I recommend using an ad-blocker while visiting that site :-/
Lately, I find myself using more and more plugins to make the "modern web" tolerable. To list a few:
Channel Blocker (lets me block channels from search results on Youtube);
uBlock Origin;
Disconnect;
F.B Purity;
Consent-O-Matic (auto fill cookie consent forms);
Kagi Search;
PopUpOFF;
Facebook Container;
Privacy Badger;
ClearURLs;
Return YouTube Dislike
Basically, if I visit a website and don't like the experience, I either never go back (Kagi lets me exclude it from search results) or find a plugin to make it tolerable.
What I really want now is the ability to exclude entire websites from any permissions I grant to plugins. I feel like in the last year, I've read a couple stories about companies buying successful plugins and then using them to track you or show ads or whatever. I'm worried this will be the next stage in the battle for our attention -- best case: companies will buy popular plugins to track us and show us intrusive ads; worst case: nefarious actors will buy them to scrape information we think is private and collect it.
IE: I just want to be able to say "Hey, Firefox... those permissions that I granted to plugins x, y, and z? They don't apply to www.myfavoritebank.example.com"
Is there a browser that has that feature yet? I spent a few hours trying to figure out if Firefox did. It did not appear to.
edit: Added semicolons to separate plugins in list b/c HN stripped the newlines from my comment.
> Consent-O-Matic (auto fill cookie consent forms)
This will modify the browser fingerprint making you more unique.
I would not install so many extensions as you're trusting a huge number of organizations/people with privileged access to your browser. Anything that modifies CSS or the Document Object Model (DOM) will make your browser stand out.
Trying to avoid tracking on the modern web is a losing battle for any but the most hyperparanoid, consistently careful, and technically astute individuals.
For everyone else: you're going to leak identity information one way or another, and it's going to get correlated. The more plugged-in and connected you are, the harder it is to remain anonymous.
If you really value your privacy, don't use the internet or any types of computers, including phones, and never go outside.
This comment is true on the facts, but militates for what I consider to be a poor conclusion. I know a lot of people who talk this way, and it's usually those who are best positioned to defend themselves from surveillance. This is annoying to me because giving up on surveillance defense doesn't really make sense in the long term for individuals, and we need technical experts in the resistance.
Try to remember that policy, law, and major social trends tend to have slower feedback loops than other machines. It's hard to know today where we will innovate that will ultimately make a contribution to societal progress, but I can tell you with pretty high certainty that giving up won't help change anything for the better.
Like the lady said, "We live in capitalism, its power seems inescapable--but then, so did the divine right of kings."
> If you really value your privacy, don't use the internet or any types of computers, including phones, and never go outside.
Or, perhaps, take a bit of a more nuanced view of things. Perfect privacy, exactly like perfect security, is and always has been an unattainable ideal. But less than perfection is still very useful.
Locking your front door won't stop someone with a battering ram, but you might want to do it anyway.
I use uBlock Origin's element picker and element blocker features to just make the popup notices disappear, without accepting them.
But that's mostly just a habit of mine that I know is pretty useless, as websites don't need cookies to track you, and I really don't know why they even bother anymore.
Try using the extension "I don't care about cookies"
It's excellent. I have needed to disable it occasionally to make basic site functionality work on some sites that I absolutely need to use, though I'm forgetting which ones.
Don't bother with this extension as it can't delete other storage locations where there is persistent storage. Also Firefox has TCP, Total Cookie Protection so you don't need them anyway.
I'm not sure if Cookie AutoDelete hides or auto-accepts cookie popups, but that was the main motivation for using "I don't care about cookies" -- I don't want to see all these ridiculous cookie notices on every site I visit.
I use Ad Nauseam instead of plain uBlock so that the data sent is just garbage. You would think something simple like clicking all the ads wouldn't work, but it works well enough that Google banned it from the Chrome store.
I totally forgot about Ad Nauseam! I used to use it instead of uBlock Origin (which, if I remember correctly, is what Ad Nauseam actually uses for its adblocking). Google banning it from their extensions marketplace only strengthened my loathing for Google and my resolve to use it. I don’t remember why I eventually stopped - probably the inconvenience. Now that I’m a Firefox user, I should pick that back up and give it a spin again. It was entertaining to see the visualization of all the ads it had clicked on.
I also used to use Chaff (https://chrome.google.com/webstore/detail/chaff/jgjhamliocfh...), which opens up a tab and browses on its own when the browser is idle and disappears when you start using it again. As with Ad Nauseam, the means of protecting privacy behind it is not anonymity, but rather obfuscation - muddifying your actual browsing behavior by flooding the data you leave behind with junk data (at which point it ceases to be data, I suppose). The problem with that extension was that I would sit back and wait for it to start browsing, and then I’d waste too much time watching it / customizing its behavior.
The book _Obfuscation: A User's Guide for Privacy and Protest_, written by the authors who developed Ad Nauseam and TrackMeNot, has a great chapter on chaff (the obfuscation tactic, not the Chaff extension mentioned above).
Don't do this, you're not making your browser any more private than just blocking using uBlock Origin.
Any kind of "obfuscation" extensions that change browsing behavior significantly modify the fingerprint. There are a lot of uBO and other adblocking users but very few Ad Nauseam users or users of other weird extensions.
I also wouldn't be surprised if there isn't a way to filter out those "clicks" anyway from the ad provider's side.
They are risky and mostly written by people who think they sound cool without thinking of the side effects.
Your consistent advice in your post history is don't ever use any extensions besides uBlock Origin because of fingerprinting and "privacy"
But what if I want to actually use the web instead of just blocking ads? Sponsorblock, TamperMonkey, 1Password, CamelCamelCamel, etc. are all useful extensions as well that make browsing the web specifically for me better.
There are so many fingerprinting techniques that it seems pointless to have a detrimental experience generally instead of using a sandboxed computer for specific dangerous activities.
I'll continue to use Ad Nauseam, despite your recommendations against it, because I'd rather have a known worthless profile than a worthless browser.
>I also wouldn't be surprised if there isn't a way to filter out those "clicks" anyway from the ad provider's side.
There's no evidence supporting this, but Google blocking it from the Chrome store is strong evidence that filtering out those clicks is actually difficult.
Edit: Also it's a moot point as extensions can't be used for fingerprinting if you just don't use Chrome https://github.com/z0ccc/extension-fingerprints#extension-fi... . I assume any activity I do in Chrome is sent back to Google (or Microsoft or Brave) regardless of plugins installed.
Yeah, the permission model in browser plugins is all kinds of messed up.
In absolutely no way is it the plugin's decision where it should be allowed to run. It's great if it self-restricts and we should encourage that, but it's absurd in the extreme that any version of plugin support ever shipped without a way for users to override and restrict them further. Trusting the author of a thing to do what they claim to do is literal security insanity, and it always has been.
Chrome is slightly improving here, with click-to-activate extensions, but it's still pretty far from just giving me a frickin list field.
For anyone curious as to how I solve the problem right now, I just have two separate Firefox profiles. One has a ton of plugins; I use it to browse the web. The other has no plugins; I use it to visit my bank's website.
That's a good question. I don't know -- I never considered private browsing. If I close a private browsing session, are all traces (ie: cookies, history, etc.) of it erased? If so, I don't think that's what I want. I'm okay with my bank (and websites I trust) setting cookies, for example.
Sure, but my bank (like most other highly trusted sites) doesn’t set any useful cookies anyway. I think there is an option to autofill my username, but why bother if my password manager does that anyway?
I do the same, but because I think it’s important to see what the average user will when using the web. Especially if you’re working professionally with the web in any way.
Browser plugins generally have privileged access to data exchanges between user and remote server. So, they could potentially spy on you and scrape your secrets.
> IE: I just want to be able to say "Hey, Firefox... those permissions that I granted to plugins x, y, and z? They don't apply to www.myfavoritebank.example.com"
> Is there a browser that has that feature yet? I spent a few hours trying to figure out if Firefox did. It did not appear to.
Safari has the ability to enable/disable extension on a per-site basis... Even on a "ask every time" basis. Thankfully the ask shows up as a lock badge on the extension's icon rather than a popup.
>Lately, I find myself using more and more plugins to make the "modern web" tolerable.
Once upon a time, we used programs to guard against malware. AdAware, ccleaner, a whole bunch of them. I feel so old calling them "programs" here, instead of apps or extensions.
> Basically, if I visit a website and don't like the experience, I either never go back (Kagi lets me exclude it from search results) or find a plugin to make it tolerable.
If you like a site to go back to it repeatedly don't you think it would be fair to "pay the fee" of seeing the ads, thus supporting that site, however annoying they are?
I agree. If you want the benefits of hypertext and http as a medium then the downside is user agents can modify what you send and render as they see fit.
It's not really about seeing ads. It's getting tracked every inch of the way, being sorted into unknowable categories and actively being served malware that makes me use an adblocker.
Classic TV made do without "personalized" ads, why should this not be enough to compensate for presenting and maintaining a website?
> If you like a site to go back to it repeatedly don't you think it would be fair to "pay the fee" of seeing the ads, thus supporting that site...
I struggle with this. Of course I want the producers of content that I like to make money. And it seems obvious to me that if I'm one of the people consuming (and liking) that content... some of that money I want them to make should come from me.
But the pipeline that the "modern web" provides to complete that transaction is openly hostile towards me. It makes content creators that I want to support participants in a giant machine designed to build a dossier on me (and every other user of the "modern web"). It also encourages VERY LARGE numbers of content creators I do not want to support -- those whose primary goal is to be participant in that machine; who only produce content because the machine requires it.
I would argue that this machine has never built this dossier with my "informed" consent (but lawyers could make the case that it has). But now, the machine builds it without even bothering to get my "uninformed" consent. For example: Facebook is known to build profiles on people that don't have Facebook accounts -- ie: people that could never have agreed to their TOS.
The top priority of this giant machine is putting ads in front of my face. Helping me discover content that I want to consume is only a secondary priority.
And there is a GOOD reason for why this machine evolved: people don't want to pay money _directly_ to content creators, so a way evolved for them to receive compensation _indirectly_. So yes, this is -- at least in part -- my (our) fault.
But I really feel like things have shifted to the point where the large majority of compensation that content creators receive is a function of their value to that machine... not a function of the value they create for the people who consume their content.
This is all a very long way of saying: I don't believe the value of a content creator _to me_ should be calculated based on their value _to this machine_.
I don't know what the solution is. Find a way to accurately assess the value _to me_, not _to the machine_ -- and then provide a way for me to pay the content creator directly. If I like the content enough -- and IF I'm not shown ads or tracked once I'm a paying customer -- I will pay. This is how newspapers worked for... centuries? (Save that newspapers did show ads, though they did not track you).
The problem is... I think that being part of the machine is more lucrative than selling content directly to consumers. And the hostility of this machine towards me has turned this into a fight. Of course I'm going to fight back.
> ...however annoying they are?
This is where you start to lose me. I don't think "annoying" captures just how "hostile" this machine has become.
I'm old enough to remember switching from Yahoo Search to Google Search -- NOT because the results were better, but because Google's ads were less intrusive. I never blocked those ads. I even clicked a few...
I know of only one website that does ads right: the Penny Arcade web comic. I admit I haven't gone there in years, but when I did, their ads were always products they approved of (usually computer games), in the style of the web comic, in a way that fits the site, and made by them, so no malware. This makes it less intrusive, but also a powerful stamp of approval, that I suspect makes it far more effective as an ad. This is better for legitimate advertisers and visitors, although it does mean extra work for the site, of course.
> Channel Blocker (lets me block channels from search results on Youtube)...
I wish this were possible for the phone app. Every now and then I am recommended a video from one YouTuber in particular that I can't stand. Is there an app for that? I don't think you can block within YouTube, which would be great.
You can select "Do not recommend this channel" as one of the options when you see content you don't want to surface anymore. It's not as good as a block, but it does help remove some clickbait algo trash from your feed.
I don't think so (I looked). Best I could find was some articles online claiming you can add "-unwantedChannel '...'" to your YouTube search to exclude individual channels. I didn't even test it because it would be WAY too cumbersome. Maybe that's all Channel Blocker does under the covers -- add a bunch of those switches to my search.
What frustrates me the most is that this is one place where mine and Google's interests actually align! Let me help train them to not show me crap I don't want to see... then I'll use their products (YouTube and Search) more and give them more opportunities to show me ads! (Well, theoretically -- I block as many ads as I can right now).
That was one of the big reasons I looked for an alternative to Google search. IIRC, you used to be able to exclude results from Google search. In order to do so, you HAD TO LOGIN TO GOOGLE (another huge win for Google!). Now I use Kagi -- primarily because they allow me to exclude sites from their search results.
They really don’t. Some YouTube videos (and channels) are way more profitable for Google than others, on a CPM basis. I think there are even some videos that are just plain money losers (long videos that aren’t packed with mid rolls).
Google wants to steer you towards the most profitable videos and away from the unprofitable ones. They don’t care about your interests. They’d rather trick you into watching videos you don’t like and that get you angry (but keep you engaged) than to watch videos you’re really interested in but are too long and niche and unprofitable.
Doesn't help for searching for new stuff, but you can subscribe to channels using rss feeds. From my experience, it helps avoid getting sucked down the YouTube rabbit hole
You can almost certainly be uniquely identified from the combination of feeds your RSS reader polls regularly, combined with your location, if the feeds alone are not enough.
The more feeds you subscribe to, the more unique your fingerprint.
I currently use an add-on to block search engine results (Highlight or Hide Search Engine Results[1]) so Kagi sounded interesting, but the free tier having a limit of 50 searches puts it out of the realm of even giving it a trial period for me.
I really like the idea about a sort of global blacklist for your permissions.
Heh, you got me. A password manager is the ONE plugin I have installed in my profile that I use to access my banks.
Simply put, I trust the password manager. Recently, however, I have considered uninstalling that plugin and using only the desktop version of the password manager -- and then copy/pasting username/pw from the password manager to websites.
One reason I don't do that, though... is because having the password manager as a browser plugin guarantees (?) that the password it presents to me is for the site I am visiting. If I end up on a website with an IDN that was chosen very carefully to look like my bank's domain, my password manager plugin won't present me with a password -- which will trigger my paranoia.
If you can't tell, I wrestle with this decision pretty regularly...
Use the built-in browser password manager. It is safe and it only auto fills for the correct URL… exactly what you mentioned. You should be able to export from your current PW manager and import into the browser’s. Then turn on browser sync to make sure those passwords are available on all browser instances.
In Firefox you can change the "network.IDN_show_punycode" value to true, and you will no longer see lookalike IDN domains. It's a good point about using a browser password manager though, since they won't function on a lookalike domain and that should force you to stop and reassess, at which time you (hopefully) notice the scam.
I use banking and other sensitive sites in a separate browser profile with no extensions installed. On Mac, that would be something like "open -a "Google Chrome" --args --profile-directory=secure" and on Linux "google-chrome --profile-directory=secure".
For the rest of the web in my Default browser profile, I do have ad-blocker extensions installed (uBlock Origin, some Violentmonkey scripts), but they're not linked to the Chrome store. I prefer loading them as unpacked extensions and updating them once in a while manually. Mainly in case some malicious actor takes control of these extensions and pushes an update that does something wild.
Not OP. My solution is to use a different browser in private browsing mode. Both Windows and macOS now come with a default browser pre-installed. I use that for any financial transactions - banking, paying bills, shopping etc. I totally avoid password managers. Using phrases is a simple way to create strong and easy to remember passwords. Eg. "This is a Good Password for #2013!".
I also like Awesome RSS to bring back Firefox's RSS feed finder, Old Reddit Redirect (brings back old reddit), Search By Image, Theater Mode For Youtube, User-Agent Switcher, Youtube-shorts Blocker (you can still view them, but the layout is the same as a normal video), View Image Context Menu, Smart Referer (adds a bit of privacy).
I use most of what you are using, but with temporary containers on Firefox, meaning that all the cookies from random sites are not persistent, so I don't need to worry too much about unwanted tracking. When I do want to let a website keep cookies, I just assign it to a specific container. There is also SponsorBlock to save time on YouTube and Libredirect to use privacy respecting frontends.
Slightly off topic but I've been wishing Youtube would add something like Channel Blocker forever, thank you for mentioning it. Do you use anything that lets you improve Youtube recommendations? They've become almost completely useless for finding new content, only showing videos I've seen and/or videos from channels I already follow.
A lot of your privacy related extensions are obsoleted by features in uBlock Origin.
Consent-O-Matic: use annoyances filter list
PopUpOFF: sounds useless, use filter list
Privacy Badger: sounds useless, use filter list
ClearURLs: use url cleaning filter list
uBlock Origin URL filter lists don't work the same as ClearURLs.
Privacy Badger is an extension by the EFF. It blocks cookies, that's it.
The other one I don't know, but you should stop being condescending when teaching people about things you don't know about. Using uBlock Origin only might be a good option for some cases, but it's not a silver bullet.
For reference, ClearURLs can bypass redirects, has etags protection, both features which uBlock origin does not have (or at least didn't have last time I checked).
Privacy Badger removes outgoing link tracking by Facebook and Google, has custom well-tested lists to block cookies or blocking third-party without blocking them entirely when necessary/useful. It also has quite a few smart learning features (not the ones Google tells are "fingerprinting" you) such as blocking canvas-based fingerprinting on the go.
uBlock Origin is awesome. The default blocking lists are great. The other ones provided with the extension are even better. But it's not a magic silver bullet. What you're going to use really depends on what you want out of your browsing experience, what your threat model is, etc.
Original commenter is right about the feature obsolescence and didn't seem condescending to me. Just more or less critical of the general idea, as one doesn't really need so many extensions for privacy, which most of the list appeared to be tackling.
That said, URL filtering isn't necessarily effective at keeping your behavior private either. There's an argument to be made about ClearURLs and URL filtering in general being counter intuitive, as you might stick out among a sea of other users with marketing params in their URLs.
Still wishing for a Tor-like solution to anonymizing all users on a browser configuration level.
> Original commenter is right about the feature obsolescence and didn't seem condescending to me
Maybe it wasn't, intention and tone are really hard to get through text, that's just how it felt to me when I read it.
> That said, URL filtering isn't necessarily effective at keeping your behavior private either. There's an argument to be made about ClearURLs and URL filtering in general being counter intuitive, as you might stick out among a sea of other users with marketing params in their URLs.
I'm personally kind of torn on this kind of thing, because fingerprinting is the default in the www since you expose your IP to every server you connect to. I personally believe it's worth trying to reclaim the privacy even if it could expose you to even more advanced tracking techniques. Also things like removing google analytics tags and removing the "google.com" of urls in google searches is probably really effective. (You'll notice that Google only adds this redirect mechanism if you have JavaScript disabled, probably because they don't need that if you're running JavaScript anyways.)
> Still wishing for a Tor-like solution to anonymizing all users on a browser configuration level.
One can wish. I'm very pessimistic about Tor and i2p though, the market incentives to block these networks are just too great to ignore for most businesses. Ultimately though I believe the problem is that privacy is not a computer problem but a human one.
Thanks for the tips. I will check out the filter lists you mention.
You might be wrong about PopUpOFF, though. I started using it as a solution to websites that pop-up an overlay asking me to subscribe to their newsletter when I mouse-out of the window. It is fantastic at putting an end to that.
Here are a few things I do to combat nasty websites:
- blacklist entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing my browser from using DoH -- I can still then use DoH if I want, from unbound)
- reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules
- (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.
I do not care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).
EDIT: just to be clear, having seen the comments I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day to day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent me from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks. Your mileage may vary, and if you live in a country where it's normal to go on websites with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.
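The "xn--" check described in the comment above, as an added example that is not code from the thread: it parses the question name of a DNS query rather than string-matching the raw packet, because DNS names are case-insensitive and "xn--" only marks an IDN A-label when it starts a label. The function names are hypothetical and the sample queries are constructed.

```python
import struct


def build_query(name, txid=0x1234):
    """Build a minimal DNS query for `name` (constructed sample input)."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label for label in name.encode("ascii").split(b".")
    ) + b"\x00"
    # QTYPE=A (1), QCLASS=IN (1)
    return header + qname + struct.pack("!HH", 1, 1)


def question_labels(packet):
    """Return the labels of the first question name in a DNS query payload."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not expected in a query's question.
            raise ValueError("unexpected compression pointer")
        pos += 1
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        pos += length
    return labels


def is_idn_query(packet):
    """True if any label of the queried name is an A-label (xn-- prefix)."""
    return any(label[:4].lower() == b"xn--" for label in question_labels(packet))


def naive_match(packet):
    """The raw substring search, case-sensitive and position-blind."""
    return b"xn--" in packet


if __name__ == "__main__":
    # Constructed names: a plain name, an A-label, the same A-label in
    # upper case, and an ordinary label that merely contains "xn--".
    for name in ("www.example.com", "xn--bcher-kva.example",
                 "www.XN--bcher-kva.example", "boxn--test.example"):
        pkt = build_query(name)
        print(f"{name:28} parsed={is_idn_query(pkt)!s:5} naive={naive_match(pkt)}")
```

Either form only sees plain DNS on port 53; names resolved over DoT or DoH never reach it.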
While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem, as ultimately all you can really do is use domain blacklists at your firewall. It's no longer as straightforward as just controlling port 53 traffic, not like you can realistically shut down 443... Blocking DoH is largely whack-a-mole and I think is only going to get worse as this and similar techniques spread. There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules; the same doesn't work for DoH. A DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.
This is exactly why DoH is a trojan horse. You can't control it as a network administrator, all it takes is a piece of software to simply remove the controls for users to configure their own DoH and bam, end user has little to no control over how their applications perform name resolution.
Little pro-tip for anyone who tries to run their own private DoH infrastructure too, Firefox doesn't like RFC1918 addresses for the DoH resolver. Set `network.trr.allow-rfc1918=true` if you run DoH on a private IP.
> It's only true when all of the computers on it are too.
I was unclear. This is exactly the case I'm talking about. The network, and all of the devices on the network, are mine.
> What? No it doesn't.
It does. It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.
> You're not supposed to be able to have control over what tools other people use on their own computers.
Again, I'm talking about having control over my own machines, not anyone else's.
> It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.
If that makes DoH bad, then privacy is bad too since it makes it easier for terrorists and pedophiles to evade the law.
On my network, running my machines, these privacy mechanisms really are bad. Having them doesn't give me any privacy (the entire system is my private system to begin with -- who am I being private from?).
The only privacy they are affording is specifically to entities that I don't want operating on my machines to begin with, who are mostly interested in violating my privacy.
So this privacy mechanism, in this use case, really is bad because it reduces my privacy.
Yes you can. Do what corporate firewalls do. MITM all TLS connections with your own personal CA. Don't allow any traffic streams that you can't MITM to leave your network.
You can't control it as a malicious censor who's trying to control what Web sites other people's computers can access just because they're on your Wi-Fi. You can absolutely control it on computers that are actually yours.
For now. I would point out that the browser with the largest market share by a considerable margin is created and developed by a company that makes most of its money by selling ads, and that choosing your own DNS server with the capability of blocking those ads is a direct threat to that revenue model.
They will tell you it is to defeat censorship though and to improve network resilience, because they are deeply committed to having the image of being a champion of internet freedom.
They don't need DoH to stop you from being able to block ads at the network level. For a while, a lot of sites have been proxying their ads through their own domains to do that.
And besides, every browser that supports DoH also lets you pick what server to use, and adblocking DoH servers exist.
1. couldn’t you “just” (yea yea I know) install a cert on all your devices and force all 443 traffic though a proxy (like some corporate networks do)?
2. (Something I’ve been meaning to get around to trying for a while) default-block outgoing connections unless the external host was recently resolved for the corresponding internal host via your internal resolver? That seems like it would kill anything that tries to avoid your ad-blocking resolver. It seems like that might block hard-coded addresses too, but that could be a good thing.
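Idea 2 above, modelled as an added example (not code from the thread): new outbound connections are allowed only to addresses the internal resolver recently returned to that same client. The class name, the 30-second grace floor, the always-allowed resolver address and the event log are all constructed assumptions.

```python
class DnsGatedEgress:
    """Decide on new outbound connections from what the resolver answered."""

    def __init__(self, grace=30, always_allow=()):
        # grace: minimum lifetime (seconds) of an entry, so very short TTLs
        # do not expire before the client has had time to connect (assumption).
        self.grace = grace
        # (dst_ip, dst_port) pairs exempt from the check, e.g. the resolver.
        self.always_allow = set(always_allow)
        self._seen = {}  # (client_ip, dst_ip) -> expiry timestamp

    def record_answer(self, client, dst_ip, ttl, now):
        """Called for every address the internal resolver returns to a client."""
        key = (client, dst_ip)
        expiry = now + max(ttl, self.grace)
        self._seen[key] = max(self._seen.get(key, 0), expiry)

    def allow(self, client, dst_ip, dst_port, now):
        """Decision for a NEW connection; established flows are not re-checked."""
        if (dst_ip, dst_port) in self.always_allow:
            return True
        key = (client, dst_ip)
        expiry = self._seen.get(key)
        if expiry is None:
            return False  # never resolved for this client: hard-coded address
        if now > expiry:
            del self._seen[key]
            return False  # resolved once, but no longer "recent"
        return True


# Constructed event log: (kind, time, client, address, ttl-or-port).
SAMPLE_EVENTS = [
    ("answer", 0, "10.0.0.5", "198.51.100.10", 300),   # normal lookup
    ("connect", 5, "10.0.0.5", "198.51.100.10", 443),  # follows the lookup
    ("connect", 6, "10.0.0.5", "203.0.113.7", 443),    # hard-coded DoH address
    ("connect", 7, "10.0.0.6", "198.51.100.10", 443),  # other client, no lookup
    ("connect", 8, "10.0.0.5", "192.0.2.53", 53),      # the resolver itself
    ("connect", 400, "10.0.0.5", "198.51.100.10", 443),  # entry has expired
    ("answer", 410, "10.0.0.5", "203.0.113.7", 60),    # DoH host looked up by name
    ("connect", 415, "10.0.0.5", "203.0.113.7", 443),  # ...so it now passes
]


def replay(events, policy=None):
    """Feed an event log through the policy; return the connect decisions."""
    policy = policy or DnsGatedEgress(always_allow={("192.0.2.53", 53)})
    decisions = []
    for kind, now, client, addr, value in events:
        if kind == "answer":
            policy.record_answer(client, addr, value, now)
        else:
            decisions.append(policy.allow(client, addr, value, now))
    return decisions


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The last decision shows the limit of the approach: a DoH endpoint that is looked up by name through the internal resolver is allowed, so the resolver's own blocklist still has to cover known DoH hostnames.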
That's insufficient. There's nothing stopping a web site (or ad on a website) from forming its own DoH request that bypasses the browser and the port. It can be done entirely within the HTTPS stream.
If you're monitoring the HTTPS stream, you'll see it. The point of the proxy is exactly to inspect the content of HTTPS requests (that's why you need to install your own certificate).
The biggest problem with 1) is that you lose the ability for your browser to perform checks on the certificate. If the certificate fails, the only option is to deny the connection. (Or fake it and return an error page but that can have unintended consequences.)
And with 2), that would work, though you'd probably want to whitelist port 53 so that you can resolve names in the first place. Sounds like it should be effective, though.
A successful mitm with an injected trusted cert should appear 100% valid to the browser. That's the point. According to your device setup the connection has not been tampered because you as the device owner allowed a new root cert to be trusted.
The rest is just fear mongering, I'm sorry, not sure how to phrase that more elegantly or politely. I'm not an uber smart domain expert wrt certs, but we shouldn't have to be to know that valid device MITM with certs is a normal use case. And it shouldn't be used as a boogeyman on layman users.
Those checks are then performed on the MITM device. Instead of an error page the device could return the same sort of page that your browser would otherwise display for you. The connection has been MITM'd after all.
Maybe this is so but I have yet to see it. AFAIK all the DoT/DoH are on known dedicated IP addresses. I know they don't have to be. They could be on generic Akamai/CF/BunnyCDN/etc... end points but I have yet to come across one utilized in the wild. Have you found any? What are their IP addresses? I would like to add them to my DNS timing/monitoring scripts.
I null route about 24 DoT/DoH IP addresses and my one smartphone seemed to figure out automagically that my router was serving up DoT on 853. I can tell if something is bypassing Unbound because there are things I know should not resolve correctly.
I confine everything on my network and if anything is able to resolve any one of the sanctioned countries or if the domains I override resolve to their correct address I will see it. I can only think of one opaque device I have that could even try to do that but I know it doesn't because I have to unblock .cn to get vehicle updates for it. I should add that I do not let random IoT's onto my network and that vehicle diagnostic tool from China is only on my network about once per year for a few minutes. I should also add that I have fascist firewall rules for anything I do not trust and all new SYN packets are logged. DoT and DoH use TCP.
Funny you should mention that. I have a few Squid-SSL-Bump proxies that I use for a few devices. For several years I even used that to visit HN and to my surprise was rarely rate limited or blocked when accessing from a VPS. With Squid I can also make decisions on content types, file sizes and more. There are only a handful of sites it doesn't work with because they for whatever reason are still using public key pinning. A few google sub-domains, eff.org, paypal but interestingly no banks.
This only works with devices that I can install my own CA key onto. I have not figured out how to do that with the vehicle diagnostic tool.
> This only works with devices that I can install my own CA key onto
Yes, that's why I don't use any commercial IoT devices. I have no actual control over them. Before I shed the few I did have, I kept them segregated on their own subnet so that at least their presence didn't have to impact anything else.
> While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem
Oh I know but so far you can still ask both Firefox and Chromium to not use DoH and hence force them to use port 53 and from what I've seen they really honor that. For the moment.
I don't doubt that in a not so distant future we may see companies hardcoding DoH into apps without any possibility of removing that setting!
What I do is no panacea but it gets rid of a lot of things.
> There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
But I whitelist apps that can connect to the net. Browsers, apt (for Debian/Devuan package update), the one that update the NTP/time, SSH out and that's basically it.
I know it's a game of whack-a-mole, but I'm still playing it : )
It can be more of an issue if you have a lot of "smart" products or IoT products that essentially operate as black boxes on your network though. Would just recommend not doing that, if you have devices on your network that you don't control, someone else does.
That only affects things that use the browser's facilities to engage in DoH. A web page could decide not to do that, and manufacture their own lookups using JS, for instance.
Oh? I thought I answered it. What are you really asking for here? A tutorial?
If that's what you want, you need to give me time to put it together. I set this up a number of years ago and don't remember the details off the top of my head.
Here's what I do remember: I use a squid proxy and replace all of the HTTPS certs on my other machines with my own. When HTTPS is negotiated, it's with my proxy, not the end destination.
Then the proxy does its proxy thing and sets up a normal HTTPS connection with the destination.
In my proxy, I have a script that is looking for the HTTP lookup exchanges detailed in RFC8484 (https://www.rfc-editor.org/rfc/rfc8484). When it finds them, it drops them on the floor. Everything else just gets passed through.
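What a check for RFC 8484 exchanges can look like once the proxy has the decrypted request, as an added example (not the commenter's script). The function names and the sample requests are constructed; the `dns` query value is the www.example.com sample from RFC 8484 itself.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # media type registered by RFC 8484
# RFC 8484's sample GET value: an A query for www.example.com, base64url, unpadded.
RFC_SAMPLE = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"


def b64url_decode(value):
    """Decode base64url after restoring the padding RFC 8484 strips."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def looks_like_dns_query(msg):
    """Sanity-check the 12-byte DNS header: a standard query with one question."""
    if len(msg) < 17:  # header + root label + QTYPE + QCLASS
        return False
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    is_query = (flags & 0x8000) == 0
    opcode = (flags >> 11) & 0xF
    return is_query and opcode == 0 and qdcount == 1 and ancount == 0


def doh_indicators(method, url, headers, body=b""):
    """Return the RFC 8484 markers present in one decrypted HTTP request."""
    hdr = {k.lower(): v.lower() for k, v in headers.items()}
    found = []
    if DOH_MEDIA_TYPE in hdr.get("accept", ""):
        found.append("accept")
    ctype = hdr.get("content-type", "").split(";")[0].strip()
    if method == "POST" and ctype == DOH_MEDIA_TYPE:
        found.append("content-type")
        if looks_like_dns_query(body):
            found.append("post-body")
    if method == "GET":
        for value in parse_qs(urlsplit(url).query).get("dns", []):
            try:
                raw = b64url_decode(value)
            except ValueError:  # not valid base64url, so not a DoH GET
                continue
            if looks_like_dns_query(raw):
                found.append("get-param")
    return found


def verdict(method, url, headers, body=b""):
    """Drop the request if any RFC 8484 marker is present, otherwise pass it."""
    return "drop" if doh_indicators(method, url, headers, body) else "pass"


# Constructed requests as the proxy would see them after TLS interception.
SAMPLE_REQUESTS = [
    ("GET", "https://doh.example/dns-query?dns=" + RFC_SAMPLE,
     {"Accept": "application/dns-message"}, b""),
    ("POST", "https://doh.example/dns-query",
     {"Content-Type": "application/dns-message"}, b64url_decode(RFC_SAMPLE)),
    ("GET", "https://shop.example/settings?dns=on", {"Accept": "text/html"}, b""),
    ("POST", "https://api.example/v1/items",
     {"Content-Type": "application/json"}, b'{"q": "www.example.com"}'),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1][:50], verdict(*req), doh_indicators(*req))
```

This matches only the RFC 8484 wire format and media type. A lookup API with its own message format carries none of these markers, so it produces no indicators here.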
While these are two common standards, you can easily implement DoH almost any way you want if you are building a service or device. It's just replying to a request for a hostname record over HTTPS fundamentally - it can be as simple as an extra REST API you run. The number of "protocols" here is effectively limitless. I can't stress enough how simple it can be - check the specs you linked, the example HTTP request/response for the DNS over HTTP3 example is really basic - you could build your own in less than an hour if you really wanted and understand how traditional DNS works.
There is no such thing as right or wrong way to do DoH so long as the DNS messages are passing over HTTPS - the standards are largely to help make it easier to deploy and avoid common pitfalls of course (simpler to integrate to browsers and other software "for free" if the message response body format is standardised), but devices, apps and even javascript in the browser are free to solve this any way they want, with whatever kind of message payload they can dream up.
DoH is just an HTTP request over SSL in most implementations, nothing more, with the record usually in the payload body in a JSON message or similar.
There's nothing stopping you just making your own REST API and responding over HTTPS that returns hostname records for any service you build or run - it doesn't even need to use an existing DoH standard. These are exactly the sort of tricks stuff like IoT devices are already using to ensure they can phone home regardless of your network's DNS settings.
DoH is literally just "DNS over HTTPS" (hence the TCP a lot of the time) and you can build this a ton of different ways, including as a basic RESTful API. Local javascript on the page could literally just call any old HTTPS web API to get hostnames resolved, and thanks to HTTPS is much harder to detect, inspect and interfere with than traditional DNS. Fundamentally, a DNS request is a really basic API to implement.
This is why DoH is so hard to conclusively block - it's by design to look like "normal" web traffic so bad actors are prevented from manipulating your DNS responses, and the implementation can be done pretty much any way you want - there are a million different ways to pass a message over HTTPS, and to a firewall they all look like the exact same normal HTTPS traffic if you don't explicitly block the IP or domain serving the DoH.
I venture onto the Asian and Russian parts of the Internet semi-regularly, and in all these years I have seen perhaps one or two sites with IDN that were actually useful to me.
Mainly homoglyphs. Characters that LOOK like Latin characters but aren't. Scammers register domains to make it look like at a glance you're visiting a reputable site.
It's why many browsers started defaulting to showing "xn--<whatever>" (punycode representation of IDN characters).
It sucks for domains that are emoji but whatevs. Scammers ruining things for everyone, as usual.
International domain name - blocking them prevents look alike URLs from working. But also, IMO, this is bad advice for anyone who uses not English as a language...
If there's any non-English-speaking culture that embraced IDNs, I'd love to hear it. E.g. in my experience as a Russian speaker, Cyrillic very rarely shows up in domain names for legitimate websites, and correlates strongly with malware.
> (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.
I couldn't see how to do this in Windows Firewall. Which OS/firewall/rule are you using?
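The check behind the quoted rule, shown as an added example in Python rather than as a rule for any particular firewall (it is not the original commenter's rule). It reads the question name from a plain DNS-over-UDP payload and flags labels that start with the `xn--` prefix; the function names and sample names are constructed.

```python
import struct


def build_query(wire_name):
    """Build a minimal A query for an already-ASCII (wire form) name. Test helper."""
    qname = b"".join(bytes([len(l)]) + l for l in wire_name.split(b".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!2H", 1, 1)


def question_labels(payload):
    """Return the labels of the first question in a DNS message."""
    if len(payload) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:          # root label ends the name
            return labels
        if length & 0xC0:        # compression pointers do not belong in a question
            raise ValueError("unexpected compression pointer")
        label = payload[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        pos += 1 + length


def idn_labels(payload):
    """Labels carrying the IDNA ACE prefix. DNS names are case-insensitive,
    so the prefix is compared case-insensitively."""
    return [l for l in question_labels(payload) if l[:4].lower() == b"xn--"]


def verdict(payload):
    """'drop-idn' for an IDN question, 'drop-malformed' if unparseable, else 'pass'."""
    try:
        hits = idn_labels(payload)
    except ValueError:
        return "drop-malformed"
    return "drop-idn" if hits else "pass"


# Constructed samples. The first name is a Cyrillic label under .example,
# converted to its xn-- form by Python's built-in IDNA codec.
IDN_NAME = "\u043f\u0440\u0438\u043c\u0435\u0440.example".encode("idna")
SAMPLES = {
    "idn": build_query(IDN_NAME),
    "idn-uppercase": build_query(IDN_NAME.upper()),
    "plain": build_query(b"www.example.com"),
    "garbage": b"\x00" * 5,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, verdict(payload))
```

Only lookups sent in the clear on port 53 are visible to a check like this.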
I don't do any of that stuff and don't think I am running into nasty websites. What is it supposed to do?
I do uBlock origin with pretty standard lists and have a list of allowed persistent cookies. Are the uBlock lists doing all that work in the background?
I'm not even a native english speaker and my native language does have accentuated characters so there's that...
I don't like to have to set rules in browsers: I'll do it when mandatory but I prefer things that the browser won't change during its next update and, also, I use several browsers.
I personally use Timescale magicDNS on all my devices, with pihole DNS running on a home server. The magicDNS can make my home server the 1st responder for DNS queries and it'll block a lot of ad domains.
DoH was designed to prevent the network operators from interfering with or snooping on DNS. The stated purpose was to prevent your carrier or country from seeing which domains you access, and/or blocking you from accessing them. However, it also prevents devices like piHole from passively blocking ad requests as easily.
Or, in other words, FBI now recommends using Android :-) It's baffling how much better uBlock Origin + Firefox experience on Android is compared to any iOS ad blocker I have tried. They kind-of work but let half of the ads through.
I develop a popular iOS and macOS ad blocker that blocks almost all ads[1] including all YouTube ads.
Will be interested to hear if you've tried it out and what may have been missing?
The only things we don't block at the moment are some non-English content and Adult sites. With a small team these haven't been the primary focus for the time being. Other than those though we should stop pretty much everything else.
The app works well enough but I deleted it. After setting it all up there’s no mention that it will work without the subscription. There’s no mode to say “continue without the subscription using the free services” just a very large button and a description of the price to subscribe. That’s hella sus. Also the very first screen doesn’t let you opt out of notifications or skip it with “setup later” etc etc — these customer / user hostile patterns had me so jaded I deleted the app and won’t go back.
Appreciate the feedback. We'll take it on board for improvements in the future.
We recently moved to a paid app model with a 30-day free trial available (from a freemium app model).
Understand that this is not as appealing as a free-forever product. We found that we had hundreds of thousands of free users and not enough paid users. After developing the app for many years under this model, we had to make some changes so that we could continue to fund the ongoing app development and updates.
The notification prompt can also be declined in the alert that appears; though we could make this more obvious with a clear 'Skip' button.
Understandable, but if I’m getting ads because I’m not subscribed to things, I don’t want to subscribe to avoid those ads. I would likely pay a one time fee, but not yet another subscription.
I know you have your reasonings, but I’ll give you my raw unfiltered train of thought of why I wouldn’t sign up in case it helps you in your business:
“It’s only 30 bucks a year” say 100 other apps. I get it, you’re trying to make money, but there are many other ways of doing this for free. You’re not offering that much product to me that’s worth a subscription. Netflix? I actively use it every night. Spotify? Several hours a day. Blocking ads? Maybe a one time fee.
Other than paying yourselves which makes 100% sense what if any serverside or other costs does this app/plug-in incur if the filtering is being done from within safari?
While Chrome uses the same rendering and JS engines as Safari under the hood, it doesn't share all features (like the extensions API). I think only DNS-based ad blockers work for both and content API-based ad blockers like Magic Lasso don't.
Hey thanks for Magic Lasso. I've had it installed for years. Only after starting my app library from fresh did I realize how much I missed it (and it took me quite a while to figure out and remember that it was magiclasso doing the heavy lifting - easy to install and forget!)
Right, Android trades ads for system wide tracking and that's rotten for the user. Moreover, Android's tracking mechanism is brilliantly effective—one has to admire Google's ingenuity for its receiver/signalling system. It's so integral to Android that one can view the O/S as built around it rather than it as an addition/add-on to the O/S. Essentially, Android is an O/S built around an ingenious spying system.
It's just not possible to use an Android phone as Google intended (and as the vast majority of users actually do) without that tracking mechanism taking center stage.
My solution is to disable or uninstall Google Play Services/apps and I never create a Google account. Also, wherever possible, I use a rooted phone.
The penalty for such action is that many of the attractive so-called free services are unavailable to me. However, the benefits of closing down or uninstalling all unnecessary services and apps and disabling JavaScript are that my battery now lasts for days, ads are a thing of the past and the phone and internet access are much faster.
I accept however the vast majority of users either aren't capable of making such a tradeoff or aren't prepared to do so and Google knows that—that's why it's a winner. For Google, users like me are just insignificant noise.
> It's just not possible to use an Android phone as Google intended (and as the vast majority of users actually do) without that tracking mechanism taking center stage
These things are not as tightly woven into the OS as you make it seem.
It is very much possible. GrapheneOS, CalyxOS, roll your own AOSP-based image.
A completely degoogled Pixel series is even practical and realistic for casuals. As you say you miss out or have to fiddle a bit for many apps which break without SafetyNet and other malware.
"These things are not as tightly woven into the OS as you make it seem."
I know that but try and tell it to the average user. Even many of my techie colleagues aren't game to make changes to their phones for fear of losing some beloved feature. Frankly, I'm amazed at how tolerant people are to this level of surveillance.
That said, much can and does go wrong, resurrecting bricked phones seems to be a pastime of mine. As you know, whether one can decouple Google's spyware subsystem easily or not depends on the phone. If you can't gain access to the OS then it's not possible to roll one's own AOSP-based image or use some other one.
These days, many manufacturers are making it harder and harder to bypass security features, unlock the boot loader and install custom ROMs. Nevertheless I won't buy a phone without first checking whether I can install a custom ROM and it's definitely harder now than it was say five years ago.
Man, some people are just crazy. You’re so hell bent on using android you limit the functionality of your phone to it essentially just being a brick.
Buy an iPhone, install an ad blocker, disable all the tracking, and be done with it while still being able to use the features of the phone you bought.
Imagine not being able to have root, uBlock origin, or third party Youtube clients. Oh, and now also, sending every one of your pictures to Apple so they can call the cops on you to cover their asses[1].
1. I've owned iPhones and Apple is hell bent on locking me out of its tech. If you want to live in a straightjacketed tech world then that's fine. In my world that's a truly bricked environment.
2. When I make phone calls I use a feature phone, it's incapable of doing anything else. That is, it has no Internet access—not even Bluetooth.
3. I wouldn't be seen dead on social media or using a Gmail account, and I've no need of Apple's store or Netflix, etc. so the functionality you refer to isn't an issue.
4. My Android phones are for limited internet use only and/or portable computer use. Similarly, the functionality you speak of just doesn't apply. They are hacked and tailored specifically for my requirement and they do exactly what I want. Right, I'm in control (unlike iPhone users).
5. Even then, as a rule, my Android phones don't use SIM cards, they connect to the internet wirelessly via separate pocket routers which further isolates them from internet gumpf and garbage.
Maybe I'm reading this response wrong, but your comment doesn't seem to make much sense to me. The amount of freedom from surveillance the GP seeks is not something Apple hardware will offer to you at any price. Google makes it painful and onerous, but Apple makes it impossible.
I think this was meant to point out that trading ads for system wide tracking isn’t necessarily a deal you are forced to make if you are a person who is motivated not to make that deal. For most people avoiding tracking isn’t even a thought. Their first order of business is inviting Facebook, Twitter, and Tik Tok to the party.
AFAIU it's all F-Droid apps that are GPS-free. I rely on a small handful of others installed from the Aurora, Google Play is a requirement for some of those.
I may be hallucinating that shim, though I'm pretty sure it actually exists...
"...I rely on a small handful of others installed from the Aurora, Google Play is a requirement for some of those."
Later thought. I also occasionally install Play Store apps via Aurora Store and it's worth noting that some state that they require Google Play Services but in fact they do work without it (I normally have GPS/Google Play disabled or uninstalled).
I've not bothered to research why but I presume it's the reporting mechanism that's not working, the core operation of these programs being independent of GPS (presumably this would simplify programming if the programmer is also coding the program for iPhone).
I'd be most interested if you or anyone else has more info about this.
I have been running Graphene for years and find that few proprietary apps really need GAPS. I get a warning that it is required when they try to serve an ad, but I just dismiss it and enjoy the ad free experience. Graphene has great shims and even a sandboxed Google Play Services for those who want a lot of notifications. I don't use it myself, but my partner does.
1Blocker has a built in internal device local VPN service that also covers all apps on the phone - not just Safari. Breaks any of the "free with ad" games so yeah, it's effective!
I don't have the data to back this up, but I've been operating under the assumption that the majority of people access the internet through their smart phones more than any other devices. Maybe it's my age, but a lot of people I know don't own traditional computers and if they do it's a single laptop they occasionally use for office tasks.
I’m sometimes shocked at how much my wife relies on and accomplishes through her Pixel 3. She uses a computer only when she wants a bigger screen - photo editing or watching a show. Everything else she uses her phone. Is very surprising to me. I feel like I can barely do anything on my phone.
It depends a lot on how much typing you do. If it's mostly reading, phone is tolerable. For HN or Reddit, I want my damn keyboard.
But, conversely, the way we interact online also changes to accommodate these trends. Twitter was an early example of that, and so is the focus on audiovisual content over text for the more recent social networks.
I honestly don't understand how people can stand to browse the web on their phones. I almost never do, because it's such a pain in the butt. But c'est la vie!
It will probably end up like C. P. Snow's The Two Cultures and for many never the twain shall meet. This shouldn't be surprising really given the diversity of people, views, etc.
As for myself, I use both regularly but for serious work the PC/large screen predominates.
In recent years I've often found myself working on the PC with a collection of phones about me all with different but related information on them. It's akin to having multiple textbooks open on one's desk for reference. It's also a handy way of not cluttering up my PC screens with multiple windows/tabs open.
I'm wondering if those still are the majority, worldwide. Smart-phones have done a lot to democratize computing power (now if only they weren't used to put >90% of their users in corporate controlled walled gardens...)
Smart phones didn’t change anything here: 99% of their users didn’t care about the “open” nature of desktops before they were a thing, too. A vanishingly small percentage of computer users care about tinkering and openness. It’s been decades since tinkerers and hackers were the majority of computer users.
One could argue that the mobile era has put computers in the hands of the vast majority of people on the planet that couldn't even be bothered to operate a pc.
I don't actually believe smart-phones have done much to democratize computing power because phones don't give you much control over computing power. You can't develop software on a phone using a phone. And frankly the vast majority of phones have way more computing power than is actually used.
On a related point, the push to the cloud is befuddling when everyone has a phone with "free" (from the developer's point of view) computing power sitting there unused. Everyone's wasting money on centralizing compute despite more distributed compute being available than ever before.
I'm still here. I've used a browser on my phone exactly once to register my phone. With exception to that one time I only use Firefox on Linux on an old PC.
Why did you bother to register your phone then? I've used many smartphones and never registered any of them. I wouldn't give the time of day to Google or Apple let alone my personal details.
Similarly, I use Firefox on Linux but I also regularly browse the web or post to HN on a phone that's been heavily deloused of Google using Firefox and other browsers—but never Chrome.
> I've used many smartphones and never registered any of them.
When I say register, I meant sign up for the wireless service. I did not already have an account. I was on my wifi and browsed to the wireless provider to activate my sim card and get a phone number. I could have done this on my PC but doing that on my cell verified with the vendor that my phone was supported since I am using an off-brand device. It was easier to copy the IMEI that way.
For Google's app store I used a throw away Gmail address that is not used anywhere else. I would love to put a new image on the phone but AFAIK there are no custom roms for my make/model of device. I would love to install GrapheneOS but they have sadly limited device support to Pixel. I am learning more about using adb since this is my first smart phone and with time I will neuter Google without replacing the rom, hopefully. It's mostly harmless for now since I rarely have the phone on.
Fine, that all makes sense. As I posted elsewhere here, the problem of getting replacement ROMs is considerably harder than it was a few years back. I now go to considerable lengths to check if a suitable ROM is available before I buy a phone. I also don't buy one when first released, I want to see how a ROM market develops or if it's well supported. It's also a reason for keeping old phones or getting friends and relatives to give me their old ones, chances are they're easier to root/re-ROM.
As others have said, .mobileconfig or official app work great.
I geek out a bit and use Surge for iOS (pricey and not for non-techie users) and run a few proxies. It'll also allow for DNS override, which I use NextDNS's DNS over HTTPS.
You don't need pihole. There are adblockers on iOS. They aren't as flexible as ublock on android but they're 98% there and good enough with the added advantage that google isn't spying on your every move and sending it back to the mothership.
GeckoView is literally Gecko with an Android API wrapped around it, so that sentence doesn't really explain anything.
The actual thing is that simply each app embedding Gecko needs to be brought up to speed separately, and if Android is lagging behind, it just is, "GeckoView" or not. (Even before the invention of GeckoView, due to understaffing Android Firefox used to lag behind in terms of multi-process capability, so nothing new under the sun…)
Most blockers are running through Safari Extensions, so they’re limited to whatever Apple allows them to do. It’s no uBlock, but I made an app that lets you run your whole device’s traffic through a blocker [0].
Make ad brokers share responsibility for losses due to scam ads. If the ad broker is unable to clearly identify the advertiser for lawsuit purposes, the ad broker should face consequences. They're assisting the criminal by helping them hide.
Google and Meta seem to have no idea what's going on within their own advertising networks.
Similarly to all the stories (with two currently in the front page of HN, eBay and PayPal) about algorithms that are just insufficient for the range of realistic scenarios these companies must deal with on a regular basis.
It's merely the equation of profit outweighing customer service. Admittedly, they're working on a scale that's difficult to comprehend, but that shouldn't absolve them of aiding and abetting criminal use of their systems.
Google's and Meta's profit motives are the base cause of this continuing escalation of the ubiquity and user-hostility (to put it mildly) of internet advertising.
It's only been predictable for the last 20 years...
> Google and Meta seem to have no idea what's going on within their own advertising networks.
Which is the problem.
Distributors of ads need a solid Know Your Customer program, so you can find the crooks. Otherwise, they have to accept liability for scams they help promote.
The same should be conveyed to the user too. Ads should have a landing page that tries to inform kids and computer haters about ads and about the company and product and what changes it makes to your PC and charges it makes to your bank.
No "let Onedrive cloud your photos" in my gallery app, no "keep using Edge" when downloading Chrome, no recommended apps on my Samsung phone.
Some businesses useful to criminals have extra requirements for identifying customers. Pawn shops. Junk yards. Auctioneers. Auction services and ad brokers should be added to that list.
It is infuriating that Google seems to be doing nothing about scam ads. For years I have been seeing "Click to install iPhone update!!!" ads on YouTube mobile. Easy to have huge profit margins when your company hires no humans to do things like customer support and ad vetting.
Pretty sad state of affairs that Google can't or won't stop this, especially since they gradually redesigned the ads spots to look practically identical to the search results. Be very careful clicking anything on Google's search results.
And weird speech-synthesized rousing music: “Jim worked for a big electronics manufacturer, and had an idea. <Electronic item>s for the people. They wouldn’t let him make it. They stole his idea and made a bad version. Now Jim is making <Electronic item>s himself that are twice as good and only a quarter the cost! Buy one to support Jim and stick it to the big evil corporation!” How did that get to be a genre?
And “buy my video course to learn how to make thousands of dollars a day!” scams.
I find it frankly astounding how much obviously fraudulent advertising there is. Isn’t it illegal? Is there no authority that polices it?
The big "DOWNLOAD NOW" ads placed on webpages for software downloads are pretty bad too. Whenever I'm setting up a fresh windows machine I haven't grabbed an adblocker yet and am not used to seeing ads so they get me every now and then.
The number of times I had to yell at family members to NOT CLICK THAT IT'S AN AD is maddening. It required getting a pretty nasty virus and a complete wipe to actually convince my dad to install adblock.
The download sites also make the correct arrow smaller and harder to spot so you click on the ad. I was thinking this today: the last thing a download page wants is for you to be successful and download the thing and then f-off.
Yea, I think we can all conclude they just don't care if it affects their bottom line. So short-sighted. About a month ago people in the AMD subreddit were complaining about compromised drivers and software appearing as the #1 search results due to these kind of ads.
I still get ads for Slovenian brides on YouTube. Not only is it incredibly gross and objective to me, Google clearly knows nothing about my demographic.
I still see extreme right wing propaganda on a pristine profile on YouTube’s flipping homepage. I would love to use expletives on the YT management right now, but I refrain.
Google are literally profiting from the promotion of malware and scams, resultant from the business decision to reduce human interaction within the process.
Over the years, marketing networks have been infiltrated by hackers who manipulate ads to spread malware. Since the ads were served through a host of web pages, the attackers could do damage to a victim’s computers in minutes. With an ad blocker, though, you can prevent this situation from happening to you.
It is simultaneously impressive and sad and hilarious that security of millions of people depend on the work of one volunteer software developer (gorhill – ublock origin) and a bunch of volunteer block-list maintainers.
Pretty late to the game there, FBI. There are examples going back decades of drive by downloads and exploits from ads on popular websites. It's not enough to avoid shady websites. Any website filled with ads is already a shady website.
Yep. The only time I ever had a malware-infected computer it was one of those drive-bys. You didn't even have to click through the link to the site advertised at all, the browser would just go ahead and start prefetching it, so in case you did, it would seem quicker. And meanwhile the Adobe plugin would just happily start executing whatever code came from it.
I had to thoroughly wipe my computer and the computers of two others that fell to the same malicious ads.
Now ublock origin is standard and no Adobe products are allowed.
I stopped using adblockers generally when I considered both 1) we get very little visibility on when an extension changes-hands/updates, combined with 2) you have to give it access to all your browsing data.
People sell popular browser extensions to malicious parties all the time and AFAIK there's no systematic way to notify users when this happens.
Any serious schizo worth their weight would only be using an airgapped system at home and only connecting to the Internet from public APs with a completely separate computer.
You can not say a browser is built to block ads when showing ads is literally how it makes money. You maybe turned it off, but most people didn't. If everybody turned it off, it would not have a revenue stream.
> You can not say a browser is built to block ads when showing ads is literally how it makes money.
Sure I can:
It was built to block ads. You have to tell it to do so in a way that blocks "all of them" otherwise it just blocks the terrible/annoying/malicious ones.
Sure, but do they also not collect any analytics for their ads? Will that last through a financial crisis if advertisers offer them more money? Will it last if they gain market dominance?
If their money comes from advertisers and not users, they serve advertisers and not users. Supporting them as a temporary solution just means if they succeed we have all the same problems when the same incentives come into play.
> Sure, but do they also not collect any analytics for their ads?
Configurable.
> Will that last through a financial crisis if advertisers offer them more money?
Will Brazil win the 2090 world cup? I'm not sure I get your point...
> Supporting them as a temporary solution just means if they succeed we have all the same problems when the same incentives come into play.
Internet services are run by ads. Unless we can transfer to a model which is publicly funded or subscription based (even free software needs to pay for servers and employees -- the money has to come from somewhere) then the best we can hope for is an ad-funded service which allows you enough control to turn everything off if you want to.
Do you have a better solution and are you willing to start working on it?
Otherwise, you are making 'perfect' the enemy of 'good'.
Remember when you responded to a post about blocking ads by default?
> Internet services are run by ads. Unless we can transfer to a model which is publicly funded or subscription based (even free software needs to pay for servers and employees -- the money has to come from somewhere) then the best we can hope for is an ad-funded service which allows you enough control to turn everything off if you want to.
Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
The internet existed before internet advertising, and the kinds of websites people built for intrinsic reasons rather than for money were far superior. If Facebook et al disappeared completely the world would be a better place.
There is not a shortage of content, there is a shortage of filterability created by low-effort garbage funded by ads. If people aren't willing to pay for something, it's because it's not that great.
Patreon shows that some people are willing to just make donations for free content. And incidentally, Patreon-supported content tends to be higher-quality because they're serving donors, not advertisers.
We don't need ads. Ads are a blight on humanity which provides negative value.
> Do you have a better solution and are you willing to start working on it?
You mean the < 10 lines of code necessary to have an ad blocker installed by default?
> Otherwise, you are making 'perfect' the enemy of 'good'.
Brave is not "good". It's literally no different in any way from a browser which supports adblocking extensions.
> Remember when you responded to a post about blocking ads by default?
It does block ads by default. You then asked about analytics.
> Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
I definitely do not support ads. I block them.
> The internet existed before internet advertising, and the kinds of websites people built for intrinsic reasons rather than for money were far superior. If Facebook et al disappeared completely the world would be a better place.
Yes it did. It was funded by the government, universities, the military, and people through personal servers (you can probably also count BBSs as well). These things had functions orders of magnitudes smaller than are available today (want to see a satellite picture of your house then get walking directions from there to Alaska?).
> If people aren't willing to pay for something, it's because it's not that great.
Someone pays for everything. Do you have a solution? I would happily pay more taxes to publicly fund services like search engines and browsers -- but that isn't politically viable right now.
> We don't need ads. Ads are a blight on humanity which provides negative value.
I agree. That's why I block them.
> You mean the < 10 lines of code necessary to have an ad blocker installed by default?
No, I mean how to fund massive projects and infrastructure without public funding.
> It's literally no different in any way from a browser which supports adblocking extensions.
I never said it was. I said it blocks ads by default.
If you open google.com and search for 'mattress' in Brave, you will see Google ads in Brave, by default.
Furthermore, Brave is capable of blocking these ads, but chooses not to, therefore it does not block ads by default.
>> Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
> I definitely do not support ads. I block them.
"you" was referring to Brave, not yourself. The point is that Brave is a first-party ad vendor (showing ads is how it makes money) so for this reason it is not committed to blocking first party ads by default (as it would be ironic I guess).
> Someone pays for everything. Do you have a solution?
Yes, you can choose to support paid search engines and browsers, paid by users, not advertisers.
> I agree. That's why I block them.
Original comment was about which browser is blocking all ads without discrimination, on default settings.
You can make any browser block ads with some effort, through for example extensions.
> If you open google.com and search for 'mattress' in Brave, you will see Google ads in Brave, by default.
It doesn't block all ads everywhere -- I don't know any browser or extension that does. It certainly blocks most of them. I don't see google ads because I don't use google for search (and I also run a pi-hole), so I wouldn't know.
> "you" was referring to Brave, not yourself.
Well 'you' use strange sentence structure and grammar and it doesn't communicate your point clearly -- or you are retroactively changing what 'you' mean after 'you' write it.
> Yes, you can choose to support paid search engines and browsers, paid by users, not advertisers.
Does 'you' refer to 'me'? Because I already do that. 'I' was speaking of browsers and software and services in general. And I already brought up the subscription model but that doesn't work for browsers, apparently. Why don't you make one?
> Original comment was about which browser is blocking all ads without discrimination, on default settings.
Original comment was about browsers blocking ads. I mentioned Brave was built to block ads. You seem to have changed this conversation to be about Brave supporting ads and how if it does then it doesn't 'count' when it blocks them. Try to keep up.
I'd recommend expanding the browser configuration information on your site to include the options found under about:config.
There's a bunch of settings in there not available under the main settings. Eg privacy.resistFingerprinting -- which actually has a bug where your browser suddenly stops opening full screen, even with this setting disabled. Solution is to toggle this setting on and off, restarting browser between toggles, and Firefox will remember to open full screen again next time if that's how you left it.
Is it time for an open source adblocker that only blocks bad actors?
I am perfectly fine with ads, I've previously run sites where it was a small source of income myself. I know it would be in a cat and mouse game with the bad guys but if it blocked most of them it would certainly help a lot of people.
Adblock Plus is already like this and everybody technical quickly realised the reality of an advertising "Whitelist" instantly creates a de facto protection racket where getting an exclusion from the adblocker becomes a valuable commodity. It's worth paying WHATEVER the adblock operator is asking to get on the whitelist. Adblock Plus got big bucks from Google who in turn have saved billions from striking a deal with them. The small guys - well they got screwed - you need to go through certain well financed ad networks to deliver "Acceptable ads". Adblock Plus is still popular for some reason but I don't know any technical people who still use it because well it's corrupt and hostile to its own users and has a clear drop-in replacement.
In the opinion of the vast majority of adblocker users, agree with it or not, ALL advertisers are bad actors. So they will never voluntarily choose filter lists which allow "good ads" the vast majority of the time. As such this will only happen if you get the adblocker to set allowing "acceptable ads" as a default, which makes what you're talking about INTRINSICALLY corrupt and paternalistic. If you want people to actually do this, show up at the houses of Adblock developers with suitcases of money, plenty of drugs, and beautiful prostitutes and whisper sweet stories into their ears about how they can help small businesses find markets for their products. Sadly ublock origin's developers appear to be incorruptible.
Google has figured out trying to push "acceptable ads" any harder is pointless and has instead moved to simply make adblocking technically harder to do by taking control of web standards.
Let's build that company that serves ads and blocks bad actors. We can then offer the blocklist to other blockers.
Problems:
* vetting ads costs a lot of time (= money). So you're getting less money per impression
* requires a massive amount of infrastructure if you want to ensure that the ad doesn't change in between you vetting it and you serving it to your clients (= money).
Meaning the consumers of our company will get less money per ad they show to their visitors.
So they'll go to one that offers more. Simple as that.
In order to fix the bad actors we need to start making the websites serving the ads (like Reddit) and/or the networks (DoubleClick) responsible for what they offer up.
As long as that doesn't happen it'll remain a cesspool.
Just put relevant ads locally and the problem goes away.
By that I mean, if you're a site about say, board wargames, and there's some new board wargame that wants to advertise on your site, ok. Edit your page to add an ad graphic with a link to the seller. That's cool. And maybe the people reading your page will actually want to buy it!
But there's just no way that third-party ads through some generic ad network will ever achieve that fit or reliability. And ads based on tracking people's data and suggesting things based on what you interacted with on social media or whatever? That's always going to be hot garbage at best. Adding in a third-party ad network (and probably behind that brokers and other middlemen) can't possibly make it better, it can only make it worse. So that's what we have today.
But go back to simple static ads relevant to the content of the page and problem solved.
Most ads are bad. I think uBlock Origin's list leaves most static banners intact. I don't mind seeing ads too much if they are the same for everyone that visits the website and is relevant to the content.
It is already a cat and mouse game, adding another handicap for the good guys seems like too much. Plus, perverse incentives might creep in on the “bad actor” definition.
On Mac and iOS I use and recommend AdGuard which has native content blocker extensions and lets you use Easylist block lists (as well as their own).
On Chrome/Firefox I use uBlock Origin which works well. I’m not sure if the community recommends something else at this point.
I also use various other extensions like StopTheMadness to disable right click hijacking and other bad behavior and Banish on iOS to prevent certain banners from appearing.
I know most people trash on Brave, but honestly, if you disable its crypto features (which is just a click away), it's actually a decent browser that blocks almost all ads I see, even on iOS!
For example, YouTube has no ads in iOS Brave. Since iOS doesn't allow real browsers and extensions, Brave has been a sanity-saver for me.
Pair that with uBlock on desktop and you're golden. 98% of the sites don't break at all either.
Safari on iOS does allow extensions. It also is a “real” browser, whatever that means. iOS does not, however, allow _alternate rendering engines_, which is different.
I find Safari extensions inferior to Chrome/Firefox extensions. Who thought it's a good idea to show extensions as apps on the springboard/launchpad??
I now have 68 extensions on my Brave (desktop). Imagine seeing 68 additional icons on my macOS launchpad!
Safari is clearly a real web browser, you can use it to browse the web. It is a weird comment, the more straightforward and honest way of putting it would be “alternative browsers.”
> Since *iOS doesn't allow real browsers* and extensions, Brave has been a sanity-saver for me.
I mean, the comment is pretty straightforward, I don’t really see the need to come to this person’s defense. I agree that the iOS policy is dumb, but deliberately misinterpreting this person to make them correct is silly.
NoScript is excellent, but it is certainly not for the faint of heart. It basically breaks the (modern) internet and then you have to go in yourself and unfuck each website.
The upside though is big, stops all the insane bloat that runs on most pages. Many websites run fine with all their scripts blocked too.
NextDNS + Ublock Origin (or Brave Browser, since it uses the UBO lists by default) is a really good combo on its own, and easy enough for my self-proclaimed "tech illiterate" friends to set up and use.
It ultimately depends on what your threat model is, what are you trying to defend against? I use Qubes dispvms (whonix if possible) for personal browsing, but that's pretty far toward the extreme end of the scale.
I feel like, for those asking for cursory information about setting up an ad blocker, ublock origin should be recommended, and not pi-hole. Ublock Origin is a one click solution that works great for everyone, while pi-hole requires setup and does quite a lot. For instance, when I was using pi-hole, Windows Update and Epic Games Launcher simply stopped working for me. I'm not sure what was going on, it could have been something wrong on my end, but nonetheless, I'd hate having to help a user with issues like this after recommending pi-hole when all they wanted in the first place was a simple ad blocker. In my opinion, pi-hole is great, but it should only be brought up in cases where the user has already communicated they want something more than UBO.
I respect your feelings, but Ublock Origin is not available on my Android phone or on my iPad. It's also not available for all browsers. It may not work for you, but for me Pi-hole is a wonderful solution for my whole family, and they don't ever need me to touch their devices in order for it to work for them.
That's fine if you have no other option, but it is inferior to uBlock Origin since it can't do any cosmetic filtering. Better to use pi-hole on your network for clients that have no other choice, but to then also use uBlock Origin on any client you can.
To add one that hasn't been mentioned in this thread, a good hosts file can both block ads and speed up your internet.
https://github.com/StevenBlack/hosts
If you're on Android also use Blokada to block ads in app. It's a local VPN server that filters out requests to ad servers. I think there are other apps like that but I never used anything else.
uBlock Origin, Privacy Badger, Pi-hole, and a mobile browser like Firefox that allows for extensions for those times when one is not browsing on the same network that the Pi-hole runs on. One may also use a VPN on all devices that connect to a network with DNS-level ad-blocking.
A combination of uBlock Origin + NoScript + Bypass Paywalls Clean + FastForward + ClearURLs as well as a pop-up blocker of your choice, will make your web browsing experience a bit cleaner. Not all of these might be available for Chromium, I personally use Firefox for my daily use, with some Chromium browsers as backup.
NoScript will break pretty much 50% of the web. It'll take you about a day to whitelist all the sites you use daily and then it's smooth sailing.
The former team left Privacy Tools and that is now just arbitrary recommendations by one guy who mostly spruiks cryptocurrency bullshit. He also has no experience when it comes to auditing, verifying any of what is recommended, not a sysop, not a programmer either.
I use adnauseam (https://adnauseam.io/), which is built on top of ublock origin, and it works pretty well.
The generic nuclear option to hide terrible web design, bypass (some) paywalls, and improve performance 1000x is to disable javascript. ublock and adnauseam both have a button to disable all javascript on a page, which is handy when reading articles on sites filled with garbage.
> both have a button to disable all javascript on a page
Be slightly careful, there's a known issue (limitation of Chrome really) where requests and javascript are not blocked in the first few seconds of launching a browser or an incognito window (you can test this yourself). And this is true even with "Suspend network activity until all filter lists are loaded" enabled, because I think it's some limitation on Chrome as to when exactly extensions get loaded.
So if you do rely on javascript being disabled for safety, after a fresh launch or new incognito window, you should visit a safe webpage first before going to the risky one.
I'm going to just read "limitation on Chrome" as "purposely defective by design" as there's sufficient incentive to delay disabling to let a few telemetric squeaks escape.
Just switch to a browser that respects user privacy. With NoScript you can fine tune which domains you'll accept scripts from when the zero-JS experience isn't usable.
Should we also not use uncommon resolutions, uncommon browsers, uncommon OSes?
The personal and societal effect of ads are more tangible than the personal effect of tracking. Even if networks are truly able to use this data, it doesn't matter how precisely you can be served with ads if you don't see them.
adnauseam is seriously a terrible idea. It's actually dangerous. The idea that you can somehow trick advertisers by polluting your dossier and making it useless to them after filling it with random data is fundamentally flawed.
Every scrap of data collected about you will be used against you. It doesn't matter if it's accurate or not, nobody cares if the data they have about you is accurate, data brokers will happily sell your personal info to anyone even knowing full well that it's got inaccurate and conflicting info in it. Many won't even know because the process is entirely automated.
By automatically clicking on ads and "expressing interest" in random things you're just filling your dossier with ammo which gets handed to others to fire at you. Every random thing you add to your permanent record is one more thing that can only hurt you.
You cannot know what will prejudice someone against you. Maybe one day adnauseam decides to click on something that gets you flagged as having a certain political view, or having a certain sexual orientation, or being an alcoholic, or having a mental illness, or being at a certain income level, or belonging to a certain religion, etc. One day that exact data can cause you to get turned down for a job, or for housing. It can mean that a website charges you more than what your neighbor pays for the same product. It can mean your insurance rates go up next year.
You will never be told when it happens or why. Your health insurance company isn't going to tell you that they raised your rates because you (adnauseam) clicked on too many fast food ads last quarter. You're just suddenly getting a higher bill. Your auto insurance company won't tell you that they raised your rates after you were clicking ads for DUI lawyers, but suddenly they and every other insurance provider you try are quoting you higher monthly prices.
If your browser extension decides to go click on ads about abortions you could even end up being hauled into a Texas courtroom and having to defend against charges. Sure, you'd get them thrown out eventually. Probably. But it would still cost you a ton of time and money and stress. The information in your dossier can get you targeted, harassed, or attacked by extremists. It can be used against you in court rooms. It can get you investigated by three letter agencies. It can be used to impact your 'secret consumer score' or consumer trustworthiness rating.
The information being collected about you is sold to companies, employers, activists, extremists, and law enforcement. That data never goes away. It follows you for the rest of your life and will be used against you in ways you'll never be aware of and cannot today imagine. Filling your dossier with huge amounts of content (random or not) is dangerous and only increases your risk for zero benefit.
All I care about is hiding/obfuscating my personal information. I just don’t like the idea of giving that away for free, even if it’s actually harmless.
I don’t care if I get wrongly labeled/categorized due to this. It’s not like my profile was an accurate representation of who I am before I turned on ad nauseam. If someone gets dragged into a court room for clicking ads, that would be funny, and I doubt they would have a hard time finding support from orgs like the EFF, gofundme, etc.
One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads. This will lead to reduced spending and less ads overall.
> All I care about is hiding/obfuscating my personal information.
adnauseam does not do this. It only adds to your personal information. It doesn't hide anything.
> I don’t care if I get wrongly labeled/categorized due to this.
Then you must not care when you suffer the consequences of having been wrongly labeled/categorized. Nobody can make you care about yourself, your money, your safety, or your time if you refuse to.
> It’s not like my profile was an accurate representation of who I am before I turned on ad nauseam.
Again, nobody cares about how accurate it is or not. It's about quantity, not quality. Accurate or not, that data will increasingly impact your life in very real ways. The more data they have, the worse it will be for you.
> One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads.
This isn't actually true, because advertisers don't care. That's why the world is still and increasingly filled with ads that aren't laser focused on you as an individual. We have more and more ads on network TV, on billboards, on radio etc. None of them were stopped because they sometimes showed an ad to someone who doesn't care about it. Seriously, they don't care. You clicked, that's good enough for them. Sales aren't even always the goal. Being seen (or the appearance of being seen) is often all they need.
Right: regardless of what the ad is, just by auto-clicking on it you provide a signal that when aggregated together can roughly piece together your browsing history. As a toy scenario, maybe you only visit tech blogs, and tech blogs usually have tech related advertisements. The fact that you have auto-clicked on ads that were on tech sites, and not say fashion sites, is itself a strong signal that can be used to infer browsing history.
Also I think advertisers are already used to dealing with click fraud and so track metrics that won't meaningfully be impacted by this strategy.
> All I care about is hiding/obfuscating my personal information.
> adnauseam does not do this. It only adds to your personal information. It doesn't hide anything.
It does hide it. It hides it between a bunch of garbage data. That’s the point.
If the CIA wants to assassinate me, a browser extension isn’t going to help. But if I start seeing ads for adult diapers while I’m browsing the internet, I’m going to laugh and feel good about knowing they wasted a few cents.
> Accurate or not, that data will increasingly impact your life in very real ways. The more data they have, the worse it will be for you.
Sorry, but that’s ridiculous. It sounds like FUD a spam blog operator would say lol.
> This isn't actually true, because advertisers don't care. That's why the world is still and increasingly filled with ads that aren't laser focused on you as an individual. We have more and more ads on network TV, on billboards, on radio etc. None of them were stopped because they sometimes showed an ad to someone who doesn't care about it. Seriously, they don't care. You clicked, that's good enough for them. Sales aren't even always the goal. Being seen (or the appearance of being seen) is often all they need.
When something isn’t working, you stop wasting money on it. Ads aren’t going to completely disappear, but if collecting personal data on individuals stops being effective, then marketers will need to turn to other means of targeting. It won’t happen tomorrow, but I did say “long term”
Companies are using every scrap of data they can get their hands on to take more of our money and they want more. The government is buying up data they can't legally collect directly. It's pretty likely that you've already experienced real world consequences of the data taken from your online activities. (https://epic.org/issues/consumer-privacy/data-brokers/)
They tell us that all the tracking we're subjected to is just about ads, but the data being collected is used all over the place offline. What we really need is privacy regulation with real teeth, but that's probably not going to happen any time soon because it's making companies tons of money. There's a multi-billion dollar a year industry around the buying and selling of our data for a reason.
Brave, Firefox, Bromite all do, or you can use NextDNS or AdGuard as a private DNS in your network settings. I think the last option is a little WireGuard setup to route traffic to a server or small PC that has Unbound and Pi-hole on it.
So, for example, YouTube serves their own ads, so you can't skip YouTube ads with a DNS-level adblock; you need uBlock Origin, which can block anything referenced in HTML, which is why it works for skipping ads on YouTube.
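An added example, not part of the thread: the difference the comments above describe between hostname-level blocking (Pi-hole, a hosts file) and URL-level filtering in the browser. All domains, paths and the `(host, path prefix)` rule format are constructed for illustration; the rule format is a simplification, not uBlock Origin's real filter syntax.

```python
from urllib.parse import urlsplit

# Constructed sample in hosts-file blocklist format: "<sinkhole address> <hostname>".
SAMPLE_HOSTS = """\
# constructed blocklist
127.0.0.1 localhost
0.0.0.0 ads.adnetwork.example
0.0.0.0 tracker.adnetwork.example  # inline comment
"""

# Hypothetical URL-level rules: (host, path prefix). Simplified stand-in for a
# browser content blocker's filter list.
URL_RULES = [("video.example", "/api/ads/")]

# Constructed page load: (request URL, is it an ad/tracker?).
REQUESTS = [
    ("https://video.example/watch?v=abc", False),
    ("https://video.example/api/player/segment1.ts", False),
    ("https://video.example/api/ads/preroll.json", True),   # first-party ad
    ("https://ads.adnetwork.example/banner.js", True),      # third-party ad
    ("https://tracker.adnetwork.example/pixel.gif", True),  # third-party tracker
]

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts_blocklist(text):
    """Return the set of hostnames a hosts-format blocklist sinkholes."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def dns_blocks(url, blocked_hosts):
    """A resolver or hosts file only ever sees the hostname, never the path."""
    return urlsplit(url).hostname in blocked_hosts


def url_filter_blocks(url, rules):
    """An in-browser filter sees the full URL and can match on the path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return any(
        (host == h or host.endswith("." + h)) and parts.path.startswith(prefix)
        for h, prefix in rules
    )


def evaluate(requests, blocked_hosts, rules):
    """Per layer, list the ads that got through and the content that broke."""
    report = {
        "dns": {"missed_ads": [], "broken_content": []},
        "dns+url": {"missed_ads": [], "broken_content": []},
    }
    for url, is_ad in requests:
        dns = dns_blocks(url, blocked_hosts)
        both = dns or url_filter_blocks(url, rules)
        for layer, blocked in (("dns", dns), ("dns+url", both)):
            if is_ad and not blocked:
                report[layer]["missed_ads"].append(url)
            elif not is_ad and blocked:
                report[layer]["broken_content"].append(url)
    return report


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_HOSTS)
    print("as configured:", evaluate(REQUESTS, blocked, URL_RULES))
    # Sinkholing the first-party host removes the ad but also the video itself.
    print("host added to DNS list:", evaluate(REQUESTS, blocked | {"video.example"}, []))
```

The hostname-only layer lets the first-party ad through, and adding the serving host to the DNS list trades that for broken content; only the layer that sees the path can separate the two.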
The FBI page in question[0] (I hope ic3.gov is legit!) says "Before clicking on an advertisement, check the URL to make sure the site is authentic." But on a mobile device nobody knows how to do that. And the URL will be some kind of ad redirect a mile long.
FBI: "Rather than search...type the business’s URL into an internet browser’s address bar..." I'm not sure about this one. Typos easily happen, and it's the typo'd domain that scammers might own. Risky whatever way you go I suppose. For well known businesses I'd rather search and click on organic links than trust my own typing of a URL.
"Use an ad blocking extension". Third time's the charm. Great to see this advice coming from the FBI.
The same applies to corporate networks - there is no good reason why the default office computer installations for your employees should have a browser without an ad blocker, there are some (not huge, but some) security benefits that make it a reasonable IT policy almost everywhere.
In the case of the FBI, et al., who according to the article "are already reportedly using network-based ad-blocking technologies", I'd wonder if not being able to access certain material would hinder the investigation of scams.
I think browser Notifications help drive these attacks. How many web sites do you visit that offer a pop-up that says the site would like to send you Notifications? You click Allow and suddenly start seeing Ads pop up in your Notification area, not a site notification but an Ad.
I had a user show me one of these Notification ads just this week, telling her that McAfee found a virus and click the Ad to remove the virus. We do not even use McAfee, it was a straight up attack ad. Thanks Chrome!
Does anyone have any adblockers they recommend that still show "safe" ads (e.g. non-malware) by default, without having to whitelist every site? I'd be open to the security benefits of an adblocker if I could still passively support all the sites I visit.
The only "good" ads are those you have to specifically go out of your way to view because you want to view them; such as product catalogues.
All other ads are physiological assault and should be made illegal. Particularly those ads which exist "IRL" and can't otherwise be blocked, such as billboards.
If you want to harm advertisers while possibly supporting the sites, you can use AdNauseam, which basically does what uBlock Origin does, but will randomly access a percentage of the ads blocked, to waste the advertiser's money.
I don't particularly want to harm advertisers; I'm just interested in the proposed security benefits from OP. This does seem like a realistic middleground though. Thanks for the suggestion.
Those who are a bit tech minded – consider adding DNS filtering on your home network (using pi-hole or something else). It has drastically changed my web experience for the better, including across iPhone apps, smart TVs and other surfaces where ad blockers can't help.
I see this advice a lot but I can't imagine it working better than using a system level adblocker like AdAway on my phone. (Smart TVs I understand, though mine seem to be unusually ad-less compared to what I've heard Samsung does).
What if you're out and about disconnected from WiFi? What if you need to turn the thing off for a sec to click on a sale/promotion in an email?
Out and about: yeah install something on your phone (or use a self hosted vpn that plugs into pihole? never tried it)
Need to click on sale: You can easily temporarily disable it in the web interface in 1 click
It's a nice way to block ads for any wifi connected device in your house without additional setup. There are probably 10+ ad-serving devices in my house between the TV's, laptops, tablets, and phones.
> use a self hosted vpn that plugs into pihole? never tried it
Not that it plugs _into_ PiHole per se, but rather that the Self Hosted VPN makes your phone use your home DNS server (including the PiHole itself). It works! I use https://www.pivpn.io/ but there are many others.
I wonder when/if they'll also recommend JS whitelisting. The majority of browser exploits require JS to function, and even the occasional few which don't are likely going to be obfuscated using JS to avoid easy detection.
That’s quite significant if the situation got so bad that even the FBI recommends a practice now which will arguably harm the profits of some of America’s largest corporations.
hehe makes sense to send all the pages you visit to the FBI/NSA, etc. If they have multiple sources (DNS and AdBlockers, VPNs, etc.), they can verify the data on one or the other.
This does make me wonder, is there any extension that can modify the DOM? I.e., remove nodes aka a div container by className or change css and make it persist?
Sure, but ad-blockers are also basically adware that scans through the entirety of all websites you visit. Very similar snooping to custom keyboards etc...
> but ad-blockers are also basically adware that scans through the entirety of all websites you visit. Very similar snooping to custom keyboards etc...
Er, not as a group they aren't. Like, I'm sure there are bad adblockers, but if you stick with uBlock Origin you'll be fine.
Why wouldn't uBlock Origin be targeted? Nobody is capable of auditing the entire codebase, paying off open source contributors flat out isn't hard and it's cheap.
Removing ads only makes you more unique. As most users don't block ads, by using an ad blocker sites can identify you more by knowing you use an ad blocker.
It is more comfortable, but it's preferred using a wide DNS ad blocker as sites can only know that for some reason the DNS server can't resolve their domains. DNS ad blocker can also increase uniqueness.
Using an ad blocker extension can also cause security issues, as the extension has full control on network traffic and has potential to be exploited.
> But loading ads are the much greater security issue.
How so? You're just retrieving the data and displaying it.
> And if you care about "uniqueness" you have that already with your IP
There are many ISPs that use NAT to save IP addresses, hence an IP is not really an identifier. Even if not, an IP is identifying the whole network, and all the ones that are connected to the same network. You can see how in YouTube (incognito mode) you will always get personalized videos based on your IP approximate geolocation (usually just the state) if it's your first time.
> Yeah displaying data...that can't be dangerous ;)
It's not dangerous because it's coming from a good source, such as google ads.
> Do you really think your argumentation is good?
Yes, because that's what happens. I don't really think an IP is a good identifier because it's shared by others. Using cookies is a much better option.
2. You think ~everyone/most have ISP-NAT (hint nearly ~no one has it and IPv6 is a thing too (hint 2. those are 38% worldwide))
But you care about uniqueness because of ad-blockers, which are used by ~40% of all users, but an IP is "not" unique, nor the browser, OS, resolution and GPU and the combination of all those factors, but NONO the Adblocker is the problem.
The success rate of the algorithm is important. The average person doesn't want to see someone else's ads just because they're in the same network. No one wants to see their kid's Minecraft ads.
IPs are also constantly changing, at least once a month. For sure, they can't rely on one identifier, which is the IP address, because after it changes, all of the data is gone.
Also, you say things I didn't say. I said THE IP is not a really good identifier, but you also say I meant also other identifiers.
The IP can't survive on its own. The algorithm needs more than just one thing. It needs multiple things while if one is not applicable then we get another one.
An ad blocker already eliminates you to 40% of the internet users, which is a lot.
> IPs are also constantly changing, at least once a month.
I don't know where you got that one-sided information (maybe you live in a bubble), but my IP never changes until I leave the router powerless for more than 12 hours.
> An ad blocker already eliminates you to 40% of the internet users, which is a lot.
No it's not, but your screen-resolution combined with GPU combined with OS combined with Browser(Version) combined with Cam/Mic combined with ~location is.
> I don't know where you got that one-sided information (maybe you live in a bubble)
I guess it's company dependent.
> No it's not, but your screen-resolution combined with GPU combined with OS combined with Browser(Version) combined with Cam/Mic combined with ~location is.
You said it yourself. 40% of all users use an ad blocker, hence when you use one, the website will know, and you're part of them.
I am puzzled here. Why is the FBI expecting the free market to solve the problem created by the free market? Are these scams somehow legal? If the scam is illegal, and search engines are promoting the scams at the top of search rankings, doesn't that make the search engine an accomplice in the scam?
If I invited crack dealers to deal out of my house for a small cut of the proceeds, I'm pretty sure I go to jail when they're caught. That's essentially what search engines are doing here.
I don't, but Google is presumably not pleased to hear the FBI say "Cyber criminals purchase advertisements that appear within internet search results". https://www.ic3.gov/Media/Y2022/PSA221221
The FTC, other regulators or courts in the countless cases against Google may also use such a statement as validation that fraud is rampant.
Using Brave Browser and never looked back. I use MSEdge for work stuff (client testing as it's their default). It was vanilla, but recently I had to install uBlock (minimum).
It was too unbearable to do a simple search for some technical info and end up on a website that would LITERALLY slow the OS as a whole due to spike on Edge's CPU and memory usage.