"Users may also switch to uBlock Origin. It does not support the $rewrite filter option and it is not vulnerable to the described attack."
AdBlock uses the Adblock Plus filtering engine internally and also supports and enables "Acceptable Ads" by default:
> AdBlock is a popular ad blocking extension for Chrome, Opera and Safari, now based on the Adblock Plus code.
* * *
This is why brands have immense value.
It's not just your opinion. Mr. John McAfee himself, the guy who started the company and whose name it still bears, has publicly stated that McAfee software is "the worst software on the planet"!
If that isn't enough for people to avoid a brand name, then I don't know what is. But apparently, countless businesses are so clueless they keep using McAfee software even though its own founder says it's trash.
Although it's been molasses-slow in comparison to 3rd party tools since that time as well.
When I talk to these folks and probe why they think they need WinZip, they never say "oh, I was trying to uncompress a 7GB file the other day in Explorer and it took forever." They say "I'm on Windows, and this is a Zip, therefore I need WinZip." They're usually genuinely surprised to find out that this is something Windows can do all by itself.
> Since its release in Windows XP, Zip folders has not been actively developed. The reason is the usual: Because adding features requires engineering resources, and engineering resources are limited. Furthermore, since the compression and decompression code weren’t written by anybody from Microsoft, there is no expertise in the code base, which means that debugging and making changes is a very difficult undertaking.
Safari is really easy to beat by anti-ad-blocking technology; the only reason why more publishers won’t do it is because they don’t want to piss off people, but as the minority of people using ad-blockers grows, they’ll get over that fear.
Also FYI injecting scripts in webpages is the only way to prevent anti-ad-blocking from working.
It might be enough to handle most of the ads at the moment, but it fails miserably when a website uses any adblock circumvention.
As for your specific claim, 1Blocker has an entire section of blocking rules to counter anti-adblock.
Sure, if some site wants to be completely hostile to users, it may still show up. The little cross icon on the tab solves that issue pretty quickly.
What do you mean by abandoned? I use it and it works for me daily.
Somehow, my intuition is that ublock is too advanced/complex for non-tech-affine users.
> BetaFish Inc, owner of AdBlock, paid to acquire control of the GitHub repository and control of the ublock.org site last year. The apparent goal was to keep the deception ongoing, and further increase it, as clearly the site is trying to game search engines so to rank ublock.org high in results. They also registered the trademark "uBlock" in Germany, and have been pulling code from "uBlock Origin" repo.
> Nothing that they are doing is user friendly, it's to deceive people who are looking to install "uBlock Origin" into installing "uBlock" instead.
Fixed now. Thanks for your work.
Simply giving ownership to a GitHub repo might not be a license.
> Through April and May 2015, the uBlock project was forked by Chris Aljoudi, while uBlock Origin reflected the continuing effort by the original developer Raymond Hill.
Since April 2015, uBlock Origin has been completely unrelated to the web site ublock.org.
> Shortly after the project division [between uBlock and uBlock Origin], Chris Aljoudi created ublock.org to host uBlock, promote the extension and request donations... In July 2018, uBlock was acquired by AdBlock.
IIRC, Raymond Hill, the original author of uBlock and current maintainer of uBlock Origin, voluntarily gave the control of uBlock project to Chris Aljoudi because he was tired of dealing with all the bug reports/issues (and Aljoudi offered to take it over, I think).
But due to various reasons, shortly (very shortly, maybe even no gap in between) after, he self-forked uBlock to make uBlock Origin and started to work on it again.
So technically uBlock Origin is the fork, and more importantly, Chris Aljoudi didn't really "fork uBlock", he inherited the main repo.
Note: I'm by no means defending Aljoudi's practice on uBlock and I'm pretty sure Hill regretted his decision of handing it over. But let's avoid historical revisionism.
(See the "forked from chrisaljoudi/uBlock" text and readme.MD below)
Edit: Hill's own words about this matter on Apr 11, 2015: https://github.com/gorhill/uBlock/issues/38#issuecomment-918...
The people who forked tried to make some money off the name by asking people for donations. They seemingly failed after the uBlock creator called them out and renamed his work to "uBlock Origin".
So the people who forked sold what they got to ABP and called it a day.
(I've worked on filter lists since the Junkbuster and then Privoxy days, through Adblock Plus. Then Adblock Plus suddenly seemed like a bad place to be, and uBlock was similarly questionable, so I moved to uBlock Origin, even though adding new rules there was more work than in ABP. I've been very happy with uBlock Origin, and with its lead developer's apparent benevolent intentions.)
Support for this filter option was discussed (and declined) in uBlock Origin's issue tracker:
Here's a permalink to your explanation in that thread: https://github.com/uBlockOrigin/uBlock-issues/issues/46#issu...
After some clicking I found this: https://github.com/uBlockOrigin/uAssets/issues/4080#issuecom... , might be interesting
Calling it an exploit is no different than claiming .exe files are exploits because they allow arbitrary code to run. Or that browser extensions are exploits because they too can manipulate the page.
The problem is that you can’t necessarily trust filter maintainers to be completely honest. Users don’t regularly audit the thousands of rules in their filter lists, so a bad or compromised filter could easily introduce a malicious filter in an update. The $rewrite rule lets a filter change what code is being loaded by a webpage (under certain fairly realistic situations).
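An audit of the kind the comment above says users rarely do, as an added example that is not part of the thread or of any ad blocker's code: it scans Adblock Plus-style filter list text and reports every rule that carries a `rewrite` option. The option-parsing regex is a simplified approximation of the filter syntax, and the sample list is constructed with placeholder hosts and paths.

```javascript
// Added example: flag filter rules that use the $rewrite option.
// OPTIONS_RE approximates the trailing "$opt1,opt2=value" block of a rule.
const OPTIONS_RE = /\$(~?[\w-]+(?:=[^,\s]*)?(?:,~?[\w-]+(?:=[^,\s]*)?)*)$/;

function parseOptions(line) {
  const m = OPTIONS_RE.exec(line);
  if (!m) return null;
  const opts = new Map();
  for (const part of m[1].split(",")) {
    const eq = part.indexOf("=");
    // Normalise case so a rule written as $REWRITE= is not missed.
    const name = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    opts.set(name, eq === -1 ? "" : part.slice(eq + 1));
  }
  return opts;
}

function auditFilterList(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Skip blanks, comments, the list header and element-hiding rules.
    if (!line || line.startsWith("!") || line.startsWith("[")) return;
    if (/#[@?$]?#/.test(line)) return;
    const opts = parseOptions(line);
    if (!opts || !opts.has("rewrite")) return;
    findings.push({
      line: i + 1,
      rule: line,
      target: opts.get("rewrite"),
      domains: opts.has("domain") ? opts.get("domain").split("|") : [],
    });
  });
  return findings;
}

// Constructed sample list; hosts and paths are placeholders.
const SAMPLE_LIST = [
  "[Adblock Plus 2.0]",
  "! Title: constructed sample",
  "||ads.example.com^$script,third-party",
  "||cdn.example.net/player.js$rewrite=/placeholder-path,domain=example.net",
  "example.org##.ad-banner",
  "@@||example.org/ok.js$script",
  "/banner\\d+\\.js$/$REWRITE=/other,domain=a.example|b.example",
].join("\n");

console.log(auditFilterList(SAMPLE_LIST));
```

Running the same function over the diff between two versions of a subscribed list shows when an update introduces a new rewrite rule.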
I agree with that, and it's not a strong security model. But my original point is that the author is using a bad faith argument by describing a feature they dislike as an exploit. It's in spec for what the original authors intended. Just like running an executable program is potentially risky, but a design of the system.
I read the article and perhaps it's been edited since you commented, but the author states in the introduction that there is a security vulnerability in a feature and provides an exploit. That to me is quite different from calling the feature itself an exploit.
> It's in spec for what the original authors intended. Just like running an executable program is potentially risky, but a design of the system.
While it's true that it is in spec, I see a big difference in terms of how users experience this situation compared to running an executable program. I see this as more analogous to a new feature introduced in an executable format that offers a different security guarantee to what users are already comfortable with. I don't see pointing this out as being in bad faith.
While I'd still argue it's "working as intended" (for better or worse), he is at least calling this specific demonstration an exploit rather than the feature as a whole. So I'll step back from that position, at least part way.
Thank you for the clarification on that point.
As a developer, I expect that browser plugins can execute code in some context (though I think general users may not even expect that); but I don't generally expect that plugins will execute code from some arbitrary 3rd party source.
Ad blocking extensions should consider dropping support for the $rewrite filter option. It’s always possible to abuse the feature to some degree, even if only images or style sheets are allowed to be redirected.
The classic "ban it because it can be abused" mindset. Let's ban the use of computers too, certainly that would be more secure!
Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions.
As they should, because what user-agents are doing has nothing whatsoever to do with their site.
(Disclaimer: I don't use ABP nor uBlock nor any in-browser blocking extensions, so I have no conflicts of interest here. I use a full MITM proxy which is far more powerful than anything you can do with a browser extension. I wonder what he'll think about that...)
Can your MITM proxy modify HTTPS traffic? If so, how did you configure your machines to trust the cert you're using?
Yes, of course. It wouldn't be very useful otherwise. The proxy has its own CA, and I install the cert into the trusted roots of all the machines I use.
I really like it, no doubts it's good and everyone should consider using it.
BUT, since we are talking about uBlock Origin, I'd like to mention another awesome extension Raymond Hill made.
uMatrix alone is very powerful, and will prevent most ads.
Yes you as a user need to do the work, but the result is better.
If you like the idea of uMatrix, you may also look at NoScript!
Actually, I live almost ad free using NoScript + uBlock Origin for at least 2 yrs.
$rewrite... what a dumb feature btw!
You cannot. Pihole may be a better solution for network-wide ad blocking, but some ads (such as push notification spam) use the same domain name as the original site, so pihole can't block them, being just a DNS blacklist.
Constrained list of functions.
This could go a long way towards opening up the web to more extensions but also keeping it more secure.
I recently did a rev to the Polar chrome extension:
and I had to request a new permission for filtering and they're now taking a WEEK to approve any of my updates due to code review.
I really only need to evaluate a URL and add headers.
This doesn't need to be Turing complete.
I basically just need to take an HTTP response and headers if they're missing when a specific origin is set.
And what does Turing completeness have to do with security anyway?