a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by user-inactivated
user-inactivated  ·  3241 days ago  ·  link  ·    ·  parent  ·  post: Forbes.com serves malware if you disable your adblocker

uBlock Origin on default deny requires much more training than NoScript.

Here's slashdot.org without training on uBlock default deny (left) and NoScript without training (right):

Default deny basically requires you to train every website you visit individually, and it does it for not just Javascript, but also CSS, images, and other static external content. So NoScript will have you allow a domain but you are allowing it on every website. For instance, if it pulls jQuery's code from jquery.com and you allow it on Site A, Site B which you've never visited will end up running Javascript from jQuery as well.

So basically, all I had to do with slashdot was pretty simple, I added fsdn.com which is slashdot's content distribution domain and it displays the same as the right. In most cases this is pretty easy and quick to do, but it many cases I don't even bother since the page ends up loading 20 times faster without the ridiculous CSS overhead that they end up pushing. It's not necessarily that the web is requiring more overhead because technology itself requires it, but because web developers are getting lazier at optimizing their code and also that more and more people are using heavy external libraries.

The reason that this matters in terms of tracking is readily apparent after using default deny mode. It's amazing what percentage of the internet uses Akamai, Amazon, CloudFlare and the like to serve simply their CSS. It's also incredible how many major websites will not host their own copies of jQuery, but pull from jquery.com directly, or how many websites use ajax.googleapis.com. Even if you block the Javascript tracking of Facebook like buttons, the image might still get pulled off their servers. There are many other cases of this, but basically every major website now has your browser pull from some sort of shared domain that a large portion of the internet uses.

So basically, in order to track and monitor you, all that needs to happen is they monitor the HTTP requests on these bottlenecks or these bottlenecks end up selling your data to advertisers. You can use all the Javascript based tracking blockers you want, and none of those will block this form of invisible passive tracking. Ghostery will not protect you from this, and nothing that is blacklist based can either because the web is semi-unusuable without manual intervention for this type of blocking.

As I said, it's for the completely paranoid and insane like myself :). I also run Firefox in multiple SELinux sandboxes, and you really don't want to know the amount of scrubbing that image above had to go through before I'd post it, so really it's not a good thing to use me as a benchmark of practical internet use.





user-inactivated  ·  3240 days ago  ·  link  ·  

    The reason that this matters in terms of tracking is readily apparent after using default deny mode. It's amazing what percentage of the internet uses Akamai, Amazon, CloudFlare and the like to serve simply their CSS. It's also incredible how many major websites will not host their own copies of jQuery, but pull from jquery.com directly, or how many websites use ajax.googleapis.com. Even if you block the Javascript tracking of Facebook like buttons, the image might still get pulled off their servers. There are many other cases of this, but basically every major website now has your browser pull from some sort of shared domain that a large portion of the internet uses.

Honestly, once you hit the internet, from a tracking point of view, you are fucked. Your ISP is tracking you, connecting your modem with behavior. So you would need to use free wifi and change locations... except then we only need to connect times and security camera footage. This should be its own thread as running down the paranoia hole is fun and creepy.

You use adblockers and script blockers not to stop tracking, but to prevent malware and virus infections. And reducing exposure to advertising in general makes you happier in the long run.

kleinbl00  ·  3240 days ago  ·  link  ·  

I appreciate all this, but I spent two weeks trying to get NoScript to behave and 10 minutes replacing ABP with UO. NoScript was hands-on and tedious while UO was utterly transparent. It's entirely possible that I'm running a different level of paranoia than you... but I guess that's kind of my point. At the level of paranoia most users operate at, UO is a lot less of a hassle.

What level of paranoia we should all be at is a whole 'nuther discussion...