Hacker News new | past | comments | ask | show | jobs | submit login
Hush – Noiseless Browsing for Safari (oblador.github.io)
159 points by sysadm1n 10 months ago | hide | past | favorite | 68 comments



Hush is one of the extensions on my devices, but both Hush and AdGuard Pro take a back seat to:

A) 1Blocker: https://1blocker.com/

B) Orion Browser by Kagi: https://browser.kagi.com/

The first brings all the blocking customisation one needs to MacOS and iOS Safari, the other runs Firefox and Chrome extensions such as uBlock Origin:

https://browser.kagi.com/faq.html#extensions


Can you elaborate on why AdGuard Pro took a backseat to 1Blocker? Speaking of the free version, it seems like AdGuard provides more. The subscription also seems a lot cheaper than 1Blocker.

I have tried Orion browser, and was thrilled to finally have uBlock Origin on iOS.


1. iCloud Private Relay:

https://adguard.com/kb/adguard-for-mac/solving-problems/iclo...

2. Too much jitter and latency in browsing. I can tell when Ad Guard is running. I can't tell with 1Blocker. No problem with ads, it's the feel.

That said, Ad Guard will kill trackers and ads in everything if you use the (hair raising) https filtering:

https://adguard.com/kb/general/https-filtering/what-is-https...

Note that NextDNS, eero+ DNS ad blocking, and AdGuard DNS are all surprisingly friendly ways less technical users can enjoy equivalent of piHole benefits for the home, including ability to block ads from "smart" TVs and consoles when the router can distribute DNS settings, as well as for mobile devices where they help with any browser or app that uses device DNS settings.


Note that uBlock Origin is not supported[1] on the iOS version of Orion. Rather, the ad blocking you might have attributed to it is actually from the built-in ad blocker[2], which is quite good but unfortunately not as sophisticated as an actual functioning uBO.

[1] https://orionfeedback.org/d/1037-ublock-origin-settings-blan...

[2] Try browsing with the content blocker disabled vs with uBO disabled :)


Is 1blocker trustworthy? I have a vague recollection that they pulled some sort of bait and switch a while back, and deprecated their paid app in favor of a subscription-based app. I see that they at least offer a lifetime license, which is a prerequisite for me to consider using it, but I don’t really want to pay twice for the same product, or find my lifetime license abandoned a year or two from now.


Hush has changed the desktop browsing experience completely for me. I have rarely seen cookie banners in years.

I realize how big a difference it makes when I open a website on Firefox Focus on my Android phone and half the screen is just filled with the cookie accept/reject dialog box.


yea I have this feeling anything I have to use a computer that isnt mine. I just dont understand how people can put up with it. The worst is people are so resistant to change (because every change is shit), they fear when I speak "wait I install extension and you wont see any ads" and see "another change that will turn to shit, I already learned to ignore the ads, I dont need no adblocking, and isnt it stealing anyways?" kinda thinking. Its sad


I like Hush for Safari, but I also use Brave. Brave blocks cookie banners by default:

https://brave.com/privacy-updates/21-blocking-cookie-notices...


Wipr is a quiet, lightweight alternative too: https://kaylees.site/wipr.html


Wipr is great, but they're a separate thing. Wipr does not remove the nagging cookie requests


Wipr does remove cookie warnings. From the linked page:

> Wipr blocks all ads, trackers, cryptocurrency miners, EU cookie and GDPR notices...

I use Wipr and can confirm that I rarely see cookie warnings in Safari with it enabled.

I might be wrong, but I believe this is better than Hush as Wipr blocks cookies, while Hush accepts website defaults.


Interesting to see, as I still encounter these banners from time to time. I also have Wipr Extra enabled. Apologies for the mistake


Cookie banners are so annoying. I support any extension to remove them.


They are probably designed to be like that so you can rush into accepting the tracking across the web.

The web has become a sad place where most of the content is made for showing you ads and tracking you around, therefore tracking cookies are needed, therefore tracking cookie permission banners are displayed.


If you don't click accept on the very first page, websites can't connect you to where you're coming from, which is why they're like that.

I mean, in theory they could do that retroactively, but that would be waaay to complex.

Popular cookie banners enable services by executing their javascript. There's no event tracking mechanism whatsoever. Cringe fact about cookie banners.

It's probably because every engineer spends as little time as possible on it, since it's boring af. It's annoying & boring to implement, and once it's done, annoying to everyone that sees it.


> They are probably designed to be like that so you can rush into accepting the tracking across the web.

Correct (speaking as someone who worked in an adjacent area).


The DuckDuckGo browser automatically manages (auto-refuses) these banners. It also has a lot of privacy-preserving features and a distraction-free youtube player that’s nice. And most of all it’s WebKit based, which is good for engine diversity, I guess.


On iOS, the only engine available is WebKit.

On Android, it uses blink (Chromium)


I was talking about macOS where it uses WebKit when it could use whatever they wanted.


they're designed to be annoying, a perfectly reasonable response to GDPR was to stop being fucking creepy


Is not being creepy sufficient? My understanding is that you need consent to collect literally any PII, e.g. an email address.


No, that's not correct. The GDPR is a surprisingly sensible set of rules, e.g. it allows collection and storage of data under certain circumstances. The salient point here is probably that it is allowed to collect and store all data required to fullfil a contractual obligation, e.g your home address, or if you are shopping at a pharmacy your prescriptions. The important part is not what type of data* is collected, but that the collector is restricted to use that is required to fullfil the obligations. If you want to use it for something different (say direct marketing) you have to ask for permission.

This extends to many areas, including e-mail, if they are required to deliver your services you may just save them. However, you may not use the e-mail to send newsletters. Of course, you want to double opt-in e-mails in any case unless you don't mind false or malicious entries and being labeled as a spammer. But that has nothing to do with the GDPR.

* the type of data is of importance when we are talking about data breaches and fines. Losing e-mail addresses is bad, losing prescriptions is much worse.


No. Consent is only needed for data you collect which is unnecessary to provide the service you are offering and is unexpected by the user. If you require an email address for a mailing list or notifications, you do not need consent. If you have webserver logs containing IP addressees you use for debugging and abuse prevention, you do not need consent (though you probably want to not hang onto them for longer than necessary for those purposes). Same with names and addresses for billing and shipping, etc. If you collect data for analytics or targeted advertising, you need consent (which means rejecting that option needs to be the default and at least as easy as accepting in the dialog, something which many of these dialogues fail at. If it takes more clicks to close the dialog without 'accepting', that is not GDPR compliant in the view of most regulators).


Another good one is StopTheScript:

https://apps.apple.com/us/app/stopthescript/id1588394487

It disables JavaScript per website, just like “Disable JavaScript” extension in Firefox. It’s perfect for news websites where you just need to read some text.


This sounds awesome! But I installed it, enabled in extensions, went to instagram in safari and got their massive cookie thing. The app says Hush is enabled, is there anything else I need to do to make it work?



Ah thanks! Looks like that extremely obnoxious one can’t be blocked: https://github.com/oblador/hush/issues/54


GDPR in Europe is what started it all. The law says that you must get explicit user consent for all kinds of data tracking.

However it doesn't say how that should happen.

The annoying banners are completely a decision the industry has made. It's so weird to me that pretty much everyone adopted a near identical way to implement this. It also feels like retaliation -- a way to punish users by making these banners as disruptive as possible, and then blame it on regulations. It's like companies would rather destroy the web than give in and actually make it better.


> It's like companies would rather destroy the web

Weirdly they're only destroying their own sites though.


It’s also a remarkably stupid implementation. If you follow the rules [1] in a strict way, the website should be usable if the user denied consent to non-essential cookie usage. You don’t need consent for strictly necessary cookies.

So a bunch of websites don’t actually need a cookie banner, as long as they’re not using non-essential cookies. You could easily get consent for marketing/tracking cookies in an unobtrusive way.

Instead, a lot of websites must have seen a drop in conversion because no one wants to interact with these awful cookie popups that have a hundred toggles.

AFAIK the page-blocking cookie banners don’t just convert worse, they’re actually not permitted (you can’t block the experience to force consent).

On my end: unless your website is very important to me, I’ll just refuse the cookies or hit the back button and load the next search result.

1: https://gdpr.eu/cookies/


> you can’t block the experience

That doesn’t sound right. I think interstitial are permitted by the law, I don’t think it actually says anything about “the experience.”

> to force consent

The vast majority of website will work after clicking No, so that’s not forced. Only rarely I see “accept cookie or subscribe” banners.

I’m not even sure that this is not allowed either; user is technically forced to accept either because the “close tab” button is always available.


Technically speaking (I enforce GDPR on a technical level, not legal), you’re right on both counts. The interstitial isn’t forcing anyone to accept the cookies, and isn’t preventing the experience.

But… in real-life UX, we all know the users will just hit the most obvious CTA to accept all cookies because their experience is being effectively blocked.

The implementation is technically okay, but reminds me of r/MaliciousCompliance.


Why does the official EU site use them then? https://european-union.europa.eu/index_en


Most of the "turn off a zillion different switches" banners say something like "Powered by OneTrust". There's like 3-4 names I've seen on them, that's just the only one I remember.

There is now an entire sector of the adtech industry devoted to making a GDPR-compliance solution that is carefully designed to make it just frustrating enough that most people hit "sure gimme all the cookies, whatever, I just wanna read this stupid link". Someone was paid well to build these despite any moral qualms they may have had about making the entire Web a little bit shittier.


Exactly, these all look and feel the same, because they are all a third-party "add-on" that websites simply load in via a JavaScript snippet. There a handful of providers, many of which got their start with the original cookie banners.

I worked with one of these original cookie banners and the company behind it was absolute shit and understood nothing about how the internet works. You'd slap their JavaScript snippet on your site, they'd then "scan" your site and figure out which cookies appeared and what they did and display that to your customers, so you'd be complaint, technically. Except they didn't recognize half the cookies (and funnily enough still don't 10+ years later), they didn't understand that you don't need to display the session cookie, if it's just used to keep track of your basket or if you're authenticate, and they didn't scan behind authenticated pages.

These same bozos just extended their business when GDPR was enacted. They still understand nothing, they still do not care about why the law was created. All they do is provide a service that companies can buy and then continue to not change their business practices. This what these popup and banners are for, their are designed to avoid having to change an industry that has zero interest in your privacy.

It's actually remarkable that websites will accept a shitty user experience, if it means that they can track whatever percentage click accept.


> GDPR in Europe is what started it all

Cookie banners are a result of the ePrivacy directive, not GDPR.

Also we could have had something better than cookie banners if browser vendors and companies had collaborated on a standard. Imagine if cookie banners were implemented like the permission system, via <meta> tags or headers, we could get:

- automatic blocking by the browser of cookies not declared explicitly

- ability for websites to mark technical cookies (these are allowed with no consent)

- a global settings view in the browser of all the cookies allowed or denied

- and a uniform implementation everywhere

Instead we ended up with this shit. It’s definitely not the EU’s fault, the directive doesn’t say to use crappy banners.


That's victim blaming. The problem started with massive surveillance by tech companies.


Like DNT didn’t exist, and idiots take it to EU instead of companies


The problem with DNT was that it was a global setting as opposed to one that was per website.


Surely, browsers could create a setting to toggle DNT per hostname?


How is that a problem?


Because sites want users to judge them independently. Some users want to avoid shady sites tracking them, but may allow reputable businesses to track them. Reputable businesses being taken out as collateral from a global DNT is not good for them.


in reality any user which is savvy enough to turn on DNT knows that all tracking is shady


What are some better ways to do it?


Don't track users?

Magazines, tvs never did. Advertisers seemed to survive somehow.


I would love to see an A/B test that shows any significant difference in revenue if you just go whole hog on tracking, vs. tracking nothing for a campaign on any given product.


Respect DNT header


Without a law to enforce that, it's a race to the bottom as the more effective monetization is to use DNT as a signal for improved tracking.


Maybe its a good time to reshare this to check own trackability https://coveryourtracks.eff.org/


on firefox, this is very good:

I don't care about cookies

https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

or this version (not tried):

https://addons.mozilla.org/en-US/firefox/addon/istilldontcar...


Switch to the second, as the first has been bought by commercial entity Avast: https://www.theregister.com/2022/09/21/avast_buys_i_dont_car...


There's also [Consent-O-Matic](https://consentomatic.au.dk/) for other browers.


Does it automatically mark every option as “don’t track me or store my data plzthnx”? I couldn’t work out from the website if it’s doing that, or just removing banners.


Technically simply removing the banner SHOULD be the same as "don't track me" as you've consented to nothing... in the real world you're going to get tracked.

Honestly I'm not convinced that saying you don't agree to be tracked does a whole lot anyway way. These "We care about your privacy, so let us share your data with 617 partners" popups are generally all pretty questionable.


Everytime I see these kind of software, I wonder if it's really safe as it could be modified before publishing even if it's opensource.


Hush has been around for quite a while and is open, at least.


"Block nags to accept cookies and privacy invasive tracking"

Took me a couple of tries to parse the senetence. Is this blocking or accepting privacy invasive tracking? Guess the former but kept reading it as the latter.


I found https://github.com/oblador/hush#does-hush-accept-or-deny-per...

So neither it seems. Whatever the website does when a user doesn’t make a choice.


That is nice. That is why I don't use 'I don't care about cookies'. I do care, I want to press reject, if for nothing else than to send a signal.


Honestly interested why this was downvoted, which yes makes for boring reading but I hope it results in some interesting argument. If you need a cookie banner it means you are collecting users' personal information. For many websites this is totally unnecessary. I do not like it if a website tells me how important my privacy is to them and then asks me to accept sharing all the information they can about me with other commercial entities. For no functional reason. I don't want to press accept that. As a insignificant little protest I want press reject. I want their statistics to show that some people don't like data being shared.

"I do not care about cookies", when it cannot just hide a popup will accept the terms and removes the option for this small protest from me. That is why I do not use it. Is this somehow wrong, offensive, off-topic?


Finally, I've been looking to find something like this for a while now!


I've been using Hush literally since it came out. Love it.


There's also Consent-O-Matic https://consentomatic.au.dk/ for other browsers/platforms.


All this is doing is effectively accepting the website defaults on the hope that those defaults follow the GDPR rules. No thanks.


Author here, actually it's the opposite. I elaborate this in a comment on the issue tracker:

> Hush will block some specific scripts and hide some elements on the website, but can't and won't interact with the website itself and thus won't click on any buttons etc. I'm in EU so can only speak for our laws, but here the tracking/cookies are opt-in, meaning non-consent means not accepting. It's possible that some websites would adapt the behavior based on your geographical location, but I'd wager that most will go with the least common denominator and respect the GDPR laws everywhere.


You say its doing the opposite, but they you set out that it appears to be doing just that.

You are hoping/wagering that the site defaults to 'no collection if there is no user interaction. Sure they are supposed to do that, but how many do?


Hush is a great tool to manage annoyance blocking and is also free and open source which is nice.

I've developed a full Safari ad blocking app which includes similar features (amongst others), though if you only want simple annoyance blocking to supplement Safari's in-built tracking protection instead of a full ad blocker, Hush is a good option.


I’m trying to think of when I want my browser to make noise.

Outside of Squadcast, YouTube and CBC, and… I’m drawing a blank. I feel like allow listing a handful of websites to make noise would be fine.

Edit: Also, let’s see if anybody replying to this actually read the article I know this isn’t exactly what the article talks about but it’s what came to my mind when I saw the title.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: