Hacker News new | comments | show | ask | jobs | submit login
Adblock Plus “typo correction” feature adds affiliate IDs to links (translate.google.com)
167 points by AlexanderHektor 1261 days ago | hide | past | web | 167 comments | favorite

I cannot verify the claims, but I'll state the reasons once again about why I'm not using ad blockers:

1) free websites and web services need revenue and as long as the ads are tasteful, I don't mind them

2) I actually want websites to annoy me with lots of stupid ads, as I want to stop using such websites, because I want to reward publishers that don't do that

Ad blockers are trying to fix a symptom of the disease and in doing so they only help spreading and growing that disease.

"as long as the ads are tasteful"

This is the problem: the ads stopped being tasteful. Remember pop-ups? Remember how, when browsers started having pop-up blockers as a default, the response by the advertising industry was to try to circumvent the blockers, resulting in even more annoying ads? Remember how ad companies did not get the message when people stopped accepting their cookies, and now use dozens of techniques to track people? Remember how they said they thought Do Not Track meant "track but do not show targeted ads?"

Unfortunately, the annoying, intrusive, privacy-invading advertising is not limited to a handful of sites. It is all over the place. That's why ad blocking is important and necessary: we users should not have to suffer because of the advertising industry's greed.

I agree with both of those principals, but I continue to run an ad filtering proxy on my home network.

I don't do this because ads annoy me (of course they do, but for the above reasons, it feels wrong). I do this because a few years ago, certain less technical members of my family received a nasty bit of malware/rootkit combo delivered -- as best I could discern -- via a song lyric look up site. Another laptop picked up malware around the same time, though its source was more difficult to discern. In addition, about this same time, Microsoft and Google's ad networks were found to have some Flash ads that were malicious.

After spending a few hours reloading laptops (with the offending individual being my first experiment with Ubuntu on a non-technical user's PC), I got fed up and installed a proxy.

My computers all have local firewalls and anti-virus, but I'm sure nobody's surprised that they were still infected.

I wonder, is the state of these ad networks improved at all? Are there advertisement blocking tools that just target ads that have the greatest probability of being exploits (flash, java, smaller ad networks)?

Out of curiosity, how did the experience go for the non-technical Ubuntu user? Did it work out well?

I ended up switching to openSuSE because she was having a difficult time remembering how to connect to our network shares and I didn't have the spare time to sort out what it took to get Active Directory membership working. After the switch, though, we never went back. This was 4 or 5 years ago, and she's now my ex- (unrelated to software choices), but for what she used it for -- e-mail, basic document creation, YouTube (Flash at the time), music organization (I believe we used SongBird? ... whatever it was, she was happy with it), and (at the time) a SageTV client. Aside from having to learn what did what, where (which was pretty minimal, she was already using OpenOffice on Windows, and Firefox was Firefox, SageTV was SageTV, most things were familiar), it was great. She figured out, on her own, how to customize the background and some of the other user settings.

And I had fun from time to time connecting via SSH and making a song or two play when I knew she had to be cheered up. She thought that was a little creepy, but hey.

Not all of us block ads because they are annoying to look at. They are also a very real threat to privacy because ad companies track us across multiple websites (yes, I block Google Analytics and other trackers as well).

OTOH, I also feel tremendous sympathy towards websites trying to survive on ad revenue. I'm actually the type of person who still buys music to support artists.

I don't know what the solution is. We are forced to choose between being watched as we browse the web, staying completely offline, or blocking ads but not supporting the websites we visit.

Would you pay to subscribe to a service that paid the sites you use instead of them showing you ads?

No. Not because I won't pay certain sites for their content (I subscribe to LWN, for instance), but because I don't want to pay some aggregating middleman service that by necessity can then track across all the sites I visit.

In principle I like the concept of paying a fixed amount per unit time and splitting that across the sites I care about. In practice I don't see any obvious privacy-respecting way to do that.

That is an excellent point about micropayments. Creating a system that pays sites without a middleman that tracks visits would be challenging (though I imagine it's technically feasible).

Sure, I was always intrigued by the micro payments idea. Heck, if that we're the norm I wonder if it wouldn't promote better web content. I'd be more likely to spend more time on sites I wanted to support than the sensational sites I may feel guilty about having clicked through to.

But I don't think most folks think this way, so practically speaking I don't see micropayments ever working. Would love to be proven wrong.

Plus a huge number of people that adblock have been doing it for years and are basing the continued usage on the assumption that adverts now are similar to the adverts in 2006 - 2009. I use a lot of different websites with advertisements and I can't think of the last time I've seen an advertisement that auto-played sound or caused lag, whereas in 2008 it was a daily occurrence. The value that advertisements provide (support websites) greatly outweighs the inconvenience that current advertisements cause, even Youtube pre-roll adverts are not that bad after getting used to them.

I started blocking ads less than a year ago because of YouTube's pre-roll advertisements, since I'm perfectly capable of filtering out text based ads but a format that requires me to watch the ad to be able to view the content without letting me pay them is a deal-breaker for me.

Is it really that hard to let me pay a monthly fee to turn ads off?

Google is serving the vast majority of ads online and they already have the infrastructure in place to channel part of that fee to the content creators including knowing whom I visit and when.

Exactly this. Everyone needs to offer the option to pay in some way. If we could pay for a bundle of all sites even better.

Someone should make a paid adblocker service that shares revenue with site owners. Site owners can opt in to get a share of the revenue, so that each time a visitor using the adblocker visits their site, the site owner gets paid an amount equivalent to the potential ad revenue from that visit. That means they could serve up a custom ad-less page that's designed to look nice sans ads.

Users get a good adblocker that they don't have to feel bad about using, and site owners get to sustain the revenue they would've lost.

Maybe it could provide more benefits than just ad blocking? Perhaps it would just be a "premium membership to the internet". Site owners can take even more revenue if they implement even more features. More web app options, custom styling options, social badges, etc. The more a user pays a month, the more features he gets all over the internet.

The tech I'm developing makes this possible. The basic model is subscription sharing based on views, but it can be adjusted for time on-site etc. My intention is that the agreement with publishers is that they won't show ads to subscribers.

Yep I'd buy it.

If you're old enough to remember the start of cable TV, one of the promises was that it would have few/no commercials, because you're paying for it.

I'd trust very few web sites to stay ad-free if they switched to a pay model. The money is just too good for them.

The ethics of Ad-Blocking when you were promised / sold on something that was "Ad Free" only to end up with ads is a different question.

See Hulu, which says they still have ads in order to lower the subscription price.


I happen to be working on the technology to make this possible.

Exactly this? WTF? The "this" response was bad enough as it was. Now we are lowering the SNR even more by prepending "Exactly"?

s/Exactly this/I agree

Or eliminate it. He provided a small comment afterwards, and the replies to that comment are good. Not what I'd call noise.

Your comment and my response however...

I thought that "this" meant I agree. What additional information is conveyed by adding "Exactly"? Now when I encounter "This" I am going to be confused as to whether the author is agreeing in whole or in part with the parent comment.

Your comment has convinced me to turn off AdBlock; we'll see how it goes.

As if I need every single website hooked into Google Ads, all of them reminding me that I'm single, trying to sell me clothes, trying to sell me dating websites, trying to predict what I want in life.

It's invasive, and quite frankly, it's disturbing and creepy that the same advertisements follow me regardless of website. I feel like the guy in Pachebel's Rant, finding Canon in D across modern music, except what I'm finding is invasive Google ads, and I find them on most websites...

So no, I actively refuse the narrow demographic Google placed me into, and chases me around the internet with.

FYI, you can change some settings for google ads[1] so that you're not shown targeted ads at all (for example). You can also block ads to have them and related ads never be shown again.

[1] https://www.google.com/ads/preferences

Google also has an add-on if you want to opt out from Google Analytics.

[1] https://tools.google.com/dlpage/gaoptout

You can opt-out of retargeting. Seems that would solve your problem.

I opt-out by preventing the browser from emitting that HTTP requests. Why will I trust the ad-server from doing evil things?

We should live in a world where people who want this need to opt-in.

Conversely, three very practical reasons to use ad blockers:

1) You save battery life

2) You save data

3) Pages load quicker

And you lose no content in the process. So why wouldn't you? If you're using a fast machine hooked up to fibre broadband, perhaps it's a different matter, but as a mobile user it's a no brainer. And that isn't even mentioning the content of ads or privacy concerns...

If you think ads are necessary for the health of the internet, then they need to be presented a way that doesn't actively harm the experience of using the internet.

There's a growing segment of users that just don't want advertising in their faces, period. Thankfully a not-insignificant portion of these are willing to pay for it through subscriptions on sites that offer this. Not enough sites offer this.

I envision an "ad network" appearing eventually that doesn't display any ads, just distributes revenues from an aggregate subscription. Then sites can still be supported by spontaneous visitors and users can control their exposure to advertisements online.

This idea has been around for a while; I call it "microsubscription". Several companies have tried and failed to make a go of it. Kachingle is still limping along, though fatally hamstrung itself by picking a dumb, public fight with the New York Times.

As I said in reply to another of your comments, I've been working on the technology to make it possible to do this reliably for some time now. It's harder than it looks.

Very interesting. I figured someone must have tried it but hadn't found examples. Kachingle looks like a deeply flawed implementation of it.

What were the others?

From memory there was a few, but I've lost the links file I had. Contenture was one of them. There was a project at one of the journalism schools trying to push the same model too.

It's a good idea on paper, but actually making the market-building side work is really hard.

I've been focused on the technology side because hey, that's how I'm wired. Essentially, you can't rely on standard web bugs or javascript approaches; they're much too easy to subvert.

In my honours dissertation I identified 9 distinct attacks on the "naive" protocol and developed countermeasures for each. But that design is fatally flawed too. I have another design which ... well, watch this space: http://robojar.com/

I pay for Arstechnica premium for this reason. I have adblockers turned off on The Verge, and emailed them asking for a subscription option but received no reply.

I don't want advertising in my face, full stop.

That would be tricky. People would need to have a good idea of which sites they care about would have ads removed if they pay X dollars/month. Then maybe their favorite sites use three different networks, all of which they have to pay for. Maybe you could do it where the user picks the network, not the site.

Having looked at this for a while, the show/not-show needs to be decided at the publisher's server based on input from an authentication service.


    if ( auth.is_subscriber )
      puts advertisement_block

Right, my idea is that the user gets to pick which auth object to check against on the server

My design is authenticating per-request, so the publisher's server is the one that would decide what to query. From the user perspective it's opt-in.

The reason everyone should have ad blockers is to be free from exploitative coercion.

If someone could attach electrodes on your cranium and "reprogram" it so that it would permanently increase your propensity to buy product X by 10% in exchange for viewing an article on a website would you do it? Would you justify doing it by statements like "free websites and web services need revenue and I don't really mind the electrodes"?

I block all advertisements because the majority I've seen are manipulative and push us to constantly be purchasing shit we don't need by making us afraid we aren't good enough. Or they're just nakedly bold; "come spend your real dollars on this online game featuring this witch's breasts".

If websites have a problem with this they can just respond 402 to all my requests and I won't cry to anyone.

Some advertisers are just honest people trying to make money and I hope word-of-mouth will cover those. But for the rest of it, let's just say my life is much better without TV, radio, or magazines.

I do acknowledge a moral conflict when using add blockers, for the first reason you give. But ads and trackers have gotten out of hands, to the point where most of the chrome extensions I have installed deal with that type of things:

- Adblock - DoNotTrackMe - Disconnect

in addition to

- Quick Javascript Switcher (if I really get pissed)

Malware is also delivered by ads, a very important reason to block ads.

Ad blockers are trying to fix a symptom of the disease and in doing so they only help spreading and growing that disease.

They are like antibiotics creating stronger bacteria?

I don't block ads, I block surveillance. The lack of ads that I see is just a side effect of this.

Hmm, I haven't seen it that way. I guess I start stop using adblockers, too.

Now some of my daily news sources will become pretty unbearable ... but I guess I better look out for other websites that don't need to put up full site flash wrap-banners.

I too do not mind "tasteful" ads but unfortunately being a gamer leads me to man game related sites I do not trust and for good reason. More than once I have read postings where ad servers were hacked to server malicious items and more than once it was suggested the site operators didn't care. Fortunately being on a Mac as well as defaulting to strict blocking has protected me in every case.

I would not mind a solution that provides trusted ads. A system by which I can inspect what the site is trying to feed me and whitelist what I am willing to deal with.

How do ad blockers affect revenue? Don't they still fetch the ads but just limit the presentation of the ads? So it would be indistinguishable from someone who just does not click on the ads?

1. No they don't

2. Even if they did this would be very unreasonable, either you view adverts and the publisher gets paid or you don't view adverts and the publisher doesn't get paid. If you're triggering the pay-out criteria without actually doing whatever is required (view, click, interact) it's just moving the financial hit to the advertiser, which is still unreasonable.

Not my problem. The entire point of HTML is that the server sends files and I have a client that decides how to interpret them. I may be using a browser that is set to display larger fonts for my poor eyesight, or I may be using a mobile browser that decides to use different CSS, or I may be using Lynx that doesn't show images, or I may be using a browser that displays some images and not others based on a blacklist. It's not up to the server to determine.

No, one of the advantages of ad blockers is that they cut down on the amount of traffic, you don't download the ads.

In fact, several websites show you a warning message, or refuse to load, if you're running an adblocker.

Most block the loading of the url that contains the ad content. The website owners rarely host the ads they're displaying.

In that regard, it's very easy to detect if someone is using AdBlock or not.

Only if you own both the site and the ad network otherwise you'll be unable to tell if they made a request for the ad or not. There are also ways of getting false positives with that sort of test, for instance if for whatever reason the server that has the ad on it isn't reachable from the client (say a problem in one of the major backbones, or a bad DNS entry).

The usual approach I've seen sites take is they have some sort of "Please disable your ad-blocker" image that they load everywhere ads go, and then just overlay the ad image on top of that one when it loads.

I use mainly so I can search with Google. Without adblock, it's a nightmare on many searches, the first screen of my laptop is all ads (not including youtube, maps, Google local etc.

> Fuenfzehn Mitarbeiter, davon zwei Geschaeftsfuehrer, weitere Stellenanzeigen sind geschaltet, Bueros im Koelner Clusterhaus? Und das einzige Produkt ist eine kostenlose Browser-Erweiterung? Wie kann das funktionieren?

Fifteen employees, two of those managers, further job ads are taken out, offices in Cologne's Clusterhaus? And the only product is a free of charge browser extension? How does that work?

Additionally, this part seems important as well:

> Viel wichtiger: das ist also Till Faidas Verstaendnis von akzeptablen Werbeanzeigen: gefakte Testberichte und Auszeichnungen, pseudoneutrale Bewertungen auf anonymisierten Blogs. Artikel, geschrieben von der PR-Abteilung und Geschaeftsfuehrung eines Unternehmens, suchmaschinenoptimierter Content-Dreck fuer das eigene Produkt. Scam nennt man sowas in Fachkreisen!

More importantly: so this is Till Faida's understanding of acceptable advertisements: faked test reports and awards, pseudoneutral ratings on anonymised blogs. Articles, written by the PR-department and by the management of a company, search-engine-optimised content-dreck [i.e. crud] for their own product. Expert circles tend to call this scam!

[the translation isn't the prettiest but hopefully quite close to the original in both meaning and intent]

[edit] The whole "mafia" argument seems to stem from these questionable practices of "anonymous" and thus seemingly neutral feedback, originating from within the company itself.

[edit 2] fixed first translation, since I forgot the half-sentence "weitere [...]"

Interestingly, Amazon is changing the terms of their Associates program to (among other things) specifically prohibit browser plugins from being eligible for sales commissions:

  7.	Except as agreed between you and us in a separate written agreement 
  referencing this Participation Requirement, you will not use any Content or 
  Special Link, or otherwise link to the Amazon Site, on or in connection with:

  a.	any client-side software application (e.g., a browser plug-in, 
  helper object, toolbar, extension, or component or any other application 
  executable or installable by an end user) on any device, including 
  computers, mobile phones, tablets, or other handheld devices;
- https://affiliate-program.amazon.com/gp/associates/help/oper...

Lets try an experiment with Amazon referrers.

(a) Take a "randomly" sourced blog post for a book review:


(b) Check links to amazon:


(c) Click through and check URL:


Looks OK. Anything I'm missing?

It has something to do with their feature called typo corrections, only available for Firefox right now (I have only ABP for Chrome/FireFox). It has to be enabled, if it is enabled by default for all user or not, I'm not sure.

typoRules.js downloads urlfixer.org/download/rules.json?version=2 where the redirect is made if you type for an example: amazon.comm, I get (FireFox only) redirected to their affiliate amazon.com link.

For an example, amazon.co.ukk gets redirected to http://www.amazon.co.uk/?tag=uf07d-21


Some of the lines of that file:


reply to edit:

If I change the .com to .comm it changes the URL to:


So this is only for mistyped (edit) manually typed referrer URLs?

I guess so. Here they even admit it's their revenue source and that it won’t be enabled by default....


I tried with typo corrections on, but did not see any differences.

I edited my answer a bit, try for an example amazon.co.ukk, still no difference?

AdBlock Plus confirms most points via heise.de (updated half an hour ago): http://www.heise.de/newsticker/meldung/Schwere-Vorwuerfe-geg...

> In einer Stellungnahme bestätigen die Macher von AdBlock Plus die von Pallenberg aufgezeigten Zusammenhänge weitgehend. "Ein Großteil der Informationen zu der Zusammenarbeit mit unseren Partnern ist korrekt recherchiert, einiges nicht", heißt es in einer Stellungnahme von Mitgründer Till Faida, den Pallenberg in seinem Artikel kritisiert hatte. "Im Gegensatz zu Sascha Pallenberg sehen wir in der Vernetzung keinen Gewissenskonflikt."

The makers of AdBlock Plus largely confirm Pallenberg's connections in a statement. "The bulk of the information about the cooperation with our partners is investigated correctly, some isn't", according to a statement by co-founder Till Faida, who Pallenberg had criticised in his article. "Unlike Sascha, we do not see a moral conflict in this interconnectedness."

>Das Unternehmen ist überzeugt, dass sich Werbeformen wie die "Acceptable Ads" langfristig durchsetzen wird. Das Whitelisting sei für kleine und mittelgroße Webseiten kostenlos. "Dabei haben wir immer transparent geäußert, dass große Unternehmen unsere Initiative finanziell unterstützen." Eine Bevorzugung dieser Firmen gebe es jedoch nicht, die Kriterien seien für alle gleich. Auch die Kriterien der Entscheidungen durch die Community seien "vollkommen transparent".

The company is convinced that advertisement forms like "Acceptable Ads" will prevail in the long run. Whitelisting is free of charge for small and medium-sized websites. "We have always transparently communicated that big companies support our initiative financially." However, preferential treatment of these companies does not exist, the criteria are the same for everybody. The criteria for decisions by the community are also "completely transparent." [1]

[1]: The whole paragraph is difficult to translate since it makes extensive use of indirect speech, which is marked by the German Konjunktiv, without a clear marker of a speaker. The whole paragraph is a mixture of direct quote and paraphrasing of the company's own words and thus represents entirely the company's view and assurance that everything is fair, transparent and openly communicated.

[edit] tense in the first paragraph [had criticised]

I'm struggling to fully understand the article due to the poor Google Translation. Anyone offer some concise clarification as to what ABP is actually doing? Is it "just" that they are changing Amazon referral links on websites to their own referral links so they get money instead, or is there more to it than that? Are they even actually doing that? (Or is it just that they aren't blocking referral links made with software by one of ABP's creators?)

EDIT: I came across this from a few months back: http://www.digitaltrends.com/web/adblock-plus-accused-of-sha...

Seems to be about some similar stuff

They are also allegedly not filtering a set of white-listed ads, most of which come from companies that pay 30% of their ad revenue to the company behind AdBlock Plus.

ABP has had an option to enable some white-listed ads for a while. It's ticked by default, but it's not exactly hidden...

I came across this article which seems to back that up: http://www.digitaltrends.com/web/adblock-plus-accused-of-sha...

(from a few months ago)

Allegedly they are changing Amazon referral links and on top of that they automatically convert non-affiliate links to affiliate links with their own ID wherever possible.

that paragraph is difficult to understand even in german, to me it sounds like not apb, but another addon ( http://urlfixer.org ) is the one with the amazon link tampering.

What I find disturbing: the author of Adblock Plus famously went on a rant a long time ago about how people approached him to pay him to do various things with his popular extension, such as change default search engines. He refused, very publically, and bemoaned the likelihood that other extension authors might not.

And then the oxymoronic "Acceptable Ads" happened, and the painfully bad "typo correction" anti-feature (no, I really mean wikimedia, not wikipedia), and now this which ties into the "typo correction" bits. All of which are either on by default or pester the user to turn them on. And every one of these creates a new support issue for me with people I set up Adblock Plus for.

Is this in any way related to the "AdBlock" extension (not "...plus")? https://chrome.google.com/webstore/detail/adblock/gighmmpiob...

Apparently not:

"AdBlock is not to be confused with Adblock Plus. The developer of AdBlock for Chrome claims to have been inspired by AdBlock Plus, which is a community supported development effort, but otherwise the two efforts are unrelated."[1]

[1] http://en.wikipedia.org/wiki/AdBlock_(Chrome)

Huh... well that clears up a lot.

I've tried both and was curious as to why the "Plus" version of an extension allowed tons of ads when the regular "AdBlock" did a perfect job of never showing me ads. I guess that answers that question.

Correct. Adblock is supported by donations only.


Thanks, I was getting mighty confused about adblock and thinking, "I didn't think this was even a German property"

From the article: Investors in Adblock Plus / Owners of the company behind Adblock Plus also invest/own ad-network companies, which they put on the white list while they keep out competitors. The article claims one can buy oneself onto the whitelist.

http://adblockplus.org/en/features :

"Adblock Plus will always block annoying ads. Still, many websites rely on advertising revenues so we want to encourage websites to use plain and unobtrusive advertising instead of flashy banners. That's why the Adblock Plus community has established strict guidelines to identify acceptable ads, and Adblock Plus allows these out of the box. You can always disable this feature if you want to block all ads."

Could this be related?

Link to the guidelines: http://adblockplus.org/en/acceptable-ads#criteria

Edit: I just contacted Till Faida about this, will keep this post updated.

A blog post on the Adblock Plus-website from 44 days ago mentions a "joint campaign" by several German newspapers against ad blockers. I imagine this is part of it, although that's doesn't necessarily mean that they are wrong and/or exaggerate their accusations.

See here: https://adblockplus.org/blog/our-thoughts-on-the-unity-of-ge...

no that is something different. (at least the joint campaign had pretty much no arguments, whereas the submission raises a few doubts, to say the least.)

I have Adblock Plus installed, but comparing an Amazon affiliate link in Firefox with Adblock Plus, with one in Chrome (no Adblock Plus) shows no difference.

There are several points at which the link can be changed from when it loads to after it is clicked. Did you compare every scenario?

I compared before clicking, and the final page I ended up on at Amazon's site. Both were the same.

I can't find any reference to Amazon in the source code.

The source code is over there (GPL): https://hg.adblockplus.org/adblockplus/

The article seems to say this is related to the typo feature, but https://hg.adblockplus.org/adblockplus/file/tip/defaults/typ... has never changed since the introduction of the feature in 2012-11.

typoRules.js downloads http://urlfixer.org/download/rules.json?version=2, which contains (among others):


Okay. It seems that if I enable the typo feature (which is disabled by default, I've just checked in a clean profile) and go to amazon.comm, I get redirected to http://amazon.com/?tag=uf024-20

ABP notifies me of the redirection, and I can accept or blacklist it.

Yeah it seems to be default off, and they're not hiding the fact that this is a monetization source: https://adblockplus.org/blog/typo-correction-feature-in-adbl...

However it appears to add that tag only if I typo the name, if I follow a good Amazon link (with or without the affiliate) then it doesn't get 'corrected'.

Although since the rewrite rules are downloaded from a remote location (over HTTP, not even HTTPS!) they could in theory decide to rewrite any links in the future, without many people noticing.

While they could update the list, it's still typo correction. As implemented, the url needs to be typed in the location bar and the domain can't exist.

Edit: sorry about that last part. http://amazon.co does exist and does get corrected.

IIRC I've seen it suggest me typo corrections even when visiting valid websites.

So what's a good alternative (Firefox)? I'm using GlimmerBlocker, but due to being a proxy, it can't filter HTTPS pages.

Adblock Edge looks like a decrapified fork of Adblock Plus.

I just founds this, it's a fork of Adblock Plus:


I use the venerable (but still actively maintained) Privoxy, which is a proxy but still does most of what I want on HTTPS pages. It can't examine the page contents themselves, but it can block 3rd-party requests by hostname, which gets most of the web-bugs and such.

I had some problems with loading times/pipelining in Opera (12.x) and Privoxy and hence changed to AdBlock (which appears to be the same as AdBlock Chrome referred to above). Browsing became much smoother afterwards.

The easiest to audit is to change /etc/hosts to send malware sites to I use Dan Pollock's hosts file, which is well-commented:


I keep a Git repository with the contents that I update from time to time - this makes it easier to do diffs against past versions: https://github.com/chalst/pollockhostsfork


On the hardware I've looked at, loopback requests are handled in well under a microsecond - I guess this case is not worth optimising.

On Linux, is a broadcast address, while on Windows, it is a sink address.

If you want a smaller HOSTS file (useful with Windows) that only targets advertisement and tracking servers, I've found HP Hosts' ad_servers.asp list to be good.


Firefox addons for privacy and security with usable settings:

- AdBlock Edge. Filter subscriptions: EasyList, EasyPrivacy, Disable Malware, Fanboy's Annoyance List, Prebake

- NoScript. Use "allow scripts globally" or otherwise most websites won't work. It will still protect against know attacks.

- Cookie Monster. Then set global/default preference to saving cookies for session only.

- FireGloves. Uncheck "disable plugin and mimeType lists" in Cloak Settings.

- HTTPS Everywhere

- LastPass

Is there some mistake in your NoScript item? Installing the plug-in and then using "allow scripts globally" is the equivalent of never installing the plug-in. It provides almost no value at all when run that way.

No. It stills protects against known attacks, like XSS attacks. If you block scripts by default you'll have to configure what scripts to allow every time you visit a new site, or every time the site adds new assets.

requestpolicy <- simply blocks all traffic to external webserver

RequestPolicy suffers of the same problem as NoScript with default settings: it blocks everything and you have to waste time configuring what JS files are allowed in each site you visit. Your browsing becomes 10,000% more inefficient.

I use noscript as well as adblock plus.

Ghostery. Can't recommend it highly enough; also works on Chrome, Safari, Opera and IE.

Ghostery users should be aware of: http://www.businessinsider.com/evidon-sells-ghostery-data-to... (no judgement on the practice implied, just flagging it as something for potential users to consider).

Ghostery alternative: https://disconnect.me

Disconnect has generally been working better for me than Ghostery did too; although some parts of the Disconnect UI I still find more confusing and harder to use than analagous parts of ghostery.

And open source apparently! https://github.com/disconnectme/disconnect

But isn't that only if you enable Ghost Rank, which is disabled by default?

That's correct.

Changing Amazon referencial links... Seriously? and this guy is asking for donation putting forward his wife and his life.

I think you are talking about AdBlock, Adblock Plus is different.

Are those two programs made by different people? I thought one was just the paid version of the free one.

Adblock Plus - company in question.

AdBlock - Donationware. They also run this http://chromeadblock.com/catblock/download/ It replaces ads with pictures of cats. Hilarious

They are different, but can anyone be blamed for confusing the two?

Adblock just very noisly requests a donation, it doesn't require you to actually pay. Adblock plus does not do either.


FYI: The article is separated on 2 pages:

http://www.mobilegeeks.de/adblock-plus-undercover-einblicke-... http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...

The allegation concerning rewriting links is on this second page, for example.

Just did it.

(Edit: The headline used to be "Adblock Plus is changing Amazon refs", but it has been fixed. I commented on the new one below [6].)

I'm a developer at Eyeo, working on Adblock Plus. Adblock Plus is not changing Amazon links. TFA is ripe with FUD, but it doesn't even go this far.

Maybe this was a major misunderstanding of the typo correction feature [1], which is opt-in, only implemented in Firefox and merely corrects typos in URLs, always telling what it corrected. I was never really sure how it fits into ABP, but I fail to see how this could be considered shady.

Other than that, the only thing Adblock Plus does is block content. Which content that is depends on the filter lists you use. There are defaults, but you're free to use any you like, or create your own. It's usually ads, but ABP is also pretty good at blocking any kind of tracking [2].

Back to TFA. The main allegations are:

1. The CEO and the angel investor at Eyeo have ties to the ad industry

2. Adblock Plus is letting ads through if sites pay for it

3. Adblock Plus is burning money

One at a time:

1. This is true. Eyeo was founded to find a middle ground between users blocking ads and sites monetising from ads. The idea is that there are decent ads that most people wouldn't want to block, in the sea of horrible ads - "acceptable ads" [3]. "The ad industry" is not a single evil entity that wants to blind us all, some people in it actually want to make ads better. Hence Wladimir joined forces with them.

2. Every site can have their ads whitelisted, and ads that violate the criteria [4] will not be whitelisted. Some sites are supporting us financially, others don't. I think the main controversy is that this feature is opt-out rather than opt-in.

3. I disagree. More than half of the employees on the payroll are working remotely, deliberately. We wouldn't even all fit into the office, which is nice, but cheap (it's a building that's going to be demolished in 1-2 years). We're barely profitable, nobody's getting rich. We manage the infrastructure that delivers the filter lists - which are used by literally every other ad blocker out there, for free, and that's fine. Everything we create is open source [5], everything can be forked, and that's fine.

[1] http://adblockplus.org/blog/typo-correction-feature-in-adblo...

[2] http://adblockplus.org/en/features#tracking

[3] http://adblockplus.org/en/acceptable-ads

[4] http://adblockplus.org/en/acceptable-ads#criteria

[5] https://hg.adblockplus.org/

[6] https://news.ycombinator.com/item?id=5947553

Wow, the headline has been fixed. Gotta love HN. It used to be: "Adblock Plus is changing Amazon refs", now it's "Adblock Plus “typo correction” feature adds affiliate IDs to links". (I'll have to point out though that this is not a major point in TFA, I didn't even see that mentioned in there.)

Yup, that's right. This is the URL fixing functionality only implemented in ABP for Firefox. If you type amazorn.com, Adblock Plus will correct it for you (if you activated this feature, it's opt-in), sending you to amazon.com.

ABP does indeed add an affiliate ID to those links, it was a monetisation idea. We've been open about this [1] (See "Monetization"), nobody's being tracked and nobody's seeing any extra ads.

I had and have some doubts about this making sense as a part of ABP, but I wouldn't consider it shady.

[1] http://adblockplus.org/blog/typo-correction-feature-in-adblo...

There are some things you could improve about typo correction to make it consistent with how you handle ad-blocking rules:

* Update the rules over HTTPS, not HTTP

* Filter preferences should show the typo-correction-rule URL, just as it does for ad-blocking rules, and it should be possible to inspect them by clicking

* typo correction should probably only be used if the target website doesn't actually exist. See elsewhere in the comments, that is what how one would normally expect it to work.

As it is now the fact that typo correction even uses an insecure, remote list of rules is not at all obvious from the UI, instead its hidden away in the code.

Of course its also a bit confusing on why typo correction is even part of AdBlock Plus to begin with, as there is another extension just for that purpose - urlfixer. If someone wants typo correction you could suggest them to also install urlfixer, but it doesn't really make sense to have two unrelated features in one extension. Don't try to become an extension that does everything...

Frankly, I have no idea why it's not being served over HTTP (there must be a technical reason, Wladimir is a HTTPS zealot), and I'm not sure why the corrections URL is not configurable. I bet we discussed that in the blog or the forum, but unfortunately the site's down right now :(

As for correcting URLs that do exist, I think the idea was to avoid phishing sites and parking sites. But IIRC we did have a considerable number of false positives, so it's a questionable approach.

I'll argue for removing it from ABP now. URL Fixer is from us as well (it's the same code we have in ABP), so anyone who liked it can just install that. I'd rather have ABP do one thing, and do it well, feature creep is a thing...

Edit: It's decided, we'll remove the feature.

Thank you for stepping in with some info before the pitchforks come out. Combining your statements with the fact that the js itself shows Amazon URL rewrites are only happening for people who have opted-in to the typo correction feature makes this seem much ado about nothing. The company could have been more transparent to begin with, but you guys have done a lot to improve the online advertising experience.

Thank you for the thanks :) What we do attracts bad press and subsequent flamewars, and I usually shy away from getting into those. But I couldn't bear this unreflected FUD on HN, which is important to me.

I suppose we could have communicated better. Maybe we should have talked more about our employees and their backgrounds, about who is whitelisted and why. We've made mistakes, and we're trying to learn from them.

The allegations concerning changing referal links are based on a source file of the extension. Did anybody check that? Any real proof or is this just a leftover?

This must be why Amazon Associates changed their Terms of Service starting July 1. https://affiliate-program.amazon.com/gp/associates/help/oper...

> “7. Except as agreed between you and us in a separate written agreement referencing this Participation Requirement, you will not use any Content or Special Link, or otherwise link to the Amazon Site, on or in connection with:

> a. any client-side software application (e.g., a browser plug-in, helper object, toolbar, extension, or component or any other application executable or installable by an end user) on any device, including computers, mobile phones, tablets, or other handheld devices;

> [...]

There is NO proof or evidence of tampering with amazon refs.

Still a lot of people are reporting the extension or looking for alternatives in this thread.

Seriously: Not everything you read on the web is true. This smells like a smear campaign, nothing more - until real evidence or proof is shown of the claims.

You have to enable the typo option and it happens.

See https://news.ycombinator.com/item?id=5946194

Objection here from Till Faida (CEO) here: http://t3n.de/news/adblock-plus-geschaftsfuhrer-476502/ (German)

The link refers to a given interview (http://j.mp/138mDHs) with Till Filda (Owner of Ad Block Plus) who gives the information that user can opt-out of the build in "Acceptable Ads program".

In his words the reason for an acceptable ads program seems to be showing acceptable ads (non flashing, blinking, annoying, ...) to the user which seems legit.

Can't understand the 'Mafia' term in this. It's a free product this is their business model. You as a user choose if you accept (or opt-out) this or leave the product behind.

For Firefox users, there is Adblock Lite, a fork created after the "Acceptable ads" story on AdBlock Plus a few months ago:


"Adblocklite is a fork of the Adblock Plus version 1.3.10 (classic UI) extension for blocking advertisements on the web. This fork will provide the same features as Adblock Plus 2.X and higher while keeping the old UI but without "acceptable ads" feature."

Site also seems to be suffering a mafia-like DDoS attack.

This seems a lot like cookie-stuffing.

AdBlock and AdBlockPlus are free to run their company any way they want (within reason). However, this is a serious breach of trust. They should inform me of any change or re-direct they perform - before they do it.

The essence of this is you need to decide the answer to two questions:

1. What are your personal ethics?

2. Who do you trust?

To put (1) in context, the content on the Internet is largely provided free but is ad-supported. When it comes to display advertising, it's sold almost entirely on a CPM basis (it may be resold on an eCPC or eCPA basis). It is at best only partially sold on an intent basis (meaning it's enticing you to click on the ad or otherwise take some kind of action).

The relevance is that the most common "defence" of ad-blocking is "I never click on ads anyway". While that might be true (let's just say that the people who claim to have never clicked on an ad is a proper superset of the people who have never clicked on an ad) it's also irrelevant since that may not be the intent and the publisher is getting paid to display the ad, not for you to click on it (unlike, say, search advertising, which is intent based).

So the ethical part here is you need to decide if you're OK with denying publishers income yet still consuming their content. If you are against ads for whatever reason and don't consume the content, that's a position I can respect, otherwise it just strikes me as rationalized freeloading but YMMV.

As for (2), the big players like Google who dominate display advertising are regulated and deeply concerned (believe it or not) about privacy and the user experience. That's why you can opt out of personalized ads [1], for example. I may be biased [2] but I trust Google far more than I trust some fly-by-night operation. Again, YMMV.

Recently there was a story about Ghostery reselling user data to advertisers [3]. How much can you really trust these basically unaccountable groups (in comparison)?

I should point out that there are two issues here that intertwine:

1. Ad-blocking;

2. Privacy.

My personal code of ethics is I don't block ads because honestly I mentally block them out anyway. Going to the Westin site then seeing ads for the Westin everywhere doesn't particularly bother me.

If a site has particularly egregioius ads (I include popups, most interstitials and any ads you need to dismiss in this category) then all bets are off. Block away. Banner ads however? Sure, why not?

But where I draw the line is with uselessly giving away your privacy in a way that doesn't benefit publishers at all. I include all the various "Like" and "Share" buttons here. All of these track for no benefit to the publisher (other than the hope that you might use one).

Those I'll happily block. Likewise if you're Quora and you blur answers because I'm not logged in with Facebook, well you'll get technically circumvented as well and I may just block any ads you have just because you're being offensive.

Anyway, just consider that ad-blockers have access to a wide range of your data as well and ask yourself what they are doing or might do with that data. Is it really worth denying publishers income to not see an ad for shoes? Really?

[1]: http://www.google.com/ads/preferences

[2]: Disclaimer: I am a Google engineer working in display advertising

[3]: http://www.lifehacker.com.au/2013/06/ad-blocking-extension-g...

I don't use Adblock Plus. I don't block ads as such, just because they are ads. I don't mind ads. I believe in supporting sites thru advertising.


* I cannot tolerate anything moving on the page. It prevents me from reading text, and I'll do whatever is necessary to turn it off, regardless of the effect on the site's advertising schemes.

* Sites don't have any right to expect me to run their Javascript or other code. I'll turn it on only for functionality that I have a need for.

* I won't tolerate tracking, and therefore turn off requests to domains other than those necessary to read the content on the page.

So, again, I'm fine with ads - they just have to respect my reasonable limitations.

And the line about Google respecting privacy doesn't pass the laugh test. If I'm tracked across the web by Google includes, the privacy violation has already occurred at that point, regardless of what Google does with the data after they collect it (same goes for other data-miners).

You mention the privacy implications of "Like" buttons but neglect to mention the privacy implications of the ad networks.

Remember when Double Click started building a database of every Internet user and their preferences (and were foolish enough to mention it publicly)? Your employer now owns that database.

For me, it boils down to this: every time I turn off AdBlock I have to turn it back on because of the blinking and other very distracting ads. They are so "in your face" that I can't concentrate on the content. I usually last a day.

Perhaps I should just selectively block ads on the sites that do this, but I've found that tedious in the past.

At the end of the day the ads hurt my brain. I don't think you can really block them out mentally, as you claim. Can you block out really loud noise, for example? I don't think the brain works that way. You might think you blocked something out mentally, but you would probably still have increased stress levels.

I don't really feel unethical for using Ad Blockers. I don't think watching ads is the same as paying. I figure ads are about statistics and advertisers count on only reaching part of the audience. Since I definitely never click on ads, I am not part of that target audience (except for the unavoidable minor brainwashing).

I might still help out a site owner by recommending their site, thus attracting other people who might then click on ads.

I am not responsible for a site owners business model, either.

In the age of AdWords I figure pay-per-view ads must be very rare?

>Recently there was a story about Ghostery reselling user data to advertisers [3]. How much can you really trust these basically unaccountable groups (in comparison)?

Except all the data collected and sold was opt-in and they told you it was anonymized and sold on the page next to the opt-in checkbox

I don't think the personal ethics issue is that simple and clear-cut. For example, I use both an ad blocker and a readability tool (in my case, it's Evernote Clearly). I started blocking ads long before stuff like Clearly was invented, but the motivation is the same: I want to read the stuff I came to read and all the other crap on the page is making it difficult to do so. If I stop using an ad blocker, I would still use Clearly.

My point is, would your ethics also preclude you from using a readability tool?

Now, one can argue that a tool like Clearly is okay, because it requires you to click on it and it gets rid of the stuff that distracts you, but the ads still get displayed in the first place. What if someone made a tool that downloads the ads, as if to display them, without ever displaying them? By using such a tool, you wouldn't be denying publishers income while consuming their content, but you would still be gaming the system. How ethical would that be?

Again, the hard line would be to either a) suck it up and consume both the content and the crap together, or b) refrain from consuming the content altogether. But the hard line approach doesn't really solve anything, except giving you the moral high ground.

There's a real problem with the ad-supported content and the problem is the conflict between what the advertisers want, which is to force you to pay attention to their ads, even at the cost of breaking your experience, and what the content consumers want, which is to consume the damn content without being distracted or even badgered.

Even most of the so-called non-intrusive ads are annoying, because they're inserted where they're supposed to draw your attention.

Ads aren't just screen real estate. They're also bandwidth and CPU hogs.

And a security risk, to boot.

I don't know if you'll see this, but I'm curious: would you prefer to live in a world without AdWords? That is to say, all things being equal, if Google magically had revenue from another source and AdWords did not exist, would you prefer that world?

If not, what value do you believe AdWords brings to the table, beyond the value of organic search results?

I think Adblock is a reasonable choice as I woulda rather have micropayments for content vs advertising. However, I mostly browse on an iPad which does not seem to have any add block options.

The defense of advertising is the desire not be coerced.

*The defense of ad blocking


>Whenever typo correction brings you to the site of a large online shop an affiliate ID will be added to the address. This makes sure that if you buy something there we get a small amount of money from the shop.

Mentioned on their website.

The original, german text does not state that ABP actually rewrites amazon affiliate links. It mentions "Amazon" once, in a sentence which could be translated at "..how to justify drying up financial base (which are amazon links) for thousands of small blogs.."

(That doesn't mean ABP does not change amazon referral links, though)

There is a second page that is overlooked quite easily: https://news.ycombinator.com/item?id=5945942

Could it be a typo, i.e. that adblock plus charges (money) for allowing people's amazon refs through the filter? Although if you check exceptionrules.txt there are only 3 domains that have amazon links whitelisted.

EDIT: apparently the 2nd page of the article writes about the possibility of changing links.

It's not a typo. Here is a manual translation of the paragraph containing the allegation:

    Schaut man sich den Quellcode von Adblock Plus an, dann stolpert man ueber die “typoRules.js”" welche Vertipper in der Adresszeile des Browsers ueber eine dann nachgeladene Datei http://urlfixer.org/download/rules.json korrigiert. Den Spass gibt es uebrigens auch als separates Add-On http://urlfixer.org, ebenfalls vom feinen Herrn Palant!

    Und jetzt anschnallen, denn dabei werden fuer alle internationalen Amazon-Shops automatisch die eigenen Amazon-IDs angehaengt!
"If you take a look into Adblock Plus' source code, you will trip over a "typoRules.js", which corrects typos made in your browsers' URL bar with the help of the subsequently loaded file http://urlfixer.org/download/rules.json. By the way, you can obtain this funny little gadget as a standalone add-on from http://urlfixer.org as well, from the same honorable Mr. Palant!

Now fasten your seatbelts, because this automatically adds their own Amazon IDs for all international Amazon shops!


How so?

Isn't it possible to just check the source code of FireFox addons?

Would be good if somebody could confirm if that is the case.

Can anyone confirm/deny if the article points to any specific code? It's down.

Can anyone actually confirm this?

You have to enable the typo option and the amazon referrer rewrite happens.

See https://news.ycombinator.com/item?id=5946194

I think the word "rewrite" is misleading in that context. ABP does not rewrite existing referrers (which would in fact be "mafia style"), instead it adds its own referrer when correcting/rewriting links with a typo:

  amazon.com/?tag=someReferrer will not be changed 
  amazon.comm will be rewritten to amazon.com/?tag=uf024-20

Not much better, arguably worse. If my intention was to go to Amazon.com, they're now "helping" me and writing a cookie that wouldn't have been there, and earning $ in the process. A bare WWW request should never result in affiliate income.

I tend to agree with you, but I'd be happy for Pinterest to convert any non-affiliate links to affiliate links. They'd need to make it very clear what they were doing before doing it.

I get value from Pinterest's collection, so I'm happy for them to skim a little bit of money from my purchase. Shopping is hellish, and Pinterest makes it easier for me.

I am aware that they got into trouble for using skimlinks to convert links. (I think they were converting affiliate links to their affiliate links which is pretty dodgy.)

Who's been using Adblock Plus after they whitelisted sites behind your back? It jumped the shark. Move on to one of the dozens of lightweight, superior forks.

Recommend us one?

When I click the page, it just loads google translate recursively. http://imgur.com/JJJ231i

On a related note, has anyone considered the fallout of a popular extensions like Adblock/Adblock Chrome etc being compromised?

NoSCript http://noscript.net/ is way better

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact