Aractus

Blog of Daniel Baxter, now secure! :)


Google is building an adblocker into Chrome…

Google is playing with fire. In fact so is Opera. So is ABP, Adblock, and PageFair. To understand where we are, we need to go back to the beginning. This will be a long entry, so grab yourself a coffee, install uBlock Origin if you don’t have it, and enjoy your time here.

Ad blocking has long been a side-effect of the MVPS hosts file, which I have used consistently for more than a decade. Back then internet bandwidth was limited as well, and another side-effect of using it was of course that it blocked unwanted internet traffic. It’s also good for preventing malware – in fact that’s the main reason to use it in my opinion.

History

In 2004 the original Adblock extension was developed for Firefox. Already there were complaints from advertisers and webmasters, for example here “blocking ads on Ars is a bannable offense”. You could also get programs that would block ads. In mid-2007, Maxthon 2 became the first browser in the world with a built-in adblocker. The Adblock Plus extension was created in 2006 to pick up where Adblock left off, and in late 2009, the new Adblock extension was created. For quite some time Adblock and ABP were both very popular. And again, advertisers were not happy – some claimed the extensions are illegal and their use amounts to stealing. Others put up notices in the place of ads – or worse lock the content or use modal overlays. Hank Green and Boogie2988 have both posted rants against the extension, as have many others. Then in 2011 something truly terrible happened: Adblock Plus created a whitelist to allow so-called “acceptable ads”. In 2014, uBlock joined the extension market, and has since become the blocker that is featured in both the Firefox and Edge Extension pages. In 2016, Opera added a built-in adblocker, and now it appears that Google is looking to do the same.

So as you can see, we have a lot to go over.

Blocking is stealing?

This is probably the most ridiculous argument that I have ever heard. Let me put it like this: my PC or other device is MINE, not yours. I own it, and I do whatever I want with it. It doesn’t belong to an advertiser, it doesn’t belong to Microsoft, it doesn’t belong to Google. It belongs to me. Whose is it? MINE! If you can grasp that simple concept, then you can understand that just like my TV, I can choose to do whatever I want with it – I don’t have to look at any ads if I don’t want to. Now of course, there’s something else that’s mine, and that’s my internet connection. To suggest that an advertiser – or for that matter anyone – has some inherent right to it is just insanely wrong. That’s like a bully who wants to control things that you own, and make you do things with your possessions that benefit him.

Why you need to block ads

Blocking ads is not merely a convenience issue – it’s a security necessity. And you don’t need to take my word for it, the experts say so:

“The only effective protection against malware advertising is to block the advertising networks that accept adverts from the criminal gangs.” – Comodo computer scientist, Dr. Phillip Hallam-Baker (source). By the way there’s even a specific term for this threat – malvertising.

It’s also recommended by security guru Steve Gibson:

Take a moment to digest this information if this is news to you. And ask yourself: why is it you haven’t heard this?

The reason you haven’t seen this is that it represents a conflict of interest for many websites to tell you this information. They would rather tolerate serving their visitors malware than dare suggest you remove the advertising from their website. In fact, many of these websites are the same ones that pop-up those god-awful modal overlays telling you they “need advertising revenue”.

I am not suggesting that adblocking is a complete solution. You should also completely uninstall Adobe Flash, keep your system and browsers up-to-date, use the MVPS hosts file, and a good anti-virus program.

The other reason you need to block ads is to protect your privacy. Privacy is an inalienable human right, yet advertisers create, buy, and sell your unique information that they gather. And they do it without your consent. In some countries, ISPs spy on their customers’ internet usage, and sell that metadata to advertisers. In other countries that is illegal, yet that is what advertisers do. I do not believe there is a legitimate case for user-targeted advertising – it’s a blatant form of spyware. And it can put vulnerable people at risk – for example should an advertiser really know that you are looking for crisis accommodation, and if they do learn that and then run ads for these services all over your PC when your abusive partner is using it, what might be the consequences?

The problem with Adblock/ABP and built-in adblockers

So you might be wondering, if I’m so in favour of adblockers – particularly uBlock Origin – why do I have a problem with the built-in blockers? Well let’s start with Adblock and ABP – both of those extensions adopt the “acceptable ads” motif. Now, even on the official Adblock website in a recent blog post the CEO acknowledges its use in preventing malware… yet what do you see nowhere in the acceptable ads policies? That’s right, not one mention of malware. They’re more interested in allowing advertising than protecting their clients from the very real harm of today’s crypto-ransomware. PageFair and Fair Adblocker offer no protection against malware at all. Google supports the Coalition for Better Ads, and they don’t mention malware either.

The issue with all of these existing blockers (except uBlock Origin, that is) is that they put an important security measure in the hands of those who have a conflict of interest. All of these people believe in “acceptable ads” more than they believe in protecting you from harm. To put it another way, the goals of Adblock, ABP, and PageFair do not include protecting you from malvertising – their primary goal is retention: they want to capture people that are fed up with internet ads and retain a level of advertising on their device that the user will tolerate. That goal is completely incompatible with the security goal.

Opera’s adblocker is a problem for a different reason: it doesn’t give the user the choice of filter lists or ability to create their own, and it’s not clear what filters it does use. And the other reason I see it as problematic is that uBlock Origin is already available for Opera and provides a better option – why not include it by default for users instead of a closed-source adblocker? Finally, the blocker is not an extension, it’s built right into Opera and what that tells me is that it can only be updated with Opera – and of course there’s no indication I know of about how often it gets updated – with uBlock Origin the community is in control of all the lists which are regularly peer-reviewed and updated, and the user is in complete control of his or her own rules as well.

I think I really should restate this… the goal of adblocking is to provide you with an effective security measure against malvertising. It’s the only effective preventative measure! It doesn’t matter if you love ads and want to view them all day – it’s more important that you are protected online from malware. So that’s it, and I think that’s where we’re at. That’s why I have an ethical problem with these other blockers – Adblock and ABP used to be great by the way before the introduction of “acceptable ads”.

The problem with Google

Google is obviously the wrong company to be in control of this important security measure that people need. And not only that, but it would be clearly an anticompetitive market move that I suspect would be illegal in many places such as Australia. Do you remember how Microsoft was forced to give people in the EU the browser choice ballot on installation of their Windows OS? Well, can you imagine that the world’s largest internet advertiser would be allowed to write an extension or feature for their software that directly harms their competitors and integrate it into their browser? That has litigation written all over it. I hope they do it actually, and face the consequences. So much for their ‘don’t be evil’ motif.

By the way don’t think this is new to them, they have an absolute monopoly at the moment with their Chrome web browser that sees it as well as most others (this includes Firefox, Maxthon, Safari, and Opera) set the default search engine to google.com. That is extremely anticompetitive – especially given the fact that they pay money to competing web-browsers to make google.com the default search engine. With that said, the recent versions of Firefox have actually improved this by changing the default search engine whenever you use the search bar – but it’s a small improvement as most people only use the omnibar.

Google’s goal is not to improve your protection against malvertising – their goal is to protect their advertising business and to ensure that you will see AdSense and YouTube ads. All they care about is improving the user experience just enough so that users will tolerate advertising. They think that user experience is more important than their security! Imagine this if you will: Google gives up advertising to become the world’s largest condom manufacturer. Next, they outline plans to become the authority on quality control for all other condom manufacturers. I think most people can understand that’s a conflict of interest, but then we learn something even worse: their idea of quality control is not to test that the product provides the protection users expect, instead all they care about is the user experience, and if there are major flaws in the products they will deal with the problem after users are exposed to the threat.

You may not believe me, but Google’s own numbers show they had to remove 900,000 ads from their network that were serving malware! Nine hundred thousand. How many people were infected with crypto-ransomware? Did Google compensate the victims that had to pay large sums to recover their data? Of course not, yet they profited from serving those poor souls the ads in the first place.

Why do I hate ads so much?

I don’t hate ads. As I’ve stated I think quite repeatedly, blocking ads is a necessary security measure. To be protected I have to be prepared to block all the third-party ads – the horribly obtrusive ones that I hate as well as the ones I don’t. As I’ve already mentioned, ad blockers are one of the only effective preventative measures against malvertising – exactly in the way that condoms are the only effective protection against many STIs, other than abstinence of course. So unless you want to disconnect yourself from the internet you absolutely need the best adblocker you can find to help protect you from the ever increasing threat of crypto-ransomware delivered through malvertising.

Now with this said, I do have an ethical issue with third-party internet advertising. As I’ve already mentioned, privacy is an inalienable human right. That’s why you need to consent to questioners. Internet advertisers steal this information from you via analytics without even asking. I think that is morally wrong. Ads that are not targeted using profiles built with analytics, like TV and radio, I don’t mind, but any ad network that profiles individuals on the internet is beneath contempt in my opinion. It doesn’t matter if they have an “opt out feature”, if they automatically opt people in it’s an absolute disgrace of humanity.

But don’t websites need advertising revenue?

This I think is where many advertisers, as well as content creators, and webmasters have got it very wrong. Do they need advertising revenue? Maybe – but that’s not my problem. Nor is it yours. And nor should you be bullied into thinking that it is. Your right to security and privacy trumps a website’s “right” to deliver you advertising. And anyway, the idea that ads should be forced on you completely breaks everything the world-wide web is meant to represent.

I am not arguing that websites shouldn’t be allowed to have ads. Of course they can, but any time they run cross-site scripts that deliver ads, and any time they are not in full control of the ads that appear they are a security risk to you. It’s a misconception by the way that hackers need to hack an advertiser to begin infecting people – one of the ways they’ve actually been doing it is simply by uploading an ad that integrates malware into it that they’ve paid for. To give you an example of how I might get a malicious file to you – let’s say I embed a virus file into a picture file. I offer this picture file for downloads – you don’t know that it contains a malicious executable in it because it looks like an ordinary picture. Once you put the picture on your computer though, you have unwittingly saved a file that looks and behaves like a picture, but is actually an archive that contains the malicious executable. Then, all I need to do is embed code to recover the file, extract it and execute it. And I might hide that code in a completely separate program that appears to be completely safe – but unknown to you it searches your computer for the file so it can extract and run the malicious file.

That might sound convoluted to you – but that’s actually exactly how modern computer infections work. They can hide the malicious file within a picture, a sound file, or a video file, or even something like a font file if they want to get really creative. Those types of files are of course considered to be lower security risk than executable files, so they can get saved into your temporary internet files. What malware does is combine this type of method with a browser exploit that allows them to break the security of your browser and execute the code directly… and there are criminal organisations that are constantly seeking out these exploits. In fact, it’s almost certain that the CIA’s arsenal of cyber-weapons has been used for this purpose as well – both by the CIA and other cyber criminal organisations.

Websites that ask you to disable your adblocker?

What the fuck. I do not even visit my own site with uBlock Origin disabled. What would you think if these websites told you to download and run a binary file on reddit and, oh, disable your antivirus software before doing so? Asking you to disable your adblocker is no different. As mentioned, adblocking is the only currently known general-purpose measure to protect against malvertising. Yes, I feel bad for those websites that depend on advertising – but it’s not worth risking having my files encrypted for a ransom. As others before me have pointed out, making a living knowingly selling access to every well known ransomware distributor on Earth is pretty goddamned despicable.

Like I said, I don’t even disable uBlock Origin on my site – so why the fuck would I disable it for someone else?
