Enhancing uBlock Origin with uMatrix

Discussion in 'other software & services' started by Jarmo P, Sep 20, 2016.

  1. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    You have missed the point. Back up and look at the problem at a basic level. Your kernel can only leak shared memory to software running on your local machine, right? So there is no harm in being in control of the code that is executing on your local machine. Browser script control in no way mitigates the actual bug, but if you can limit the untrusted 3rd party code running in your browser, you could reduce your risk exposure, right?

    So if you have verified that all local code is signed and trusted, that is not the adversary that is potentially going to read your memory and exfiltrate your data. The main remaining risk is the scripts (code) that run in your browser, particularly the 3rd party kind. The Firefox fix was only a partial mitigation to the problem, and I have not seen a release yet for Chrome. Regardless, it will require a PC firmware fix to completely mitigate this bug, and some older hardware may never see an update.

    If you do not agree, please move along and discuss the kernel leak in the appropriate thread.

    We came over here strictly to discuss uMatrix/uBlock, and avoid side channel discussion in the other thread.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    :thumb:
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,405
    If uMatrix is your desired script controller then you also have to enable Hosts Files in uMatrix, else you'll experience the following:

    In the case of visiting a domain with for example 8 third-party requests (4 of them are requests to malware sites)
    • You can see no difference between legitimate and blacklisted requests in the matrix
      • = no "4 blacklisted hostname(s)" is being shown (because Hosts files are enabled in uBlockO)
      • You don't really know if a domain is a malware/ad/tracking domain just by looking at the matrix.
    • After allowing all third-party requests for a domain (you click on "Script" in the matrix)
      • You have allowed all third-party requests for this domain in uMatrix (legitimate and not legitimate requests). This has no consequences for now (uBlockO is still blocking them), but:
        • After temporarily disabling uBlockO all 8 requests will be made (Hosts Files are enabled in uBlockO, not uMatrix)
    In the case you need to whitelist a blacklisted domain you need to do it in both (uBlockO and uMatrix)

    By enabling Hosts Files solely in uMatrix you have much better control and overview and you don't need to switch to uBlock (to find out what domain has been blacklisted):
    • The matrix is correctly reflecting the status of domains (=blacklisted/not blacklisted)
    • The possibility that uBlockO intervenes is much less now (uMatrix will be the main controller, uBlockO is doing ad-related things)
      • If there are problems with ads, it can be done with uBlockO
        • only ad-related filters are enabled in uBlockO
      • Scripts/Frames/XHR-request etc. can be done with uMatrix
        • Hosts-Files are enabled in uMatrix
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,021
    you still mix up two things - the general security of a used software and some limits when filtering content to avoid malicious code.

    each user has a different method of filtering, some less, some more. but at some point you need to allow scripts in a certain way you can not control. scripts are going to be gathered in one script to avoid ad-script filtering - no ad-containing script -> no content. at this point you need to be sure that the used browser is safe.
    (it does not matter if the scripts are injected client side or server side)

    and that is something which some people still using firefox 56 don't understand.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    Thanks, I was wondering after reading post #23.

    I do recall @gorhill stating to disable hosts in one of the two add-ons, and I must say I did think it was in uBO, but I can't find that statement now ...
     
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    Well that is a good explanation. I think I had it set up that way originally, but changed it for some reason. Don't remember why.
     
  7. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    The only 100% security is to either turn off all scripting, or unplug from the net. Either way you break the internet, so there has to be a few compromises. Up to the end user to decide what works best for them. ;)
     
  8. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    Here are some background links from #gorhill regarding uMatrix.
    https://github.com/gorhill/uMatrix
    https://github.com/gorhill/uMatrix/wiki/Changes-from-HTTP-Switchboard
    https://github.com/gorhill/httpswitchboard/wiki
    https://www.reddit.com/r/uMatrix/
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,905
    Excellent post, mood - I couldn't have said it better :thumb:
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,405
    You're welcome :)
     
  11. paranoidsecurity

    paranoidsecurity Registered Member

    Joined:
    Mar 20, 2018
    Posts:
    7
    Location:
    A big advantage of uBlock Origin is that uBO denies connection to the blacklisted domains, so with disabling 3rd-party filters in uBO you disable this advantage. Also, the 3rd-party filters are feeding the static filtering of uBO, with disabling 3rd-party filters you also weaken your static filtering of uBO and so the ad-blocking of uBO. In my opinion it is not advised to disable any 3rd-party filters in uBO.
    https://github.com/gorhill/uBlock/wiki/Dashboard:-3rd-party-filters

    My opinion is to use uBlock Origin as a first line of defense and use uMatrix as a second line of defense with better and finer control over the domains in what I allow or deny.

    I use uBlock Origin in medium mode and make local noops for the domains I want to allow on a site, instead of nooping 3rd-party scripts and 3rd-party frames as uBO medium mode manual describes. In nooping only the domains I want I have a bit more control, for example allowing facebook or twitter on sites, where nooping 3rd-party scripts and 3rd-party frames would allow that.
    https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
    For embedded video sites or CDNs you can choose to make a global noop. For example for embedded youtube videos, I make a local noop on youtube.com for that site, in this way I still control if I want to allow or deny youtube videos on a site, but I make global noops for the other domains youtube needs, like ytimg.com and googlevideo.com.

    In uMatrix I have my second line of defense. I don't disable hosts files, or Assets in uM 1.3.4, in this way uM will still show the blacklisted domains, maybe performance-wise not the best solution, but it is just what I prefer. I change the default rules of uM to deny all, global allow images, first party allow css, scripts and XHR. My rules are:
    * * * block
    * * image allow
    * 1st-party css allow
    * 1st-party script allow
    * 1st-party xhr allow
    And from this I allow the things in uM needed to make the site work. For embedded video or CDNs you can choose to make global rules. For example, in uM I have global rules for youtube.com, ytimg.com and googlevideo.com, it is in uBO where I choose to allow a (local) noop on youtube.com for a site and from that the global rules are used so I don't have to make them for every site separately.
    If you want less strict rules for uM you can choose to globally allow CSS.
    * * * block
    * * css allow
    * * image allow
    * 1st-party script allow
    * 1st-party xhr allow
    If you want even less strict uM rules you can even choose to allow scripts globally, because with uBO in medium mode with my approach of nooping only the 3rd-party domains needed you will already block all 3rd-party scripts and with (local) nooping the 3rd-party domains in uBO you already control and allow scripts, so with these even less strict uM rules you don't have to concern yourself with that anymore in uM.
    * * * block
    * * css allow
    * * image allow
    * * script allow
    * 1st-party xhr allow

    So if I go to a site and it is broken then I first go to uBO and noop the 3rd-party domains needed to make the site work. In uM I also have to allow the items needed for those 3rd-party domains for that site to make the site work. It takes a little bit of work and sometimes trying to get a site work properly, but it is a good way in using uBO and uM together, well, at least for me for now. :)
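
The three uMatrix rule sets listed in the post above, evaluated side by side against the same requests. This is an added example, not part of the original post and not uMatrix's own code: it is a simplified model that covers only the rule shapes shown above, `baseDomain` is a naive stand-in for the Public Suffix List, and the request list and host names are constructed.

```javascript
// Simplified model of uMatrix rule lookup (an assumption, not uMatrix's code).
// Covers only the shapes in the post: source "*", destination "*" or
// "1st-party", type = a request type or "*".
const RULESETS = {
  strict: ['* * * block', '* * image allow', '* 1st-party css allow',
           '* 1st-party script allow', '* 1st-party xhr allow'],
  lessStrict: ['* * * block', '* * css allow', '* * image allow',
               '* 1st-party script allow', '* 1st-party xhr allow'],
  scriptsGlobal: ['* * * block', '* * css allow', '* * image allow',
                  '* * script allow', '* 1st-party xhr allow'],
};

// Split "source destination type action" into a rule object.
function parseRule(line) {
  const [src, dst, type, action] = line.trim().split(/\s+/);
  return { src, dst, type, action };
}

// Naive registrable domain: last two labels (hypothetical helper).
const baseDomain = (host) => host.split('.').slice(-2).join('.');

function decide(lines, pageHost, reqHost, reqType) {
  const rules = lines.map(parseRule);
  const firstParty = baseDomain(pageHost) === baseDomain(reqHost);
  // Most specific cell wins: 1st-party before "*", exact type before "*".
  const order = [['1st-party', reqType], ['1st-party', '*'],
                 ['*', reqType], ['*', '*']];
  for (const [dst, type] of order) {
    if (dst === '1st-party' && !firstParty) continue;
    const hit = rules.find((r) => r.src === '*' && r.dst === dst && r.type === type);
    if (hit) return hit.action;
  }
  return 'block'; // nothing matched: treat as blocked
}

// Constructed requests made by a page on news.example.
const REQUESTS = [
  ['static.news.example', 'script'], ['cdn.example.net', 'script'],
  ['cdn.example.net', 'css'], ['tracker.example.org', 'image'],
  ['api.example.net', 'xhr'], ['video.example.com', 'frame'],
];

// For each rule set, list the requests that uMatrix alone would let through.
function compare(pageHost = 'news.example') {
  const out = {};
  for (const [name, lines] of Object.entries(RULESETS)) {
    out[name] = REQUESTS.filter(([h, t]) => decide(lines, pageHost, h, t) === 'allow')
      .map(([h, t]) => `${h} ${t}`);
  }
  return out;
}
console.log(compare());
```

Third-party images pass under all three sets, and under the last set third-party scripts pass uMatrix as well, so whether they run depends entirely on uBO still being enabled.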
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,905
    Everyone is entitled to use uMatrix and uBlock Origin to one's own taste. But quite frankly: I think with your approach you're missing the point. @mood 's post above provided excellent advice on how to use both add-ons together. Nobody suggested to disable 3rd-party filters in uBO: The discussion is only about disabling the hosts files in uBO which are also used in uMatrix. Static filtering in uBO would still be performed based on the enabled ABP- and Adguard-compatible filterlists. Dynamic Filtering would basically be done in uMatrix (on steroids).

    Using the hosts files in uMatrix means that the (sub-)domains contained therein are blacklisted and, hence, all related network requests blocked. Period. Using the same hosts files in uBO, too, makes no sense at all: You cannot "double-block" the same domains. And as @mood clearly explained, the big advantage of this approach is that requests to (potentially) legitimate 3rd-party sites (light-red) and to (probably) illegitimate 3rd-party sites (dark-red and separated at the lower part of the matrix) are clearly distinguished in uMatrix but not in uBlock Origin. This has a number of advantages - please read @mood 's post thoroughly again.

    I hasten to add that this approach has one minor disadvantage: URL filtering is unfortunately only available in uBO. If you want, e.g., to block all scripts for a domain except one specific script, you would have to allow scripts for that domain in uMatrix, block scripts for it in Dynamic Filtering in uBO and allow that one specific script in URL filtering. It would be much easier if URL filtering were available in uMatrix, of course. But that is an extreme example and, again, only a minor disadvantage as I haven't come across such cases in practice so far.
     
  13. paranoidsecurity

    paranoidsecurity Registered Member

    Joined:
    Mar 20, 2018
    Posts:
    7
    Location:
    I understand that with my approach uBO and uM will use the same hosts files and will block the same domains and that you can't double-block domains. And I also understand that mood is not talking about disabling ALL 3rd-party filters in uBO, only the ones used in uM. So there is no misunderstanding about that on my side and I perfectly understand mood's approach.
    But as this is an open discussion about using uBO and uM together I only gave a view on my approach, that is all, and like you said everybody is entitled to use uBO and uM to their own taste and I only gave a view on my taste. :) Remember that I, I hope so, made clear that I have a different approach as I mentioned that I use uBO as a first line of defense and after that uM as a second line of defense, that is why I don't (wanna) disable any 3rd-party filters in uBO. I understand that uM is doing the same blocking again, but I accept that and the penalty on performance, but it is just easy that uM is showing blacklisted domains. Like I said, it is something I just prefer.

    For the best it would be nice if uBO and uM merged or uBO gets an extra option, something like "Enter the matrix" under "I am an advanced user". :)
     
  14. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    Same for uMatrix, this is not specific to uBO.
     
  15. paranoidsecurity

    paranoidsecurity Registered Member

    Joined:
    Mar 20, 2018
    Posts:
    7
    Location:
    Ok, yes I was wrong in that. My apology for that to @mood and @summerheat for this misunderstanding on my side.

    Do you have plans for integrating uM capabilities in uBO? :)
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,905
    I'd prefer the other way round ;)

    Such an add-on existed already: It was called HTTP Switchboard which is no longer maintained since gorhill decided to offer two separate add-ons. It would be great, indeed, to have them both reunited - I'm dreaming of such an add-on every night ;) But I'm afraid it won't happen ...
     