Google planning changes to Chrome that could break ad blockers

The APIs that ad blockers depend on are also popular among malicious extensions.

Read the whole story

 

[TomXP411]

I use Firefox. Chrome is cancer.

Ugh. Please stop using "cancer" to describe things you don't like. It's offensive to actual cancer survivors and the families of people lost to cancer.

 

[TomXP411]

Until they start using DNS over HTTPS. Then all of that is gonna be worthless.

Generally speaking, your router IS your DNS server. Or if it's not, you can configure a DNS server on your network and forward that to your ISP's DNS. Both are fairly trivial operations.

However, DNS blocking has limited utility for ad blocking. It will catch a lot of stuff, but I see a lot of ad content that would sneak by a simple domain query.

 

[TomXP411]

I don't use an ad blocker on desktop browsers. I recognize that's the price I pay for free content.

But on my iPhone, I use an ad blocker because it makes sites load faster. That said, I'm very liberal with whitelisting sites I read often. Such as this one.

I started using ad blockers on mobile because the dratted ads would sometimes get me into redirect loops, where an ad runs Javascript that navigates away from the page I was trying to read...

if not for that, I wouldn't bother on mobile. But yes, an ad and video blocker are great ways to reduce mobile bandwidth (and should be a built-in part of all mobile browsers.)

 

[TomXP411]

So someone will make a local vpn to block ads like adguard does on Android? A shame because it was a good run but i'll switch in a heartbeat, fuck ads. i use Chrome because their dev tools are amazing. Did FF catch up?

There's a program that does this on iOS. It creates a black hole VPN connection and redirects advertising domains to the black hole. The nice part is that it works for all browsers, not just Safari.

 

[TomXP411]

Until they start using DNS over HTTPS. Then all of that is gonna be worthless.

Generally speaking, your router IS your DNS server. Or if it's not, you can configure a DNS server on your network and forward that to your ISP's DNS. Both are fairly trivial operations.

However, DNS blocking has limited utility for ad blocking. It will catch a lot of stuff, but I see a lot of ad content that would sneak by a simple domain query.

No, most routers are not DNS servers. They point to a DNS server but that is not the same thing as being a DNS server. You seem to be conflating the two things as equivalent when they are not.

Also, the whole point of DNS over HTTPS is to essentially allow the client to bypass any middle man to directly connect to a DNS server endpoint that it chooses. Whether that middleman be an OS hosts file, etc. Your router can do whatever it feels like and the client doesn't care.

Every home router I've had in the last decade has had a DNS server in it. The computers on my home network request DNS from the router, and it requests the address from my ISP's server.

I'm looking at my DNS setting right now. It's 192.168.1.1.

 

[TomXP411]

Until they start using DNS over HTTPS. Then all of that is gonna be worthless.

Generally speaking, your router IS your DNS server. Or if it's not, you can configure a DNS server on your network and forward that to your ISP's DNS. Both are fairly trivial operations.

However, DNS blocking has limited utility for ad blocking. It will catch a lot of stuff, but I see a lot of ad content that would sneak by a simple domain query.

No, most routers are not DNS servers. They point to a DNS server but that is not the same thing as being a DNS server. You seem to be conflating the two things as equivalent when they are not.

Also, the whole point of DNS over HTTPS is to essentially allow the client to bypass any middle man to directly connect to a DNS server endpoint that it chooses. Whether that middleman be an OS hosts file, etc. Your router can do whatever it feels like and the client doesn't care.

Every home router I've had in the last decade has had a DNS server in it. The computers on my home network request DNS from the router, and it requests the address from my ISP's server.

I'm looking at my DNS setting right now. It's 192.168.1.1.

Home/consumer routers do indeed have DNS services running on them, I think to help connect to other devices on your home network (versus relying on something like NetBIOS); any request it can't resolve gets forwarded to one or more upstream DNS servers, which are generally whatever the ISP provides via DHCP.

Commercial routers, no; you're not likely to find DNS services on those.

That's true... but if you're running a commercial router, you're also likely running your own DNS, right? I know I would be. So either way, it seems logical that SSL encrypted DNS is never going to be a particularly viable way to bypass ad blocking.

Of course, as soon as I said that, I pictured a system where the web server resolves the IP of the advertising server on the back end and passes that in through generated DHTML. So on-site DNS never gets a chance to black hole the ad.

So yeah, we're back to "software attached to the browser needs a chance to intercept the request."

 

[TomXP411]

nmalinoski[/url]"]
DNS also needs the IP of your parent name server, and since that's right there in the IP stack for any application to query, an SSL based DNS client could just use that address to talk to the parent SDNS server.

 

[TomXP411]

So someone will make a local vpn to block ads like adguard does on Android? A shame because it was a good run but i'll switch in a heartbeat, fuck ads. i use Chrome because their dev tools are amazing. Did FF catch up?

There's a program that does this on iOS. It creates a black hole VPN connection and redirects advertising domains to the black hole. The nice part is that it works for all browsers, not just Safari.

I thought Apple banned VPN-based ad blockers from the iOS App Store?

https://www.macrumors.com/2017/07/14/ap ... crackdown/

It looks like you're right. I don't use the browser on my iPad often, so I didn't notice the ads were back.

 

[TomXP411]

It's hard to stay neutral about this change if the headline is "Google planning changes to Chrome that could break ad blockers" and not, for example, "Google planning to restrict Chrome extension APIs, some ad blockers affected"

Ars readers are all incredibly smart and tech-savvy and would never, ever install an extension that hijacks their search results or replaces ads on all sites they visit, but this is an overdue change for everyone else.

And despite the feelings of most people in this comment thread, there are sites that make all their money from ads. Visiting them with an adblocker literally causes them to lose money (by serving traffic, but not getting any ad revenue).

Watching this thread is baffling. How would you react to a grocery store getting rid of self checkout because too many people are ringing up grapes as onions or something? Would you bemoan the slow speed of the cashiers, or their inability to bag groceries according to your specifications? Or would you blame the people abusing self checkout? Because people using adblock are very much like those abusing self checkout.

Flawed metaphor is flawed. I'm not even sure what your analogy is supposed to mean, precisely, so I won't even bother addressing it.

Ad blocking isn't going away. You can argue for "responsible" ads, and probably be right, but that doesn't change the fundamental fact that some advertising is abusive, and that some people don't want ads, period.

The simple fact is that advertising overkill has spawned the current situation. Ad companies have allowed their ads to be used to inject malware, deceive users, or otherwise do strange things. Some ads, for example, mess with page navigation and simply redirect a user to the advertiser's landing page, not even letting them see the page they were trying to view.

When you can demonstrate that the ad networks and web sites have those kinds of things reliably under control, then it's time to talk about whether ad blocking has outlived its usefulness.

Until then, users should have the inviolate right to block advertising, period. If it's moral to use a VCR to record TV and then fast-forward ads, then it's moral to block ads on web sites. End of story.

Now does the technical merits of blocking extension-based malware justifies removing this API? I don't know, but that's really the conversation we should be having, not bickering over whether users have a moral duty to view advertisements.

 

[TomXP411]

Might be time to finally invest in a Pi-hole.

Totally worth it.

And by "it" I mean the almost negligible cost of hardware, then the five minutes it takes to set the thing up and change your network's DNS configuration to use it.

It's almost miraculous opening some app or webpage on your phone and seeing nothing but the content you actually wanted to look at: The internet as it was meant to be.

How does pi-holing deal with sites that have anti-blocking technology and fail to load, or put up covering content when ads don't load?

 

[TomXP411]

That's one way to help Firefox increase market share.

Until Firefox's devs do the same thing for the same reasons... if the issue here is security, FF almost has to do it, at some point.

 

[TomXP411]

Might be time to finally invest in a Pi-hole.

Totally worth it.

And by "it" I mean the almost negligible cost of hardware, then the five minutes it takes to set the thing up and change your network's DNS configuration to use it.

It's almost miraculous opening some app or webpage on your phone and seeing nothing but the content you actually wanted to look at: The internet as it was meant to be.

How does pi-holing deal with sites that have anti-blocking technology and fail to load, or put up covering content when ads don't load?

In most cases, as far as the site is concerned, it successfully sent the request to load the ads on the page. The DNS name of the server hosting the ad just didn't happen to go anywhere useful, but most of them don't seem to be tracking it quite that aggressively.

I've rarely had any issues with things like that, at least not in the way that sites whine about plugin-based ad blockers. Those few that do cause problems end up on my blacklist. Maybe they'll prefer the memory hole to the pi-hole.

Could you pop in to https://www.rockpapershotgun.com/ as a test, and see if it pops up the "You're using an ad blocker. We wondered if you might not?" message?

If those don't work, I will probably implement a pi-hole myself.

 

[TomXP411]

Might be time to finally invest in a Pi-hole.

Totally worth it.

And by "it" I mean the almost negligible cost of hardware, then the five minutes it takes to set the thing up and change your network's DNS configuration to use it.

It's almost miraculous opening some app or webpage on your phone and seeing nothing but the content you actually wanted to look at: The internet as it was meant to be.

How does pi-holing deal with sites that have anti-blocking technology and fail to load, or put up covering content when ads don't load?

In most cases, as far as the site is concerned, it successfully sent the request to load the ads on the page. The DNS name of the server hosting the ad just didn't happen to go anywhere useful, but most of them don't seem to be tracking it quite that aggressively.

I've rarely had any issues with things like that, at least not in the way that sites whine about plugin-based ad blockers. Those few that do cause problems end up on my blacklist. Maybe they'll prefer the memory hole to the pi-hole.

Could you pop in to https://www.rockpapershotgun.com/ as a test, and see if it pops up the "You're using an ad blocker. We wondered if you might not?" message?

If those don't work, I will probably implement a pi-hole myself.

Yeah, I tested it across three browsers, private/regular, with my usual blockers and without.

I only ever saw the page content, bordered by some blank whiteness and the occasional indication that an otherwise-unidentified "advertisement" used to exist here or there. Whatever blocker-detection they're running seems to be part of the ad service, so into the pi-hole it goes.

Pages also load a lot faster, and all the mobile devices on the wifi are passed through as well so the experience on those is also improved.

I've got a few RPi machines here. I'll probably set one up as a DNS server then. Thanks.

 

[TomXP411]

gHacks published an article this morning with news that Opera has also gotten into the "block the ad-blockers game," currently only with search engines.

Opera users who run any recent version of the web browser -- Stable, Beta or Developer -- and either the native ad blocker or a browser extension that blocks advertisement, may have noticed that ads are no longer blocked by either solution on search results pages.

Opera users with content blockers enabled may notice that advertisement is displayed as if no content blocker was enabled in the browser on search results page.

Opera made no mention of the change in recent Opera changelogs. Developers find information about it on Opera's Dev website:

Opera implements an additional privacy protection mechanism. By default, extensions are not allowed to access and manipulate search results provided by most built-in engines.

It feels like it is nearing endgame for web browsers that rely on advertisers for money.

"Now that Microsoft has finally folded and Chromium rules the web, what are you going to do?  Run Firefox? Pfft.  Watch as we break YouTube on non-Chrome browsers.  Then what are you going to do?"

If Google went through with breaking YouTube on non-Google browsers, I would expect alternative video sites to pop up.

Uh, YouTube is already a monopoly on video. And of course YouTube is owned by Google.

Also, Google's behavior with breaking YouTube on non-Google hardware has precedent. When Windows Phone was new and starting to get traction, Google intentionally broke compatibility with YouTube. They inserted a string into the YouTube code where if it recognized that it was a Windows Phone trying to access YouTube, it would block access. Even when Microsoft created their own YouTube app for Windows/Windows Phone, Google blocked them too.

Here's a quote from a Microsoft VP: "It seems to us that Google’s reasons for blocking our app are manufactured so that we can’t give our users the same experience Android and iPhone users are getting. The roadblocks Google has set up are impossible to overcome, and they know it"

Google broke the site for Windows Phone because the Windows Phone viewer wouldn't play Google's ads. Google flat-out gave that as the reason at the time. That's the same reason Google blocks the Echo Show from YouTube.

 

[TomXP411]

All I know is I appreciate all the Ars readers who use the best form of not seeing ads on the web.

https://arstechnica.com/store/product/subscriptions/

What if you had to make a payment to every website you want to visit to make ads go away?

What if every website you visited went away, because you didn't support them and expected free to just work forever?

It's that simple. It doesn't matter what your reason is. You're afraid of malware. Ads slow down your computer. You just don't like them. Whatever. I know all the arguments, and I'm not fighting them.

End of the day it's pretty simple: sites like Ars cannot exist for free. We have a large staff that works very hard to do what we do, everyone likes being able to cash their paycheck and live their life with that. If everybody ad blocks, we go out of business. Unless enough people subscribe to offset that, and right now that seems highly unlikely. Doing my best to work on it.

We're happy to have a sub program, if we could cut out the advertising middle man entirely and be direct to readers, ad-free, that would be amazing. But as you say, everyone doesn't want to pay for every site.

If the journalism you care about vanishes you can blame the greedy ad industry if you like. Blame us for not coming up with a different model. It won't change the reality, and that is that content like what we do does not exist for free, and one way or another users need to help pay for it, or wave goodbye to it. Period.

Some people like that idea, "the web will be pure like it used to be! blogs will replace it all" or whatever. If you think journalism like what we do will just exist out of nothing you're fooling yourself. Of course I'm biased, I want my paycheck too, I like my job. But I think it matters, and people aren't going to like the outcome. Because it will be the sites than can exist with other funding that survive, and that's going to mean rich people get to fund their journalism voice in a much louder way, and sites are going to take paid placements and become hollow shells of integrity to keep the lights on.

While all this is true, the ball is in content producers' court to convince readers that their sites are safe to use with ads turned on.

Honestly, if I had the option I'd happily pay into a shared-subscription system, where my subscription is shared between all of the sites I visit. Pick the top 10 sites I visited in a month and split my subscription money between them on a proportional basis. Something like a $10 or $15 sub would probably net my top 3 news sites more money than my ad impressions, especially because I never, ever click through on display ads.

This could even be done with an ad blocker. Let me subscribe to the ad blocker, and the ad blocker publisher pays web sites based on my viewing habits. This pays sites to participate in the system, as well as blocking harmful ads. Everyone wins.

Individual subs to web sites is not something I'm likely to do, but a shared subscription system is something I'd support and be involved in.

 

[TomXP411]

Honestly, if I had the option I'd happily pay into a shared-subscription system, where my subscription is shared between all of the sites I visit. Pick the top 10 sites I visited in a month and split my subscription money between them on a proportional basis. Something like a $10 or $15 sub would probably net my top 3 news sites more money than my ad impressions, especially because I never, ever click through on display ads.

This could even be done with an ad blocker. Let me subscribe to the ad blocker, and the ad blocker publisher pays web sites based on my viewing habits. This pays sites to participate in the system, as well as blocking harmful ads. Everyone wins.

Individual subs to web sites is not something I'm likely to do, but a shared subscription system is something I'd support and be involved in.

Sounds very similar to the model that Brave browser is trying to push.

I always figured though a dead-simple sort of Patreon-for-websites model, but with much smaller per-user transactions, is just the sort of thing the web needs.

Any model though would necessarily lead to one or more middleman services handling the transactions and knowing each and every website their users donate to and possibly even just visit. The only way I can see around that would be to make bitcoin (or something similar) as simple as *click--done, dropped 50c in the tip jar*.

I honestly don't care that someone is tracking what web sites I visit. My username is all over the search engines anyway, since I've been a prolific forum user and poster with this name since 2002.

If I care to hide what I'm doing (which I might do when researching a law enforcement issue or a less than reputable web site), I can just pop over into Incognito mode or open my second browser profile.

 

[TomXP411]

I honestly don't care that someone is tracking what web sites I visit. My username is all over the search engines anyway, since I've been a prolific forum user and poster with this name since 2002.

If I care to hide what I'm doing (which I might do when researching a law enforcement issue or a less than reputable web site), I can just pop over into Incognito mode or open my second browser profile.

Oh my sweet summer child

https://security.stackexchange.com/ques ... ues/153351

https://medium.com/@ravielakshmanan/web ... ac3c381805

I think you misunderstand the context.

We were talking about a hypothetical patron tool that would track sites I visit and pay those sites based on how many times I go there. Obviously, that tool has to log where i go for that to happen - and I obviously would have to consent to that logging.The purpose of Incognito mode would be partly to temporarily disable this patron tool, so I'm not counting certain web site visits as part of my patronage.

For example, I get a potential spammer on my forum. I don't want to give the spammer part of my patronage money while checking his link, so I right-click and "open in Incognito mode." The patron tool doesn't log that visit, because that visit was made with the patron tool disabled.



If I truly wanted to disable tracking for safety reasons, I'd take other countermeasures entirely.

 

[TomXP411]

Sorry but most brick and mortar stores do not charge a customer to walk into their establishment and browse. And if there is a door fee, typically there is no "free" (with ads) option.

That argument really only applies to e-commerce sites where you're there to spend money directly.

When a site's income is through indirect means, such as advertising, there's a clear case to be made that blocking ads is not fair to the site. (Although, yes, that has to be balanced against the fact that you take a risk with every ad viewed that the ad will be harmful in some way.)

 

[TomXP411]

Two revenue streams (one of which is progressively becoming less profitable) is hardly "diversified".

It is what it is. Clearly you have no genuine interest in helping be part of the solution, so I'll pass on discussing it further with you after this.

But we're not going to survive on selling Moonshark mugs, and we have no interest in taking on sleazy paid placement and turning into paid shills pretending it's not sponsored content, so there you have it.

At the end of the day all the smug people who sit there and go "well your business plan sucked oh well" are still going to end up with the same shitty outcome as the people who lost their jobs.

I wonder if that's what some people want. I honestly think that if 75% of the world's "news" sites went under, that would be a good thing... the problem is that the 75% I would like to see disappear (the Buzzfeeds of the world) are not the ones that actually would disappear.

 

[TomXP411]

"That is a serious question (the sort nobody seems willing to ever answer). Do you think businesses shouldn't have to sustain themselves?"

Of course they do. They follow the social contract.

They create. You consume. You pay for it.

How are you paying for Ars Technica's news, Dark? Are you viewing the ads, or are you a paying subscriber?

Or are you the third choice? What is the third choice?
That's the guy who doesn't pay for what he takes, despite the clear social contract.
What do we call people who take things without paying for it?

Let's ask this guy, I'll bet he knows...

You love Ars Technica. You have posted here over 7000 times. You've been a member for more than 11 years.

So ask yourself, do you think it's really fair to spend so much time here, to soak up all of their hard work, and not pay for it?

Because only one kind of person does that, and I think we all know what kind of person that is.

As for me, I've put my money where my mouth is. I don't want the ads, so I pulled out my credit card.

Will you do the same? Put that et Subscriptor tag after your name, and then you can talk.

 

[TomXP411]

Sites allowing that stuff on their pages are the reason why we can't have nice things - not the people who opt out of loading that (there is no nice way to put it accurately) shit.

Fine. Pay for a subscription and avoid those ads.[/quote]

That works here. It does not work everywhere.

Google is prototyping a "reduced ad" service that allows subscribers to eliminate advertising served by Google. The websites that serve Google ads still get the money, but it comes from the user's subscription, rather than from advertisers.

That needs to be expanded to all ads on all ad networks on all web sites. I'd pay for a service like that, which I know would support the sites I visit while also reducing ad clutter and the various drive-by attacks that happen through advertising engines.

 

[TomXP411]

The article mentions two things: Slowness and safety from malicious extensions.

I never have any problems with browser performance on my 3 GHz i7 with 32GB of RAM...

What, why are you all glaring at me like that?

I think part of the disconnect here is that people running on 10 year old machines or systems with netbook-class CPUs are seeing a different web than those of us with supercomputers on our desks.

Personally, I don't mind the performance hit. I do mind that a malicious plugin can rewrite the page without my permission - but that's one reason I keep my plugins limited to the truly necessary ones.

I'm still back and forth on this. After reading up more, the objectors are probably right, but then how do we fix the underlying issues involving content re-writing?

I'm thinking we really need a better and more reliable trust system for extensions, but I'm not sure precisely what that would look like, at this point.

The only way to ensure security is by moderating the platform extension's are distributed through.

I feel like this is really the only solution. A well-curated extension repository.