implementation details. The HTTP Host header is encrypted along with the rest of the request.

I don't think ISP are a bigger threat to ad blocking than google, even if US ISPs have a very bad reputation.

s/EDNS0/& Client Subnet

Cool, sounds great! I went to NextDNS website only to find out they run Google Analytics...

I love how in this thread about, ostensibly, why tracking is bad and trackers should be blocked people are arguing that using GA is ok because doing anything else is "too hard". Why can't this same argument be applied recursively to any of the trackers in the NYT tracking sphere? I'm sure it can, and I'm sure that's why loading a NYT page loads dozens of various third-party tracking scripts: because doing anything else would have been "too hard" for the NYT marketing & technology departments.

To be slightly reasonable on this, GA on their site is nothing in comparison to the larger surface they provide. It’s not all-or-nothing.

Can you qualify that? In what sense is GA "nothing in comparison"?

Because the other companies are less well-known?

Because it's just one among 200 others? Even though it's owned by the largest adtech corp in the world?

Or is it because you told yourself that Google will probably do "less bad things" with that same data, after you give your users data away, completely out of your control.

> they run Google Analytics...

That's seriously disappointing. While I block GA and it's commonly used, my opinion of a site/service falls a fair amount when I see they're using it.

I'm not into the analytics business, but how does it come that, somehow, of all the major tech companies, it just happens to be Google to provide the one irreplaceable analytics service?

In particular, how that apparently never worried anyone before they became the "seriously nothing else can scratch this itch" quality analytics??

Because I saw it happen and it worried me. Some people must remember, about a decade (!!) ago, that half-joking nervous realisation that there was a single corporation whose server-controlled javascript ran on 90% of all webpages.

Or the part where you share all of your site's analytics with a third party you had no choice in? That wasn't even a thing before GA came around.

What is Google Analytics doing that it can't be replaced by anything that's not quite as ruthless with your visitor's data? (I really want to ask "is it that hard?" but I'm gonna assume there's something hard about it that I'm not thinking of)

Personally I'm afraid the reasons are dumb and shameful. I suppose Google Analytics is providing some additional details and data that it just happens to be unable to provide unless it tracks the everloving shit out of your visitors and accumulates this data on, say, Google servers. And people don't want to give that up, because weeeeell if it's spying on everybody and combining and keeping data anyway, they might as well get a slice of that pie, right? Flawed reasoning that work very well in unscrupulous people's heads.

And then you get someone complaining that the UX of the alternative isn't top notch. Which really tells you everything you need to know someone is willing to even begin thinking about sticking out a limb for.

I get this sinking feeling that in large parts of this industry there's less than 5% of people who actually think about and critically look at the ethics of what THEY are building, and they're probably listened to even less. It's probably even less, I've been talking to people that I consider very responsible engineers whose principles just wither as soon as you ask where the analytics data goes ... usually pointing at the client's choice. Except they're working on it and it's built into the infrastructure of the company and they provide it.

So easy to get the top thread in this comment section arguing fervently against any and all forms of tracking ... and then you get this massive back peddling when someone dares to suggest not using GA.

Is it blocked if you use their DNS? ;)


What should they use? And don't say matomo until it supports drilling down byond one level.

In this particular case I find it very dishonest: they talk about net neutrality and privacy protection but use Google Analytics. It does not matter if GA or Matomo is the best solution, they made the decision to use GA and thus don't seem to value their customers data that much.

What is it with this all-or-nothing attitude? GA provides objectively superior data and they probably get a lot of value from it, otherwise they wouldn't be using it - value which allows them to grow their business which ultimately benefits their users.

(at least for me) Considering the value of their service, GA on their marketing page seems like a very small compromise. If you don't like it you are free to block it - hell, they literally provide a service to do so.

> GA provides objectively superior data and they probably get a lot of value from it

Which is why everyone uses it and we just sit back and accept the consequences. You can't be expected to be taken seriously if you simultaneously argue that other's shouldn't do something while yourself use it for precisely the same reasons everyone else does.

This is not about all or nothing. This is about being dishonest in my opinion. It's like a doctor who recommends you to stop smoking because it's bad, but smokes on its own.

Consider a doctor that smokes during consultations subjecting you the patient to the ill effects of their secondhand smoke whilst simultaneously recommending that you give up. Perhaps a more accurate analogy. Would you trust the doctor in this scenario?

There is no dishonesty there. Merely acting inconsistent to one's advice. It's not a serious deficiency.

BTW, in a number of countries a large percentage of doctors smoke. It's a cultural thing: They pick up the habit during the stress of medical school. Would you suggest that a large percentage of doctors in those countries not inform patients that smoking is bad for them?

As a politician recently complained about: Purity tests are usually a bad idea.

It's fair to criticize. It's silly to reject their word/work because of it.

Except there's no doctor-patient discrepancy, most people in this thread are in the business and actually do have to make these choices based on their own expertise in the field.

It's a lot more like if all doctors were telling each other they should wash their hands before surgery, but many of them don't really because the tap water is cold and kinda too far away and everybody is doing it and what's the harm really and at least I'm not actively sneezing into the wound, you know?

The doctor smoking does not invalidate their assessment that smoking is bad for you, nor does it make his other "doctoring" services less quality.

For more reasons why (some/small) compromises should be allowed and not considered completely against the core value, see religious extremism.

Sure thing, but the gigantic Google Analytics machine is hardly a small compromise versus all the other ubiquitous tracking.

I don't even consider it a compromise, because literally no one arguing to use GA anyway seems to be able to present both sides of the scale considering the compromise.

Unless the doctor is smoking right next to you and making you breathe the smoke, he's not really hurting anyone but himself.

In comparison here this company is giving out all their user's browsing data to a huge advertising company without the user's explicit consent.

It's not dishonest, whether something is good or bad is never absolute. Something that is bad for someone is not necessarily bad for others.

I think first off that is hypocrisy not dishonesty and in the second place it's probably actually a regrettable and regretted addiction.

Nah it’s like a rehab clinic that requires you to smoke while you read their brochures on why you should quit :)

My dentist smokes.

Doesn't mean she can't clean my teeth and drill holes in my skull or whatever with high proficiency.

What is it with this all-or-nothing attitude? Matomo is good enough.

Depends on what you're looking for. Demographic data can be really important for a business and Matomo couldn't possibly provide that.

If you’re collecting and relying on demographic data than privacy probably isn’t very important to you.

Where are you getting this demographic data?

You don't get that from server logs.

Sound like you're not arguing against Matomo but arguing that you really in fact do want to share data with a third party to extract information that your users very much did not consent to.

It's terrifying what comes out of the wood works sometimes.

What is demographic data and how is it collected?

The age, gender, etc. distributions of the people who visit your website. I don't know anything about GA, but I'm guessing they'd know this from the currently signed in Google account.

What if people don't want to volunteer this information?

> What is it with this all-or-nothing attitude?

It's indicative of a lack of respect for their users.

> GA provides objectively superior data and they probably get a lot of value from it

That's certainly true. Also, that's orthogonal to the point. Being very valuable to website operators doesn't make its use any more acceptable to others.

> Considering the value of their service, GA on their marketing page seems like a very small compromise.

It's not a compromise until you consider the value of both sides of the equation. Please do elaborate on that, with some details on the negative externalities of blindly sharing your tracking data with Google.

Otherwise your argument just became "superior data has got some value to me, which is more than none, so yeah I got mine".

It's not less of an all-or-nothing attitude if you fail to seriously consider the other side of the supposed compromise.

What do you mean drilling down beyond one level? I use Matomo and find it just as useful as Google Analytics. Actually, I like their interface better than Google's.

Nothing? why do they need analytics?

To see what content is popular, to see what countries users are coming from, to how long a given page is retaining a visitor... all of this lets a business know what they need to change/offer/stop to better serve their customers and attract more customers.

I had a very niche ecommerce site for a couple of years, for ease I was only shipping to U.S. customers. I noticed that something like 20% of my traffic was coming from Canada so I decided to enable shipping to Canada but added a 5$ premium on top of the actual shipping cost. I had a sale to Canada the first hour of enabling it in my cart and Canada ended up being roughly 10% of my orders, even after I raised the premium/handling fee to 10$.

Looking at my GA page once caused more money to be going into my pocket and filled a need for Canadian customers. I didn't need to learn a programming language or spend tens of hours trying to figure out, through articles, how to copy paste a bunch of code together to recreate something comparable.

My question then would be, why do you need to use especially Google Analytics for that? Stats like "visitors per country" are a core feature of all major analytics suites. I set up analytics for many site on my job and I never experienced a use case where GA offered that specific feature no other software had.

GA is free and takes seconds to set up. Not everyone knows how to code, not everyone is a professional web dev or CS ninja, not everyone has piles of VC money to throw at such things. GA works, is well organized, and is often integrated with a lot of cart/web builder services where you simply have to plug in a short string and pop over to the GA website.

I needed a vegetable knife recently. I could have (and I do have the skills, and have made many knives over the past 25 years) purchased some appropriate steel and made one myself in 3-5 hours and had it incredibly sharp but I opted to buy a Mercer stainless steel one on Amazon for 20$~ because it required much less effort.

I also couldn't care less about Google or the NSA or Lectroids from another dimension tracking me so I don't rush to go "I'd better cater to the small percentage of my potential customers that want to leave zero trace on the internet, there are countless tools out there they can use to minimize that trail of breadcrumbs. This data is usable to me and Google makes it easy" and I imagine, even the company in question was like "some people want privacy but those that are concerned can easily block this with a browser extension, in their hosts file, and/or at a hardware level so we'll go ahead and use it and save a bunch of time".

> GA is free and takes seconds to set up. Not everyone knows how to code, not everyone is a professional web dev or CS ninja, not everyone has piles of VC money to throw at such things.

Imagine if restaurants had this attitude about hygiene.

I mean not everybody is a professional cleaner ninja or has money to hire them. Just wiping the counter a little is all everybody sees anyway, and everybody can do it.

If you're simply not skilled to do it properly, does that mean you get to earn the profit of doing it over your customer's backs anyway?

Your attitude really reminds me of, say, street food carts in some places. Because some of people just didn't receive food hygiene training, and they only have to get out there with a cart and something that looks edible.

You're essentially saying that violating your users' privacy is OK because not everyone has the skill or money to do it the right way?

In this case would you also say it's OK to be stealing in stores because it's cheaper than getting things the correct way by paying for them, and that stores concerned about theft should just do a better job at preventing you from stealing by using the real-life-equivalent of a hosts file to prevent you from entering the store?

I think his point is that he doesn't consider it a violation of privacy and that the people who do usually are better at controlling the data that is leaving their computer anyways.

Exactly. The people making all the fuss in this thread, are the people that are probably already blocking via one or more solutions.

"Don't track me!"

I can't, you are blocking it

"You shouldn't be tracking me!"

>You're essentially saying that violating your users' privacy is OK

I'm not holding a gun to their head and telling them to visit my site. If I walk into a business, or someone's house, I assume I'm being monitored. Websites are the same thing.

> I'm not holding a gun to their head and telling them to visit my site.

And I'm not threatening to skin you alive if you don't stop it.

How are threats of violence okay again?

If I walk into a non-Google business or someone's house, I don't assume that Google is the one monitoring me.

> I didn't need to learn a programming language or spend tens of hours trying to figure out, through articles, how to copy paste a bunch of code together to recreate something comparable.

Tens of hours, people. THIS is what your privacy is worth to some.

You forget that, while doing the unethical thing might seem a lot less hard, simply NOT doing the thing is also not hard at all! So that's not an excuse.

You seem to think you have a right to the earnings of the difference between those two, over the backs of your visitors' privacy.

THAT is the argument you have to explain. Not the part of how you managed to get fancy analytics for free by selling out your visitors.

This is an honest, detailed answer from an end user. Basically, he values simple demographic information about his visitors and doesn’t care about privacy. This is what countless other GA users have said here on HN and elsewhere.

If you want more privacy then build a better GA (from the typical end user perspective, recall the famous comment here that no one will use Dropbox because they can instead just run some Unix commands).

All of that can be done with local server logs,complete with pretty graphs and reports.

I am out of that game. Once upon a time, I labored over WebTrends for about a hundred different sites. It was not a great time.

I am not sure what would be a good replacement for Google Analytics these days but I had an absolutely terrible time with WebTrends and server-side logs. I was pretty doubtful about the results produced, as well.

And then crawlers completely mess up your data. And it’s another thing to maintain and process.

Or with a couple of mouse clicks it can be done with GA. Most people don't want to stare at lines of code, write cod, and fiddle around in logs for hours and hours. I have literally no idea how to extract that data in a comparable fashion and it would likely take me many hours of reading and trying to copy paste random bits of code I find in articles together to attempt to do the same. Obviously the company in question should have someone capable of doing that but most smaller companies and small business website owners don't, hiring someone to create that would cost money.

Stuff like GA you can copy paste an identifier or line of code, make it live and you're done. You now have a bookmark you can go to and see lots of actionable data in a nice visual form.

Most people don't care about a website tracking their OS/location/time spent on change etc so why would I, or someone else, put a bunch of extra work into fashioning something from scratch when there's a perfectly usable product that takes seconds to deploy and is easily blocked by those that don't want you to easily access that information about them?

If you need a knife most people would buy a knife. They would not buy a length of steel, cut it to rough shape, file or grind it down to the final shape, then spend an hour or more putting an edge on it with wet stones. Besides, the people that don't want tracked by Google are probably already blocking google via software and/or hardware solutions.

> To see what content is popular, to see what countries users are coming from, to how long a given page is retaining a visitor...

All of those things can be determined by using a web server log analyzer.

They should not use anything.

Or server logs, if they really must.

It seem like most people have forgotten that before Google Analytics, we all just looked at our server logs.

Sure, you can't get the exact same information, but you can get enough to do capacity planning and some basic stats.

I've started to wonder why people care about Google Analytics, what does it tell you that you actually need to know. Again capacity planning is useful, but other than that, isn't sort of pointless?

>exact same information

you could actually get more from plain old log parsing in some cases. First of all with GA you can't access the raw data. With logs you can create new type of stats/metrics/charts and apply them on past data. Also, IIRC GA uses random sampling - only a % of connections are recorded and the data being shown is extrapolated from those samples. While I'm not arguing that given the vast amount of data at disposal, huge capacity and great engineers they can make those extrapolations very accurate, I'm not entirely convinced it is precise for (very) small traffic websites. And since a small traffic logging requires both small storage space and small processing capacity the resources needed for keeping and processing your own logs are insignificant while the results might be useful.

Some of the larger website builders/hosting , e.g. Wix don’t even give you access to server logs.

Sure you can setup and run your own site and CMS easily enough, but running even hourly bulk log ingestion is usually not as straight forward and the information you can derive is very limited comparative to js based tracking.

Matamo ( formerly Piwik) is decent but still takes some time to setup and get right.

The main thing that the analytics tells you if you are promoting anything, is which of those promotions is actually working and driving visitors to your site.

>Some of the larger website builders/hosting , e.g. Wix don’t even give you access to server logs.

I don't think it's unreasonable to require them to provide you some sort in insight into your traffic data in that case.

You can to promotion tracking with just log parsing, depending on how your system is built. There's a large number of sites that handle that by simply having unique URL for each promotional partner.

> what does it tell you that you actually need to know?

Have you actually used Google Analytics? Doesn't sound like it.

First, being able to get stats on real traffic and not bots/crawlers is very important and GA does an excellent job of this.

Google Analytics also allows you to see how people actually use your site. Stats like how long, what their visit path looks like, and when they leave your site. It also lets you see demographic info, like age group and gender.

I've only touched the surface of what GA does. Yes, it is equally frightening and amazing how it tracks users.

Good luck doing these with your server logs.

> It seem like most people have forgotten that before Google Analytics, we all just looked at our server logs.

Yep, and lots of us still do. I wouldn't feel right throwing my users under the bus by subjecting them to GA.

Simple analytics? What would they even use the data for...

There are plenty of alternative solutions:

Piwik, GoatCounter, GoAccess, Open Web Analytics, clicky, Snowplow, Gauges, etc.

The correct solution is to self-host all analytics involving data that can be used to identify, track, or analyze individuals.

And none of these offer the ease of setup, ease of analysis, or ease of recognizing what actions to take that GA offers for $0 license and no hosting fees. These on the list are all admirable (esp. Snowplow) but all assume savvy users to be able to get things that are out-of-box with GA.

> don't say matomo until it supports drilling down byond one level.

everybody, this is what your privacy is worth to some people.

I’d be using GoAccess if it meant not giving up my users to Google. Matomo is a dream.

I use nextdns, it's excellent.

However beware that it's not a "set and forget" solution.

Example: This morning I did my occasional sweep of what I've blocked where, and to see if there's a new allowed domain in top N that should've been blocked. What I found is that ocsp.int-x3.letsencrypt.org.edgesuite.net is blocked by "kowabit.de - bl*cklist of death". I've added that to my whitelist now, I want certificate revocation to not be blocked.

Why would anyone block all of Akamai? This is the problem with user-generated-lists; sometimes the user clearly has no idea what they're doing.

Strange, cannot find any entry related to LE in the list: https://blocklist.kowabit.de/kwbtlist.txt




I whitelisted only the FQDN and left edgesuite.net largely blacklisted.

FYI: *.edgesuite.net is the domain that Akamai (CDN) allocates to nearly all of their customers.

That all sounds great, but what is their business model? How do I pay them for their service?

I checked.

It seems to be free for the first 300,000 queries per month, then switches to a regular DNS (no blocking). Unlimited queries are $1.99 per month.


Ok, but by paying you basically hand them your personal information which they can now tie to your internet access patterns. So now, besides your ISP, there's one more party with this info.

EDIT: they accept cryptocurrencies, so the problem is slightly less critical.

In case you use their DOH service (or TLS), it's only them, not your ISP.

You ISP still sees which IP addresses you eventually connect to.

Which are mainly going to be owned by AWS, GCP, Azure, DO, or CloudFlare

SNI (Server Name Indication) leak is still present and your ISP may know what website you're asking.

It's $2/month for unlimited requests, apparently: https://nextdns.io/pricing

That's surprisingly very reasonably priced.

Pricing is surely very reasonable, but I'm not comfortable with the idea of paying for not getting something. The whole system is flawed and building businesses on a flaw is a step in the wrong direction if we want to fuel motivation to solve that flaw.

The city of flint has a lot of water theyd like to sell you, it comes with extra so it follows your model. You should also love basic Hulu, they sell you a version that comes WITH added ads, such benefit.

In reality there are plenty of places you are paying for refined or filtered products. Organic or pesticide free foods, gas (you or your supply chain use it), higher end CPUs (less defects), it goes on and on.

You're also paying for the Internet access. Go build one and we'll pay you.

Is it? You can run a DNS server on a watch.

Not on my watch

It is free during beta. Then essentially a freemium model: https://nextdns.io/pricing.

I'm sorry for my ignorance, but how does NextDNS compare to by Cloudflare?

I've been using for some time. For me it has worked fairly well in the USA where my connection speed is ~200mbps. While I was in India, caused substantial slowdowns, in some cases made a few websites unusable. Typically I had it disabled. I'm unsure why this was happening because the website says it makes web browsing faster--I do not have the technical chops to understand this, so would anybody be kind enough to explain in a layman's language? Would NextDNS and differ in terms of speed?

I dont think the increase in speed is a result of you getting responses to DNS queries any faster, it's simply that if you only need to load the content you want and none of the content you dont (ads and whatnot), then the stuff you do want to see has that much more bandwidth available.

But at the current time I feel CloudFlare has more reputational skin in the game, that they're merely selling off spare capacity as opposed to making a separate business model work, and they don't offer logging as a service although they can certainly break their promises at a reputational risk.

In time NextDNS can build up their reputation perhaps to a point even exceeding CloudFlare, but right now I feel those who are joining early are "paving the way" via risk to their privacy.

To my knowledge does not offer as blocking? Or are you referring to some other cloudflare offer?

They're most likely referring to the provider reselling your data (basically you're trading scattered tracking on many providers to NextDNS getting all your DNS lookups, which can be resold without your knowledge)

You are correct. Cloudflare’s DNS does not assist you with blocking ads and trackers.

I do something similar by running CoreDNS on a pi with a bunch of blocks on domains. Works very nicely with caching as well, and the data stays where I expect it.

Wonder how this compares to AdGuard[0]


EDIT: They have a lot more products than just DNS (if you poke around the site)

Maybe a silly question, but how do they identify you? Simply based on your IP address?

You'll have a unique 6 character id, which you'll use as a subdomain or path in dns-over-https

For example, if your id is abc123

DNS-over-HTTPS https://dns.nextdns.io/abc123

DNS-over-TLS abc123.dns.nextdns.io

You also have ipv6 hostnames, which has the id in it

Logs of requests can be viewed at:


Can anyone who knows your id also view your logs?

As a fallback for standard UDP DNS over IPv4, they do use your IP address in a rather clever way: they have multiple IPv4s so you can have different rule sets for different devices under the same IPv4 and they identify which ones by linking the two addresses together (NET1->DNS1 gets RULES1, NET1->DNS2 gets RULES2, etc.).

What's the advantage in using this over something like say, Blokada?

1. You can a share your config across all your devices. Also works on desktops (AFAIK Blokada is just for mobile)

2. You can create multiple configs and easily switch between those

3. Works everywhere (Pi-hole is very cool but only works within the local network you set it up, AFAIK)

4. On my smartphone Blokada regularly stopped, probably because I use an energy saving profile. I could never keep it running for longer than a few days, no matter what I tried. NextDNS seems to work fine so far, had it running for some weeks without a single crash

Regarding #3: you could run PiVPN on your PiHole device and remote into the PiHole.

Mobile browsing on the go without ads!

>On my smartphone Blokada regularly stopped, probably because I use an energy saving profile.

I had an issue with it stopping every couple of minutes, recently I figured out it was Google Fi's VPN causing it to stop after noticing it was only doing it on my phone with a Fi sim and not on my device with a Sprint sim. At some point Fi updated it so that the VPN is always on instead of only turning on when it finds an unsecured wireless network and automatically connected you (which is extremely rare where I live).

> 3. Works everywhere (Pi-hole is very cool but only works within the local network you set it up, AFAIK)

I run a PiHole on an AWS EC2 instance, then VPN to it on my phone. The VPN is configured so that only DNS requests get sent to it and all other traffic just goes straight through the LTE connection so that I'm not paying for all the traffic through AWS.

Could you please elaborate on your setup. How do you achieve sending only DNS traffic over VPN? What do you do when your phone is connected to your home WiFi network?

> How do you achieve sending only DNS traffic over VPN?

I use OpenVPN on both my phone and the server with the "redirect-gateway def1 bypass-dhcp" option enabled on the server. See https://docs.pi-hole.net/guides/vpn/only-dns-via-vpn/

> What do you do when your phone is connected to your home WiFi network?

Nothing. The phone still uses the PiHole in AWS. I don't run a PiHole on my home network, as I use uBlock Origin to block ads on my desktop. I make my phone use a PiHole to prevents apps that aren't my web browser from getting ads, such as Google Now.

Thanks for the clarification.I'll give it a trial run to see how it pads out for me.

They some track record before I can start trusting them.

That's why I wish the Signal foundation started building 1. Password managers 2. DNS providers

NextDNS's anycast network seems to be built on top of M247 and Vultr. I wonder if it is stable enough.

There are a few others in there as well: https://bgp.he.net/AS34939

So if I am running both Nextdns and adblocker locally, is there any point ? Which one is blocking first ?

I do the same and together they work the best I find. Ad-blockers act at a different level than DNS blockers so can catch things that the DNS didn't (DNS only had domain, while ad-blockers have the full path)

But the order of evaluation is first local ad blocker then dns blocker I guess, right ?

From what I understand yes

NextDNS is great. However with these tools, problems appear when you specifically want to display your Firebase dashboard etc. directly going to a service from the "tracker" itself = analytics.google.com

Marking at domain level is too generic to wrestle with this problem.

You could have an alternative browser with unfiltered DOH for this.

Or maybe that's the right level... if tracker should be blocked then I guess it's better to not fuel this business.

Thank you for sharing this! I have never heard of them before, but I switched from Cloudflare to it after reading your comment and I’ve been a very happy user for the past 4 days :-)

> founded [..] in Delaware, USA by two French founders

This sets off my spidey sense. Delaware is known to be a hot bed of fly-by-night corporations and front companies used exclusively for shady dealings[1]. I'm not saying that's the case here, but proceed w/ caution.

[1] https://www.transparency.org/news/feature/delaware_the_us_co...

It's also an extremely common place to set up a legitimate business.

> More than 50% of all U.S. publicly traded companies and 63% of the Fortune 500 are incorporated in Delaware.


Delaware is used as the base for a lot of corporations of all stripes. It's because they provide an enormous tax advantage.

I actually had an argument with my business attorney about this many years ago. He wanted me to incorporate in Delaware for the tax benefit. I wanted to incorporate in my own state because that's the right thing to do.

and what prey, does a global pi-hole grid give that an actual RaspPi and pi-hole can't? What does it add?

Given they are based in Delaware, USA my starting point is far below zero privacy trust: Nextdns are gathering maximum possible data from everyone's DNS queries and selling it, or proposing to use it for advertising soon(tm). Enough independent reviewing and auditing might eventually persuade me that's unfair, maybe. If they actually cared for privacy why not incorporate in the EU and proudly wear full GDPR compliance? Or CA's upcoming privacy legislation?

There privacy policy is succinct and to the point:


> 1. We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity.

Which is easily said. Whereas their pricing page tells a different story:


> Completely free during the beta, then free up until about 300,000 DNS queries/month — $1.99/month for unlimited queries.

... which makes for a very particular business model indeed.

There is no such thing as a free lunch. Which makes me wonder how they keep the lights on, and where the money comes from.

Im failing to see how the privacy and pricing pages stand in any kind of contrast to each other.

This business model is like literally every other SaaS platform that has a free tier. Would you trust them more if they had no free tier?

DNS-over-TLS is what they add.

Which is great, because then you can configure your Android to use nextdns as the private DNS provider and thus all adverts and tracking in your mobile apps and websites are covered too, even when you're away from your home network.

You can configure the same on your own PiHole, or VPN to the network it's on.

I think the value is convenience, all this is done for you, no maintenance.

My understanding is that pi-hole does not support DNS-over-TLS.

Are you saying that it does?

I've just looked and cannot find mention of it.

I know one can install stubby to achieve this, but now the convenience of nextdns is greater.

> My understanding is that pi-hole does not support DNS-over-TLS.

You have to run Unbound, as well.

Presumably it's just convenience for people that don't want to run their own.

It would work off of your network. If you are using their DNS it would work when you took your laptop to a coffee shop or when your phone switched to 4G/5G. That seems like a big benefit to me.

If you have your DNS server its trivial to connect to it from anywhere you are.

Do most people expose their pi-hole to the internet? I didn't think that was a common thing to do.

No. VPN tunnel in between.

Reliability, speed, accessibility, ease of use, more secure defaults... Enough?

The founders appear to live in the US so a US company is a lot more convenient for them, and Delaware has some very nice benefits for companies that AFAIK don't have any privacy drawbacks. Your assumption that they "are gathering data [...] and selling it" is beyond baseless.

EU users are protected by the GDPR anyways and despite what ProtonMail etc. would like you to believe, founding your company in Switzerland or whatever does not make you magically trustworthy.

From where I see it, they deserve no more and no less initial trust than any other company.

> Reliability, speed, accessibility, ease of use, more secure defaults... Enough?

Very glib, but not helpful nor accurate. Reliability of a web service? Speed faster than local network or local VPN tunnel? Convenience appears to be the top and bottom of it from other replies.

> assumption that they "are gathering data [...] and selling it" is beyond baseless

Not at all. US freedom of information goes far beyond everyone else's and leaves the expectation that personal data is collected, shared, sold, misused and abused, and that's been the case since long before the web. Personal data that most places consider private and inappropriate to share, and often have laws for, is frequently easily available in the US.

The web just brought it further into the gutter.

Europe has had freedom of information with constraints on personal data. Data protection has been around since the mid 90s, and prior to that there were other restrictions on certain types of data collection. The discrepancy between the two approaches has been there for probably seventy years, perhaps more, and it's widening not narrowing.

Those national norms set starting point of expectations, and what each nation tends to take as axiomatic. For a typical European, for the reasons mentioned, US privacy provision and expectation starts negative. Certain industries and categories get very antsy about data going, even briefly, to the US as a consequence of that. If it's any consolation I start with the presumption every company is untrustworthy.

> they deserve no more and no less initial trust than any other company

that is they deserve none. No company gets any trust from me until they prove that they deserve it.

I agree, but asserting they are evil with no evidence to support that is a lot further into the negative than "no trust".

Given numerous examples from the past this is what "no trust" equals to. I'm not advocating publicly accusing them of being evil without evidence, but assuming they are when deciding if and how to use their services is at least reasonable.

In other words in public my opinion on them is "neutral" until I have some information/data/signs to form/change my opinion, but internally I assume they are doing[0] something evil until proven otherwise.

[0] or at least assume they are capable of doing something evil and there is a non-zero chance that they will engage in evil-doing. (but again, not accusing them publicly until there are reasons to do so; I'm just describing internal thought-process)

Believing someone's claims out of thin air does not make it trustworthy either.

The existence of the gdpr is not enough. You'd also need to start reporting/suing those breaching the rules.

True, but my point was that incorporating in Delaware doesn't prevent the GDPR from applying to you (for EU customers). It's true that taking action against a non-EU company for GDPR violations is harder, but not impossible.

What really grinds my gears: they do the same thing when you're a paying subscriber.

I'm with the nyt for two years now, and I can vividly remember seeing the first ad that was displayed despite me being logged in. How is that okay?! And btw: I wanted to cancel my subscription afterwards, but apparently you can't do that via web from the EU (or not for my subscription type?) - so I need to cancel on the phone, during american business hours. I appreciate the times for their journalism, but their business practice with respect to selling their customers data is beyond inacceptable. I'm already paying you money, get your act together please...

It annoys me too, but I'm playing devil's advocate to reason it out.

When you buy a print copy, it also has adverts. The price you're paying is subsidised by the adverts, it doesn't completely cover the costs.

Perhaps there are two possible ends of the spectrum. On one side, you have to pay for all news that you access and there is no advertising. The news will be expensive, so only the wealthy will have access. The government can subsidise it, but that runs the risk of politicising it.

At the other, there is only advertising-supported news. The content you see is decided by whoever bids the highest.

A blended subscriptions plus advertising model tries to find a middle ground. I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies. Is that even possible now? Would advertisers pay if they didn't get that information?

>I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies.

Honestly: no. I'd rather pay more than selling my attention, because that's what ads are doing. My time is more valuable than whatever margin they're making by showing me ads, and I'm very confident that I'm not alone with this position.

>Is that even possible now? Would advertisers pay if they didn't get that information?

This is a really good question, and adding to it: how hard-wired are these mechanisms into modern websites such as the nyt's? I'm pretty sure that there is no simple on-off switch, but how much work would it be to implement one?

A sliding-scale subscription model would be nice, where I could say "I'll pay $100 per month and have no adverts at all" or "I'll only $5 per month, and I'm happy to have a lot of adverts".

But the advertisers probably want access to the kind of people who are prepared to part with a lot of money to avoid advertising. You see this in the FT and Economist where it's more expensive to advertise to subscribers, because the advertisers know those people have higher disposable income. If all they can have access to is lower-paid people, I guess there’s a risk a lot of the advertisers will not bother.

Maybe there's just an inherent problem here. News can be good quality, independent from government, free from advertising, and available to all. But it can't be all of those things at the same time at a national level.

>"I'll pay $100 per month and have no adverts at all" or "I'll only $5 per month, and I'm happy to have a lot of adverts".

there is another problem with that model. As long as ads revenue is a significant portion of publisher's income there is a risk of advertisers influencing the content. At $100/month you won't see the ads, but the news themselves could still be influenced by advertisers in some way. I'm afraid that this would need all or nothing approach to be effective.

I am afraid there is a high probability in that $100 wont work. And the question is a little more complex.

This is not about I am willing to paid $100 to get rid of ads as the OP stated, it is how many are willing to paid $100. Or more precisely, we need X ( Say 10 ) monthly million revenue form customers to sustain the business. Are there enough customers to share the $10 million expense. We could price it at $50, are there 200K customers wiling to subscribe, and if not, how many more paying the $5 + Ads will make it sustainable. Given the Ads money with the $5 subscription will be lower since the subscribers of $5 are likely not worth anywhere as much as the $50.

Like you said most of the high paying subscribers are already concentrated in FT , Economist or WSJ. And precisely the reason why Apple news didn't include any of those three. They still dont get it. It might work for casual, gaming, sports magazine. Not Quality Daily news.

> This is a really good question, and adding to it: how hard-wired are these mechanisms into modern websites such as the nyt's? I'm pretty sure that there is no simple on-off switch, but how much work would it be to implement one?

After Ars Technica's most recent revamp/relaunch of their pay-for subscription, it took them a few additional weeks to clean it up to remove all third party domain calls for paying user.

> I'm very confident that I'm not alone with this position.

You are not alone. There are plenty of services I pay to eschew ads. The moment they start inserting advertising, they'll lose me as a customer. I don't have cable, don't listen to FM or AM radio, and I don't have satellite radio, all because they have ads.

> The news will be expensive, so only the wealthy will have access.

I think this is correct, although HN readers may have some bias to disagree. I think the HN crowd is generally fairly well off financially (but not rich) and cares more about privacy than other groups.

> When you buy a print copy, it also has adverts. The price you're paying is subsidised by the adverts, it doesn't completely cover the costs.

For print and online the advertising covers the cost and the subscription is just a bonus on it, same thing you said but from the end users perspective. Why pay a bonus for nothing?

Print ads don't call home with your identity when you see them, they don't tell a dozen different companies who you are. The magazine may have some general statistics on it's customers (maybe differentiated by region?), but they certainly don't give the advertiser enough information to uniquely identify every person who sees an ad, along with individual demographic information and information on what ads the reader has seen elsewhere. The print customer database is (probably, hopefully) not linked into other third party databases that list what your hobbies are, what shelves you look in at the store, and what other publications you subscribe to.

If online news only had static first-party ads that were the same for every customer (or possibly every customer in X region), uninformed by Amazon/Google/other browsing, I'd be more than happy to turn off my ad blocker.

If the newspapers produced a daily epub, I'd be happy to pay for it. Even then, epubs can contain references to third party images and other resources (not sure about PDF, I despise PDF for lack of text reflow). My personal ideal for online subscriptions would be an OPDS catalog that I could subscribe to; this supports login-based access, and I could use fbreader or any other app to read.

Many of us don't care about the ads. It's the tracking.

They could offer a no-tracking tier. When you consider how little revenue most ads generate per user, the price increase wouldn't be very much.

> I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies. Is that even possible now? Would advertisers pay if they didn't get that information?

They would, if they had no choice. Thay have to be forced, both technically and legally, to advertise without using that kind of fidelity. Simple as that.

There's a better way: just don't read news.

I did the exact same thing. I was so pissed off about having to see ads on a website I was paying for.

They do the same thing to the US: They force you to call them.

I tried to cancel my credit card to get rid of the charge: soon after, they started charging me again.

In the end I had to call my credit card company and block all transactions from them, forever.

Super scummy, super annoying. Fuck the NYT.

Financial Times do the same thing. About €60 a month for a subscription and they still insist on putting ads in the app.

I estimate that the ads only generate a miniscule amount of revenue, yet it really detracts from the user experience.

The ads for paying users are probably worth a lot more than for non paying users.

For the FT specifically, I get the impression that a pretty large portion of subscriptions are corporate/paid for by employers so I'm not sure how true that really is.

The companies paying for a FT subscription for their employees are going to have well compensated employees, hence valuable eyeballs for advertisers.

This. Also, some of those eyes are going to belong to people who make purchasing decisions on the behalf of their employer. Those people are exceptionally valuable to advertisers.

I pay for NY Times (as well as several other papers, like the WSJ).

NY Times runs giant banner "subscribe" ads even if you're a paid, logged-in member. I still need ad blocking on!

I wouldn't mind ads equivalent to what you see in the real paper -- a Macy's ad at the end of an article, etc. But they should be in the page, and not popping up on top, on the bottom, or over the article.

That's why I like the Guardian, if you're a digital sub app is ad free.

Is it also data-collection free?

> And btw: I wanted to cancel my subscription afterwards, but apparently you can't do that via web from the EU (or not for my subscription type?) - so I need to cancel on the phone, during american business hours.

There's existing NL law (maybe based on EU regulation?) that makes this impossible. Basically: the way you cancel should be as easy as you subscribe. Meaning, if you could subscribe online, you must be able to cancel the subscription online. If subscribing was utterly difficult, then cancelling can be utterly difficult.

If there's EU regulation behind it, usually you can force any foreign company to abide by this. Unfortunately it was difficult to figure out if this NL law was based on any EU regulation (e.g. Consumer Rights Directive from https://ec.europa.eu/info/law/law-topic/consumers/consumer-c...).

Same thing with Wall Street Journal. Can't cancel via web, gotta waste 15 minutes on the phone. Never subscribing again.

I had the same experience with the Globe and Mail in Canada. You get ads regardless of whether or not you're a paying subscriber, and while you can sign up online, you can't cancel. It was a total pain in the ass to do that over the phone, and it's a glaringly-obvious (and misguided) retention tactic.

I'll never subscribe to them again. What a short-sighted way to optimize for revenue at any cost.

had same problem trying to cancel my subscription, I've canceled payments through paypal

This has to be a highlight of the discussion


Look at all that "innovation" being stifled...

It explains why there's so much fear-mongering and misinformation regarding the GDPR and how they're trying to make users hate it (by using non-compliant and annoying by design "consent" prompts). There are literally billions being invested in all that cancer called adtech/martech that's been made illegal by the GDPR.

JFC! Maybe if they didn't whore themselves out, they wouldn't need the money they're whoring themselves out for because their hosting and web dev costs would go way the fuck down.

For those who prefer json to ads, trackers and bloat, below is a script to fetch NYT by section in human-readable jsonp.

   #! /bin/sh

   case $1 in
   world        |w*)  x=world       # shortcut: w
   ;;us         |u*)  x=us          # shortcut: u
   ;;politics   |p*)  x=politics    # shortcut: p
   ;;nyregion   |n*)  x=nyregion    # shortcut: n
   ;;business   |bu*) x=business    # shortcut: bu
   ;;opinion    |o*)  x=opinion     # shortcut: o
   ;;technology |te*) x=technology  # shortcut: te
   ;;science    |sc*) x=science     # shortcut: sc
   ;;health     |h*)  x=health      # shortcut: h
   ;;sports     |sp*) x=sports      # shortcut: sp
   ;;arts       |a*)  x=arts        # shortcut: a
   ;;books      |bo*) x=books       # shortcut: bo
   ;;style      |st*) x=style       # shortcut: st
   ;;food       |f*)  x=food        # shortcut: f
   ;;travel     |tr*) x=travel      # shortcut: tr
   ;;magazine   |m*)  x=magazine    # shortcut: m
   ;;t-magazine |t-*) x=t-magazine  # shortcut: t-
   ;;realestate |r*)  x=realestate  # shortcut: r
   echo usage: $0 section 
   exec sed -n '/x=/!d;s/.*x=//;/sed/!p' $0

   curl -s https://static01.nyt.com/services/json/sectionfronts/$x/index.jsonp
Example: Make simple page of titles, article urls and captions, where above script is named "nyt".

   nyt tr |  sed '/\"headline\": \"/{s//<p>/;s/\".*/<\/p>/;p};/\"full\": \"/{s//<p>/;s/..$/<\/p>/;p};/\"link\": \"/{s///;s/ *//;s/\".*//;s|.*|<a href=&>&</a>|;p}' > travel.html

   firefox travel.html
Only need one domain for viewing in graphical browser -- static01.nyt.com -- articles and images look great, at least on desktop

Can block everything else

..do they not just do RSS?

That's genius though, and I love it. You're clearly very dedicated to both the NYT and privacy.

They do, they have topic-specific RSS feeds that work great for me. Example: http://rss.nytimes.com/services/xml/rss/nyt/Science.xml

UTF-8 complexity

Do they have any rate-limiting on calls to that endpoint? Does this get around the "You have X free articles remaining this month?"

Also, if you own a router able to run OpenWrt ( https://openwrt.org/supported_devices ), you have access to several packages providing the same technical solution as a pi-hole (DNS-based blocking). As far as I know, the most common and maintained is https://github.com/openwrt/packages/tree/master/net/adblock/... .

It's easy to install, full-featured, ships with lots of lists to pick from, auto-updates lists, doesn't need an additional device, and you will benefit from router features shipped as part of OpenWrt and probably unavailable in your router's proprietary firmware. Much recommended.

If that sounds attractive and it sounds like a good opportunity to change your crumbling unpatched router, the question "what's today's good cheap router running OpenWrt without trouble?" is frequently answered by https://www.reddit.com/r/openwrt/ :) .

Is it worth switching from AdvancedTomato to OpenWrt?

I don't know.

This isn't any better on the NYTimes mobile site. Everyone should be running Firefox for Android with uBlock extension enabled. Bonus: it reduces the network traffic so dramatically, it's like getting a new phone.

I used to be conflicted about using ad blockers on sites I frequent and enjoy and used to actively maintain my block list. After all, I want them to earn money.

But almost all websites are getting out of control and I no longer have the time and energy to do that. So Firefox+uBlock all the way

>But almost all websites are getting out of control

And they don't care if you're a paying user! I susbcribed to the NYT, paying them fair money every month for a couple of years now, just to be subjected to the same mess regardless. It's infuriating. Why should I even pay for the service when they still bombard me with ads and tracking?!

Yet that's just how all newspapers traditionally operate, you pay for delivery of their advertising platform.

I used to feel that way too, until I got redirected to scam "you won an ipad" sites from mainstream sites I respected. They served me a bad ad, so I blocked and never looked back. Who knows how many times they silently tried to serve me malware?

I use uBlock + privacy badger, so I whitelist some sites on uBlock. That way I will see those ads, but still block trackers

I use Firefox Focus. It's great for things like reading news articles because there no tabs. Just one page at a time. It has built-in tracker blocking but doesn't support extensions like ublock.

Normal Firefox for iOS with "Strict" setting enabled in the "Tracking Protection" section of Firefox's in-app settings menu reduces nytimes.com advertisements on the front page for me to basically 0. In my experience, it's just as good as Firefox Focus for blocking trackers and ads.

I use both on iOS. I generally open in Focus because it actually tends to be stricter. I find that if I open something in Focus I can, from there open in Firefox if blocking is too strict and sometimes it works. Another plus to using Focus, if a site is completely broken, I can just disable all blocking and not worry much about it because nothing gets persisted when I leave and blocking is automatically re-enabled the next time around.

Same workflow is pretty much possible without it, but it does make ephemeral browsing a bit easier.

I've been using Bromite on Android which is Chromium with ad blocking and Google services stripped out.

It's been flawless for me since I installed it. The maintainer is a user on here but I don't remember who.


Something like DNS66 is a good idea too:


AMP sucks, but it seems it might be a good idea for some of these request-heavy websites

You can make fast, light-weight websites without AMP. In fact, it's easier to make a fast, light-weight website than to make the modern request-heavy monstrosities you see today.

Just stop using 20 trackers and 10 ad networks, and stop loading so many parts of your page asynchronously. A news article should require zero JavaScript.

Of course you can

But tell that to the hundred-tracking-cookies-js-bloat website with the ridiculous "We care about your privacy" popup

If AMP cuts that crap from the website, I'll go to the AMP version, thank you.


To users, AMP is a godsend that greatly enhances the user experience.

I will happily use AMP pages. Web developers brought this on themselves with ridiculous amounts of JS code.

There are ways to incentivize sites to reduce bloat without asking them to use some Google-specific format.

HTML is really all you need to reduce requests though. You don’t need AMP. Obligatory motherfuckingwebsite.com and bestmotherfuckingwebsite.com links.

I prefer using a browser on Android that has integrated ad blocking with no extension needed. As with ad blocking extensions, browsing becomes lightening fast.

I like it the other way around.

Ublock origin uses public, transparent, editable block lists, I can not say the same about built-in ones and browser vendors could always have ulterior motives, be strongarmed into whitelisting exceptions and so on.

Regarding battery/bandwidth consumption on mobile, Brave is better even with Firefox + uBlock Origin combined.

[0]: https://brave.com/brave-saves-batteries/

[1] : https://brave.com/brave-one-dot-zero-performance-methodology...

Brave on android also broadcasts your phone model in the user agent, unlike FF. They've said they would fix this and then let the GitHub issue languish for at least a year at this point.


Even if that's true. Providing only sources from one of the competitors in question doesn't make your argument.

Ads have gotten to the point I'm once again getting the feeling I'm on IE with 80% of the page blocked by toolbars. But this time it's ads and video's blocking any content I want to consume.

Blockers are a valuable thing to simply be able to read or watch anything on most sites now a days. I also happily pay for proper media, but not when you complicate this by blocking parts of this action with ads to begin with.

The amount of tracking is mindboggling.

With advertisers switching to 1st party cookies it will get harder to avoid tracking, unfortunately.

I'm working on a browser extension called Baitblock: https://baitblock.app/

It also deals with 1st party cookie tracking. It clears cookie/storage on every page load as long as it detects that you're not logged in to the website (still buggy) using machine learning (NLP).

The next minor version (under development) will also allow you to block websites/domains from appearing from google search results, facebook feed, twitter feed and basically the entire internet.

It also blocks cookie/gdpr banners on websites.

(Signup on mobile does not work for now)

You can also add summaries/TL;DR for any link on the internet (right click) so others dont have to click.

For people that are fine with a manual whitelist there's also Cookie Autodelete: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete. It removes all cookies when you navigate away from a website after a (customizeable) grace period. Usually this works fine, you just need to be careful when you tell it to erase cookies when the domain changes (rather than when the tab closes), some 2-step sign in procedures need the cookies from the original webpage to work.

Which doesn't save you from banners stretching around 50% of a given site urging you to accept their cookie policy.

I want a browser that allows first-party cookies, but auto-expires them if I don't visit the domain for an hour. It should also only allow one level of requests (i.e. if a site requests a resource, that resource cannot request additional resources from other domains).

The latter part won't prevent bad behavior, but it will force that behavior to be proxied -- which carries technical, financial and legal implications that will cause companies to be more careful about their downstream redirects.

Looks great, will try on Firefox when ready!

PiHole and the browser-based blockers are working to apply filtering to CNAMEs.


The cat and mouse games will continue until legal action is taken. Before loading any tracking at all the user should be shown a Yes/no option.

That didn't work out so well for the EU's cookie law. We need a different solution I think.

Nah, we just need enforcement so people actually have a way to opt out rather than being fobbed off with dialogs like "apparently we have to display this annoying popup to tell you we are using cookies because this is how the internet works now. [whatever, just take me to the page]", or "more options" buttons that take you to a never-ending maze with no actual way to opt out.

Actually stamp down on the sites taking the piss. Without teeth, GDPR is useless, but so would any other toothless solution be.

Many sites actually do follow it properly, i.e. they have the popup tell you that tracking ads are all OFF and if you want you can ENABLE them to get more relevant ads, but you are free to just dismiss it.

Once one of the big players that don't do this and instead have it e.g. opt-out are actually fined, I suspect more sites will begin to behave correctly.

I think it worked wonders with GDPR which exposed all this pus. Unfortunately, there EU has been too slow acting on it. Only British Airways has been slapped with a significant fine so far.

Marriott were fined £99m in the same week as BA in the UK, and Google were fined €50m in France last year, both under GDPR.

Ah, I forgot about Marriott.

The problem with fines against Google (and Facebook, too) is that it's peanuts for them. They just factor this in the same category as "legal costs", and it never affects them even remotely.

GDPR opt out rate is well well under 1%.

Cause at this stage opting out included navigating many stages of dark pattern and deceptive pages, including semi hidden links and fake slow progress bars. Even on the biggest sites.

If, and I say If, these gangsters ever get hit with major fines, and we get the simple yes/no option that a few pages have, then it will be better.

Right now, the ad industry (or should i say Mafia) is trying to actively circumvent this legislation

What does that even mean? GDPR requires companies to request that people opt in to information gathering.

And in reality, as long as no fear-mongering fines are handed out, companies will try to bypass it.

There would be ways to get control over this, but law is slow.

I rarely see opt in GDPR popups, it's typically "accept tracking" or "more options...", the latter seemingly sending you down an infinite rabbit hole. Well, now that I think about it, this might count as opt in, but this is definitely a dark pattern.

This is supposedly not allowed under the GDPR, but we're going to have to wait a while before this is actually tried in court.

It's not, the consumer advocate in Norway has already released one report on the subject [1, PDF]

Pushing all this through the legal system will take some time but the watchdogs in different countries are not sitting idle.

[1] https://fil.forbrukerradet.no/wp-content/uploads/2018/06/201...

The other thing I often see is an "accept tracking" button, and a tiny "more options" link that just goes to a page explaining how to switch off cookies on your browser. I'm pretty sure that's not OK with GDPR as well.

IANAL, but this is not entirely true. Under GDPR data can be used by claiming "legitimate interest" [0]. In the case of legitimate interest, the user needs to opt-out rather than opt-in.

0: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

1% of 1 million is 10k people.

If legal action would be taken, shouldn't browser have the controls regarding tracking preference? Setting up each page (provided that 'No' would still load page in either full or stripped-down variant) on each devices owned and/or reapplying choices whenever browser cache is cleared would be frustrating.

Maybe DNT should return as respected feature within browser and user choice shouldn't affect the access to the content but only its form.

DNT is counterproductive from a technical perspective. The more bits of entropy you give trackers, the easier you are to track.

If DNT was legally binding, they wouldn't be allowed to use that additional bit of entropy.

But I would prefer a PTM (please track me) header with legally binding semantics.

Those who abuse it the most will just move to a jurisdiction where it is allowed. Or they'll do it anyway, since many of the worst threats on the internet are already criminal. On the internet, technical solutions > legal solutions.

There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.

Tracking only pays if you can track a huge number of people and sell ads to a huge number of advertisers. The profit per tracked user is too small to pay for running a criminal enterprise.

Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.

> There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.

True, most illicit ads tend to be non-targeted. But some criminals do things like blackmail, fraud, espionage, etc. using tracking data.

> Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.

That all depends on the specific business model, business partners, and their presence. Regardless, what I describe is not conjecture, many companies are shuffling around data to avoid GDPR rather than comply.


A different company without a physical presence or business partner in the jurisdiction in question, might have little to no incentive to follow the law.

In the end, even if companies are breaking the law, or even if they are fined, your data won't be protected unless they actually change their behavior as a result. Calculated non-compliance is a commonplace strategy for corporate legal compliance.

I don't dispute any of that. But what it means is merely that compliance will never be perfect. Companies will always test the limits of the law and look for loopholes.

Like with tax compliance, this will always be an arms race. But if the law raises the bar, they will jump a little bit higher on average.

It doesn't have to be perfect. Privacy is not black or white, and trackers themselves are anything but perfect.

I recently looked at the list of what Google thinks I'm interested in. It's funny. Supposedly, I have a particularly strong interest in vehicles and buying cars. In fact I don't even have a driving licence, never owned a car, never will.

The list goes on and on like that. They must have rolled the dice to come up with things like "Flowers" and "American Football". I feel my privacy is completely safe with these geniuses :)

For sure, mass marketers prefer quantity to quality. Google/Facebook are not doing anything particularly novel in the realm of what is possible, nothing more than is needed to get accurate enough across a large number of users.

It's the more targeted uses of fingerprinting and data collection that are scary. If you're a person with lots of money or influence, there's already someone out there who is specifically trying to collect data about you in particular. Those people and organizations are looking at the data in much more detail than mass marketers.

Exactly. That's how we ended up with the terrible cookie warnings. The funny thing is that GDPR has language about respecting the DNT but no one cares.

Is there a good example of a large company that blatantly ignores DNT? I'd guess its hard to know as a lot of the tracking could be server side only.

Actually from what I can see, checking US websites from Paris gives much less requests.

Compare the request map for CNN from

- Dulles, VA: 511 requests https://requestmap.herokuapp.com/render/200123_JH_ed7b9b27df...

- Paris, France: 77 requests https://requestmap.herokuapp.com/render/200123_87_39fdca38ac...

I don't know if it's for sure because of the cookies/gdpr law, but there is a clear difference, and that's a big win in my opinion.

One acronym: GDPR

It's also one of the reasons why people have become so acutely aware of the problem. When the umpteenth site asks you to consent to over 200 ad providers/trackers, there's clearly something wrong.

I'm very curious on how 1st party cookies will be used for tracking.

How can they connect one website's cookies to another's?

All I can think of is fingerprinting, but afaik you can't really be sure "who's that" since fingerprinting filters people out, and isn't good enough to target a single individual.

I guess they can improve it, but there are ways to work around it too, it will probably be easier to fix fingerprinting than blocking 3rd party cookies.

Its seems that if 1st party cookies were as good they would have switched to it by now.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact