user-inactivated  ·  3244 days ago  ·  post: Forbes.com serves malware if you disable your adblocker

uBlock Origin on default deny requires much more training than NoScript.

Here's slashdot.org without training on uBlock default deny (left) and NoScript without training (right):

Default deny basically requires you to train every website you visit individually, and it does it for not just JavaScript, but also CSS, images, and other static external content. So NoScript will have you allow a domain but you are allowing it on every website. For instance, if it pulls jQuery's code from jquery.com and you allow it on Site A, Site B which you've never visited will end up running JavaScript from jQuery as well.

So basically, all I had to do with slashdot was pretty simple: I added fsdn.com, which is slashdot's content distribution domain, and it displays the same as the right. In most cases this is pretty easy and quick to do, but in many cases I don't even bother since the page ends up loading 20 times faster without the ridiculous CSS overhead that they end up pushing. It's not necessarily that the web is requiring more overhead because technology itself requires it, but because web developers are getting lazier at optimizing their code and also that more and more people are using heavy external libraries.

The reason that this matters in terms of tracking is readily apparent after using default deny mode. It's amazing what percentage of the internet uses Akamai, Amazon, CloudFlare and the like to serve simply their CSS. It's also incredible how many major websites will not host their own copies of jQuery, but pull from jquery.com directly, or how many websites use ajax.googleapis.com. Even if you block the JavaScript tracking of Facebook like buttons, the image might still get pulled off their servers. There are many other cases of this, but basically every major website now has your browser pull from some sort of shared domain that a large portion of the internet uses.

So basically, in order to track and monitor you, all that needs to happen is they monitor the HTTP requests on these bottlenecks or these bottlenecks end up selling your data to advertisers. You can use all the JavaScript-based tracking blockers you want, and none of those will block this form of invisible passive tracking. Ghostery will not protect you from this, and nothing that is blacklist-based can either because the web is semi-unusable without manual intervention for this type of blocking.

As I said, it's for the completely paranoid and insane like myself :). I also run Firefox in multiple SELinux sandboxes, and you really don't want to know the amount of scrubbing that image above had to go through before I'd post it, so really it's not a good thing to use me as a benchmark of practical internet use.
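
A simplified model of the two policies compared in the comment above, added here as an illustration; it is not part of the original comment and not either extension's real rule engine. The site names, the `cdn.example` host and the function names are constructed, and hosts are matched exactly.

```javascript
// Simplified model of the two policies the comment compares; not the
// extensions' real rule engines. All hosts and requests are constructed.
const requests = [ // [site visited, third-party host, resource type]
  ["site-a.example", "jquery.com", "script"],
  ["site-a.example", "cdn.example", "css"],
  ["site-b.example", "jquery.com", "script"],
  ["site-b.example", "cdn.example", "image"],
  ["site-c.example", "cdn.example", "css"],
];

// Global allowlist: scripts run only from allowed hosts, on every site.
// Static content (css, images) is never blocked.
function globalAllow(allowedHosts) {
  const hosts = new Set(allowedHosts);
  return (site, host, type) => type !== "script" || hosts.has(host);
}

// Default deny: every third-party request is blocked, whatever its type,
// unless that exact (site, host) pair was allowed.
function scopedAllow(pairs) {
  const allowed = new Set(pairs.map(([site, host]) => `${site} ${host}`));
  return (site, host) => allowed.has(`${site} ${host}`);
}

// Which sites does each third-party host learn about? A host observes a
// visit whenever the browser actually sends it a request.
function exposure(reqs, permits) {
  const seen = new Map();
  for (const [site, host, type] of reqs) {
    if (!permits(site, host, type)) continue;
    if (!seen.has(host)) seen.set(host, new Set());
    seen.get(host).add(site);
  }
  const out = {};
  for (const [host, sites] of seen) out[host] = [...sites].sort();
  return out;
}

// The user trained only Site A in both cases.
const globalView = exposure(requests, globalAllow(["jquery.com"]));
const scopedView = exposure(
  requests, scopedAllow([["site-a.example", "jquery.com"]]));
console.log(globalView, scopedView);
```

With the global allowlist, jquery.com also receives the request from Site B and the shared CDN sees all three sites through CSS and image fetches alone; with scoped default deny, only the one trained pair is sent.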