Not sure how I feel about this yet. http://news.softpedia.com/news/new-...fight-and-neutralize-ad-blockers-499734.shtml " A new service is being rolled out, aimed at helping online publishers counteract users that employ ad-blocking browser extensions when accessing their sites. This new tool is called BlockBypass and was developed by BlockIQ, a subsidiary of AdSupply, an advertising network."
There's too much money in online advertising so they will try to get adds to users any way they can. Blocking 3rd party content would probably defeat those countermeasures.
LOL, seems like this site has implemented an anti-ad-blocker. And if you block first party scripts the site won't work. So I decided to whitelist it, and guess what, the site is full of scripts and trackers, and very slow to load. So guess what, I won't be using your site. What a bunch of morons. http://www.insidermonkey.com/
The users of these programs are, or are dangerously close to committing felonies Under The Federal Computer Fraud and Abuse Act,as amended: "18 U.S. Code § 1030 - Fraud and related activity in connection with computers... (a) Whoever........ (5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;......... (e) As used in this section— (2) the term “protected computer” means a computer—.................. (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; [This covers just about every computer connected to the internet] 8 the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;.........." LOL NB: If you put "8 in parenthesis you get a blue smiley https://www.law.cornell.edu/uscode/text/18/1030
Weird, all of a sudden the site does work. Perhaps they are seeing that people refuse to white-list it?
Yep, with requestpolicy extension preventing requests for third-party assests, their toothless anti-anti-thing never gets loaded. I'm immediately sure. I feel they're peddling snake oil to would-be investors. Coming down the pike though, "subresource integrity" checks (implemented by chrome and by firefox "for your safety") https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/ will become yet another PITA to deal with, in terms of ad blocking.
For my safety - sure it is. Pity they never thought to use some kind of code signing mechanism, because the current scheme is vulnerable to MITM and rogue sites generally.
Yes, SRI provides exact that -- enables authors to specify href attributes like rel="thisisahash: dh3k5bm3d988d" and the browser is expected to perform a hashsum on the retrieved asset (and, in case of mismatch, refuse to load/display it). Safety... vs personal choice and empowerment: SRI subverts the possibility of employing a local (personal, ad-blocking) proxy. If we can toggle browser's consideration of SRI on and off, at will, it would be welcome while visiting banking sites. I doubt browser vendors will provide a toggle though.
Isn't there still a problem with someone doing MITM because they can calculate the correct hash for the malicious code and serve it up to you?
No, I was thinking that the page may be/is untrustworthy (if it can be subverted, it is publishing its own assertion of the hash of the code - which can also be modified). I don't know if I've misunderstood, but the point of code-signing (for what that's worth) is both assertion of ownership of the publishing certificate and verifying that the code has not been modified. It seems like this mechanism doesn't do both, so all your left with is being able to verify the code of a publisher you can't trust! Or is the point here relying on ssl certificates?
As I understand browser only compares hash of a script with hash specified on website. If both hashes match, script is executed otherwise not. This way owner of site can control which scripts from 3rd party network are loaded. If third party server is compromised and scripts are modified, browser won't run script from 3rd party network (hashes wouldn't match). If webpage itself is compromise then all this is meaningless.
OK, thanks - so it's of limited value, to the extent that you have to trust the webpage (delivered over https with a trusted/known certificate with all the issues associated with that), and that it has specified all the hashes of scripts it references. I can see an immediate maintenance problem, namely that quite a few 3rd party scripts do not specify version and might get modified outside the webpage owner's control. I just don't understand why they wouldn't also provide the option to sign the script file itself with a PGP key for example.
Anyone discusssing SRI in this thread should (please!) read some background info, e.g. http://githubengineering.com/subresource-integrity/ BTW, someone has already presented an intended approach for thwarting adblockers by employing SRI: http://f ckadblock.sitexw.fr/beta/ (for the correct URL, replace the space character with letter "u") Also, to qualify my earlier comment about regarding SRI as "another PITA do deal with", I'll mention that I first heard of SRI (and went searching to read about it) while reading this: https://github.com/Synzvato/decentraleyes/issues/26 The "decentraleyes" plugin is brilliant; it acts as an "in-browser proxy" to serve surrogate copies of oft-requested scripts. It creates both a privacy win and a speed (via reduced http requests) win.
"Adblock Plus, scourge of websites, seeks industry deal Berlin (AFP) - For its users, Adblock Plus stands as a bulwark against intrusive advertising. But websites dependent on advertising revenue to remain free-of-charge see the open source software as a scourge. Now the German firm behind Adblock Plus is taking a more conciliatory tack, reaching out to its adversaries to find an "acceptable" level and form of advertising on the net..." http://news.yahoo.com/adblock-plus-...5bzY5BGNvbG8DYmYxBHBvcwMzBHZ0aWQDBHNlYwNzcg--
@inka - thanks for the links, unfortunately, I'm deeply underwhelmed by what they're trying to achieve with it, against the breadth of the problem.
