lcamtuf, (edited)

You know, I really dislike ad blockers from the security perspective. They need exceptionally broad permissions that make the extension a juicy target for attacks. Pop one of the maintainers' Google or Github accounts and own hundreds of millions of people overnight - their email, bank accounts, social media identities, and all that.

The consequences of simple coding errors are similarly disastrous - and I bet that there are some good UXSS bugs lurking in all that JavaScript.

For these reasons, I resisted ad blockers for 20+ years, and I endured countless cookie prompts, subscription interstitials, "sponsored results", and unskippable ads. But around 2020, the anti-user patterns on the web have gotten unbearable. And I say this as a person who grew up in the era of auto-playing Flash-based pop-under ads.

I'm not a security absolutist. It's all about trade-offs: the convenience of using a modern web browser, for example, generally outweighs the risks of living with its massive attack surface. But in the case of ad blockers, you gotta take a hit just to continue to browse in peace. It blows.

KarlE,

@lcamtuf my "adblocker" is a combination of NoScript and a few dozen diverts to 127.x.x.x IPs in /etc/hosts
It doesn't free me from the increasingly obnoxious YouTube ads, but other than that it cleans things up quite well. I just keep wondering why pages have big gaps in their content. 😉
I am well aware, this is all dependent on preferences and browsing habits. "YMMV"
@isotopp

happyborg,
@happyborg@fosstodon.org

@lcamtuf thanks for flagging that, I still use Firefox + uBlock Origin for a few things but have dropped Firefox mostly.

One easy safe option is to use Brave Browser, though I hate to recommend it. Should be harder to introduce malbugs there I guess?

I started using Brave with all the bullshit turned off because Firefox was crashing daily on my mobile, and grinding to a halt on my laptop.

They just added tab groups and the UX for that works quite well even on a 5" mobile screen.

mattsqu,
@mattsqu@chitter.xyz

@lcamtuf I've been running with JavaScript off on my primary browser for years now, then just whitelisting domains when I have to. Quite a lot of effort, but as you say the web experience is awful by default. =|

xdydx,
@xdydx@mastodon.social

@lcamtuf
One can minimise the risk by using a multi-browser strategy.

One browser. Preferably , set to not accept cookies at all. as you go. Use for email, banking and

One browser. Maybe or . Use for general browsing. Install as many extensions as you like to remove ads, cookie permission notices, etc.
Clear when it becomes slow.

Cont...

iquaanyin,
@iquaanyin@mastodon.social

@lcamtuf @tqbf I've always felt exactly the same. Finally had to start using an ad blocker a couple years ago. It was either that or get off the web, and I want to be on the web.

chadgeidel,
@chadgeidel@mastodon.cloud

@lcamtuf I have not reviewed the code, but I generally trust the EFF and have used their plugin as my adblocker.

In my case Privacy Badger combined with modern browser tech is an acceptable trade-off.

tommertron,
@tommertron@masto.yttrx.com

@lcamtuf This. A thousand times this. I actually want to support sites by viewing their ads (or paying them) but the auto-playing videos, CSS screen-takeover pop-ups, tracking cookies, and JavaScript-bogged sites make it so difficult. Just have a simple banner ad and I won't block it, I swear.

maarteuh,
@maarteuh@mastodon.workingweb.nl

@lcamtuf Considered Pi-hole and similar DNS blocking solutions?

lispi314,
@lispi314@mastodon.top

@lcamtuf The proper solution would start with something like uMatrix being built into the browsers.

The user should be in control of what resources and from where a site is even allowed to load them anyway.

Of course, for that to work without pre-existing lists the user has to be willing and able to work with a whitelist approach, which many aren't.

mark,
@mark@mastodon.fixermark.com

@lcamtuf I suppose one could hypothetically consolidate risk by choosing a browser with an integrated ad blocker.

The risks are still there, but the trust story overlaps when the ad blocker vendor is the same one that created the whole user agent.

albertcardona,
@albertcardona@mathstodon.xyz

@lcamtuf

One solution is to use different browsers: one for trusted websites (e.g., for banking), another for shopping online, and yet another for everything else. The latter one has an ad blocker.

You can have your cake and eat it too.

lispi314,
@lispi314@mastodon.top

@albertcardona @lcamtuf That works only insofar as none of them manages to compromise the rest of the system.

Most shopping sites are also filled with infohazards (ads) though.

John,
@John@socks.masto.host

@lcamtuf I can see how you ended up there, but for what it's worth I might call out one unanticipated downside.

My method is to not block ads, but to avoid sites which advertise too much. I bail fast from any site that has an ad for every paragraph.

The thing is, I find these very bad sites often recommended by people... who perhaps have ad blockers.

djm,
@djm@cybervillains.com

@lcamtuf Manifest v3 takes care of many of the supply chain and extension bug concerns.

tisha,
@tisha@htt.social

@lcamtuf So nice to know I'm not the only one who is concerned about security issues with adblockers 😅

balu,
@balu@muenster.im

@lcamtuf On the other hand, I am fairly sure my ad blocker has blocked a ton of malicious ads, trackers and websites...

endofline,

@lcamtuf Well, the risk of well-maintained ad blockers like uBlock Origin is very, very small compared to Windows updates, which have been known to bring outdated tools with the newest update installation. I guess ad blockers go into the category of risk assessment: how paranoid you are.

pele75,

@lcamtuf Agreed. I run NextDNS at the router and the app on my phone when not on my own WiFi.

mathaetaes,

@lcamtuf I installed a Pi-hole, and while there are definitely some risks that come with letting an ad blocking device own your DNS, I still feel a lot better about that than about some random dude owning my JavaScript.

No exaggeration, the web is now unusable to me from outside my own network because I can't tolerate the ads... but the internet when I'm at home is so nice.

C3nC3,
@C3nC3@social.tchncs.de

@lcamtuf
Isn't the bigger attack vector the regularly updating lists those adblockers are using?

Was thinking about switching away from uBlock again and again, but I don't think the alternatives are as convenient, especially for family members who are not tech-savvy.

gray17,
@gray17@mastodon.social

@lcamtuf Instead of an ad-blocker, I turn off JS and allowlist JS for sites I use regularly that need it (e.g., GitHub). Most of those sites don't have ads, or have very curated ads.

Most news/blog/etc sites are readable but slightly broken with JS off. A few have a covering element or opacity 0 that gets removed by JS, and if I visit those sites often, I fix that with a custom CSS rule (with Stylus).

Occasionally, I'll copy a URL to a non-persistent Chrome profile with JS enabled.

lmk,

@lcamtuf Very well said, and if I had business cards I'd consider putting "I'm not a security absolutist" on them.
However, when I click something and get deluged with tons of distracting ads, I hit the back button and figure that I can live without knowing whatever clickbait it was (it's never really anything important or valuable).
What I do doesn't matter to the web, of course, but if more people simply avoided these miserable websites it could be a powerful signal.

sten,

@lcamtuf Thank you. For me, the breaking point was about 2021. It became simply unbearable.

TheTomas,
@TheTomas@toot9.de

@lcamtuf Speaking of ad blockers in general: I dislike the concept of lists, because 1) they are always incomplete and 2) regular updates cause privacy issues. My approach to this problem: disable 3p-frames, 3p-scripts and additionally all 3p-content. I am surfing the web with basically everything not coming from the original domain blocked. It works! If any browser offered this, I would drop uBlock. Interestingly, no browser does.

BoredomFestival,
@BoredomFestival@sfba.social

@lcamtuf I really need to switch to a mobile browser that supports uBlock or similar. Firefox, I guess?

lcamtuf,

[deleted by author]

  • BoredomFestival,
    @BoredomFestival@sfba.social

    @lcamtuf I don't either, but sometimes I'm in the kitchen and look up a recipe and OMG WTF, I am assaulted with nonsense.

    C3nC3,
    @C3nC3@social.tchncs.de

    @BoredomFestival
    Firefox mobile is a godsend. It saves battery as well because it blocks all the ads.
    @lcamtuf

    ottumm,
    @ottumm@mastodon.social

    @lcamtuf Safari (both iOS and Mac) has a different model for content blockers that prevents them from any access to your browsing — they declare rules and then Safari enforces them. Much better security model.
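    The declarative model ottumm describes, shown here as an added example rather than anything from the posters above: a Safari content-blocker rule list that implements the "block everything third-party" policy TheTomas describes, plus a first-party exemption. `trusted-site.test` is a placeholder domain; the rule shapes (`trigger`, `action`, `load-type`, `if-domain`, `ignore-previous-rules`) are Safari's documented content-blocker format.

```json
[
  {
    "trigger": {
      "url-filter": ".*",
      "load-type": ["third-party"],
      "resource-type": ["script", "document"]
    },
    "action": { "type": "block" }
  },
  {
    "trigger": {
      "url-filter": ".*",
      "load-type": ["third-party"]
    },
    "action": { "type": "block-cookies" }
  },
  {
    "trigger": {
      "url-filter": ".*",
      "if-domain": ["*trusted-site.test"]
    },
    "action": { "type": "ignore-previous-rules" }
  }
]
```

    Rules are evaluated in order: the first two block third-party scripts and sub-frames and strip cookies from every other third-party request, while the last one cancels them only on pages whose domain is listed in `if-domain`. The extension that ships this list never sees a request; Safari compiles the rules and enforces them itself, which is why a bug or compromise in the blocker cannot read or rewrite the user's traffic.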
