arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

tracking protection (edit: and SB) - why exactly is it disabled? #102

Closed RoxKilly closed 7 years ago

RoxKilly commented 7 years ago

The implementation guide explains:

Tracking Protection (TP) and Safe Browsing (SB) are turned off (section 0400) -- We think you can do much better than this (wider scope, no over-reach / censorship)

Could someone please elaborate? Is the block because the browser has to connect to a remote server to download blocklists? @Thorin-Oakenpants do you operate under the assumption that this user.js must be used in conjunction with uBlock Origin? If this is meant for both uBO users and non-users, why disable TP?

Setting that aside, let me make the case for TP even for a uBO user like myself: For the vast majority of webpages, TP never plays a role because uBO blocks requests before they get to the TP code (see the last comment from link 3 below). So there is no additional burden on the browser and I don't see an additional privacy exposure (beyond the blocklist downloads).

In some cases, default uBO filter lists and settings let something through the cracks and TP actually catches it (eg: enable Tracking Protection and open this page as of May 4 2017). This is usually a tracking image of some sort. In those cases I'm glad to have TP on.

For Reference

  1. How TP works
  2. TP wiki
  3. TP authors' post -- the comments below the post yield a lot of useful info; for instance, although TP uses the SafeBrowsing protocol, there is no interaction with Google.

RoxKilly commented 7 years ago

I wrote earlier:

In some cases, my uBO filter lists and settings let something through the cracks and TP actually catches it. This is usually a tracking image of some sort...I don't use the Disconnect list in uBO, though I have EasyList, Peter Lowe's, and EasyPrivacy ON. These occurrences are rare though; the next time I run across one, if I remember, I'll post it here

I got a hit. Turn on Tracking Protection then open this page with default uBO settings. uBO would not protect the user, but the built-in TP does.

earthlng commented 7 years ago

@Gitoffthelawn wrote

From what I can tell, SB would have blocked the phishing scam

What makes you think that?

Google has blocked the account in the meantime, removed the fake pages, and pushed updates to Safe Browsing on top of all that.

I'm reading that as SB did NOT protect users. It would be interesting to know what updates they pushed, because I don't really understand atm what exactly the problem was.

@RoxKilly wrote

I got a hit.

Can't replicate. Fresh profile with default uBO and this user.js but with TP enabled: "No tracking elements detected on this page". What isn't blocked that should be blocked? And who said to use uBO with its default settings btw?

RoxKilly commented 7 years ago

@earthlng wrote:

Can't replicate. Fresh profile with default uBO and this user.js but with TP enabled: "No tracking elements detected on this page". What isn't blocked that should be blocked?

To replicate:

  1. start with fresh Firefox 53 profile
  2. Install uBlock Origin Add-On version 1.12.1 (current as of May 5 2017)
  3. In uBO settings >> 3rd-party filters, click "Update now" to download latest default lists
  4. Download the latest ghacks-user.js live master and place it in Firefox profile folder
  5. Change pref 0420 to user_pref("privacy.trackingprotection.enabled", true);
  6. Comment out the two prefs under 0410d because tracking protection relies on the safebrowsing API (maybe you forgot this step?)
    //user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
    //user_pref("browser.safebrowsing.provider.mozilla.updateURL", ""); 
  7. Save the file and restart the browser.
  8. Visit this page and you should get a Tracking Protection hit. The specific resource blocked is logged to the console.

Without TP, I would not have avoided this particular tracking mechanism. I get such a hit once or twice a week I think. If you don't get the same result, I suspect it's either because you skipped step 6 above or the Amazon server doesn't send the tracking bug to your PC, or your uBO settings aren't the default.

@earthlng wrote:

"Google has blocked the account in the meantime, removed the fake pages, and pushed updates to Safe Browsing on top of all that." I'm reading that as SB did NOT protect users. It would be interesting to know what updates they pushed, because I don't really understand atm what exactly the problem was.

You guys were discussing the benefits of the frequent update check by the SafeBrowsing engine as an advantage over uBO malware lists. I think the point @Gitoffthelawn made is that because Google pushed a fix to SB infrastructure within an hour of the exploit being public, and since SB checks for updates every hour, people who use SB for protection would have had a much shorter vulnerable window (the quick update would protect most people who actually receive and eventually open the phishing email) than people who use just uBO with this user.js (they would have been exposed until their next manual update I think).
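
Steps 5 and 6 of the replication procedure above depend on each other, and skipping step 6 leaves Tracking Protection enabled while the prefs it relies on are blanked. The following is an added example, not part of the original thread or of the user.js project: a small checker that reads a user.js, ignores commented-out prefs, and reports that mismatch. The function names and the sample excerpts are constructed for illustration; only the three pref names come from the thread, and only the double-quoted `user_pref` form is handled.

```python
import re

# Strings are matched first so "//" inside a URL value is not taken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
_PREF = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*'
                   r'("(?:\\.|[^"\\])*"|true|false|-?\d+)\s*\)\s*;')

TP = "privacy.trackingprotection.enabled"
SB_MOZILLA = ("browser.safebrowsing.provider.mozilla.gethashURL",
              "browser.safebrowsing.provider.mozilla.updateURL")

def active_prefs(text):
    """Return {name: value} for user_pref() calls that are not commented out."""
    code = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    prefs = {}
    for name, raw in _PREF.findall(code):
        if raw[0] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs  # a later user_pref() for the same name wins

def tp_findings(text):
    """List mismatches between enabling TP and the safebrowsing prefs."""
    prefs = active_prefs(text)
    findings = []
    if prefs.get(TP) is not True:
        findings.append(f"{TP} is not set to true")
    for name in SB_MOZILLA:
        if prefs.get(name) == "":
            findings.append(f"{name} is blanked, but TP relies on the safebrowsing API")
    return findings

# Constructed excerpts: step 5 applied without step 6, then with both applied.
STEP5_ONLY = '''
/* 0410d ***/
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
/* 0420 ***/
user_pref("privacy.trackingprotection.enabled", true);
'''
STEPS_5_AND_6 = STEP5_ONLY.replace('user_pref("browser.', '//user_pref("browser.')

if __name__ == "__main__":
    for label, text in (("step 5 only", STEP5_ONLY), ("steps 5 and 6", STEPS_5_AND_6)):
        print(label, "->", tp_findings(text) or "consistent")
```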

Gitoffthelawn commented 7 years ago

@RoxKilly wrote

You guys were discussing the benefits of the frequent update check by the SafeBrowsing engine as an advantage over uBO malware lists. I think the point @Gitoffthelawn made is that because Google pushed a fix to SB infrastructure within an hour of the exploit being public, and since SB checks for updates every hour, people who use SB for protection would have had a much shorter vulnerable window (the quick update would protect most people who actually receive and eventually open the phishing email) than people who use just uBO with this user.js (they would have been exposed until their next manual update I think).

Exactly. Your paraphrase of what I wrote made it much more clear though. :)

I think uBo would benefit from the ability to customize the list check interval. Actually, do you know if it checks lists for updates or always just downloads the most recent versions?

The downside, of course, is the additional traffic if too many people start asking for lists to be updated too frequently.. it would amount to a DDOS. But the number of people that would actually adjust such a setting would likely be minimal compared to the installed base.

Are the SB and TP lists available anywhere in a format compatible with uBo?

earthlng commented 7 years ago

@RoxKilly wrote

Comment out the two prefs under 0410d because tracking protection relies on the safebrowsing API (maybe you forgot this step?)

I did forget that, sorry. Ok so amazoncustomerservice.d2.sc.omtrdc.net is the tracker in this case. omtrdc.net is listed in the Adobe section of the TP list, and also in Dan Pollock’s hosts file in uBo/uM. So if you use more than only the default settings in uBO, OR also use uMatrix with its default settings, nothing slips through the cracks (for that site at least).

@Gitoffthelawn wrote

I think uBo would benefit from the ability to customize the list check interval.

https://github.com/gorhill/uBlock/wiki/Advanced-settings

Actually, do you know if it checks lists for updates or always just downloads the most recent versions?

afaik it checks a checksum file from gorhill's github repo before updating lists.

Are the SB and TP lists available anywhere in a format compatible with uBo?

Not that I know. The TP list could however easily be parsed and converted into a compatible format. idk if the same is possible for SB. Would this be the format we want ... ?

    ## AddThis
    ||addthis.com^$third-party
    ||addthiscdn.com^$third-party
    ||addthisedge.com^$third-party

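
The conversion suggested in the comment above, as an added example that is not from the thread or from uBO: it turns an entity-grouped blocklist into `||domain^$third-party` lines, writes each entity name as a `!` comment line, and drops any entry that is not a plain hostname so list data cannot smuggle filter options or exceptions into the output. The JSON layout (categories, then entity, then homepage URL, then a list of domains), the function name `tp_to_ubo` and the sample data are assumptions made for this example.

```python
import json
import re

# Plain hostname only: anything carrying filter syntax ("$", "^", "@@", ",",
# whitespace) is rejected instead of being copied into a rule.
_HOST = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def tp_to_ubo(blocklist_json, categories=None):
    """Convert an entity-grouped blocklist to uBO static filter lines."""
    data = json.loads(blocklist_json)
    lines, seen = [], set()
    for category, entities in data["categories"].items():
        if categories is not None and category not in categories:
            continue
        for entity in entities:
            for name, props in entity.items():
                rules = []
                for domains in props.values():
                    if not isinstance(domains, list):
                        continue  # ignore non-list metadata under an entity
                    for domain in domains:
                        host = str(domain).strip().lower().rstrip(".")
                        if len(host) > 253 or not _HOST.fullmatch(host):
                            continue
                        if host not in seen:
                            seen.add(host)
                            rules.append(f"||{host}^$third-party")
                if rules:
                    # Collapse whitespace so a name cannot start a new line.
                    lines.append("! " + " ".join(str(name).split()))
                    lines.extend(rules)
    return lines

# Constructed sample in the assumed layout; category names are made up.
SAMPLE = json.dumps({"categories": {
    "Advertising": [{"AddThis": {"http://www.addthis.com/": [
        "addthis.com", "addthiscdn.com", "addthisedge.com"]}}],
    "Analytics": [{"Adobe": {"http://www.adobe.com/": [
        "omtrdc.net", "OMTRDC.net.", "bad.example^$important", "@@||x.example"]}}],
}})

if __name__ == "__main__":
    print("\n".join(tp_to_ubo(SAMPLE)))
```
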
Atavic commented 7 years ago

FYI These lists have been implemented into Ubo Lists: https://github.com/chrisaljoudi/uBlock/issues/1406#issuecomment-105517545

RoxKilly commented 7 years ago

@Gitoffthelawn wrote:

Actually, do you know if it checks lists for updates or always just downloads the most recent versions?

@earthlng wrote:

afaik it checks a checksum file from gorhill's github repo before updating lists.

That may no longer be the case. I just came across this statement from gorhill from Jan 2017

uBO no longer uses checksums.txt resource hosted on GitHub to find out whether some specific assets have changed: the update logic is now completely time-based -- checksums.txt will be deprecated and will no longer be updated. Eventually in some future it will be removed from the repository

crssi commented 7 years ago

Interestingly, this very page/tracker is explicitly allowed on the following lists: EasyPrivacy (under uBo privacy), English filter, Spyware filter

Gitoffthelawn commented 7 years ago

Hmmm... Popular lists such as EasyList have a string at the top to indicate how often to perform updates. For example: ! Expires: 4 days (update frequency).

IIRC, popular blocking programs like AdBlock Plus and uBlock Origin (uBo) will not automatically update the list from its source until that time has expired.

IIRC, when a user of AdBlock Plus manually updates a list, it will force an update, overriding the value specified in the header. IIRC, uBlock Origin will not update the list in this situation, even if the user performs a manual update.

IIRC, in uBo, even if the user specifies a lower value by using the autoUpdatePeriod advanced setting, it will still not override the expiration interval. Thus, it will not perform a manual update.

In uBo the user can purge all uBo caches and then perform a manual update of every list. AFAIK, this will manually update the lists. AFAIK, in uBo, there is no obvious way to manually purge and update a single list before it has expired, which can be days.

That's a lot of IIRC and AFAIK, so you may want to confirm.

RoxKilly commented 7 years ago

@Thorin-Oakenpants

Consider writing out SB >> SafeBrowsing and TP >> Tracking Protection in your last post, because it's one of reference (almost like documentation). Also you've mistakenly used TB where you meant TP. You've done it a couple of times in this thread or in the VOTE thread, but on this last post I think it's important to get it right. It might be linked to a few times in the future and people who come directly to it may wonder what SB, TP and TB are until they scroll up etc...