uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

go.usa.gov #13161

Closed mraonea closed 2 years ago

mraonea commented 2 years ago

Prerequisites

I tried to reproduce the issue when...

URL(s) where the issue occurs

go.usa.gov

Describe the issue

US Gov official URL shortener. Should not be blocked.

Found on Peter Lowe's list.

Screenshot(s)

No response

uBlock Origin version

-

Browser name and version

-

Settings

-

Notes

No response

mapx- commented 2 years ago

@pgl

pgl commented 2 years ago

It's a bounce tracker. No need for it other than to register people's clicks. If you're fine with that, add it to your allow list.

(I need to make this response a template or something...)

mraonea commented 2 years ago

By this reasoning all other URL shorteners should be added to the blocklist as well. Twitter's t.co, tinyurl, bit.ly, goo.gl, page.link (google firebase), youtu.be, w.wiki (wikimedia), ow.ly etc.

Don't understand the double standard here.

pgl commented 2 years ago

@mraonea That's a strange argument to convince me that it's not a bounce tracker. I fully admit to not hosting a complete list of all other bounce trackers, though. This isn't a double standard, it's an incomplete list.

I'm open to suggestions. Let me know, although it might take me some time to review them. pgl@yoyo.org or https://twitter.com/pgl or whatever.

ghost commented 2 years ago

@pgl Can you provide Lesser pgl's Ad and tracking server list that excludes bounce trackers for practical use?

pgl commented 2 years ago

@hirorpt No, but you can exclude any entry using the &skip[] query string parameter.

https://pgl.yoyo.org/as/formats.php#skip

ghost commented 2 years ago

My concern is that if you make a significant addition to the list, non-technical people will be much in trouble while the uAssets maintainer takes action about it. I want uBlock Origin to be an install-and-forget solution against malvertising and trackers that doesn't burden anyone with support requests.

pgl commented 2 years ago

OK, let me get this straight: people use my list to block trackers. t.co is a tracker and I've put it on my list. The frustration should be directed at the trackers, not myself.

I mean, of course I get it - it's problematic that links will stop working - but not because of my list, it's because people are blocking trackers.

Previously they didn't think (or were aware) about their link clicks being tracked. Now they know, and can make an informed decision about whether they want to continue.

Unfortunately I have to decide to include a domain because it's a tracker, or leave it out because it's used so much. Ironically, if it's used enough, people might stop using my list - so the more tracking that's happening, the less likely it is to be prevented. If the shorteners are primarily for tracking (eg go.usa.gov, t.co) then I will add them to my list. If they have other purposes (eg link sharing, “neat URLs” etc), then I won’t necessarily add them.

I don't want to compromise on including trackers because they're doing too much tracking. Hopefully this ends up in more people becoming aware that they're being tracked in the first place, but if people stop using my list then that's OK with me. I don't make any money from it and I don't police usage, I just maintain the data.

okiehsch commented 2 years ago

> I want uBlock Origin to be an install-and-forget solution

That is our aim as well, however one of Peter Lowe's list's stated goals is to block trackers, clearly the mentioned bounce trackers fit this policy and are valid entries. We will badfilter some of his entries - we always have, just check the uBO-unbreak references - to ensure a better user experience of this extension, which is independent of his list.

ghost commented 2 years ago

> Now they know, and can make an informed decision about whether they want to continue.

Unfortunately, it would not occur. They'll just say "wow, my ad-blocker blocks twitter links!". If you want to educate them, you will need to be more verbal rather than just blocking. This is not possible with uBlock Origin today. (Of course, also with DNS sinkholes!) Additionally, I believe privacy-sensitive people are already aware of tracking links such as t.co and have made their own decision even if you don't educate them.

Yuki2718 commented 2 years ago

https://github.com/uBlockOrigin/uAssets/pull/10149#issuecomment-951882664 TBH we haven't heard anything from @gorhill yet.

pgl commented 2 years ago

@hirorpt Probably the best thing to do if you disagree, is start a list of your own and have your own inclusion policy.

Yuki2718 commented 2 years ago

Or possibly the second best - notify us if you are to add a popular shortener like t.co. But at the end of the day it's your list and we are users of the list so you have no obligation at all (I'd note this time we're notified even though afterward).

pgl commented 2 years ago

Second best for @hirorpt perhaps

pgl commented 2 years ago

But I take your point, and will do my best to be considerate.

spodermenpls commented 2 years ago

@pgl Adding t.co to your hosts file is a problem, since every text link or Twitter Card (the embedded "preview" of a website mentioned in a Tweet) gets automatically transformed into a t.co'ed link. Blocking t.co as a whole therefore leads to every link inside a tweet or DM, that a user clicks on, getting blocked before the intended destination gets a chance to open (which is why it was flagged as "badfilter" in uAssets' "Unbreak" rules file already).

Since I am a frequent user of Twitter.com for a bunch of years by now, I've figured out that there are two ways to actually handle this nuisance:

If a user wants to solve the problem at the root, he/she has to use either the "Twitter Link Deobfuscator" extension (https://github.com/theAlinP/twitter-link-deobfuscator, Firefox-only at the moment) or the "Expand t.co-links" feature of the "GoodTwitter2" userscript (https://github.com/Bl4Cc4t/GoodTwitter2), which both replace the t.co'ed links with the actual hyperlinks, thus circumventing the middleman (TLD is able to do the injection automatically, GT2 does it after the first mouse-over hover, not for DMs (yet) though, unlike TLD, which is able to uncloak everything - unless there are fixes yet to be made, like in this minute).

On the other hand, the usage of uMatrix (what a pity that Raymond Hill sent it into the "unmaintained"-mode...) allows to defuse most of its tracking capabilities, too. The t.co "redirect stack" consists at the moment of 2 cookies, 1 image and 1 script. Since uMatrix only allows CSS and images to pass through by default, only the one image is a concern (I haven't analyzed it in detail, but I would bet it is a count pixel or something similar), therefore I've added the rule * t.co image block to block those images, which doesn't hinder the redirect to the actual website.

pgl commented 2 years ago

People affected by this have installed software that blocks trackers for them. It's a primary feature of that sort of thing.

t.co is a tracker.

okiehsch commented 2 years ago

> was flagged as "badfilter" in uAssets'

Just for clarification purposes, the "badfilter" syntax does not judge if a filter is "bad" or not. I added the filter because in my judgement it will degrade the experience for the majority of uBO users, they will think something is wrong and in the worst case disable uBO altogether. t.co is a tracker and a valid entry to Peter Lowe's list according to its policy.

stephenhawk8054 commented 2 years ago

@spodermenpls About uMatrix, as an extension doesn't have full control over cookies, I'm not sure if it can block all t.co cookies fully or not.

spodermenpls commented 2 years ago

> People affected by this have installed software that blocks trackers for them. It's a primary feature of that sort of thing.
>
> t.co is a tracker.

@pgl Yes, but people also use Twitter (otherwise, is there any other place where t.co is in use?) to open links inside of Tweets and DMs, which is one of the basic and essential features of that platform. My calculation is, the breakage of that "feature" for everyone is not worth the enhanced privacy of not ever running into t.co's middleman activities. This is not comparable to, say, Google Analytics, which adds nothing and blocking it removes nothing.

@stephenhawk8054 I am relying on this documentation: https://github.com/gorhill/uMatrix/wiki/Cookies

pgl commented 2 years ago

OK

spodermenpls commented 2 years ago

@pgl Your way of saying "agree to disagree", or what do you mean? 😄

pgl commented 2 years ago

I'm acknowledging your comment without continuing the discussion, because I feel that it's starting to go round in circles.

spodermenpls commented 2 years ago

Alright, as you prefer. Addendum: I've re-read your earlier comment (https://github.com/uBlockOrigin/uAssets/issues/13161#issuecomment-1125208034) a second time more patiently now, I see now that I've added some redundant points to the discussion, my bad. You stressing how some trackers "may be used too much", though, didn't convey your intentional decision on potentially breaking some features/"usability" of websites for the sake of being consistent in tracker hosts detection, which, at least in my humble experience as a user of your hosts list, is setting a precedent in this instance. I see the value in "informing" (albeit quite bluntly) the individual user about the intention of website XY to proceed with using a tracking service, as you explained it. Thanks for your time.

mraonea commented 2 years ago

Before the ublock "unbreak" list I just disabled the PGL list altogether because it always caused just issues and headaches due to overzealous rules or just plain misplaced domains, always breaking websites in subtle ways. I don't think it strikes a reasonable balance between user friendliness/annoyance and the purpose of it.

hosts lists are a bad approach anyway imo, and tbh I don't really understand the reasoning of having this ruleset as part of the defaults in ublock anyway, doesn't seem to really add any value in addition to easylist/tracking, just more issues.

It's always an approach of striking a balance between effectiveness and excessive breakage and my preference is to allow "tracking" in some amounts so that websites would at least work reasonably well without excessive annoyance to the user. I thought that is the default approach of ublock as well and I am happy to see it does seem to hold place.

I have to confess, I also use a cell phone even though it exposes me to constant tracking as well because that is a compromise I am willing to make, that's also why I use the internet in the first place.

I understand the reasoning of blocking short url providers as they practically always provide tracking of clicks (the whole point mainly being obfuscating the destination which in itself is suspect at best and tracking, they are rarely used for actually providing easy to type URLs), but I believe that practically everyone wants to reach the destination anyway and it is mainly just an annoyance in the way. You could argue that it makes the issue visible to the user but I'm not so sure if that actually really achieves the goal, kinda like the annoying EU cookie banners.

In any case you can get quite similar analytics/tracking of page visits without a URL shortener anyway so the point is quite moot imo.

MasterKia commented 1 year ago

The Go.USA.gov URL shortener service was retired on September 18, 2022.

pgl commented 1 year ago

> The Go.USA.gov URL shortener service was retired on September 18, 2022.

Interesting, because it's still being used as of 5h ago. The link in the tweet below still works as a redirect.

https://twitter.com/CBP/status/1668468301184245760
