Add uBlock Origin to the Tor Browser
I suggest that we add Ublock Origin to the Tor Browser. Ublock Origin has the following advantages:
- FOSS under GPL3. See https://github.com/gorhill/uBlock
- It is actively maintained and very popular.
- It's designed to be efficient on CPU and memory. See https://github.com/gorhill/uBlock#performance
From https://github.com/gorhill/uBlock#philosophy:
uBlock Origin is not an ad blocker; it's a general-purpose blocker. Furthermore, advanced mode allows uBlock₀ to work in default-deny mode, which mode will cause all 3rd-party network requests to be blocked by default, unless allowed by the user.
Its behavior is governed through filter lists, which are maintained by Adblock Plus, Disconnect, the community, or other sources. Users can control which lists are downloaded and most are fetched through HTTPS.
I have read through https://www.torproject.org/projects/torbrowser/design/#philosophy, but this was written several years ago and I believe that the landscape has changed and that it's time to revisit those assumptions. Arguments include:
- Default denial of cross-site (3rd party) requests, unless allowed by the users. This eliminates CSRFs and prevents contact with ad networks and trackers in the first place. This supplements browser security by prevent ad networks from tracking users across a browser session.
- If all users use Ublock Origin, then everyone has the same fingerprint.
- Adblockers are now relatively common by tech-savvy users, to the point where they now consider webpages to be broken if ads get in their way. The existence of ads may drive a user to install an insecure adblocker or to use their native non-Tor browser.
- Ublock Origin would save significant bandwidth, reducing the load on the Tor network and increasing the responsiveness of webpages in the Tor Browser.
might be good to revisit these assumptions, but make sure to read on in the design document to get the full understanding I wonder how many people install adblockers anyway. I have like 4 extra extensions for ad/tracking blocking true that my memory was fuzzy but I recall there also being some concern that blocking ads might increase sites' contempt towards tor users, but this was like 2011-2012 and the situation was quite different It seems like it follows some kind of design antipattern to me; "Assuming that we deliver security with X, Y adds no additional security. Therefore, not Y." then again, I am not a TB person and do not want to step on their toes here the world has changed wrt to ad blockers being seen as anti-social... Apple now supports them after all. helix: so many non-Tor users use adblockers that I doubt that Tor users would make a significant impact kernelcorn: I agree now - I'm saying that the timeframe in which that decision was made had a different landscape I think it's probably worth revisiting the topic to see if it's still true
Ticket #10914 (moved) is related.
Activity
Related links:
- xttp://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf (scheme changed to xttp because trac thinks http is spam)
- https://lwn.net/Articles/646339/
Replying to cypherpunks:
Related links:
- xttp://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf (scheme changed to xttp because trac thinks http is spam)
- https://lwn.net/Articles/646339/
You forgot to link to the other W2SP one: https://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf. Its introduction is actually quite interesting, especially the demo aiming to defeat blacklist-based tracking. Yes, we plan to update the No Filters section in our design document pointing to it. See: comment:3:ticket:15988.
+1 For bundling uBlock Origin with Tor Browser, great software (thanks gorhill).
I'd suggest adding cached block lists to not have to download them on first run and to prevent users from having different block lists (to prevent fingerprinting). And disable the auto updating and only update when Tor Browser has a new uBlock Origin version or block lists.
I already have uBlock Origin installed in my Tor Browser, because without it I think I'm less secure and potentially less anonymous with all those connections made to ad networks, big corporations. Since they have greater capability to correlate behavior etc.
Thanks!
Trac:
Reviewer: N/A to N/A
Summary: Add UBlock Origin to the Tor Browser to Add uBlock Origin to the Tor Browserthere is a similiar request upstream https://bugzilla.mozilla.org/show_bug.cgi?id=1280773
Replying to cypherpunks:
I'd suggest adding cached block lists to not have to download them on first run and to prevent users from having different block lists (to prevent fingerprinting). And disable the auto updating and only update when Tor Browser has a new uBlock Origin version or block lists.
I suggest to convert it by patch on TBB (maybe on NoScript) or to use the native firefox tracking protection with our own cached block list.
https://support.mozilla.org/en-US/kb/tracking-protection-pbm https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection
Trac:
Username: i139-
another alternative is use Privacy Badger By EFF https://www.eff.org/privacybadger
I read good things about it
Trac:
Username: i139 Replying to i139:
another alternative is use Privacy Badger By EFF https://www.eff.org/privacybadger
I read good things about it
I don't think Privacy Badger is appropriate for Tor Browser, because it collects information about what sites you have visited, and constructs a unique filter as you browse. That means it gives you a unique fingerprint.
-
Replying to arthuredelstein:
Replying to i139:
another alternative is use Privacy Badger By EFF https://www.eff.org/privacybadger
I read good things about it
I don't think Privacy Badger is appropriate for Tor Browser, because it collects information about what sites you have visited, and constructs a unique filter as you browse. That means it gives you a unique fingerprint. OK, you are right.
firefox tracking protection use lists provided by disconnect.me, maybe just change those lists with our own will be enough
Trac:
Username: i139 Replying to arthuredelstein::
firefox tracking protection use lists provided by disconnect.me, maybe just change those lists with our own will be enough
With the growing amount of nasty anti-adblock tricks in play i wouldn't call a simple change in blocklists future-proof enough. Reek & Gorhill are quite busy to investigate & solve all the new stuff the companies come up with.
This would be a good idea. Many users already install it.
https://medium.com/@profcarroll/10-terrible-things-about-adtech-35f7e7fcc1ad
-
some informations about filters https://github.com/gorhill/uBlock/wiki/Dashboard:-3rd-party-filters https://filterlists.com/
Trac:
Username: i139 -
Look more calmly
those are good for usability, in TBB without JS, warnings and killers can disturb the usability Adblock Warning Removal List Anti-Adblock Killer
those block some social content, how track the user Anti-ThirdpartySocial Fanboy’s Annoyance List
and ect...
a good filter selection for all users is important, because the users wouldn't have to use different set of list, avoiding fingerprint
Trac:
Username: i139 -
Tails 2.10 will also use uBlock Origin https://labs.riseup.net/code/issues/9833
Trac:
Username: i139 -
I vote for including an ad blocker to the TBB, if this does not become a maintainment nightmare (it shoudln't be?)
(TL;DR at the end)
I'd consider it another tool against privacy-invasive measures, malicious code injection, straight user misguidance (visual clickbaits etc) while also being an actual usability improvement. The argument was brought up on several cryptoparties, by people with very little technical background, telling me they could not even consider browsing the web without it.
The websites that will pose usability nightmares are well aware of this, as they are very often the very cause of this, and will very explicitly ask the user to disable ad blocking for their website, which has become a relatively straightfoward thing i nterms of UX.
I understand the argument on torproject's image in terms of websites remuneration streams, but as I mentionned, most of these will block ktheir contact when they detect an ad blocker, or ask kindly that the user disable it for their site, which they are still free to do. Moreover tor blocks any ad targeting attempt with current measures, so their ads already have very little value if any at all.
I dot not think it should be a problem for Tor to openly disapprove of a revenue method that literally monetizes user privacy. Subscriptions are less pervasive, offering a balance between "I want to donate to this website, and maybe lose a bit of anonymity if the website insists on linking my account to my donation to let me access content" and "those who don't subscribe aren't profiled and monetized without their consent".
tl;dr: nowadays it's an actual UX improvement, probably reduces a bit of an attack vector, and I don't believe torproject could be criticized for not supporting these privacy monetization methods
Trac:
Username: koolfy Replying to niconiconi:
I believe that there is no reason to keep NoScript if uBlock Origin or uMatrix are added.
I do. ContentBlocker like UblockOrigin are only as good as their filterlists. NoScript is a more general approach
-
uBlock Origin is not an "ad blocker", it is a wide-spectrum blocker, which happens to be able to function as a mere "ad blocker". But it can also be used in a manner similar to NoScript (to block scripts) and/or RequestPolicy (to block all 3rd-party servers by default), using a click-and-point user interface.
[https://github.com/gorhill/uBlock/wiki/Blocking-mode]
Trac:
Username: i139 -
Replying to cypherpunks:
Replying to niconiconi:
I believe that there is no reason to keep NoScript if uBlock Origin or uMatrix are added.
I do. ContentBlocker like UblockOrigin are only as good as their filterlists. NoScript is a more general approach I will disagree, uBlock Origin provides every important feature of NoScript and even more with the Dynamic Filtering mode enabled. Also see https://github.com/gorhill/uBlock/wiki/Dynamic-filtering
Trac:
Username: niconiconi Replying to cypherpunks:
contains spyware. constant connection to raw.githubusercontents.com
For dynamic assets and a few pictures as can be seen in the sourcecode https://github.com/gorhill/uBlock/search?utf8=%E2%9C%93&q=githubusercontent&type=
Hardly spyware.
I think something concerning just appeared recently with the JS XMR miners in place of ads (such as https://coin-hive.com which was used by thepiratebay for 24hr as an experiment). Imagine if I have like 4 sites that use them, one of CPU's core is already at 100% with only 1 opened, with 4 it would completely bottleneck the browser.
In fact, I tested with Medium security setting (which has JIT disabled) the captcha which is based on mining XMR was still at its beginning even after 15 min https://coin-hive.com/account/signup
But yes, what the Tor Browser design document states is still completely valid - however in the face of new emerging threats I don't think we should ignore them since they definitely impact usability here: So if someone was on one of those sites that had that XMR miner and were using the Medium security setting, then they'll have a 100% cpu use on one of their cores and that will affect their browsing experience. If they realize that this is partly due to JIT they'll lower the security setting, so this could discourage some from using medium security setting. If they don't, then they're still stuck with a 100% cpu core usage.
One potential compromise here is to add uBlock Origin but with only the filer list that handles those JS miners (list is called
dark-patterns) + the filter lists on badware and malware, and everything else would be disabled.Note how this compromise only addresses usability and a bit of security and not privacy, which is already handled by design by the Tor Browser. (Edit: and from then on we can discuss whether blocking trackers as well would be meaningful, and I tend to think that after all it may be necessary for mitigating fingerprinting by common trackers for things that haven't been solved yet, such as the recent example of CSS line-height.)
Another reason which I just thought about: The argument in the Tor Browser design documentation assumes that the user in question leaves everything in the Tor Browser by default. But there's no guarantee for that, and in real life many users make themselves more fingerprintable (e.g. by changing the browser's size, ...etc). In such a case, blocking some trackers may turn out to be beneficial, if only to prevent some trackers from easily fingerprinting some users.
The other counter-argument that this would damage ad revenue from websites ignores that there's only 2 million TB users, and the impact would be relatively tiny. Also many major browsers are now starting to block (some) ads by default, such as Brave, Opera, ... and even Google's Chrome which will block some certain types of ads in 2018.
Yet another reason: It's becoming practically impossible to access some bloated websites with the Tor Browser in machines with only 1-2Go of RAM, and with the switch to FF59 which will have 4 content processes this will be even impossible. As has been proven many times, blocking trackers has on average significant benefits in terms of RAM usage, especially on bloated news sites full of trackers (gorhill, the uBlockOrigin maintainer, has some nice examples: 1, 2):
Based on data obtained through the Pulse Test Pilot experiment, Mozilla's Test Pilot team concluded that "Ads hurt user sentiment. One of the strongest effects on sentiment was our proxy for the number of ads: requests made by the page to hostnames on the Disconnect.me tracking protection list. This covaried with the overall number of requests, total page weight, and each of the timers, so it’s unclear if this effect is due to a specific aversion to ads, or to their consequences on performance."
Another aspect: Because of the Tor Browser design targeted ads do not really make sense, all the ads I get - without exception - are for countries where I don't live in despite the fact that there are some exits in my country.
Replying to cypherpunks:
I think bundling an extension is ok, but FF already features a contentblocker. This existing feature should be built upon with the option to insert third party lists and redirections to local scriptlets to keep Sites working that expect certain third party objects.
That has the problem that if some website detects that you're blocking some trackers and puts a large adblock detected banner then how are you going to counter that? There's no way to deal with this with a stock Firefox with your suggestion except by disabling the list completely. An addon has the advantage of giving you the option to easily disable it for a given site.
There are additional problems too with the addon method:
- What if some user enables more filter lists? Should the filter lists section be blocked from the user or should it be reset with each "New Identity"?
- What if some user whitelists some sites? Then they're going to be saved locally but that's bad. Should the whitelist be reset to default with each "New Identity"?
IMHO I'm in favor of resetting everything with each "New Identity".
Adding uBlock to TBB will expose its users to "fingerprinting" attack.
uBlock + (What list) will make unique fingerprint. (What list) depends on what list you decide to download, and when to download. Also List supplier could add unique filter for each result to target TBB user.
TBB A: Give me adblockplus.org/list.txt ABP Server: Here's your list. (which include this line: "#div#thispersonIP#7.5.6.7")
TBB B: Give me adblockplus.org/list.txt ABP Server: Here's your list. (which include this line: "#div#thispersonIP#1.2.3.4")
Now the 3rd party website can detect this TBB user uniquely.
TL:DR; No, Don't add ublock to TBB. Instead, use Firefox's "built-in tracking blocklist". The blocklist should bundle with TBB itself(like GeoIP files) so TBB don't have to download these lists from internet.
Replying to cypherpunks:
Now the 3rd party website can detect this TBB user uniquely. uBO has some hash checking in place? If that's not the case then there should be some bug report.
Instead, use Firefox's "built-in tracking blocklist". I already explained why it wouldn't work that great in the first paragraph in this [comment:33 comment].
Replying to cypherpunks:
Decentraleyes
Please see #22089 (moved)
Replying to cypherpunks:
That thing will appear if you allow JS in the first place. Disable JS, or just leave that evil site.
JS is enabled by default, just telling me to disable JS in those cases isn't helpful.
"If that's not the case then there should be some bug report."
There are many ways to identify its users. I'm against adding uBO to TBB. This will make unique fingerprint if the user choose filterlist their own and download them from the 3rd party server.
Instead, bundle the "lite" blocklist to TBB itself. Lite-list will block some ads so 99.9999% user will not disable it. By bundle it to TBB, it will NEVER make a connection to the outside. Fingerprints will be the same because everyone use same list.
like; https://github.com/mozilla-mobile/focus-android/issues/1127
Replying to cypherpunks:
There are many ways to identify its users. I'm against adding uBO to TBB. This will make unique fingerprint if the user choose filterlist their own and download them from the 3rd party server.
Instead, bundle the "lite" blocklist to TBB itself. Lite-list will block some ads so 99.9999% user will not disable it. By bundle it to TBB, it will NEVER make a connection to the outside. Fingerprints will be the same because everyone use same list.
Please see my comments on [comment:33 comment 33] on why this isn't a good idea, and a possible solution for clearing custom settings to uBO.
Even Chromium devs are thinking about doing something to stop the resource abusers and looters like coinhive https://bugs.chromium.org/p/chromium/issues/detail?id=766068
Comment 13 by
ojan@chromium.org, Oct 19Sorry for the delays responding on this. Yes, we should do something about it. Not quite sure what.
They (Chromium folks) also now have adblockers for some sites by default: https://developers.google.com/web/updates/2017/12/better-ads
That's still better than the current situation where we (TB users with not-so-fast CPUs) have to deal with bloated websites and can't block those damn trackers since we'll become easily fingerprintable.
FWIW Firefox will also move to block some ads by default https://wiki.mozilla.org/Firefox/Roadmap
Last but not least, in 2018, Firefox will get more opinionated. People on the web deserve a browser that represents people first, a browser that isn't neutral when it comes to advertising, tracking and other dark patterns on the web.
[...]
Filter certain types of ads by default: Firefox will offer users a simple ad filtering option. We're in the early stages still, researching types of advertisements that should be blocked by default. (Q3)
Block ad re-targeting: We are working on blocking cross-domain tracking. Details to follow. (Q3)
#25959 (moved) is a duplicate, quoting what the fine person wrote:
[ticket:25959 tremvonk]:
Read before closing as wontfix: I am familiar with the Tor Browser design philosophy of not relying on filters for security. This request, unlike ticket:15279, has nothing to do with possible security benefits of uBlock Origin.
I think that Tor browser bundle would benefit from including uBlock Origin as an adblocker by default. Consider the benefits:
-
Ads waste bandwidth. To see just how much I ran tests using Tor Browser at medium security level on two major news organizations' sites: the Economist and the New York Times. The results were striking: without uBlock Origin, the Economist's website loaded 12.6 MB with 135 requests and the New York Times' website loaded 7.6 MB with 235 requests. With uBlock Origin, the Economist's website loaded 5.8 MB with 443 requests and the New York Times' website loaded 5.0 MB with 85 requests. uBlock Origin reduced the page size by 54% for The Economist and 34% for the New York Times. Granted, newspapers are particularly bad offenders when it comes to bloating the page with ads, but, however we slice it, we still stand to save considerable amounts of bandwidth.
-
It makes TBB more usable. Blocking that many MB of ads can only make the webpage load faster and gives an overall nicer user experience (does anybody really want to see those ads?) which, in turn, helps encourage more people use TBB.
-
It makes TBB and TAILS browser fingerprint look more alike.
Now, I did see the section of the Tor Browser design philosophy that opposed adblockers in TBB. However, consider the objections
-
Damages TBB's reputation to provide non-filter-based security. I think this is no longer true - TBB has been around for long enough and its reputation well-established enough that I doubt users will be confused - especially that the truth is readily findable by anyone who cares to look. Moreover, TAILS browser has been shipping with uBlock Origin for quite a while now and it caters to an even-more security-conscious crowd than just TBB.
-
Makes ad-supported websites dislike TBB. Currently, over 1/4 of internet users use an adblocker (see here). If websites dislike adblockers, they have a lot more problems than just TBB. In any case, the fraction of sites that will dislike TBB for using an adblocker will be small compared to the fraction of sites that dislike TBB just for using Tor.
Therefore, Tor browser bundle should follow TAILS' example and add uBlock Origin to the browser by default.
-
This would also be a good step in the right direction for Firefox upstream: https://wiki.mozilla.org/Firefox/Roadmap
has entries like
Filter certain types of ads by default: Firefox will offer users a simple ad filtering option. We're in the early stages still, researching types of advertisements that should be blocked by default. (Q3)
as well as making tracking more difficult and stop auto-play videos like chrome has done it. Instead of just having the "basics" it could be a joint effort to have the logic for blocking and replacing in FF/TBB and the filter lists by the community.
Interesting recent research done at Mozilla on the utility of ad blockers for web browser users: https://research.mozilla.org/files/2018/04/The-Effect-of-Ad-Blocking-on-User-Engagement-with-the-Web.pdf
But muuuh what about those who depend on the 2 cents/month from Monero JS miners? You want them to close their business since they will no longer receive those 2 cents/month??????!!!!!!!1!!11
Replying to LabraTor:
I strongly encourage to implement uBlock Orgin in TBB as it is done in Tails. I'm fine if user customization of uBlock Origin is restricted but please move on with this. I've been lobbying for blocking some useless trash by default in TB (via the Firefox built-in Disconnect blocklist), but for the case of uBlock Origin do you have a solution for comment:33?
Adding an add-on which make internet connection in background is against Tor Browser's design. Write a concrete proposal and attach to this ticket before you reopen this.
Also we are against adding uBO to Tor Browser. Such user can add the add-on by themselves WITH THEIR OWN RESPONSIBILITY.
Trac:
Resolution: N/A to invalid
Status: new to closedReplying to cypherpunks:
Adding an add-on which make internet connection in background is against Tor Browser's design. Write a concrete proposal and attach to this ticket before you reopen this. So let's remove HTTPS Everywhere as well since it makes connections to get ruleset updates? There are valid reasons to be against uBO in the Tor Browser, but this one isn't among them.
Trac:
Resolution: invalid to N/A
Status: closed to reopenedSo let's remove HTTPS Everywhere as well since it makes connections to get ruleset updates
Complete BS. Tor Bundled add-on does not make connection at all. uBO is not.
There are valid reasons to be against uBO in the Tor Browser
You wrote your answer already
Trac:
Status: reopened to closed
Resolution: N/A to wontfixReplying to cypherpunks:
So let's remove HTTPS Everywhere as well since it makes connections to get ruleset updates
Complete BS. Tor Bundled add-on does not make connection at all. uBO is not. Please be more respectful and always double check things ;~) https://www.eff.org/deeplinks/2018/04/https-everywhere-introduces-new-feature-continual-ruleset-updates
There are valid reasons to be against uBO in the Tor Browser
You wrote your answer already Yes, but it needs an official response from a consensus of TB devs and a followup ticket (for the proposed Firefox Disconnect list alternative).
Please don't vandalize tickets as well.
Trac:
Resolution: wontfix to N/A
Status: closed to reopened
Summary: Add Adblock Plus to the Tor Browser to Add uBlock Origin to the Tor Browser-
Instead of doing this opening and closing dance which is quite annoying, someone could try to actually analyze the proposed privacy, security, and performance gains adding $extension to Tor Browser, especially compared to the privacy, security, etc. means Tor Browser already offers. Please, include the downsides of adding $extension to the browser as well (our design document might help).
Regarding Tails including an adblocker, you might want to re-read
https://mailman.boum.org/pipermail/tails-dev/2014-October/007266.html f. https://mailman.boum.org/pipermail/tails-dev/2015-January/007821.html ff. https://mailman.boum.org/pipermail/tails-dev/2015-February/008003.html f. https://mailman.boum.org/pipermail/tails-dev/2015-February/008007.html https://mailman.boum.org/pipermail/tails-dev/2015-April/008560.html f.
Do make this clear here: there are no short- or medium-term plans to include an adblocker in Tor Browser.
Trac:
Resolution: wontfix to N/A
Status: closed to reopened Replying to cypherpunks:
Why "uBlock Origin" only? Cause it's the best in its job right now. Adblock+ that you're lobbying for is a sellout: https://medium.com/@trybravery/please-stop-using-adblock-but-not-why-you-think-13280e76c8e7
Replying to cypherpunks:
Don't. Just don't include addon to tor browser. The browser should focus on itself.
Firefox comes with zero pre-installed addons. I don't want another junk added into TB. "Yeah let's remove HTTPS Everywhere, NoScript, TORlauncher and TORbutton TOR browser should focus on itself screw the users!!1!"
Replying to gk:
Instead of doing this opening and closing dance which is quite annoying, someone could try to actually analyze the proposed privacy, security, and performance gains adding $extension to Tor Browser, especially compared to the privacy, security, etc. means Tor Browser already offers. Please, include the downsides of adding $extension to the browser as well (our design document might help).
Yeah, we're waiting until you officially include those criteria for 3rd party addons in the Tor Browser design doc for us to structure all the details :) (Note that the bulk is already present in these comments, though I lean into the "don't add uBlockO but use Disconnect default blocklist" side)
Trac:
Summary: Add adblocker to the Tor Browser to Add uBlock Origin to the Tor Browser-
Regarding the FF-inbuilt solution with the disconnect lists, I don't see a problem if a website blocks ad-/tracking-blocking. TBB users then can either avoid the website or use a workaround such as archiving the website and then view the archived version. Obviously, a temporary white-listing of anti-adblocking websites until a reset would be an option too but temporarily reduce anonymity.
You're right about strictly resetting any uBo modifications, if possible at all. This is after all how it is done with Tails. I consider it advantageous to merge the TBB and Tails anonymity groups and therefore favor the uBo approach.
Trac:
Username: LabraTor "... we will start blocking slow-loading trackers by default in Firefox 63." ;)
https://blog.mozilla.org/futurereleases/2018/08/30/changing-our-approach-to-anti-tracking/
If it is added but disabled by default it would not harm "normal" users and made it easy for all who happen to want it. There should be a big warning "With this plugin you endanger your anonymity. You should only use it to increase browsing performance by blocking trackers and ads." with a link to an article about fingerprinting (that probably needs to be written first).
-
Replying to cypherpunks:
Both NEVER connect to internet to download "subscription" files.
Not taking a position, I just want to be sure that technical details are accurate.
It's possible to completely disable auto-updating in uBO, it's one checkbox -- all the files needed by uBO at install time are part of the package and loaded from there at launch time (except for region-specific lists). When auto-update is disabled, uBO never ever connects to remote servers without explicit user intervention.
In any case, if ever there was a list of specific requirements, I will be willing to do the work for uBO to meet these requirements.
Trac:
Username: gorhill Replying to gorhill:
In any case, if ever there was a list of specific requirements, I will be willing to do the work for uBO to meet these requirements.
Thank you, gorhill, that is much appreciated. We are still discussing the pros and cons of including an adblocker extension in Tor Browser by default.
Just for the record, one idea we discussed in our recent Tor meeting would be to introduce an adblocker that is off by default. Then a single toggle switch would be available to activate the adblocker globally. This would result in splitting the anonymity set in two (one bit of fingerprinting, on average).
Also regarding fingerprinting: I think we would want also to minimize the available controls to users to make sure that they can't (easily) add or remove blocklists or apply other global custom settings that will make them fingerprintable. I do think it would be acceptable to include an "allow ads on this site" button if the unblocking mechanism is first-party-isolated.
Replying to arthuredelstein:
Just for the record, one idea we discussed in our recent Tor meeting would be to introduce an adblocker that is off by default. Then a single toggle switch would be available to activate the adblocker globally. This would result in splitting the anonymity set in two (one bit of fingerprinting, on average). Ok, so what will you do with the by default (in 63 and higher) enabled Mozilla's built-in Tracker Blockers (they misleadingly call it "Tracking 'Protection' ")?
-
I agree to add ublock origin to tor browser. Nowadays I always install it after, and it take time to install and make update. Probably other tor browser users too.
Maybe good to leave it off by default, like https everywhere does not block non-https by default, but it is easy to turn on block non-https.
TAILS already did the work on this, so can just use that work, so not much extra work?
If philosophy is no ad blocker in tor browser, but there is blocker off by default, the philosophy seems ok.
Trac:
Username: gapegas7uftp -
Trac:
Username: darkspirit
Cc: arthuredelstein, intrigeri to arthuredelstein, intrigeri, jan@ikenmeyer.eu -
It seems ublock Origin has quite some performance issues on higher security levels: https://blog.torproject.org/comment/279536#comment-279536.
-
Replying to gk:
It seems ublock Origin has quite some performance issues on higher security levels: https://blog.torproject.org/comment/279536#comment-279536. Because of #23719 (moved) that I reported some 16 months ago.
Trac:
Username: ArmalsLoveArmalsLife mentioned in issue #24054 (moved)
mentioned in issue #24316 (moved)
mentioned in issue #25959 (moved)
mentioned in issue #27557 (moved)
mentioned in issue #30939 (moved)
moved to tpo/applications/tor-browser#17569
