Technology Surfaces That Can Fight and Neutralize Ad Blockers

Discussion in 'privacy general' started by ABaird3, Feb 1, 2016.

  1. ABaird3

    ABaird3 Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    19
    Last edited: Feb 1, 2016
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    There's too much money in online advertising so they will try to get ads to users any way they can. Blocking 3rd party content would probably defeat those countermeasures.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Let's hope this tech will not become more and more effective.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    LOL, seems like this site has implemented an anti-ad-blocker. And if you block first party scripts the site won't work. So I decided to whitelist it, and guess what, the site is full of scripts and trackers, and very slow to load. So guess what, I won't be using your site. What a bunch of morons.

    http://www.insidermonkey.com/
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
    The users of these programs are, or are dangerously close to, committing felonies Under The Federal Computer Fraud and Abuse Act, as amended:

    "18 U.S. Code § 1030 - Fraud and related activity in connection with computers...

    (a) Whoever........

    (5)

    (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;.........

    (e) As used in this section—

    (2) the term “protected computer” means a computer—..................

    (B) which is used in or affecting interstate or foreign commerce or communication,
    including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; [This covers just about every computer connected to the internet]

    8
    the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;.........."

    LOL NB: If you put "8" in parentheses you get a blue smiley :)

    https://www.law.cornell.edu/uscode/text/18/1030
     
    Last edited: Feb 4, 2016
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Weird, all of a sudden the site does work. Perhaps they are seeing that people refuse to white-list it?
     
  7. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Yep, with requestpolicy extension preventing requests for third-party assets, their toothless anti-anti-thing never gets loaded.

    I'm immediately sure. I feel they're peddling snake oil to would-be investors.

    Coming down the pike though, "subresource integrity" checks
    (implemented by chrome and by firefox "for your safety")
    https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
    will become yet another PITA to deal with, in terms of ad blocking.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    For my safety - sure it is. Pity they never thought to use some kind of code signing mechanism, because the current scheme is vulnerable to MITM and rogue sites generally.
     
  9. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Yes, SRI provides exactly that -- enables authors to specify href attributes like rel="thisisahash: dh3k5bm3d988d"
    and the browser is expected to perform a hashsum on the retrieved asset (and, in case of mismatch, refuse to load/display it).

    Safety... vs personal choice and empowerment:
    SRI subverts the possibility of employing a local (personal, ad-blocking) proxy.
    If we can toggle browser's consideration of SRI on and off, at will, it would be welcome while visiting banking sites.
    I doubt browser vendors will provide a toggle though.
     
    Last edited: Feb 5, 2016
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Isn't there still a problem with someone doing MITM because they can calculate the correct hash for the malicious code and serve it up to you?
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    You mean hash collision attack? With newer hash algorithms it probably wouldn't be so easy.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    No, I was thinking that the page may be/is untrustworthy (if it can be subverted, it is publishing its own assertion of the hash of the code - which can also be modified). I don't know if I've misunderstood, but the point of code-signing (for what that's worth) is both assertion of ownership of the publishing certificate and verifying that the code has not been modified. It seems like this mechanism doesn't do both, so all you're left with is being able to verify the code of a publisher you can't trust! Or is the point here relying on ssl certificates?
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    As I understand browser only compares hash of a script with hash specified on website. If both hashes match, script is executed otherwise not. This way owner of site can control which scripts from 3rd party network are loaded. If third party server is compromised and scripts are modified, browser won't run script from 3rd party network (hashes wouldn't match). If webpage itself is compromised then all this is meaningless.
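
The comparison described in the post above, as an added example that is not part of the original thread: a simplified Python model of the browser's SRI decision, run over constructed script bodies. The function names (`sri_value`, `sri_allows`, `scenarios`) and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Algorithms SRI defines, ranked so the strongest one listed is the one enforced.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Integrity value a page author would publish: '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def sri_allows(integrity_attr: str, body: bytes) -> bool:
    """Simplified browser decision for one fetched subresource."""
    pinned = []
    for token in integrity_attr.split():
        alg, _, b64 = token.partition("-")
        if alg in STRENGTH and b64:
            pinned.append((alg, b64))
    if not pinned:
        return True  # nothing usable pinned: the resource loads unchecked
    strongest = max(STRENGTH[alg] for alg, _ in pinned)
    for alg, b64 in pinned:
        if STRENGTH[alg] != strongest:
            continue  # weaker hashes are ignored when a stronger one is present
        actual = sri_value(body, alg).partition("-")[2]
        if hmac.compare_digest(actual, b64):
            return True
    return False

# Constructed sample bodies (not taken from any real site).
ORIGINAL = b"console.log('widget v1');\n"
MODIFIED = b"console.log('widget v1'); /* changed after the page was written */\n"

def scenarios() -> dict:
    pinned_by_author = sri_value(ORIGINAL)
    return {
        # Third-party host serves exactly what the author hashed.
        "unchanged_script": sri_allows(pinned_by_author, ORIGINAL),
        # Third-party host, or any proxy on the path, serves different bytes.
        "script_changed_only": sri_allows(pinned_by_author, MODIFIED),
        # Whoever controls the page republishes a hash of the changed bytes.
        "page_and_script_changed": sri_allows(sri_value(MODIFIED), MODIFIED),
    }

if __name__ == "__main__":
    for name, loaded in scenarios().items():
        print(f"{name}: {'loads' if loaded else 'blocked'}")
```

The middle case is also why a surrogate copy served by a local proxy is refused unless it is byte-identical to what the page author hashed.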
     
  14. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    lol
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    OK, thanks - so it's of limited value, to the extent that you have to trust the webpage (delivered over https with a trusted/known certificate with all the issues associated with that), and that it has specified all the hashes of scripts it references.

    I can see an immediate maintenance problem, namely that quite a few 3rd party scripts do not specify version and might get modified outside the webpage owner's control.

    I just don't understand why they wouldn't also provide the option to sign the script file itself with a PGP key for example.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,875
    Location:
    Australia
    Please excuse my ignorance, but shouldn't NoScript prevent this new technology?
     
  17. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Anyone discussing SRI in this thread should (please!) read some background info, e.g.
    http://githubengineering.com/subresource-integrity/

    BTW, someone has already presented an intended approach for thwarting adblockers by employing SRI:
    http://f ckadblock.sitexw.fr/beta/
    (for the correct URL, replace the space character with letter "u")

    Also, to qualify my earlier comment about regarding SRI as "another PITA to deal with",
    I'll mention that I first heard of SRI (and went searching to read about it) while reading this:
    https://github.com/Synzvato/decentraleyes/issues/26
    The "decentraleyes" plugin is brilliant; it acts as an "in-browser proxy" to serve surrogate copies of oft-requested scripts.
    It creates both a privacy win and a speed (via reduced http requests) win.
     
    Last edited: Feb 6, 2016
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
    "Adblock Plus, scourge of websites, seeks industry deal

    Berlin (AFP) - For its users, Adblock Plus stands as a bulwark against intrusive advertising. But websites dependent on advertising revenue to remain free-of-charge see the open source software as a scourge.

    Now the German firm behind Adblock Plus is taking a more conciliatory tack, reaching out to its adversaries to find an "acceptable" level and form of advertising on the net..."

    http://news.yahoo.com/adblock-plus-...5bzY5BGNvbG8DYmYxBHBvcwMzBHZ0aWQDBHNlYwNzcg--
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    @inka - thanks for the links, unfortunately, I'm deeply underwhelmed by what they're trying to achieve with it, against the breadth of the problem.
     