µBlock, a lean and fast blocker

Strange thing it looks like I found a bug in mobile firefox. I was not able to post reply in it. I had to use mobile s default browser

 

I haven't been using uMatrix for some time now. I would also appreciate info about how uMatrix implemented protection from those pixel tags.

 

Tada, we agree, you only need third party blocking for the easy ones

Websites trying to fingerprint. E.g. when you are looking for something to buy which by nature the price is related to availabilty and timing (like a ticket or accomodation), visitors can be fingerprinted. When you show interest in a particular destination, you will see the prices rise. Now phone a friend and ask them to look for the same reservation and ask them what price is shown (pre-book challenge). It is my experience that major ticket and hotel search/compare/book websites apply these tricks to some degree.

Both you and your friend can't disable first party scripts on that website, because you won't see the information you are looking for. Fair chance these websites are not listed in the third party blacklist as indicated by research of Leuven University (don't have the link at hand now).

So with current state of "tracking & tracing blocking": you can't protect yourself against websites applying these tricks. I tried to craft my own using this thread, but at a level my wife was able to use it. The pre-book challenge when booking a holiday always showed lower prices at our friends house. So I gave up (and now simply jump in a car and book at my friends house ).


Regards Kees

 

Gentlemen please, you are asking for flying cars, have a read https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy

 

Then what did you mean in post #1363:

 

Maybe it is because English is not my first language, but without the advanced anti-tracking features you won't be noticing any difference in privacy (protection) when comparing the simple block third party rule versus using all third party list (with thousends of rules)

Meaning the easy ones are blocked with the simple block third party rule, you can't stop the sophisticated ones, so there is little benefit in using all those third party filters. In regard to all third party malware filter, I can't imagine those free filters cover more when using Google blacklist in the browser and for instance Norton's blacklist at the DNS service. Also by blocking third-party you cover probably 95% of the malware URL-links.

Bottem line (only when you block third-party scripts and iframes)
- Why add all those blocklist when they add little real world protection?

- Why not offer an option to seperate HTTP and HTTPS. Adblock offers this, so why not uBlock?
Now I have to use a workaround with the My filter "hxxp://*^$script,third-party" rule.

EDIT IN RED

 

OK, so I didn't understand your post - uBlock and uMatrix both don't protect you from sophisticated tracking and there is nothing in uMatrix that could be added to uBlock, which would prevent that.
When it comes to 3rd party, I see some benefits when 1st party objects are blocked. I also temporary disable 3rd party blocking on sites which don't work correctly and I don't visit them regularly. In this case I still get some protection from 3rd party lists.
For me internet is too big to use whitelisting method only. So whitelisting + blacklisting combined together as it is with uBlock is perfect for me.

 

Umatrix does a better job than uBlock origin and uBlock origin does a better job than uBlock in regard to privacy.

With the strict blocking feature you won't be able to get the content when it is blacklisted somewhere (on uBlock origin). But I fail to see how tracking could influence your browsing experience when you don't visit a specific website frequently. Your searches provide a lot more useable information on user preferences (so using DuckDuckGo or Startpage would provide more real world privacy).

 

I just do general browsing around the net..I don't usually browse controversial sites and I use Windows firewall (W7 x32) and a good AV and FireFox with the usual recommended hardening applied and of course Ublock with several filters added to those 'out of the box'..Are 'they' out to get me?...Or are 'they' just after the super paranoid?

Edit...I haven't had a AV warning in the past 6 years accept for some softwares I've downloaded and those were expected...I do regular scans with MBAM and Hitman pro.

 

as Woody Allen would say!

On another hand recovering from paranoia may indeed let them catch you! That is, of course, if THEY're after you

 

@clubhouse1 and @PallMall

Using uBlock (or uBlock origin) without third-party blocking => third party filters have usage (uBlock is an improved version of Adblocker)

Using uBlock with third-party blocking ==> third party filters have no real world benefit, using them is a for peace of mind purpose only

 

When you say third-party blocking, Are you strictly referring to "3rd-Party" Or "3rd-Party Scripts/Iframes"

If it is strictly 3rd-Party only, it has little benefit only, unless the filters exists blocks from 1st Party resources (which is not rare in today's world - see the screenshot)

And if you are referring to later, I think it adds more than adequate benefit. Just browsing a couple of sites with 3P Script/Iframe blocking - see the screenshot

As you could see few of the resources blocked with filters by just browsing couple of sites, i think it is safe to say to use both kinds of blocking in uBo. It is not just for peace of mind only!

 

@harsha_mic 3rd-Party with uBlock means strictly 3rd-Party : all external calls from a site (or any site if global) towards the 3rd-Party site are blocked.

 

Yes, I know!!
I was just unsure if @Windows_Security is referring to that. Hence i expressed uncertainty.

In any case, filters do provide little benefit, even with 3rd-Party blocking, when filters starts blocking from 1st party, as seen in my screenshot above.

 

I don't think that's correct.
1. If you search in EasyPrivacy for, e.g., 1x1 you'll find many rules that block those tracking pixels.
2. Read what Wladimir Palant wrote about canvas fingerprinting:

3. Default deny in Dynamic Filtering is certainly superior but it breaks many sites and needs a lot of noop exceptions, and that's not everyone's cup of tea. At the end of the day everybody has to decide about the right Blocking Mode that suits him/her.

 

@summerheat

3. Agree, everyone to his own liking, default deny third-party is option 2, using blocklist only is option 1 in post 1386.
"Why add those blocklist" should be asked when blocking third-party, I made an EDIT in RED in post 1381 to make that clear, thanks

1. They block on domain or name, not on the size properties of the content

2. Only valid when scripts or domain is block list, same as with pixeltags, but there are more fingerprint options, so it is and remains a partial solution IMO

@harsha_mic
Blocking first party is to much of a trouble for me. I loosened up third-party blocking of scripts only for scripts (allowing third party scripts on https).

@gorhill
I tried uBlock origin again. Is the logic to determine whether a script is first party improved?

 

Yes, Blocking 1st-Party scripts is not at all advisable. It is too much of an hassle. I don't think i advised it anywhere..

Again, I am curious for examples on tracking pixels, where it bypasses..

Agreed!

 

Pixel tags are used to track people. EasyPrivacy's purpose is to foil tracking. Hence my answer that blocking pixel tags is the primary purpose of EasyPrivacy. If ever it fails somewhere, the action is to report to the maintainers, so they can address the specific failures. Given that EasyPrivacy is a blacklist, you are right that there is no guarantee that everything in existance for tracking purpose will be blocked. That does not change EasyPrivacy's intended purpose. It does a rather good job given that it aims at being a way to block tracking without breaking sites. EasyPrivacy is responsible for most of the difference between EasyList vs. EasyList+EasyPrivacy in this chart (very easy vs. easy mode).

A more thorough way to foil tracking is of course to block everything 3rd-party, but that is not for everybody. Another way, which I intend to document is to start using dynamic filtering in uBlock by creating block rules as needed using the default settings as baseline. For example, just adding a couple of block rules to uBlock default settings can boost significantly tracking protection -- i.e. blocking facebook.com, twitter.com, etc. globally.

 

I agree, I also get 1st party elements blocked and a lot of times filters make pages I visit more "clean" and aesthetically nicer.

 

If by "improved" you mean the ability to guess and allow what might be a 1st-party based on some heuristic (as done with another extension which I forgot the name), the answer is no. Frankly I had forgotten about this. How about you open an issue on GitHub with a link to code in the other project as a reference? This will help me keep the issue in mind and think about various solutions. Ultimately maybe what the other extension is doing might be the optimal approach, they probably gave a lot of thoughts about this.

 

I know you only maintain uBlock Origin to suit it to your personal preferences and you kept your own fork so nobody else can walk away with your baby (over a million users ).

THIS IS NOT A FEATURE REQUEST (just challenging your creativity )

Apguard also has an option for HTML injections which can determine content size. The user rules of Apguard don't have the granularity of your dynamic filtering, but may be you could have a look at it and see whether it might be usefull for your own ideas?

Regards Kees

 

I disagree with "no real world benefit". As pointed out by @harsha_mic, there is such a thing as 1st-party tracking.

There is another benefit: the ability for a user to noop the blocking of 3rd parties with a single click for a given site (say the user does not want to hunt for the required rules), in which case the blocking will be taken care of by whatever static filter lists are enabled. Just knowing you can neutralize default-deny with a single click and yet not end up completely "naked" makes default-deny less repelling for many users. Even without noop-ing all 3rd-parties, with just noop-ing one single 3rd party to fix a site, it is nice to know that if ever that 3rd party engage in some tracking, the static filter lists are there to potentially neutralize that specific behavior.

When using default-deny, the static filter lists have real world benefit, they complement dynamic filtering -- that's the whole point of the noop rule.

 

For some reason I thought that when example.com is 1st-part, the scripts from great.example.com also were allowed (hence classified as first party) in the short test run I did with uBlock origin.

 

That is the case.

 

Good enough for me