Opened 3 years ago

Last modified 6 days ago

#17569 reopened defect

Add uBlock Origin to the Tor Browser

Reported by: kernelcorn Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-usability tbb-security, tbb-performance
Cc: arthuredelstein, intrigeri Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I suggest that we add Ublock Origin to the Tor Browser. Ublock Origin has the following advantages:

  1. FOSS under GPL3. See https://github.com/gorhill/uBlock
  2. It is actively maintained and very popular.
  3. It's designed to be efficient on CPU and memory. See https://github.com/gorhill/uBlock#performance

From https://github.com/gorhill/uBlock#philosophy:

uBlock Origin is not an ad blocker; it's a general-purpose blocker. Furthermore, advanced mode allows uBlock₀ to work in default-deny mode, which mode will cause all 3rd-party network requests to be blocked by default, unless allowed by the user.

Its behavior is governed through filter lists, which are maintained by Adblock Plus, Disconnect, the community, or other sources. Users can control which lists are downloaded and most are fetched through HTTPS.

I have read through https://www.torproject.org/projects/torbrowser/design/#philosophy, but this was written several years ago and I believe that the landscape has changed and that it's time to revisit those assumptions. Arguments include:

  1. Default denial of cross-site (3rd party) requests, unless allowed by the users. This eliminates CSRFs and prevents contact with ad networks and trackers in the first place. This supplements browser security by prevent ad networks from tracking users across a browser session.
  2. If all users use Ublock Origin, then everyone has the same fingerprint.
  3. Adblockers are now relatively common by tech-savvy users, to the point where they now consider webpages to be broken if ads get in their way. The existence of ads may drive a user to install an insecure adblocker or to use their native non-Tor browser.
  4. Ublock Origin would save significant bandwidth, reducing the load on the Tor network and increasing the responsiveness of webpages in the Tor Browser.

<n8fr8> might be good to revisit these assumptions, but make sure to read on in the design document to get the full understanding
<helix> I wonder how many people install adblockers anyway. I have like 4 extra extensions for ad/tracking blocking
<n8fr8> true that
<helix> my memory was fuzzy but I recall there also being some concern that blocking ads might increase sites' contempt towards tor users, but this was like 2011-2012 and the situation was quite different
<nickm> It seems like it follows some kind of design antipattern to me; "Assuming that we deliver security with X, Y adds no additional security. Therefore, not Y." then again, I am not a TB person and do not want to step on their toes here
<n8fr8> the world has changed wrt to ad blockers being seen as anti-social... Apple now supports them after all.
<kernelcorn> helix: so many non-Tor users use adblockers that I doubt that Tor users would make a significant impact
<helix> kernelcorn: I agree now - I'm saying that the timeframe in which that decision was made had a different landscape
<helix> I think it's probably worth revisiting the topic to see if it's still true

Ticket #10914 is related.

Child Tickets

Change History (65)

comment:1 Changed 3 years ago by cypherpunks

Related links:

comment:2 in reply to:  1 Changed 3 years ago by gk

Replying to cypherpunks:

Related links:

You forgot to link to the other W2SP one: https://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf. Its introduction is actually quite interesting, especially the demo aiming to defeat blacklist-based tracking. Yes, we plan to update the No Filters section in our design document pointing to it. See: comment:3:ticket:15988.

Last edited 3 years ago by gk (previous) (diff)

comment:3 Changed 2 years ago by cypherpunks

Summary: Add UBlock Origin to the Tor BrowserAdd uBlock Origin to the Tor Browser

+1 For bundling uBlock Origin with Tor Browser, great software (thanks gorhill).

I'd suggest adding cached block lists to not have to download them on first run and to prevent users from having different block lists (to prevent fingerprinting).
And disable the auto updating and only update when Tor Browser has a new uBlock Origin version or block lists.

I already have uBlock Origin installed in my Tor Browser, because without it I think I'm less secure and potentially less anonymous with all those connections made to ad networks, big corporations. Since they have greater capability to correlate behavior etc.

Thanks!

comment:4 Changed 2 years ago by user85938544

I came here to post the very same thing so I hope the developers will consider it.

comment:5 Changed 2 years ago by cypherpunks

there is a similiar request upstream https://bugzilla.mozilla.org/show_bug.cgi?id=1280773

comment:6 Changed 22 months ago by arthuredelstein

Cc: arthuredelstein added
Keywords: tbb-usability tbb-security added

FWIW, I also like this idea. I think it will help improve privacy, security, performance, and usability.

comment:7 in reply to:  3 Changed 22 months ago by i139

Replying to cypherpunks:

I'd suggest adding cached block lists to not have to download them on first run and to prevent users from having different block lists (to prevent fingerprinting).
And disable the auto updating and only update when Tor Browser has a new uBlock Origin version or block lists.

I suggest to convert it by patch on TBB (maybe on NoScript) or to use the native firefox tracking protection with our own cached block list.

https://support.mozilla.org/en-US/kb/tracking-protection-pbm
https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection

comment:8 Changed 22 months ago by i139

another alternative is use Privacy Badger By EFF
https://www.eff.org/privacybadger

I read good things about it

comment:9 in reply to:  8 ; Changed 22 months ago by arthuredelstein

Replying to i139:

another alternative is use Privacy Badger By EFF
https://www.eff.org/privacybadger

I read good things about it

I don't think Privacy Badger is appropriate for Tor Browser, because it collects information about what sites you have visited, and constructs a unique filter as you browse. That means it gives you a unique fingerprint.

comment:10 in reply to:  9 ; Changed 22 months ago by i139

Replying to arthuredelstein:

Replying to i139:

another alternative is use Privacy Badger By EFF
https://www.eff.org/privacybadger

I read good things about it

I don't think Privacy Badger is appropriate for Tor Browser, because it collects information about what sites you have visited, and constructs a unique filter as you browse. That means it gives you a unique fingerprint.

OK, you are right.

firefox tracking protection use lists provided by disconnect.me, maybe just change those lists with our own will be enough

comment:11 in reply to:  10 Changed 22 months ago by cypherpunks

Replying to arthuredelstein::

firefox tracking protection use lists provided by disconnect.me, maybe just change those lists with our own will be enough

With the growing amount of nasty anti-adblock tricks in play i wouldn't call a simple change in blocklists future-proof enough.
Reek & Gorhill are quite busy to investigate & solve all the new stuff the companies come up with.

Last edited 22 months ago by cypherpunks (previous) (diff)

comment:12 Changed 21 months ago by cypherpunks

This would be a good idea. Many users already install it.

https://medium.com/@profcarroll/10-terrible-things-about-adtech-35f7e7fcc1ad

comment:14 in reply to:  13 Changed 21 months ago by cypherpunks

Replying to i139:

some informations about filters

The default filter configuration is good, so it should be left untouched for a larger anonymity set.

Last edited 21 months ago by cypherpunks (previous) (diff)

comment:15 Changed 21 months ago by i139

Look more calmly

those are good for usability, in TBB without JS, warnings and killers can disturb the usability

Adblock Warning Removal List‎
Anti-Adblock Killer

those block some social content, how track the user

Anti-ThirdpartySocial
Fanboy’s Annoyance List‎

and ect...

a good filter selection for all users is important, because the users wouldn't have to use different set of list, avoiding fingerprint

comment:16 in reply to:  15 Changed 21 months ago by cypherpunks

Replying to i139:
The place to make this argument is upstream. If we wait until everyone can agree on the perfect filter set, this will never get done.

comment:17 Changed 21 months ago by i139

Tails 2.10 will also use uBlock Origin
https://labs.riseup.net/code/issues/9833

comment:18 Changed 21 months ago by koolfy

I vote for including an ad blocker to the TBB, if this does not become a maintainment nightmare (it shoudln't be?)

(TL;DR at the end)

I'd consider it another tool against privacy-invasive measures, malicious code injection, straight user misguidance (visual clickbaits etc) while also being an actual usability improvement.
The argument was brought up on several cryptoparties, by people with very little technical background, telling me they could not even consider browsing the web without it.

The websites that will pose usability nightmares are well aware of this, as they are very often the very cause of this, and will very explicitly ask the user to disable ad blocking for their website, which has become a relatively straightfoward thing i nterms of UX.

I understand the argument on torproject's image in terms of websites remuneration streams, but as I mentionned, most of these will block ktheir contact when they detect an ad blocker, or ask kindly that the user disable it for their site, which they are still free to do. Moreover tor blocks any ad targeting attempt with current measures, so their ads already have very little value if any at all.

I dot not think it should be a problem for Tor to openly disapprove of a revenue method that literally monetizes user privacy. Subscriptions are less pervasive, offering a balance between "I want to donate to this website, and maybe lose a bit of anonymity if the website insists on linking my account to my donation to let me access content" and "those who don't subscribe aren't profiled and monetized without their consent".

tl;dr: nowadays it's an actual UX improvement, probably reduces a bit of an attack vector, and I don't believe torproject could be criticized for not supporting these privacy monetization methods

Last edited 21 months ago by koolfy (previous) (diff)

comment:19 Changed 20 months ago by niconiconi

I believe that there is no reason to keep NoScript if uBlock Origin or uMatrix are added.

comment:20 in reply to:  19 ; Changed 20 months ago by cypherpunks

Replying to niconiconi:

I believe that there is no reason to keep NoScript if uBlock Origin or uMatrix are added.

I do.
ContentBlocker like UblockOrigin are only as good as their filterlists.
NoScript is a more general approach

comment:21 Changed 20 months ago by i139

uBlock Origin is not an "ad blocker", it is a wide-spectrum blocker, which happens to be able to function as a mere "ad blocker". But it can also be used in a manner similar to NoScript (to block scripts) and/or RequestPolicy (to block all 3rd-party servers by default), using a click-and-point user interface.

https://github.com/gorhill/uBlock/wiki/Blocking-mode

comment:22 in reply to:  20 Changed 20 months ago by niconiconi

Replying to cypherpunks:

Replying to niconiconi:

I believe that there is no reason to keep NoScript if uBlock Origin or uMatrix are added.

I do.
ContentBlocker like UblockOrigin are only as good as their filterlists.
NoScript is a more general approach

I will disagree, uBlock Origin provides every important feature of NoScript and even more with the Dynamic Filtering mode enabled. Also see https://github.com/gorhill/uBlock/wiki/Dynamic-filtering

comment:23 Changed 15 months ago by cypherpunks

contains spyware.
constant connection to raw.githubusercontents.com

comment:24 in reply to:  23 Changed 15 months ago by cypherpunks

Replying to cypherpunks:

contains spyware.
constant connection to raw.githubusercontents.com

For dynamic assets and a few pictures as can be seen in the sourcecode https://github.com/gorhill/uBlock/search?utf8=%E2%9C%93&q=githubusercontent&type=

Hardly spyware.

comment:25 Changed 13 months ago by cypherpunks

I think something concerning just appeared recently with the JS XMR miners in place of ads (such as https://coin-hive.com which was used by thepiratebay for 24hr as an experiment). Imagine if I have like 4 sites that use them, one of CPU's core is already at 100% with only 1 opened, with 4 it would completely bottleneck the browser.

In fact, I tested with Medium security setting (which has JIT disabled) the captcha which is based on mining XMR was still at its beginning even after 15 min https://coin-hive.com/account/signup

But yes, what the Tor Browser design document states is still completely valid - however in the face of new emerging threats I don't think we should ignore them since they definitely impact usability here: So if someone was on one of those sites that had that XMR miner and were using the Medium security setting, then they'll have a 100% cpu use on one of their cores and that will affect their browsing experience. If they realize that this is partly due to JIT they'll lower the security setting, so this could discourage some from using medium security setting. If they don't, then they're still stuck with a 100% cpu core usage.

One potential compromise here is to add uBlock Origin but with only the filer list that handles those JS miners (list is called `dark-patterns`) + the filter lists on badware and malware, and everything else would be disabled.

Note how this compromise only addresses usability and a bit of security and not privacy, which is already handled by design by the Tor Browser. (Edit: and from then on we can discuss whether blocking trackers as well would be meaningful, and I tend to think that after all it may be necessary for mitigating fingerprinting by common trackers for things that haven't been solved yet, such as the recent example of CSS line-height.)

Last edited 13 months ago by cypherpunks (previous) (diff)

comment:26 Changed 13 months ago by cypherpunks

Another reason which I just thought about: The argument in the Tor Browser design documentation assumes that the user in question leaves everything in the Tor Browser by default. But there's no guarantee for that, and in real life many users make themselves more fingerprintable (e.g. by changing the browser's size, ...etc). In such a case, blocking some trackers may turn out to be beneficial, if only to prevent some trackers from easily fingerprinting some users.

The other counter-argument that this would damage ad revenue from websites ignores that there's only 2 million TB users, and the impact would be relatively tiny. Also many major browsers are now starting to block (some) ads by default, such as Brave, Opera, ... and even Google's Chrome which will block some certain types of ads in 2018.

Last edited 13 months ago by cypherpunks (previous) (diff)

comment:27 Changed 13 months ago by cypherpunks

Yet another reason: It's becoming practically impossible to access some bloated websites with the Tor Browser in machines with only 1-2Go of RAM, and with the switch to FF59 which will have 4 content processes this will be even impossible. As has been proven many times, blocking trackers has on average significant benefits in terms of RAM usage, especially on bloated news sites full of trackers (gorhill, the uBlockOrigin maintainer, has some nice examples: 1, 2):

https://pbs.twimg.com/media/C8ka6GvUwAA0sxC.jpg

Last edited 13 months ago by cypherpunks (previous) (diff)

comment:28 Changed 13 months ago by intrigeri

Cc: intrigeri added

comment:29 Changed 12 months ago by cypherpunks

Based on data obtained through the Pulse Test Pilot experiment, Mozilla's Test Pilot team concluded that "Ads hurt user sentiment. One of the strongest effects on sentiment was our proxy for the number of ads: requests made by the page to hostnames on the Disconnect.me tracking protection list. This covaried with the overall number of requests, total page weight, and each of the timers, so it’s unclear if this effect is due to a specific aversion to ads, or to their consequences on performance."

Another aspect: Because of the Tor Browser design targeted ads do not really make sense, all the ads I get - without exception - are for countries where I don't live in despite the fact that there are some exits in my country.

Last edited 12 months ago by cypherpunks (previous) (diff)

comment:30 Changed 12 months ago by cypherpunks

Why not add "RequestPolicyContinued" instead of this? It can block 3rd party trackers instantly.

comment:31 Changed 12 months ago by arthuredelstein

Keywords: tbb-performance added

comment:32 Changed 11 months ago by cypherpunks

I think bundling an extension is ok, but FF already features a contentblocker.
This existing feature should be built upon with the option to insert third party lists and redirections to local scriptlets to keep Sites working that expect certain third party objects.

comment:33 in reply to:  32 Changed 11 months ago by cypherpunks

Replying to cypherpunks:

I think bundling an extension is ok, but FF already features a contentblocker.
This existing feature should be built upon with the option to insert third party lists and redirections to local scriptlets to keep Sites working that expect certain third party objects.

That has the problem that if some website detects that you're blocking some trackers and puts a large adblock detected banner then how are you going to counter that? There's no way to deal with this with a stock Firefox with your suggestion except by disabling the list completely. An addon has the advantage of giving you the option to easily disable it for a given site.

There are additional problems too with the addon method:

  1. What if some user enables more filter lists? Should the filter lists section be blocked from the user or should it be reset with each "New Identity"?
  2. What if some user whitelists some sites? Then they're going to be saved locally but that's bad. Should the whitelist be reset to default with each "New Identity"?

IMHO I'm in favor of resetting everything with each "New Identity".

Last edited 11 months ago by cypherpunks (previous) (diff)

comment:34 Changed 11 months ago by cypherpunks

Adding uBlock to TBB will expose its users to "fingerprinting" attack.

uBlock + (What list) will make unique fingerprint.
(What list) depends on what list you decide to download, and when to download.
Also List supplier could add unique filter for each result to target TBB user.

TBB A: Give me adblockplus.org/list.txt
ABP Server: Here's your list. (which include this line: "#div#thispersonIP#7.5.6.7")

TBB B: Give me adblockplus.org/list.txt
ABP Server: Here's your list. (which include this line: "#div#thispersonIP#1.2.3.4")

Now the 3rd party website can detect this TBB user uniquely.

TL:DR;
No, Don't add ublock to TBB.
Instead, use Firefox's "built-in tracking blocklist".
The blocklist should bundle with TBB itself(like GeoIP files) so TBB don't have to download these lists from internet.

comment:35 Changed 11 months ago by cypherpunks

fyi,I use these in my TBB.

Decentraleyes
RequestPolicy Continued

Both NEVER connect to internet to download "subscription" files.
Why not add them instead?

comment:36 Changed 11 months ago by cypherpunks

puts a large adblock detected banner then how are you going to counter that?

That thing will appear if you allow JS in the first place.
Disable JS, or just leave that evil site.

comment:37 in reply to:  36 Changed 11 months ago by cypherpunks

Replying to cypherpunks:

Now the 3rd party website can detect this TBB user uniquely.

uBO has some hash checking in place? If that's not the case then there should be some bug report.

Instead, use Firefox's "built-in tracking blocklist".

I already explained why it wouldn't work that great in the first paragraph in this comment.

Replying to cypherpunks:

Decentraleyes

Please see #22089

Replying to cypherpunks:

That thing will appear if you allow JS in the first place.
Disable JS, or just leave that evil site.

JS is enabled by default, just telling me to disable JS in those cases isn't helpful.

comment:38 Changed 11 months ago by cypherpunks

"If that's not the case then there should be some bug report."

There are many ways to identify its users. I'm against adding uBO to TBB. This will make unique fingerprint if the user choose filterlist their own and download them from the 3rd party server.

Instead, bundle the "lite" blocklist to TBB itself. Lite-list will block some ads so 99.9999% user will not disable it. By bundle it to TBB, it will NEVER make a connection to the outside. Fingerprints will be the same because everyone use same list.

like; https://github.com/mozilla-mobile/focus-android/issues/1127

comment:39 in reply to:  38 Changed 11 months ago by cypherpunks

Replying to cypherpunks:

There are many ways to identify its users. I'm against adding uBO to TBB. This will make unique fingerprint if the user choose filterlist their own and download them from the 3rd party server.

Instead, bundle the "lite" blocklist to TBB itself. Lite-list will block some ads so 99.9999% user will not disable it. By bundle it to TBB, it will NEVER make a connection to the outside. Fingerprints will be the same because everyone use same list.

Please see my comments on comment 33 on why this isn't a good idea, and a possible solution for clearing custom settings to uBO.

comment:40 Changed 8 months ago by cypherpunks

Even Chromium devs are thinking about doing something to stop the resource abusers and looters like coinhive https://bugs.chromium.org/p/chromium/issues/detail?id=766068

Comment 13 by ojan@chromium.org, Oct 19

Sorry for the delays responding on this. Yes, we should do something about it. Not quite sure what.

comment:41 Changed 8 months ago by cypherpunks

They (Chromium folks) also now have adblockers for *some* sites by default: https://developers.google.com/web/updates/2017/12/better-ads

That's still better than the current situation where we (TB users with not-so-fast CPUs) have to deal with bloated websites and can't block those damn trackers since we'll become easily fingerprintable.

comment:42 Changed 7 months ago by cypherpunks

FWIW Firefox will also move to block some ads by default https://wiki.mozilla.org/Firefox/Roadmap

Last but not least, in 2018, Firefox will get more opinionated. People on the web deserve a browser that represents people first, a browser that isn't neutral when it comes to advertising, tracking and other dark patterns on the web.

[...]

Filter certain types of ads by default: Firefox will offer users a simple ad filtering option. We're in the early stages still, researching types of advertisements that should be blocked by default. (Q3)

Block ad re-targeting: We are working on blocking cross-domain tracking. Details to follow. (Q3)

comment:43 Changed 6 months ago by cypherpunks

#25959 is a duplicate, quoting what the fine person wrote:

tremvonk:

Read before closing as wontfix: I am familiar with the Tor Browser design philosophy of not relying on filters for security. This request, unlike ticket:15279, has nothing to do with possible security benefits of uBlock Origin.

I think that Tor browser bundle would benefit from including uBlock Origin as an adblocker by default. Consider the benefits:

  1. Ads waste bandwidth. To see just how much I ran tests using Tor Browser at medium security level on two major news organizations' sites: the Economist and the New York Times. The results were striking: without uBlock Origin, the Economist's website loaded 12.6 MB with 135 requests and the New York Times' website loaded 7.6 MB with 235 requests. With uBlock Origin, the Economist's website loaded 5.8 MB with 443 requests and the New York Times' website loaded 5.0 MB with 85 requests. uBlock Origin reduced the page size by 54% for The Economist and 34% for the New York Times. Granted, newspapers are particularly bad offenders when it comes to bloating the page with ads, but, however we slice it, we still stand to save considerable amounts of bandwidth.
  1. It makes TBB more usable. Blocking that many MB of ads can only make the webpage load faster and gives an overall nicer user experience (does anybody really want to see those ads?) which, in turn, helps encourage more people use TBB.
  1. It makes TBB and TAILS browser fingerprint look more alike.

Now, I did see the section of the Tor Browser design philosophy that opposed adblockers in TBB. However, consider the objections

  1. Damages TBB's reputation to provide non-filter-based security. I think this is no longer true - TBB has been around for long enough and its reputation well-established enough that I doubt users will be confused - especially that the truth is readily findable by anyone who cares to look. Moreover, TAILS browser has been shipping with uBlock Origin for quite a while now and it caters to an even-more security-conscious crowd than just TBB.
  1. Makes ad-supported websites dislike TBB. Currently, over 1/4 of internet users use an adblocker (see here). If websites dislike adblockers, they have a lot more problems than just TBB. In any case, the fraction of sites that will dislike TBB for using an adblocker will be small compared to the fraction of sites that dislike TBB just for using Tor.

Therefore, Tor browser bundle should follow TAILS' example and add uBlock Origin to the browser by default.

comment:44 Changed 6 months ago by cypherpunks

This would also be a good step in the right direction for Firefox upstream:
https://wiki.mozilla.org/Firefox/Roadmap

has entries like

Filter certain types of ads by default: Firefox will offer users a simple ad filtering option. We're in the early stages still, researching types of advertisements that should be blocked by default. (Q3)

as well as making tracking more difficult and stop auto-play videos like chrome has done it.
Instead of just having the "basics" it could be a joint effort to have the logic for blocking and replacing in FF/TBB and the filter lists by the community.

comment:45 Changed 5 months ago by cypherpunks

Interesting recent research done at Mozilla on the utility of ad blockers for web browser users: https://research.mozilla.org/files/2018/04/The-Effect-of-Ad-Blocking-on-User-Engagement-with-the-Web.pdf

But muuuh what about those who depend on the 2 cents/month from Monero JS miners? You want them to close their business since they will no longer receive those 2 cents/month??????!!!!!!!1!!11

comment:46 Changed 5 months ago by LabraTor

I strongly encourage to implement uBlock Orgin in TBB as it is done in Tails. I'm fine if user customization of uBlock Origin is restricted but please move on with this.

comment:47 in reply to:  46 Changed 5 months ago by cypherpunks

Replying to LabraTor:

I strongly encourage to implement uBlock Orgin in TBB as it is done in Tails. I'm fine if user customization of uBlock Origin is restricted but please move on with this.

I've been lobbying for blocking some useless trash by default in TB (via the Firefox built-in Disconnect blocklist), but for the case of uBlock Origin do you have a solution for comment:33?

comment:48 Changed 5 months ago by cypherpunks

Resolution: invalid
Status: newclosed

Adding an add-on which make internet connection in background is against Tor Browser's design.
Write a concrete proposal and attach to this ticket before you reopen this.

Also we are against adding uBO to Tor Browser.
Such user can add the add-on by themselves WITH THEIR OWN RESPONSIBILITY.

comment:49 in reply to:  48 Changed 5 months ago by cypherpunks

Resolution: invalid
Status: closedreopened

Replying to cypherpunks:

Adding an add-on which make internet connection in background is against Tor Browser's design.
Write a concrete proposal and attach to this ticket before you reopen this.

So let's remove HTTPS Everywhere as well since it makes connections to get ruleset updates? There are valid reasons to be against uBO in the Tor Browser, but this one isn't among them.

comment:50 Changed 5 months ago by cypherpunks

Resolution: wontfix
Status: reopenedclosed

So let's remove HTTPS Everywhere as well since it makes connections to get ruleset updates

Complete BS. Tor Bundled add-on does not make connection at all. uBO is not.

There are valid reasons to be against uBO in the Tor Browser

You wrote your answer already

comment:51 Changed 5 months ago by cypherpunks

Summary: Add uBlock Origin to the Tor BrowserAdd Adblock Plus to the Tor Browser

comment:52 in reply to:  50 Changed 5 months ago by cypherpunks

Resolution: wontfix
Status: closedreopened
Summary: Add Adblock Plus to the Tor BrowserAdd uBlock Origin to the Tor Browser

Replying to cypherpunks:

So let's remove HTTPS Everywhere as well since it makes connections to get ruleset updates

Complete BS. Tor Bundled add-on does not make connection at all. uBO is not.

Please be more respectful and always double check things ;~) https://www.eff.org/deeplinks/2018/04/https-everywhere-introduces-new-feature-continual-ruleset-updates

There are valid reasons to be against uBO in the Tor Browser

You wrote your answer already

Yes, but it needs an official response from a consensus of TB devs and a followup ticket (for the proposed Firefox Disconnect list alternative).

Please don't vandalize tickets as well.

comment:53 Changed 5 months ago by cypherpunks

Resolution: wontfix
Status: reopenedclosed

Please don't vandalize tickets as well.

comment:54 Changed 5 months ago by gk

Resolution: wontfix
Status: closedreopened

Instead of doing this opening and closing dance which is quite annoying, someone could try to actually analyze the proposed privacy, security, and performance gains adding $extension to Tor Browser, especially compared to the privacy, security, etc. means Tor Browser *already* offers. Please, include the downsides of adding $extension to the browser as well (our design document might help).

Regarding Tails including an adblocker, you might want to re-read

https://mailman.boum.org/pipermail/tails-dev/2014-October/007266.html f.
https://mailman.boum.org/pipermail/tails-dev/2015-January/007821.html ff.
https://mailman.boum.org/pipermail/tails-dev/2015-February/008003.html f.
https://mailman.boum.org/pipermail/tails-dev/2015-February/008007.html
https://mailman.boum.org/pipermail/tails-dev/2015-April/008560.html f.

Do make this clear here: there are no short- or medium-term plans to include an adblocker in Tor Browser.

comment:55 Changed 5 months ago by cypherpunks

Don't. Just don't include addon to tor browser.
The browser should focus on itself.

Firefox comes with zero pre-installed addons.
I don't want another junk added into TB.

download page clearly states do not install addons.

comment:56 Changed 5 months ago by cypherpunks

Summary: Add uBlock Origin to the Tor BrowserAdd adblocker to the Tor Browser

Why "uBlock Origin" only?

comment:57 in reply to:  56 Changed 5 months ago by cypherpunks

Summary: Add adblocker to the Tor BrowserAdd uBlock Origin to the Tor Browser

Replying to cypherpunks:

Why "uBlock Origin" only?

Cause it's the best in its job right now. Adblock+ that you're lobbying for is a sellout: https://medium.com/@trybravery/please-stop-using-adblock-but-not-why-you-think-13280e76c8e7

Replying to cypherpunks:

Don't. Just don't include addon to tor browser.
The browser should focus on itself.

Firefox comes with zero pre-installed addons.
I don't want another junk added into TB.

"Yeah let's remove HTTPS Everywhere, NoScript, TORlauncher and TORbutton TOR browser should focus on itself screw the users!!1!"

Replying to gk:

Instead of doing this opening and closing dance which is quite annoying, someone could try to actually analyze the proposed privacy, security, and performance gains adding $extension to Tor Browser, especially compared to the privacy, security, etc. means Tor Browser *already* offers. Please, include the downsides of adding $extension to the browser as well (our design document might help).

Yeah, we're waiting until you officially include those criteria for 3rd party addons in the Tor Browser design doc for us to structure all the details :) (Note that the bulk is already present in these comments, though I lean into the "don't add uBlockO but use Disconnect default blocklist" side)

comment:58 Changed 5 months ago by LabraTor

@cypherpunks

Regarding the FF-inbuilt solution with the disconnect lists, I don't see a problem if a website blocks ad-/tracking-blocking. TBB users then can either avoid the website or use a workaround such as archiving the website and then view the archived version. Obviously, a temporary white-listing of anti-adblocking websites until a reset would be an option too but temporarily reduce anonymity.

You're right about strictly resetting any uBo modifications, if possible at all. This is after all how it is done with Tails. I consider it advantageous to merge the TBB and Tails anonymity groups and therefore favor the uBo approach.

comment:59 Changed 7 weeks ago by cypherpunks3

"... we will start blocking slow-loading trackers by default in Firefox 63." ;)

https://blog.mozilla.org/futurereleases/2018/08/30/changing-our-approach-to-anti-tracking/

comment:60 Changed 5 weeks ago by traumschule

If it is added but disabled by default it would not harm "normal" users and made it easy for all who happen to want it. There should be a big warning "With this plugin you endanger your anonymity. You should only use it to increase browsing performance by blocking trackers and ads." with a link to an article about fingerprinting (that probably needs to be written first).

comment:61 in reply to:  35 ; Changed 12 days ago by gorhill

Replying to cypherpunks:

Both NEVER connect to internet to download "subscription" files.

Not taking a position, I just want to be sure that technical details are accurate.

It's possible to completely disable auto-updating in uBO, it's one checkbox -- all the files needed by uBO at install time are part of the package and loaded from there at launch time (except for region-specific lists). When auto-update is disabled, uBO never ever connects to remote servers without explicit user intervention.

In any case, if *ever* there was a list of specific requirements, I will be willing to do the work for uBO to meet these requirements.

comment:62 in reply to:  61 Changed 12 days ago by arthuredelstein

Replying to gorhill:

In any case, if *ever* there was a list of specific requirements, I will be willing to do the work for uBO to meet these requirements.

Thank you, gorhill, that is much appreciated. We are still discussing the pros and cons of including an adblocker extension in Tor Browser by default.

comment:63 Changed 12 days ago by arthuredelstein

Just for the record, one idea we discussed in our recent Tor meeting would be to introduce an adblocker that is off by default. Then a single toggle switch would be available to activate the adblocker globally. This would result in splitting the anonymity set in two (one bit of fingerprinting, on average).

Also regarding fingerprinting: I think we would want also to minimize the available controls to users to make sure that they can't (easily) add or remove blocklists or apply other global custom settings that will make them fingerprintable. I do think it would be acceptable to include an "allow ads on this site" button *if* the unblocking mechanism is first-party-isolated.

comment:64 in reply to:  63 Changed 12 days ago by cypherpunks3

Replying to arthuredelstein:

Just for the record, one idea we discussed in our recent Tor meeting would be to introduce an adblocker that is off by default. Then a single toggle switch would be available to activate the adblocker globally. This would result in splitting the anonymity set in two (one bit of fingerprinting, on average).

Ok, so what will you do with the by default (in 63 and higher) enabled Mozilla's built-in Tracker Blockers (they misleadingly call it "Tracking 'Protection' ")?

comment:65 Changed 6 days ago by gapegas7uftp

I agree to add ublock origin to tor browser. Nowadays I always install it after, and it take time to install and make update. Probably other tor browser users too.

Maybe good to leave it off by default, like https everywhere does not block non-https by default, but it is easy to turn on block non-https.

TAILS already did the work on this, so can just use that work, so not much extra work?

If philosophy is no ad blocker in tor browser, but there is blocker off by default, the philosophy seems ok.

Note: See TracTickets for help on using tickets.