Two days and a few lines of code is not what I’d call “extraordinary lengths”.
It’s more like “will Facebook really dedicate engineers to inserting features that its users are going to zap in almost no time?”
The movie theater isn’t going to download malware and fuck up my machine. Invalid comparison.
Christ, you’re really stretching to justify this to yourself, aren’t you? Listen, I get it, you don’t like ads. Or you’re worried about malware. Or whatever the next justification is. SO DON’T GO TO THE SITE. You know damn well those ads are paying for the writers and server/CDN cost.
Jeez, dude, chill out a little. No need for yelling just because you don’t understand what @TobinL is talking about.
Which is why there is a whitelist option. You whitelist all your regular websites. That’s the proper etiquette.
Do you, by any chance, watch the ads on a recorded TV episode?
The thing is I should not fucking have to be worried about it. When sites like NYTIMES.COM (which I actually pay to visit for the crossword thankyouverymuch) can serve up ads which compromise a machine, well, the ads get blocked till the main site dumps the ad provider for a better one or the ad providers clean up their act with no more crappy exploitable code and serious security practices.
Then help me understand. What do you think is going to happen if ad-supported sites can’t make money from ads? Sure, some of them will be able to make the jump to some other biz model. But a lot of them will just die. And the ones that are left will be from MegaCorp who will pay Verizon or whomever for a fast lane.
Not only that, how many ads are just plain scams that exploit less tech-savvy people?
Dude, the point is it doesn’t matter what their ad servers are doing. Ad servers are an easy target since ads are annoying. But what if Livefyre or Disqus get hacked-- are you going to rail on about blocking commenting engines since they’re an attack vector? What if Akamai or CloudFlare or L3 get hacked? Then you’re against CDN since it’s an attack vector? Imgur? Well, then we just lose Reddit so meh.
The problem isn’t the ad networks-- it’s browsers. If browsers are vulnerable, it doesn’t really matter where the injection comes from or where the exact XSS (edit: typing too fast, correctly pointed out to me this is a server-side issue) vulnerability lies. This game of ad whack-a-mole is happening with the malware authors too. If the ad networks cleaned up their shit, malware would just move onto a new vector.
Seconded. The fact that ad delivery networks don’t screen out malicious code is unconscionable. As a security practitioner, I can’t put it on my clients to “just not visit” sites such as NYT. I opt to suggest ad-blockers and NoScript to the end users, and DNS black-holing of ad domains for larger clients and the more technically savvy. If the ad networks want revenue, they need to clean up their acts.
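The “DNS black-holing of ad domains” mentioned above is usually done at the organisation’s recursive resolver: a list of ad/tracker domains is loaded, and any query for one of those names (or any name beneath it) is answered with a sink address instead of being resolved. The following is an added illustration, not code from the commenter or from any particular product: it parses a hosts-format blocklist, decides whether a queried name falls under a blocked zone (note that a suffix match must respect label boundaries, so `notads.example` is not caught by a rule for `ads.example`), and emits the equivalent Unbound `local-zone`/`local-data` directives. The blocklist contents and the `0.0.0.0` sink address are constructed for the example.

```python
"""Minimal DNS blackhole logic for an ad-domain blocklist (added example)."""
from typing import Iterable, List, Set

# Constructed sample blocklist in the common hosts-file format
# (sink IP, then domain, with optional comments).
SAMPLE_HOSTS_BLOCKLIST = """
# constructed sample list
0.0.0.0 ads.example
0.0.0.0 tracker.example.net   # tracking beacons
127.0.0.1 localhost           # entries for localhost are not ad domains
"""


def normalize(hostname: str) -> str:
    """Lower-case, strip whitespace and any trailing dot (FQDN form)."""
    return hostname.strip().rstrip(".").lower()


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Extract blocked domains from hosts-format lines, ignoring
    comments, blank lines and the localhost entry."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # hosts format: "<ip> <domain> [aliases...]"; plain domain lists also work
        names = parts[1:] if len(parts) > 1 else parts
        for name in names:
            n = normalize(name)
            if n and n != "localhost":
                blocked.add(n)
    return blocked


def is_blackholed(hostname: str, blocklist: Iterable[str]) -> bool:
    """True if hostname equals a blocked zone or lies beneath it.
    The leading dot in the suffix test keeps label boundaries intact,
    so 'notads.example' does not match a rule for 'ads.example'."""
    host = normalize(hostname)
    for blocked in blocklist:
        zone = normalize(blocked)
        if zone and (host == zone or host.endswith("." + zone)):
            return True
    return False


def unbound_local_zones(blocklist: Iterable[str], sink_ip: str = "0.0.0.0") -> List[str]:
    """Render Unbound config lines: a 'redirect' local-zone answers the
    zone and every subdomain with the given local-data record."""
    lines: List[str] = []
    for zone in sorted({normalize(b) for b in blocklist if normalize(b)}):
        lines.append(f'local-zone: "{zone}" redirect')
        lines.append(f'local-data: "{zone} A {sink_ip}"')
    return lines


if __name__ == "__main__":
    zones = parse_hosts_blocklist(SAMPLE_HOSTS_BLOCKLIST)
    for q in ["ads.example", "cdn.ads.example.", "notads.example", "www.example.org"]:
        print(f"{q:20} blackholed={is_blackholed(q, zones)}")
    print("\n".join(unbound_local_zones(zones)))
```

Loading the generated lines into the resolver config (for example via an `include:` file in `unbound.conf`) makes every client that uses that resolver sink the listed ad zones, which is why this scales to an organisation where per-browser extensions would not.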
But their floors are pretty sticky and gross, and I swear I caught something from a theater toilet, once.
[quote=“drpfenderson, post:7, topic:83250”]Yeeeep. Here’s Adblock Plus’ page about it.[/quote]Gee, they make it sound quite reasonable. If it weren’t for the question of resource consumption I would not discount them on that alone.
ETA: Then again, now that I think about it, there’s nothing in there that would particularly prohibit the likes of “One trick of a flat belly”, “Click here to download”, and other such undesirable content.
This is exactly what Boeing does. I could visit a lot of public sites that had boxes with malware alerts instead of ads.
If large companies have to do that to secure the internal network then the ad providers are really bad at the security thing.
uBlock has that already - just enable in the 3rd-party filters list. No need to install another extension.
Don’t forget to enable the Privacy ones, and I always hit the Social Annoyance/Blocking lists too, so those little share buttons don’t appear everywhere, as they track stuff as well.
It has nothing to do with them being attacked. It has to do with the model ad networks use. They currently bid on content within microseconds of users connecting to sites. The point is they don’t know what they are providing ahead of time. Unless people get on their cases, they have no incentive to verify that the code in the ads is benign.
It’s a completely different delivery model than blogs.
Well, despite all the rhetoric about it being bribes or whatever, Adblock Plus also puts some pretty strict limits on the nature of the ads that are let through… and the ads only get passed through to customers who have chosen to allow whitelisted ads (on the promise that they meet the adblock requirements).
I’d guess Facebook either doesn’t consider reaching only users who agree to the ads to be a worthwhile monetary investment, doesn’t think their ads will actually get through the standard requirements, or just out of pure pride and anger over someone else getting to be the gatekeeper. Probably a combination of all three.
Err… you do know that in Adblock Plus you can just turn that off, right? Frankly, I appreciate the feature, since I don’t want to fuck over every site that uses ads, just the ones that use shit ads.
Sure there is. It’s called “trespassing.”
I used to be more forgiving, and more willing to unblock sites that politely ask you to stop using the ad-blockers.
But now, you get malware embedded in the ads, you get sites trying to block you from them entirely if they detect you using an ad-blocker, you get shit like Forbes asking you to turn off your ad-blocker, only to serve ads with malware.
The bonds of trust are broken. So now I block ads without mercy.
Oh, and I use uBlock Origin as my adblocker - it’s faster and leaner than Adblock Plus, and in general works better.
XSS vulnerabilities are due to website vulnerability, not browser. Most sites affected by such vulnerabilities are quick to respond to them. Twitter self-retweeting, for example. Imgur did indeed have an XSS vulnerability that somebody was using to embed flash to DDOS 4chan and 8chan. They fixed it. CloudFlare has a whole blog section for vulnerabilities. https://blog.cloudflare.com/tag/vulnerabilities/
There have been Malware and Scams in online ads going on over a decade now. Nothing has been done about it. Ad networks have not cleaned up their act. “There’ll always be crime, so what’s the point locking your door” is not coherent.
Yes, I did know that, but they were still taking payments for whitelisting sites, and that did not sit well with me.