There is no "Advertisers" here - blackhats are using advertising tools but there is no advertiser involved at all. This is not a nitpick - advertisers aren't doing this.
1. Ad networks / exchanges allow (don't catch) these ads
So you're saying it's seriously gross negligence and lack of security on the part of ad networks and publishers alike. I can accept that. Due to that negligence, however, they both are, willing or not, part of the threat and have to be defended against.
I also agree that browsers could and should do more to stop unnecessary scripts. At some point, a blacklist will not be enough (I think we're here already) and a whitelist will be the only viable approach going forward. The question is, how to curate a whitelist for the majority of users? Also, why don't Firefox and other open source browsers include things like ad blocking and script blocking by default?
I don't think it's negligence really, though it is bad. The problem isn't extremely widespread and it seems only smaller networks that don't have the resources are affected (Google fixed that problem on YouTube very quickly).
I don't think white/blacklists are the best solution, though they do work most of the time right now - I'd rather see a flag that publishers can enable to browsers that lets them use more resources. If your site is a web-app, allow it to use a lot of resources. If it's a blog / non-intensive site, simply don't let it use a lot of resources or just ask the user if they want to use more resources.
I don't know if sites would self identify or if a browser could just analyze them on the fly, but this approach seems to make sense. (A little rocky at the start, but it would scale effectively).
1. Ad networks/exchanges allow ads to run arbitrary JS and try to rely on "catching" bad ads instead of properly restricting what ads can do.
2. Publishers tolerate this and use such ad networks.
3. Browsers do what they're supposed to do, execute the code delivered by the publisher's site and the resources it references.
The only thing browsers could do is show a warning that "www.publisher.example.com is using large amounts of CPU resources" to discourage web sites from being shitty, but ultimately, it's the responsibility of the publisher to make sure his site doesn't serve malware.
Keep in mind that next time, it could be a 0day exploiting your browser instead of a miner.
I understood the context of the article, but I was encouraging you to go a bit deeper. "bad guys" are not the only group that might be motivated by having your browser mine bitcoin. And "publishers" make the API call out to the ad network and get the ad ready to show in their page pipeline.
I was insinuating that there is a financial interest by the publisher to "make more on ads" that is abetted by injecting bitcoin mining into the ads they serve up. Doing this in the ads gives them a great 'out' when they are discovered "oh it's bad actors in the ad network, what can we do?"
The Salon article is a demonstration that publishers do in fact consider this as an alternative. I doubt Salon was the only one and I doubt that all publishers would be so ethical as to "ask first" given their behavior in the adblocking war.
This comment should be higher up. It's not the advertisers. It's the ad network not noticing that bad actors (that aren't advertisers) are gaming the system.
This seems to be an inherent problem with the ad network model.
You've got 3 or 4 different parties involved in the current ad system: The content publisher who hosts the ads, the ad network, the advertisers, and, possibly, the company the advertiser hires to write the ad. And it's not like old school print ads where the content publisher gets to look over a proof before everything gets sent out. Several of these parties either don't or can't really understand how the ads really work and what the final product is going to be like.
In this kind of situation, whose responsibility is it to maintain integrity and keep the bad actors out? I'm not sure that it's anybody's. _Maybe_ it's the ad network's, but, realistically, they're sitting on top of an immensely complex system that is going to be very hard to police properly, so they won't spend the money on it unless they're forced to.
I suspect that the only way to force them to do it is to have a court find that an ad network hosting a malignant ad is either tortious, or makes them an accessory to a crime.
> In this kind of situation, whose responsibility is it to maintain integrity and keep the bad actors out?
Publishers bear liability for serving up malware to their readers; ad networks for serving up malware to the publishers. We're just waiting for an enterprising lawyer/litigation financier to put the pieces together.
I'm still blocking ads and javascript everywhere I browse. If the ad networks are the ones distributing this malware, they're either complicit or negligent. Either way, the source of the malware from my perspective as a user is still "ads".
Well, I don't think most users care about directing feedback. I know I personally would rather just deprive them of the impressions with noscript and/or ad block.
I don't have time to be submitting complaints to faceless Internet corporations. I just want to use the web without being bothered.
I just commonly see users get mad at "advertisers" when in cases like this, advertisers aren't involved at all. Not to say they don't carry some blame, but it's blackhats doing the major wrong.
Advertisers and publishers should pressure ad networks and browsers to do a better job fighting fraud though.
And because you don't notice your PC infected by botnet s/w, does that mean you can expect to get a free pass from spam filters? Ad networks operate for profit, they are not charities, therefore they should invest the effort to secure their systems if they want what little goodwill that remains to not evaporate.
So it has come to this. The Advertisers are shedding their self-righteous camouflage and just being evil. Adblocking is a necessary component of defense in depth.
At least nobody will be able to give the old "Oh, but advertising is necessary for Capitalism" excuse. This is way over the line. Down with the corporate capitalist "internet" of ads!
Use Firefox. Use uBlock. Use NoScript. Use Privacy Badger.
This is such a well defined concept that I'm having trouble believing that even a troll would advocate a "The Advertisers doesn't mean anything" viewpoint. I might as well claim that there's no ad blocker either.
I'm not sure I understand that, why go through the trouble of setting up random domains to bypass filters if you then load https://coinhive.com/lib/coinhive.min.js directly? Any filter will probably already block that URL if no other.
Now if they started serving the JS from random domains and URLs that would mean trouble because you couldn't just use the URL-based filter approach most adblockers use. I'm surprised this doesn't appear to be more common. If it gains steam we might have to use a whitelist approach for trusted 3rd party javascript sources. Not necessarily a bad thing IMO, although that might stifle innovation a bit on the web.
This isn't about adblock. This is cloaking. If someone is employing filters/adblock, their code won't reach the victim. If someone isn't, they can reach out to coinhive directly.
They just need to hide coinhive from the ad platform, which is what they use the random domain for. When the ad platform fetches the ad code from the domain to inspect it, the random domain serves harmless code. When the user fetches the ad code, they get the miner.
The solution is for ad platforms to disallow external resources and custom JavaScript, and for publishers to be held responsible when their sites serve malware (whether directly or because they used an ad platform that sold the space to another ad platform that sold the space to another ad platform that sold the space to a bad guy who was able to serve a custom script because each of the platforms along the chain let everyone include arbitrary scripts).
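Added example, not part of the thread: one way an ad platform's review step could check for the cloaking described above, by requesting the same creative under several client profiles and reporting hosts that only appear for non-scanner profiles. The function names, profiles and the stand-in ad server are hypothetical and constructed so the check runs offline.

```javascript
// Added example: differential fetch to spot cloaked ad creatives.
// All names, user agents and responses below are constructed.

// Collect the hosts of every absolute URL referenced in a creative's body.
function referencedHosts(body) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(body)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Fetch `url` once per profile. profiles[0] is the baseline (the platform's
// own scanner). A body that merely differs is not proof of cloaking, since
// creatives may legitimately vary by device; the hosts that are absent from
// the baseline are what a reviewer needs to look at.
function findCloaking(fetchCreative, url, profiles) {
  const baseBody = fetchCreative(url, profiles[0]);
  const baseHosts = referencedHosts(baseBody);
  const findings = [];
  for (const profile of profiles.slice(1)) {
    const body = fetchCreative(url, profile);
    if (body === baseBody) continue;
    const extraHosts = [...referencedHosts(body)]
      .filter((h) => !baseHosts.has(h))
      .sort();
    findings.push({ profile: profile.name, extraHosts });
  }
  return findings;
}

// Constructed stand-in for the remote ad server so the example runs offline.
// It mirrors the behaviour described in the thread: the reviewer sees a
// banner, everyone else gets a reference to the miner library.
function constructedAdServer(url, profile) {
  if (profile.userAgent.includes('AdReviewBot')) {
    return '<img src="https://static.advertiser.example/banner.png">';
  }
  return '<img src="https://static.advertiser.example/banner.png">' +
         '<script src="https://coinhive.com/lib/coinhive.min.js"></script>';
}

function demoCloaking() {
  const profiles = [
    { name: 'ad-review-scanner', userAgent: 'AdReviewBot/1.0 (constructed)' },
    { name: 'desktop-user', userAgent: 'Mozilla/5.0 (constructed desktop)' },
    { name: 'mobile-user', userAgent: 'Mozilla/5.0 (constructed mobile)' },
  ];
  return findCloaking(
    constructedAdServer,
    'https://random-ad-domain.example/creative.js', // constructed URL
    profiles
  );
}

for (const f of demoCloaking()) {
  console.log(`${f.profile}: hosts not shown to scanner -> ${f.extraHosts.join(', ')}`);
}
```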
You can selectively block inline, 1st-party and 3rd-party scripts with uBlock Origin ("uBO").[0]
Moreover, the Firefox/webext version allows you to remove specific inline script tags before the document is parsed by the browser.[1]
uMatrix can selectively block web workers, which are typically used by coin miners.[2] I have long been thinking of bringing that ability to uBO, but I want to do it right UI-wise.
Maybe we should get rid of web workers at browser level until we figure out this mess. Web workers are seldom used and could be enabled manually per site.
If you're using Chrome, check out chrome://serviceworker-internals/. It'll show all the websites you've visited which have registered service workers. Mine has 25 entries, including Twitter, Amazon, Google, Google Drive, Let's Encrypt, etc.
I'm sorry. As a user, to me "offline mobile first experience" sounds like a synonym for "this website takes more than 30 seconds to load and drags my phone down to its knees and the author was just too lazy to write a native app". I don't mean that as an insult, but as a user that is precisely what that sounds like to me. Nothing about web apps I have access to acts to change my mind in this respect. They're all incredibly slow to load, especially over anything less than LTE. For extra credit, they usually take up so much RAM that Chrome RAM usage ends up kicking out all background applications out of RAM on my phone.
Does downloading and installing a native app take less than the time to load a webpage on your phone? In my experience, web pages in general load much faster than native apps.
Consider the whole web hostile. Browse with uBlock Origin and JS off. Enable JS for trusted domains only. Give up, blacklist, and go elsewhere if whack-a-mole enabling needs too many unknown random domains enabled just to read that article.
That has been the model since the beginning. The problem is that web developers and browser developers have a greater interest in doing their thing than in protecting end users. Thus the introduction of cookies, javascript, iframes, etc. It's been a continuous curve of increased scope inside the browser. Now we have web assembly, workers, websockets, local storage, etc. and no good way for the end user to actually observe any of this shit. Browser developers are reinventing the operating system, but poorly.
You make me think of the travesty of web video. Flash video worked fine, and Flash blockers worked well and gave users the control of when to play video. Flash blockers were some of the most popular plugins. Then, for reasons that users didn't care about, the web was "improved" to build video into JavaScript APIs. But somehow they failed to add users' top requested video feature: autoplay control. Now we're stuck with publishers using increasingly user-hostile autoplay video with no user control.
I very much cared about proprietary software with loads of vulnerabilities hogging the CPU being replaced by something more sensible.
That browsers don't implement any effective autoplay control still is idiotic (but then, the solution is simple: deactivate all codecs, and use youtube-dl for a better and ad-free user experience anyway).
Yes. Flash was made click to play by default and all seemed to be fine, then we got HTML5 video. I still can't manage to block some videos on popular news sites from autoplaying each time I visit an article page. Even with media.autoplay.enabled set to FALSE in Firefox's configuration.
I simply can't imagine how one can use the web today w/o this strategy. Frustratingly, I also can't figure out how to instruct my non-technical family and friends on doing this themselves.
It's not that nobody's interested - people I know are interested in finding out how my browser is able to display pages so much faster than theirs, and how my computer remains responsive even when I have a bazillion tabs open. But effectively using NoScript inevitably requires having at least enough technical knowledge to understand how JavaScript works and predict which blocked components are causing the bit of the page that you actually want to fail to load.
It's almost like there needs to be a NoScript-like plugin that crowdsources a whitelist of domains (or, maybe better yet, specific scripts) so that non-technical users can have access to the knowledge of people who have the ability to figure this mess out. But, of course, you'd need to figure out a crowdsourcing method that's resistant to attack, because the ad networks and other malicious players would immediately be paying the click farmers to vote their scripts into the whitelist.
The best solution I have found for my friends and family is the Brave Browser on the desktop, and Firefox Focus on mobile. Neither are perfect, you do have to give up some granular control, but I feel they might be the best solutions for the layman at this time. I've also heard that DuckDuckGo recently made a simplified uBlock-type add-on. Haven't had a chance to play with that much however, maybe someone can chime in.
rPi and pi-hole is probably the best option here these days. Friends often ask how their phone is so much nicer when they visit than at home. :D I've converted a couple.
I don't think trying to convey what ad or script blocking choices they should be making really works with non-tech folks any more. To be fair it was always a bit of a stretch...
What tool do you use to manage switching JavaScript on and off on a per site basis? I too want to default off and whitelist but I'm not sure the best way to do it as the browser addons I have found make it easy to turn JS off, but they default to on and don't have a default off capability.
uMatrix is definitely great for this. I consider it a request firewall at browser level. And it works very well at blocking everything (JS, CSS, image, any type of request really) by default, should you wish to do so.
It also allows blocking webworkers which mining sites tend to rely on.
Chrome displays an icon on a tab to convey that it’s playing audio.
Perhaps it would be a good idea to similarly visualize tabs with high CPU/GPU consumption?
A browser does most (if not all) of what an OS does, so it shouldn’t be surprising if a task manager (which shows CPU usage) is also useful for browsers.
I think so. A few days ago someone posted something [1] about how they use their own sub-domain to alias CDNs so they can simply update DNS records to easily fix issues with a CDN site suddenly moving or disappearing. I argued that this breaks any chance for content to be pre-cached before a user visits your site for the first time but I walked away convinced that this one-of-many use cases for CDNs isn't all that useful in practice. Alias real content providing CDNs all you want, but if you want to alias an ad network to get around my proposed rule, then you risk your entire domain getting blocked by the likes of uBlock Origin.
I'm not an expert in any of this. I'm not even remotely sure what I'm proposing is possible or would be effective. I just want to start a conversation because I know what I don't want and throwing ideas out into the wild is better than staying quiet. I know I have no interest in giving up any privacy for a potential few seconds saved on load time for a site I'm not sure I even want to visit in the first place. Load times should be the burden of the site owner. Ideally that would be optimized by serving only what is absolutely necessary to get me to the thing I wanted to see. Not that plus the 10 other things you and/or third-parties decided they deserve to serve and hope my machine has pro-actively pre-fetched so I don't perceive the shit-show going on behind the scenes. Given all the details of how this stuff works, I don't think most users would volunteer for it either.
Yes. Not because you're doing anything wrong yourself, but because the cost to the user of allowing third party scripts is too high to tolerate nowadays.
I use some advanced techniques myself: ublock origin! Seriously though, fuck ads, fuck ad companies, fuck browsers made by ad companies. Each and every one of them is actively working to erode your privacy and use your resources.
The article is about ad companies circumventing adblockers by using autogenerated domain names. Unless you update all of your filters everyday, you are still vulnerable.
Alternative: block all third party objects (script files, iframes, images, the works) except those from sources on a white-list so libraries on CDNs function.
Looks like I finally need to get around to researching the options for this.
I'll have to stick with the more naive DNS blacklist based blocking for network wide protection though, as I don't want to tell others to use something more aggressive then have to support "this site doesn't work!" requests.
On my Mac and Linux machines I do the regular block but on Windows it's full block all the way, not even so much for the ads but for the fact that so many networks distribute(d) malware.
Sorry but your website's business model is an infinitely lower priority than me needing to re-image my Windows install yet again because one of your fellow companies is asleep at the wheel regarding security.
I already use Advanced Mode, but uBO makes no distinction between blocking scripts and cookies, XHR requests, and Media elements. uMatrix does make this distinction, so I'm led to believe uBO doesn't block them at all. That's necessary for me.
I use uBO and uMatrix which work well together. uMatrix has "block third party resources by default" behavior that can be precisely customized per domain and resource type (eg, allow images and css but not scripts or XHRs).
I have used them both for a very long time but I'm trying to get away from uMatrix because, even though I love the fidelity of control it gives me, it seems to be utterly broken since Firefox Quantum and will not load any frames, unless it is completely disabled from the Add-ons page.
I've been patient for months but it still isn't fixed, thus I'm trying to shed my dependence on it if uBO can offer me the same thing on its own.
For what it's worth, I've occasionally noticed similar problems with frames (embedded content from other sites especially), and it seems that force-reloading the page with ctrl-shift-r gives a different behavior than the reload button in the uMatrix panel.
I usually unblock the embedded domain, manually allow frames, then force-reload the page, but it usually seems to work.
I'd argue a more subtle point: JS is fine, it's phoning home with all sorts of personal info siphoned off my PC that is the problem. JS is used to do this usually, but isn't the only way as seen in tracking pixels in JS-less HTML emails.
> I'd argue a more subtle point: JS is fine, it's phoning home with all sorts of personal info siphoned off my PC that is the problem.
No, I think that this case demonstrates that it's JavaScript which is the ultimate problem: cryptomining is a code-execution problem (although there is a network-access component to it, since the mining code needs to get block information & submit block results somehow).
I like to imagine that in a few decades we'll wonder how we ever thought it was a good idea to grant frictionless full-execute privileges to all the code everywhere, but honestly I'm far too pessimistic to believe that we'll ever wake up.
We got rid of Flash, for the most part. But people seem to be in denial of JS being an issue even though it's been used time and time again to bypass security.
Personally, my JS has been disabled since Meltdown/Spectre. There are sites that don't work and some of the big ones that I have more trust in I'll whitelist. But for the most part it stays off.
Exactly. Auto-executing third party code that has network access privileges seems like a massively bad idea, surely? Especially as it's virtually invisible to most users.
What would you consider as the alternative?
People are so used to getting news and various services "for free", it's very difficult to get them to pay for it.
Advertising _without tracking_. Advertising was done that way for all of human history until recently. Take away their ability to run arbitrary code on users machines and the problem is completely solved. There just needs to be an advertising company that steps up to the plate and says: We will get your ads to eyeballs and _we_ will ensure sites are holding up their end of the deal instead of deferring that role to user machines. You won't be able to track users, but you never should have been allowed to do that anyway.
Quite a lot of material on the web is only there because of advertising, not because it's any good. Unsurprisingly the "free market" doesn't work very well when everything has a zero cost associated with it.
The downside of losing ad-supported media will be ad-sponsored media paying to write the content itself.
This has certainly been the "common wisdom" trotted out for a long time now, but it's also always struck me as post-hoc reasoning. There simply has never been a modern industry-wide, concerted effort towards creating and requiring use of an extremely convenient web pay system, despite advances in technology and user sophistication over the last 20 years. If ads simply were no longer economically viable, would users really simply give up on all news and such? Everyone would simply throw in the towel?
I'm extremely skeptical. It's not at all hard to think of a lot of different ways that would be enormously convenient and highly transparent to users to have direct pay options. I think they haven't been tried because of the standard technology issues: we're in a local minimum and there is enormous inertia with what "everyone uses" already. But that's not at all the same thing as being in an absolute minimum, where any change would necessarily be less efficient. Quite the contrary, in tracking flow of money and resources advertising looks to have quite a few unnecessary inefficiencies between user goals and publisher goals. That being the case I see no reason to believe inherently that something better could not be developed if there was sufficient motivation, and an existential threat would certainly be that.
> industry-wide, concerted effort towards creating and requiring use of an extremely convenient web pay system
Without government backing, the system you envisage would ironically be prohibited by antitrust laws. It would be a rather clear example of price-fixing and collusion by competitors. Maybe there's some way to do this through peer pressure or incentives, but I think we've seen that approach fail so often that it's hard to see what could be done differently short of a hardline approach that would trigger regulatory scrutiny.
> People are so used to getting news and various services "for free"
Many people I know (myself included) pay for articles they read on the sources they choose.
It's the websites that copy the articles, mix the words a bit and republish that get into trouble and in my experience have the most problems with ad blockers. I don't think that's a bad thing.
Like others said here, if nobody wants to pay for your articles you either publish them for free or do something else with your life.
I think you should also use quotation marks around the word news.
Maybe the alternative is: if you don't want to charge for the content you produce or give it for free don't bother producing it. There are huge chances your content is just shit anyway.
I've been idly wondering if it would be so bad if advertising on the web simply wasn't profitable. Losing search engines seems like the biggest loss to me, and admittedly it's a doozy. But otherwise, it's not immediately obvious to me that the web is better for all the ad-funded content on it in the first place.
This situation is similar to dumping[1]. The only reason people aren't willing to pay for content is that there's always another company willing to give it away for "free" by leveraging ads. The reason that's economical is that all-pervasive tracking inflates the value of ad inventory and allows for a lot of additional "value" to be created even if the visitor doesn't click on an ad. If some of the most abusive adtech practices were flat out illegal paid services could compete again because a profitable, "free" alternative would not be possible.
The other form of dumping comes from tech companies operating in the red but surviving on investment dollars. Frankly, this is a result of growing wealth and income inequality that leaves investors with few avenues for growth outside of ad-funded moonshots as consumers aren't able to drive growth like they used to due to flat income.
Edit: Imagine a world where the average consumer makes $10k more per year, then turns around and spends some of that on online services. You now have a situation where the interests of the user and web service provider are aligned. The user is now the customer, not the product.
People created content on the internet before there was advertising. So to reiterate the GP's point, fuck ads and fuck ad companies, even the "legitimate" ones are a blight on the landscape and quite frankly scum.
For text, computing resources are cheap enough that it can be entirely non-profit or run by independent bloggers, etc. Wikipedia, blogs, IRC, and sites like HN don't require all that much and could be financed without ads if they chose to be.
Video, particularly HD video, absolutely requires ads or subscriptions. Social networks could probably be built atop WebRTC and run in a federated way, more like IRC... but image or video sharing would start to demand significant resources.
A vast majority of that content is dog shit. Losing it would mean a net loss of precisely nothing. My favorite sites don’t run ads, and either pay for access (NYT), accept donations, or do it for the love of doing it. I’m happy to lose the endlessly nested clickbait in favor of quality that doesn’t update every 5 seconds.
Not really, unless you're about to give up everything Google has created. Advertising is a 12-figure global industry, it takes more nuance than saying "I hate everything".
> Not really, unless you're about to give up everything Google has created.
I basically have. DDG + Fastmail + Firefox. Google is not some magic technology elf that makes the web work. And frankly, their products aren't THAT good. Search has been declining in usefulness for years, YouTube is a hot mess that's in the process of demonetizing all the niche content.
The use of short lived auto generated domain names is the kind of pattern that triggers malware warnings at domain registrars and I know IIS (registry for .se) have people being paid to actually monitor such type of domain abuse. The domain industry sees it as abuse and "advanced malware technique" would not be out of the question when describing it.
Also, it is not just random domain names. It is random registrant data. It is short lived domain names. It is obfuscated NS infrastructure.
"Conceal" is quite an ambitious term for something that literally makes noise out of your computer fan. `top` to check that Firefox is guilty and `about:performance` to close the guilty tab. There are so many shitty JS single-page sites out there that abuse clients' resources I don't even care whether it's crypto mining or just incompetence.
Plenty of devices have loud fans irrespective of their current CPU load. Being facetious, there also exist fanless PCs submerged in oil which do not make sounds based on CPU load.
Checking your CPU usage via `top` is a relatively "power-user" esque function so your experience is unlikely to be reflective of the general population.
So… the next line of defense is to block all third parties by default (requests to other domains) and only enable specific domains on a case-by-case basis?
Or they can do what the spam industry has been doing for years in order to address random domain names being used for malware.
For example, newly registered domain names tend to get a small added spam score when used in emails. Spammers could wait a month but that gives registrars time to detect the fraudulent registrant data and revoke the name before it can be used.
Spam filters have had many years to adapt and develop. The arms race for browser security is just at the beginning. I expect to see score based systems becoming popular, just like they did with spam filters.
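Added example, not part of the thread: a sketch of the score-based approach suggested above, applied to third-party requests in the way spam filters score sender domains. The weights, thresholds, domain names and registration dates are constructed, and the registration-date lookup is assumed to come from some external source such as registry data.

```javascript
// Added example: score-based filtering of third-party requests.
// Weights, thresholds, domains and dates are constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;
const TYPE_WEIGHT = new Map([['worker', 2], ['script', 1]]);

// Simplification: treat the last two labels as the registrable domain.
// A real filter would consult the Public Suffix List (e.g. for co.uk).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Crude check for machine-generated names: long labels with almost no
// vowels or with several digits.
function looksGenerated(label) {
  if (label.length < 10) return false;
  const vowels = (label.match(/[aeiou]/g) || []).length;
  const digits = (label.match(/[0-9]/g) || []).length;
  return vowels / label.length < 0.2 || digits >= 3;
}

// Returns { url, action, score, reasons } for one request made by pageUrl.
function scoreRequest(pageUrl, req, policy, now) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const site = registrableDomain(new URL(req.url).hostname);
  if (site === pageSite) {
    return { url: req.url, action: 'allow', score: 0, reasons: ['first-party'] };
  }
  if (policy.allowlist.has(site)) {
    return { url: req.url, action: 'allow', score: 0, reasons: ['allowlisted'] };
  }

  let score = 1;
  const reasons = ['unknown third party'];

  // Young domains score higher, as with newly registered names in spam filters.
  const registered = policy.registrationDates.get(site);
  if (registered === undefined) {
    score += 2;
    reasons.push('no registration data');
  } else if ((now - Date.parse(registered)) / DAY_MS < policy.newDomainDays) {
    score += 3;
    reasons.push('newly registered');
  }

  if (looksGenerated(site.split('.')[0])) {
    score += 2;
    reasons.push('generated-looking name');
  }

  // Executable content is weighted above passive content; workers highest.
  const typeWeight = TYPE_WEIGHT.get(req.type) || 0;
  if (typeWeight > 0) {
    score += typeWeight;
    reasons.push(`executable type: ${req.type}`);
  }

  const action = score >= policy.blockAt ? 'block' : 'allow';
  return { url: req.url, action, score, reasons };
}

function demo() {
  const now = Date.UTC(2018, 1, 1); // fixed clock so results are repeatable
  const policy = {
    allowlist: new Set(['libs.example']),
    registrationDates: new Map([
      ['xk7qz9vb2hd4.test', '2018-01-29'],
      ['oldpartner.example', '2013-02-01'],
    ]),
    newDomainDays: 30,
    blockAt: 4,
  };
  const requests = [ // constructed sample traffic for one page load
    { url: 'https://news.example/app.js', type: 'script' },
    { url: 'https://cdn.libs.example/jquery.js', type: 'script' },
    { url: 'https://xk7qz9vb2hd4.test/ad.js', type: 'script' },
    { url: 'https://img.oldpartner.example/banner.png', type: 'image' },
    { url: 'https://widgets.unlisted.example/w.js', type: 'worker' },
  ];
  return requests.map((req) =>
    scoreRequest('https://news.example/article', req, policy, now));
}

for (const r of demo()) {
  console.log(`${r.action.padEnd(5)} ${String(r.score).padStart(2)} ${r.url} [${r.reasons.join('; ')}]`);
}
```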
Allow me to return the question: how do you prevent scripts from draining CPU resources? How do you distinguish between legitimate resource usage (like a heavy web application that runs a lot of javascript) from a cryptocurrency miner? How do you throttle one without hurting the other?
Easy (?) when you install a new browser, it should load a few standard pages in the background and check what their CPU% usage is. Get average value for all the tests, multiply it by 2 just to have a little bit of wiggle room. Next time a website runs, monitor the usage, if it's over the threshold block the script and ask user if they would like to continue running the script.
I'm not going to file a patent for this, thanks in the code will be enough. Enjoy :)
Except that fails if the browser is installed while something else CPU intensive is running, an update is installing, an antimalware process is doing its initial analysis, or the device is in battery saver mode.
As an alternative, you could do a survey at install time - check if a battery is present, get power profiles, run your benchmark js stuff, check CPU, RAM, disk type (HDD/SSD) - then download profiles for that/those configuration(s). Then put a 'sensitivity' slider in the advanced options to allow power users to tweak/turn off the limit.
Possible but if you set the limit too low you're going to have it pop up all the time on heavier websites (especially on less powerful hardware/smartphones). Then you condition the user to dismiss these warnings without thinking about it because of the high rate of false positives.
On the other hand if you set it too high then those websites will aim for that limit to maximize profit without triggering the warning. You'll still waste a ton of resources and you've only mitigated the issue somewhat.
I'm not saying it's impossible, just that "just add a dialog when CPU usage is high" might be a bit naive. There's a subtle balance to these things.
Because a browser can't distinguish between a CPU-intensive app, game or simulation that you want to run in your browser, a cryptocurrency miner that a website runs in your browser after it explicitly asked you and you agreed, and a cryptocurrency miner running in the background.
Of course, they could start asking for permission before letting a site use more than X CPU, or before letting the site execute JavaScript at all, but most people don't want additional popups like that.
Someone said that Firefox warns you when a site uses a lot of CPU but I couldn't trigger that warning (maybe I didn't run it long enough or the feature is in a newer version).
> Can someone point me in the right direction to learn about or just simply explain how modern-day browsers allow for scripts to drain CPU resources?
They allow it because the point of scripts is to consume some level of CPU resources, and setting an arbitrary limit on how much is too much is bound to cause a bad user experience when e.g. rendering large visualizations or playing a fast-paced game.
Publishers with “legitimate” ad mechanisms are using new techniques to entice people to not use ad blockers.
Are any of the legit ad networks doing anything to combat the problems in the article?
As long as there are bad actors, the good ones will get caught up in the net and must own the major share of combating the problem that affects their core business.
All legit ad networks are trying - this behavior is awful for them and doesn't earn them money (it loses them money when the publisher sees these and stops using the ad network). The miners are just 1/2 a step ahead of ad networks.
I wish I could just throttle javascript execution to 1/100th its current pace. I really don’t need it for most websites after the initial load of content, which is unfortunately driven a lot by javascript these days. They mostly exist to serve more and more annoying ads, best I can tell.
Some kind of execution budget would be really nice for JS. I wouldn't blame browsers for not putting it in though, no normal user would touch that kind of control.
I used to get angry at ads on my laptop, but uBlock Origin took my worries away. That left my Android phone, but recently I've discovered Blokada[0]. The app - which is for obvious reasons not available on the Play Store - appears to run a "VPN" through localhost that filters out an absolutely staggering amount of ads and other nastiness. Suddenly my battery life has improved, and my phone no longer runs too hot to touch. It's a win/win.
> which is for obvious reasons not available on the Play Store
Only if the "obvious reason" you meant there is "Google abusing its Android monopoly power".
I wish the EU would include that part into its anti-trust investigation against Google, too. It should be illegal for Google to ban ad-blockers on its store, for the same reason multiple courts in Europe have found that ad-blockers are legal: the user should have the power to block ads if he or she wants it.
This is especially true in this case, because Google can't even use the "security" argument as it did in the early days of ad-blocker banning. This app is functionally the same as a regular VPN, so unless it's saying that all VPNs are a security risk and it wants to ban all of them, then Google has no technical justification for banning VPN-like ad-blockers.
As a side note, why doesn't Blokada use HTTPS? My trust in that app dropped in half for this reason alone, when it's so easy and free to enable HTTPS these days.
Yes, the lack of HTTPS is baffling. HTTPS is so pervasive these days that one has got to wonder.
On the subject of banning apps: my complete lack of empathy for less technically capable users is probably showing right now, but as long as I'm able to sideload apps onto my phone running AOSP, I'm good with whatever.
If forced, they will just add an API that allows apps to check if any VPN is used.
BTW was there any discussion on how Google could be split? Android doesn't bring enough money to develop it, it would make sense to just drop it. Manufacturers would need to maintain their own OSes, that might be interesting.
Does that block YouTube app ads? I use Firefox and uBlock Origin on Android, I use YouTube through that and I don't install any apps with ads. But my family seems to be unable to give up using the YouTube app and every time I see my kids wasting another 5 seconds of their day waiting for that skip button, I cry a little inside.
I bought a Raspberry Pi specifically to run Pi-hole, with the assumption it would be able to block YT ads but, as far as I can tell, it doesn't. It's been good at blocking in-game ads though. Another bummer is that it only works on my home network.
I have an extension to disable WebRTC to prevent leaks (uBlock added that too), I have another one that claims it blocks mining, I have uBlock and Disconnect - all fighting for my privacy.
If you disable JS you won't need any ad blockers and you will be surprised how much faster the sites will load (if some sites are still not fast enough, try disabling web fonts; they are heavy and block rendering, but sadly Chrome doesn't allow blocking them on a per-site basis).
It is possible to block web font requests on a per-domain basis via an extension, even on Chrome. I have had web fonts disabled by default for a while, and thought about building a whitelist of acceptable ones but have been too lazy to implement it yet.
Are there even any legitimate domains under these new super-cheap-50c-domain TLDs like .bid? I've seen a 100% spam bot rate for all email domains ending in .bid on our sites.
I'm considering changing my local DNS to NXDOMAIN the whole TLD if it's this messy.
Doesn't it cost a few bucks to register a domain name? How could a malware group pay to register thousands and thousands of randomly generated top level domains?
Instead of trying to block ad-mining, consider this:
With the right PoW algorithm and the hardware access to optimize it, it really seems like an excellent economic model, specifically if you must opt-in in exchange for seeing no ads.
Today we deal with advertisements that destroy the user experience and have a very real cost to the user in having to navigate through intrusive ads. Which also, by the way, often cause the same over-revving and slowdowns as mining does.
In response, ad blockers rewrite or block a site’s code to eliminate the ads, consuming the content but starving the site from its only revenue stream. Not theft, perhaps not even morally wrong, but certainly to the detriment of the site owner.
Microtransactions or subscription-based content pools with view-based payouts have been proposed for years and have had some traction but certainly aren’t widespread.
If you could opt-in to mine on behalf of the sites you visit in a way that respected your real-time compute resources, in exchange for a completely ad-free experience, would you do it?
It seems like mining for someone is the ultimate micro transaction. There is no overhead and no fees and you can mine for a portion of time equal to tiny fractions of a cent of value. In fact, mining for enough cycles to produce even a penny of value would be a fairly substantial amount of computation.
The crucial question is the efficiency of the process. There are no transaction fees whatsoever to mine for someone else, the bandwidth is minuscule, the code is fairly tight. But the one thing that makes it inefficient is if you’re consuming more compute than necessary to most optimally perform the PoW. In other words, if your hashrate per CPU-second is sub-optimal because the sandbox doesn’t allow an efficient PoW implementation, or because the algorithm can be run orders of magnitude more efficiently on specialized hardware, that in itself is a form of transaction fee.
If we can get a PoW algorithm which runs near-optimally on general purpose computers on a blockchain that isn’t dominated by botnets, then the economics should work out that you are paying whoever you mine for approximately the cost of the electricity required to perform the mining, effectively leading to a way to make free micropayments.
Even with a perfect algorithm it won't be profitable enough. The value of mined coins will be roughly equal to the value of the electricity consumed by the computer (if no more efficient miner hardware exists). That gives around $1 if someone stays on your site, mining, for 8 hours. For anyone other than movie streaming sites it is unprofitable; AdSense will bring much more money. And each additional site that uses mining decreases profit for the other ones, as they share the same, fixed amount for a found block.
“... in a way that respected your real-time compute resources ...”
That is to say, your machine is constantly mining 24 hours / day at an extremely preemptable low-priority on behalf of the various sites you visited that day.
Definitely it can’t work that you’re only mining on behalf of the site while you’re actively looking at it, because when you’re sitting in front of your device is precisely when you don't want to be mining!
As far as how much advertising value does the average internet user provide in a day? Facebook's ARPU is about $25 in the US. And apparently Facebook users spend an average of 50 minutes per day on Facebook. So that’s 8.2 cents per hour, so we’re within an order of magnitude!
Would be interesting if a site had a hierarchy of content, with the top-level content only available to those running fast hardware and therefore generating more revenue.
Those on cheap or slow hardware might be limited to older or less valuable content.
Now that is a dystopia I don't think anyone would like to see.
I’m willing to bet that the value of an ad impression correlates pretty well with the relative compute power of the device. But, sites don’t generally restrict/reserve content for, e.g. Android/iPhone users because they are more/less valuable to advertisers.
The premise is that opt-in mining can be used as an efficient micropayment. Any new technology can be used toward dystopian ends, or not, so it’s not a reflection at all on the merit of the idea.
> profits are slim at best, and you generally take what you can get from a revenue perspective ... publishers today have about as much bargaining power as do Uber drivers [1]
Because of the race to the bottom incentives for publishers, we will see both intrusive, secret crypto-mining AND advertisements, not either-or.
I take it you don't have a powerful one that drains 150W.
I can trivially hear the fans (GPU or CPU) if some site attempts to over-utilize the available hardware resources.
1. Ad networks / exchanges allow (don't catch) these ads
2. Publishers don't do enough to stop them
3. Browsers allow it to happen