1. 51

It is good to see that Firefox retains many advantages over Chromium extensions.

More troubling is what Raymond says about Instart Logic. They have tech which allows websites to:

  • Disguise 3rd-party requests as 1st-party requests
  • Disguise 3rd-party cookies as 1st-party cookies
  • Detect when the developer console opens, and clean up everything to hide what it does

  2. 17

    Dug a little deeper… this Instart thing is no joke http://go.instartlogic.com/AppShield-Ad-Integrity-Data-Sheet.html

    Web publishers make simple DNS changes to flow the network domains that carry their HTML through the Instart Logic system. This allows our system to inject a small piece of JavaScript that can detect the presence of ad blockers. When an ad blocker is detected, the JavaScript-based virtualization layer Nanovisor, together with our intelligent cloud-based, machine learning platform, encrypts and delivers all the elements of the page using the customer’s existing delivery services.

    As a result, each resource on the page, and any signals and actions such as measurement beacons or user clicks, will have its URL encrypted and obscured. This renders ad blockers ineffective, as they can no longer search for patterns which would indicate a resource is related to advertising.

    The result is simply the experience that the web publisher intended on delivering to the end user with no changes to the ad delivery or measurement systems; end users have no need to be aware the technology is even being used.

    For now it looks like their tech mainly targets Chromium-based browsers. If you use Chrome, look into the uBO-Extra plugin (not necessary for Firefox).

    1. 10

      In my opinion browser vendors themselves need to take action and block this so hard that companies doing this are put out of business.

      Otherwise this approach will be the only one left in a few years, with more ethical actors which allow users to decide how they want to read content gone out of business.

      That it mainly targets Chromium-based browsers is kind of ironic for me: I migrated from Firefox after 15 years of loyal use to a closed-source, Chromium-based browser (Vivaldi) yesterday.

      1. 10

        Consider for a moment that it’s browser vendors who have created all the tools necessary to make this happen.

        1. 2

          There’s a couple of issues with browser vendors doing this themselves.

          First, it’s a moving target: maintaining a block list takes continuous effort. False positives, new technologies, anti-block strategies, domains changing hands - it’s a fair amount of effort to keep on top of things like this.

          Second, this would mean that browsers are then policing the web. There’s an argument that this is bad: you are then trusting your browser to tell you what’s OK, and what’s not OK, to view. I’ll leave a detailed discussion of this to others, but I hope it’s obvious what issues that might raise.

          1. 7

            Right now, I am trusting my web browser not to issue 3rd party HTTP requests under disguise. This is honesty and transparency towards the end-user, rather than policing: I should be allowed to block any outgoing connection from my computer at my discretion.

            If someone maliciously undermines one of the staples of the internet (DNS), especially to allow a corporate, for-profit entity to do something on my computer against my will, I would like for my browser vendor to act accordingly.

            1. 1

              For what it’s worth, I believe Instart uses first-party subdomains. You could allow requests from www.example.com, and disallow from 7zs4gc2n.example.com or similar fishy-looking subdomains.
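Added example, not part of the thread or of any blocker's code: one way to apply the allow-`www`, flag-random-subdomain idea from the comment above when reviewing a page's request log. The label allowlist, the thresholds and the two-label approximation of the site domain are assumptions made for illustration.

```javascript
// Labels commonly used for legitimate first-party hosts (assumed list).
const COMMON_LABELS = new Set(["www", "cdn", "static", "img", "images", "api", "media", "assets"]);

// Shannon entropy in bits per character of a string.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const c of Object.values(counts)) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic: a label that mixes digits and letters, has almost no vowels
// and high character entropy is probably machine-generated.
function looksGenerated(label) {
  const l = label.toLowerCase();
  if (COMMON_LABELS.has(l) || l.length < 6) return false;
  const digits = (l.match(/[0-9]/g) || []).length;
  const letters = (l.match(/[a-z]/g) || []).length;
  const vowels = (l.match(/[aeiou]/g) || []).length;
  const mixed = digits >= 2 && letters >= 2;
  const fewVowels = letters > 0 && vowels / letters < 0.2;
  return mixed && fewVowels && shannonEntropy(l) >= 2.5;
}

// Classify a request relative to the page that issued it.
// The site is approximated as the last two labels of the page host;
// production code should use the Public Suffix List instead.
function classifyRequest(pageUrl, requestUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const reqHost = new URL(requestUrl).hostname;
  const site = pageHost.split(".").slice(-2).join(".");
  if (reqHost !== site && !reqHost.endsWith("." + site)) return "third-party";
  if (reqHost === pageHost || reqHost === site) return "first-party";
  const sub = reqHost.slice(0, -(site.length + 1)).split(".");
  return sub.some(looksGenerated) ? "first-party-suspect" : "first-party";
}

// Constructed sample requests, using the hostnames from the comment.
const page = "https://www.example.com/article";
for (const u of ["https://www.example.com/app.js",
                 "https://7zs4gc2n.example.com/r/1",
                 "https://ads.tracker.test/p.gif"]) {
  console.log(classifyRequest(page, u), u);
}
```

A `first-party-suspect` result is only a prompt for review: a legitimate hashed asset host can trip the heuristic, and a proxy that picks word-like subdomains will not.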

            2. 2

              With that reasoning browsers should stop asking for permission to display site notifications, requests for location, and allow access to microphone and webcam by default.

              What’s wrong with it if you consider users’ machines to be just temporary extensions to tracking companies’ ad-serving networks?

              The reason why I want browser vendors to step in is that no company will care if their action lands them on a blocklist of an extension they never even heard of. But if the response is “if you do this, you will land on Google’s/Mozilla’s/Microsoft’s shit list” then these practices will stop within minutes of the announcement.

              1. 3

                I tried fairly hard to phrase my comment in a way that didn’t disagree. I just wanted to point out some of the reasons why browser vendors might now have done this themselves already.

                Circumventing intended behaviour is definitely something they should prevent, but that might be more of a technical issue.

            3. 2

              This is where Brave browser + Basic Attention Token could actually be a viable option.

              1. 1

                with more ethical actors which allow users to decide how they want to read content gone out of business.

                If Users care about using browsers that let them decide how they want to read content, then the actors would not go out of business.

                If Users don’t care, then I don’t see why such an actor should exist.

                I don’t see why you need to invoke the great vendors to decide for us what can or cannot be allowed. Not to mention, if you ought to be allowed to run whatever code you want on your machine, that should include dodgy javascripts. You don’t have to go to these websites and I don’t see why they shouldn’t be allowed to choose who gets to access their contents.

                1. 1

                  I think I could agree with this stance if I had infinite time and energy to put into securing my browser.

                  I spend quite a bit of time reading about privacy issues and taking steps to protect myself, and it still doesn’t feel like enough.

                  It’s not that users don’t care, it’s that they don’t care enough to take full responsibility for their privacy. What are we supposed to do, write our own browsers from scratch?

                  In fact there is probably a meta level to it as well: people haven’t invested the time/effort to educate themselves about privacy issues. How many people would care about these things, but simply don’t know?

                  Furthermore, the whole point of this technology is to secretly bypass content blockers - users have already made the explicit choice to not see this sort of content! Who in their right mind “wants” to run code which hides itself from the developer console to avoid detection? It’s like arguing “if you didn’t want headlice you shouldn’t have let the louse live in your hair.”