Ask HN: Who else uses adblockers for safety?
I have been programming immersive ads. I could modify from an embedded iframe the content of information sites, suck data out of people, manipulate data (like navigation history). And I got really not confident in what unethical people could do and seen no way we could detect misbehaving code.
I feel like the potential of vulnerabilities dynamic ads (JS based) exposes the users to is under stated by the industry.
I use adblockers to just protect myself. Who else does it?
And who else think their may be an ad-gate of the ads companies not stating the risks clearly? I mean to any coder that actually coded ads, we know what it actually can do, right?
93 comments
[ 5.1 ms ] story [ 167 ms ] threadPerceived performance and (expecially on mobile) reduced bandwidth/energy usage is the seelling point for my non-tech friends.
It is also a prophylactic measure that is efficient. And yes, I missed the non ads dynamic contents that could also be unsafe. Then I would get paranoid with thousands sloc of JS included of minified code per project build with complex build chains. Knowing that ff extensions are in JS, I should purely stop using JS with my reasoning.
But as pointed out it results on some websites to serve degraded contents.
So it makes you choose between full access of web content, or safe access to a smaller part of the web.
http://arstechnica.com/business/2015/11/fcc-wont-force-websi...
But it's getting harder. More JS frameworks that depend on JS to render anything other than an empty white page. Then you whitelist that site, and it needs a couple of other domains to render anything. Then you're playing "guess which domain hosts the JS framework", which is not obvious, then you can also go back and play "unwhitelist the wrong answers", which since we're probably talking about a page that takes ten seconds to render and fifteen to be sure it didn't render when I blocked that site is quite a pain.
Also cloudfront is getting more popular, and that's all but an opaque domain now when it serves JS.
I'm getting seriously tempted to throw up my hands and do a serious adblock switch. I don't think using somebody else's list of domains is ethical, for various long and complicated reasons, but I'm finding myself having to balance that against the fact that the advertising industry doesn't seem all that worried about ethics at all, so I feel like I may be bringing an ethics knife to an ethics gun fight.
For those that don't trigger reader mode I'm increasingly hard nosed and just start ignoring that domain. I'll not enable JS just to read an article or see some images, only when it adds functionality. Most of the time I don't need to - most sites work remarkably well with little or no JS, so I can afford not to care about those that don't. I'm very reluctant to enable anything that's not the visited domain.
EDIT: uBlock+NoScript+Stylish almost always active.
For some reason Iceweasel doesn't seem to display the reader icon. It's a bit of a nuisance …
http://www.privoxy.org/
Also, Privoxy requires to either run a proxy locally or on your router. Both not exactly easy for non-techies.
Yet, ads have gotten so out of hand that I'm about to install adblockers partly for safety, partly for other issues. They track my information when I would not expect it. And I just had a simple news website suck up 2GB of memory. And on my phone, simple websites with 1K text frequently suck up 5MB for ads - and I can't easily predict and control that.
Edit: ADP now installed. And it says it doesn't block "non-intrusive" ads unless I ask it to - which sounds pretty good from my perspective.
Static ads bring less revenues than dynamic ads per exposure thus less $ / kb loaded. That's all.
But does the ads industry fairly give them enough information to make a rational choice?
Course the question is the would anyone trust them enough to actually white list them?
Quick rebuttal:
- People who use adblockers aren't likely to click ads anyway (maybe improving CTR for advertisers?).
- Server logs can still tell you how many 'hits' you've had, which were bots etc. even if various JS analytics snippets are blocked. These can be shared with ad partners, even if 100% of your visitors use adblocking.
- Advertising is not the only way to make money from writing/media and I'm becoming ever more convinced that it is even an immoral and hostile action on behalf of the advertisers and their partners (unless done in a mutually beneficial way, such as keyword bidding/ads relevant to expressed commercial needs).
Sadly the response to all this seems to be increased product placement. There are cultural divides between various countries and the web will most likely homogenise over the average at one point, but in areas of ad-desensitized culture we'll see the worst of advertising (or best, depending on your viewpoint).
EDIT(3): uMatrix + pihole user (uMatrix for me, pihole for everyone else on the network, mobile and tab included)
2: "Advertising is not the only way to make money from writing/media"
-> I don't think this is a very good argument. It may be the only reasonable way for that content creator to make money.
3: "I'm becoming ever more convinced that it is even an immoral and hostile action"
-> Some of these ads are hostile, but some are attempting to make money in a very reasonable way. You're demonizing the entire group, including some who are creating value for you and me.
Edit: A little anecdote: There is a project I'd like to do that involves investing considerable time and money in creating content that will be shared with the world and would help a lot of people. I'd like to make some money back out of it for my time and costs. Free but with ads is the best way to help the most people but still make money. However, it might be difficult to make much and I would have to deal with people attacking me for trying to make money off ads. This is a factor that is actually affecting my decision as to whether or not I pursue this project (which I will decide in the next several months).
As for your project; do it! If it'll help people, write it all and release it under a creative commons licence. Spread it far and wide. It could be your legacy, long after you've left the earth and stopped worrying about money.
I self-published a book in 2011. I charged for it. It ran its course, the product lifecycle played out and I'd made more than it cost to put it together. It's now free to read on my site and will soon be added to the creative commons as a PDF to be freely shared. I continue to benefit from its existence in other ways than monetary.
If you really do want money in return for the effort, charge for the publication. Get it published professionally or self-publish and promote it widely. Do you think the ad model is best because you are convinced people will only find what they're looking for through a search engine or social media?
EDIT: Would the people you help with your publication be helped even more by the ads displayed alongside it? Who would click the ads to make the project pay?
Have these become code words for something beyond or outside of the dictionary definition? I have seen both of these words used recently in such a hyperbolic manner that defied any other explanation.
- Many advertisers pay by the impressions, especially "premium" ad slots. They treat ads as billboards and pay for "reach."
- (1) If you're using a CDN, hits don't got to your server (2) Advertisers trust numbers from an industry-common analytics solution, they don't trust something hand-rolled
- Agreed on your last point, I think ad-supported content is creating perverse incentives for content creators.
- Potential improvement to adblockers: a sacrificial server needs setting up that displays these ads to nobody in a dark room somewhere when triggered by the adblock software, thereby maintaining 'reach' figures for the scattergun advertisers.
- (1) Potential improvement to CDN services: display hit counters for users. (2) Many industry-standard analytics solutions use server logs for quantification.
- Agreed on your agreement point.
I try my best to whitelist ad content from websites that I frequent for this very reason. Ads don't inherently bother me, but the extra bandwidth can be ridiculous.
Because I visited your site, you don't get to follow me around for the next day or year...
Why don't advertisers make ads I want to consume?
Trick question: they actually do, and it's called native advertising. Ad-blockers block the grimy, scummy, bottom-of-the-barrel ads that are little more than an assault on the senses.
The myth that ad-blockers prevent content-creators from monetizing is just that: a myth. Ad-blockers just mean you can't be lazy about your monetization strategy.
Patron is great.
Unfortunately, that's the worst part of ABP and many other adblockers - they allow companies to pay them off to be whitelisted. The program is meant to sound consumer-friendly, but it's just another way to get their cut of the ad spend.
I'm not going to go as far as calling this extortion, but it's definitely misleading.
A more upfront way of doing it would be to call them sponsored ads or something that implies it being paid.
This is a reasonably common argument, but I never quite understand it. Ad blockers deny content creators a (one) means of making money, but not a (any) means of making money.
One particular business model is unlikely to survive as ad blockers become ubiquitous. That business model was not good for visitors, and that's why it's becoming obsolete in the face of resistance.
However, there are plenty of other viable business models on the web. I'm not sure it's a bad thing that sites with good content will increasingly have to look to those, and that users will have to get used to providing real financial support to content creators if they want good quality material to be available. Perhaps as a result we'll even develop some new mechanisms for efficiently transferring small amounts of compensation on a large scale in return for producing worthwhile content.
This all represents a change from the status quo of the past few years, but I don't see anything inherently unethical about it, any more than it's unethical for people to only buy media in convenient formats or wheelwrights to have less business opportunity since horse-drawn carriages became obsolete. The only group I see losing out profoundly in the long term are the ad networks and related services, and to some extent I think they have brought this fate upon themselves.
http://www.nytimes.com/2015/03/08/opinion/sunday/the-cost-of...
(edit: on-topic, I use NoScript/RequestPolicy, Disconnect and UBlock whenever I can)
As it stands, HTTP is all about the client choosing what requests to make, what to render and how to render it. If I don't want to download and view ads, I don't request them. If there is some information on a page that I am not interested in, I don't render it. I couldn't care less if this makes someone's business unviable, because in their use of web technology they are implicitly offering me the option not to be bombarded by information that I am not interested in. User discretion is part of the protocol.
Before this humungous amounts of JS and adverts blocked the screen, slowed loading times, tried to infect the phone, steal browser history data, and sucked down my data allowance greedily.
I use a javascript/flash/etc blocking plugin.
If people show me static advertising assets, I'm fine with that even if it lets them track me a little. If people try to run software on my computer I'm not comfortable with...that is a separate problem.
Only very few pages are on my whitelist. E.g. Stack Overflow because they have good ads which are well-chosen.
The only ads I ever click on are ones I never meant to. Usually because the page loads so slow because of ads so content jumps under my finger on my phone.
I installed a hosts blocker on my Android phone after I found myself hitting a large number of sites which would popup ad alerts and then forcibly redirect to another site (where they'd try and get me to download and run an APK). This might be more prevalent in "poor" countries where the fill rate is bad, and so these kinds of scams end up being the only ads available and possibly aren't noticed by the networks.
Try to explain to some non nerds or your parents what is happening on the last link ;)
I didn't put her up to appreciating it either, I'd just mentioned I'd done it and some weeks later when visiting she noticed the difference. They may not always be the most tech-savvy generation (in general), but some things are universal!
It's the best of both worlds for me. I'll see the ads I don't object to (those not served from an ad network), greatly reduced cross-site tracking, and the risk of exposure to malicious ad content is much reduced.
Occasionally you run into a poorly coded site that fails to render because facebook or twitter didn't return what it expected, but for the most part it's a good compromise between extremes of wide open and noscript.
As for the setup, I made it accept all first-party content, and images+css from third parties, and block everything else by default. Then you play the "guess the source" game for a couple of scripts that you as RequestPolicy user are already familiar with :)
I feel safer online and site tend to function better since I've started using it.
Saw it once on their 'About us' page, can't track it down on web.archive.org just now, but I'm not making it up...
Are you suggesting that it does so other than to download library updates, even if you have opted out of their data sharing (which is a single option on the settings screen)? If so, please give details, because this is a common allegation but I've yet to see anyone substantiate it.
I'd suggest using uBlock Origin instead.
uBO is helpful if you're happy with the defaults, but it's horrendously difficult to configure it or figure out what it's actually doing. This is something AdBlock Plus/Edge were always much better at, whatever their other limitations.
And then make a webbrowser that uses a shadow DOM to remove the ads without the website noticing.
But since more and more malware is now spreading through ad networks, I've taken it one step further and rolled out domain-level adblocking on my router (on the DNS level), mainly as a way of securing non-updateable devices like Android phones of guests.
Note that this means that I cannot whitelist ads for a specific domain, but since adblocking was never my primary concern to begin with, I consider that acceptable. I will always see ads if they are served from the same domain (or from any other domain that is not a known ad server), so there's a clear and easy way for publishers to get ads in front of my eyes, should they decide to give a shit.
I'm not worried so much about safety (e.g., ads as a malware vector), but I know that happens. I don't have too much of an issue with data collection in of itself, unless a) the act of data collection impacts me (e.g., 1MB of tracking JS) or b) if your follow-on processes are sketchy and annoying (e.g., spam emails).
I have explicitly unblocked pure analytics platforms (e.g., Google Analytics), trustworthy ad platforms (e.g., The Deck), and a few "site optimization" libraries because some sites don't work without them (shame on them).
I totally get that ads are a revenue source. The problem is that you (as the publisher) need to convince me that your ad platform is trustworthy—not annoying or malicious. You have failed that test in the past and taken advantage of me as a consumer. So you now need to earn that trust back. It's not that I don't value your content, it's that I don't trust your infrastructure. (And yes, from my perspective, a third-party ad network is still your infrastructure because you've chosen to use it.)
It goes on to say, "We get it: Ads aren’t what you’re here for. But ads help us keep the lights on. So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it."
As a reader: I get it! I want to support you! Of course I'm not here for ads, but I don't care. I care about your malicious ad network—do you? You haven't proven that I can trust you to whitelist you, nor are you even showing that you know what my problem is.
So no, you don't get the trust in a whitelist. I might pay for your content explicitly, but I'm not paying $52/yr when I can get a year-long physical subscription for $10. And, back to trust, I don't trust you with my CC number either.
And finally: I have another channel! I can go get all the Wired content I want through Apple News, which is a) trustworthy, b) ad-free, and c) easy to use.
On work machines, I use µBlock origin and NoScript, but with NoScript set in blacklist mode, so almost all sites run JavaScript.
In this manner I reach what I consider pragmatic tradeoffs.
I'll admit though that I am absolutely, completely livid at the continued destruction of the Web's ideals by JavaScript. The Web is about documents, not executables!
https://chrome.google.com/webstore/detail/ublock-origin/cjpa...
correct ? I am always wary that there is some clone project out there that hijacks the original intent of ublock and is somehow name-camping on some derivative of "ublock origin".
That's the correct add-on in the google chrome store, yes ?
ublock-origin is the cut-down, simplified version, uMatrix is the 'power user' version, giving more finely grained control over what's blocked.
zeveb: you should probably just use uMatrix. Less memory consumption and deduplication of tasks. Not to mention the shady noscript under-the-table deals.