WingNews logo WingNews GitHub [2]
top | item 34916239

The FBI now recommends using an ad blocker when searching the web

734 points| taubek | 3 years ago |standard.co.uk

430 comments

order
[+] emacdona|3 years ago|reply
I recommend using an ad-blocker while visiting that site :-/

Lately, I find myself using more and more plugins to make the "modern web" tolerable. To list a few:

Channel Blocker (lets me block channels from search results on Youtube); uBlock Origin; Disconnect; F.B Purity; Consent-O-Matic (auto fill cookie consent forms); Kagi Search; PopUpOFF; Facebook Container; Privacy Badger; ClearURLs; Return YouTube Dislike

Basically, if I visit a website and don't like the experience, I either never go back (Kagi lets me exclude it from search results) or find a plugin to make it tolerable.

What I really want now is the ability to exclude entire websites from any permissions I grant to plugins. I feel like in the last year, I've read a couple stories about companies buying successful plugins and then using them to track you or show ads or whatever. I'm worried this will be the next stage in the battle for our attention -- best case: companies will buy popular plugins to track us and show us intrusive ads; worst case: nefarious actors will buy them to scrape information we think is private and collect it.

IE: I just want to be able to say "Hey, Firefox... those permissions that I granted to plugins x, y, and z? They don't apply to www.myfavoritebank.example.com"

Is there a browser that has that feature yet? I spent a few hours trying to figure out if Firefox did. It did not appear to.

edit: Added semicolons to separate plugins in list b/c HN stripped the newlines from my comment.

[+] dngray|3 years ago|reply
> Consent-O-Matic (auto fill cookie consent forms)

This will modify the browser fringerprint making you more unique.

I would not install so many extensions as you're trusting a huge number of organizations/people with privileged access to your browser. Anything that modifies CSS, Document Object Model (DOM) will make your browser stand out.

We wrote a blog post about this: https://blog.privacyguides.org/2021/12/01/firefox-privacy-20...

That includes any extensions that modify what is requested etc. See:

https://github.com/arkenfox/user.js/wiki/4.1-Extensions

See https://www.privacyguides.org/desktop-browsers/#firefox, you really don't need to do anything more than that.

> Facebook Container

etc, not needed unless you login to multiple Facebook accounts.

> Disconnect

Not needed, you should enable Firefox's ETP Enhanced Tracking Protection, this includes anything on that list. https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...

[+] Groxx|3 years ago|reply
Yeah, the permission model in browser plugins is all kinds of messed up.

In absolutely no way is it the plugin's decision where it should be allowed to run. It's great if it self-restricts and we should encourage that, but it's absurd in the extreme that any version of plugin support ever shipped without a way for users to override and restrict them further. Trusting the author of a thing to do what they claim to do is literal security insanity, and it always has been.

Chrome is sightly improving here, with click-to-activate extensions, but it's still pretty far from just giving me a frickin list field.

[+] TacticalCoder|3 years ago|reply
Here are a few things I do to combat nasty websites:

- blacklists entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing my browser to use DoH -- I can still then use DoH if I want, from unbound)

- reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules

- (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.

I do not care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).

EDIT: just to be clear seen the comments for I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day to day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent me from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks. Your mileage may vary and you live in a country where it's normal to go on website with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.

[+] giobox|3 years ago|reply
While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem, as ultimately all you can really do is use domain blacklists at your firewall. It's no longer as straight forward as just control port 53 traffic, not like you can realistically shut down 443... Blocking DoH is largely whack-a-mole and I think is only going to get worse as this and similar techniques spread. There are so many sneaky ways to resolve a hostname an app or device can choose to use now.

You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules, the same doesn't work for DoH. a DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.

[+] eurticket|3 years ago|reply
Steven Black runs a hosts file on GitHub with regular updates. https://github.com/StevenBlack/hosts

There are a bunch of file variants to weed out specific bad actors.

It's well currated though I will disclaimer it has broken a few websites in the past for me. Maybe that's a good thing.

[+] userbinator|3 years ago|reply
I venture onto the Asian and Russian parts of the Internet semi-regularly, and in all these years I have seen perhaps one or two sites with IDN that were actually useful to me.
[+] cgb223|3 years ago|reply
What’s an IDN and what does blocking them help with?
[+] whiw|3 years ago|reply
> (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.

I couldn't see how to do this in Windows Firewall. Which OS/firewall/rule are you using?

[+] maxerickson|3 years ago|reply
I don't do any of that stuff and don't think I am running into nasty websites. What is it supposed to do?

I do uBlock origin with pretty standard lists and have a list of allowed persistent cookies. Are the uBlock lists doing all that work in the background?

[+] srcreigh|3 years ago|reply
what's the advantage of DoH?

I personally use Timescale magicDNS on all my devices, with pihole DNS running on a home server. The magicDNS can make my home server the 1st responder for DNS queries and it'll block a lot of ad domains.

[+] madars|3 years ago|reply
Or, in other words, FBI now recommends using Android :-) It's baffling how much better uBlock Origin + Firefox experience on Android is compared to any iOS ad blocker I have tried. They kind-of work but let half of the ads through.
[+] Animats|3 years ago|reply
Make ad brokers share responsibility for losses due to scam ads. If the ad broker is unable to clearly identify the advertiser for lawsuit purposes, the ad broker should face consequences. They're assisting the criminal by helping them hide.
[+] VFIT7CTO77TOC|3 years ago|reply
It is infuriating that Google seems to be doing nothing about scam ads. For years I have been seeing "Click to install iPhone update!!!" ads on YouTube mobile. Easy to have huge profit margins when your company hires no humans to do things like customer support and ad vetting.
[+] saklash|3 years ago|reply
Over the years, marketing networks have been infiltrated by hackers who manipulate ads to spread malware. Since the ads were served through a host of web pages, the attackers could do damage to a victim’s computers in minutes. With an ad blocker, though, you can prevent this situation from happening to you.
[+] vinay_ys|3 years ago|reply
It is simultaneously impressive and sad and hilarious that security of millions of people depend on the work of one volunteer software developer (gorhill – ublock origin) and a bunch of volunteer block-list maintainers.
[+] autoexec|3 years ago|reply
Pretty late to the game there, FBI. There are examples going back decades of drive by downloads and exploits from ads on popular websites. It's not enough to avoid shady websites. Any website filled with ads is already a shady website.
[+] halfjoking|3 years ago|reply
FBI must have infiltrated ad blocker servers containing malicious url lists.

Never using an adblocker again.

[+] kerkeslager|3 years ago|reply
At this point it's irresponsible for browsers not to come with ad blocking preinstalled.
[+] freediver|3 years ago|reply
You are correct ads have become popups of late 90s. Yet, very few browsers do, as most of them depend directly or indirectly on ad revenue.

AFAIK only Orion browser [1] comes with full 1st party and 3rd party ad and tracker blocking, by default.

[1] https://browser.kagi.com

[+] rmason|3 years ago|reply
Is it time for an open source adblocker that only blocks bad actors?

I am perfectly fine with ads, I've previously run sites where it was a small source of income myself. I know it would be in a cat and mouse game with the bad guys but if it blocked most of them it would certainly help a lot of people.

[+] westcort|3 years ago|reply
Any recommendations for a good ad blocker and other precautions to take?
[+] _rs|3 years ago|reply
On Mac and iOS I use and recommend AdGuard which has native content blocker extensions and lets you use Easylist block lists (as well as their own).

On Chrome/Firefox I use uBlock Origin which works well. I’m not sure if the community recommends something else at this point.

I also use various other extensions like StopTheMadness to disable right click hijacking and other bad behavior and Banish on iOS to prevent certain banners from appearing.

[+] behnamoh|3 years ago|reply
I know most people trash on Brave, but honestly, if you disable its crypto features (which is just a click away), it's actually a decent browser that blocks almost all ads I see, even on iOS!

For example, YouTube has no ads in iOS Brave. Since iOS doesn't allow real browsers and extensions, Brave has been a sanity-saver for me.

Pair that with uBlock on desktop and you're golden. 98% of the sites don't break at all either.

[+] dooglius|3 years ago|reply
It ultimately depends on what your threat model is, what are you trying to defend against? I use Qubes dispvms (whonix if possible) for personal browsing, but that's pretty far toward the extreme end of the scale.
[+] haunter|3 years ago|reply
I use uBlock Origin on PC and Adguard Pro on iOS (with the uBlock Origin filters 1:1)
[+] sys42590|3 years ago|reply
I recommend uBlock Origin and the anti-malware DNS from Cloudflare
[+] Zetice|3 years ago|reply
On MacOS I like Little Snitch for OS level stuff, with some rule groups like ads_stevenblack and malwares_prigent.
[+] pmontra|3 years ago|reply
If you're on Android also use Blockada to block ads in app. It's a local VPN server that filters out requests to ad servers. I think there are other apps like that but I never used anything else.
[+] ezfe|3 years ago|reply
I use Wipr on Safari for Mac & iPhone
[+] nathanaldensr|3 years ago|reply
uBlock Origin, Privacy Badger, Pi-hole, and a mobile browser like Firefox that allows for extensions for those times when one is not browsing on the same network that the Pi-hole runs on. One may also use a VPN on all devices that connect to a network with DNS-level ad-blocking.
[+] lemoncookiechip|3 years ago|reply
A combination of uBlock Origin + NoScript + Bypass Paywalls Clean + FastForward + ClearURLs as well as a pop-up blocker of your choice, will make your web browsing experience a bit cleaner. Not all of these might available for Chromium, I personally use Firefox for my daily use, with some Chromium browsers as backup.

NoScript will break pretty much 50% of the web. It'll take you about a day to whitelist all the sites you use daily and then it's smooth sailing.

I would also highly recommend this privacy focused list. https://www.privacytools.io/

[+] wrycoder|3 years ago|reply
I use AdBlock+, never had a reason to switch.
[+] bogwog|3 years ago|reply
I use adnauseam (https://adnauseam.io/), which is built on top of ublock origin, and it works pretty well.

The generic nuclear option to hide terrible web design, bypass (some) paywalls, and improve performance 1000x is to disable javascript. ublock and adnauseam both have a button to disable all javascript on a page, which is handy when reading articles on sites filled with garbage.

[+] lakomen|3 years ago|reply
Well too bad Google won't let you on the phone, Firefox at least allows you to install ublock.
[+] exodust|3 years ago|reply
The FBI page in question[0] (I hope ic3.gov is legit!) says "Before clicking on an advertisement, check the URL to make sure the site is authentic." But on a mobile device nobody knows how to do that. And the URL will be some kind of ad redirect a mile long.

FBI: "Rather than search...type the business’s URL into an internet browser’s address bar..." I'm not sure about this one. Typos easily happen, and it's the typo'd domain that scammers might own. Risky whatever way you go I suppose. For well known businesses I'd rather search and click on organic links than trust my own typing of a URL.

"Use an ad blocking extension". Third time's the charm. Great to see this advice coming from the FBI.

https://www.ic3.gov/Media/Y2022/PSA221221

[+] PeterisP|3 years ago|reply
The same applies to corporate networks - there is no good reason why the default office computer installations for your employees should have a browser without an ad blocker, there are some (not huge, but some) security benefits that make it a reasonable IT policy almost everywhere.
[+] walrus01|3 years ago|reply
I can't believe people use mobile browsers now that are not Firefox.

Firefox on Android can have the full powered ublock origin addon installed in it. Same as desktop. It makes things so much better.