do noscript/httpsb negate the need for disconnect/ghostery etc?

Discussion in 'other software & services' started by gaiko, Jan 14, 2014.

Thread Status:
Not open for further replies.
  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Oh, OK, then I honestly misinterpreted what was meant by that earlier reply. My bad.

    Hmmm. You probably looked at it, but here is the upgrade request/response (to and from port 80) off the wire (Sec-WebSocket-Key and Sec-WebSocket-Accept values slightly modified because I can't remember what's in those values):
    FWIW, a ||echo.websocket.org^ ABP custom filter rule blocked this upgrade request on Firefox. Perhaps the Chromium guys will eventually expose this request and response to filtering extensions such as HTTPSB.

    PS: Might be nice to have the option of stripping out that referer-like Origin header from the request (if doing so wouldn't always break something).

    PS: Are there any other schemes we'd want to be concerned about?
     
    Last edited: Jan 14, 2014
  2. gorhill

    gorhill Guest

    Interesting article re trackers, although a bit dated:
    Tracking the trackers

    The graph below the middle of the page is relevant to this thread.

    Food for thought when pondering the aim of HTTPSB:

    "Request Policy, a Firefox extension, takes the opposite approach: all requests to third-party domains are blocked, save those the user explicitly allows. While Request Policy offers nearly comprehensive protection from third-party tracking, properly configuring it requires substantially greater patience and expertise than the average user can reasonably be expected to possess."

    (something weird with the page on Chromium 31, the CPU is working very hard, no idea why -- all is blocked except img/css)
     
  3. fixanoid

    fixanoid Registered Member

    Joined:
    Feb 17, 2011
    Posts:
    24
  4. gorhill

    gorhill Guest

    Interesting. I did some tests, but nowhere near as comprehensive as the 1000 most popular sites, whose outcome surely gives more relevant results.

    Regarding HTTPSB vs Request Policy, I just want to say that HTTPSB can be used in an allow-all/block-exceptionally mode (reverse), but in this mode I'm not so sure how well it would compare to other blockers.

    I would say HTTPSB's main advantage over the others on the above page is the ability to block inline JavaScript and to let the user blacklist/whitelist whatever they want.

    I am curious about the methodology...

    When you mention "HTTP Set-Cookie Responses", do you actually count every occurrence of "HTTP Set-Cookie" as a negative point? I ask because, for instance, HTTPSB lets cookies enter the browser, however it doesn't let them leave if they are blocked. Maybe some other blockers you tested do the same?

    Edit: Added a link to the page above this page. (My own tests do look outright ridiculous now compared to testing against one thousand web pages...)
     
    Last edited by a moderator: Jan 15, 2014
  5. fixanoid

    fixanoid Registered Member

    Joined:
    Feb 17, 2011
    Posts:
    24
    Hey gorhill, kudos on HTTPSB, I like it =)

    The source of AWPY is actually open, and you may take a look here: https://github.com/ghostery/areweprivateyet, though it has been designed with Firefox and Selenium in mind. We have a copy for Chrome that we may switch to at some point, but it's not quite there yet. The methodology for cookies is implemented here: https://github.com/ghostery/arewepr...com/evidon/areweprivateyet/Analyzer.java#L376

    So it counts occurrences of the Set-Cookie set by 3rd parties. I realize that different extensions strip this stuff in different ways, and generally it correlates with the more important HTTP Requests metric. areweprivateyet.com displays aggregated results, but we have complete runs and an Excel file akin to the original: -http://dl.dropbox.com/u/37533397/tracking_the_trackers/tpl_study/results.xlsx-
     
    Last edited by a moderator: Jan 15, 2014
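The cookie metric fixanoid describes above, counting Set-Cookie responses from third parties alongside the third-party request count, as an added example that is not the AWPY project's code. The HAR-style entries are constructed, and the "registrable domain" heuristic (last two DNS labels, no public-suffix list) is my simplification that is only adequate for this sample.

```python
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    # Simplification (assumption): last two DNS labels; wrong for suffixes
    # like co.uk, which a real analyzer would resolve via a public-suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url: str, request_url: str) -> bool:
    """A request is third-party when its registrable domain differs from the page's."""
    page_host = urlparse(page_url).hostname or ""
    req_host = urlparse(request_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(req_host)


def count_third_party(page_url, entries):
    """entries: list of (request_url, response_headers), where response_headers
    is a list of (name, value) pairs, HAR-style. Returns both metrics."""
    requests = 0
    set_cookies = 0
    for url, headers in entries:
        if not is_third_party(page_url, url):
            continue  # first-party traffic is not counted against the blocker
        requests += 1
        # Every third-party Set-Cookie header counts once, regardless of
        # whether the browser later sends that cookie back (gorhill's question).
        set_cookies += sum(1 for name, _ in headers if name.lower() == "set-cookie")
    return {"third_party_requests": requests, "third_party_set_cookie": set_cookies}


# Constructed sample page load (not captured traffic).
PAGE = "http://www.example-news.test/"
SAMPLE = [
    ("http://www.example-news.test/index.html", [("Content-Type", "text/html")]),
    ("http://static.example-news.test/app.js", [("Set-Cookie", "s=1")]),  # first party
    ("http://pagead2.adnetwork.test/activeview?id=1",
     [("Set-Cookie", "id=abc"), ("Set-Cookie", "t=1")]),
    ("http://analytics.tracker.test/p.gif", [("Set-Cookie", "uid=xyz")]),
    ("http://cdn.tracker.test/lib.js", []),
]

if __name__ == "__main__":
    print(count_third_party(PAGE, SAMPLE))
```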
  6. tlu

    tlu Guest

    Very interesting. However, it would be nice to know how Adblock Plus would perform with Acceptable Ads disabled. And I wonder if there are errors in the numbers if the Adblock Plus-fork Adblock Edge with exactly the same filterlists but without Acceptable Ads performs a bit worse than Adblock Plus (it should be the other way round) ...
     
  7. fixanoid

    fixanoid Registered Member

    Joined:
    Feb 17, 2011
    Posts:
    24
    ABP easylist had acceptable ads disabled. In the other configurations we kept it on, so as to compare exactly what you're suggesting. I'm not sure what exactly causes the deviation, but you can see through the several months that ABE and ABP (with ads enabled) are pretty much neck and neck.

    We currently do not account for deviation between runs and site changes between runs. ABP runs in the morning, ABE runs immediately after, but that's still up to an hour or even two of difference.
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I don't know if Adblock Edge has been keeping up with all of Adblock Plus's changes and if it truly is supposed to be equivalent to the latest ABP without "Acceptable Ads" enabled, but I think that head to head would be interesting. So you'd test, for at least one round:

    Adblock Plus (Suggested Lists) and "Acceptable Ads" enabled
    Adblock Plus (Suggested Lists) and "Acceptable Ads" disabled
    Adblock Edge (Suggested Lists)

    Suggested Lists = Fanboy's Social, EasyList, Malware Domains, EasyPrivacy or whatever (as long as they are exactly the same).
     
  9. OuterLimits

    OuterLimits Registered Member

    Joined:
    Nov 13, 2009
    Posts:
    66
    Panopticlick sees my browser config as 1 in 3,785,299.

    "Your browser fingerprint appears to be unique among the 3,785,299 tested so far."

    On Chromium with HTTP Switchboard there is, imo, no need for Disconnect, Ghostery, Ad Block - whatsoever.

    I do use 'tracking token stripper' & 'Fix URL Links Redirect'.

    HTTP Switchboard is the most important Chrome extension in existence. 'Epic' is the word that comes to mind.
     
  10. gorhill

    gorhill Guest

    Wait.. One in almost 4 million, not sure this is a good number. My understanding is that the lower the number the better.

    I currently get one in 66,410, and that is on Linux (less common).

    Just went to VM Windows 7 with latest Chrome, and got the same number as yours. One refresh, result is now one in 1.8 million. Refresh again = one in 1.27 million. Etc.

    I am starting to wonder if there is a bug going on with Panopticlick for visitors who aggressively block.
     
  11. OuterLimits

    OuterLimits Registered Member

    Joined:
    Nov 13, 2009
    Posts:
    66
    It's most likely a bug causing it, but it's nice to be called unique!
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    that's correct.
     
  13. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    that's correct.

    though I myself don't really care about this.
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    IIRC, Panopticlick uses a cookie to detect that the same browser is retesting. Try enabling cookies and testing several times while making no changes. The results should hold steady. If you block the cookie and reload multiple times, each time it goes through an estimation technique and results will change. I think this is described in a FAQ, whitepaper, or wherever (can't remember where).
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Because of this, I give zero credibility to the site.
     
  16. fixanoid

    fixanoid Registered Member

    Joined:
    Feb 17, 2011
    Posts:
    24
    Panopticlick is just an example of what fingerprinting is able to do. It's there to let the world know that trackers do not need to leave cookies to recognize any specific user.

    Fingerprinting itself is a relatively complex problem to solve; we've started an effort to add fingerprinting detection to Ghostery, but it's a slow process. In the meantime, there are addons that combat it: http://fingerprint.pet-portal.eu/?menu=6. However, using the methodology FireGloves is using will break a lot of websites for a user running it.
     
  17. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    Yeah, this will happen when preventing cookies from being set on the test page. Their research paper describes in detail the steps they took to correct for this in their offline analysis.
     
  18. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    Good thread. I have often wondered about overlap too and have been reluctant to add more extensions or even replace the ones I already have with ones that seem more powerful. AdMuncher and AdFender are not extensions but are also in the mix.

    My extensions on Chrome are ADP and Traffic light, but I also have Adfender installed. If I add HTTPSB should Adfender go and what about Traffic light ... should it go too?
     
  19. gorhill

    gorhill Guest

    Difficult to tell. One way to verify for sure is to run your own tests. I just finished collating stats for www.wired.com, which I am using as an example here: https://github.com/gorhill/httpswitchboard/wiki/How-to-use-HTTP-Switchboard:-Impact-on-www.wired.com

    You could run your own tests and compare the results if you don't mind playing with the dev console to use this online tool: http://raymondhill.net/httpsb/har-parser.html
     
  20. gorhill

    gorhill Guest

    I just want to be sure this is on the record.

    Today I was testing impacts of blocking/not blocking, etc., and I found this curious behavior. I was testing/benchmarking the front page of www.wired.com and here is what is consistently reported as behind-the-scene requests:

    Code:
    http://pagead2.googlesyndication.com/activeview?id=lidar2&v=93&adk=1725362882&p=0,73,82,273&tos=6707,0,0,0,0&mtos=6707,6707,6707,6707,6707&rs=6&tfs=1103&tls=103523&avi=BC_TeEcfaUuG3N6L56AG-6oDwBgAAAAAQATgByAEJwAIC4AIA4AQBoAYg&amd=3379%2Fwiredcom.dart%2Fhomepage%2C200%2C82%2C17653192060730791213%2C0.02%3B&tp=&eop=1&r=u&bs=1145,865&bos=1162,983&ps=1145,3523&ss=1920,1080&tt=102423&pt=1100&deb=1-1-1-6-9-2&iframe_loc=http%3A%2F%2Fwww.wired.com%2Fads%2Fnewad.html%23http%253A%252F%252Fad.doubleclick.net%252Fadj%252Fwiredcom.dart%252Fhomepage%253Bsz%253D200x82%253Btile%253D1%253Bdcopt%253Dist%253Bkw%253Dall%253Bkw%253Dapple_test%253Bkw%253Dhome%253Bkw%253Dl031%253Bkw%253Dlotb1824%253Bkw%253Dlotdmale%253Bkw%253Dlotmale%253Bkw%253Dltd7%253Bkw%253Dp13%253Bkw%253Dp7%253Bkw%253Dpt1%253Bkw%253Dtech%253Bkw%253Dw1%253B!c%253Dapple_test%253Bconde%253Dsv%253Bu%253D81388120016112376554002590097965727886%257Call%257Chome%257Cl031%257Clotb1824%257Clotdmale%257Clotmale%257Cltd7%257Cp13%257Cp7%257Cpt1%257Ctech%257Cw1%253Bord%253D7043249120470%253F&is=200,82&url=http%3A%2F%2Fwww.wired.com%2F
    
    http://pagead2.googlesyndication.com/activeview?id=lidar2&v=93&adk=3596625843&p=0,673,82,1073&tos=6701,0,0,0,0&mtos=6701,6701,6701,6701,6701&rs=6&tfs=800&tls=102999&avi=BGCF1EsfaUu7UIsiG6wHyiYCwCAAAAAAQATgByAEJwAIC4AIA4AQBoAYg&amd=3379%2Fwiredcom.dart%2Fhomepage%2C400%2C82%2C17653192060730791213%2C0.02%3B&tp=&eop=1&r=u&bs=1145,865&bos=1162,983&ps=1145,3523&ss=1920,1080&tt=102201&pt=799&deb=1-1-1-3-9-1&iframe_loc=http%3A%2F%2Fwww.wired.com%2Fads%2Fnewad.html%23http%253A%252F%252Fad.doubleclick.net%252Fadj%252Fwiredcom.dart%252Fhomepage%253Bsz%253D400x82%253Btile%253D2%253Bkw%253Dall%253Bkw%253Dapple_test%253Bkw%253Dhome%253Bkw%253Dl031%253Bkw%253Dlotb1824%253Bkw%253Dlotdmale%253Bkw%253Dlotmale%253Bkw%253Dltd7%253Bkw%253Dp13%253Bkw%253Dp7%253Bkw%253Dpt1%253Bkw%253Dtech%253Bkw%253Dw1%253B!c%253Dapple_test%253Bconde%253Dsv%253Bu%253D81388120016112376554002590097965727886%257Call%257Chome%257Cl031%257Clotb1824%257Clotdmale%257Clotmale%257Cltd7%257Cp13%257Cp7%257Cpt1%257Ctech%257Cw1%253Bord%253D7043249120470%253F&is=400,82&url=http%3A%2F%2Fwww.wired.com%2F
    
    http://pagead2.googlesyndication.com/activeview?id=osd2&adk=3776237132&p=519,88,520,89&tos=6015,0,0,0,0&mtos=6015,6015,6015,6015,6015&rs=3&ht=0&tfs=3&tls=101470&fp=correlator%3D1496784489676800%26oid%3D3%26ifk%3D1632970174%26url%3Dhttp%253A%252F%252Fwww.wired.com%252F&afp=%26output%3Djson_html%26impl%3Ds%26dt%3D1390069523022%26adx%3D95%26ady%3D519%26ifi%3D1%26flash%3D11.2.202&r=u&bs=1145,865&bos=1162,983&ps=1145,3523&ss=1920,1080&tt=101470&pt=0&deb=1-1-1-5-8-9&iframe_loc=http%3A%2F%2Fwww.wired.com%2Fads%2Fnewad.html%23http%253A%252F%252Fad.doubleclick.net%252Fadj%252Fwiredcom.dart%252Fhomepage%253Bsz%253D970x418%253Btile%253D3%253Bkw%253Dall%253Bkw%253Dhome%253Bkw%253Dl031%253Bkw%253Dlotb1824%253Bkw%253Dlotdmale%253Bkw%253Dlotmale%253Bkw%253Dltd7%253Bkw%253Dp13%253Bkw%253Dp7%253Bkw%253Dpt1%253Bkw%253Dtech%253Bkw%253Dw1%253Bconde%253Dsv%253Bu%253D81388120016112376554002590097965727886%257Call%257Chome%257Cl031%257Clotb1824%257Clotdmale%257Clotmale%257Cltd7%257Cp13%257Cp7%257Cpt1%257Ctech%257Cw1%253Bord%253D7043249120470%253F&is=985,1&avi=BqVY4EsfaUuO2NsXi6gGl14DwBgAAAAAQATgByAECwAIC4AIA4AQBoAYU
    
    http://pagead2.googlesyndication.com/activeview?id=lidar2&v=93&adk=2046124833&p=519,88,520,1073&tos=6693,0,0,0,0&mtos=6693,6693,6693,6693,6693&rs=6&tfs=806&tls=102993&avi=BXDuQEsfaUqCnI9Sj6QHAkIHoAwAAAAAQATgByAEJwAIC4AIA4AQBoAYW&amd=3379%2Fwiredcom.dart%2Fhomepage%2C970%2C418%2C17653192060730791213%2C0.02%3B&tp=&eop=1&r=u&bs=1145,865&bos=1162,983&ps=1145,3523&ss=1920,1080&tt=102188&pt=805&deb=1-1-1-2-9-1&iframe_loc=http%3A%2F%2Fwww.wired.com%2Fads%2Fnewad.html%23http%253A%252F%252Fad.doubleclick.net%252Fadj%252Fwiredcom.dart%252Fhomepage%253Bsz%253D970x418%253Btile%253D3%253Bkw%253Dall%253Bkw%253Dhome%253Bkw%253Dl031%253Bkw%253Dlotb1824%253Bkw%253Dlotdmale%253Bkw%253Dlotmale%253Bkw%253Dltd7%253Bkw%253Dp13%253Bkw%253Dp7%253Bkw%253Dpt1%253Bkw%253Dtech%253Bkw%253Dw1%253Bconde%253Dsv%253Bu%253D81388120016112376554002590097965727886%257Call%257Chome%257Cl031%257Clotb1824%257Clotdmale%257Clotmale%257Cltd7%257Cp13%257Cp7%257Cpt1%257Ctech%257Cw1%253Bord%253D7043249120470%253F&is=985,1&url=http%3A%2F%2Fwww.wired.com%2F
    
    http://pagead2.googlesyndication.com/activeview?id=lidar2&v=93&adk=4263037951&p=540,773,790,1073&tos=6684,0,0,0,0&mtos=6684,6684,6684,6684,6684&rs=6&tfs=804&tls=102989&avi=Bwxg_EsfaUvrEI42h6AG_tIDQBAAAAAAQATgByAEJwAIC4AIA4AQBoAYf&amd=3379%2Fwiredcom.dart%2Fhomepage%2C300%2C250%2C17653192060730791213%2C0.02%3B&tp=&eop=1&r=u&bs=1145,865&bos=1162,983&ps=1145,3523&ss=1920,1080&tt=102187&pt=802&deb=1-1-1-0-9-1&iframe_loc=http%3A%2F%2Fwww.wired.com%2Fads%2Fnewad.html%23http%253A%252F%252Fad.doubleclick.net%252Fadj%252Fwiredcom.dart%252Fhomepage%253Bsz%253D300x250%253Btile%253D4%253Bkw%253Dall%253Bkw%253Dhome%253Bkw%253Dl031%253Bkw%253Dlotb1824%253Bkw%253Dlotdmale%253Bkw%253Dlotmale%253Bkw%253Dltd7%253Bkw%253Dp13%253Bkw%253Dp7%253Bkw%253Dpt1%253Bkw%253Dtech%253Bkw%253Dw1%253Bconde%253Dsv%253Bu%253D81388120016112376554002590097965727886%257Call%257Chome%257Cl031%257Clotb1824%257Clotdmale%257Clotmale%257Cltd7%257Cp13%257Cp7%257Cpt1%257Ctech%257Cw1%253Bord%253D7043249120470%253F&is=300,250&url=http%3A%2F%2Fwww.wired.com%2F
    
    http://www.linkedin.com/analytics/?wt=framework&type=widgetJSTracking&trackingInfo=%7Bp%3A%7Bbl%3A1%2Cbe%3A1%2Cfl%3A226%7D%7D&trk=cws-fwk-anonymous&1390069625899&or=http%3A%2F%2Fwww.wired.com%2F
    The above is actually sent at some regular interval while the page is open and idle.

    What I find troubling is that these are sent as behind-the-scene requests. Now HTTPSB catches and reports these, but I don't think it is true for other blockers out there, at least I just checked with AdBlock+, Ghostery and Disconnect and I can confirm these do not block these tabless requests.

    I did double-check that this was not a bug in HTTPSB by adding a log command in the code, and this really happens. Anybody should be able to replicate.

    I find this troubling, as it means the above requests bypass typical ad/tracking blockers which users are trusting.

    Ok, I corrected myself. If pagead2.googlesyndication.com/www.linkedin.com are blocked in the first place, then these behind-the-scene requests will not happen anyways. Derp derp.
     
    Last edited by a moderator: Jan 18, 2014
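Both TheWindBringeth's `||echo.websocket.org^` rule from post 1 and gorhill's correction above (block the host and the tabless requests never happen) come down to ABP-style domain-anchored matching, so here is that matching as an added example, not code from ABP or HTTPSB. It translates `||`, `|`, `^` and `*` into a regex and runs it over URLs built from the hosts named in the thread; the ws:// form of the upgrade request is assumed, and the query strings are shortened.

```python
import re


def abp_rule_to_regex(rule: str) -> re.Pattern:
    """Translate a basic ABP blocking rule into a regex.
    Supported: '||' (domain anchor), '|' (start/end anchor), '^' (separator),
    '*' (wildcard). Rule options after '$' are not handled in this example."""
    out, i = [], 0
    if rule.startswith("||"):
        # Any scheme (http, https, ws, wss, ...), then the host or a subdomain of it.
        out.append(r"^[a-z][a-z0-9+.\-]*://(?:[^/?#]*\.)?")
        i = 2
    elif rule.startswith("|"):
        out.append("^")
        i = 1
    while i < len(rule):
        c = rule[i]
        if c == "^":
            # Separator: anything except letters, digits, _ - . %, or end of URL.
            out.append(r"(?:[^A-Za-z0-9_\-.%]|$)")
        elif c == "*":
            out.append(".*")
        elif c == "|" and i == len(rule) - 1:
            out.append("$")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def rule_matches(rule: str, url: str) -> bool:
    return abp_rule_to_regex(rule).search(url) is not None


def blocked_by(rules, url):
    """Return the rules that would block this URL (empty list = allowed)."""
    return [r for r in rules if rule_matches(r, url)]


RULES = ["||echo.websocket.org^", "||googlesyndication.com^", "||linkedin.com^"]

# Hosts from the thread; ws:// scheme assumed, query strings shortened, last URL constructed.
URLS = [
    "ws://echo.websocket.org/",
    "http://pagead2.googlesyndication.com/activeview?id=lidar2&v=93",
    "http://www.linkedin.com/analytics/?wt=framework&type=widgetJSTracking",
    "http://www.wired.com/",
    "http://notlinkedin.com/analytics/",
]

if __name__ == "__main__":
    for u in URLS:
        print(f"{u[:60]:60} -> {blocked_by(RULES, u) or 'allowed'}")
```

The tab that issued a request does not enter into the match at all, which is why a host rule catches the behind-the-scenes requests too.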
  21. OuterLimits

    OuterLimits Registered Member

    Joined:
    Nov 13, 2009
    Posts:
    66
    The terms they use say just the opposite.

    "one in x browsers have this value" if you are 1 in 500 and they have tested 4,000,000 browsers then there are 8,000 identical fingerprints.

    When they use the term 'unique' do you believe that means alike?

    I accept cookies including third party cookies but I have Google Opt Out and Privacy Choice Keep More Opt Outs.

    Their testing may be screwed up, but can you point me to where it states that the lower number, say 1 in 10, is better?

    https://panopticlick.eff.org/browser-uniqueness.pdf

    "In this sample of privacy-conscious users, 83.6% of the browsers seen had an instantaneously unique fingerprint, and a further 5.3% had an anonymity set of size 2. Among visiting browsers that had either Adobe Flash or a Java Virtual Machine enabled, 94.2% exhibited instantaneously unique fingerprints and a further 4.8% had fingerprints that were seen exactly twice. Only 1.0% of browsers with Flash or Java had anonymity sets larger than two. Overall, we were able to place a lower bound on the fingerprint distribution entropy of 18.1 bits, meaning that if we pick a browser at random, at best only one in 286,777 other browsers will share its fingerprint. Our results are presented in further detail in Section 4."
     
  22. gorhill

    gorhill Guest

    I originally said "the lower the number the better". Here you say it is "the opposite". Are you saying the higher the number the better? Because what you say above is essentially the same thing I said, the lower the number the better.
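The "one in N" figures argued over in posts 10, 21 and 22 map onto anonymity-set size and bits of identifying information; the code below works those numbers through as an added example, not EFF's code. It uses the standard definitions from the browser-uniqueness paper (surprisal of a value seen with frequency 1/N is log2(N) bits, Shannon entropy over a sample), and the fingerprint sample at the end is constructed.

```python
import math
from collections import Counter


def surprisal_bits(one_in_n: float) -> float:
    """'One in N' -> bits of identifying information. Lower N means fewer bits."""
    return math.log2(one_in_n)


def one_in_n_from_bits(bits: float) -> float:
    """Inverse: an entropy of `bits` corresponds to roughly one in 2**bits."""
    return 2.0 ** bits


def anonymity_set_size(one_in_n: float, population: int) -> int:
    """Expected number of tested browsers sharing this fingerprint.
    Lower N = larger crowd to hide in; N == population means unique."""
    return round(population / one_in_n)


def fingerprint_entropy(fingerprints):
    """Shannon entropy (bits) of a sample of fingerprint strings and the
    share of browsers whose fingerprint is unique within the sample."""
    counts = Counter(fingerprints)
    total = len(fingerprints)
    entropy = -sum((c / total) * math.log2(c / total) for c in counts.values())
    unique_share = sum(1 for c in counts.values() if c == 1) / total
    return entropy, unique_share


# Constructed sample: 5 browsers share one config, 3 are each unique.
SAMPLE = ["win7|chrome32|1920x1080|flash11"] * 5 + [
    "linux|chromium31|1920x1080|noplugins",
    "osx|firefox26|1440x900|flash11,java7",
    "win8|ie11|1366x768|silverlight",
]

if __name__ == "__main__":
    tested = 3_785_299  # population quoted in post 9
    for n in (3_785_299, 66_410, 500):
        print(f"1 in {n:>9}: {surprisal_bits(n):5.2f} bits, "
              f"anonymity set ~{anonymity_set_size(n, tested)}")
    print(f"18.1 bits -> about one in {one_in_n_from_bits(18.1):,.0f}")
    h, u = fingerprint_entropy(SAMPLE)
    print(f"sample entropy {h:.3f} bits, {u:.0%} unique")
```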
     