Over the years, marketing networks have been infiltrated by hackers who manipulate ads to spread malware. Since the ads were served through a host of web pages, the attackers could do damage to a victim’s computers in minutes. With an ad blocker, though, you can prevent this situation from happening to you.
I use adnauseam (https://adnauseam.io/), which is built on top of ublock origin, and it works pretty well.
The generic nuclear option to hide terrible web design, bypass (some) paywalls, and improve performance 1000x is to disable javascript. ublock and adnauseam both have a button to disable all javascript on a page, which is handy when reading articles on sites filled with garbage.
>both have a button to disable all javascript on a page
Be slightly careful, there's a known issue (limitation of Chrome really) where requests and javascript are not blocked in the first few seconds of launching a browser or an incognito window (you can test this yourself). And this is true even with "Suspend network activity until all filter lists are loaded" enabled, because I think it's some limitation on Chrome as to when exactly extensions get loaded.
So if you do rely on javascript being disabled for safety, after a fresh launch or new incognito window, you should visit a safe webpage first before going to the risky one.
I'm going to just read "limitation on Chrome" as "purposely defective by design" as there's sufficient incentive to delay disabling to let a few telemetric squeaks escape.
Just switch to a browser that respects user privacy. With NoScript you can fine tune which domains you'll accept scripts from when the zero-JS experience isn't usable.
adnauseam is seriously a terrible idea. It's actually dangerous. The idea that you can somehow trick advertisers by polluting your dossier and making it useless to them after filling it with random data is fundamentally flawed.
Every scrap of data collected about you will be used against you. It doesn't matter if it's accurate or not, nobody cares if they data they have about you is accurate, data brokers will happily sell your personal info to anyone even knowing full well that it's got inaccurate and conflicting info in it. Many won't even know because the process is entirely automated.
By automatically clicking on ads and "expressing interest" in random things you're just filling your dossier with ammo which gets handed to others to fire at you. Every random thing you add to your permanent record is one more thing that can only hurt you.
You cannot know what will prejudice someone against you. Maybe one day adnauseam decides to click on something that gets you flagged as having a certain political view, or having a certain sexual orientation, or being an alcoholic, or having a mental illness, or being at a certain income level, or belonging to a certain religion, etc. One day that exact data can cause you to get turned down for a job, or for housing. It can mean that a website charges you more than what your neighbor pays for the same product. It can mean your insurance rates go up next year.
You will never be told when it happens or why. Your health insurance company isn't going to tell you that they raised your rates because you (adnauseam) clicked on too many fast food ads last quarter. You're just suddenly getting a higher bill. Your auto insurance company won't tell you that they raised your rates after you were clicking ads for DUI lawyers, but suddenly they and every other insurance provider you try are quoting you higher monthly prices.
If your browser extension decides to go click on ads about abortions you could even end up being hauled into a texas courtroom and having to defend against charges. Sure, you'd get them thrown out eventually. Probably. But it would still cost you a ton of time and money and stress. The information in your dossier can get you targeted, harassed, or attacked by extremists. It can get be used against you in court rooms. It can get you investigated by three letter agencies. It can be used to impact your 'secret consumer score' or consumer trustworthiness rating.
The information being collected about you is sold to companies, employers, activists, extremists, and law enforcement. That data never goes away. It follows you for the rest of your life and will be used against you in ways you'll never be aware of and cannot today imagine. Filling your dossier with huge amounts of content (random or not) is dangerous and only increases your risk for zero benefit.
All I care about is hiding/obfuscating my personal information. I just don’t like the idea of giving that away for free, even if it’s actually harmless.
I don’t care if I get wrongly labeled/categorized due to this. It’s not like my profile was an accurate representation of who I am before I turned on ad nauseam. If someone gets dragged into a court room for clicking ads, that would be funny, and I doubt they would have a hard time finding support from orgs like the EFF, gofundme, etc.
One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads. This will lead to reduced spending and less ads overall.
> All I care about is hiding/obfuscating my personal information.
adnauseam does not do this. It only adds to your personal information. It doesn't hide anything.
> I don’t care if I get wrongly labeled/categorized due to this.
Then you must not care when you suffer the consequences of having been wrongly labeled/categorized. Nobody can make you care about yourself, your money, your safety, or your time if you refuse to.
> It’s not like my profile was an accurate representation of who I am before I turned on ad nauseam.
Again, nobody cares about how accurate it is or not. It's about quantity, not quality. Accurate or not, that data will increasingly impact your life in very real ways. The more data they have, the worse it will be for you.
> One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads.
this isn't actually true, because advertisers don't care. That's why the world is still and increasingly filled with ads that aren't laser focused on you as an individual. We have more and more ads on network TV, on billboards, on radio etc. None of them were stopped because they sometimes showed an ad to someone who doesn't care about it. Seriously, they don't care. You clicked, that's good enough for them. Sales aren't even always the goal. Being seen (or the appearance of being seen) is often all they need.
Right: regardless of what the ad is, just by auto-clicking on it you provide a signal that when aggregated together can roughly piece together your browsing history. As a toy scenario, maybe you only visit tech blogs, and tech blogs usually have tech related advertisements. The fact that you have auto-clicked on ads that were on tech sites, and not say fashion sites, is itself a strong signal that can be used to infer browsing history.
Also I think advertisers are already used to dealing with click fraud and so track metrics that won't meaningfully be impacted by this strategy.
> All I care about is hiding/obfuscating my personal information.
> adnauseam does not do this. It only adds to your personal information. It doesn't hide anything.
It does hide it. It hides it between a bunch of garbage data. That’s the point.
If the CIA wants to assassinate me, a browser extension isn’t going to help. But if I start seeing ads for adult diapers while I’m browsing the internet, I’m going to laugh and feel good about knowing they wasted a few cents.
> Accurate or not, that data will increasingly impact your life in very real ways. The more data they have, the worse it will be for you.
Sorry, but that’s ridiculous. It sounds like FUD a spam blog operator would say lol.
> this isn't actually true, because advertisers don't care. That's why the world is still and increasingly filled with ads that aren't laser focused on you as an individual. We have more and more ads on network TV, on billboards, on radio etc. None of them were stopped because they sometimes showed an ad to someone who doesn't care about it. Seriously, they don't care. You clicked, that's good enough for them. Sales aren't even always the goal. Being seen (or the appearance of being seen) is often all they need.
When something isn’t working, you stop wasting money on it. Ads aren’t going to completely disappear, but if collecting personal data on individuals stops being effective, then marketers will need to turn to other means of targeting. It won’t happen tomorrow, but I did say “long term”
Companies are using every scrap of data they can get their hands on to take more of our money and they want more. The government is buying up data they can't legally collect directly. It's pretty likely that you've already experienced real world consequences of the data taken from your online activities. (https://epic.org/issues/consumer-privacy/data-brokers/)
They tell us that all the tracking we're subjected to is just about ads, but the data being collected is used all over the place offline. What we really need is privacy regulation with real teeth, but that's probably not going to happen any time soon because it's making companies tons of money. There's a multi-billion dollar a year industry around the buying and selling of the our data for a reason.
Should we also not use uncommon resolutions, uncommon browsers, uncommon OSes?
The personal and societal effect of ads are more tangible than the personal effect of tracking. Even if networks are truly able to use this data, it doesn't matter how precisely you can be served with ads if you don't see them.
On Mac and iOS I use and recommend AdGuard which has native content blocker extensions and lets you use Easylist block lists (as well as their own).
On Chrome/Firefox I use uBlock Origin which works well. I’m not sure if the community recommends something else at this point.
I also use various other extensions like StopTheMadness to disable right click hijacking and other bad behavior and Banish on iOS to prevent certain banners from appearing.
uBlock Origin, Privacy Badger, Pi-hole, and a mobile browser like Firefox that allows for extensions for those times when one is not browsing on the same network that the Pi-hole runs on. One may also use a VPN on all devices that connect to a network with DNS-level ad-blocking.
I know most people trash on Brave, but honestly, if you disable its crypto features (which is just a click away), it's actually a decent browser that blocks almost all ads I see, even on iOS!
For example, YouTube has no ads in iOS Brave. Since iOS doesn't allow real browsers and extensions, Brave has been a sanity-saver for me.
Pair that with uBlock on desktop and you're golden. 98% of the sites don't break at all either.
Safari on iOS does allow extensions. It also is a “real” browser, whatever that means. iOS does not, however, allow _alternate rendering engines_, which is different.
I find Safari extensions inferior than Chrome/Firefox extensions. Who thought it's a good idea to show extensions as apps on the springboard/launchpad??
I now have 68 extensions on my Brave (desktop). Imagine seeing 68 additional icons on my macOS launchpad!
Safari is clearly a real web browser, you can use it to browse the web. It is a weird comment, the more straightforward and honest way of putting it would be “alternative browsers.”
> Since *iOS doesn't allow real browsers* and extensions, Brave has been a sanity-saver for me.
I mean, the comment is pretty straightforward, I don’t really see the need to come to this person’s defense. I agree that the iOS policy is dumb, but deliberately misinterpreting this person to make them correct is silly.
I feel like, for those asking for cursory information about setting up an ad blocker, ublock origin should be recommended, and not pi-hole. Ublock Origin is a one click solution that works great for everyone, while pi-hole requires setup and does quite a lot. For instance, when I was using pi-hole, Windows Update and Epic Games Launcher simply stopped working for me. I'm not sure what was going on, it could have been something wrong on my end, but nonetheless, I'd hate having to help a user with issues like this after recommending pi-hole when all they wanted in the first place was a simple ad blocker. In my opinion, pi-hole is great, but it should only be brought up in cases where the user has already communicated they want something more than UBO.
I respect your feelings, but Ublock Origin is not available on my Android phone or on my iPad. It's also not available for all browsers. It may not work for you, but for me Pi-hole is a wonderful solution for my whole family, and they don't ever need me to touch their devices in order for it to work for them.
That's fine if you have no other option, but it is inferior to uBlock Origin since it can't do any cosmetic filtering. Better to use pi-hole on your network for clients that have no other choice, but to then also use uBlock Origin on any client you can.
No script is excellent, but it is certainly not for the faint of heart. It basically breaks the (modern) internet and then you have to go in yourself an unfuck each website.
The upside though is big, stops all the insane bloat that runs on most pages. Many websites run fine with all their scripts blocked too.
NextDNS + Ublock Origin (or Brave Browser, since it uses the UBO lists by default) is a really good combo on its own, and easy enough for my self-proclaimed "tech illiterate" friends to set up and use.
If you're on Android also use Blockada to block ads in app. It's a local VPN server that filters out requests to ad servers. I think there are other apps like that but I never used anything else.
It ultimately depends on what your threat model is, what are you trying to defend against? I use Qubes dispvms (whonix if possible) for personal browsing, but that's pretty far toward the extreme end of the scale.
A combination of uBlock Origin + NoScript + Bypass Paywalls Clean + FastForward + ClearURLs as well as a pop-up blocker of your choice, will make your web browsing experience a bit cleaner. Not all of these might available for Chromium, I personally use Firefox for my daily use, with some Chromium browsers as backup.
NoScript will break pretty much 50% of the web. It'll take you about a day to whitelist all the sites you use daily and then it's smooth sailing.
The former team left Privacy Tools and that is now just arbitrary recommendations by one guy who mostly spruiks cryptocurrency bullshit. He also has no experience when it comes to auditing, verifying any of what is recommended, not a sysop, not a programmer either.
to add one that hasn't been mentioned in this thread, a good hostfile can both block ads and speed up your internet.
https://github.com/StevenBlack/hosts
Any serious schizo worth their weight would only be using an airgapped system at home and only connecting to the Internet from public APs with a completely separate computer.
I stopped using adblockers generally when I considered both 1) we get very little visibility on when an extension changes-hands/updates, combined with 2) you have to give it access to all your browsing data.
People sell popular browser extensions to malicious parties all the time and AFAIK there's no systematic way to notify users when this happens.
Pretty late to the game there, FBI. There are examples going back decades of drive by downloads and exploits from ads on popular websites. It's not enough to avoid shady websites. Any website filled with ads is already a shady website.
Yep. The only time I ever had a malware-infected computer it was one of those drive-bys. You didn't even have to click through the link to the site advertised at all, the browser would just go ahead and start prefetching it, so in case you did, it would seem quicker. And meanwhile the Adobe plugin would just happily start executing whatever code came from it.
I had to thoroughly wipe my computer and the computers of two others that fell to the same malicious ads.
Now ublock origin is standard and no Adobe products are allowed.
Brave, Firefox, Bromite all do, or you can use nextdns or adguard as a private DNS in your network settings. I think the last option is a little wireguard set up to route traffic to a server or small pc that has unbound and pinhole on it
So for example YouTube serves their own ads so you can't skip YouTube ads with a DNS level adblock you need ublock origin which can block anything referenced in HTML which is why it works for skipping ads on YouTube.
You can not say a browser is built to block ads when showing ads is literally how it makes money. You maybe turned it off, but most people didn't. If everybody turned it off, it would not have a revenue stream.
> You can not say a browser is built to block ads when showing ads is literally how it makes money.
Sure I can:
It was built to block ads. You have to tell it to do so in a way that blocks "all of them" otherwise it just blocks the terrible/annoying/malicious ones.
Sure, but do they also not collect any analytics for their ads? Will that last through a financial crisis if advertisers offer them more money? Will it last if they gain market dominance?
If their money comes from advertisers and not users, they serve advertisers and not users. Supporting them as a temporary solution just means if they succeed we have all the same problems when the same incentives come into play.
> Sure, but do they also not collect any analytics for their ads?
Configurable.
> Will that last through a financial crisis if advertisers offer them more money?
Will Brazil win the 2090 world cup? I'm not sure I get your point...
> Supporting them as a temporary solution just means if they succeed we have all the same problems when the same incentives come into play.
Internet services are run by ads. Unless we can transfer to a model which is publicly funded or subscription based (even free software needs to pay for servers and employees -- the money has to come from somewhere) then the best we can hope for is an ad-funded service which allows you enough control to turn everything off if you want to.
Do you have a better solution and are you willing to start working on it?
Otherwise, you are making 'perfect' the enemy of 'good'.
Remember when you responded to a post about blocking ads by default?
> Internet services are run by ads. Unless we can transfer to a model which is publicly funded or subscription based (even free software needs to pay for servers and employees -- the money has to come from somewhere) then the best we can hope for is an ad-funded service which allows you enough control to turn everything off if you want to.
Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
The internet existed before internet advertising, and the kinds of websites people built for intrinsic reasons rather than for money were far superior. If Facebook et al disappeared completely the world would be a better place.
There is not a shortage of content, there is a shortage of filterability created by low-effort garbage funded by ads. If people aren't willing to pay for something, it's because it's not that great.
Patreon shows that some people are willing to just make donations for free content. And incidentally, Patreon-supported content tends to be higher-quality because they're serving donors, not advertisers.
We don't need ads. Ads are a blight on humanity which provides negative value.
> Do you have a better solution and are you willing to start working on it?
You mean the < 10 lines of code necessary to have an ad blocker installed by default?
> Otherwise, you are making 'perfect' the enemy of 'good'.
Brave is not "good". It's literally no different in any way from a browser which supports adblocking extensions.
> Remember when you responded to a post about blocking ads by default?
It does block ads by default. You then asked about analytics.
> Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
I definitely do not support ads. I block them.
> The internet existed before internet advertising, and the kinds of websites people built for intrinsic reasons rather than for money were far superior. If Facebook et al disappeared completely the world would be a better place.
Yes it did. It was funded by the government, universities, the military, and people through personal servers (you can probably also count BBSs as well). These things had functions orders of magnitudes smaller than are available today (want to see a satellite picture of your house then get walking directions from there to Alaska?).
> If people aren't willing to pay for something, it's because it's not that great.
Someone pays for everything. Do you have a solution? I would happily pay more taxes to publicly fund services like search engines and browsers -- but that isn't politically viable right now.
> We don't need ads. Ads are a blight on humanity which provides negative value.
I agree. That's why I block them.
> You mean the < 10 lines of code necessary to have an ad blocker installed by default?
No, I mean how to fund massive projects and infrastructure without public funding.
> It's literally no different in any way from a browser which supports adblocking extensions.
I never said it was. I said it blocks ads by default.
If you open google.com and search for 'mattress' in Brave, you will see Google ads in Brave, by default.
Furthermore, Brave is capable of blocking these ads, but chooses not to, therefore it does not block ads by default.
>> Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
> I definitely do not support ads. I block them.
"you" was referring to Brave, not yourself. The point is that Brave is a first part ad vendor (showing ads is how it makes money) so for this reason it is not commited to blocking first party ads by default (as it would be ironic I guess).
> Someone pays for everything. Do you have a solution?
Yes, you can chose to support paid search engines and browsers, paid by users, not advertisers.
> I agree. That's why I block them.
Original comment was about which browser is blocking all ads without discrimination, on default settings.
You can make any browser block ads with some effort, through for example extensions.
> If you open google.com and search for 'mattress' in Brave, you will see Google ads in Brave, by default.
It doesn't block all ads everywhere -- I don't know any browser or extension that does. It certainly blocks most of them. I don't see google ads because I don't use google for search (and I also run a pi-hole), so I wouldn't know.
> "you" was referring to Brave, not yourself.
Well 'you' use strange sentence structure and grammar and it doesn't communicate your point clearly -- or you are retroactively changing what 'you' mean after 'you' write it.
> Yes, you can chose to support paid search engines and browsers, paid by users, not advertisers.
Does 'you' refer to 'me'? Because I already do that. 'I' was speaking of browsers and software and services in general. And I already brought up the subscription model but that doesn't work for browsers, apparently. Why don't you make one?
> Original comment was about which browser is blocking all ads without discrimination, on default settings.
Original comment was about browsers blocking ads. I mentioned Brave was built to block ads. You seem to have changed this conversation to be about Brave supporting ads and how if it does then it doesn't 'count' when it blocks them. Try to keep up.
Here are a few things I do to combat nasty websites:
- blacklists entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing my browser to use DoH -- I can still then use DoH if I want, from unbound)
- reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules
- (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.
I do not care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).
EDIT: just to be clear seen the comments for I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day to day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent me from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks. Your mileage may vary and you live in a country where it's normal to go on website with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.
I'm not even a native english speaker and my native language does have accentuated characters so there's that...
I don't like to have to set rules in browsers: I'll do it when mandatory but I prefer things that the browser won't change during it's next update and, also, I use several browsers.
Mainly homoglyphs. Characters that LOOK like Latin characters but aren't. Scammers register domains to make it look like at a glance you're visiting a reputable site.
It's why many browsers started defaulting to showing "xn--<whatever>" (punycode representation of IDN characters).
It sucks for domains that are emoji but whatevs. Scammers ruining things for everyone, as usual.
International domain name - blocking them prevents look alike URLs from working. But also, IMO, this is bad advice for anyone who uses not English as a language...
If there's any non-English-speaking culture that embraced IDNs, I'd love to hear it. E.g. in my experience as a Russian speaker, Cyrillic very rarely shows up in domain names for legitimate websites, and correlates strongly with malware.
While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem, as ultimately all you can really do is use domain blacklists at your firewall. It's no longer as straight forward as just control port 53 traffic, not like you can realistically shut down 443... Blocking DoH is largely whack-a-mole and I think is only going to get worse as this and similar techniques spread. There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules, the same doesn't work for DoH. a DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.
> While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem
Oh I know but so far you can still ask both Firefox and Chromium to not use DoH and hence force them to use port 53 and from what I've seen they really honor that. For the moment.
I don't doubt that in a not so distant future we may see companies hardcoding DoH into apps without any possibility of removing that setting!
What I do is no panacea but it gets rid of a lot of things.
> There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
But I whitelist apps that can connect to the net. Browsers, apt (for Debian/Devuan package update), the one that update the NTP/time, SSH out and that's basically it.
I know it's a game of whack-a-mole, but I'm still playing it : )
Maybe this is so but I have yet to see it. AFAIK all the DoT/DoH are on known dedicated IP addresses. I know they don't have to be. They could be on generic Akamai/CF/BunnyCDN/etc... end points but I have yet to come across one utilized in the wild. Have you found any? What are their IP addresses? I would like to add them to my DNS timing/monitoring scripts.
I null route about 24 DoT/DoH IP addresses and my one smartphone seemed to figure out automagically that my router was serving up DoT on 853. I can tell if something is bypassing Unbound because there are things I know should not resolve correctly.
I confine everything on my network and if anything is able to resolve any one of the sanctioned countries or if the domains I override resolve to their correct address I will see it. I can only think of one opaque device I have that could even try to do that but I know it doesn't because I have to unblock .cn to get vehicle updates for it. I should add that I do not let random IoT's onto my network and that vehicle diagnostic tool from China is only on my network about once per year for a few minutes. I should also add that I have fascist firewall rules for anything I do not trust and all new SYN packets are logged. DoT and DoH use TCP.
Funny you should mention that. I have a few Squid-SSL-Bump proxies that I use for a few devices. For several years I even used that to visit HN and to my surprise was rarely rate limited or blocked when accessing from a VPS. With Squid I can also make decisions on content types, file sizes and more. There are only a handful of sites it doesn't work with because they for whatever reason are still using public key pinning. A few google sub-domains, eff.org, paypal but interestingly no banks.
This only works with devices that I can install my own CA key onto. I have not figured out how to do that with the vehicle diagnostic tool.
> This only works with devices that I can install my own CA key onto
Yes, that's why I don't use any commercial IoT devices. I have no actual control over them. Before I shed the few I did have, I kept them segregated on their own subnet so that at least their presence didn't have to impact anything else.
This is exactly why DoH is a trojan horse. You can't control it as a network administrator, all it takes is a piece of software to simply remove the controls for users to configure their own DoH and bam, end user has little to no control over how their applications perform name resolution.
Little pro-tip for anyone who tries to run their own private DoH infrastructure too, Firefox doesn't like RFC1918 addresses for the DoH resolver. Set `network.trr.allow-rfc1918=true` if you run DoH on a private IP.
> It's only true when all of the computers on it are too.
I was unclear. This is exactly the case I'm talking about. The network, and all of the devices on the network, are mine.
> What? No it doesn't.
It does. It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.
> You're not supposed to be able to have control over what tools other people use on their own computers.
Again, I'm talking about having control over my own machines, not anyone else's.
> It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.
If that makes DoH bad, then privacy is bad too since it makes it easier for terrorists and pedophiles to evade the law.
On my network, running my machines, these privacy mechanisms really are bad. Having them doesn't give me any privacy (the entire system is my private system to begin with -- who am I being private from?).
The only privacy they are affording is specifically to entities that I don't want operating on my machines to begin with, who are mostly interested in violating my privacy.
So this privacy mechanism, in this use case, really is bad because it reduces my privacy.
You can't control it as a malicious censor who's trying to control what Web sites other people's computers can access just because they're on your Wi-Fi. You can absolutely control it on computers that are actually yours.
For now. I would point out that the browser with the largest market share by a considerable margin is created and developed by a company that makes most of its money by selling ads, and that choosing your own DNS server with the capability of blocking those ads is a direct threat to that revenue model.
They will tell you it is to defeat censorship though and to improve network resilience, because they are deeply committed to having the image of being a champion of internet freedom.
They don't need DoH to stop you from being able to block ads at the network level. For a while, a lot of sites have been proxying their ads through their own domains to do that.
And besides, every browser that supports DoH also lets you pick what server to use, and adblocking DoH servers exist.
Yes you can. Do what corporate firewalls do. MITM all TLS connections with your own personal CA. Don't allow any traffic streams that you can't MITM to leave your network.
1. couldn’t you “just” (yea yea I know) install a cert on all your devices and force all 443 traffic though a proxy (like some corporate networks do)?
2. (Something I’ve been meaning to get around to trying for a while) default-block outgoing connections unless unless the external host was recently resolved for the corresponding internal host via your internal resolver? That seems like it would kill anything that tries to avoid your ad-blocking resolver. It seems like that might block hard-coded addresses too, but that could be a good thing..
That's insufficient. There's nothing stopping a web site (or ad on a website) from forming its own DoH request that bypasses the browser and the port. It can be done entirely within the HTTPS stream.
If you're monitoring the HTTPS stream, you'll see it. The point of the proxy is exactly to inspect the content of HTTPS requests (that's why you need to install your own certificate).
The biggest problem with 1) is that you lose the ability for your browser to perform checks on the certificate. If the certificate fails, the only option is to deny the connection. (Or fake it and return an error page but that can have unintended consequences.)
And with 2), that would work, though you'd probably want to whitelist port 53 so that you can resolve names in the first place. Sounds like it should be effective, though.
Those checks are then performed on the MITM device. Instead of an error page the device could return the same sort of page that your browser would otherwise display for you. The connection has been MITM'd after all.
A successful mitm with an injected trusted cert should appear 100% valid to the browser. That's the point. According to your device setup the connection has not been tampered because you as the device owner allowed a new root cert to be trusted.
The rest is just fear mongering, I'm sorry, not sure how to phrase that more elegantly or politely. I'm not an uber smart domain expert wrt certs, but we shouldn't have to be to know that valid device MITM with certs is a normal use case. And it shouldn't be used as a boogeyman man on layman users.
It can be more of an issue if you have a lot of "smart" products or IoT products that essentially operate as black boxes on your network though. Would just recommend not doing that, if you have devices on your network that you don't control, someone else does.
That only affects things that use the browser's facilities to engage in DoH. A web page could decide not to do that, and manufacture their own lookups using JS, for instance.
Oh? I thought I answered it. What are you really asking for here? A tutorial?
If that's what you want, you need to give me time to put it together. I set this up a number of years ago and don't remember the details off the top of my head.
here's what I do remember: I use a squid proxy and replace all of the HTTPS certs on my other machines with my own. When HTTPS is negotiated, it's with my proxy, not the end destination.
Then the proxy does its proxy thing and sets up a normal HTTPS connection with the destination.
In my proxy, I have a script that is looking for the HTTP lookup exchanges detailed in RFC8484 (https://www.rfc-editor.org/rfc/rfc8484). When it finds them, it drops them on the floor. Everything else just gets passed through.
While these are two common standards, you can easily implement DoH almost anyway you want if you are building a service or device. Its just replying to a request for a hostname record over HTTPS fundamentally - it can be as simple as an extra REST API you run. The number of "protocols" here is effectively limitless. I cant stress enough how simple it can be - check the specs you linked, the example HTTP request/response for the DNS over HTTP3 example is really basic - you could build your own in less than an hour if you really wanted and understand how traditional DNS works.
There is no such thing as right or wrong way to do DoH so long as the DNS messages are passing over HTTPS - the standards are largely to help make it easier to deploy and avoid common pitfalls of course (simpler to integrate to browsers and other software "for free" if the message response body format is standardised), but devices, apps and even javascript in the browser are free to solve this anyway they want, with whatever kind of message payload they can dream up.
DoH is just an HTTP request over SSL in most implementations, nothing more, with the record usually in the payload body in a JSON message or similar.
There's nothing stopping you just making your own REST API and responding over HTTPS that returns hostname records for any service you build or run - it doesn't even need to use an existing DoH standard. These are exactly the sort of tricks stuff like IoT devices are already using to ensure they can phone home regardless of your network's DNS settings.
DoH is literally just "DNS over HTTPS" (hence the TCP a lot of the time) and you can build this a ton of different ways, including as a basic RESTful API. Local javascript on the page could literally just call any old HTTPS web API to get hostnames resolved, and thanks to HTTPS is much harder to detect, inspect and interfere with than traditional DNS. Fundamentally, a DNS request is a really basic API to implement.
This is why DoH is so hard to conclusively block - its by design to look like "normal" web traffic so bad actors are prevented from manipulating your DNS responses, and the implementation can be done pretty much anyway you want - there are a million different ways to pass a message over HTTPS, and to a firewall they all look like the exact same normal HTTPS traffic if you don't explicitly block the IP or domain serving the DoH.
I personally use Timescale magicDNS on all my devices, with pihole DNS running on a home server. The magicDNS can make my home server the 1st responder for DNS queries and it'll block a lot of ad domains.
DoH was designed to prevent the network operators from interfering with or snooping on DNS. The stated purpose was to prevent your carrier or country from seeing which domains you access, and/or blocking you from accessing them. However, it also prevents devices like piHole from passively blocking ad requests as easily.
I venture onto the Asian and Russian parts of the Internet semi-regularly, and in all these years I have seen perhaps one or two sites with IDN that were actually useful to me.
I don't do any of that stuff and don't think I am running into nasty websites. What is it supposed to do?
I do uBlock origin with pretty standard lists and have a list of allowed persistent cookies. Are the uBlock lists doing all that work in the background?
> (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.
I couldn't see how to do this in Windows Firewall. Which OS/firewall/rule are you using?
Does anyone have any adblockers they recommend that still show "safe" ads (e.g. non-malware) by default, without having to whitelist every site? I'd be open to the security benefits of an adblocker if I could still passively support all the sites I visit.
The only "good" ads are those you have to specifically go out of your way to view because you want to view them; such as product catalogues.
All other ads are physiological assault and should be made illegal. Particularly those ads which exist "IRL" and can't otherwise be blocked, such as billboards.
If you want to harm advertisers while possibly support the sites, you can use AdNauseum, which basically does what uBlock Origin does, but will randomly access a percentage of the ads blocked, to waste the advertiser's money.
I don't particularly want to harm advertisers; I'm just interested in the proposed security benefits from OP. This does seem like a realistic middleground though. Thanks for the suggestion.
It is infuriating that Google seems to be doing nothing about scam ads. For years I have been seeing "Click to install iPhone update!!!" ads on YouTube mobile. Easy to have huge profit margins when your company hires no humans to do things like customer support and ad vetting.
I still get ads for Slovenian brides on YouTube. Not only is it incredibly gross and objective to me, Google clearly knows nothing about my demographic.
I still see extreme right wing propaganda on a pristine profile on YouTube’s flipping homepage. I would love to use expletives on the YT management right now, but I refrain.
Yea, I think we can all conclude they just don't care if it effects their bottom line. So short-sighted. About a month ago people in the AMD subreddit were complaining about compromised drivers and software appearing as the #1 search results due to these kind of ads.
Pretty sad state of affairs that Google can't or won't stop this, especially since they gradually redesigned the ads spots to look practically identical to the search results. Be very careful clicking anything on Google's search results.
And weird speech-synthesied rousing music: ‘Jim worked for a big electronics manufacturer, and had an idea. <Electronic item>s for the people. They they wouldn’t let him make it. They stole his idea and made a bad version. Now Jim is making <Electronic item>s himself that are twice as good and only a quarter the cost! Buy one to support Jim and stick it to the big evil corporation!”. How did that get to be a genre?
And “buy my video course to learn how to make thousands of dollars a day!” scams.
I find it frankly astounding how much obviously fraudulent advertising there is. Isn’t it illegal? Is there no authority that police’s it?
The big "DOWNLOAD NOW" ads placed on webpages for software downloads are pretty bad too. Whenever I'm setting up a fresh windows machine I haven't grabbed an adblocker yet and am not used to seeing ads so they get me every now and then.
The number of times I had to yell at family members to NOT CLICK THAT ITS AN AD is maddening. It required getting a pretty nasty virus and a complete wipe to actually convince my dad to install adblock.
The download sites also make the correct arrow smaller and harder to spot so you click on the ad. I was thinking this today: the last thing a download page wants is for you to be successful and download the thing and then f-off
Google are literally profiting from the promotion of malware and scams, resultant from the business decision to reduce human interaction within the process.
I think browser Notifications help drive these attacks. How many web sites do you visit that offer a pop-up that says the site would like to send you Notifications? You click Allow and suddenly start seeing Ads popup in your Notification area, not a site notification but an Ad.
I had a user show me one of these Notification ads just this week, telling here that McAfee found a virus and click the Ad to remove the virus. We do not even use McAfee, it was a straight up attack ad. Thanks Chrome!
Is it time for an open source adblocker that only blocks bad actors?
I am perfectly fine with ads, I've previously run sites where it was a small source of income myself. I know it would be in a cat and mouse game with the bad guys but if it blocked most of them it would certainly help a lot of people.
Let's build that company that serves ads and blocks bad actors. We can then offer the blocklist to other blockers.
Problems:
* vetting ads costs a lot of time (= money). So you're getting less money per impression
* requires a massive amount of infrastructure if you want to ensure that the ad doesn't change in between you vetting it and you serving it to your clients (= money).
Meaning the consumers of our company will get less money per ad they show to their visitors.
So they'll go to one that offers more. Simple as that.
In order to fix the bad actors we need to start making the websites serving the ads (like Reddit) and/or the networks (DoubleClick) responsible for what they offer up.
As long as that doesn't happen it'll remain a cesspool.
It is already a cat and mouse game, adding another handicap for the good guys seems like too much. Plus, perverse incentives might creep in on the “bad actor” definition.
Adblock Plus is already like this and everybody technical quickly realised the reality of an advertising "Whitelist" instantly creates a de facto protection racket where getting an exclusion from the adblocker becomes a valuable commodity. It's worth paying WHATEVER the adblock operator is asking to get on the whitelist. Adblock Plus got big bucks from Google who in turn have saved billions from striking a deal with them. The small guys - well they got screwed - you need to go through certain well financed ad networks to deliver "Acceptable ads". Adblock Plus is still popular for some reason but I don't know any technical people who still use it because well it's corrupt and hostile to its own users and has a clear drop-in replacement.
In the opinion of the vast majority of adblocker users, agree with it or not, ALL advertisers are bad actors. So they will never voluntarily choose filter lists which allow "good ads" the vast majority of the time. As such this will only happen if you get the adblocker to set allowing "acceptable ads" as a default, which makes what you're talking about INTRINSICALLY corrupt and paternalistic. If you want people to actually do this, show up at the houses of Adblock developers with suitcases of money, plenty of drugs, and beautiful prostitutes and whisper sweet stories into their ears about how they can help small businesses find markets for their products. Sadly ublock origin's developers appear to be incorruptible.
Google has figured out trying to push "acceptable ads" any harder is pointless and has instead moved to simply make adblocking technically harder to do by taking control of web standards.
Just put relevant ads locally and the problem goes away.
By that I mean, if you're a site about say, board wargames, and there's some new board wargame that wants to advertise on your site, ok. Edit your page to add an ad graphic with a link to the seller. That's cool. And maybe the people reading your page will actually want to buy it!
But there's just no way that third-party ads through some generic ad network will ever achieve that fit or reliability. And ads based on tracking people's data and suggesting things based on what you interacted with on social media or whatever? That's always going to be hot garbage at best. Adding in a third-party ad network (and probably behind that brokers and other middlemen) can't possibly make it better, it can only make it worse. So that's what we have today.
But go back to simple static ads relevant to the content of the page and problem solved.
Most ads are bad. I think uBlock Origin's list leaves most static banners intact. I don't mind seeing ads too much if they are the same for everyone that visits the website and is relevant to the content.
Make ad brokers share responsibility for losses due to scam ads. If the ad broker is unable to clearly identify the advertiser for lawsuit purposes, the ad broker should face consequences. They're assisting the criminal by helping them hide.
Some businesses useful to criminals have extra requirements for identifying customers. Pawn shops. Junk yards. Auctioneers. Auction services and ad brokers should be added to that list.
Google and Meta seem to have no idea what's going on within their own advertising networks.
Similarly to all the stories (with two currently in the front page of HN, eBay and PayPal) about algorithms that are just insufficient for the range of realistic scenarios these companies must deal with on a regular basis.
It's merely the equation of profit outweighing customer service. Admittedly, they're working on a scale that's difficult to comprehend, but that shouldn't absolve them of aiding and abetting criminal use of their systems.
Google's and Meta's profit motives are the base cause of this continuing escalation of the ubiquity and user-hostility (to put it mildly) of internet advertising.
It's only been predictable for the last 20 years...
> Google and Meta seem to have no idea what's going on within their own advertising networks.
Which is the problem.
Distributors of ads need a solid Know Your Customer program, so you can find the crooks. Otherwise, they have to accept liability for scams they help promote.
The same should be conveyed to the user too. Ads should have a landing page that tries to inform kids and computer haters about ads and about the company and product and what changes it makes to your PC and charges it makes to your bank.
No "let Onedrive cloud your photos" in my gallery app, no "keep using Edge" when downloading Chrome, no recommended apps on my Samsung phone.
hehe makes sense to send all the pages you visit to the FBI/NSA, etc. If they have multiple sources (DNS and AdBlockers, VPNS, etc. They can verify the data on one or the other.
Or, in other words, FBI now recommends using Android :-) It's baffling how much better uBlock Origin + Firefox experience on Android is compared to any iOS ad blocker I have tried. They kind-of work but let half of the ads through.
I'm wondering if those still are the majority, worldwide. Smart-phones have done a lot to democratize computing power (now if only they weren't used to put >90% of their users in corporate controlled walled gardens...)
Smart phones didn’t change anything here: 99% of their users didn’t care about the “open” nature of desktops before they were a thing, too. A vanishingly small percentage of computer users care about tinkering and openness. It’s been decades since tinkerers and hackers were the majority of computer users.
one could argue that the mobile era has put computers in the hands of the vast majority of people on the planet that couldn't even be bothered to operate a pc.
I don't actually believe smart-phones have done much to democratize computing power because phones don't give you much control over computing power. You can't develop software on a phone using a phone. And frankly the vast majority of phones have way more computing power than is actually used.
On a related point, the push to the cloud is befuddling when everyone has a phone with "free" (from the developer's point of view) computing power sitting there unused. Everyone's wasting money on centralizing compute despite more distributed compute being available than ever before.
I'm still here. I've used a browser on my phone exactly once to register my phone. With exception to that one time I only use Firefox on Linux on an old PC.
Why did you bother to register your phone then? I've used many smartphones and never registered any of them. I wouldn't give the time of day to Google or Apple let alone my personal details.
Similarly, I use Firefox on Linux but I also regularly browse the web or post to HN on a phone that's been heavily deloused of Google using Firefox and other browsers—but never Chrome.
I've used many smartphones and never registered any of them.
When I say register, I meant sign up for the wireless service. I did not already have an account. I was on my wifi and browsed to the wireless provider to activate my sim card and get a phone number. I could have done this on my PC but doing that on my cell verified with the vendor that my phone was supported since I am using an off-brand device. It was easier to copy the IMEI that way.
For Googles app store I used a throw away Gmail address that is not used anywhere else. I would love to put a new image on the phone but AFAIK there are no custom roms for my make/model of device. I would love to install GrapheneOS but they have sadly limited device support to Pixel. I am learning more about using adb since this is my first smart phone and with time I will neuter Google without replacing the rom, hopefully. It's mostly harmless for now since I rarely have the phone on.
Fine, that all makes sense. As I posted elsewhere here, the problem of getting replacement ROMs is considerably harder than it was a few years back. I now go to considerable lengths to check if a suitable ROM is available before I buy a phone. I also don't buy one when first released, I want to see how a ROM market develops or if it's well supported. It's also a reason for keeping old phones or getting friends and relatives to give me their old ones, chances are they're easier to root/re-ROM.
I don't have the data to back this up, but I've been operating under the assumption that the majority of people access the internet through their smart phones more than any other devices. Maybe it's my age, but a lot of people I know don't own traditional computers and if they do it's a single laptop they occasionally use for office tasks.
I’m sometimes shocked at how much my wife relies on and accomplishes through her Pixel 3. She uses a computer only when she wants a bigger screen - photo editing or watching a show. Everything else she uses her phone. Is very surprising to me. I feel like I can barely do anything on my phone.
It depends a lot on how much typing you do. If it's mostly reading, phone is tolerable. For HN or Reddit, I want my damn keyboard.
But, conversely, the way we interact online also changes to accommodate these trends. Twitter was an early example of that, and so is the focus on audiovisual content over text for the more recent social networks.
I honestly don't understand how people can stand to browse the web on their phones. I almost never do, because it's such a pain in the butt. But c'est la vie!
It will probably end up like C. P. Snow's The Two Cultures and for many never the twain shall meet. This shouldn't be surprising really given the diversity of people, views, etc.
As for myself, I use both regularly but for serious work the PC/large screen predominates.
In recent years I've often found myself working on the PC with a collection of phones about me all with different but related information on them. It's akin to having multiple textbooks open on one's desk for reference. It's also a handy way of not cluttering up my PC screens with multiple windows/tabs open.
I think this was meant to point out that trading ads for system wide tracking isn’t necessarily a deal you are forced to make if you are a person who is motivated not to make that deal. For most people avoiding tracking isn’t even a thought. Their first order of business is inviting Facebook, Twitter, and Tik Tok to the party.
AFAIU it's all F-Droid apps that are GPS-free. I rely on a small handful of others installed from the Aurora, Google Play is a requirement for some of those.
I may be hallucinating that shim, though I'm pretty sure it actually exists...
"...I rely on a small handful of others installed from the Aurora, Google Play is a requirement for some of those."
Later thought. I also occasionally install Play Store apps via Aurora Store and it's worth noting that some state that they require Google Play Services but in fact they do work without it (I normally have GPS/Google Play disabled or uninstalled).
I've not bothered to research why but I presume it's the reporting mechanism that's not working, the core operation of these programs being independent of GPS (presumably this would simplify programming if the programmer is also coding the program for iPhone).
I'd be most interested if you or anyone else has more info about this.
I have been running Graphene for years and find that few proprietary apps really need GAPS. I get a warning that it is required when they try to serve an ad, but I just dismiss it and enjoy the ad free experience. Graphene has great shims and even a sandboxed Google Play Services for those who want a lot of notifications. I don't use it myself, but my partner does.
Right, Android trades ads for system wide tracking and that's rotten for the user. Moreover, Android's tacking mechanism is brilliantly effective—one has to admire Google's ingenuity for its receiver/signalling system. It's so integral to Android that one can view the O/S as built around it rather than it as an addition/add-on to the O/S. Essentially, Android is an O/S built around an ingenious spying system.
It's just not possible to use
an Android phone as Google intended (and as the vast majority of users actually do) without that tracking mechanism taking center stage.
My solution is to disable or uninstall Google Play Services/apps and I never create a Google account. Also, wherever possible, I use a rooted phone.
The penalty for such action is that many of the attractive so-called free services are unavailable to me. However, the benefits of closing down or uninstalling all unnecessary services and apps and disabling JavaScript are that my battery now lasts for days, ads are a thing of the past and the phone and internet access are much faster.
I accept however the vast majority of users either aren't capable of making such a tradeoff or aren't prepared to do so and Google knows that—that's why it's a winner. For Google, users like me are just insignificant noise.
> It's just not possible to use an Android phone as Google intended (and as the vast majority of users actually do) without that tracking mechanism taking center stage
These things are not as tightly woven into the OS as you make it seem.
It is very much possible. GrapheneOS, CalyxOS, roll your own AOSP-based image.
A completely degoogled Pixel series is even practical and realistic for casuals. As you say you miss out or have to fiddle a big for many apps which break without SafetyNet and other malware.
"These things are not as tightly woven into the OS as you make it seem."
I know that but try and tell it to the average user. Even many of my techie colleagues aren't game to make changes to their phones for fear of losing some beloved feature. Frankly, I'm amazed at how tolerant people are to this level of surveillance.
That said, much can and does go wrong, resurrecting bricked phones seems to be a pastime of mine. As you know, whether one can decouple Google's spyware subsystem easily or not depends on the phone. If you can't gain access to the OS then it's not possible to roll one's own ASOP-based image or use some other one.
These days, many manufacturers are making it harder and harder to bypass security features, unlock the boot loader and install custom ROMs. Nevertheless I won't buy a phone without first checking whether I can install a custom ROM and it's definitely harder now than it was say five years ago.
Man, some people are just crazy. You’re so hell bent on using android you limit the functionality of your phone to it essentially just being a brick.
Buy an iPhone, install an ad blocker, disable all the tracking, and be done with it while still being able to use the features of the phone you bought.
1. I've owned iPhones and Apple is hell bent in locking me out of its tech. If you want to live in a straightjacketed tech world then that's fine. In my world that's a truely bricked environment.
2. When I make phone calls I use a feature phone, it's incapable of doing anything else. That is, it has no Internet access—not even Bluetooth.
3. I wouldn't be seen dead on social media or using a Gmail account, and I've no need of Apple's store or Netflix, etc. so the functionality you refer to isn't an issue.
4. My Android phones are for limited internet use only and or portable computer use. Similarly, the functionality you speak of just doesn't apply. They are hacked and tailored specifically for my requirement and they do exactly what I want. Right, I'm in control (unlike iPhone users).
5. Even then, as a rule, my Android phones don't use SIM cards, they connect to the internet wirelessly via separate pocket routers which further isolates them from internet gumpf and garbage.
Imagine not being able to have root, uBlock origin, or third party Youtube clients. Oh, and now also, sending every one of your pictures to Apple so they can call the cops on you to cover their asses[1].
Maybe I'm reading this response wrong, but your comment doesn't seem to make much sense to me. The amount of freedom from surveillance the GP seeks is not something Apple hardware will offer to you at any price. Google makes it painful and onerous, but Apple makes it impossible.
I develop a popular iOS and macOS ad blocker that block almost all ads[1] including all YouTube ads.
Will be interested to hear if you've tried it out and what may have been missing?
The only things we don't block at the moment is some non-English content and Adult sites. With a small team these haven't been the primary focus for the time being. Other than those though we should stop pretty much everything else.
Hey thanks for Magic Lasso. I've had it installed for years. Only after starting my app library from fresh did I realize how much I missed it (and it took me quite a while to figure out and remember that it was magiclasso doing the heavy lifting - easy to install and forget!)
The app works well enough but I deleted it. After setting it all up there’s no mention that it will work without the subscription. There’s no mode to say “continue without the subscription using the free services” just a very large button and a description of the price to subscribe. That’s hella sus. Also the very first screen doesn’t let you opt out of notifications or skip it with “setup later” etc etc — these customer / user hostile patterns had me so jaded I deleted the app and won’t go back.
Appreciate the feedback. We'll take it on board for improvements in the future.
We recently moved to a paid app model with a 30-day free trial available (from a freemium app model).
Understand that this is not as appealing as a free-forever product. We found that we had hundreds of thousands of free users and not enough paid users. After developing the app for many years under this model, we had to make some changes so that we could continue to fund the ongoing app development and updates.
The notification prompt can also be declined in the alert that appears; though we could make this more obvious with a clear 'Skip' button.
Understandable, but if I’m getting ads because I’m not subscribed to things, I don’t want to suscribe to avoid those ads. I would likely pay a one time fee, but not yet another subscription.
I know you have your reasonings, but I’ll give you my raw unfiltered train of thought of why I wouldn’t sign up in case it helps you in your business:
“It’s only 30 bucks a year” say 100 other apps. I get it, you’re trying to make money, but there are many other ways of doing this for free. You’re not offering that much product to me that’s worth a subscription. Netflix? I actively use it every night. Spotify? Several hours a day. Blocking ads? Maybe a one time fee.
Other than paying yourselves which makes 100% sense what if any serverside or other costs does this app/plug-in incur if the filtering is being done from within safari?
While Chrome uses the same rendering and JS engines as Safari under the hood, it doesn't share all features (like the extensions API). I think only DNS-based ad blockers work for both and content API-based ad blockers like Magic Lasso don't.
As others have said, .mobileconfig or official app work great.
I geek out a bit and use Surge for iOS (pricey and not for non-techie users) and run a few proxies. It'll also allow for DNS override, which I use NextDNS's DNS over HTTPS.
You don't need pihole. there are adblockers on iOS. They aren't as flexible as ublock on android but they're 98% there and good enough with the added advantage that google isn't spying on your every move and sending it back to the mothership.
1Blocker has a built in internal device local VPN service that also covers all apps on the phone - not just Safari. Breaks any of the "free with ad" games so yeah, it's effective!
GeckoView is literally Gecko with an Android API wrapped around it, so that sentence doesn't really explain anything.
The actual thing is that simply each app embedding Gecko needs to be brought up to speed separately, and if Android is lagging behind, it just is, "GeckoView" or not. (Even before the invention of GeckoView, due to understaffing Android Firefox used to lag behind in terms of multi-process capability, so nothing new under the sun…)
Most blockers are running through Safari Extensions, so they’re limited to whatever Apple allows them to do. It’s no uBlock, but I made an app that lets you run your whole device’s traffic through a blocker [0].
Those who are a bit tech minded – consider adding DNS filtering on your home network (using pi-hole or something else). It has drastically changed my web experience for the better, including across iPhone apps, smart TVs and other surfaces where ad blockers can't help.
I see this advice a lot but I can't imagine it working better than using a system level adblocker like AdAway on my phone. (Smart TVs I understand, though mine seem to be unusually ad-less compared to what I've heard Samsung does).
What if you're out and about disconnected from WiFi? What if you need to turn the thing off for a sec to click on a sale/promotion in an email?
Out and about: yeah install something on your phone (or use a self hosted vpn that plugs into pihole? never tried it)
Need to click on sale: You can easily temporarily disable it in the web interface in 1 click
It's a nice way to block ads for any wifi connected device in your house without additional setup. There are probably 10+ ad-serving devices in my house between the TV's, laptops, tablets, and phones.
> use a self hosted vpn that plugs into pihole? never tried it
Not that it plugs _into_ PiHole per se, but rather that the Self Hosted VPN makes your phone use your home DNS server (including the PiHole itself). It works! I use https://www.pivpn.io/ but there are many others.
I am puzzled here. Why is the FBI expecting the free market to solve the problem created by the free market? Are these scams somehow legal? If the scam is illegal, and search engines are promoting the scams at the top of search rankings, doesn't that make the search engine an accomplice in the scam?
If I invited crack dealers to deal out of my house for a small cut of the proceeds, I'm pretty sure I go to jail when they're caught. That's essentially what search engines are doing here.
444 comments
[ 0.19 ms ] story [ 316 ms ] threadThe generic nuclear option to hide terrible web design, bypass (some) paywalls, and improve performance 1000x is to disable javascript. ublock and adnauseam both have a button to disable all javascript on a page, which is handy when reading articles on sites filled with garbage.
Be slightly careful, there's a known issue (limitation of Chrome really) where requests and javascript are not blocked in the first few seconds of launching a browser or an incognito window (you can test this yourself). And this is true even with "Suspend network activity until all filter lists are loaded" enabled, because I think it's some limitation on Chrome as to when exactly extensions get loaded.
So if you do rely on javascript being disabled for safety, after a fresh launch or new incognito window, you should visit a safe webpage first before going to the risky one.
Every scrap of data collected about you will be used against you. It doesn't matter if it's accurate or not, nobody cares if they data they have about you is accurate, data brokers will happily sell your personal info to anyone even knowing full well that it's got inaccurate and conflicting info in it. Many won't even know because the process is entirely automated.
By automatically clicking on ads and "expressing interest" in random things you're just filling your dossier with ammo which gets handed to others to fire at you. Every random thing you add to your permanent record is one more thing that can only hurt you.
You cannot know what will prejudice someone against you. Maybe one day adnauseam decides to click on something that gets you flagged as having a certain political view, or having a certain sexual orientation, or being an alcoholic, or having a mental illness, or being at a certain income level, or belonging to a certain religion, etc. One day that exact data can cause you to get turned down for a job, or for housing. It can mean that a website charges you more than what your neighbor pays for the same product. It can mean your insurance rates go up next year.
You will never be told when it happens or why. Your health insurance company isn't going to tell you that they raised your rates because you (adnauseam) clicked on too many fast food ads last quarter. You're just suddenly getting a higher bill. Your auto insurance company won't tell you that they raised your rates after you were clicking ads for DUI lawyers, but suddenly they and every other insurance provider you try are quoting you higher monthly prices.
If your browser extension decides to go click on ads about abortions you could even end up being hauled into a texas courtroom and having to defend against charges. Sure, you'd get them thrown out eventually. Probably. But it would still cost you a ton of time and money and stress. The information in your dossier can get you targeted, harassed, or attacked by extremists. It can get be used against you in court rooms. It can get you investigated by three letter agencies. It can be used to impact your 'secret consumer score' or consumer trustworthiness rating.
The information being collected about you is sold to companies, employers, activists, extremists, and law enforcement. That data never goes away. It follows you for the rest of your life and will be used against you in ways you'll never be aware of and cannot today imagine. Filling your dossier with huge amounts of content (random or not) is dangerous and only increases your risk for zero benefit.
I don’t care if I get wrongly labeled/categorized due to this. It’s not like my profile was an accurate representation of who I am before I turned on ad nauseam. If someone gets dragged into a court room for clicking ads, that would be funny, and I doubt they would have a hard time finding support from orgs like the EFF, gofundme, etc.
One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads. This will lead to reduced spending and less ads overall.
adnauseam does not do this. It only adds to your personal information. It doesn't hide anything.
> I don’t care if I get wrongly labeled/categorized due to this.
Then you must not care when you suffer the consequences of having been wrongly labeled/categorized. Nobody can make you care about yourself, your money, your safety, or your time if you refuse to.
> It’s not like my profile was an accurate representation of who I am before I turned on ad nauseam.
Again, nobody cares about how accurate it is or not. It's about quantity, not quality. Accurate or not, that data will increasingly impact your life in very real ways. The more data they have, the worse it will be for you.
> One long term benefit of this is that if a lot of people use it, advertisers will start seeing diminishing returns on their investment in internet ads.
this isn't actually true, because advertisers don't care. That's why the world is still and increasingly filled with ads that aren't laser focused on you as an individual. We have more and more ads on network TV, on billboards, on radio etc. None of them were stopped because they sometimes showed an ad to someone who doesn't care about it. Seriously, they don't care. You clicked, that's good enough for them. Sales aren't even always the goal. Being seen (or the appearance of being seen) is often all they need.
You're honestly only hurting yourself.
Right: regardless of what the ad is, just by auto-clicking on it you provide a signal that when aggregated together can roughly piece together your browsing history. As a toy scenario, maybe you only visit tech blogs, and tech blogs usually have tech related advertisements. The fact that you have auto-clicked on ads that were on tech sites, and not say fashion sites, is itself a strong signal that can be used to infer browsing history.
Also I think advertisers are already used to dealing with click fraud and so track metrics that won't meaningfully be impacted by this strategy.
> adnauseam does not do this. It only adds to your personal information. It doesn't hide anything.
It does hide it. It hides it between a bunch of garbage data. That’s the point.
If the CIA wants to assassinate me, a browser extension isn’t going to help. But if I start seeing ads for adult diapers while I’m browsing the internet, I’m going to laugh and feel good about knowing they wasted a few cents.
> Accurate or not, that data will increasingly impact your life in very real ways. The more data they have, the worse it will be for you.
Sorry, but that’s ridiculous. It sounds like FUD a spam blog operator would say lol.
> this isn't actually true, because advertisers don't care. That's why the world is still and increasingly filled with ads that aren't laser focused on you as an individual. We have more and more ads on network TV, on billboards, on radio etc. None of them were stopped because they sometimes showed an ad to someone who doesn't care about it. Seriously, they don't care. You clicked, that's good enough for them. Sales aren't even always the goal. Being seen (or the appearance of being seen) is often all they need.
When something isn’t working, you stop wasting money on it. Ads aren’t going to completely disappear, but if collecting personal data on individuals stops being effective, then marketers will need to turn to other means of targeting. It won’t happen tomorrow, but I did say “long term”
Companies are using every scrap of data they can get their hands on to take more of our money and they want more. The government is buying up data they can't legally collect directly. It's pretty likely that you've already experienced real world consequences of the data taken from your online activities. (https://epic.org/issues/consumer-privacy/data-brokers/)
They tell us that all the tracking we're subjected to is just about ads, but the data being collected is used all over the place offline. What we really need is privacy regulation with real teeth, but that's probably not going to happen any time soon because it's making companies tons of money. There's a multi-billion dollar a year industry around the buying and selling of the our data for a reason.
just blocklist known garbage
The personal and societal effect of ads are more tangible than the personal effect of tracking. Even if networks are truly able to use this data, it doesn't matter how precisely you can be served with ads if you don't see them.
On Chrome/Firefox I use uBlock Origin which works well. I’m not sure if the community recommends something else at this point.
I also use various other extensions like StopTheMadness to disable right click hijacking and other bad behavior and Banish on iOS to prevent certain banners from appearing.
For example, YouTube has no ads in iOS Brave. Since iOS doesn't allow real browsers and extensions, Brave has been a sanity-saver for me.
Pair that with uBlock on desktop and you're golden. 98% of the sites don't break at all either.
I now have 68 extensions on my Brave (desktop). Imagine seeing 68 additional icons on my macOS launchpad!
Oh you Apple users.
I mean, the comment is pretty straightforward, I don’t really see the need to come to this person’s defense. I agree that the iOS policy is dumb, but deliberately misinterpreting this person to make them correct is silly.
Single app, all devices, works great out of the box.
https://noscript.net/
But I sort of think this may be more of an issue with Cell Phones.
The upside though is big, stops all the insane bloat that runs on most pages. Many websites run fine with all their scripts blocked too.
Also, it's pretty cool that NextDNS has this: https://github.com/nextdns/nextdns/wiki
https://encrypted-dns.party/
https://gitlab.com/nitrohorse/ios14-encrypted-dns-mobileconf...
No idea if I should really trust them, or if there’s a better way to install profiles directly from CIRA or Mullvad like I use.
Nice thing is that it’s device wide and all free (hopefully not for malicious intents).
NoScript will break pretty much 50% of the web. It'll take you about a day to whitelist all the sites you use daily and then it's smooth sailing.
I would also highly recommend this privacy focused list. https://www.privacytools.io/
The former team left Privacy Tools and that is now just arbitrary recommendations by one guy who mostly spruiks cryptocurrency bullshit. He also has no experience when it comes to auditing, verifying any of what is recommended, not a sysop, not a programmer either.
If you want to know specifics about that see https://www.privacyguides.org/about/privacytools
Also see https://github.com/arkenfox/user.js/wiki/4.1-Extensions
Never using an adblocker again.
It's a rational assumption and should be taken in to consideration to the extent any particular threat-model should or shouldn't.
People sell popular browser extensions to malicious parties all the time and AFAIK there's no systematic way to notify users when this happens.
https://www.pcworld.com/article/435020/hackers-make-driveby-...
https://money.cnn.com/2013/02/22/technology/security/nbc-com...
https://blog.fox-it.com/2014/01/03/malicious-advertisements-...
https://www.cbsnews.com/news/huffpo-readers-hit-with-ransomw...
I had to thoroughly wipe my computer and the computers of two others that fell to the same malicious ads.
Now ublock origin is standard and no Adobe products are allowed.
Just because I'm paranoid doesn't mean they're not out to get me ;)
dns blocking would only see the domain coolblog.org, and doesn't see that it loads ad.js, so it won't block anything.
But e.g. uBlock, also sees that your browser tries to visit ad.js, if uBlock had ad.js in its blocklists it can block loading this script.
AFAIK only Orion browser [1] comes with full 1st party and 3rd party ad and tracker blocking, by default.
[1] https://browser.kagi.com
Sure I can:
It was built to block ads. You have to tell it to do so in a way that blocks "all of them" otherwise it just blocks the terrible/annoying/malicious ones.
If their money comes from advertisers and not users, they serve advertisers and not users. Supporting them as a temporary solution just means if they succeed we have all the same problems when the same incentives come into play.
Configurable.
> Will that last through a financial crisis if advertisers offer them more money?
Will Brazil win the 2090 world cup? I'm not sure I get your point...
> Supporting them as a temporary solution just means if they succeed we have all the same problems when the same incentives come into play.
Internet services are run by ads. Unless we can transfer to a model which is publicly funded or subscription based (even free software needs to pay for servers and employees -- the money has to come from somewhere) then the best we can hope for is an ad-funded service which allows you enough control to turn everything off if you want to.
Do you have a better solution and are you willing to start working on it?
Otherwise, you are making 'perfect' the enemy of 'good'.
Remember when you responded to a post about blocking ads by default?
> Internet services are run by ads. Unless we can transfer to a model which is publicly funded or subscription based (even free software needs to pay for servers and employees -- the money has to come from somewhere) then the best we can hope for is an ad-funded service which allows you enough control to turn everything off if you want to.
Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
The internet existed before internet advertising, and the kinds of websites people built for intrinsic reasons rather than for money were far superior. If Facebook et al disappeared completely the world would be a better place.
There is not a shortage of content, there is a shortage of filterability created by low-effort garbage funded by ads. If people aren't willing to pay for something, it's because it's not that great.
Patreon shows that some people are willing to just make donations for free content. And incidentally, Patreon-supported content tends to be higher-quality because they're serving donors, not advertisers.
We don't need ads. Ads are a blight on humanity which provides negative value.
> Do you have a better solution and are you willing to start working on it?
You mean the < 10 lines of code necessary to have an ad blocker installed by default?
> Otherwise, you are making 'perfect' the enemy of 'good'.
Brave is not "good". It's literally no different in any way from a browser which supports adblocking extensions.
It does block ads by default. You then asked about analytics.
> Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
I definitely do not support ads. I block them.
> The internet existed before internet advertising, and the kinds of websites people built for intrinsic reasons rather than for money were far superior. If Facebook et al disappeared completely the world would be a better place.
Yes it did. It was funded by the government, universities, the military, and people through personal servers (you can probably also count BBSs as well). These things had functions orders of magnitudes smaller than are available today (want to see a satellite picture of your house then get walking directions from there to Alaska?).
> If people aren't willing to pay for something, it's because it's not that great.
Someone pays for everything. Do you have a solution? I would happily pay more taxes to publicly fund services like search engines and browsers -- but that isn't politically viable right now.
> We don't need ads. Ads are a blight on humanity which provides negative value.
I agree. That's why I block them.
> You mean the < 10 lines of code necessary to have an ad blocker installed by default?
No, I mean how to fund massive projects and infrastructure without public funding.
> It's literally no different in any way from a browser which supports adblocking extensions.
I never said it was. I said it blocks ads by default.
If you open google.com and search for 'mattress' in Brave, you will see Google ads in Brave, by default.
Furthermore, Brave is capable of blocking these ads, but chooses not to, therefore it does not block ads by default.
>> Now we get to the point: you support ads, so you aren't actually committed to getting rid of them.
> I definitely do not support ads. I block them.
"you" was referring to Brave, not yourself. The point is that Brave is a first part ad vendor (showing ads is how it makes money) so for this reason it is not commited to blocking first party ads by default (as it would be ironic I guess).
> Someone pays for everything. Do you have a solution?
Yes, you can chose to support paid search engines and browsers, paid by users, not advertisers.
> I agree. That's why I block them.
Original comment was about which browser is blocking all ads without discrimination, on default settings.
You can make any browser block ads with some effort, through for example extensions.
It doesn't block all ads everywhere -- I don't know any browser or extension that does. It certainly blocks most of them. I don't see google ads because I don't use google for search (and I also run a pi-hole), so I wouldn't know.
> "you" was referring to Brave, not yourself.
Well 'you' use strange sentence structure and grammar and it doesn't communicate your point clearly -- or you are retroactively changing what 'you' mean after 'you' write it.
> Yes, you can chose to support paid search engines and browsers, paid by users, not advertisers.
Does 'you' refer to 'me'? Because I already do that. 'I' was speaking of browsers and software and services in general. And I already brought up the subscription model but that doesn't work for browsers, apparently. Why don't you make one?
> Original comment was about which browser is blocking all ads without discrimination, on default settings.
Original comment was about browsers blocking ads. I mentioned Brave was built to block ads. You seem to have changed this conversation to be about Brave supporting ads and how if it does then it doesn't 'count' when it blocks them. Try to keep up.
- blacklists entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing my browser to use DoH -- I can still then use DoH if I want, from unbound)
- reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules
- (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.
I do not care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).
EDIT: just to be clear seen the comments for I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day to day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent me from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks. Your mileage may vary and you live in a country where it's normal to go on website with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.
[0]: https://chromium.googlesource.com/chromium/src/+/main/docs/i...
I don't like to have to set rules in browsers: I'll do it when mandatory but I prefer things that the browser won't change during it's next update and, also, I use several browsers.
There are a bunch of file variants to weed out specific bad actors.
It's well currated though I will disclaimer it has broken a few websites in the past for me. Maybe that's a good thing.
It's why many browsers started defaulting to showing "xn--<whatever>" (punycode representation of IDN characters).
It sucks for domains that are emoji but whatevs. Scammers ruining things for everyone, as usual.
Chinese is the most popular, but only 760 for 2022 and the aggregate trend is down:
2016: 2378
2018: 2252
2020: 1675
2022: 1518
Internationalized Domain Name (IDN) Annual Report 2022
[1] https://www.icann.org/en/system/files/files/idn-annual-repor...
You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules, the same doesn't work for DoH. a DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.
Oh I know but so far you can still ask both Firefox and Chromium to not use DoH and hence force them to use port 53 and from what I've seen they really honor that. For the moment.
I don't doubt that in a not so distant future we may see companies hardcoding DoH into apps without any possibility of removing that setting!
What I do is no panacea but it gets rid of a lot of things.
> There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
But I whitelist apps that can connect to the net. Browsers, apt (for Debian/Devuan package update), the one that update the NTP/time, SSH out and that's basically it.
I know it's a game of whack-a-mole, but I'm still playing it : )
Maybe this is so but I have yet to see it. AFAIK all the DoT/DoH are on known dedicated IP addresses. I know they don't have to be. They could be on generic Akamai/CF/BunnyCDN/etc... end points but I have yet to come across one utilized in the wild. Have you found any? What are their IP addresses? I would like to add them to my DNS timing/monitoring scripts.
I null route about 24 DoT/DoH IP addresses and my one smartphone seemed to figure out automagically that my router was serving up DoT on 853. I can tell if something is bypassing Unbound because there are things I know should not resolve correctly.
How would you be able to tell?
This only works with devices that I can install my own CA key onto. I have not figured out how to do that with the vehicle diagnostic tool.
Yes, that's why I don't use any commercial IoT devices. I have no actual control over them. Before I shed the few I did have, I kept them segregated on their own subnet so that at least their presence didn't have to impact anything else.
Little pro-tip for anyone who tries to run their own private DoH infrastructure too, Firefox doesn't like RFC1918 addresses for the DoH resolver. Set `network.trr.allow-rfc1918=true` if you run DoH on a private IP.
That’s the design intent. Because not all network administration is benign.
DoH is a tool like any other. Good or bad entirely on why and how it’s used. And your own perspective on that use case.
DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.
> DoH is a tool like any other. Good or bad entirely on why and how it’s used.
Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.
DoH is a plague.
That's not true when the just the network itself is yours. It's only true when all of the computers on it are too.
> DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.
What? No it doesn't.
> Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.
You're not supposed to be able to have control over what tools other people use on their own computers.
I was unclear. This is exactly the case I'm talking about. The network, and all of the devices on the network, are mine.
> What? No it doesn't.
It does. It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.
> You're not supposed to be able to have control over what tools other people use on their own computers.
Again, I'm talking about having control over my own machines, not anyone else's.
If that makes DoH bad, then privacy is bad too since it makes it easier for terrorists and pedophiles to evade the law.
The only privacy they are affording is specifically to entities that I don't want operating on my machines to begin with, who are mostly interested in violating my privacy.
So this privacy mechanism, in this use case, really is bad because it reduces my privacy.
You can't control it as a malicious censor who's trying to control what Web sites other people's computers can access just because they're on your Wi-Fi. You can absolutely control it on computers that are actually yours.
Of course, this is not the fault of DoH providers themselves - at worst, they have just made it easier to perform this.
And it's a good thing that DoH is easy, because it helps protect vulnerable people from censorship and surveillance.
They will tell you it is to defeat censorship though and to improve network resilience, because they are deeply committed to having the image of being a champion of internet freedom.
And besides, every browser that supports DoH also lets you pick what server to use, and adblocking DoH servers exist.
Yes you can. Do what corporate firewalls do. MITM all TLS connections with your own personal CA. Don't allow any traffic streams that you can't MITM to leave your network.
1. couldn’t you “just” (yea yea I know) install a cert on all your devices and force all 443 traffic though a proxy (like some corporate networks do)?
2. (Something I’ve been meaning to get around to trying for a while) default-block outgoing connections unless unless the external host was recently resolved for the corresponding internal host via your internal resolver? That seems like it would kill anything that tries to avoid your ad-blocking resolver. It seems like that might block hard-coded addresses too, but that could be a good thing..
That's insufficient. There's nothing stopping a web site (or ad on a website) from forming its own DoH request that bypasses the browser and the port. It can be done entirely within the HTTPS stream.
And with 2), that would work, though you'd probably want to whitelist port 53 so that you can resolve names in the first place. Sounds like it should be effective, though.
The rest is just fear mongering, I'm sorry, not sure how to phrase that more elegantly or politely. I'm not an uber smart domain expert wrt certs, but we shouldn't have to be to know that valid device MITM with certs is a normal use case. And it shouldn't be used as a boogeyman man on layman users.
True.
I had to install a system to MITM all my https traffic in order to block DoH requests.
It's actually not too difficult if your users use Firefox. You can use enterprise policies https://support.mozilla.org/en-US/products/firefox-enterpris...
It can be more of an issue if you have a lot of "smart" products or IoT products that essentially operate as black boxes on your network though. Would just recommend not doing that, if you have devices on your network that you don't control, someone else does.Basically the same process that some companies use for similar purposes.
If that's what you want, you need to give me time to put it together. I set this up a number of years ago and don't remember the details off the top of my head.
here's what I do remember: I use a squid proxy and replace all of the HTTPS certs on my other machines with my own. When HTTPS is negotiated, it's with my proxy, not the end destination.
Then the proxy does its proxy thing and sets up a normal HTTPS connection with the destination.
In my proxy, I have a script that is looking for the HTTP lookup exchanges detailed in RFC8484 (https://www.rfc-editor.org/rfc/rfc8484). When it finds them, it drops them on the floor. Everything else just gets passed through.
And hey, maybe one day advertisements will be served directly via IP addresses, not domains:)
It uses TCP.
There's actually two protocols DNS over QUIC https://datatracker.ietf.org/doc/rfc9250/ which has a specific port 853. This can be blocked.
Then there is DNS over HTTP3 https://security.googleblog.com/2022/07/dns-over-http3-in-an...
There is no such thing as right or wrong way to do DoH so long as the DNS messages are passing over HTTPS - the standards are largely to help make it easier to deploy and avoid common pitfalls of course (simpler to integrate to browsers and other software "for free" if the message response body format is standardised), but devices, apps and even javascript in the browser are free to solve this anyway they want, with whatever kind of message payload they can dream up.
DoH is just an HTTP request over SSL in most implementations, nothing more, with the record usually in the payload body in a JSON message or similar.
DoH is literally just "DNS over HTTPS" (hence the TCP a lot of the time) and you can build this a ton of different ways, including as a basic RESTful API. Local javascript on the page could literally just call any old HTTPS web API to get hostnames resolved, and thanks to HTTPS is much harder to detect, inspect and interfere with than traditional DNS. Fundamentally, a DNS request is a really basic API to implement.
This is why DoH is so hard to conclusively block - its by design to look like "normal" web traffic so bad actors are prevented from manipulating your DNS responses, and the implementation can be done pretty much anyway you want - there are a million different ways to pass a message over HTTPS, and to a firewall they all look like the exact same normal HTTPS traffic if you don't explicitly block the IP or domain serving the DoH.
I personally use Timescale magicDNS on all my devices, with pihole DNS running on a home server. The magicDNS can make my home server the 1st responder for DNS queries and it'll block a lot of ad domains.
I do uBlock origin with pretty standard lists and have a list of allowed persistent cookies. Are the uBlock lists doing all that work in the background?
I couldn't see how to do this in Windows Firewall. Which OS/firewall/rule are you using?
Edit: changed "good" to "safe" for clarity
All other ads are physiological assault and should be made illegal. Particularly those ads which exist "IRL" and can't otherwise be blocked, such as billboards.
1 month ago: https://www.reddit.com/r/blender/comments/109yjxm/dont_click...
2 months ago: https://www.reddit.com/r/blender/comments/zewem3/beware_of_p...
4 months ago: https://www.reddit.com/r/blender/comments/xxkx5s/warning_som...
7 months ago: https://www.reddit.com/r/blender/comments/vuqu1r/hey_so_what...
Pretty sad state of affairs that Google can't or won't stop this, especially since they gradually redesigned the ads spots to look practically identical to the search results. Be very careful clicking anything on Google's search results.
And weird speech-synthesied rousing music: ‘Jim worked for a big electronics manufacturer, and had an idea. <Electronic item>s for the people. They they wouldn’t let him make it. They stole his idea and made a bad version. Now Jim is making <Electronic item>s himself that are twice as good and only a quarter the cost! Buy one to support Jim and stick it to the big evil corporation!”. How did that get to be a genre?
And “buy my video course to learn how to make thousands of dollars a day!” scams.
I find it frankly astounding how much obviously fraudulent advertising there is. Isn’t it illegal? Is there no authority that police’s it?
It's gross.
I had a user show me one of these Notification ads just this week, telling here that McAfee found a virus and click the Ad to remove the virus. We do not even use McAfee, it was a straight up attack ad. Thanks Chrome!
I am perfectly fine with ads, I've previously run sites where it was a small source of income myself. I know it would be in a cat and mouse game with the bad guys but if it blocked most of them it would certainly help a lot of people.
Problems: * vetting ads costs a lot of time (= money). So you're getting less money per impression * requires a massive amount of infrastructure if you want to ensure that the ad doesn't change in between you vetting it and you serving it to your clients (= money).
Meaning the consumers of our company will get less money per ad they show to their visitors.
So they'll go to one that offers more. Simple as that.
In order to fix the bad actors we need to start making the websites serving the ads (like Reddit) and/or the networks (DoubleClick) responsible for what they offer up.
As long as that doesn't happen it'll remain a cesspool.
In the opinion of the vast majority of adblocker users, agree with it or not, ALL advertisers are bad actors. So they will never voluntarily choose filter lists which allow "good ads" the vast majority of the time. As such this will only happen if you get the adblocker to set allowing "acceptable ads" as a default, which makes what you're talking about INTRINSICALLY corrupt and paternalistic. If you want people to actually do this, show up at the houses of Adblock developers with suitcases of money, plenty of drugs, and beautiful prostitutes and whisper sweet stories into their ears about how they can help small businesses find markets for their products. Sadly ublock origin's developers appear to be incorruptible.
Google has figured out trying to push "acceptable ads" any harder is pointless and has instead moved to simply make adblocking technically harder to do by taking control of web standards.
By that I mean, if you're a site about say, board wargames, and there's some new board wargame that wants to advertise on your site, ok. Edit your page to add an ad graphic with a link to the seller. That's cool. And maybe the people reading your page will actually want to buy it!
But there's just no way that third-party ads through some generic ad network will ever achieve that fit or reliability. And ads based on tracking people's data and suggesting things based on what you interacted with on social media or whatever? That's always going to be hot garbage at best. Adding in a third-party ad network (and probably behind that brokers and other middlemen) can't possibly make it better, it can only make it worse. So that's what we have today.
But go back to simple static ads relevant to the content of the page and problem solved.
Similarly to all the stories (with two currently in the front page of HN, eBay and PayPal) about algorithms that are just insufficient for the range of realistic scenarios these companies must deal with on a regular basis.
It's merely the equation of profit outweighing customer service. Admittedly, they're working on a scale that's difficult to comprehend, but that shouldn't absolve them of aiding and abetting criminal use of their systems.
Google's and Meta's profit motives are the base cause of this continuing escalation of the ubiquity and user-hostility (to put it mildly) of internet advertising.
It's only been predictable for the last 20 years...
https://youtu.be/YlGklt4BSQ8 (first aired in March 2000)
https://youtu.be/XPGgTy5YJ-g (April 1999)
Which is the problem.
Distributors of ads need a solid Know Your Customer program, so you can find the crooks. Otherwise, they have to accept liability for scams they help promote.
No "let Onedrive cloud your photos" in my gallery app, no "keep using Edge" when downloading Chrome, no recommended apps on my Samsung phone.
There was also an HN discussion at the time: <https://news.ycombinator.com/item?id=34095107>
As a treat
https://apps.apple.com/gb/app/wipr/id1030595027
no issues, works great.
For system wide (including apps) ad blocking, Lockdown has a "local VPN".
On a related point, the push to the cloud is befuddling when everyone has a phone with "free" (from the developer's point of view) computing power sitting there unused. Everyone's wasting money on centralizing compute despite more distributed compute being available than ever before.
Similarly, I use Firefox on Linux but I also regularly browse the web or post to HN on a phone that's been heavily deloused of Google using Firefox and other browsers—but never Chrome.
When I say register, I meant sign up for the wireless service. I did not already have an account. I was on my wifi and browsed to the wireless provider to activate my sim card and get a phone number. I could have done this on my PC but doing that on my cell verified with the vendor that my phone was supported since I am using an off-brand device. It was easier to copy the IMEI that way.
For Googles app store I used a throw away Gmail address that is not used anywhere else. I would love to put a new image on the phone but AFAIK there are no custom roms for my make/model of device. I would love to install GrapheneOS but they have sadly limited device support to Pixel. I am learning more about using adb since this is my first smart phone and with time I will neuter Google without replacing the rom, hopefully. It's mostly harmless for now since I rarely have the phone on.
But, conversely, the way we interact online also changes to accommodate these trends. Twitter was an early example of that, and so is the focus on audiovisual content over text for the more recent social networks.
As for myself, I use both regularly but for serious work the PC/large screen predominates.
In recent years I've often found myself working on the PC with a collection of phones about me all with different but related information on them. It's akin to having multiple textbooks open on one's desk for reference. It's also a handy way of not cluttering up my PC screens with multiple windows/tabs open.
Though I seem to recall GPS shim that's available and which I really should swap in on my BOOX tablet.
That said, I know many can't.
I may be hallucinating that shim, though I'm pretty sure it actually exists...
Clearly you're right (sometimes I'm overcautious). :-)
Later thought. I also occasionally install Play Store apps via Aurora Store and it's worth noting that some state that they require Google Play Services but in fact they do work without it (I normally have GPS/Google Play disabled or uninstalled).
I've not bothered to research why but I presume it's the reporting mechanism that's not working, the core operation of these programs being independent of GPS (presumably this would simplify programming if the programmer is also coding the program for iPhone).
I'd be most interested if you or anyone else has more info about this.
It's just not possible to use an Android phone as Google intended (and as the vast majority of users actually do) without that tracking mechanism taking center stage.
My solution is to disable or uninstall Google Play Services/apps and I never create a Google account. Also, wherever possible, I use a rooted phone.
The penalty for such action is that many of the attractive so-called free services are unavailable to me. However, the benefits of closing down or uninstalling all unnecessary services and apps and disabling JavaScript are that my battery now lasts for days, ads are a thing of the past and the phone and internet access are much faster.
I accept however the vast majority of users either aren't capable of making such a tradeoff or aren't prepared to do so and Google knows that—that's why it's a winner. For Google, users like me are just insignificant noise.
These things are not as tightly woven into the OS as you make it seem.
It is very much possible. GrapheneOS, CalyxOS, roll your own AOSP-based image.
A completely degoogled Pixel series is even practical and realistic for casuals. As you say you miss out or have to fiddle a big for many apps which break without SafetyNet and other malware.
I know that but try and tell it to the average user. Even many of my techie colleagues aren't game to make changes to their phones for fear of losing some beloved feature. Frankly, I'm amazed at how tolerant people are to this level of surveillance.
That said, much can and does go wrong, resurrecting bricked phones seems to be a pastime of mine. As you know, whether one can decouple Google's spyware subsystem easily or not depends on the phone. If you can't gain access to the OS then it's not possible to roll one's own ASOP-based image or use some other one.
These days, many manufacturers are making it harder and harder to bypass security features, unlock the boot loader and install custom ROMs. Nevertheless I won't buy a phone without first checking whether I can install a custom ROM and it's definitely harder now than it was say five years ago.
Buy an iPhone, install an ad blocker, disable all the tracking, and be done with it while still being able to use the features of the phone you bought.
2. When I make phone calls I use a feature phone, it's incapable of doing anything else. That is, it has no Internet access—not even Bluetooth.
3. I wouldn't be seen dead on social media or using a Gmail account, and I've no need of Apple's store or Netflix, etc. so the functionality you refer to isn't an issue.
4. My Android phones are for limited internet use only and or portable computer use. Similarly, the functionality you speak of just doesn't apply. They are hacked and tailored specifically for my requirement and they do exactly what I want. Right, I'm in control (unlike iPhone users).
5. Even then, as a rule, my Android phones don't use SIM cards, they connect to the internet wirelessly via separate pocket routers which further isolates them from internet gumpf and garbage.
1.https://sneak.berlin/20230115/macos-scans-your-local-files-n...
The user isn't in control but Apple is.
At least on Android there's a way to use a custom rom even if it's difficult.
Will be interested to hear if you've tried it out and what may have been missing?
The only things we don't block at the moment is some non-English content and Adult sites. With a small team these haven't been the primary focus for the time being. Other than those though we should stop pretty much everything else.
[1] https://www.magiclasso.co/
If you use an ad blocker for a long time, it's easy to forget how bad the web can be without one.
We recently moved to a paid app model with a 30-day free trial available (from a freemium app model).
Understand that this is not as appealing as a free-forever product. We found that we had hundreds of thousands of free users and not enough paid users. After developing the app for many years under this model, we had to make some changes so that we could continue to fund the ongoing app development and updates.
The notification prompt can also be declined in the alert that appears; though we could make this more obvious with a clear 'Skip' button.
Have you tried advertising? :)
I know you have your reasonings, but I’ll give you my raw unfiltered train of thought of why I wouldn’t sign up in case it helps you in your business:
“It’s only 30 bucks a year” say 100 other apps. I get it, you’re trying to make money, but there are many other ways of doing this for free. You’re not offering that much product to me that’s worth a subscription. Netflix? I actively use it every night. Spotify? Several hours a day. Blocking ads? Maybe a one time fee.
I clearly need more sleep...
Chrome iOS app is just a skin over safari with some of the history/bookmark/etc syncing.
I geek out a bit and use Surge for iOS (pricey and not for non-techie users) and run a few proxies. It'll also allow for DNS override, which I use NextDNS's DNS over HTTPS.
https://www.nssurge.com/
https://browser.kagi.com/faq.html#iosext
https://browser.kagi.com/
And bonus points - my ad blocker works with embedded web views
Carrying a smartphone is incompatible with privacy. Unfortunately, so is using a credit card (https://www.fastcompany.com/90490923/credit-card-companies-a...) and having a face (https://www.wired.com/story/get-used-to-face-recognition-in-...).
We're all doomed, so you may as well just use the software that makes you happy.
https://sneak.berlin/20230115/macos-scans-your-local-files-n...
https://support.mozilla.org/en-US/kb/firefox-focus-ios
1Blocker is fantastic.
AdGuard for iOS is fantastic.
MagicLasso is free.
You can even run uBlock on Kagi Orion if that's your thing.
I use one of the above + NextDNS* and am entirely ad free all the time everywhere.
* See also the new AdGuard DNS.
magiclasso isn't free
This is because the desktop browser uses the full "Gecko" renderer, but mobile uses "GeckoView", that doesn't have that implemented yet.
The actual thing is that simply each app embedding Gecko needs to be brought up to speed separately, and if Android is lagging behind, it just is, "GeckoView" or not. (Even before the invention of GeckoView, due to understaffing Android Firefox used to lag behind in terms of multi-process capability, so nothing new under the sun…)
[0]https://apps.apple.com/us/app/tulabyte/id1566083358
Though yes, this story dates from December and was covered at the time (from a different source):
<https://news.ycombinator.com/item?id=34095107>
What if you're out and about disconnected from WiFi? What if you need to turn the thing off for a sec to click on a sale/promotion in an email?
Do iPhones still really not have a way to block in-app ads?
It's a nice way to block ads for any wifi connected device in your house without additional setup. There are probably 10+ ad-serving devices in my house between the TV's, laptops, tablets, and phones.
Not that it plugs _into_ PiHole per se, but rather that the Self Hosted VPN makes your phone use your home DNS server (including the PiHole itself). It works! I use https://www.pivpn.io/ but there are many others.
https://cloudinfrastructureservices.co.uk/how-to-block-websi...
If I invited crack dealers to deal out of my house for a small cut of the proceeds, I'm pretty sure I go to jail when they're caught. That's essentially what search engines are doing here.