Ask HN: What's the best ad-blocking, privacy-enhancing extension set up?

67 points by mlissner ↗ HN
There are a bunch of privacy enhancing and ad-blocking extensions out there, but it's impossible to figure out where their features are unique and where they overlap. Of course, too much overlap, and they start slowing down your browser.

My goal is to make my browser as private as possible with minimal damage to my usual browsing experience. For example:

- LSO and Flash: Blocked. - As many third party cookies blocked as possible without breakage. - JavaScript works most of the time? - Ads are blocked - Various forms of fingerprinting are blocked/disabled - HTTPS is used as much as possible - etc.

I'm currently using Privacy Badger + uBlock Origin + HTTPS Everywhere. It feels like a lot already, but there's also Ghostery, RequestPolicy, and a million others.

63 comments

[ 2.6 ms ] story [ 111 ms ] thread
Privoxy and, for Firefox, BetterPrivacy and Self-Destructing Cookies.
I second privoxy. I never see ads and the memory usage is low, 0.1% on my 8GB laptop. I use it along with polipo (a caching proxy).
Drop this in your hosts file and set up a refresh script to replace it periodically.

http://someonewhocares.org/hosts/hosts

I sincerely hope you don't do this. You're trusting that the people who run that site won't turn malicious in the future; and since your link uses http, you are also trusting that the same applies to their ISP, your ISP, or anyone in between!
Yeah, someone might hijack localhost's address. They might even be so nefarious as to submit RFCs to make that address range publicly routable.
Not the person you are responding to, but it's obvious he's referring to the suggestion that you automatically update the hosts file from the URL.

> set up a refresh script to replace it periodically.

Especially considering the https version of the page isn't valid.

`x.x.x.x foobar.com`

Where x.x.x.x:80 is a redirect to some malicious site.

Here's hoping foobar.com set up HSTS

you could run it through your own sanitizer before deploying even something as simple as

egrep -v "^127.0.0.1|^#|^$" hosts.zero

should help ease your mind that the worst an attacker could do is make some site you want to go to apparently unavailable, but that would be under your control to fix too.

Worked literally for a decade. But I suppose anything can happen.
I had nice results blocking ads with squid+adzapper.

The nice thing is that it does not slow down firefox, ad opposed to the adblock plus extension.

I use Ghostery, uBlock and ClickToPlugin on Safari, and stopped using any other extensions since I came across a couple that were trojans for injecting ads.
I use uBlock Origin to block ads and Ghostery to block social media foo (and trackers, of course). Ghostery makes it easy to enable stuff you want to use all the time (Gravatar, Typekit, etc.) and to temporarily enable stuff like Twitter buttons, Soundcloud player, etc. On top of that I use HTTPS Everywhere.

When I feel the need for real privacy I use the Tor Browser.

// Oh, and I also disable all the fancy features in Chrome and most plugins.

uBlock origin and subscribe to relevant feeds. It's simple, lightweight and covers both privacy / security and ads.
You mean to RSS feeds instead of going to actual websites?
I think mrmondo refers to the "lists" that the ABP-family of extensions support. They are lists of domains and regexes to block, and maintained generally by third parties (not the addon developer).

Some of these lists are specific to geographic regions.

I use uBlock Origin [1] along with the EFF's Privacy Badger [2].

Hard to say how well it really works for privacy without really digging in to exactly what private info I'm leaking across the web but I haven't seen an ad in ages.

[1] https://chrome.google.com/webstore/detail/ublock-origin/cjpa...

[2] https://www.eff.org/privacybadger

Privacy Badger is awesome. ABP basically let's everything through
I use HTTPS Everywhere, uBlock Origin, Random Agent Spoofer with almost everything checked, Self Destructing Cookies and uMatrix.

I do not recommend Ghostery at all, since it is closed source and it collects your data through GhostRank, if enabled.

I think this is a good setup. Not leaking metadata is uber uber important [1]. I feel that by revealing my weird setup e.g., mutt as a mail client I'm really easy to track.

Getting fingerprinted via font browser metrics is also a major worry of mine [2]. Especially if running an exotic setup, it's easy to stand out.

[1] http://www.nybooks.com/blogs/nyrblog/2014/may/10/we-kill-peo...

[2] http://www.guanotronic.com/~serge/papers/fc15-fonts.pdf

I think too this is a good setup.

Self-Destructing Cookies, especially, is rarely mentioned in such discussions, but is a godsend to enable cookies for the convenience of staying logged only in domains you trust (e.g. I have: archlinux.org, feedly.com, mozilla.org, stackoverflow.com, ycombinator.com) but not breaking sites that depend on them (e.g. no gmail if you simply disable them).

Also, if you use Firefox, enabling `privacy.trackingprotection.enabled` in about:config is a good no-addon-required first step [1].

[1] https://wiki.mozilla.org/Polaris#Tracking_protection

Yes, but what's the overlap with uBlock Origin of privacy.trackingprotection? It's very unclear to me. After some experiments and log inspections when it was released I concluded uBlock was a superset. Maybe I'm wrong though.
Asked myself the same question, did the same experiment, and reached the same conclusion :) .

Another unclear thing is the update rate/policy of privacy.trackingprotection's blacklist.

Good to hear :)

What's your addon setup then?

Mostly the same as emanuelmaues above, just a bit lighter: uBlock Origin, Self-Destructing Cookies. Differences:

- No HTTPS Everywhere because I (think I) remember to check for HTTPS when it matters, and access those sensitive sites via bookmarks, where I ensure HTTPS is used.

- No uMatrix because it's too much of a hassle, I'm okay with the 90% provided by uBlock Origin.

- A common custom user agent via (firefox / about:config) `general.useragent.override` rather than Random Agent Spoofer, which pops UAs sometimes so obscure that Google freaks out and serves me a no-js version. I'd use it if it provided a choice like "Random among the last five <Firefox> versions on <any os>", currently to do this I'd have to manually exclude tons of browsers.

(Off-topic) out of the privacy stuff and back into regular addons land,

- dotjs to spruce up custom js in a few sites. When GitHub Enterprise say "maybe, someday" to your feature request, that means "do it yourself" ^^.

- (Not an addon, but worth mentioning) userContent.css to manually uncruft/simplify sites I frequently visit. I prefer this to Stylish, it's all in a single .css file in my profile folder; simple to edit and sync across work/home.

- FlashDisable to pretend I do not have flash (to ensure html5 vid is served in priority, many non-top tier video hosts still serve Flash by default) but be able to activate it quickly when needed (flash game, video with no html5 alternative).

- HighlightAll because I'm so used to this feature from all text editors that I take it for granted even in a browser.

- VimFx to keep my hands on the home row as much as possible.

And you, anything crispy to share?

Nice. I just use vimperator with a couple of commands to make switching around proxies simple. Or custom search keywords with multiple arguments autocompleted.

Apart from that ublock origin, https everywhere and privacy badger. Nothing fancy.

Why do you care about overlap? The green nasties are attacking your privacy in multiple ways, it seems sensible to have redundant layers of protection.
Spoofing user agents will sort of defeat UA-based tracking, but so will using the stock UA for the most common version of your browser. I think it would make more sense to find the most common Firefox UA and switch to that. Probably something like this: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0".

The advantage here is that you aren't likely to run across weird behavior from sites that sniff UA to determine feature set. That's clearly gross behavior, but it's also necessary. For instance, there's no way to determine if a browser supports JPEG2000 other than to sniff the UA for Safari -- it doesn't send an appropriate Accept header. Likewise for many other situations.

What's the overlap between uBlock Origin and other plugins like Ghostery or Privacy Badger? Or even uMatrix?
One major difference is that Privacy Badger doesn't use a blacklist like the others and really isn't designed for the purpose of ad-blocking. It's designed to prevent non-consensual tracking, so it observes which third-party domains try to store high-entropy cookies, and if it sees a third-party domain doing so across multiple first-party sites, blocks any further third-party requests to that domain.

Full disclosure: I work at EFF, which makes Privacy Badger.

That's good. What plugin setup do you recommend on Firefox to protect ourselves?

Furthermore, I'm concerned about useragent and font metadata attacks. Any recommendations for these?

Few folk using Ghostery... but I thought Ghostery was the plugin backed by the advertising industry that just fed your data back to them anyway?

I use AdBlock (original) and Disconnect. Perhaps Disconnect does something with my data tooshrug

Ghost Rank is opt-in, and it does help the advertising industry: [0]

>We rely on Ghostery users who opt-in to participate in a feature called Ghostrank®, which sends us anonymous information about the data collection technology they see, and where they see them. We take that information, add our analysis, and sell it to companies to help them audit and manage their relationships with these marketing tools. None of the information we share is about our users, nor is it stored in a way that could be used to trace back to our users.

Ghostrank® is off by default, meaning you can use Ghostery without sharing anything with us if you prefer. (But please opt-in! It is how we keep Ghostery free and continue to make it the best tool out there!)

Further, from their privacy policy: [1]

>The Ghostrank information we collect helps to increase our tracker intelligence, and to improve our products and solutions for businesses. We do not use any collected information to track individuals or to target ads to them. Ghostrank data may be licensed commercially and incorporated into our solutions for businesses. To learn more, contact Ghostery at privacy@ghostery.com or visit www.ghosteryenterprise.com.

Disconnect is monetized through user payments: [2]

>We are a consumer software company and rely on payments from our users. We believe basic privacy protection should be available to everybody, irrespective of the ability to pay. In support of that goal, we have a two-part pricing model. For our desktop browser extensions, users can “pay what they want.” For our mobile software applications we offer a Basic free version and a Premium paid version that has additional benefits. Payments help sustain our work and also support nonprofits that share our corporate values.

[0] https://www.ghostery.com/en/faq/how-does-ghostery-make-money...

[1] https://addons.mozilla.org/en-US/firefox/addon/ghostery/priv...

[2] https://disconnect.me/help#how-do-you-make-money-

Thanks for this. I just installed ghostery and I'm still reading up on it. I don't have a problem with advertising and people making money and studying usage. I do have a problem with attempts at tracking individual users and trying to create individual user profiles. I like how you started your list at zero.
I use Ghostery and uBlock Origin, plus "Google search link fix".

Ghostery is opt-out by default and works well. I trust it more than I trust AdBlock.

uBlock Origin doesn't use as many resources as any of the versions of AdBlock.

In addition to all the plugins that everyone has listed, I'm also interested in hearing about the default settings that should/need to be disabled in Chrome or Firefox so as to prevent most/all of the "dial-home" features. For example, unchecking the features in Chrome > Settings > Show advanced settings > Privacy, like "Use a web service to detect spelling errors" or the offer to translate pages further below.

While perhaps not as potentially malicious as 3rd party websites, I think that a discussion regarding privacy in web browsers themselves is a useful one.

Some discussion here: http://thesimplecomputer.info/the-private-life-of-chromium-b...

AVG Privacy Fix, HTTPS Everywhere, Ghostery.
Flash is not installed, so there is no need to block. For Adblocking I use Bluhell Firewall, to stop tracking Ghostery and Self-destructing cookies. On top of that I run noScript to kill remaining junk. And because I like to encrypt: HttpsEverywhere.
If you're willing to go through the headaches of having to reload some pages multiple times, a combination of NoScript and RequestPolicy Continued (not the original RequestPolicy) may be your best bet.

For sites that you visit regularly you can simply whitelist them; for rarer sites you may have to reload pages 2-4 times as you allow requests out to CDNs, etc. and allow JS.

I run that way in Firefox as my daily driver, but have Chrome much less locked down with uBlock Origin for things that I just can't get working right. Chrome is also the only version of Flash installed.

I also tend to do most purchasing (or at least checkouts) in Chrome - annoying to get stuff all set then have the order go screwy because you have to reload the payments page several times to make it work.

You're pretty much covered. uBlock Origin + Privacy Badger is awesome.

You can add something like Tab Cookies or Self Destructing Cookies. You can also add something like uMatrix to the mix.

If you really want to go far, add a "User-Agent Switcher" type extension.

I wouldn't add more than this though, it starts to be overkill. Also do note: I used to use noscript and it works well, but going from 0 JS on a domain to all JS on a domain isn't ideal. If you want ultimate security, add noscript as well but maintain the others so that when you whitelist a url you can still expect to be safe.

(comment deleted)
from the page it looks like privacy badger is similar to noscript, care to explain how it's better than noscript?

noscript also has "forbid", "temporarily allow", and "allow" settings for blocking domains

Tried out Privacy Badger and had some bugs early on, refused to block certain domains and did not block things by default which I would expect.

I prefer noscript.

I'm not clear that it blocks anything by default.
That's correct; Privacy Badger doesn't block anything by default because it doesn't use a blacklist. Instead, it observes the behavior of third-party domains and blocks them based on their behavior. (So it may take a bit of normal browsing before it starts blocking things.)

Also, Privacy Badger recently transitioned from beta to 1.0, so if you last tried it more than a month or so ago, I recommend giving it another shot. And if you find bugs, please report them!

Full disclosure: I work at EFF, which makes Privacy Badger.

That's pretty cool, and I guess I should have read the intro slideshow since it's pretty clearly described in there.
I might again, the show stopper bug was me attempting to repeatedly block a domain that would not remain blocked, and it was facebook related so the plugin got uninstalled.
They're both good at different things:

NoScript blocks Javascript/Flash/etc. based either on a list you import, or on a case-by-case basis. I use it as a security measure, blocking potentially harmful content by default and enabling it only if I need it for the site to function.

Privacy Badger is not designed for security so much as it is for protection against non-consensual tracking. It observes which third-parties store high-entropy cookies on your device. If it sees a third-party domain doing so across three different first-party websites, it automatically blocks requests for any content to that third-party from your browser.

So I'd say the big differences are Privacy Badger is set-and-forget, while NoScript isn't; Privacy Badger protects against different tracking (including pixel tags); NoScript protects against some first-party tracking (if you don't allow JS on a first-party domain) and security dangers.

Full disclosure: I work for EFF which makes Privacy Badger.

thanks for answering!
> My goal is to make my browser as private as possible with minimal damage to my usual browsing experience.

Not very long ago I wrote a guide documenting my specific configuration which has precisely this goal in mind [1].

The short version: disable third-party cookies, enable tracking protection (Firefox only), use uBlock Origin with some extra filters, use HTTPS everywhere, Enforce Click-to-Play and Disable Unnecessary Plug-ins.

One tweak I don't cover in the guide that I think I like is disabling custom fonts. In Firefox this is under Options > Content > Advanced > uncheck "Allow pages to choose their own fonts, instead of my selections above". The privacy benefit here is probably negligible, but I quite like that I don't have to wait for giant remote fonts on everyone's blog to load.

[1] https://brashear.me/blog/2015/08/11/hardening-firefox-to-pro...

I use basically this setup with one additional plugin: Noscript. But this has more to do with browser safety than privacy, in that I don't want some shady third party site getting to run whatever JS they want on my machine.
I made myself use NoScript for a few days. I was quite surprised at how performant the web suddenly was, but quite discouraged at how often I had to unbreak websites. Because of that I don't run it anymore, but understand why people do.
Hah, yep, but after a while you get good at guessing which third party sites will unbreak the current page. And sometimes you realize the content isn't worth letting all the garbage run on your computer.
How do you get around the combination of your IP + UA being fairly unique?
Generally speaking, you don't. In my case it's worse. As a user of Firefox Nightly my User Agent is more unique than most.
> Various forms of fingerprinting are blocked/disabled

Be very careful with that. If you're one the few who have the features disabled on a compatible browser, you make your configuration more unique and it becomes easy to identify you.

I'd would also advice not to spoof the User-Agent since the browser can be detected thanks to other parameters and if those ones contradict the User-Agent that's a very specific fingerprint.

I'd also advice not to enable the DNT (Do Not Track) header since it does nothing at all and is used by a minority, so it increases your entropy too.

The combination of your three extensions is very fine as far as I can tell. This is what I would advice in addition to them:

- Whitelist first-party cookie. Make them be deleted when you close the browser (in the privacy settings of Firefox) and whitelist the few sites you need them to be remembered. To whitelist a site on Firefox, click on the thing at the left of its url on the address bar (either a planet or a lock), click on 'More informations...', go to the Permissions tab, scroll to 'Set cookie', uncheck 'Use default' and click the 'Allow' radio button.

Many websites include arbitrary JavaScript that they grabbed in the documentation of some statistic tool or something like that. Such scripts, running directly in the site's pages, can then access first-party cookies.

- Use something else than Google. If you can't deprive yourself of Google results relevance, then use StartPage, it's a Google proxy. They make money by displaying non-targeted self-hosted ads. Unfortunately, I fear that Google might be able to identify you thanks to your queries themselves. Otherwise, just use DuckDuckGo.

- Use your history and bookmarks. Search engines are for discovering new content. To find something you have already seen or to reach a website you already visited, use your history. Ctrl+Shift+H. Or just type some word you remember in the address bar and pick the correct suggestion.

- Use search keywords (https://support.mozilla.org/en-US/kb/how-search-from-address...). They allow you to associate a keyword to about any search form anywhere and then search this form directly in the address bar. This also will reduce your search engine usage.

You should also know that when your browser performs a third-party request, the recipient of the request can know the page you're coming from thanks to the HTTP referer header. It can be disabled in about:config (http://www.technipages.com/firefox-enable-disable-referrer), but I'm not sure it would be a good idea, first because of what I've said about fingerprints in the beginning, second because it might break some websites.

(comment deleted)