Thursday, March 20, 2014

Why I run Adblock Plus and Ghostery...

A few topics came up on my radar recently that questioned whether AdBlock Plus is a security risk: several websites are now asking users to disable it for their site, claiming that AdBlock Plus itself is the security risk.

That got me thinking about why I really run both AdBlock Plus and Ghostery. I trust both plugins because they do their job VERY well, are trusted by millions of people, and, most importantly, are open source software. However, the reason I run these tools is not the usual "ads are annoying" or "privacy is important" reasons that I see bandied about. I run them because NOT running them introduces security vulnerabilities and serious performance degradation into the web browser stack, and because those running ad servers do not follow the law. Here are a few reasons why you should be running *at least* AdBlock Plus:

  1. Ad server operators are notorious for running any ad, including ads that deploy malware. It is not uncommon for a hacker to use a stolen credit card to flight malware ads on an ad server platform. They send over their malicious creative and it runs without being analyzed. In some instances, the ad runs before payment even clears! If the flighted ad is placed on what is known as a "remnant ad provider", it can take 6 to 8 hours after discovery of the malware to get it taken offline. Meanwhile, the ad is being served up to all sorts of users around the world. This actually happens, and it happens because there is no accountability in the ad server world and the people responsible are reactive instead of proactive. AdBlock Plus (and, to some extent, Ghostery) should be considered part of a comprehensive security solution beyond what your anti-virus software and hardware firewall offer. This reason alone should be sufficient to immediately install AdBlock Plus (or equivalent) because, if the ad server can't serve anything in the first place, it can't deliver malware to your computer or other devices. These tools reduce the potential attack surface of the web browser.

  2. Ad servers can be (maliciously) configured to request the user's password for the website they are currently visiting using browser-based authentication dialogs. Users will freely enter their login information for the current website (thank you AOL!), which can then be used to compromise the account. Let's say an attacker gets onto the web server that hosts the ads: they reconfigure the server so that it prompts everyone for usernames and passwords, and then they start collecting information. Millions of compromised accounts across millions of systems in a matter of minutes. Seriously, install AdBlock Plus and Ghostery right now. (Added on June 24, 2016 after seeing this.)

  3. Excessive web requests. Remnant ad servers are especially notorious for this. To request a single remnant ad position, the browser will generally contact an average of 15 different servers across the Internet. Each server request also requires talking to a local DNS server to get the IP address of the destination. If the local DNS server doesn't know the IP address of the target server (fairly common), it has to go and find out. DNS requests are fairly expensive. Throw 3 to 4 ads on a page and suddenly page load times skyrocket to at least 20 seconds per page. I've personally seen page load times in excess of 60 seconds on modern hardware. AdBlock Plus drops page load times to under 6 seconds in many cases by simply blocking the excessive web requests. Ad server operators don't know when to say "no" to money and constantly make exceptions. Therefore, they don't set rules on request depth and, even if they did, they would never stick to such rules because the drive for money outweighs common sense. I also use Ghostery more because of excessive web requests than for the "privacy" reasons other people use it for - it shaves off another 1 to 3 seconds per page load with very few issues.

  4. Those who flight ads almost always neither know nor want to learn even very basic HTML. They will happily flight ads that output broken content onto the page, which then proceeds to destroy the layout of the page. Mismatched 'div's or other bad HTML code result in half of a page simply not loading, or not loading properly. It then takes up to several hours to diagnose the problem ad before the ad finally gets taken down. Meanwhile, users suffer with an unusable website. A more stable website viewing experience is just one more reason to run AdBlock Plus.

  5. Most ads are not compliant with the Americans with Disabilities Act (ADA). Ads that flash, rapidly change colors, have wild patterns (e.g. optical illusions), or otherwise move on a screen can trigger seizures even in those who have never had a seizure before. These triggers are scientifically proven. Therefore, AdBlock Plus is also a lifesaving medical device and brings website operators into some semblance of compliance with ADA regulations (i.e. federal law). The only ads that are remotely ADA compliant are static images with muted color combinations. But since you neither know nor can control which ads will be served to you, the only solution is to install AdBlock Plus.

  6. Animated ads other than GIFs, especially Flash ads, also dramatically hurt browser performance. Moving DOM elements around on a page causes DOM thrashing (for lack of a better term) and redraw operations at the OS level - combined, they take a lot of CPU power and frequently lag. Fortunately, some browser vendors are blocking Adobe Flash by default now, but authors of ad creative are just switching to a "Javascript plus images" method, which ultimately doesn't help much. The only solution to this problem is to block all ads until the industry wakes up and realizes that animated ads aren't just annoying, they hurt the performance of the user's web browser.

  7. Ad server operators don't demand that all ad creative fit in with their website design. It doesn't seem to matter which ad it is; they all look ugly and destroy what would otherwise be an elegant website design. This stems from having no review process prior to flighting any ad. A good review process will reject both ads and advertisers that refuse to meet a set of well-defined requirements, resulting in ads that look good in relation to the rest of the website. This lack of concern over the ad creative that users will see demonstrates that there is also a lack of concern over the website's users. If a website operator can't be bothered to properly care for their users by only flighting ads that have been through an extensive review process, then AdBlock Plus is a great way to send the website operator the message that the users want to be cared about.

  8. Third-party server dependencies hurt browser performance. If just one third-party server goes offline in an unusual way, pages that depend on that third party will never finish loading. A lot of sites depend on the "DOM ready" event firing to execute important changes to the page. If the browser is waiting on some third-party server to return content before continuing and that server hangs for 30+ seconds, I'll generally just leave and go elsewhere. I've seen both ad servers and analytics servers hang for extended periods of time. AdBlock Plus and Ghostery dramatically reduce the number of third-party dependencies, which speeds up page load times while simultaneously helping improve site uptime.

  9. Update March 4, 2017: Finally, 9.4 million people in the U.S. are still on dial-up for various reasons. That's about 3% of the total population of the United States. Reasons for those folks using dial-up range from cost-effectiveness to being the only option available. Combining multiple technologies, including third-party website blockers, is the only way for them to get on the Internet and stay connected to friends and family. If you are one of those unfortunate souls on dial-up, whatever the reason, be sure to install third-party blocking software. Also be sure to look into setting up a data compression proxy server like Ziproxy for HTTP and mitmproxy for HTTPS connections. Both can be configured to compress the data being sent and received for significant bandwidth savings, which translates to faster page loads. You'll find this post on setting both proxies up to be useful. You'll need a cheap VPS (e.g. OVH or vpscheap.net) to host the proxy software somewhere. However, depending on your privacy needs and before you spend any extra money, call your dial-up service provider as they might already provide, or be willing to provide, compressing proxy servers. To save even more bandwidth, you can install image and cookie blocking extensions, which will also reduce third-party requests.

Until all of these issues are addressed by the entire ad and SaaS industries, AdBlock Plus and Ghostery stay installed and active on my hardware, and hopefully I've convinced you to install and use them on all of your devices as well.

Update March 2017: I've recently started using uBlock Origin on new OS installs. I got annoyed with AdBlock allowing third-party content through and having to go in and say, "No, really, block everything." I'm still evaluating it but uBlock Origin + Ghostery works well enough for my needs so far. It really doesn't matter what software you use as long as the vast majority of third-party content is blocked by default with the option to unblock portions for certain pages or websites.
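To make concrete how these extensions decide which requests to drop and how a per-site "unblock" works, here is an added example (not code from Adblock Plus, uBlock Origin or Ghostery) of a simplified matcher for a few Adblock Plus filter-list forms: "||host^" host anchoring, the "$third-party" and "$domain=" options, and "@@" exception rules. The hosts in the filter list are constructed placeholders, and third-party detection uses the last two host labels instead of a Public Suffix List lookup.

```python
from urllib.parse import urlparse

def is_third_party(request_url, page_url):
    # Simplification: the last two host labels stand in for a Public Suffix List lookup.
    reg = lambda u: ".".join((urlparse(u).hostname or "").lower().split(".")[-2:])
    return reg(request_url) != reg(page_url)

def host_under(host, domain):
    return host == domain or host.endswith("." + domain)

class Rule:
    # One filter line: optional '@@' exception prefix, a pattern, then '$' options.
    def __init__(self, text):
        self.exception = text.startswith("@@")
        pattern, _, opts = (text[2:] if self.exception else text).partition("$")
        self.third_party, self.domains, self.excluded = None, set(), set()
        for opt in filter(None, opts.split(",")):
            if opt in ("third-party", "~third-party"):
                self.third_party = not opt.startswith("~")
            elif opt.startswith("domain="):
                for d in opt[len("domain="):].split("|"):
                    (self.excluded if d.startswith("~") else self.domains).add(d.lstrip("~"))
        self.host_anchor = pattern.startswith("||")
        self.pattern = pattern[2:].rstrip("^") if self.host_anchor else pattern

    def matches(self, request_url, page_url):
        host = urlparse(request_url).hostname or ""
        page_host = urlparse(page_url).hostname or ""
        # '||host^' matches the host or any subdomain but never 'host.evil'; plain patterns are substrings.
        if not (host_under(host, self.pattern) if self.host_anchor else self.pattern in request_url):
            return False
        if self.third_party is not None and self.third_party != is_third_party(request_url, page_url):
            return False
        if self.domains and not any(host_under(page_host, d) for d in self.domains):
            return False
        return not any(host_under(page_host, d) for d in self.excluded)

def should_block(request_url, page_url, rules):
    # A matching '@@' exception wins over every matching block rule, as in ABP.
    hits = [r for r in rules if r.matches(request_url, page_url)]
    return bool(hits) and not any(r.exception for r in hits)

# Constructed filter list: the hosts are placeholders, not real ad networks.
RULES = [Rule(t) for t in [
    "||ads.example^$third-party",                   # block the ad host only when embedded elsewhere
    "||tracker.example^",                           # block the tracker everywhere ...
    "@@||tracker.example^$domain=trusted.example",  # ... except on a site the user chose to unblock
    "/banner-$third-party",                         # substring rule applied to third-party requests only
]]
```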

1 comment:

  1. I just added one more reason to the list. Let me explain the "thank you AOL!" bit. AOL, back in the day, sent out floppy disks and later CDs to join their service and "get on the Internets!" This created a whole industry of "n00bs" and anyone with an @aol.com address was instantly a real eye-roller (and still is). These people got their first taste of computing and technology and it really revolutionized things in terms of Internet growth. Unfortunately, it also did something else: It said that anyone and their mom, as long as they owned a computer and a modem (today it is the smartphone), could get on the Internet without any specific training. This created a relatively unsustainable culture of unlimited *future* technical support and subsequently opened the door to massive malware deployments. We in the tech sector are *still* cleaning up AOL's mess today. That phishing attack that *you* didn't click on but you know six other people who did and made you facepalm? AOL is squarely to blame for that.
