Skip to content
This repository has been archived by the owner on Sep 9, 2022. It is now read-only.

Privacy issues

Jump to bottom
Gitoffthelawn edited this page Jun 17, 2015 · 1 revision
Intro

If you really care about privacy (not being tracked, data-mined, etc.), uBlock is a crutch (a good one, though), even with the EasyPrivacy list enabled (this is true for any content or ad blocker). If you want more than a good crutch, uMatrix or HTTP Switchboard can help: either gives you full disclosure and full control of what web pages do.

Settings

Unlike HTTP Switchboard (and possibly uMatrix), uBlock can't foil cookie headers. For privacy-minded users it is strongly suggested to:

  • Enable "Block third-party cookies and site data" in "Content settings" / "Cookies".
    • It works very well: see "Outbound cookies" in this benchmark results.
    • But this may break some sites. For instance, you won't be able to enter comments on Youtube.
    • Useful to know: the block also applies to local storages, not just cookies.
  • Enable "Click to play" in "Content settings" / "Plug-ins".
  • Disable "Predict network actions to improve page load performance", as this causes DNS queries to be made even for blocked network requests (see issue #232).
Chromium command-line switches

These Chromium command-line switches might be of interest to privacy-minded users:

  • --disable-component-extensions-with-background-pages
    • "Disable default component extensions with background pages" (ref)
    • This seems to prevent Hangout Services to be launched by the browser as a background process. Even in Chromium there is such a process launched even if you do not use Google's Hangout.
    • With other Chromium-based browsers, maybe more stuff would be disabled, you decide whether this is good or bad.
  • --disable-background-networking
    • "Disable several subsystems which run network requests in the background" (ref)
  • [add more switch of interests whenever new ones are found]

Another powerful command-line switch is:

  • --host-rules="MAP *.google-analytics.com 0.0.0.0","MAP *.googleadservices.com 0.0.0.0","MAP *.doubleclick.net 0.0.0.0","MAP *.googletagservices.com 0.0.0.0"
    • This switch maps those hostnames (or any other ones) to the IP address 0.0.0.0 (ref) and hence blocks them effectively (even on the Chrome webstore where extensions like uBlock are disabled).
    • However, note that blocking those hostnames with that switch might break some websites. That's why blocking them with uMatrix or HTTP Switchboard is preferable since you can whitelist them as exceptions for those websites which will not work without them. Alternatively, you can use the important filter option mentioned below.
Regarding EasyPrivacy

Using the EasyPrivacy list doesn't protect completely against Google Analytics. So if you were using Adblock Edge or Adblock Plus with the EasyPrivacy list (as recommended by the EFF), you might have thought you were protected against Google Analytics. This is not necessarily the case.

uBlock protects you more against Google Analytics out of the box, because it includes "Peter Lowe's Ad server" list. Yet, given that an exception filter may exist somewhere in one of the many lists, blocking Google Analytics (or any similarly ubiquitous hostname) is not possible with preset filter lists.

Overriding exception filters

However, in uBlock 0.5.5.0, a new filter option important was introduced that results in corresponding exception rules being ignored.

Example: Adding

||google-analytics.com^$important

to "Your filters" would block Google Analytics regardless of existing exception rules. You could restrict this rule to specific domains.

Example:

||google-analytics.com^$important,domain=example1.org|example2.org

Or to all third-parties.

Examples:

||facebook.com^$important,third-party
||linkedin.com^$important,third-party
Twitter widget

It is unclear why this one is not blocked by the Fanboy Annoyance list, as that list already blocks many other twitter widget-related items. If you use above list, and want to block more calls to twitter, you could add the following to your filters:

||platform.twitter.com/widgets.js$third-party

Gravatar (et al)

Each time you visit a site which puts cute little avatar images near a commenter's name, there may be a corresponding request to the Gravatar website, and the HTTP referer header likely contains the site you are visiting. If you want to reduce the tracking potential, you could add a filter such as:

||gravatar.com^$third-party

It is unclear if, and how often this breaks things. But it will help prevent your browsing habits from being disclosed to gravatar.com.

This applies to any domain which is ubiquitous enough; gravatar.com is just one example among many.

uMatrix or HTTP Switchboard are easy tools to deal with this, as blacklisting a ubiquitous domain is simply a matter of point and click.

Clone this wiki locally