This is the uBlock Origin edition based on the much-maligned WebExtensions Manifest V3, which implements blocking declaratively instead of allowing/requiring live request interception.
Firefox—my daily driver—still supports the "main" uBlock Origin (and I'm a somewhat heavy user of features unavailable in Lite like custom filters), but I had been waiting for Lite to be available and immediately went ahead and replaced uBlock Origin with uBlock Origin Lite.
The security win can't be understated: with its permission-less design (enabled by MV3) I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions. Sure, attackers could still get into Mozilla, Apple (as I run macOS), or cause a backdoored update to be pushed via Homebrew (how I install unsandboxed applications when no web app is available, which thanks to the likes of WebUSB is getting less common), but unsandboxed browser extensions were clearly the lowest hanging fruit, so this update (and MV3) significantly raised my security posture (and transitively that of projects I have access to, and that of their users).
>I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions.
It's my understanding that because uBlock Origin is a "recommended extension", it must undergo a formal code review each time a new update is published. A malicious update would not face zero obstacles.
Actually every extension on AMO must go through manual inspection to push as auto update. You may push new version to market without manual inspection. But it won't auto update to users' computers until then.
So human review really isn't the real difference on firefox's side. Because it is required since day one
I'm pretty sure that once you factor in the security reduction from ad blocking being less effective, switching from uBO to uBOL is actually a net worsening of security posture.
In what way does ad blocking improve your security? It significantly improves your user experience and slightly improves privacy, but it doesn't have anything to do with security, unless you click on random "download" links, which I assume people on HN don't do
You could just disable automatic updates on extensions. uBlock origin is a featured extension, so it's already audited.
MV3 is safer, but so is running no adblocker at all. There is a tradeoff. I get much more ads on Safari+AdGuard (iPhone) which uses MV3 or some similar declarative approach, than on Firefox+uBlock-Origin where I get basically none.
I still prefer to trust one extension like uBlock Origin, just like I trust other software packages on my system, and to really fend off all the web tracking nonsense.
It seems like this issue could also be sidestepped by simply not silently pulling updates, especially in the case of something like browser extensions where the extension is sandboxed (so the potential negative impact of not immediately getting out a "critical security update" is bounded) but the developer is not fully trusted. Have we normalised micromanagement of the user by software vendors so far that this is no longer a default that anyone would consider?
a regular user would not have the capability to audit an update. A power user, with entirely too much time on their hands, could of course, but one should not be designing systems based on such niche scenarios.
For me this security scenario isn't relevant at all. It reminds me of the dysfunctional situation on mobile OS. Sure, theoretically a plugin could get compromised and an update would be malicious. That is true for any software I run on my machine.
But it also comes with costs. The browser is less customizable and further locked down. That reduces possibilities without netting advantages for me. Overall this is security FUD in my opinion. And the negatives can be observed in mobile OS.
> I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions
Yeah, but is this really a risk for anyone who isn't the sort to have installed Bonzi Buddy back in the day?
That attack surface, compared to that of brew, npm, pip, gem, etc., is miniscule. And browser plugins don't yank in obscure dependencies at install time.
I only run uBlock, and I suspect I'm in the majority here, and my choice of browser is predicated on the availability of a non-crippled ad blocker, because malicious ads are the primary threat.
The issue with v3 is when it's the only solution.
Which is not the case here :
> However, uBOL allows you to explicitly grant extended permissions on specific sites of your choice so that it can better filter on those sites using cosmetic filtering and scriptlet injections.
Which I would expect allow it to work as well as uBO.
> Which I would expect allow it to work as well as uBO.
Note that there are still some adblocker workarounds that will foil MV3, such as CNAMEs. uBO will always be more effective than MV3, unless some substantial improvements are made to MV3.
No, it won't work as well as uBO. Many features from uBO are missing in uBOL even in full mode, more prone to anti-adblock/ads-reinsertion (problems with `redirect-rule` and unable to fast updates) and ads/trackers/popups can slip through if cannot be caught by regex filters.
> The security win can't be understated: with its permission-less design (enabled by MV3) I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions.
Can you or someone else elaborate way it would be more secure? I dont quite follow or see the benefit.
Look at the security on mobile OS. It is perfectly secure for Apple and Google. But seriously, the benefit is theoretical and only with the assumption that you believe Apple and Google to treat your data better than a third party. Brave assumption in my opinion.
I don't like the goal of giving less power to extensions. Extensions have traditionally generated independent innovation, when they're allowed to. They're an escape hatch.
How is the FDE story on macOS? Isn't it closed source - how can you tolerate that as a cryptographer? (Not saying Linux is perfect, cryptsetup doesn't have a secure AEAD mode)
An AEAD mode on a physical disk doesn't make a lot of sense. You are mapping disk blocks to disk blocks (in the case of cryptsetup, literally via devicemapper) and so you have two choices: a) alter the sector size to something weird so you can fit in tags per sector, likely breaking a lot of code that can't cope with this or b) just use XTS and accept that you can't have AEAD.
It isn't like the average hard disk permits padding oracles and chosen plaintext/ciphertext attacks to be mounted easily, except of course if you are storing disk images in the cloud, but then you're using the wrong tool anyhow - do crypto at the file level where you aren't constrained by sector sizes.
Firefox's implementation of MV3 allows both async permission-less blocking (declarativeNetRequest API) and permissioned synchronous blocking (webRequest API). uBO Lite uses the former to provide an ad-blocker without read/write permissions.
You can still write a unsandboxed extension with MV3 (and in Firefox it will still be able to intercept requests, while in Chrome it will not be on the network hot path) but the point is that you can also write a permission-less ad-blocker now, which is what I want.
You need the webRequest API (that uBO Full is using) from manifest v2 to be able to read the traffic. Without it, you can just block/allow based on rules.
Chrome is deprecating it with v3, Firefox supposedly no.
If you sideload an extension, you can achieve your 0 third-party silent autoupdate goal without compromising on any functionality
(though this misfeature should be a per extension toggle at the browser level)
I considered that a few times, but eventually complex things like modern ad-blockers rot, so I would be forced to update every once in a while, and let's be honest: I am neither qualified nor prepared to audit the diff.
I guess deferring updates would give me lead time to let others get targeted / detect an issue before it's likely I would get the update. Still, installing the permission-less version is so much simpler and reassuring.
That only makes a difference if you’re auditing each extension update. Switching to extensions with per-site permissions reduces the attack surface drastically and you don’t have to worry about auditing or disabling updates.
So can you tell Firefox to only allow MV3 (or MV3+sandboxed, I guess) extensions then? Or have you manually audited your list of extensions?
I was sort of aware but your post clearly reminds me that Firefox extensions are probably my single biggest point of general vulnerability on my phone and computer, given how much is done in browser.
> attackers could still get into Mozilla, Apple (as I run macOS), or cause a backdoored update to be pushed via Homebrew [..] but unsandboxed browser extensions were clearly the lowest hanging fruit
This is a total non-sequitur. The source of all malicious browser extensions is Google, Apple and Mozilla, and none of them have demonstrated any willingness whatsoever to fix the problem, even when a mere grep across their distributed extension base can trivially identify all the various openly advertised trojan SDKs that cause millions of users to be tracked or have their internet connection reused for various shady proxy websites.
You have a different definition of "malicious" than the general public. In fact most of us on HN do. That shouldn't be dictating what browser vendors think of as malicious extensions. Consider an extension that tracks your browsing in exchange for giving you promo codes to get 5% off on some purchase. Plenty of users have considered this kind of trade off and decided that the 5% discount is worth the privacy impact. Most HNers would consider it malicious. But if browser vendors start to block these extensions we would sooner hear news reports of tech companies being overly paternalistic.
You are not speaking for all users and you know it.
One thing I've noticed is that for years uBlock used to say 7% of all data requests was blocked; in this past year it's climbed to 8%. So almost 10% of data transferred is useless to me as it consists of ads, trackers and annoyances.
I wonder in my lifetime how much bandwidth and energy I've saved if a blocker has blocked around 10% of all data requests.
It's far more than that. uBO is only counting the initial requests. Each of these would load up an entire ad ecosystem that sends follow-on requests and downloads resources. If you look at the total number of requests prevented it would doubtless be far higher.
Seems low. My pihole (and I’m not trying to compare products just mentioning what I use) routinely blocks about 25% and we don’t tend to go to any shady sites.
One interesting thing I noticed while trying to port little-rat to FF, using the same declarativeNetRequest API as uBOL last week:
In Chrom*, extensions can intercept calls from other extensions, while in Firefox, they can't. If anyone happens to have any insight, please let me know.
EDIT: removed links as I'm being downvoted, not trying to promote, just would love to make it work in FF.
It uses browser provided APIs for filtering, instead of running script injection on every page. This improves security, and performance at the cost of some capability. The reduction in capability comes from the inability to do all kinds of cosmetic filtering, but it lets you enable this on a per site basis.
Check the details on the extension page for more information.
Actually as a volunteer for the project, I personally consider the lack of regex filters, `redirect-rule` and unable to fast updates are more severe than "hiding elements" ability.
Safari still has a limited implementation of Manifest v3, so that might affect the timeline. E.g. declarativeNetRequest API, which all adblockers use heavily, is missing very important functionality like redirects.
If this extension doesn't use the missing features then porting is as simple as running a single command to generate an Xcode project and then building the extension executable.
Safari already has a long list of content blockers which blocks ads by supplying a list of urls to the browser. I use Ka Block! for iOS and it works well enough.
I tried it and after a short time I came across websites that locked me out and told me to disable my adblocker. Even at the highest block level it doesn't change anything. With the normal uBlock Origin version, most sites just work and don't even show the anti adblock notice. An ad blocker that is not able to bypass the annoying anti adblock measures is useless garbage.
I was a Firefox user since Phoenix/Firebird and only recently switched to Brave for performance (although I think I'm going back, given the recent performance gains).
I have also been using uBlock Origin heavily since the start.
I'm not sure I fully understand the purpose of this. If this is a Manifest V3 thing, I thought Mozilla wasn't adopting it ... so why would uBlock need to adopt it on Firefox?
Firefox is also moving to Manifest V3, but a more "relaxed" version that still allows a lot of what is being removed in Chrome.
What seems to have happened here, is that uBO decided that, since they now have a declarative version for Chrome, they may as well release it for FF also (but with a few improvements, apparently).
I think it's a smart move on FF's part (a more relaxed V3). If Chrome goes too heavy-handed with anti-adblockers in V3, people might leave Chrome. Yes, they might leave Chrome for a different Chromium browser, but if they get too heavy-handed there, Firefox and its forks are the last large alternative left.
Wouldn't it be more ethical to not visit ad supported websites in the first place? Instead of removing the source of their income while still consuming their content?
Someone should make an extension "SiteBlock Origin": Everytime it detects the presence of an ad, the whole website gets blocked, not just the ad. That would be ethically consistent.
The ethical principles written clearly by World Wide Web Consortium are for users, NOT for websites:
> 2.12 People should be able to render web content as they want
> People must be able to change web pages according to their needs. For example, people should be able to install style sheets, assistive browser extensions, and blockers of unwanted content or scripts or auto-played videos. We will build features and write specifications that respect peoples' agency, and will create user agents to represent those preferences on the web user's behalf.
I ran without an adblocker for a long time with a similar sort of reasoning. What got me to finally install an adblocker is an increase in malvertising. Going to legitimate sites with third party ads resulted in drive by downloads, fake update warnings, fake AV warnings, attempts to get you to install shady extensions, etc. I disable the adblocker for websites that use better ad sourcing methods.
I think this is a key to the argument for ad-block. If it was literally just banner ads without tracking, sure, go right ahead. Modern web advertising is so much more than that (aggressive tracking, data collection without consent, or worse).
I miss getting those banner ads for decreasing my mortgage rates as a 14 year old who doesn't even pay rent yet
Unfortunately “better ad sourcing methods” require a lot of human capital to support (direct-sold ads, constant monitoring of inventory, being able to afford higher bid floors, etc.) or ultimately access to better advertisers by having a large amount of traffic.
All of these are features of larger publishers, unfortunately, which means that smaller publishers suffer more malvertising. So you’re basically just supporting large publishers. Which is definitely better than supporting none, so I still commend you :)
> Wouldn't it be more ethical to not visit ad supported websites in the first place? Instead of removing the source of their income while still consuming their content?
That's fundamentally not how the web works. If you want me to pay for content, you need to get me to agree to pay for content. Just requesting a page, which I have no way beforehand of knowing contains ads, is not me agreeing to pay for the content. If you didn't want me to view the content without paying for it, why did you send me the content?
This is morally equivalent to the fake monk scam[1] in NYC where a fake Buddhist monk gives you a prayer bracelet and then demands that you pay them for it. You don't get to give people things and then demand that they pay for it when that was never agreed upon. Even if the payment is with their attention.
This is all setting aside the ethical blight that advertising, by its very nature, poses in the first place. Advertising is just lying--either literally, or by omission through presenting a one-sided view of products. There is never a case where advertising is ethical.
Note that the NYT has mostly stopped serving up content to people who haven't agreed to pay for it, and they're doing quite well financially lately.
I don't think it is that unpopular of a take. Generally speaking, Ads and subscriptions pay for the website.
The issue I personally have is:
1) When the Ads themselves contain malware.
2) Eat up all your bandwidth/mobile data.
2.1) Have auto-playing videos / popups.
1) is somewhat rare. But it is something that has happened multiple times with major websites and services.
If I remember correctly, the Washington Post and Yahoo have previously had this issue. Google's Advertisement platform has repeatedly allowed malware to spread via their advertisement system. (Both on Mobile devices, and desktop devices, but usually more focused on mobile devices.)
2) is something I have to deal with everyday on the phone. When on a train filled to the brim, a lot of times the connection speed drops precipitously. In short, I don't have bandwidth to spend on an Ad, especially a video Ad. So I block them all, and usually try not to browse any image or video heavy sites.
- I ask for a resource
- you give it to me
- any linked resources (stylesheets, scripts, images etc) are up to me to request
Therefore there is no "ethical" conundrum in blocking ads. The ad industry brought this on themselves by trying to push malware, spam and actively trying to make the web worse.
Agreed. Advert blocking wasn’t a necessity until adverts became intrusive, tracking and targeting became pervasive, and every site flooded with cookie banners.
I remember when AdWords was just a humble bar of contextual text links, absolutely manageable. Not so much the case now.
It’s an arms race. The utopian hyper-civilized ethics are replaced when your adversary are doing everything possible to turn you into a product. Tracking, fingerprinting, creating shadow profiles for you, etc etc, etc without any meaningful consent.
If the adversaries followed idealized ethics, they would respect DNT header, for one.
That said, actively avoiding those actors who are unethical is commendable. It’s just very difficult to do in practice, since basic communication with eg neighbors, parents, friends are mainly through these channels.
This is an interesting argument. I own my computer and network, should I not be allowed to control what content is or is not allowed in my network? I guess the corollary that would follow from MY argument is that they should be permitted to block me from accessing their site if they see I'm not permitting ads
Exactly, users are the ones who should allow and block what contents to be served to their devices, NOT the websites.
> 2.12 People should be able to render web content as they want
> People must be able to change web pages according to their needs. For example, people should be able to install style sheets, assistive browser extensions, and blockers of unwanted content or scripts or auto-played videos. We will build features and write specifications that respect peoples' agency, and will create user agents to represent those preferences on the web user's behalf.
>I guess the corollary that would follow from MY argument is that they should be permitted to block me from accessing their site if they see I'm not permitting ads
That's pretty much what Medium and many general news sites are doing. I haven't paid for one yet, but I can respect the move if it means they don't need to rely on clickbait to build a customer base.
People don’t block ads because they want to deprive websites of income. They block ads because they have been driven to it, by the ads themselves.
This could be avoided if websites served ads responsibly: no JS, no animations, no video, no audio, no tracking, no scam merchants, no tricks, no manipulation, no unskippable ads, no dishonesty.
Almost no websites do this, so I have no ethical qualms giving of the ads the banhammer.
Once websites start respecting their users, then we can have this conversation about ethics, but not a second before.
Why some sites are blocked from net due to having just a link to a «bad» website, while many other sites and ad networks receive zero punishes for their active attempts to scam victims or harm victim computers?
Fair point and I do pay for ad free browsing in a few sites. But consider
1. sites that don't have any other model. e.g. my favorite game news website is Gematsu, but holy heck is the ads crazy intrusive. On mobile we are talking full screen video ads that have a tiny X to remove... for maybe 1 minute. I've expressed interest multiple times to donate or otherwise do something to directly fund the site but nothing has come up. And even if I did move on to make a point, this model isn't something that has spread to many, if any, modern gaming news site (and I've long since left Reddit, a topic in and of itself). Do I just give up on gaming news and let clickbait Youtubers inform me instead of written articles?
2. Exploratory purposes. I'm not going to know which and what websites do or do not have ad support, and most of my browsing when searching is very casual. I wouldn't feel too compelled to neither turn off my ad block nor pay a sub for some place I googled up once 3 months ago for a quick answer. I don't quite have an answer for this one.
3. ublock isn't simply blocking ads. trackers, certain cookies, overly large media elements, java script, remote fonts, even individual pieces of HTML elements you specify in a CSS manner. It's so much more powerful and privacy-oriented than a simple ad blocker. If it closed off any site with any of these issues there simply wouldn't be an interet to browse.
It's a compromise at the end of the day, and I can only look out for myself at some point. I'm not necessarily trying to teach websites a lesson per se.
I don't think it's quite the same because ads don't care if you are "focusing on the ad". Well, they kinda do, but not by any useful metric (idling on a computer =/= engaging with the ad).
It's more equivalent to changing the channel during a commercial, which seems to be what the GP is implying as an action.
I'd use that. As it is, I often back out from sites that ask me to disable my adblocker, and often do the same when the cookie-choice pop-up is present; it's a helpful check on how I'm spending my time. I'm absolutely spoiled for choice there, and as with a meal of mostly minimally-processed plants, I feel best after reading a book.
Which is not to say I never eat/read the snack/article that is quickly but momentarily diverting.
As my hair grays I have reached the determination that for-profit advertising itself is systematically unethical. Maybe it was ethical many, many decades ago; here today any moral values it once had are long gone.
To that end any mechanism that reduces the presence and effect of advertising is a moral imperative.
The web is, in theory, an open venue, and somebody publishing on the web is not unlike somebody performing in the street. It is not your duty, as the consumer, to ensure the producer’s income—particularly not at the expense of your privacy. The producer has something to say, and you the consumer are willing to hear it: that may just as well be the extent of your relationship. How, or even whether, the producer monetizes this state of affairs is not the consumer’s responsibility, though some consumers (who can) may choose to patronize the producer.
If the site offers an ad-free paid subscription model, that's reasonable. I mean, it'd be much better just to redirect to the sign-up page. However, if the site is so user hostile that they think bombarding users with invasive ads is the only way to monetise, well that's on them.
Even better: if it offers a way to pay a few cents to read _this one article_. I don't want to subscribe to hundreds of websites for reading a single article every so often.
I don't care about the ethics here because the ad companies, the parasites they are, don't give a shit about ethics. They track every single possible thing there is to track about a person and sell that information to anyone with a couple of bucks to spend.
Funnily enough, of all websites out there one of the best is still 4chan when it comes to ads. They have 2 banners, one at the top of the page, one at the very bottom of the page. These are static banners, at most a gif, with no tracking pixels or fingerprinting capabilities or any other similar form of horrid, unethical behavior. No embedded ads masquerading as regular content, nothing that blocks interaction on the page, just simple banners that target the site's particular niche like anime or cheap junk from Japan.
But as long as websites aren't using this model of ads and are instead opting for something disgusting like https://fingerprint.com then you won't see an iota of sympathy or care for "ethical" behavior from me.
Not visiting cost them nothing. No serve, no cost.
Viewing the ad made them money.
Visiting and not viewing the ad lost them money. They paid for the server but made no money.
Only one of these three options is painful enough for them to get the point. It’s harsh i know, writers need to eat, but they need to understand I won’t “pay” them with my eyeballs unless the site is usable in return at a bare minimum.
IMO showing advertising itself is unethical and there’s no right to force anyone to see an advertisement, no matter how much some companies would like there to be.
Any content you make available publicly is fair game to be remixed, reformatted, summarised, and yes, ad-blocked.
It’s not the user’s job to make someone’s business model work.
Advertising is unethical. If you publicly provide data I have no ethical contract to be forced to use that data in a certain way. If you want to force ads then use a different delivery mechanism and at that point I will gladly entirely avoid it
> Wouldn't it be more ethical to not visit ad supported websites in the first place?
There is a negative feedback loop where most third party content is only published on the most popular sites, so it becomes impossible to entirely avoid these sites even if the companies behind them are cancer.
> That would be ethically consistent.
Don't drag ethics into a mud fight with billion dollar companies. I lived through ads that faked download buttons, faked virus alerts, provided links to fake "official" download sites with malware or directly tried to infect your computer. The only ethical thing you can do with the ad industry is rob those rotten sociopaths blind.
no, the web wasn't intended to be such a commercial hellscape. if you want to make money ethically you should come up with your own way to reach people.
Readit News
Firefox—my daily driver—still supports the "main" uBlock Origin (and I'm a somewhat heavy user of features unavailable in Lite like custom filters), but I had been waiting for Lite to be available and immediately went ahead and replaced uBlock Origin with uBlock Origin Lite.
The security win can't be understated: with its permission-less design (enabled by MV3) I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions. Sure, attackers could still get into Mozilla, Apple (as I run macOS), or cause a backdoored update to be pushed via Homebrew (how I install unsandboxed applications when no web app is available, which thanks to the likes of WebUSB is getting less common), but unsandboxed browser extensions were clearly the lowest hanging fruit, so this update (and MV3) significantly raised my security posture (and transitively that of projects I have access to, and that of their users).
It's my understanding that because uBlock Origin is a "recommended extension", it must undergo a formal code review each time a new update is published. A malicious update would not face zero obstacles.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
You can just decide for each case the tradeoff between advanced blocking and security.
So human review really isn't the real difference on firefox's side. Because it is required since day one
MV3 is safer, but so is running no adblocker at all. There is a tradeoff. I get much more ads on Safari+AdGuard (iPhone) which uses MV3 or some similar declarative approach, than on Firefox+uBlock-Origin where I get basically none.
I still prefer to trust one extension like uBlock Origin, just like I trust other software packages on my system, and to really fend off all the web tracking nonsense.
a regular user would not have the capability to audit an update. A power user, with entirely too much time on their hands, could of course, but one should not be designing systems based on such niche scenarios.
But it also comes with costs. The browser is less customizable and further locked down. That reduces possibilities without netting advantages for me. Overall this is security FUD in my opinion. And the negatives can be observed in mobile OS.
Yeah, but is this really a risk for anyone who isn't the sort to have installed Bonzi Buddy back in the day?
That attack surface, compared to that of brew, npm, pip, gem, etc., is miniscule. And browser plugins don't yank in obscure dependencies at install time.
I only run uBlock, and I suspect I'm in the majority here, and my choice of browser is predicated on the availability of a non-crippled ad blocker, because malicious ads are the primary threat.
(as noted by fsckboy): uBlock was the original name for the add-on that subsequently was ethically compromised/"sold out to" advertisers
uBlock Origin is the 2nd version written by the original author (gorhill) and is not compromised.
> However, uBOL allows you to explicitly grant extended permissions on specific sites of your choice so that it can better filter on those sites using cosmetic filtering and scriptlet injections.
Which I would expect allow it to work as well as uBO.
Note that there are still some adblocker workarounds that will foil MV3, such as CNAMEs. uBO will always be more effective than MV3, unless some substantial improvements are made to MV3.
Can you or someone else elaborate way it would be more secure? I dont quite follow or see the benefit.
Why would you even have autoupdates in the first place if that is your threat model?
How is the FDE story on macOS? Isn't it closed source - how can you tolerate that as a cryptographer? (Not saying Linux is perfect, cryptsetup doesn't have a secure AEAD mode)
It isn't like the average hard disk permits padding oracles and chosen plaintext/ciphertext attacks to be mounted easily, except of course if you are storing disk images in the cloud, but then you're using the wrong tool anyhow - do crypto at the file level where you aren't constrained by sector sizes.
You can still write a unsandboxed extension with MV3 (and in Firefox it will still be able to intercept requests, while in Chrome it will not be on the network hot path) but the point is that you can also write a permission-less ad-blocker now, which is what I want.
Chrome is deprecating it with v3, Firefox supposedly no.
Deleted Comment
I guess deferring updates would give me lead time to let others get targeted / detect an issue before it's likely I would get the update. Still, installing the permission-less version is so much simpler and reassuring.
I was sort of aware but your post clearly reminds me that Firefox extensions are probably my single biggest point of general vulnerability on my phone and computer, given how much is done in browser.
Appreciate your original thoughts either way.
Dead Comment
Dead Comment
Deleted Comment
Good on you nonetheless to check one less, but the one still open is much larger, so the fight goes on.
This is a total non-sequitur. The source of all malicious browser extensions is Google, Apple and Mozilla, and none of them have demonstrated any willingness whatsoever to fix the problem, even when a mere grep across their distributed extension base can trivially identify all the various openly advertised trojan SDKs that cause millions of users to be tracked or have their internet connection reused for various shady proxy websites.
You are not speaking for all users and you know it.
I wonder in my lifetime how much bandwidth and energy I've saved if a blocker has blocked around 10% of all data requests.
I'll stick with the full version on Firefox.
Dead Comment
In Chrom*, extensions can intercept calls from other extensions, while in Firefox, they can't. If anyone happens to have any insight, please let me know.
EDIT: removed links as I'm being downvoted, not trying to promote, just would love to make it work in FF.
Check the details on the extension page for more information.
Oh, that's too bad. The cosmetic filtering is incredible. I wonder how much I would be impacted by switching to Lite. Guess I'll try one day.
Anecdotally, I find that blocking ads and associated garbage massively improves page loading, and FF performs fine even with hundreds of tabs open
> reduction in performance
huh?
Also, since it uses manifest v3, how slim are the chances it’ll be ported to safari?
If this extension doesn't use the missing features then porting is as simple as running a single command to generate an Xcode project and then building the extension executable.
I have also been using uBlock Origin heavily since the start.
I'm not sure I fully understand the purpose of this. If this is a Manifest V3 thing, I thought Mozilla wasn't adopting it ... so why would uBlock need to adopt it on Firefox?
I'm clearly missing something.
What seems to have happened here, is that uBO decided that, since they now have a declarative version for Chrome, they may as well release it for FF also (but with a few improvements, apparently).
Wouldn't it be more ethical to not visit ad supported websites in the first place? Instead of removing the source of their income while still consuming their content?
Someone should make an extension "SiteBlock Origin": Everytime it detects the presence of an ad, the whole website gets blocked, not just the ad. That would be ethically consistent.
The ethical principles written clearly by World Wide Web Consortium are for users, NOT for websites:
> 2.12 People should be able to render web content as they want
> People must be able to change web pages according to their needs. For example, people should be able to install style sheets, assistive browser extensions, and blockers of unwanted content or scripts or auto-played videos. We will build features and write specifications that respect peoples' agency, and will create user agents to represent those preferences on the web user's behalf.
https://www.w3.org/TR/ethical-web-principles/#render
---
> Everytime it detects the presence of an ad, the whole website gets blocked, not just the ad. That would be ethically consistent.
By the time the extension knows if there's ads or nots, the trackers/fingerprinting connections are already loaded to users' machines.
Written in literature, it sounds awesome. In practice with real programming, it's awful.
Ex. https://support.mozilla.org/en-US/kb/i-found-fake-firefox-up...
I miss getting those banner ads for decreasing my mortgage rates as a 14 year old who doesn't even pay rent yet
All of these are features of larger publishers, unfortunately, which means that smaller publishers suffer more malvertising. So you’re basically just supporting large publishers. Which is definitely better than supporting none, so I still commend you :)
That's fundamentally not how the web works. If you want me to pay for content, you need to get me to agree to pay for content. Just requesting a page, which I have no way beforehand of knowing contains ads, is not me agreeing to pay for the content. If you didn't want me to view the content without paying for it, why did you send me the content?
This is morally equivalent to the fake monk scam[1] in NYC where a fake Buddhist monk gives you a prayer bracelet and then demands that you pay them for it. You don't get to give people things and then demand that they pay for it when that was never agreed upon. Even if the payment is with their attention.
This is all setting aside the ethical blight that advertising, by its very nature, poses in the first place. Advertising is just lying--either literally, or by omission through presenting a one-sided view of products. There is never a case where advertising is ethical.
Note that the NYT has mostly stopped serving up content to people who haven't agreed to pay for it, and they're doing quite well financially lately.
[1] https://tricycle.org/article/monk-scam/
The issue I personally have is:
1) When the Ads themselves contain malware.
2) Eat up all your bandwidth/mobile data.
2.1) Have auto-playing videos / popups.
1) is somewhat rare. But it is something that has happened multiple times with major websites and services.
If I remember correctly, the Washington Post and Yahoo have previously had this issue. Google's Advertisement platform has repeatedly allowed malware to spread via their advertisement system. (Both on Mobile devices, and desktop devices, but usually more focused on mobile devices.)
2) is something I have to deal with everyday on the phone. When on a train filled to the brim, a lot of times the connection speed drops precipitously. In short, I don't have bandwidth to spend on an Ad, especially a video Ad. So I block them all, and usually try not to browse any image or video heavy sites.
2.1) is really just a quality of life thing.
- I ask for a resource - you give it to me - any linked resources (stylesheets, scripts, images etc) are up to me to request
Therefore there is no "ethical" conundrum in blocking ads. The ad industry brought this on themselves by trying to push malware, spam and actively trying to make the web worse.
I remember when AdWords was just a humble bar of contextual text links, absolutely manageable. Not so much the case now.
If the adversaries followed idealized ethics, they would respect DNT header, for one.
That said, actively avoiding those actors who are unethical is commendable. It’s just very difficult to do in practice, since basic communication with eg neighbors, parents, friends are mainly through these channels.
> 2.12 People should be able to render web content as they want
> People must be able to change web pages according to their needs. For example, people should be able to install style sheets, assistive browser extensions, and blockers of unwanted content or scripts or auto-played videos. We will build features and write specifications that respect peoples' agency, and will create user agents to represent those preferences on the web user's behalf.
https://www.w3.org/TR/ethical-web-principles/#render
Don't fall for what ads companies/corporations are trying to shape users' thoughts.
That's pretty much what Medium and many general news sites are doing. I haven't paid for one yet, but I can respect the move if it means they don't need to rely on clickbait to build a customer base.
This could be avoided if websites served ads responsibly: no JS, no animations, no video, no audio, no tracking, no scam merchants, no tricks, no manipulation, no unskippable ads, no dishonesty.
Almost no websites do this, so I have no ethical qualms giving of the ads the banhammer.
Once websites start respecting their users, then we can have this conversation about ethics, but not a second before.
1. sites that don't have any other model. e.g. my favorite game news website is Gematsu, but holy heck is the ads crazy intrusive. On mobile we are talking full screen video ads that have a tiny X to remove... for maybe 1 minute. I've expressed interest multiple times to donate or otherwise do something to directly fund the site but nothing has come up. And even if I did move on to make a point, this model isn't something that has spread to many, if any, modern gaming news site (and I've long since left Reddit, a topic in and of itself). Do I just give up on gaming news and let clickbait Youtubers inform me instead of written articles?
2. Exploratory purposes. I'm not going to know which and what websites do or do not have ad support, and most of my browsing when searching is very casual. I wouldn't feel too compelled to neither turn off my ad block nor pay a sub for some place I googled up once 3 months ago for a quick answer. I don't quite have an answer for this one.
3. ublock isn't simply blocking ads. trackers, certain cookies, overly large media elements, java script, remote fonts, even individual pieces of HTML elements you specify in a CSS manner. It's so much more powerful and privacy-oriented than a simple ad blocker. If it closed off any site with any of these issues there simply wouldn't be an interet to browse.
It's a compromise at the end of the day, and I can only look out for myself at some point. I'm not necessarily trying to teach websites a lesson per se.
That's actually not true. It's just that it's much harder to find that internet, because search engines are controlled by advertisers.
It's more equivalent to changing the channel during a commercial, which seems to be what the GP is implying as an action.
To that end any mechanism that reduces the presence and effect of advertising is a moral imperative.
Very interesting. Can you please expand a bit more on why do you think this is the case?
Funnily enough, of all websites out there one of the best is still 4chan when it comes to ads. They have 2 banners, one at the top of the page, one at the very bottom of the page. These are static banners, at most a gif, with no tracking pixels or fingerprinting capabilities or any other similar form of horrid, unethical behavior. No embedded ads masquerading as regular content, nothing that blocks interaction on the page, just simple banners that target the site's particular niche like anime or cheap junk from Japan.
But as long as websites aren't using this model of ads and are instead opting for something disgusting like https://fingerprint.com then you won't see an iota of sympathy or care for "ethical" behavior from me.
Viewing the ad made them money.
Visiting and not viewing the ad lost them money. They paid for the server but made no money.
Only one of these three options is painful enough for them to get the point. It’s harsh i know, writers need to eat, but they need to understand I won’t “pay” them with my eyeballs unless the site is usable in return at a bare minimum.
Any content you make available publicly is fair game to be remixed, reformatted, summarised, and yes, ad-blocked.
It’s not the user’s job to make someone’s business model work.
Deleted Comment
There is a negative feedback loop where most third party content is only published on the most popular sites, so it becomes impossible to entirely avoid these sites even if the companies behind them are cancer.
> That would be ethically consistent.
Don't drag ethics into a mud fight with billion dollar companies. I lived through ads that faked download buttons, faked virus alerts, provided links to fake "official" download sites with malware or directly tried to infect your computer. The only ethical thing you can do with the ad industry is rob those rotten sociopaths blind.
Deleted Comment
Reddit mastodon lemmy etc already sanitize websites I read, and often I just read the comments, not the article.
Often people quote important parts of the article in the comments.
Ad blockers is like an antibiotic, I use them but I also try to not expose myself to germs.
Deleted Comment
Oh well...