HTTP Switchboard for Chrome/Chromium:

Discussion in 'other software & services' started by apathy, Nov 25, 2013.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    -http://film-stream.tv/-
    Script on
    Block ajax.googleapis.com

    Chrome + HTTP SB:

    Immagine.jpg

    click with the mouse on the X

    Immagine1.jpg

    Firefox + Noscript:


    Immagine2.JPG

    **Edit** (Dave0291)

    OK:

    Immagine4.JPG
     
    Last edited: Jan 22, 2014
  2. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    I'm not certain which complaint you're making. Is it that Chrome and HTTPSB aren't blocking that Google pop-up, or that the video is being blocked only in that browser? I'm noticing an m2pub.com script down there in the red. Did you try granting that request in HTTPSB if it's the video you're talking about? If it's the pop-up, well, all I can say to that one is Chrome doesn't have that good of a default pop-up blocker in my opinion. Though I would have assumed HTTPSB would be taking care of that weakness.

    Without knowing what requests you allowed in NoScript on that same page, it might be difficult to figure out what, if anything, is at fault. The pictures and no detailed explanation of your problem aren't enough for me to say much.

    **Edit** By the way, there is a single frame showing in the matrix from Facebook that is red. I have serious doubts that is your problem, but frames are often embedded video. I'm going to let Gorhill or someone else more experienced than me take this one.
     
  3. gorhill

    gorhill Guest



    First, I did set the matrix exactly as seen in the picture.

    No popup.

    Eventually, I figured I needed to allow script from ajax.googleapis.com (as opposed to what you say) in order to gain the ability to have a popup.

    However I have "Do not allow any site to show pop-ups (recommended)" set in Chromium settings. It works very well (sometimes users confuse a DOM popup with a real window popup -- not the same):

    Untitled.png

    If you want to do meaningful tests in order to inform users rather than the opposite, please do select "Do not allow any site to show pop-ups (recommended)". I don't see the need for HTTPSB to have this feature which is already in Chromium and works quite well.

    Can you tell me why you would not use "Do not allow any site to show pop-ups (recommended)"?

    Imagine if I disabled the popup blocker in NoScript and activated the one in Chromium and reported how NoScript doesn't do well in handling popups compared to Chromium. That would not be in the best interests of users, isn't it?
     
  4. gorhill

    gorhill Guest

    How do you disable popup in NoScript? I just tried the above scenario in Firefox (Linux) and I did get a popup. I can't find where the option is.

    I can't make the youtube video play on Firefox either. I thought this was because of the blocked iframe but the problem of the video not playing is also on Firefox.

    So really, I am not impressed with the methodology (well whatever was disclosed of the methodology) of this test (or whatever that was).


    Finally I figured. I use click-to-play, but this one youtube video is covered with an invisible link thus preventing a user from activating the youtube video. That really sucks because I had to go manually edit the DOM in order to get rid of the invisible link, in order to be able to start the video.

    Using AdBlock Plus takes care of the problem though -- it removes the invisible link which covers the youtube frame.

    Incidentally on another topic, I have further enhanced my blocker benchmarker today, and just ran some tests (I will publish in the wiki), and I can say Adblock Plus is top performer (of course opt-out of acceptable ads and use Fanboy Ultimate). I will post the link to test results once formatted etc. I need to run more tests but my advice is leaning toward using HTTPSB and Adblock+ together. HTTPSB for broad and easy control and inline javascript blocking ability, and Adblock+ for fine tuning.
     
    Last edited by a moderator: Jan 22, 2014
  5. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    Okay, here is what I did to test this site... and stopped immediately: First, when you go there you have to allow the main http://film-stream.tv domain to get all of the images working. Now, when you do this, you immediately get a prompt to install some HD codec. I did not do this because far too often it's some adware/malware plugin after you install these things. The Riddick film as expected did not play. As far as pop-ups go, by allowing only that domain I received none. I will say however that something on that domain is being flagged by MalwareBytes IP blocker, whatever they may be. There is no pop-up blocking option under NoScript though, so it was either handled by Firefox itself or ABP.

    **Edit** I didn't see your edit until after I posted this, Gorhill. Glad you figured out what was going on. I wonder though, didn't you originally show ABP to be rather ineffective when you tested competitors against HTTPSB? I remember it being part of your original wiki.
     
  6. gorhill

    gorhill Guest

    Today's benchmarking (https://github.com/gorhill/sessbench) of top 15 most-visited news site:

    Code:
    repeat 5
    clear cache
    clear cookies
    http://news.yahoo.com/
    http://www.huffingtonpost.com/
    http://www.cnn.com/
    http://news.google.com/
    http://www.nytimes.com/
    http://www.foxnews.com/
    http://www.theguardian.com/
    http://www.nbcnews.com/
    http://www.dailymail.co.uk/
    http://www.usatoday.com/
    http://www.washingtonpost.com/
    http://www.wsj.com/
    http://www.abcnews.go.com/
    http://news.bbc.co.uk/
    http://www.latimes.com/
    
    Ordered by what I finally consider the most meaningful stats I could extract if one cares about privacy and threats: the number of third-party hosts which were hit.

    HTTPSB out of the box
    Bandwidth: 16,018,841 bytes
    Requests allowed (network + cache): 1,293 (1,290 + 3)
    Requests blocked: 18
    Hosts (1st + 3rd party): 80 (27 + 53)
    Scripts (1st + 3rd party): 0 (0 + 0)
    Outbound cookies (1st + 3rd party): 0 (0 + 0)

    Adblock+ with Fanboy's Ultimate
    Bandwidth: 12,049,602 bytes
    Requests allowed (network + cache): 993 (983 + 10)
    Requests blocked: 800
    Hosts (1st + 3rd party): 118 (43 + 76)
    Scripts (1st + 3rd party): 204 (83 + 121)
    Outbound cookies (1st + 3rd party): 26 (23 + 3)

    Ghostery
    Bandwidth: 21,609,353 bytes
    Requests allowed (network + cache): 1,781 (1,771 + 10)
    Requests blocked: 312
    Hosts (1st + 3rd party): 158 (61 + 97)
    Scripts (1st + 3rd party): 256 (106 + 150)
    Outbound cookies (1st + 3rd party): 46 (37 + 9)

    HTTPSB allow-all/block-exceptionally with Fanboy's Ultimate
    Bandwidth: 21,858,245 bytes
    Requests allowed (network + cache): 1,831 (1,798 + 33)
    Requests blocked: 256
    Hosts (1st + 3rd party): 167 (57 + 110)
    Scripts (1st + 3rd party): 282 (108 + 174)
    Outbound cookies (1st + 3rd party): 62 (46 + 16)

    Disconnect
    Bandwidth: 22,756,202 bytes
    Requests allowed (network + cache): 1,972 (1,949 + 24)
    Requests blocked: 413
    Hosts (1st + 3rd party): 210 (71 + 139)
    Scripts (1st + 3rd party): 324 (127 + 198)
    Outbound cookies (1st + 3rd party): 75 (61 + 15)

    No blocker (reference stats)
    Bandwidth: 26,020,235 bytes
    Requests allowed (network + cache): 2,925 (2,788 + 137)
    Requests blocked: 82
    Hosts (1st + 3rd party): 597 (72 + 525)
    Scripts (1st + 3rd party): 670 (146 + 524)
    Outbound cookies (1st + 3rd party): 277 (65 + 212)

    Note that HTTPSB will support Adblock+ filter lists (just the domain-like filters though), and the Fanboy Ultimate list was used for this test for HTTPSB in allow-all/block-exceptionally mode. So now it seems HTTPSB in this mode outperforms Disconnect, but not Ghostery. Adblock looks very good here.
     
    Last edited by a moderator: Jan 22, 2014
  7. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    yeah, but Adblock seems to be leaking like a sieve, from the looks of it. ;)

    so does Ghostery.
     
    Last edited: Jan 22, 2014
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Perhaps have three categories, adding "1st or 3rd" for cases like blarg.foo.com vs www.foo.com?

    Code:
    an.avast.com. 470	IN	CNAME	avast.co.jp.ldc.d3.sc.omtrdc.net.
    avast.co.jp.ldc.d3.sc.omtrdc.net. 900 IN A	66.235.148.72
    
    Why does "No blocker" show 82 requests blocked?
     
  9. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Hello, what do you mean by leaking? I am using ABP so I am curious about it. :D
     
  10. gorhill

    gorhill Guest

    There:

    Comparative benchmarks against widely used blockers

    Renamed to keep my options of benchmarking other categories of URLs opened:

    Comparative benchmarks against widely used blockers: Top 15 Most Popular News Websites

    I will add more benchmarked results on a regular basis each week for the few coming weeks in order to ensure the numbers are consistent across blockers.

    EDIT: Argh... I just found out that the number of 3rd-party hosts is over-reported from what really happens, I need to redo the benchmark asap. Turns out the code which was counting 1st/3rd party requests was being executed even for blocked requests.
     
    Last edited by a moderator: Jan 23, 2014
  11. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Interesting, but why are you also using the Ultimate list for HTTPSB? AFAIK, ABP subscription lists have built-in whitelisting to prevent site breakage/notifications about blocking ads.
    EDIT: I'm actually kinda surprised that HTTPSB out of the box settings use more bandwidth than ABP. Is it because of the allow-all-images rule? I guess this adds another reason to use ABP together with HTTPSB. :D I just wished ABP devs were as responsive as you. Reported bugs about their android version and no one from the dev team even bothered to reply.
     
    Last edited: Jan 23, 2014
  12. gorhill

    gorhill Guest

    I don't want to overcomplicate the rendering of the results. The same way what looks like a 1st-party request can be a 3rd-party request behind the curtain, what looks like a 3rd-party request could also be a 1st-party request (i.e. guardian.co.uk and guim.co.uk).

    Using subdomains for legitimate reasons is too common for me to start categorizing these subdomains as not being 1st-party. Ultimately, a 1st party could take its logs and give them all to the owner of evil.com and there is no way of ever detecting this by analyzing the network traffic at the user endpoint.

    However if there is a way to unveil the above kind of 3rd-party disguised as a 1st-party programmatically through the dev tool I wrote, I will do it.

    The way I test whether a connection is blocked is through the status code. I observed that a status code of "0" is the tell-tale sign of when a request was blocked by an onBeforeRequest() handler. However I believe this can also be the case for when no response was received from the remote server for a given request. I noticed some problems with latimes.com when running the benchmark, the page was never marked as completely loaded though visually it looked complete. Might be related to that.

    In any case, I finally chose to not report the number of blocked hosts given it wasn't very useful. HTTPSB was reported as blocking fewer requests despite having blocked more if compared to the reference "no blocker" results.

    EDIT: I just figured I can differentiate between "blocked" and "no response after request attempted".
     
    Last edited by a moderator: Jan 23, 2014
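    The three posts above (the benchmark numbers, the over-reported 3rd-party host count, and telling a request blocked by an onBeforeRequest() handler apart from one that simply got no response) can be illustrated with a small aggregation script. This is an added example, not code from HTTPSB or from gorhill's sessbench tool: the request records below are constructed, the host/party split uses a deliberately simplified "last two labels" rule, and the assumption is that the log carries Chromium's net error string alongside the status code, so that a status of 0 with net::ERR_BLOCKED_BY_CLIENT (what Chromium reports when an extension cancels a request) can be separated from a status of 0 with a connection error.

```python
"""Per-blocker benchmark stats from a request log (added example)."""
from collections import namedtuple
from urllib.parse import urlsplit

# One entry per request. "status" is the HTTP status (0 when nothing came
# back); "error" is the Chromium net error string from onErrorOccurred.
Req = namedtuple("Req", "page url type status error bytes cookie")

BLOCKED_ERROR = "net::ERR_BLOCKED_BY_CLIENT"  # request cancelled by an extension

# Constructed sample: one load of a fictitious news site with a blocker active.
PAGE = "http://www.example-news.com/"
SAMPLE = [
    Req(PAGE, "http://www.example-news.com/", "main_frame", 200, None, 52000, True),
    Req(PAGE, "http://static.example-news.com/app.js", "script", 200, None, 120000, True),
    Req(PAGE, "http://img.example-news.com/hero.jpg", "image", 200, None, 310000, False),
    Req(PAGE, "http://cdn.example-cdn.net/lib.js", "script", 200, None, 80000, False),
    Req(PAGE, "http://ads.example-ads.net/tag.js", "script", 0, BLOCKED_ERROR, 0, False),
    Req(PAGE, "http://t.example-tracker.com/px.gif", "image", 0, BLOCKED_ERROR, 0, False),
    # Status 0 as well, but this one went out and timed out: not "blocked".
    Req(PAGE, "http://slow.example-cdn.net/font.woff", "font", 0, "net::ERR_CONNECTION_TIMED_OUT", 0, False),
    Req(PAGE, "http://beacon.example-metrics.org/b", "xmlhttprequest", 204, None, 0, True),
]


def registrable_domain(host):
    """Simplification: last two labels. A real tool would consult the Public
    Suffix List so that news.bbc.co.uk maps to bbc.co.uk, not co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(page_url, req_url):
    return registrable_domain(urlsplit(page_url).hostname) != \
        registrable_domain(urlsplit(req_url).hostname)


def classify(r):
    """Blocked by the extension, no response from the server, or allowed."""
    if r.error == BLOCKED_ERROR:
        return "blocked"
    if r.status == 0:
        return "no_response"
    return "allowed"


def summarize(records, count_blocked_hosts=False):
    """Aggregate the stats quoted in the thread. With count_blocked_hosts=True
    the host tally reproduces the over-reporting bug: hosts are counted before
    checking whether the request was actually allowed to go out."""
    keys = ("bandwidth", "allowed", "blocked", "no_response",
            "scripts_1st", "scripts_3rd", "cookies_1st", "cookies_3rd")
    stats = dict.fromkeys(keys, 0)
    hosts = {"1st": set(), "3rd": set()}
    for r in records:
        outcome = classify(r)
        stats[outcome] += 1
        party = "3rd" if is_third_party(r.page, r.url) else "1st"
        if outcome == "allowed" or count_blocked_hosts:
            hosts[party].add(urlsplit(r.url).hostname)
        if outcome != "allowed":
            continue  # nothing was transferred, no script ran, no cookie left
        stats["bandwidth"] += r.bytes
        if r.type == "script":
            stats["scripts_" + party] += 1
        if r.cookie:
            stats["cookies_" + party] += 1
    stats["hosts_1st"], stats["hosts_3rd"] = len(hosts["1st"]), len(hosts["3rd"])
    return stats


if __name__ == "__main__":
    for label, s in (("correct", summarize(SAMPLE)),
                     ("host count incl. blocked", summarize(SAMPLE, True))):
        print(label)
        print("  Bandwidth:", s["bandwidth"], "bytes")
        print("  Requests allowed / blocked / no response:",
              s["allowed"], s["blocked"], s["no_response"])
        print("  Hosts (1st + 3rd party):", s["hosts_1st"], "+", s["hosts_3rd"])
        print("  Scripts (1st + 3rd party):", s["scripts_1st"], "+", s["scripts_3rd"])
        print("  Outbound cookies (1st + 3rd party):", s["cookies_1st"], "+", s["cookies_3rd"])
```

On the constructed sample the correct tally gives two 3rd-party hosts, while counting hosts before the allowed/blocked decision gives five: the two hosts the blocker stopped and the one that never answered all get added, which is exactly the inflation described in the EDIT above. Keying the "blocked" decision on the error string rather than on status 0 alone is what keeps the timed-out request out of the blocked column.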
  13. gorhill

    gorhill Guest

    Yes I need to be explicit that I use only the blacklisted domains part of that list, all the rest is ignored of course.

    Yeah I was quite surprised too. Since HTTPSB out of the box just loads images and stylesheets, this means Adblock+ also blocked images from sources which are not in HTTPSB's preset blacklists. I will try to investigate this using a diff tool -- although there is no guarantee this will still be true today (I didn't obtain that kind of result the prior day).
     
  14. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Hello, I tested HTTPSB using the test provided in your site just for curiosity. Javascript is still blocked even if I allowed all.
    Capture.PNG
    Is this the actual behaviour?

    EDIT: So the test does not use the current blacklists?
     
    Last edited: Jan 23, 2014
  15. gorhill

    gorhill Guest

    I think he means the memory. I don't really know if it leaks, but it does have a significant footprint memory-wise.

    Both HTTPSB and ABP+ memory usage grow over time. There was an issue with Chromium pre-version 32 about chrome.runtime.sendMessage() which was leaking memory and definitely affecting HTTPSB I found.

    For HTTPSB I never found anything other than the above Chromium leak (which was causing tens of 1000s of leaked Event objects) after having investigated memory usage thoroughly. I don't have version 32 yet here (Linux Mint) but I am eager to have it so I can see how it helps improve memory footprint over time.
     
  16. gorhill

    gorhill Guest

    No. You found a bug.

    I never disable the preset blacklists for the tests or benchmarks (whichever you are referring to here).
     
  17. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Oh, ok. :D
     
  18. gorhill

    gorhill Guest

    Fixed, the problem was in the test itself, I had changed the name of a directory (a long while ago) and this change was not reflected in the HTML code. Fixed now.
     
    Last edited by a moderator: Jan 23, 2014
  19. gorhill

    gorhill Guest

    The page is riddled with tricks to cause the user to end up on an ad/marketing site. The prompt to install a codec is fake, it is not from your browser, this is entirely HTML/javascript to trick you into clicking on it in order to end up on another ad/marketing web site. The youtube video is covered with an invisible layer link which I believe neither FF/NoScript would handle (someone correct me if I am wrong) but thanks ABP+ which did handle this part.

    I don't mind HTTPSB being tested, but the frustrating part with the above test is that it barely describes what went on, what was expected vs what resulted, explicitly stating where HTTPSB is deemed to fail or lack (so that I can address the issue), so I am left with a lot of time-consuming work to reproduce and guessing work as to what issue the author wanted to raise.

    In the current case, ABP+ was very useful in removing annoyances from the page itself (it edits the DOM), something HTTPSB doesn't do. The more I look at it, the more I see them as complementary.
     
    Last edited by a moderator: Jan 23, 2014
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    The pop-up blocker is set in the pc so my daughter since she was born Chrome.......:rolleyes:

    Block pop-up is partially inefficient.
    I installed:

    https://chrome.google.com/webstore/detail/javascript-popup-blocker/hiajdlfgbgnnjakkbnpdhmhfhklkbiol

    Now it is OK.

    Immagine.jpg

     
    Last edited: Jan 23, 2014
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I agree with your other sentences that it is difficult to determine what constitutes "1st party" vs "3rd party" when we interpret 'party' to mean the humans/corporations/organizations that control/access the servers we are contacting. The thought was simply to break out numbers for the different classes of requests and provide information that would help someone get oriented. Although they aren't yet sure what it means in terms of privacy impact (this requires research and knowledge), someone would want to start by determining which requests are going to the host they are explicitly visiting, which are going to other hosts in the "same effective domain" (example.com, or example.co.uk), and which are going to hosts in a "different effective domain" (example.com vs blah.com, example.co.uk vs blah.co.uk).

    I don't know what your objectives are for your test tool. You may have already thought of this and decided it isn't of interest, but I think being able to see the hosts that were contacted when visiting a site would make your tool much more informative and useful. This could be done for each URL in your list and each extension you are trying to test. Assuming you can get the IP address for the host that is being contacted, then you could dump something like:

    Code:
    Configuration: HTTPS with options XYZ
    
    Test URL: http://www.example.com/index.html
    Hosts contacted...
    
             www.example.com = 122.168.1.5
          images.example.com = 122.168.1.5
             ads.example.com = 220.148.24.23
    
     scripts.example-cdn.com = 22.89.113.120
         ads.doubleclick.net = 134.187.211.14
       ugh.webtrendslive.com = 189.56.3.212 
    
    I think displaying such information would help to unveil relationships. However, some human interpretation and possibly more investigation would be called for in some cases. I don't think there is a way around that.

    You have to budget your time in a way that makes sense. Just thought I'd elaborate on this.
     
    Last edited: Jan 23, 2014
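    The three-way split proposed above (the host explicitly visited, other hosts in the same effective domain, hosts in a different effective domain), together with the CNAME case from the earlier post where an.avast.com resolves to a host under omtrdc.net, can be put into a short classifier that also emits the "Hosts contacted..." dump. This is an added example, not TheWindBringeth's or gorhill's code: the public-suffix table is a tiny stand-in for the real Public Suffix List, the host list and IP addresses are taken from the mock-up above and are constructed, the an.avast.com CNAME is the one quoted in the thread, and the metrics.example.com CNAME is invented to show the same effect on the example site.

```python
"""Classify contacted hosts relative to the visited page (added example)."""
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (publicsuffix.org). Multi-label entries
# such as "co.uk" are what make www.foo.co.uk map to foo.co.uk and not co.uk.
PUBLIC_SUFFIXES = {"com", "net", "org", "jp", "uk", "co.uk", "co.jp"}

# Constructed CNAME map; a real tool would obtain this from DNS (what the
# dig output quoted earlier in the thread shows for an.avast.com).
CNAMES = {
    "an.avast.com": "avast.co.jp.ldc.d3.sc.omtrdc.net.",     # from the thread
    "metrics.example.com": "example.ldc.d3.sc.omtrdc.net.",  # invented
}

# Constructed addresses, reusing the mock-up from the post above.
ADDRESSES = {
    "www.example.com": "122.168.1.5",
    "images.example.com": "122.168.1.5",
    "ads.example.com": "220.148.24.23",
    "scripts.example-cdn.com": "22.89.113.120",
    "ads.doubleclick.net": "134.187.211.14",
    "ugh.webtrendslive.com": "189.56.3.212",
    "example.ldc.d3.sc.omtrdc.net": "66.235.148.72",
}
HOSTS = ["www.example.com", "images.example.com", "ads.example.com",
         "scripts.example-cdn.com", "ads.doubleclick.net",
         "ugh.webtrendslive.com", "metrics.example.com"]


def effective_domain(host):
    """Longest matching public suffix plus one label (the registrable domain)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def canonical_name(host, cnames, limit=8):
    """Follow the CNAME chain (bounded, so a loop in the map cannot hang us)."""
    h = host.lower().rstrip(".")
    hops = 0
    while h in cnames and hops < limit:
        h = cnames[h].lower().rstrip(".")
        hops += 1
    return h


def classify(page_host, host, cnames=None):
    """'visited host', 'same effective domain' (1st or 3rd) or
    'different effective domain'. When a CNAME map is given the canonical
    name is classified, which unmasks 3rd parties hiding behind a 1st-party
    subdomain."""
    page_host = page_host.lower().rstrip(".")
    canon = canonical_name(host, cnames or {})
    if canon == page_host:
        return "visited host"
    if effective_domain(canon) == effective_domain(page_host):
        return "same effective domain"
    return "different effective domain"


def report(page_url, hosts, addresses, cnames):
    """Rows of (host, canonical name, address, category) for the dump."""
    page_host = urlsplit(page_url).hostname
    rows = []
    for h in hosts:
        canon = canonical_name(h, cnames)
        ip = addresses.get(canon, addresses.get(h, "?"))
        rows.append((h, canon, ip, classify(page_host, h, cnames)))
    return rows


def format_report(page_url, rows):
    """Render the 'Hosts contacted...' listing proposed in the thread."""
    width = max(len(r[0]) for r in rows)
    lines = [f"Test URL: {page_url}", "Hosts contacted..."]
    for host, canon, ip, cat in rows:
        via = f" (CNAME -> {canon})" if canon != host.lower().rstrip(".") else ""
        lines.append(f"{host:>{width}} = {ip:<15} {cat}{via}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = report("http://www.example.com/index.html", HOSTS, ADDRESSES, CNAMES)
    print(format_report("http://www.example.com/index.html", rows))
```

Without the CNAME map, metrics.example.com lands in the "same effective domain" bucket next to images.example.com; with it, the canonical name under omtrdc.net moves it to "different effective domain", which is the kind of relationship the listing is meant to surface. The same holds for an.avast.com against www.avast.com. As the post says, the categories only orient the reader; whether a same-domain host is operated by the site owner still needs human interpretation.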
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    HTTPSB prevents me from using right-click > Save Link As... & Save Image As...

    Reproduced on my new Chrome profile and Google Chrome Portable with default settings.
     
  23. gorhill

    gorhill Guest

    Yeah that's a quirk of Chromium, when you try to save an image, it does the request for the image through a request of type "other", which means you need to allow "other" in the matrix for the site hosting the image. For example, I tried to save your avatar, and this was the request:

    16:23:53 other <a> https://www.wilderssecurity.com/image.php?u=104121&dateline=1276989022
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    And here I thought blocking other would be good against auto-playing HTML5 media. Oh well, those are rarer than the need to save links and images.

    Thanks for quickly explaining the problem as always.
     
  25. gorhill

    gorhill Guest

    I think the above is possible. The HAR log format allows for the serverIPAddress property, but unfortunately this is not set by Chromium. However the IP address is apparently returned in one of the Chrome APIs, so theoretically it appears possible to build a dictionary of hostname <-> IP-address.

    Although interesting, my goal currently at this point is just to give a rough measure of how much a user's privacy is at risk, the simplest way possible. I figure the more different domains a user pings, the more different parties have a logged trace of that user. So I believe for a rough comparative assessment, the number of domains is good enough.

    Today, I dumped the hostnames at the console while in HTTPSB OOB mode during the benchmark, and I could see that the output was obviously 1st-party domains despite having a different name than the domain of the page URL address (i.e. turner.com for cnn.com, nyt.com for nytimes.com, etc.)

    Since in HTTPSB OOB mode only requests for images and stylesheets of non-blacklisted hostnames are allowed, I believe the result of the benchmark while in HTTPSB OOB gives a pretty good baseline of legitimate 3rd-party domain names to assess the other benchmarks -- which are all less restrictive.

    For example I get 24 3rd-party domain names for HTTPSB OOB. I think it is reasonable to state that for the most part these 24 3rd-party domains are actually legitimate -- because only images and stylesheets were pulled.

    So we have now a baseline from which others can be compared. Next benchmark ABP+ returns 39 3rd-party domain names, so 15 more 3rd-party domains than what I now call the baseline benchmark. Then Ghostery returns 27 more, and so on. The pages displayed fine with HTTPSB OOB, so I believe it is also reasonable to state that anything above the baseline set by HTTPSB OOB is in all likelihood a 3rd-party proper.
     