I wouldn't even mind ads if most sites weren't malicious with how they serve them. Do not make a new window pop up, do not try to download anything to my computer without my explicit instruction, do not make me click an x to view the content, do not interrupt the content to serve an ad. Why can't they just have a nice little ad on the left and/or right side of the page that doesn't interrupt my intake of their content? Heck, even on the top is fine.
Greed. Those kinds of ads pay more. Interrupting the content means they can sell the spot as something people will actually see because they are forced to.
The entire point of an ad is to make you notice. As you said you "don't mind", this is not something ads would want. It's a rising bar as people are starting to learn to ignore ads more and more subconsciously.
Well also many sites are now just absolutely covered with ads. Like it went from one on a page to now banner above, banner left and right, pop up video that has to be closed, two to three interstitial ads in the main content, like 2 dozen shitty taboola or similar "articles" popped on the end. Ugh.
Sounds like it might make sense to drop this early hints feature (whatever it is).
I wonder how much longer it will be before the next major escalation happens with ad blockers. I can imagine mainstream browsers that fetch unmodified pages and click ads in the background (to subvert pay-per-click ad business models and make it harder to compute targeting metrics), but then display an ad/tracking-free version in a separate rendering pipeline.
As far as I know, current ad blockers can't block ads from Widevine (DRM protected) streams, so I guess it's only a matter of time until Chromium team comes up with Widevine for webpages and then it's game over for normal consumers.
Even without early hints, I assume you could do the same thing with the Link HTTP header.
Or if you really don't care about performance, just load the start (e.g. <head>) of the document and wait a little bit to see which subresources are loaded.
AdNauseam does just that. It clicks the ads before blocking them (possible to whitelist non-tracking ads). It's a fork of uBlock and what I replaced uBlock with on my phone and PC.
Sadly, it doesn't do clicking in the private browsing mode, which I usually use not to crowd the browsing history with hn and other forums' articles.
I don't understand how this feature even came to be. Presumably these resources are cached (it's going to be used for static resources; for dynamic ones, you'd need to have already performed the request on the server to figure out what to send, so you'd just send the response). So what, you're saving 5 ms off the first page load? Assuming it's not already a static response, in which case again you'd just send it.
Meta and Apple are pushing their AR (advertising required) goggles because they are locked-down systems where it is even more difficult to block ads.
We're all complaining and blaming the big corporations for the pitiful state the internet has got to now, but it seems we are all contributing our little bit to bring it even lower. Because corporations pay, I know, but we are the ones pulling the trigger.
But also because we refuse to pay. Any attempt at monetization is widely demonized, yet people still feel entitled to free content, and refuse to put their money where their mouth is and at least abstain from consuming the content if they really don't think it's worth the price.
It's funny how scarce the "I'd be willing to pay for good content, but alas, there is no option" claim has become since websites have started widely implementing paid ad-free accounts or outright paywalls.
I've never seen someone angry that a supermarket won't give them a newspaper for free, but when it's online this is apparently a valid complaint.
Classic security philosophical conundrum. Do you let the black hats figure it out on their own and weaponize it, or do you have a white hat figure it out and release it so it's common knowledge to the world?
Is this already being exploited by any sites in the wild? If not, then I kind of wish that it would have been privately reported to Mozilla and the major ad blocker developers to give them time to patch it.
I definitely see your perspective here, but it also seems like something that isn't likely to be used. There's already good JS ways of detecting ad blockers that don't require nearly as much work.
To take advantage of this, you'd need to alter your web application so that it'd do a two-stage rendering. Most web apps don't even stream their content (rather they wait until the whole content is ready, whether HTML or JS, and then send the whole thing). Your app needs to first send the HTTP 103 with the stuff to pre-fetch. Then it has to wait while holding the state and content it wants to push to the user.
The longer you're holding that stuff in RAM, the fewer requests you can handle per second. Let's say you can handle 100 simultaneous requests and usually a request takes 10ms. Now you've handled that request and you're holding the response for 500ms to see if they hit the no-adblock-detector before sending the rest of the content. All of your Safari/iPhone users hate your website because every page load takes half a second. Awesome, you've pissed off the richest demographic browsing your website. You're paying more for server resources because you're holding onto state longer instead of getting the response to the user and freeing up that RAM so the requests per second you can handle drops. Ok, maybe you look at user agent and only use this technique for Firefox since that's the only browser it's effective with.
In the demo, the DeferredInvoker basically generates a random string and associates it with a request (Map<string, request-response-thing>). Then when a request comes in for the no-adblock-detector, it looks up which request-response-thing is associated with the random string and sends the response to the user. If it doesn't receive a request for a string within a timeout, it'll send the response as adblock-detected. Of course, this only works for a single server since it's an in-memory map.
How do we get it to work in a multi-server environment? Ok, we store "ABCDEF123" in a data store and hold the response until we see the request for "ABCDEF123" on the no-adblock-detector. Do we use listen/notify in PostgreSQL? I mean, at some point we're adding a lot of overhead for these requests. I have to store on my server "ABCDEF123" goes with request/response X and then I have to listen to the database to see if another server has received a request for "ABCDEF123" and that other server needs to do a database write. These can't be database writes that can be batched or deferred because the user is literally seeing the page wait to load on this database write.
It's not impossible to exploit, but it requires real engineering for any company that has horizontally scaled anything to multiple web servers. You can't just drop it in easily. And while we might hate ads and there are concerning things about ads with respect to privacy and many other things, it isn't a security vulnerability. It's certainly interesting, but I can't see a company putting resources into this.
Mozilla says the following about HTTP 103 Early Hints:
> Note: For compatibility reasons it is recommended to only send HTTP 103 Early Hints responses over HTTP/2 or later, unless the client is known to handle informational responses correctly.
> Most browsers limit support to HTTP/2 or later for this reason.
Probably too unreliable to use in real life - for example, I suspect many crappy corporate proxies will block HTTP 103 responses as some unknown danger.
Unfortunately, it can be used opportunistically, as the readme says:
> Browsers that do not fully support early hints can be easily detected by adding a harmless dummy resource to preload that will not be blocked by adblockers.
It seems pretty easy to mitigate this by always loading the early hints though, as in Firefox should adopt Chrome's approach as described in the README.
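The two mechanisms discussed in this thread, the hold-and-release map from the DeferredInvoker walkthrough a few comments up (random token, parked response, release on probe hit or on timeout) and the mitigation suggested just above (the browser fetches early-hint preloads regardless of the blocker), are modelled in the following Python. This is an added example, not the project's demo code: the probe path PROBE_PREFIX, the verdict markers, the toy Browser and the FakeClock are all assumptions of the example, and the 103 response is built as a plain string rather than sent over HTTP/2.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical probe path (the "no-adblock-detector"); not a URL from the project.
PROBE_PREFIX = "/probe/"
DEFAULT_TIMEOUT_S = 0.5   # the half-second hold discussed in the thread

@dataclass
class Pending:
    html: str
    created_at: float

class DeferredInvoker:
    """Hold-and-release map: random token -> parked page. In-memory, so single-server only."""

    def __init__(self, timeout_s: float = DEFAULT_TIMEOUT_S,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.timeout_s = timeout_s
        self.clock = clock
        self.pending: Dict[str, Pending] = {}

    def begin(self, html: str) -> Tuple[str, str]:
        """Park the page under a fresh token and return the 103 that advertises the probe."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = Pending(html, self.clock())
        hints = ("HTTP/1.1 103 Early Hints\r\n"
                 f"Link: <{PROBE_PREFIX}{token}>; rel=preload; as=script\r\n\r\n")
        return token, hints

    def on_probe(self, token: str) -> Optional[str]:
        """The probe was fetched: release the parked page tagged no-adblock."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None          # unknown, already released, or expired token
        return entry.html + "<!-- verdict: no-adblock -->"

    def sweep(self) -> Dict[str, str]:
        """Release every parked page whose probe never came, tagged adblock-detected."""
        now = self.clock()
        expired = [t for t, e in self.pending.items() if now - e.created_at >= self.timeout_s]
        return {t: self.pending.pop(t).html + "<!-- verdict: adblock-detected -->" for t in expired}

LINK_RE = re.compile(r"Link:\s*<([^>]+)>;\s*rel=preload")

def preloads_from_hints(hints: str) -> List[str]:
    """Pull preload URLs out of a 103 response (constructed parser, not a browser's)."""
    return LINK_RE.findall(hints)

class FakeClock:
    """Deterministic clock so the timeout path runs without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

class Browser:
    """Toy client. `blocklist` holds URL substrings a blocker would drop;
    `fetch_hints_before_filter` models the mitigation: preloads named in early hints
    are fetched regardless of the blocklist, so the server always sees the probe."""

    def __init__(self, blocklist=(), fetch_hints_before_filter: bool = False) -> None:
        self.blocklist = tuple(blocklist)
        self.fetch_hints_before_filter = fetch_hints_before_filter

    def blocked(self, url: str) -> bool:
        return any(pattern in url for pattern in self.blocklist)

    def visit(self, server: DeferredInvoker, clock: FakeClock, html: str) -> str:
        token, hints = server.begin(html)
        for url in preloads_from_hints(hints):
            if url.startswith(PROBE_PREFIX) and (self.fetch_hints_before_filter or not self.blocked(url)):
                released = server.on_probe(url[len(PROBE_PREFIX):])
                if released is not None:
                    return released
        clock.advance(server.timeout_s)   # no probe hit: wait out the hold
        return server.sweep()[token]

def simulate(blocklist=(), fetch_hints_before_filter: bool = False) -> str:
    """One page load against the fake clock; returns the server's verdict."""
    clock = FakeClock()
    server = DeferredInvoker(clock=clock)
    page = Browser(blocklist, fetch_hints_before_filter).visit(server, clock, "<html>constructed page</html>")
    return "no-adblock" if "verdict: no-adblock" in page else "adblock-detected"

if __name__ == "__main__":
    print("no blocker:", simulate())
    print("blocker drops probe:", simulate(["/probe/"]))
    print("blocker, hints fetched first:", simulate(["/probe/"], True))
```

Running it shows the three cases: a browser with no blocker hits the probe and gets the page tagged no-adblock; a browser whose blocklist drops the probe never hits it, the hold expires, and the page comes back tagged adblock-detected; a browser that fetches early-hint preloads before filtering gets the no-adblock verdict even with the probe on its blocklist. The trade-off of that mitigation is visible in the model too: the server still receives the probe request, so the fetch itself is observable. The model also keeps the single-server limitation the earlier comment points out, since the token map lives in one process.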
Haha. The copyright license is a parody of the MIT license [1]:
> Copyright (c) 2024 Mechazawa
> Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software with specific restrictions, provided that the user intends
to use the Software explicitly FOR the purposes of evil or advancing evil,
including but not limited to:
> Genocide, Wanton Destruction, Fraud, Nuclear/Biological/Chemical Terrorism,
Harassment, Prejudice, Slavery, Disfigurement, Brainwashing, Ponzi Schemes
and/or the Destruction of Earth itself,
> with this, including without limitation the rights to copy, modify, merge,
publish, distribute, sublicense, sell and/or run copies Software or any
executable binaries built from the source code.
HN converts single newlines into spaces. The license text on GitHub [1] has apparently intentionally obstructive newlines within the "paragraphs".
[1] https://github.com/Mechazawa/103-early-anti-adblock/blob/mas...
haha, that would've been so incredibly funny... if I was still 15 years old :)
maybe I'm growing old and grumpy, but at a state of affairs where active genocides are going on, I just find that immature and callous. By "that", maybe I mean Dutch attempts at humour ;)
This! I'm actually amazed how rarely it gets brought up, even among my tech-savvy friends. It literally seems like a perfect win-win for everyone... except ad companies. Cue conspiracy theory: they were clearly the ones that coined the term cryptojacking and spawned a ton of articles about it in the press when this idea first surfaced.
Just once and for all understand: if people do not want to see ads and you force ads on them, they will not come to your site.
All you're doing is making the user experience worse and decreasing your site's worth.
And people will remember who was so rude to them.
> Chrome does not allow adblockers to interact with resources loaded using early hints, nor does it display resources loaded using early hints in the developer console.
I wonder if Brave has these same limitations? Not sure where its Shields JS fits into the architecture.
SMS is the next big frontier for ads, every few messages with someone you can see a little ad about something related to your conversations. Or if a conversation has gone stale and someone hasn’t replied in several days, inject an ad to wake it back up.
Anyone know what happened to ethicalads.io? Website has been offline for over a month, but founders/engineers seem to be active on LinkedIn & GitHub still
Are people still relying on only browser plugins to de-trash their browsing experience? DNS is your friend. Block the asshats at their media delivery source. DNS Filter, NextDNS, PiHole...
happymellon|1 year ago
Load a page and replace everything that matched with an empty div when rendering.
ahmedfromtunis|1 year ago
Lending webpages some CPU-cycles (probably to mine crypto) in a controlled and safe way would be a win-win(-win) situation.
Websites won't have to submit to their advertising overlords and still be able to incrementally monetize their content.
Users won't have to deal with the downgraded experience — while sacrificing compute cycles anyway to download and display the awful ads.
Even advertisers would win, as they won't have to deal with content farms trying to fake impressions and clicks.
lakomen|1 year ago
I've been there.
Don't do it.
jalapenos|1 year ago
If adblock doesn't catch it, my thumb twitch reflex when a popup appears will.
extraduder_ire|1 year ago
uBlock Origin has a "DNS unmasking" feature in Firefox that defeats this. I think there's a less effective workaround used for other browsers.