RE: IE9 Tracking Protection Lists

Discussion in 'privacy technology' started by m00nbl00d, Apr 22, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Note: I couldn't reply to a thread by that name. So, I'm starting this one.

    Basically, this is still about something that happens, most likely, with a few TPLs. Some of them are whitelisting third-party communications, without any need. With this, I mean that, if there's no entry blocking communication, then this communication is allowed, therefore no need for an explicit allow entry.

    You can read it here, for instance: -http://msdn.microsoft.com/en-us/library/hh273399(v=VS.85).aspx

    This means that, as I mentioned above, if there's an allow rule, it will be allowed; if there's a block rule, it won't be allowed. (Third-party comms won't be allowed.) This also means that, if you don't want to block, you simply don't put an entry in the TPL.

    Let's take as an example, the example I mentioned in that thread some time ago (May 25th, 2011).

    There's an entry (among others) in this list -https://secure.fanboy.co.nz/adblock/ie/fanboy-tracking.tpl

    +d track.dhl.co.uk

    The +d means that communication will be allowed to that tracking service/domain. Now, why does that happen? There is no block entry in that list, therefore no need for an allow entry either.

    Communication is never blocked, if there's no entry blocking. There is no need whatsoever for explicit allow rules.

    There was some controversy about Truste TPL because of this same situation - too many allow rules, without needing them. You can read that in here -https://www.eff.org/deeplinks/2011/03/tracking-protection-lists ; maybe in other places as well.

    Truste now only has a few allowing rules. Most of them actually block comms. This is the link: -https://easy-tracking-protection.truste.com/easy.tpl

    What this achieves is that, if you are blocking third-party cookies, for instance, then they will be allowed, because there's this entry allowing communication in the TPL.

    There are a few more examples in that same list, as you can see from the screenshots.

    So, I'd be careful about the TPLs that one's using. Sometimes, one may think one has privacy, while it's actually being compromised in some situations. o_O

    A few lists that I've checked, and that actually are about BLOCKING comms are:

    -https://www.abine.com/tpl/abineielist.txt
    -https://www.abine.com/tpl/abinekidsteens.txt (I'd use the two of them in conjunction.)

    -http://www.privacychoice.org/trackerblock/all_companies_tpl

    -https://ie.microsoft.com/testdrive/browser/p3p/google.txt


    I suppose you could manually edit the other lists, because the files are downloaded to C:\Users\username\AppData\Local\Microsoft\Internet Explorer\Tracking Protection.

    But, I'm not sure if it will work afterwards, or if there's some sort of checking. You'd also have to keep an eye when they are updated.

    I don't know about you, but considering there's no reason for explicit allow rules in the TPLs, one has to wonder why they are there in the first place. :ouch:

    I'd stay away from any of the lists that are allowing comms, because even if you are blocking third-party cookies, then they will be allowed. :ninja:
     


  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    I've said it before and I'll say it again. There's a reason for every allow rule in Fanboy's lists, and I speak for Fanboy's lists only, because they are the only ones I use. Just because you don't know the reason doesn't mean it shouldn't be there, Fanboy doesn't add allow rules for the hell of it, there's an entire forum dedicated to false positives. Successful blocking of tracking and ads REQUIRES allow rules to prevent site breakage, hence why HOSTS file methods are terrible.

    I can easily imagine a situation here where a website used a script from the DHL domain for functionality and blocking it broke it, this is more common than you think.

    Also, there is 0 need for the Google list, Fanboy's covers it. In fact, it covers every other TPL. Note: The EasyList TPL is really a "hack", they don't officially support IE and probably never will, their conversion script is flawed and I haven't seen them interested in maintaining it.

    If you really want to know the reason that allow rule is in Fanboy's list I suggest you PM him or make a post on his forum.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, you have said it before, and to be honest the false positive answer bears no reasoning whatsoever. I do know that a TPL doesn't need any ALLOW entry, because, by default, unless it is specifically blocked, then it is allowed. Period.

    False positives? What false positives? How exactly would a TPL have false positives? Care to explain it further? o_O
    Sure, there could be a BLOCK false positive, which then the list maintainer would have to remove from the BLOCK rules, and not have it anywhere. But, this is not what's happening. So, what false positives?

    You're saying I don't know the reason why they're there; but, the reality is, neither do you. I'm just exposing something I've seen happening for a long time.

    I personally do not use Internet Explorer, and therefore not concerned by it, at all. I just figured I'd give a wider warning about it, because it isn't just about one domain... there are actually quite a few being allowed third-party communications.

    Otherwise, many may actually be allowing third-party cookies, even when blocking them, and not know about it. If they're concerned about it, then they should contact the authors of the lists. This is the sole purpose.

    But, no one ever thought that Truste's old TPL was a "false positive".

    Also, you are confusing things mate. A HOSTS file is a whole different matter. But, just like a HOSTS file, if there's no BLOCK rule, then there's no need for an ALLOW rule.

    And, there we go... if no block rule is there, then what is an allow rule for? The same applies to every other entry, by the way. No BLOCK rule = nothing broken.

    Whether or not there's a need for the TPL provided by Microsoft, that will depend on what the user wants to use; so, saying there's 0 need is quite a bold statement, IMHO.

    I actually just wanted to warn about it, in case others have no clue about the situation. If you'd like to provide more info, based on facts, you're more than welcome. But, this much I know: No block rule = nothing blocked = nothing broken = no need for allow rules.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    For instance, as you can see in my second screenshot, there's an ad domain that I highlighted. You can also see it's the only entry there. There are no other rules blocking it; only one allowing it. There is no need to allow any of those, because if a TPL has no such entry, then it won't block it. As simple as that. lol

    By the way, you said that I could PM the Fanboy's list author? Is he a user in this forum? It would actually be great to hear what he has to say about it. :)
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Yes it does, you simply don't see it. If I block tracker.com, all subdomains are blocked. If I go to website.com and it loads a REQUIRED script from api.tracker.com then an allow rule is needed for api.tracker.com.

    No, see above explanation and also see: http://forums.fanboy.co.nz/forums/viewforum.php?f=8 for many many examples.

    There's only 1 reason I don't know why they're there, I don't read every post in the FPs forum. If I did, I could easily tell you. But I know for a fact that every allow rule originates from that forum.

    For good reason.

    I've said this before too, I've never experienced this issue.

    Don't take this the wrong way but I don't really care nor trust other lists, there's a reason I always push people to stick to fanboy's.

    Again, see above. HOSTS files are flawed because of said issue, no allow rules.

    Is there a reason you've repeated this 4 times!?!? It's as if you're that sure of yourself when you're clearly wrong :/

    Been using fanboy's for over a year with no issues.

    There's nothing to warn about.

    You seem to be ignoring the hundreds of generic deny rules that can apply to any and every domain e.g. "-ad-big."

    You can PM Fanboy on his forum.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why would I take it the wrong way? :) I got nothing against Fanboy's lists. I actually think he does a tremendous work.

    OK. Yes, I get that. :thumb:

    The question here, isn't warning about something bad regarding Fanboy, rather about that any user could very well be allowing some third-party cookies, without realizing it.

    Actually, I didn't ignore them, but I overlooked one aspect about the screenshots I provided; the second one. I mistakenly searched for ads in the generic rules, instead of adx, where x is a digit. Based on that, I couldn't find any match, which was causing me confusion about it.

    But, I did not overlook track.dhl.co.uk, though. I couldn't find any match for track, dhl or co.uk, that would justify the specific allow rule. I actually checked it before starting this thread, and before mentioning it back then.

    Anyway, and I'd like to make emphasis on it once more: My purpose is to let others know about it; not just about Fanboy's list. I actually showed Easylist as well, which is far far worse. As you mentioned, looks like they got no interest in maintaining it.

    Anyway, users can manually override it, though. It's actually mentioned in the MSDN page where I've pointed to.

    Well, I'll have to pass. If he was a member here, I'd gladly PM him, though.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    You still don't understand, look, here is the actual rule:
    That means only allow track.dhl.co.uk when loaded by a third party (which converts to a TPL perfectly). I can easily imagine a scenario:

    go to website xyz.com
    it loads an essential script from track.dhl.co.uk
    the script is stopped by generic rule track.xyz
    An allow rule is added to track.dhl.co.uk to overwrite the track.xyz generic rule

    There is no malicious intent here, it is REQUIRED to maintain crucial functionality on another website.

    Again, I've yet to experience your "3rd party cookies allowed" issue. Also, what makes you think track.dhl.co.uk has anything to do with tracking whatsoever? It could be related to order tracking, which makes more sense to me considering what DHL is.
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Wait a minute... now that I think about it I'm confusing myself. I decided to re-read the ABP API and I believe ~ is an "opposite" signifier. In other words, only allow when loaded by first party... I'll PM fanboy and see if he can clarify it to me, it could be a bug in the IE import script... or I could be going insane :p
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    The first party issue has been fixed in both EasyList and Fanboy's lists, those entries will no longer appear.
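
The check argued over in the posts above (is there any block rule in the same list that a given allow rule could be overriding?), as an added example that is not part of the thread or of any list maintainer's tooling. It assumes the basic TPL line syntax (`-d`/`+d` for domain rules, `-`/`+` for URL-substring rules); the sample list is constructed and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample list, not a published TPL. Assumed syntax:
#   "-d host [text]" / "+d host [text]"  block / allow a domain (and subdomains)
#   "- text"         / "+ text"          block / allow URLs containing text
SAMPLE_TPL = """\
msFilterList
: Expires=1
# constructed entries for illustration
-d tracker.example
- -ad-big.
+d api.tracker.example
+d track.dhl.co.uk
+d cdn-ad-big.example
"""


@dataclass(frozen=True)
class Rule:
    allow: bool
    domain: Optional[str]  # host for "d" rules, None for substring rules
    text: str              # URL substring, may be empty on domain rules
    line_no: int


def parse_tpl(text: str) -> List[Rule]:
    """Parse rule lines; header, setting (':') and comment ('#') lines are skipped."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if len(line) < 2 or line[0] not in "+-":
            continue
        allow, rest = line[0] == "+", line[1:]
        if rest[0] == "d" and rest[1:2].isspace():
            parts = rest[1:].split(None, 1)
            if not parts:
                continue
            sub = parts[1].strip() if len(parts) > 1 else ""
            rules.append(Rule(allow, parts[0].lower(), sub, line_no))
        elif rest[0].isspace() and rest.strip():
            rules.append(Rule(allow, None, rest.strip(), line_no))
    return rules


def could_block(block: Rule, allow: Rule) -> bool:
    """True if `block` could match a URL that `allow` was written to exempt."""
    target = (f"{allow.domain}/{allow.text}" if allow.domain else allow.text).lower()
    if block.domain is None:
        # Generic substring rule such as "-ad-big." applies to every domain.
        return block.text.lower() in target
    if allow.domain is None:
        return block.domain in target
    # Blocking a domain also blocks its subdomains.
    return allow.domain == block.domain or allow.domain.endswith("." + block.domain)


def unshadowed_allows(rules: List[Rule]) -> List[Rule]:
    """Allow rules for which this list contains no block rule they could override."""
    blocks = [r for r in rules if not r.allow]
    return [a for a in rules if a.allow
            and not any(could_block(b, a) for b in blocks)]


if __name__ == "__main__":
    for rule in unshadowed_allows(parse_tpl(SAMPLE_TPL)):
        print(f"line {rule.line_no}: allow rule for {rule.domain or rule.text!r} "
              "has no block rule in this list that it could be overriding")
```

A flagged rule is a candidate for review rather than proof of a problem: the check only sees the host and any substring written on the allow rule, so a generic block rule that matches a URL path can still be the reason the exemption exists. It is most useful when several lists are installed, since an allow rule in one list also overrides block rules from the others.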
     
  10. Volare

    Volare Registered Member

    Joined:
    Jul 31, 2012
    Posts:
    52
    Location:
    Australia
    G'day Funkydude and Moonblood,

    Well done for starting this thread. There's not much around when it comes to threads on "do not track" or "tpl" for "ie9" users.

    I guess I'm just a n00b like most "ie" users. I only recently became aware of DNT and TPL's when I became an AVG customer and it installed its own DNT plug-in into IE. Ever since the upgrade to AVG 2013, the DNT plug-in no longer exists (only because they've folded it into their own AVG Toolbar, which I chose not to install).

    I then went on to research alternatives, which exist, such as Ghostery and Abine's DNT+. As a result of my research, I learned more about TPL's and thought I'd give these a go before installing another browser plug-in. How do you guys compare the use of tpl's in comparison to using a browser plug-in such as Ghostery or DNT+? Would a tpl (or two) be just as effective as a browser plug-in? I'd prefer to avoid installing browser plug-ins if tpl's are capable enough.

    I'm currently running EasyList Standard + EasyList Privacy. However, since coming across this thread, I'm thinking of trying Fanboy + Fanboy Adblock. I'm not sure if I'm going to notice a difference, so I'm curious as to why I should choose the Fanboy pair over the Easylist pair (the only arguments I've read in this thread is that Easylist is a "hack" and it's "flawed" and they don't care about ie users, etc.). However, I've been using the EasyList Standard + EasyPrivacy over the last week and I'm happy with it so far. I haven't noticed any drop in browser performance, which is great and websites seem intact (the last thing I'd want is a tpl that makes web-sites look really odd).

    I did read in a post somewhere that Easylist plans to never support IE, however this was some old post over 18 months ago. I've noticed Easylist is one of the recommended tpl's on the MS IE Gallery, therefore has perception changed about EasyList not caring about IE? There's also the argument that many users prefer EasyList because it's based on Adblock Plus. I've also read that Easylist is best for IE, since it has the most users, which means more support, better and quicker updates, etc. According to the graph I located on this link ( https://www.wilderssecurity.com/showthread.php?t=315810&page=3 ) you would assume the protection offered between EasyList and Fanboy are almost on par. BTW - this graph is based on Fanboy tpl+ads+annoy - I think "annoy" is not available for ie anyway, so this might reduce its effectiveness in comparison to Easylist+EasyPrivacy.

    So what's the update on where EasyList stands today in comparison to Fanboy? Has EasyList caught up to deliver similar levels of protection for IE9 users, or is Fanboy still the outright leader?

    Therefore, what would be better and why?

    1) EasyList Standard + EasyPrivacy
    2) Fanboy + Fanboy AdBlock
    3) A plug-in such as DNT+ or Ghostery
     
  11. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    I don't know what's best because I don't use IE, but you should also enable the personal filter, check "Choose content to block..." and set the "Show content providers..." to 3 (I think that's the minimum allowed).
     
  12. Volare

    Volare Registered Member

    Joined:
    Jul 31, 2012
    Posts:
    52
    Location:
    Australia
    Hi Wroll,

    Thank you for your reply.

    I was under the impression that it was not a requirement to enable "Your Personalized List" if you were to use the TPL's from EasyList or Fanboy. I'm guessing it's probably best to keep "Your Personalized List" disabled and just allow the installed TPL's to do their job. It would be interesting to see if anyone else uses any set TPL's from Fanboy or Easylist as well as using "Your Personalized List".
     
  13. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    I told you that because none of those tpl's will block the facebook, google & the rest of the gang trackers/ads. Or maybe they will now, but when I tested them one year ago they weren't.
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    There is no requirement to use the personalized list and I recommend against it because in my opinion it's rubbish. It basically guesses that just because something loaded frequently it's suddenly tracking and should be blocked. Leave it up to the experts to make the lists I say, and less work for you to maintain!

    I personally stick to using fanboy's lists as I had issues with other lists either not blocking something they should or blocking something they shouldn't:
    http://www.fanboy.co.nz/ie.html
    You should generally use the top 2 lists, or just the tracking list if you want to see ads but not be tracked.

    There is also the "annoyances" list used for blocking facebook/twitter "likes" etc on pages but this is in beta at the moment, I can PM you a link if needed.
     
  15. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    It actually doesn't guess anything if you set it to choose manually what to block. It will show you a list of domains which you encountered as third party during your browsing sessions.
     
  16. Volare

    Volare Registered Member

    Joined:
    Jul 31, 2012
    Posts:
    52
    Location:
    Australia
    G'day Funkydude,

    Thanks for sharing your thoughts. "You should generally use the top 2" - Do you mean the tracking list and ad block list? So is Fanboy just your preference, or do you still believe EasyList is flawed/hacked? Just wondering why you think it's flawed if you still think so, or maybe your perception has changed? However, I will give Fanboy+Fanboy Adblock a go just to see for myself.

    BTW - as per my original post above, what are your thoughts on them browser plug-ins, such as DNT+ and Ghostery? Do you think these plug-ins become redundant if you're using a good combination of tpl's/adblocking such as Fanboy+Fanboy adblock? There's also many users who use a browser plug-in like DNT+ as well as tpl's - but I'd assume this would have to affect your browsing experience, either by slowing down your browsing or making web-pages look odd. I'm not totally paranoid about getting tracked, because I really do think they know enough about us already, but I'd like to find a nice balance between performance, decent looking web-pages and an added level of privacy. I'm guessing I should disable adblocking, because all this does is block ads and this is what can make web-pages look odd. EasyPrivacy seems to block most ads, but web-pages seem to look OK.

    I'll keep an eye out for the Fanboy annoyances for IE. Thanks for the heads-up. Since many web-sites have social plug-ins these days, wouldn't an annoyances list make web-pages with social plug-ins look really odd?

    Cheers,
     
  17. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    A well made addon should make browsing faster not slower because it stops things from loading (on many sites lots of things). These addons usually increase the startup time of your browser.
     
  18. Volare

    Volare Registered Member

    Joined:
    Jul 31, 2012
    Posts:
    52
    Location:
    Australia
    Thanks Wroll,

    That's a fair argument, however I'm thinking it still might be best to stick with tpl's such as fanboy+fanboy adblock or EasyList+EasyPrivacy, as these are probably "lighter" on the browser. I'd prefer to avoid stuffing my browser with toolbar add-ons, which might just generally affect it unnecessarily (same reason as to why I avoided installing the AVG Toolbar, but AVG adds a whole heap of other unnecessary junk as well, which is off topic).

    Something like Ghostery doesn't sound like it makes it any easier anyway as it doesn't block anything by default, therefore this will require a lot of time invested in trial and error. I'd rather just use a tpl, which is based on whatever the experts choose to block and allow. This is non-intrusive and you'd never even realise it's there. DNT+ sounds like it's maintained weekly by updates, therefore would require less maintenance, but I'm not sure how much more effective this would be than using Fanboy (or Easylist) tpl's anyway. It just sounds to me like both Fanboy and EasyList have large user communities who contribute to improving their lists - therefore maybe they are just as effective or even more effective than the browser plug-ins.

    Cheers,
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    No matter what plugins you use there will always be varying amounts of slowdown (also dependent on language the plugin was written in), and there will always be the chance of an increased attack surface against you. It just depends how useful the plugin/addon is. For example I can't wait until HTTPS Everywhere comes to IE, it will be the first addon I install in IE10 and will definitely cause some kind of slowdown due to carrying a large list, but it will be worth it.

    TPLs however are faster than addons as they don't run at the addon level, I believe they make use of the Windows Filtering Platform for speed so on the average website (full of tracking and ads) you're guaranteed a speed boost.

    Yes I mean the tracking and adblock when I say the top 2, as in the top 2 on the page. What do you mean by hacked?? I never mentioned such a thing. They are probably better than they used to be, but when I tried them they were most definitely flawed. Mainly because the authors didn't seem to have any interest in properly maintaining them. The reason I recommend NOT using other lists is because allow rules overwrite block rules, so lists can conflict. Hence why I recommend the sole use of Fanboy's lists.

    Yep some very well may look odd, it's a matter of what you prefer. A slightly odd looking faster loading website with no social tracking, or a perfect looking slow loading website. Then again, sometimes blocking ads alone can make a site look odd!
     
  20. Volare

    Volare Registered Member

    Joined:
    Jul 31, 2012
    Posts:
    52
    Location:
    Australia
    Thanks for sharing your thoughts Funkydude :thumb:

    Sorry, not "Hacked". Meant to say "Hack" as per your post on 22 April (scroll up this thread). You mentioned the following "The EasyList TPL is really a "hack", they don't officially support IE and probably never will, their conversion script is flawed"

    I guess I just wanted you to elaborate a little, because since using Easylist+EasyPrivacy, I've been fairly happy with it, but perhaps you're aware of specific deficiencies with Easylist, so I was just hoping you could elaborate in which ways they are flawed, including their flawed conversion script (which I assume you mean converting Adblock Plus for IE TPL's). I'm guessing Easylist has improved since the time you made that post last April and they do officially support IE. I originally installed EasyList+EasyPrivacy because it sounded like it was the most popular and unlike Fanboy, it's based on Adblock Plus, which I assumed is a good thing (this is an interesting post on "EasyList vs Fanboy", but this was almost 3 years ago. It sounds like EasyList didn't have the best reputation a few years ago - https://adblockplus.org/forum/viewtopic.php?t=4884 ).

    A few forums recommend either EasyList or Fanboy and they can't split the two. I'll be replacing EasyList+EasyPrivacy with Fanboy+Fanboy Adblock to see how it goes. However, I somehow think I probably won't notice much of a difference and therefore either is probably just as good.

    Cheers,
     
  21. Volare

    Volare Registered Member

    Joined:
    Jul 31, 2012
    Posts:
    52
    Location:
    Australia
    Just an update, I tested Fanboy+Fanboy Adblock over the last week. I didn't notice much of a difference between Fanboy and EasyList on most web-sites, apart from Fanboy not always filtering when on facebook. The filter icon would not always appear on the ie address bar, therefore ads would not be blocked and you'd have to assume tracking protection was also not working. It would not filter or block ads on facebook more often than not (It might work 10% of the time - I could try refreshing the page a few times and it would come back, but it would not last very long. It would never filter on an individual's page, but only occasionally filtered content on the "News Feed" page). I made a post on the Fanboy Forum 5 days ago, but I didn't receive any replies.

    I've now gone back to EasyList+EasyPrivacy.

    Cheers,
     
  22. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    IE9 Tracking Protection Lists

    IE9 TPLs

    Fanboy (+Fanboy Adblock)

    -OR-

    EasyList (+EasyPrivacy)
     
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    762
    Location:
    UK
    here is my 2 cents.

    I have used all 3 of the following on IE.

    Proxomitron, with what are now obsolete rules.
    simple adblock, a commercial addon. It started off free.
    easylist and easylist privacy TPL rules.

    Proxomitron in its heyday was quite effective and didn't have a huge performance penalty other than what you get for browsing via proxies. But now it's way out of date and as such I only use it for debugging (as it has a great debug feature), I also use it as an easy way to switch between 3rd party proxies as the built in IE proxy function is poor. Its filtering is now always set to bypass.

    simple adblock is apparently based on easylist's filtering list and blocks ads very effectively including the intrusive youtube ads, however it slows down IE significantly now. not just in loading up but also in browsing. It is very noticeable so I don't usually use it.

    the TPL lists I have found have no negative impact on performance at all and as suggested above seem to actually speed things up, however don't seem to block as much as simple adblock, youtube a notable issue (all its ads work), so something isn't quite right because the easylist blocks youtube with simple adblock and it also blocks in firefox when using adblock pro.

    so either easylist have modded their IE lists or the TPL function breaks some filters. I also tried fanboy which lets youtube off the hook as well. I can block youtube with some hosts filtering but it has some downsides, one I get error boxes where ads were on the youtube pages (notable on homepage) and videos pause when loading as I assume they're waiting for a timeout connecting to adservers on 127.0.0.1. However the delay is usually shorter than the time lost on enforced ads.

    I made my own TPL list specifically for youtube but can't get it to load into IE.

    even the published ad filtering HOSTS files on the internet seem to exempt youtube ad servers (they're there but commented out). This I find odd as if google have made a deal or IE has problems filtering that site so all the adblocker maintainers give it a pass.
     
  24. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    You cannot block URLs loaded by flash with TPL's, because TPL's don't apply to plugins, only the browser. There is a specific API call that plugins can use if they choose to filter their content via TPL's, this was Microsoft's (seriously dumb) decision.

    Adobe has known about this for over a year (I've made tickets on both MS's tracker and Adobe's tracker) and still hasn't done anything about it. It basically means in-video ads cannot be blocked at the moment.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    762
    Location:
    UK
    ok thank you for the explanation, then I guess for now will keep the hosts file for youtube, (note am not using a full on hosts file as that slows things down also) just a small one specifically for youtube. Also given that adobe bundle chrome, I suspect it's not in their interests to enable TPL's. So yes really we need microsoft to enforce TPL's on plugins and take the decision away from adobe.
     