[HN Gopher] uBlock Origin supports filtering CNAME cloaking site...
___________________________________________________________________
uBlock Origin supports filtering CNAME cloaking sites on Firefox
now
Author : gslin
Score : 133 points
Date : 2024-10-07 20:52 UTC (2 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| RockRobotRock wrote:
| CNAME cloaking? Does this mean an ad site may use a randomly
| generated subdomain pointing to a wildcard record?
| ceejayoz wrote:
| Yes. Ads and analytics providers have started doing this to get
| around third-party cookie protections.
| 404mm wrote:
| This is such an intrusion of privacy. I wish I could just
| disable cookies entirely but the usability of many webpages
| just goes down. I should not be punished for not wanting 3rd
| party trackers.
| jrockway wrote:
| Before I get too alarmed someone would have to tell me how
| an adsite.com cookie is being sent to adsite.example.com.
| This workaround seems to let adsite.com profile me as well
| as example.com already can, but it loses the ability to
| correlate my activity across example2.com and example.com
| with a single cookie.
|
| (I guess ad providers have gotten good enough to not need
| cookies? Like they know my browser window size, installed
| fonts, GPU vendor and model, IP address, geolocation,
| header order, etc. so they don't even need cookies anymore
| to track my activity across the web? I suppose it was only
| a matter of time.)
| bongodongobob wrote:
| Browser profiling has been a thing for at least a decade
| if I'm not mistaken.
| jrockway wrote:
| Makes sense. "I am session abcdef12345" always seemed
| significantly guaranteed to me, but in a world with ad
| blockers and third-party cookie restrictions, using
| heuristics is the only way forward.
|
| It's somewhat scary how much information our browsers
| leak to unknown parties.
|
| (I don't really take sides on this. I use an ad blocker
| and am very anti-ad, but am impressed when ad companies
| come up with tech to thwart them. The cat-and-mouse game
| is entertaining to read about.)
| sidewndr46 wrote:
| I always find this development curious. About a decade ago I
| worked in this space. When someone brought up ad blockers I
| just said "put the analytics on our main domain. No one is
| going to block the entire website". The answer I got was "no
| one would ever do that because of the implications of serving
| advertising from your main domain". Yet, here we are.
| alerighi wrote:
| They use a third party domain just because that way they
| can track the user actions with cookies, for example Google
| can track your navigation across multiple websites, and
| thus propose to you more relevant ads. Also using a
| different domain was simpler and cheaper, since you don't
| have to host the AD content and metadata, just include the
| JS from the AD provider somewhere in your HTML.
|
| Now that thanks to EU laws and browser imposing
| restrictions about third-party cookies it's more difficult,
| the whole "serve ads from other domain" may not be that
| relevant anyway.
|
| If you use a random wildcard subdomain... just serve them
| from the main website, what is the difference? On the other
| side with a proxy just route the AD requests to another
| server if it needs to be, of course you have to find a way
| to distinguish which requests are for AD and which are not,
| something you can do with some sort of signature in the
| filename, so that only the server can know which requests
| shall be handled locally and which one forwarded to the AD
| provider server.
| bluGill wrote:
| Newspapers used to all serve their own ads including in
| house sales and design. Frankly with how key advertising is
| I don't understand why anyone would outsource it.
| 627467 wrote:
| This. Everyone and their grandma decided it's cool for
| Google and others to decide what should display on your
| website next to your content because of "magic online
| advertising".
|
| How much of the efficiency of online advertising comes
| from the actual "art" of tracking users and their
| preferences to display "personalized" ads vs the
| "efficiencies" from firing/outsourcing your marketing, ad
| sales and creative workforce.
| Groxx wrote:
| [delayed]
| hypeatei wrote:
| What are the implications?
| sidewndr46 wrote:
| It more or less boiled down to "we would be labeled an
| advertiser and not a destination for information on the
| internet". Like being an advertiser stopped people from
| using Google search or something
| debit-freak wrote:
| Presumably that adblockers (or rather their users) would
| object to blocking domains that folks might actually want
| to load content from. I can't imagine "domain" is the
| only signal one could use to identify ads, though. To
| truly befuddle them you'd make advertisements truly
| indistinguishable from content. This is not trivial.
| sidewndr46 wrote:
| Not entirely true. If you lower the quality of your
| content enough the advertisements are in fact
| indistinguishable. I often enjoy reading the "chumbox" at
| the bottom of the news article more than the reporting
| itself
| A4ET8a8uTh0 wrote:
| There is a part of me that, at a high level, appreciates the
| back and forth between the user and the ad industry. On a
| personal level, I am slowly getting to the point, where I am
| less.. uhh.. understanding.
|
| That said, the average person's conception of what is acceptable
| needs to change. I did briefly think that they need to suffer
| through more ad-infestation first, but I realized that the
| answer is more in line with what my wife seemed to have gone
| through. The low exposure to ads made her less willing to
| deal with them. This might be the way forward.
|
| It is hard for a person used to the existing ecosystem to even
| imagine there could be something better.
| nodja wrote:
| That's part of it.
|
| Normally when you visit contentsite.com which serves ads from
| adsite.com. Adblocker rules can just block adsite.com and the
| ads won't be shown. CNAME cloaking would have the main site
| have a subdomain like adsite.contentsite.com point to
| adsite.com, now the adblockers have the impossible task of
| blocking millions of subdomains that seemingly belong to legit
| sites, this also allows the legit sites to keep changing the
| subdomain since the adblocker will have no idea which
| subdomains serve legit content vs ads. As a bonus since the
| content is being served from the same domain, they can bypass
| certain cookie browser policies and track users even better.
|
| This update allows you to set rules so that you can filter by
| resolved ip.
| synergy20 wrote:
| This reminds me of domain fronting, which was a super smart way
| to get around ad and other site blockers, not sure if
| it's all 'fixed' now.
| vifon wrote:
| The title seems to be wrong, uBlock Origin supported it for many
| years at this point (only on Firefox). This seems to be a
| refactor of that code, not a whole new feature.
| wild_pointer wrote:
| Well, it does support it now. It supported it before, too :P
| itohihiyt wrote:
| uBlock Origin is what makes Firefox even greater and definitely
| one big reason I use Firefox over Chrome etc. It makes the
| Internet browsable.
| jajko wrote:
| I moved many years ago to this combo, and never saw a single
| reason to switch away. Same for android phone, the only usable
| mobile web experience I've seen. Those few sites over a decade
| that had some display issues had issues also under chrome.
|
| Plus I personally consider ads a cancer of modern society.
| White and not so white lies, manipulation... nothing
| respectable regardless (or because) of tremendous money
| circulating in it.
| beeflet wrote:
| I mean there are appropriate applications for advertising
| (like classifieds in a newspaper), but there is no reason why
| advertising should be so pervasive that it requires a massive
| surveillance apparatus like it does today. Advertisements are
| the reason why everyone switched from TV to Netflix, and
| that's back when cable TV was a paid service.
|
| secushare[0] makes the case that this is because the internet
| lacks a secure micropayments layer, so the funding model for
| everything has to be advertising-based instead of patronage-
| based. Paypal and the like are exploited as cash cows because
| of their centralized nature. Cryptocurrencies were later
| tried but have technical limitations that broadly prohibit
| this use case (even with payment channels/LN).
|
| [0] https://secushare.org/broken-internet
| jeanlucas wrote:
| It did not hit me yet, but I'm already rewriting my extensions for
| Firefox to switch if Chrome really axes uBO
| TheGlav wrote:
| It's not if. It's when. It has been 'when' since 2020. It is
| coming. It is not going to not come. It will be here in mere
| releases. Get ready.
| jeanlucas wrote:
| Yeah, hence why I started already migrating, slowly.
|
| I have a simple tab organizer extension and some greasemonkey
| scripts that should work perfectly fine on Firefox without
| any changes.
| c2h5oh wrote:
| It's already axed in canary release
| jeanlucas wrote:
| I'm still at the "This extension may soon no longer be
| supported" warning
| godzillabrennus wrote:
| I am switching family over to Brave. They don't even notice the
| difference and I'm more confident the browser will continue to
| support user centric content filtering.
| Exuma wrote:
| Is Chrome going to block uBO? I'm never up to date on the latest. I
| do know they're allowing 3rd party cookies now... so maybe there's
| a chance
| o11c wrote:
| Honestly, it probably is going to depend on whether the US
| continues to have an administration that's willing to take
| blatant monopolists to court.
| anderskaseorg wrote:
| They're doing a slow phase-out over a long time to try to avert
| a wave of bad publicity that threatens their browser monopoly,
| but that timeline has already started as of June.
|
| https://developer.chrome.com/docs/extensions/develop/migrate...
|
| https://www.bleepingcomputer.com/news/google/google-chrome-w...
| TheGlav wrote:
| They're not blocking uBO, they're removing the features in the
| browser that allowed uBO to work by releasing new plugin APIs,
| "Manifest v3". They're eliminating the key APIs needed for uBO
| to identify things that it shouldn't load, and then not load
| them. Google claims this was for "performance" or "security"
| reasons. Of course, the only major 'performance' or 'security'
| affected is the ability to identify, intercept, and stop
| harmful or ad related downloads before they start.
| lelandbatey wrote:
| As an example of what CNAME cloaking is, let's say that a SAAS
| provider A wants to provide you, company Q, with fancy ad
| tracking software. In the olden days, they'd tell you to embed a
| script at e.g. https://A-ads-tracking.example into your website
| at address https://q-company.example
|
| To block those ads, blocklists that uBlock Origin uses have rules
| that then say "block requests being made to the _domain name_
| A-ads-tracking.example", which blocks the ads.
|
| CNAME cloaking is where SAAS provider A sets up their ad-tracking
| services not on domain A-ads-tracking.example, but instead at a
| specific IP address of e.g. 29.1.2.3; then (and here's the
| important part) SAAS A tells you Company Q that _you need to set
| up a subdomain of q-company.example which has a CNAME record
| pointing to 23.1.2.3_ , a subdomain with an innocuous name like
| media.q-company.example; once you've set up that CNAME, you at
| Company Q add a script tag to your website for
| `media.q-company.example` and now SAAS A is able to track all the
| users on your site. This indirection allows for effectively
| infinite cat-and-mouse on the part of you the owner of the Q
| Company vs the blocklists that the public assemble.
|
| To get around this CNAME cloaking problem, the software powering
| extensions like uBlock Origin needs to be able to see not only the
| destination domain of requests by browsers, but the underlying IP
| addresses of those domains as well. This commit makes that
| behavior possible, or at least is related to making that code
| work better.
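
An added example, not part of the thread and not uBlock Origin's code: a blocking decision that looks past the requested hostname to the canonical name and the resolved addresses, which is what defeats the cloaked subdomain described in the comments above. The record shape mirrors what Firefox's `browser.dns.resolve()` returns; the blocklist entries, IP addresses and the `img`/`www` hostnames are constructed for illustration.

```javascript
// Added example: names, addresses and blocklist entries are constructed.
// Record shape mirrors Firefox's browser.dns.resolve(): { canonicalName, addresses }.
const BLOCKLIST = {
  domains: ["a-ads-tracking.example"],  // classic hostname rule
  cidrs: ["203.0.113.0/24"],            // resolved-IP rule (documentation range)
};

// True when host equals domain or is a subdomain of it (label-boundary match).
function matchesDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");
  return host === domain || host.endsWith("." + domain);
}

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;  // IPv6 is out of scope here
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Check the requested name first, then the canonical name, then the addresses.
function classifyRequest(hostname, record, list = BLOCKLIST) {
  const hit = name => list.domains.find(d => matchesDomain(name, d));
  if (hit(hostname)) return { block: true, reason: "hostname" };
  const cname = record.canonicalName;
  if (cname && cname !== hostname && hit(cname)) return { block: true, reason: "cname" };
  const ipHit = (record.addresses || []).some(ip => list.cidrs.some(c => inCidr(ip, c)));
  return ipHit ? { block: true, reason: "ip" } : { block: false, reason: "none" };
}

// Constructed resolver answers for three subdomains of the site in the comment.
const SAMPLES = {
  "media.q-company.example": { canonicalName: "q.a-ads-tracking.example", addresses: ["198.51.100.7"] },
  "img.q-company.example":   { canonicalName: "img.q-company.example", addresses: ["203.0.113.40"] },
  "www.q-company.example":   { canonicalName: "www.q-company.example", addresses: ["192.0.2.10"] },
};
for (const [host, rec] of Object.entries(SAMPLES)) {
  console.log(host, classifyRequest(host, rec));
}
```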
| biglyburrito wrote:
| Thank you for the breakdown!
| itohihiyt wrote:
| And this is a good reason to block all JavaScript in uBlock
| advanced and slowly whitelist the scripts you see until the
| site works properly. Slow and error prone but once you get used
| to it it's a breeze. And you're completely immune to this sort
| of shittery.
| marcell wrote:
| What is the uBO status on Brave, Edge and Opera?
| homebrewer wrote:
| I don't care about the two proprietary browsers you've
| mentioned, but Brave is going to (partially) support manifest
| v2 and maintain uBO compatibility for as long as they're able
| to:
|
| https://brave.com/blog/brave-shields-manifest-v3/
|
| Not that you really need it as Brave has its own very capable
| built-in ad blocker with -- last time I checked -- higher
| performance than uBO (since it's compiled into native code) and
| full support for same ad lists.
___________________________________________________________________
(page generated 2024-10-07 23:00 UTC)