This is quite unfortunate news but not surprising. This effectively turns Privacy Badger for the majority of users into another block list.
Fingerprinting vs ad tracking protection has been an ongoing war. The natural escalation to tracking protection is to fingerprint even harder. I'd expect most power users who like to configure their extensions and blocking lists to be surprised how much information that provides to differentiate them. Even without that, browsers by default share a lot of information with every website (https://panopticlick.eff.org/).
I don't see a good ending to this war. Solutions like Firefox containers require you to be extremely thoughtful in your site usage and don't protect from more advanced fingerprinting techniques (that for example Cloudflare employs). The web is fundamentally a little broken here.
Disagree on DoH though, because it defeats DNS caching and blocking in the subnet. Plus, many people trust their own provider more than yet another US corporation.
That's fascinating, but now you know why people in the US are quick to embrace DoH in its default configurations. And, of course, nothing ties DoH to major US corporations. You can DoH to a NUC in your cousin's bedroom closet.
The "community learning" feature they mention investigating at the bottom of the article sounds like the best of both worlds: automatic learning without fingerprinting and a pre-trained block list.
> This is quite unfortunate news but not surprising. This effectively turns Privacy Badger for the majority of users into another block list.
Yes. Privacy Badger was not just an anti-tracker. It's also something of an ad blocker. Since ad sites tend to track, it learns to block them.
Checking "cnn.com" right now, Privacy Badger is blocking 36 sites. These include "static.ads-twitter.com", "c.amazon-adsystem.com", "www.googletagmanager.com", "ad.doubleclick.net", and "amplify.outbrain.com". Blocking those knocks out most of the ads from the big players. Two of those are Google's, and they probably don't like being blocked by a large number of users.
Taking that away to prevent a theoretical approach to tracking seems like a sell-out by EFF.
Firefox Containers ought to just let me do such things:
1. Open every new website (the one which doesn't have a saved container for it) in a new random/untagged container - destroy that container and data/everything when I close the last tab of that site
2. Unless I tag/name that container for that website and then persist it the way you do - and give me one click operation to tag name and (maybe select an icon/colour for that container)
3. What about giving website favicon as an option to the container icon
4. Get rid of those "Oh you are opening this website B (container_B) from a website A (container_A) - do you want us to open it in container_B instead"? "Always"? Yes! Yes! Make it default or give me an easy option to make it default damn it - give me an option the first time where I can mark "always do this"!
5. Do we really need special container for Firefox and then for the rest? Why not ship with a default already set container in the Multi Container add-on that's Fb container?
There's an option "Select a container for each new tab" but it's not very helpful as it lets you just choose either one among all the existing containers, or "No container" and that is blocking pop-up.
I'm not a security expert so I may be wrong (if so, someone please educate me). My impression is that if you own several websites and trackers, you can identify users by the specific combination of blocked and non-blocked trackers, plus data about their machine/OS, ISP, screen resolution, and browser languages, as well as checking to see if browser permissions are turned on for notifications, location, and the like. I'm not sure you can prevent that with a javascript-based approach alone.
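The effect described in the comment above, measured on a toy population, as an added example that is not part of any comment in this thread and is not Privacy Badger's code. It assumes a simplified learning rule (block a tracker once it has been seen on three visited sites); the sites, trackers and browsing histories are constructed.

```python
import math
from collections import Counter

# Constructed data: letters stand for sites, values are the third-party
# trackers each site embeds.
SITE_TRACKERS = {
    "a": {"t1", "t2"}, "b": {"t1", "t3"}, "c": {"t1", "t4"},
    "d": {"t2", "t3"}, "e": {"t2", "t4"}, "f": {"t3", "t4"},
}
PROBES = ["t1", "t2", "t3", "t4"]  # trackers whose blocked/allowed state is observed
THRESHOLD = 3  # assumed rule: block a tracker after seeing it on 3 distinct sites

# Constructed browsing histories (each letter is one visited site).
HISTORIES = {"u1": "abc", "u2": "ade", "u3": "abcde", "u4": "abcdef",
             "u5": "ab", "u6": "f", "u7": "bdf", "u8": "abc"}


def learned_blocklist(history):
    """Blocklist a locally learning blocker would build from one history."""
    seen = Counter(t for site in history for t in SITE_TRACKERS[site])
    return frozenset(t for t, n in seen.items() if n >= THRESHOLD)


def identifying_bits(blocklists):
    """Surprisal, in bits, of each user's blocked/allowed pattern."""
    patterns = {u: tuple(p in bl for p in PROBES) for u, bl in blocklists.items()}
    counts = Counter(patterns.values())
    total = len(patterns)
    return {u: math.log2(total / counts[pat]) for u, pat in patterns.items()}


# Case 1: every user learns locally, so the list mirrors their history.
LOCAL_BITS = identifying_bits({u: learned_blocklist(h) for u, h in HISTORIES.items()})

# Case 2: every user ships the same pre-trained list.
SHARED_LIST = frozenset(PROBES)
SHARED_BITS = identifying_bits({u: SHARED_LIST for u in HISTORIES})

if __name__ == "__main__":
    for user in sorted(HISTORIES):
        print(user, "local:", LOCAL_BITS[user], "bits  shared:", SHARED_BITS[user], "bits")
```

With eight users, 3 bits means the pattern is unique in the population; the shared list yields 0 bits for everyone because all patterns are identical.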
What is the recommended cocktail of extensions to use these days for optimal privacy? I have so much to think about that I haven't had a chance to dig in and learn what's best.
I like the idea of Skip Redirects and Smart Referer, but I feel they aren't worth the risk.
They're not popular extensions (11K and 6K users respectively) and aren't being reviewed by Mozilla. I'm certainly not going to review them myself, and I see no reason to trust their developers and their personal security practices.
What is the best way to use DDG like Google with minimum friction and good search results (I rarely get relevant answers if I do a pure DDG search)?
Also, what is DDG? It has its own crawlers (DuckDuckBot) like Google and Bing have (assuming Bing has, haven't read on it)? Or DDG (or DuckDuckBot) just filters/parses results from Google et al?
'almost'? Do you have examples of websites breaking? Does it mean for example that you wouldn't be able to log onto YouTube because Google cookies are blocked?
Adblock is run by Wladimir Palant's Eyeo GmbH. It used to be an open source project but was rewritten to what it is now and is tied to "acceptable advertising" policies and is run by a for-profit company. As always, if you aren't paying for it, you should be asking who is.
uBlock Origin is Free. Open source. For users by users. No donations sought.
Without the preset lists of filters, this extension is nothing. So if ever you really do want to contribute something, think about the people working hard to maintain the filter lists you are using, which were made available to use by all for free.
Well someone is still paying for opensource.. the maintainers and developers. The contributors. They're mostly paying with time, but there's some direct cost too.
It's why we want to be good users of open source and contribute back, whether that's donating or helping write documentation, manage issues, etc.
The cost of open source is the direct cost - what it takes to build an adblocker in this case. The cost of a for-profit product is the direct cost and the profit margin - a higher number in every situation. Instead of the for profit company paying that, it's some external party and if that isn't you it's.. well, still somebody. As the saying goes, if you aren't the customer, you're the product.
Adblock Plus itself has trackers in it. They also accept money to whitelist every major ad company and trackers meaning you gain nothing privacy wise and just waste CPU resources.
I went through the pain period of noscript but still couldn't stick with it. I had to be constantly mindful every time I buy something online. The process would half-fail at some stage and then I have to start hunting for which domain is the one that's essential for the checkout to complete.
This is not NoScript's fault of course. Some websites are including 20-30 different domains (check out maperformance.com for example) and picking and choosing to get something to work is a nightmare.
I keep a separate browser profile just for purchases; once I've decided to buy something, I open that profile and copy the URL over. That way, my "browsing" profile remains locked down, and purchases stay easy.
Someone correct me if I'm wrong, but ublock breaks almost nothing because it just allows trackers on pages where blocking it would break something.
So if blocking a doubleclick tracker will stop a video from playing on some page/site, an exception will get added to the block list to just allow it on that page/site.
It makes it 'just work', but imo it's not clear enough in the UI that this is happening and I would guess that most users don't even know.
Pihole is great for stopping stuff that’s not in the browser in particular. OS telemetry, in-app ads, phishing sites, etc. In principle I suppose it can block cryptoviruses, but it’s probably hard to keep a good blocklist up to date.
I used noscript before umatrix. Umatrix is def technically superior in my eyes. Also noscript has some pretty shady sht in its history. Exactly what I don’t need from a privacy extension
Cookie autodelete is also worthwhile to prevent cookies from lingering unnecessarily.
The Resist fingerprinting and Third party isolation settings are also worth a try, it doesn't stop everything but it does prevent some of it. For usability I usually install the corresponding add-ons so I can toggle them with a button (these settings tend to break stuff).
LocalCDN may also help a bit by using local copies of commonly used resources.
I used to have an add-on that could spoof the font detection by making small random changes to font sizes, but it stopped working and I haven't found a replacement.
These tests are sketchy - I have been awarded 17.85 bits on this browser however 13.94 bits come from one line item:
> System Fonts Arial, Bitstream Vera Sans Mono, Bookman Old Style, Century Schoolbook, Courier, Courier New, Helvetica, Monaco, Palatino, Palatino Linotype, Times, Times New Roman (via javascript)
But as a Linux user, those are all mapped by Freetype (some to the same typeface) as many of those are copyright (? encumbered, not freely licensed) fonts:
$ for zzz in Arial "Bitstream Vera Sans Mono" "Bookman Old Style" "Century Schoolbook" Courier "Courier New" Helvetica Monaco Palatino "Palatino Linotype" Times "Times New Roman"; do fc-match "$zzz"; done;
LiberationSans-Regular.ttf: "Liberation Sans" "Regular"
.. 12 more lines of font replacement maps...
This website javascript test is measuring a heuristic, giving it a very high score (almost twice as high as anything else, "Hash of canvas fingerprint" is next) but that measurement is patently false compared to the real data. (it also reports no Ad Blocker used and I have uBlock-O fully enabled).
I am a lifelong EFF fan and supporter, but... well, if everyone (ad / tracker people) is using this code and set of techniques I'm better off not pointing out how wrong it is. :)
It's almost like how Airwolf used to toss out chaff left and right to escape the bad guys, I have Ernest Borgnine in the back going "Why can't we hover like regular helicopter people?" as Firefox tosses out fake font results to Javascript sniffers.
But disabling WebRTC and Canvas makes you easier to be fingerprinted? Most people don't block that, so those features not being available on a modern browser makes you "special" right?
The browser is a complete traitor in this commercial surveillance system.
It doesn't seem possible with any of the mainstream browsers to avoid a "unique" fingerprint. RSS is a good counter-tactic.
In the end, if I have to apply defensive tactics just to read information, I will stop visiting. When I enter a store, I am unique. But I don't let the store cover me with tracers.
Privacy Badger and Catblock might not be the best combo but it is furry mammal themed. I haven't had the urge to upgrade from it. However, sometimes I feel guilty for partaking in content that I have ad blocked as the creators lose out.
Then I think about how it is that adverts might zonk out my brain, thereby rendering me unable to write helpful pleasant comments that are hopefully well received by the content creators. So being an advert blocking person isn't all that bad if you contribute with engaged comments.
It makes sure that when you type www.somewebsite.com and press enter you go directly to https instead of going through a http-https redirection that could be intercepted. This is only useful for websites that support https but are not in the HSTS preload list. Alternatively you can enable that Firefox setting someone mentioned but once you do that you stop being able to visit websites that don't support https so HTTPS Everywhere is a good middle ground.
I don’t think that is true. See the other sibling comment. Also LocalCDN, whilst it has some nice extras, isn’t a recommended extension - decentraleyes is.
Google's original report on Safari's ITP was part of a major FUD campaign about privacy measures. Google went so far as to suggest because fingerprinting was possible, we should just allow third party cookies. Arguably, carrying this forward in limiting the effectiveness of Privacy Badger to block tracking domains is a further extension of that behavior.
Google has finally been pushed to accept that third party cookies are going away, but are now advocating for a "privacy budget" system that essentially gives them a certain amount of allowance to violate your privacy. They are still FUD-ing about the drastically more correct solution: To just protect your privacy outright.
>because fingerprinting was possible, we should just allow third party cookies
Nothing is either/or. Increasing the cost and difficulty of tracking does increase privacy. At the same time, there is some truth to the argument that Google is not losing the arms race between its trackers and the blockers anytime soon. Fundamentally, as long as web pages have this much control over your computer, they will be able to track you. The web is broken and needs to be pared down and reworked so that privacy is part of the protocol.
Can DuckDuckGo Privacy Essentials be an alternative to Privacy Badger? Once I replaced Privacy Badger by it, because Privacy Badger had conflicts with some sites I read often. But I'm not sure if it's an optimal alternative.
I don't know what Privacy Badger's blocklist looks like, but without the learning aspect, if its inbuilt blocklist is already covered by uBlock then all you're doing is slowing down your browser without any benefit.
They're saying not only can it still be turned back on, but that the inbuilt list is going to be built on their side using the same learning aspect, not built manually.
As many adblockers as possible is a very bad idea. They interfere with each other. Half of the issues on r/ublockorigin are caused by people using adblock plus with it.
Does anyone have a good example of a site plastered with ads that still renders with privacy badger? I want a go-to screenshot to link to for my rants any time a website tells me to disable my "ad blocker"
Didn't I just read somewhere on slashdot or hacker news that privacy badger logs all of your websites you visit and websites that you enable/disable certain cookies or javascript?