Show HN: Detecting adblock, without JavaScript, by abusing HTTP 103 responses (github.com/mechazawa)
108 points by mechazawa 6 months ago | 199 comments



I wouldn't even mind ads if most sites weren't malicious with how they serve them. Do not make a new window pop up, do not try to download anything to my computer without my explicit instruction, do not make me click an x to view the content, do not interrupt the content to serve an ad. Why can't they just have a nice little ad on the left and/or right side of the page that doesn't interrupt my intake of their content? Heck, even on the top is fine.


Greed. Those kinds of ads pay more. Interrupting the content means they can sell the spot as something people will actually see because they are forced to.


More like desperation. The only real source of money online is ads sales. Nobody is making bank from putting ads on their site. They might be making enough for hosting.

Though I guess it could be described as greed on the part of the advertisers?


Yeah, it's greed. Greed by advertising networks, greed by the companies placing the ads, greed by the reader wanting unlimited content for free.


This is the most correct response, and the only one which acknowledges the role of the reader.


"Greed."

I think that's right.


The entire point of an ad is to make you notice. As you said you "don't mind", this is not something ads would want. It's a rising bar as people are starting to learn to ignore ads more and more subconsciously.


I've successfully removed ads from basically my whole life, but now when I do happen to see one I'm less conditioned to ignore it. So boy oh boy do I notice. I kind of hate it. My eye is immediately drawn to anything flashy or moving, to the point where I'll make an effort to sit facing away from any TV screen in a restaurant.


Animated banner ads were something I adapted to completely ignore during my time on the web 20 years ago. After that, a decade of ad-blockers softened my calluses and now when I see an animated banner ad on a news site I begin to twitch and spasm.


It’s the audio for me, in video ads. I cannot tolerate it well anymore.


I actually enjoy reading ads in enthusiast magazines (those few that remain for computing, gaming, musical instruments and technology, etc.)

It's a shame that magazines are mostly dead at this point. If you ever look at old computing magazines on the internet archive, it's like stepping into a rather wonderful alternate timeline before the web asteroid hit. (The irony of reading those magazines on the web is not lost on me.)


Well also many sites are now just absolutely covered with ads. Like it went from one on a page to now banner above, banner left and right, pop up video that has to be closed, two to three interstitial ads in the main content, like 2 dozen shitty taboola or similar "articles" popped on the end. Ugh.


Sounds like it might make sense to drop this early hints feature (whatever it is).

I wonder how much longer it will be before the next major escalation happens with ad blockers. I can imagine mainstream browsers that fetch unmodified pages and click ads in the background (to subvert pay-per-click ad business models and make it harder to compute targeting metrics), but then display an ad/tracking-free version in a separate rendering pipeline.


As far as I know, current ad blockers can't block ads from Widevine (DRM protected) streams, so I guess it's only a matter of time until the Chromium team comes up with Widevine for webpages and then it's game over for normal consumers.


Didn't they more or less try this with the Web Environment Integrity API? Luckily, people caught on quickly and caused enough backlash for them to abandon it - this time.

I'm not sure how things will work out the next time though.


At least we got some of my all-time favorite GitHub issues tho


Out of curiosity, could you post a couple?



While I know it's evil, I always wished Widevine was an option for creating captchas.

Most captcha solutions are defeated by services like 2captcha.net and generally aren't the most privacy respecting.


Most captcha solutions are also hard for me, but easy for computers to solve. So I really hope their use doesn’t get expanded even further…


"Select every tile with motorcycles", shows an image of a single motorcycle parked on the street. Does the sliver of a tire that shows up in the bottom right tile count, or not? This is never clear, and I end up usually getting it wrong until they show me one that's unambiguous.


"This is never clear, and I end up usually getting it wrong until they show me one that's unambiguous."

While those CAPTCHAs present a surface narrative of you having to get the problem correct, that's not how they really work. After all, it's not like they are creating those problems by hand. They're pushing the images through computers. You don't even know that what the CAPTCHA server considers correct is even close to objectively correct.

Really it's just a hook to engage you to collect a wide variety of streams to try to detect whether or not you are a human, like reaction speeds, how the mouse moves, etc. The correctness of your selection is only one small signal, and not even necessarily a large one.

The answer is, stop overthinking it. Your overthinking it is probably sending a signal that you're not a human because it's got all your timings wrong. Do what most humans do: Halfassedly click at the problem until it seems rightish and then click "Submit". Does the sliver of tire that shows up in the bottom right tile count? The human response to that question is "Who cares you dumb computer let me through to the content already", so, to maximize how human you look to the algorithm, channel your fellow human's feelings. If you feel frustrated at the CAPTCHA problem and wiggle your mouse angrily and maybe overshoot some of the squares you mean to click, so much the better and more human looking.


Interesting, I guess this explains why I can never "solve" the damn things on my desktop. I use an Ultimate Hacking Keyboard which has a mouse layer, so I control the mouse cursor with my keyboard. It means that my mouse always travels in either perfectly horizontal, perfectly vertical, or perfectly diagonal patterns, and at very different timings than a human using a traditional mouse would.

But, it pisses me off to no end that I can't use my fucking keyboard the way it is supposed to be used (which is a far superior design to the "normal" setup) to view some websites because it doesn't "look" human to the fucking server who expects me not to be a statistical outlier. As someone who has always been an outlier, I kind of hate the algorithmic future we live in and are headed even further toward. This is why we can't have nice things.


Gotta outsmart the algorithm by introducing some jiggle like at https://forum.ultimatehackingkeyboard.com/t/mouse-jiggler-ma...

The forum folks may be able to provide a solution.


Dude thank you! This is awesome :-)


> I can't use my fucking keyboard the way it is supposed to be used (which is a far superior design to the "normal" setup)

Surely this is just your preference and the setup isn't objectively better. I can see some people prefer moving a mouse with a keyboard, but they likely wouldn't be as quick/precise as people with an actual mouse.


a tutorial on how to be human on the internet


Putting Expert Human on my resume now, thanks.


The last time I got blocked by captcha I went through a dozen of them in a row before being told I wasn't human enough (possibly true after 30 years in IT!) and so on principle I reject all websites that include captcha. And anyway, why are we training these image recognition tools for free.


Were you trying to access archive.is using the CloudFlare DNS resolvers?


I used to have an internet connection from a small ISP that used carrier-grade NAT. Same issue. I think most of these captcha systems basically just look at IP or other reputation, and then make end-users do mechanical turk style work for free.

Someday, I'm hoping some sociologists look for evidence of socioeconomic discrimination in captcha implementations.

In my experience, performing the exact same actions with your mouse in Mountain View leads to a completely different outcome than it does in lower income areas (red-voting white, ethnic minorities, etc) surrounding the Bay Area.


I have never successfully gotten a “click all motorcycle squares” to succeed. With a VPN, nothing usually works until “click until there are no more X.” It’s so consistent that I’m pretty sure it’s designed that way, since the final task is time-gated.


> With a VPN, nothing usually works until [...]

Bots are very likely to use VPNs, so captcha services make things a real pain in the ass for anyone connecting from a VPN.

It's the same story with Tor. Coming from a VPN/Tor is a strong signal that you're more likely to be a malicious user.


I'm guessing they also use failed CAPTCHA statistics as more "proof" that those users are malicious. How much should we bet that each time I fail a CAPTCHA because it's utter shit, and happen to be on a VPN, somebody somewhere counts it as a "blocked bot" or "blocked attack"? I guess I don't want to know as it will probably make me angry.


ReCaptcha will serve you impossible captchas (as in it will always behave as incorrect even if the answer is correct) if it doesn't like you.


I've had 'click all the lettuces' - it told me I was wrong for not clicking on a cabbage


It's not comparing your response to some hard truth, it's comparing your response to a typical response. Sort of like how LLMs dish stuff out based on what's probable, not based on hard truth.

So when you fail, it's not really saying you're wrong, it's saying you're not like most.


I'm not helping. I always try to get a few wrong just to screw with their training.


On these captchas I used to sweat it but now I just think "fuck it" and don't overthink anything. And I always pass, perhaps for a variety of reasons secondary to the actual tiles selected


Which is mostly because computers are good at solving them. A DRM based captcha wouldn't have that issue in theory.


Widevine has already been reverse engineered. You just need to extract a device private key and there are numerous methods for doing so. "Web Environment Integrity" will never work.


It will not work to prevent someone from copying a webpage.

It will work to make ad-blocking difficult enough that most people don't bother anymore.


Widevine (or any other DRM-based "proof of human" solution) would be far less compute-freedom and privacy respecting than a captcha.

Hashcash[1] was invented two and a half decades ago and is still the best solution. It doesn't require manual work or user privacy invasion and deters mass spammers.

[1] https://en.m.wikipedia.org/wiki/Hashcash


Captchas can be forwarded to other people. Think of things like VNC.


I'd prefer to see proof-of-work based captchas. I'd much rather give up 10 minutes of CPU time for a token that can be revoked as soon as I actually use it for evil than give up all of my privacy (and two minutes of my personal time) for the privilege of using your annoying website.


Proof of work captchas are pretty hard to tune. You need it high enough to deter spammers (who can pre-compute and don't care about latency), but low enough not to deter real users on low powered devices who are using your site live and get more frustrated every second they have to wait.

It might work for spammers who really are just making billions of attempts, but then again if they are making that many attempts then you can block on the IP level.


This is basically how Apple does things. Instead of proof of work, they bake the tokens into devices.

The basic idea is that they'll happily let you sneak a few spam messages through iMessage if you're willing to spend a few hundred dollars on a burner iPhone. This is one reason why they're so resistant to allowing gateway protocols between iMessage and third party devices or RCS.


That is what that Cloudflare "checking your connection before proceeding" page is doing.


Spammers would actually prefer it I think. I think for each captcha solved, spammers are ready to pay more than real users (be it electricity or real money). They were already paying real humans before AI became good enough for solving captchas.


Spammers are probably not using their own computer or electricity, so this would be very attractive for them.


No, it would not. Spammers are still paying for the devices - most botnets are built and used (to spam) by different actors. Systems that require more computational power to spam take up more of their resources, making spamming significantly less profitable.


Depends on how much you want real users to spend per captcha in electricity cost. If say it is $1/captcha it would be untenable for real users. If it is 0.01 cent, it wouldn't hurt spammers' margins.


Yes, $1/captcha is clearly infeasible - it'd be far too slow, first of all.

I don't have any knowledge of what spammers' financials are like, but it's possible that even 0.01c/captcha would still be impactful if the click rate is low enough.

Probably the best way to start tuning the PoW difficulty is just by starting out with what users are willing to tolerate - e.g. 3s solve time on the median mobile device. The gap between mobile and desktop devices has significantly lessened over the past decade, so desktop-grade equipment won't have that much of an advantage - say 1s per captcha, which is a lot for a spammer who would otherwise be able to send out dozens of spam per second.

It's not about making spam impossible, but about making it unprofitable enough that the criminals go elsewhere. Economic warfare.


According to google search, captcha solving companies charge 0.3c per captcha[1], which basically translates to half an hour of PoW for a DigitalOcean instance. So if the PoW is less than half an hour, spammers would need to pay less with PoW.

[1]: https://2captcha.com/pricing
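The Hashcash idea mentioned earlier in the thread, and the tuning problem discussed just above, as an added example that is not part of any comment or of the linked project. The stamp format is a constructed simplification of Hashcash (version, difficulty bits, timestamp, resource, nonce), the resource names and timestamps are made up, and the calibration routine measures the machine it runs on. The verifier shows the checks a practitioner needs beyond "enough leading zero bits": a difficulty floor the client cannot lower, binding to the resource, a freshness window that caps precomputation, and a double-spend set so a stamp cannot be replayed.

```python
"""Hashcash-style proof-of-work for a form or login endpoint: mint, verify, calibrate.

Added example for this thread (not the linked project's code). The stamp
format is a constructed simplification of Hashcash:
    1:<bits>:<unix-ts>:<resource>:<nonce>
and is valid when SHA-256(stamp) starts with at least <bits> zero bits.
"""
import hashlib
import math
import statistics
import time
from typing import Optional, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def mint(resource: str, bits: int, now: Optional[float] = None) -> str:
    """Client side: try nonces until the hash clears the difficulty.

    Only the client pays this cost; the server does one hash to check it.
    """
    ts = int(time.time() if now is None else now)
    prefix = f"1:{bits}:{ts}:{resource}:"
    nonce = 0
    while True:
        stamp = f"{prefix}{nonce}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        nonce += 1


class StampVerifier:
    """Server side: difficulty floor, resource binding, freshness, and replay checks."""

    def __init__(self, min_bits: int, max_age_s: int = 300) -> None:
        self.min_bits = min_bits
        self.max_age_s = max_age_s
        self._seen: set = set()  # double-spend set; a real service needs a shared store with TTL

    def verify(self, stamp: str, resource: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        parts = stamp.split(":", 4)
        if len(parts) != 5 or parts[0] != "1":
            return False, "malformed"
        try:
            bits, ts = int(parts[1]), int(parts[2])
        except ValueError:
            return False, "malformed"
        if parts[3] != resource:
            return False, "wrong resource"      # stamp minted for some other site or form
        if bits < self.min_bits:
            return False, "difficulty too low"  # the client may not pick its own easy level
        if not (now - self.max_age_s <= ts <= now + 60):
            return False, "expired"             # caps how far ahead a spammer can precompute
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
            return False, "bad proof"
        if stamp in self._seen:
            return False, "replayed"
        self._seen.add(stamp)
        return True, "ok"


def calibrate_bits(target_seconds: float, sample_bits: int = 10) -> int:
    """Pick a difficulty whose median solve time on this machine is about target_seconds.

    A b-bit search is geometric with a median of ln(2) * 2**b hashes, so measure a
    cheap level, derive seconds per hash, and scale up. Run this on the slowest
    client hardware you intend to support, not on the server.
    """
    timings = []
    for i in range(5):
        start = time.perf_counter()
        mint(f"calibration-{i}", sample_bits, now=start)  # distinct stamp text per sample
        timings.append(time.perf_counter() - start)
    sec_per_hash = statistics.median(timings) / (math.log(2) * 2 ** sample_bits)
    bits = math.log2(target_seconds / (sec_per_hash * math.log(2)))
    return max(1, int(bits))


if __name__ == "__main__":
    verifier = StampVerifier(min_bits=16)
    token = mint("login", 16)
    print(token, verifier.verify(token, "login"))
    print("bits for ~3 s on this machine:", calibrate_bits(3.0))
```

Each extra bit doubles the expected work, which is why the thread's tuning argument is about a narrow band: the difficulty that costs a phone three seconds costs a desktop a fraction of that, and `calibrate_bits` only tells you about the hardware it ran on. The replay set is the part most often forgotten; without it a single solved stamp can be submitted as many times as the freshness window allows.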


Then I guess the value comes with the privacy and human-friendliness, then :)


Web filled to the brim with bot content isn't my idea of human friendly.


I'm not sure what comment you're replying to, but I think you got the wrong one. Nothing that I'm proposing results in a "web filled to the brim with bot content".


If an ad can be rendered on a page or if it uses audio it can be blocked. We have it easy right now with how trivial it has been to block ads, but we could face off against rendering and wiping them in real time if we need to.


Not really. Modern DRM uses Intel ME / AMD / ARM equivalent. These execute code the OS doesn’t have privilege to access.


Oh really, that's news to me. I thought one could always read the video frames one at a time.


Nope, it gets access to its own framebuffer that’s composited in the GPU. OS sees a black viewport, and only a black viewport.

The comms is encrypted on the bus using strong cryptography, so you can’t sniff it.

All these software blobs are signed and encrypted, you can’t replace it without the signing key.


Thanks for letting me know! Really interesting stuff.


> As far as I know, current ad blockers can't block ads from Widevine (DRM protected) streams, so I guess it's only a matter of time until Chromium team comes up with Widevine for webpages and then it's game over for normal consumers.

Only where the adverts are embedded with an encrypted single stream.

Hard to do targeted advertising that way though.

It is a lever that you can pull that's better than nothing though.


Most modern video formats allow you to splice multiple videos together without recompressing, so long as they use the same codec, resolution and framerate and you do it at an I-frame.

So long as you can run code on your CDN edge servers - which Youtube undoubtedly can - there's no technical reason this couldn't be done.


That'd be a good reason to finally break Widevine.


It's only a matter of time before I get an AI-fueled graphics overlay that eliminates anything that looks like an ad from my screen (click to reveal false positives), and then it's game over for advertisers.

Hopefully HDMI/HDCP splitters will add an adblock feature as well.


Until quantum computing becomes mainstream and then consumers can break drm on the fly!


You don't need quantum computing. You just need a debugger. The user already has the encryption key, else they would not be able to see the content.


Widevine has different levels. In level 1 & 2 the key is in a TPM.

Even for level 3, I can only imagine that the amount of obfuscation must be pretty intense.


"Post-Quantum" crypto is already being rolled out in expectation of that though.


They already tried with the Web Integrity Environment, but it wasn't very popular.


By the time that happens my hope is that we might have the new GPT-5 with personal agents curating information for us.


I already have a personal (NSA) agent that does this for me.


I'm not sure if I missed a joke about the NSA, or if there's a computer agent you use, in which case I'd love to hear about it.


Hmm... For example which sites?


Don't be evil.


Even without early hints, I assume you could do the same thing with the Link HTTP header.

Or if you really don't care about performance, just loading the start (e.g. <head>) of the document and wait a little bit to see which subresources are loaded.


Yep that also works, I've made a proof of concept for that ages ago https://github.com/Mechazawa/pixelAntiAdblock/blob/master/ap...


Yeah but the critical piece here is loading Early Hints happens before the HTML is sent to the browser. So the server can change the HTML of the page based on what the browser does. (I wonder about the performance impact of this though.)

Trying to detect adblock via a <link> (or an <img> or a <script> etc) means you have to do the check in javascript, which can be manipulated by the browser.


No, not necessarily.

With the Link HTTP header (different from the <link> tag) you just send the HTTP headers, but can still change the response body based on what the browser does.

Alternatively, by sending just the start of the document, then pausing, you can change the rest of the document based on what the browser does with the start, since browsers start loading css/js referenced in the document before the main document completes loading. (Before web sockets were a thing, this was basically the technique used for that sort of thing, called "long polling")

None of this requires javascript.
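The sequence described in the comments above (hint first, stall the body, choose the body by whether the hinted resource was requested) as an added example; it is not code from any commenter or from the linked project. It simulates the ordering of messages with asyncio rather than speaking HTTP, and the bait URL, request ids and the 50 ms window are constructed. The third client, which simply never acts on hints, is included because it is the caveat a practitioner cares about: it produces the same "adblock" verdict as a real blocker.

```python
"""Model of adblock detection from a preload hint, as described in the thread.

Added example, not the linked project's code. It simulates the message order
rather than speaking HTTP: the server emits a hint (a 103 Early Hints response
or a Link header) pointing at a bait URL, holds the body for a short window,
and picks the body depending on whether the bait was requested in that window.
All URLs, names and timings are constructed.
"""
import asyncio
from dataclasses import dataclass, field
from typing import Dict, Tuple

BAIT_URL = "/static/ads/banner.js"   # constructed; chosen so a typical blocklist matches it
HINT_WINDOW_S = 0.05                 # how long the server delays the final response


@dataclass
class Server:
    # request id -> event set when the bait for that request is fetched
    pending: Dict[str, asyncio.Event] = field(default_factory=dict)

    async def handle(self, req_id: str, client: "Client") -> str:
        bait_fetched = asyncio.Event()
        self.pending[req_id] = bait_fetched
        # 1. interim response, e.g. 103 Early Hints with Link: <bait>; rel=preload
        await client.on_hint(self, req_id, BAIT_URL)
        # 2. hold the final response until the bait is fetched or the window closes
        try:
            await asyncio.wait_for(bait_fetched.wait(), HINT_WINDOW_S)
            verdict = "no-adblock"
        except asyncio.TimeoutError:
            verdict = "adblock-suspected"
        finally:
            self.pending.pop(req_id, None)
        # 3. the body itself differs, so no script is needed on the client
        return f'<html><body data-verdict="{verdict}"></body></html>'

    def fetch(self, req_id: str, url: str) -> None:
        """A subresource request arriving at the server."""
        if url == BAIT_URL and req_id in self.pending:
            self.pending[req_id].set()


@dataclass
class Client:
    blocklist: Tuple[str, ...] = ()
    honors_hints: bool = True   # a client that ignores hints looks exactly like a blocker

    async def on_hint(self, server: Server, req_id: str, url: str) -> None:
        if not self.honors_hints:
            return
        if any(pattern in url for pattern in self.blocklist):
            return   # the blocker drops the preload before it leaves the browser

        async def fetch_later() -> None:
            await asyncio.sleep(0.01)   # stand-in for the subresource round trip
            server.fetch(req_id, url)

        asyncio.create_task(fetch_later())


def verdict_for(client: Client) -> str:
    """Run one page load and return the verdict the server baked into the body."""
    body = asyncio.run(Server().handle("req-1", client))
    return body.split('"')[1]


if __name__ == "__main__":
    print("plain browser:   ", verdict_for(Client()))
    print("with blocklist:  ", verdict_for(Client(blocklist=("/ads/",))))
    print("ignores hints:   ", verdict_for(Client(honors_hints=False)))
```

Two things follow from the model. The signal is ambiguous: anything that does not act on preload hints (an older browser, a text-mode client, a crawler) is scored as a blocker, so the server cannot tell "blocked" from "never fetched". And the window is paid by every visitor, since the final response is held back for its full length whenever the bait does not arrive, which is the performance cost raised earlier in the thread.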


You can send some content (<link>) and then wait for something else to happen (prefetch) before you continue sending the rest of the content (the page).


AdNauseam does just that. It clicks the ads before blocking them (possible to whitelist non-tracking ads). It's a fork of uBlock and what I replaced uBlock with on my phone and PC.

Sadly, it doesn't do clicking in the private browsing mode, which I usually use not to crowd the browsing history with hn and other forums' articles.


Are you sure you haven't just forgotten to enable the extension in private browsing? Their FAQ suggests that you can enable it for private browsing, but it's not on by default.


I'd be worried I'd get blacklisted by cloudflare etc with maximum prejudice.


I don't understand how this feature even came to be. Presumably these resources are cached (it's going to be used for static resources; for dynamic ones, you'd need to have already performed the request on the server to figure out what to send, so you'd just send the response). So what, you're saving 5 ms off the first page load? Assuming it's not already a static response, in which case again you'd just send it.


Given the web industry's obsession over reducing TTFB as much as possible, I bet no one would use these tricks to avoid tanking their web vitals score.


TTFB's role in the overall time to a usable web page has dramatically decreased. Instead of being the primary driver in display of mostly static sites, the role is smaller now due to the increased compilation/execution time of client code.


Meta and Apple are pushing their AR (advertising required) goggles because they are locked-down systems where it is even more difficult to block ads.


Safari on visionOS supports Content Blockers and extensions just like on every other platform. In what sense is visionOS any different from iOS or macOS in this regard?

EDIT: I suppose the developer of the content blocker needs to already have an iPad version and check the “visionOS” box, but Apple has made this extremely easy and it’s in both Apple and the content blockers’ interest to release a visionOS version.


"Content blockers" are trivial to bypass though. It's a half-assed "solution".


In 9 years of using content blockers I've come across I think one site that eventually prevented ad blocking without resorting to JS: YouTube.

That's it. I've occasionally had to add a custom blocking pattern but essentially nothing else has been impossible to block.

I can't think of many other "half assed solutions" that have worked as advertised for almost a decade.


What do you mean? Safari also supports regular WebExtensions for advanced blocking. I truly don’t know what you’re referring to.


It's even more limited than MV3, let alone MV2


We're all complaining and blaming the big corporations for the pitiful state the internet has got to now, but it seems we are all contributing our little bit to bring it even lower. Because corporations pay, I know, but we are the ones pulling the trigger.


The internet was just fine before it was turned into an ad delivery platform.


What year would that have been? The first dot com boom and bust was entirely ad-driven, and before that, the internet wasn't much of an internet.


Yep, when I created my first website in the mid 90s, ads were definitely already a thing. It was pretty bad even, worse than nowadays because there weren't any adblockers and ads would abuse the living hell out of frames and popup windows.


If you do not like the ads, just stop visiting sites that show ads...


If there is competition offering ad-free services, this would be an option. But for large parts, there isn't.


If food was free, no one would pay for it. But it isn't free.


If you want the analogy to make sense, you have to specify a particular method of paying. At which point it becomes obvious that most places selling food let you use multiple alternatives. Websites usually don't give you a choice.


You can buy ad free services for a lot of them. Few pay.


On the other hand, surprisingly few "ad-free" service tiers turn out to actually be ad-free, which tends to undermine the whole concept. It's extremely common to get various kinds of "special" promotions that don't go through the standard ad platform. Sites have been known to forget the premium option when A/B testing changes to ad placements. Multiple streaming services have ads on some shows even on their top "ad-free" tier (I think because the ad buy was with the original studio/network and is written into the show's distribution contract). Several marketing gurus have figured out ways to game social media networks to make "non-advertising" posts featuring their brands go viral (see e.g. the fad of "weird brand Twitter").


Yep, thanks Paramount Plus aka CBS All Access. I paid for ad-free, yet for some reason still see ads (previews/promotions for Paramount content). Fortunately I cancelled because their app would let me watch Star Trek Picard and Discovery, but it kept fluctuating colors from heavy green to purple. It only happened on the newer shows, not on the older Star Treks. My best guess is that the DRM thinks something weird might be going on, but it's just a plain Chromecast with Google TV. Making the user experience for paying customers suck is what leads to people going elsewhere...


I'm sorry; this is absolutely beside the point, but I can't resist:

> it kept fluctuating colors from heavy green to purple

"We put green and purple in great barrel [...]. We reach in, we take." [1]

"Rules change... caught up in committee." [2]

[1] https://www.youtube.com/watch?v=AcBTOU7RvbU

[2] https://www.youtube.com/watch?v=wFkZgxtlcws


Price thing: no one can afford to pay "a latte per month" for every site they visit.

Trust thing: the site is likely to still spy on you even if you're a paid subscriber. Even if they drop ads they'll send your data to google or some other analytics provider, at the least. They'll "accidentally reset" your email preferences. Plus other shenanigans *.

Infrequency thing: I won't subscribe to $SOME_SITE just because it's linked on HN a couple times per year.

* friend of mine said he's tempted to subscribe to the economist online. I pointed out that they need to call or talk to a rep over live chat to cancel. Friend stopped mentioning subscribing to the economist.


I managed to subscribe at a really good annual rate vs. list through some online aggregator, where they pre-warn me of renewal and rate changes to let me cancel if I want. I don’t remember what it was without searching my email, so not shilling for them in any way, but there are methods.

That said, yeah, no one can reasonably afford the constant “I just want to read this one linked article twice a year on your local community news” turning into “subscribe for $120 a year after $1 for your first month”, and we really need some middle ground.

Unfortunately, people have an aversion, a hard aversion, to anything that’s not “zero” or “fixed”. I discovered it with Kagi, for example: despite whatever number of searches you find yourself actually running, having only “x per month” means you have to think about it, until you’re just like “pay the unlimited price and put the cost of thinking about it on them”.

Maybe with news the best way would be some kind of micro transaction, but all attempts so far have failed…


> Maybe with news the best way would be some kind of micro transaction, but all attempts so far have failed…

It's hard. I wouldn't pay a subscription to a micro transaction middle man, for example. Unless it would work like a music service, i.e. have everything available for one price, and not like a video service with their islands and attempts to differentiate.

But if they had everything, you'd end up with a gatekeeper that decides who can make money and who can't, and that ends up as censorship. If such a service ever comes up, I want to be able to pay for any site with it, including porn, right wing propaganda and left wing propaganda if I so choose. And that ain't going to happen.

Now suppose there would be competing services where you could pay 5 cents for an article read, and they'd bill you when you reach $10 or something for the transaction fees to make sense. That's okay, you pay per read, you can have accounts with several middle men because you pay per use.

But what do you pay for? One read? What if something comes up and you can't finish? Will you be able to save it for later reading or will that cost extra?

Perpetual access? With per-article access control that's going to be a major database after a while. Hard problem technically.

And I've only begun to think about it...


There is this thing called Zette: https://www.zette.ai/ - 30 cents per article on about a hundred (so far) big newspapers. However it's not working for EU/Switzerland because of data protection rules (what are they doing with your personal data???) and their FAQ site is broken, so I wouldn't even bother.


Lol 30 cents. When they quit trying to lead you into a subscription, they'll get people paying reasonable microtransactions.


Fixed is great, it just needs to apply to a lot of sites.

Google was playing around with ad-replacement purchases, but they never made a version that does the same thing as youtube: pay X and all the google ads go away.


Yeah, I pay for Windows because that way, I can trust that Microsoft will treat me right, unlike Linux, which I'm sure is infested with ads.


Frustratingly, even when you pay handsomely for subscriptions to major news providers, they still show ads (and quite a lot of them). A few are willing to sell you an ad-free subscription if you can establish a connection to the EU, but those seem to be thin on the ground.


I really and truly do wish this wasn't true, but it is. Part of this is because we've built an expectation that the only thing one needs to pay for to use services connected on the Internet is access, and once access is paid for, the problem is solved.

But that's not the case. Products cost money, and we've established a pattern of free to play to freemium for much of the most popular services. This could change, but it would take the major players to flip the script, and they've invested so much into ad systems that they'd be hard pressed to abandon it.


> The internet was just fine before it was turned into an ad delivery platform.

This is the comment I replied to. Apparently the old internet was fine, so what kind of "competition" are you looking for? YouTube gives you easy access to content you would have to spend hours trying to locate on the "old" internet.

If you do not like their content, simply stop using their site. But it is immoral to pretend like it is OK to abuse their site, and deliberately hide their advertisements that keep their site alive.


Are you also okay with sites running crypto miners while they're open without having received your prior consent as a way to monetize? How about if they install a service worker in case you close the tab before doing sufficient mining to pay what they think is fair?

Personally, I run malware blockers by default, so I don't know which sites are trying to send it to me to avoid visiting them. I couldn't tell you whether e.g. the github link in OP has ads. I see some stuff gets blocked, so I guess maybe? I figured they monetize through upselling their enterprise offerings, but I guess it is Microsoft and their OS has ads built in these days, so wouldn't surprise me.


What has that got to do with anything?

"I don't mind driving the speed limit"

"BUT ARE YOU ALSO OKAY WITH MURDER???"


Because they both involve non-consensually using your computer for something you didn't want it to do as a form of "payment" you didn't agree to? In fact my point is I didn't see why you would ever consider crypto mining to be murder in this analogy. Crypto mining only uses your computer to do some pure computations and send the other party the result. It does not exfiltrate your private information or stalk you. It does not facilitate scams. It is obviously vastly more ethical than drive-by adware, which uses your computing resources and does those other bad things, but for some reason you don't find people defending crypto miners very often, while you do find them defending ads (I suppose because they participate in adware/spyware delivery somehow, so they're not interested in examining their own actions).

How can you justify it being okay to send drive-by adware and spyware with a requested web page, but you believe it's not okay to use computation as a form of payment without consent?

Personally, I've only ever worked for companies that make money by having our customers pay us for the product or service that I work on, so I've never had to worry about that conflict of interest.


If the ads would be self-hosted and properly curated by the hosting site I wouldn't have a problem with them (just as I don't have much of a problem with print or tv ads). The specific problem with web ads is that most of the web made a deal with the devil: 3rd-party ad-networks which are directly injecting who-knows-what into webpages. Those ads are not just cheap click-bait-trash, but also potential malware vectors. At that point, ad-blocking essentially becomes a civil duty ;)

...and FWIW the use of ad-blockers is indeed recommended by the German "Federal Office for Security in Information Technology":

https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbr...


The US federal government also officially recommends using an ad blocker to protect oneself from e.g. ransomware and fraud, and has issued a warning that online ads are being used for those things:

https://www.ic3.gov/Media/Y2022/PSA221221


Don't forget sites load 3x faster with an ad blocker on...


It's not really practical to know in advance whether any random site will invite me to view an ad; it's easier to just decline such invitations when they come.


But it's not just ads: that's disingenuous by understating the impact. It's the entire tracking, data broker, ad marketplace, surveillance capitalism ecosystem. This ecosystem causes immense harm in global climate, ruins lives, delivers malware, violates privacy, and supports authoritarian overreach.

Ads might be fine, a pinch of annoyance.

And yes I pay for my content thank you.


This is why EU legislators have made the "cookie law". The site will tell you that they are using ads, and you are free to just leave. the. site. Stop mooching off people's hard work by killing their only source of revenue, ad blockers are immoral


> Stop mooching off people's hard work by killing their only source of revenue, ad blockers are immoral

What hard work? Most of the time it's "content" written by minimum (African) wage "copywriters"*. We are drowned in a deluge of shit, so excuse us when we don't trust anyone.

Also, I believe you have no idea what the "cookie law" is about.

* soon to be replaced with "content" that is LLM generated.


Are you OK if I just stop viewing the ads?


Aren't we all paying for it anyway when we buy products from companies that spend that money on advertising?


Yes, of course. Someone already paid [1] for the ads that they are trying to show to you and me and with that for the content funded with those ads. If we block them, nobody loses any money, at worst some future sales will not happen. And if you decide to get a subscription in order to get rid of ads, then you are paying twice - once with the subscription and you are also still paying a fraction of the ad budget with everything you buy.

[1] Unless companies are taking out loans for their ad budget hoping to get that money and then some back through additional sales.


But also because we refuse to pay. Any attempt at monetization is widely demonized, yet people still feel entitled to free content, and refuse to put their money where their mouth is and at least abstain from consuming the content if they really don't think it's worth the price.

It's funny how scarce the "I'd be willing to pay for good content, but alas, there is no option" claim has become since websites have started widely implementing paid ad-free accounts or outright paywalls.

I've never seen someone angry that a supermarket won't give them a newspaper for free, but when it's online this is apparently a valid complaint.


I am willing to pay for good content, and do, but still often have little choice. E.g. I can't pay for google maps without ads. And no, it's not a reasonable take to suggest I not use any map app.

I also pay for online news, AND STILL GET ADS, so fuck that I block them. It's still the case today that most of the time you do not have an option to pay to get rid of ads, and often when you do it's some ludicrous amount like $10 a month for some blog you might read three times a year.

Part of being able to pay for content is to come up with a fair price for it.


How do Kagi and Apple Maps factor in to your "can't pay for google maps without ads" assessment?


I pay for and use Kagi. Apple Maps uses yelp which makes it useless for actually checking reviews of places. Kagi reviews link to other sources with ads.

edit: and I hope you're not implying that all people who don't want ads should buy an iphone just to use an app tied to it? Again, there needs to be fair alternatives to ads.


I didn't realize that you were coming at it from a review angle, I was thinking of the "turn left at Subway" sort of advertising in Google Maps.

I'm not trying to imply anything, I just personally use two ad free map services that you seemed unaware of.


I'd say at least 80% of my maps usage is looking for restaurants or coffee shops and checking their reviews. Directions are maybe 20% or less. Apple has come a long way and their maps are good for directions, but not a good fit for the argument that the general public has little access to good alternatives to ad-based maps.

I assume kagi is based on open-street maps, I use kagi but not their maps as I have better alternatives. I really hope Kagi continues to succeed because its a model I believe in, but outside of basic search I suspect they have a ways to go.


Paying will at best temporarily stop ads, until the company wants more money and brings them back. Which we've already seen. And it will not stop aggressive user tracking at all. In fact, it will make the latter worse for you on the individual level as it requires doxing yourself to pay and sorts you into the "has money" bucket which makes you a juicier target.


Yeah, it's a mistake to think of this as a simple "just buy an apple from a different stall in the marketplace" situation, we're way past that.

To bring it towards alignment with the status-quo, every fruit-vendor would be a facet of a few massive guildhalls, with spyglasses trained down from the parapets, informants circulating in the crowd, a parchment file on everyone, etc.


On the inverse, just because a business relies on ads doesn't mean it won't start charging money for certain things.

Businesses are always changing and there are no guarantees. Some money hungry bozo might become CEO of your favorite product and enshittify it. That's just reality, and it doesn't mean that paying for things is futile. Best to avoid having too many eggs in one basket and paying for things that you can't actually own.


Maybe we will see a fractionation between businesses that use the free but ad-supported model and the pay-based model.

Recently, the investment platform M1 Finance decided to begin charging users with less than $10,000 in holdings $3 per month to use their service while giving everyone access to features that used to be only available in the premium plan. This has all been announced in advance, so it's not as if anyone should have been surprised about this.

Many users, virtually all of whom have a total of holdings below the $10k threshold, flipped their shit and have claimed they are leaving the platform. Ironically, many of them are suggesting alternatives that cost more than $3 a month, and I'd wager a guess that a lot of these people are spending way more than that buying coffees every day. No one has to like having to pay for something that used to be free to them, but one really has to question their life if paying $3 for something that used to cost more than that per trade and require a lump sum up front is something to throw a fit over. If you have just shy of $10k in investments, you're not gonna retire, and $3 a month is the least of your worries.

In my opinion, M1 is doing the right thing by saying goodbye to these users. They are the types who won't value your product, maintain chronically low balances, and will tie up your customer support with spurious complaints and misunderstandings. I predict they will be rewarded for keeping around customers who are willing to pay.

Hopefully, more online platforms figure this out and decide to do the same thing. I call BS on those claiming "no one will pay for that." If your business is only viable on attention, which is what the ad economy is based on, then its existence is in a precarious position, and perhaps your product isn't worth much to anyone except the ad networks. On the other hand, there are things that people are willing to pay for, or would pay for if given a premium experience. I've gone from watching stuff for free on YouTube to buying books and audiobooks because they provide far more value to me these days than the chum that is social media "content." I pay individual creators I appreciate on Patreon, etc. I have a Kagi subscription because I find it to be more aligned with my wants and needs than free search engines. I've gone back to buying individual songs and even buying CDs since they not only disappear from platforms but now there are artists that change their own songs retroactively. I pay my investment platform because it has better automation than competing free (or so-called free) competitors.

Everything being free online is a meme, and hopefully it starts to die the more that the sphere of free things eats itself with spam and user-hostile behavior. They will always exist for those who have barely any money or those who don't value the conveniences bestowed upon them, but they can't be the only viable options anymore. Paying for things is a good thing.


My first question was "Why would someone do this and release it?" but it looks like they answered that question at the end of the README. :(


Classic security philosophical conundrum. Do you let the black hats figure it out on their own and weaponize it, or do you have a white hat figure it out and release it so it's common knowledge to the world?


Is this already being exploited by any sites in the wild? If not, then I kind of wish that it would have been privately reported to Mozilla and the major ad blocker developers to give them time to patch it.


I definitely see your perspective here, but it also seems like something that isn't likely to be used. There's already good JS ways of detecting ad blockers that don't require nearly as much work.

To take advantage of this, you'd need to alter your web application so that it'd do a two-stage rendering. Most web apps don't even stream their content (rather they wait until the whole content is ready, whether HTML or JS, and then send the whole thing). Your app needs to first send the HTTP 103 with the stuff to pre-fetch. Then it has to wait while holding the state and content it wants to push to the user.

The longer you're holding that stuff in RAM, the fewer requests you can handle per second. Let's say you can handle 100 simultaneous requests and usually a request takes 10ms. Now you've handled that request and you're holding the response for 500ms to see if they hit the no-adblock-detector before sending the rest of the content. All of your Safari/iPhone users hate your website because every page load takes half a second. Awesome, you've pissed off the richest demographic browsing your website. You're paying more for server resources because you're holding onto state longer instead of getting the response to the user and freeing up that RAM so the requests per second you can handle drops. Ok, maybe you look at user agent and only use this technique for Firefox since that's the only browser it's effective with.

In the demo, the DeferredInvoker basically generates a random string and associates it with a request (Map<string, request-response-thing>). Then when a request comes in for the no-adblock-detector, it looks up which request-response-thing is associated with the random string and sends the response to the user. If it doesn't receive a request for a string within a timeout, it'll send the response as adblock-detected. Of course, this only works for a single server since it's an in-memory map.

How do we get it to work in a multi-server environment? Ok, we store "ABCDEF123" in a data store and hold the response until we see the request for "ABCDEF123" on the no-adblock-detector. Do we use listen/notify in PostgreSQL? I mean, at some point we're adding a lot of overhead for these requests. I have to store on my server "ABCDEF123" goes with request/response X and then I have to listen to the database to see if another server has received a request for "ABCDEF123" and that other server needs to do a database write. These can't be database writes that can be batched or deferred because the user is literally seeing the page wait to load on this database write.

It's not impossible to exploit, but it requires real engineering for any company that has horizontally scaled anything to multiple web servers. You can't just drop it in easily. And while we might hate ads and there are concerning things about ads with respect to privacy and many other things, it isn't a security vulnerability. It's certainly interesting, but I can't see a company putting resources into this.


Mozilla says the following about HTTP 103 Early Hints:

> Note: For compatibility reasons it is recommended to only send HTTP 103 Early Hints responses over HTTP/2 or later, unless the client is known to handle informational responses correctly.

> Most browsers limit support to HTTP/2 or later for this reason.


This makes sense, but I guess adblockers could just start loading the data and not show it to the user?


Part of the goal of content blocking is to reduce network traffic, so that's not an ideal outcome.


> Part of the goal of content blocking is to reduce network traffic, so that's not an ideal outcome.

Not in the short term, no. But, maybe in the long term ...

Remember that the user is not the customer. The customer is the person buying the ad space from google/facebook/etc. If the customer receives no value for their money, and they can easily determine that, why would they continue purchasing ads?

If every browser downloaded and clicked every single ad in an invisible background and sandboxed process, ads become close to worthless to the customer.

So, sure, in the short term there'd be extra processing and network usage, but that would quickly taper off as customers stopped buying ads because every single ad they put out gets a 100% click-rate. After a while the extra utilisation would be close to zero, as it would only be the occasional customer trying their luck at advertising, and failing immediately.

It's the same with spam email: the solution isn't to block, and keep lists and reputation, the solution is to reply to every single spam email![1] Even the most well-run spamming/scamming organisation can't very well reply to millions of emails rxed per hour.

[1] Caveat: need to ensure that the sending email did indeed legitimately send the email, otherwise a few clowns would simply send spam with someone else's email as a prank.


It would still achieve the primary goal.


As an adblock user, reduction of network traffic is of very minor benefit to me.

I block ads because I find them annoying.


Wasn't this basically what AdBlock Plus did back in the day?

Load a page and replace everything that matched with an empty div when rendering.


You would still get the resources loading. So both the extra usage of a metered/limited bandwidth and the tracking.


Prefetching is a low-priority operation in general, so you can't rely on the fact that prefetching happens earlier than the page loading (the diagram is quite misleading in this aspect). Therefore one alternative might be to start loading prefetched but blocked resources but arbitrarily delay it until the page loading finishes, at which time blocked connections get closed.


Can this also be solved by completely blocking early hints?


Or just not ad blocking early hints, as Chrome seems to do.


For people on metered Internet connections, that gives up a lot of the benefit of having an ad blocker at all.


Could run the ad blocker as a MITM proxy on an unmetered fast connection (e.g. residential), and it serves the lightweight modified version over your metered slow connection (e.g. mobile).


Probably too unreliable to use in real life - for example, I suspect many crappy corporate proxies will block HTTP 103 responses as some unknown danger.


Unfortunately, it can be used opportunistically, as the readme says:

> Browsers that do not fully support early hints can be easily detected by adding a harmless dummy resource to preload that will not be blocked by adblockers.


Unfortunately nobody cares enough about Firefox users to bother in the first place.


TIL about HTTP 103, that's pretty neat.

It seems pretty easy to mitigate this by always loading the early hints though, as in Firefox should adopt Chrome's approach as described in the README.


Haha. The copyright license is a parody of the MIT license [1]:

> Copyright (c) 2024 Mechazawa

> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software with specific restrictions, provided that the user intends to use the Software explicitly FOR the purposes of evil or advancing evil, including but not limited to:

> Genocide, Wanton Destruction, Fraud, Nuclear/Biological/Chemical Terrorism, Harassment, Prejudice, Slavery, Disfigurement, Brainwashing, Ponzi Schemes and/or the Destruction of Earth itself,

> with this, including without limitation the rights to copy, modify, merge, publish, distribute, sublicense, sell and/or run copies Software or any executable binaries built from the source code.

HN converts single newlines into spaces. The license text on Github [1] has apparently intentionally obstructive newlines within the "paragraphs".

[1] https://github.com/Mechazawa/103-early-anti-adblock/blob/mas...


haha, that would've been so incredibly funny... if I was still 15 years old :)

maybe I'm growing old and grumpy, but at a state of affairs where active genocides are going on, I just find that immature and callous. By "that", maybe I mean Dutch attempts to humour ;)


I really wish the pay-with-compute model stuck.

Lending webpages some CPU-cycles (probably to mine crypto) in a controlled and safe way would be a win-win(-win) situation.

Websites won't have to submit to their advertising overlords and still be able to incrementally monetize their content.

Users won't have to deal with the downgraded experience — while sacrificing compute cycles anyway to download and display the awful ads.

Even advertisers would win, as they won't have to deal with content farms trying to fake impressions and clicks.


You'd need someone willing to actually buy the cryptocurrency generated from nothing on the other side of that transaction.


Facebook earns $68/user/month[1]. Even if we assume electricity is free, crypto won't come anywhere close on even high end cpu.

[1]: https://i0.wp.com/fourweekmba.com/wp-content/uploads/2024/02...


Doesn't really work out for anyone running on battery.


If done right, this might actually be more energy efficient than having to download and render all those unoptimized ads.


The way it works right now is already efficient. The adblock-enabled browser doesn't spend energy on rendering ads. If the website then blocks the user from the content then the user leaves.


I'd be interested to see a calculation on how much value could be extracted from the same amount of CPU cycles mining crypto - my gut feeling is it would be orders of magnitude smaller.


This! I'm actually amazed how rarely it gets brought up, even among my tech-savvy friends. It literally seems like a perfect win-win for everyone...except ad companies. Cue conspiracy theory: they were clearly the ones that coined the term cryptojacking and spawned a ton of articles about it in the press when this idea first surfaced.


I think what is needed is rather an adblock detector detector, or something which can trick the detectors into thinking there's no adblock.


Just once and for all understand, people who do not want to see ads and you force ads on them, will not come to your site. All you're doing is making the user experience worse and decreasing your site's worth. And people will remember who was so rude to them.

I've been there.

Don't do it.


If your website is monetized through ads, why would you want these people to visit it in the first place?


They will share your website with others, post links to it on social media, etc. Websites are all about driving traffic to it. Also, "these people" are also often willing to pay for good content if it's priced right. Substack is a good example of this, even if some of the prices are still too high.


> Also, "these people" are also often willing to pay for good content if it's priced right.

Are you sure? One of the main sites people use adblocking is Youtube — instead of just paying for Youtube premium.


I'd like this sentiment to be true, but do we have good empirical evidence for/against it?


> Chrome does not allow adblockers to interact with resources loaded using early hints, nor does it display resources loaded using early hints in the developer console.

I wonder if Brave has these same limitations? Not sure where its Shields JS fits into the architecture.


SMS is the next big frontier for ads, every few messages with someone you can see a little ad about something related to your conversations. Or if a conversation has gone stale and someone hasn’t replied in several days, inject an ad to wake it back up.


SMS is dead. The US is basically an aberration in still using it. Rest of the world has moved on to whatsapp/imessage/whatever.


SMS is still used in France. It is free, reliable and every phone supports it, making it the default.

I think there are historical reasons. There was a time where most plans had free SMS but expensive internet, and even today the cheapest plans have free SMS and very limited data (ex: 50MB/month for the free.fr 2€/month plan).

Countries that didn't have good SMS infrastructure and advantageous plans are the most likely to have switched to private, internet-based messengers.

I don't know if it is still the case now with 4G/5G and the phasing out of earlier standards, but SMS had the advantage of going through congested networks better than anything else, including phone calls, MMS and internet data. Probably because it is an out-of-band signaling protocol.


Those are all closed-loop messaging systems. If anything whatsapp/imessage/whatever are more vulnerable to what was suggested because they aren't open/standardized protocols.


SMS is an insecure protocol from the ground up; it was never designed for the mass communications it is now used for. It is open, sure, but it needs a new open standard to completely replace it, which will take decades because it's used for machine-to-machine communication in US telecom infrastructure and the sheer amount of physical equipment that would need to be upgraded is insane.


If I say what's on my mind after seeing this I will be banned from HN.


My strategy for managing ads is adblock + a mouse with a thumb button configured to CTRL + F4.

If adblock doesn't catch it, my thumb twitch reflex when a popup appears will.


Why CTRL+F4, isn't CTRL+W easier to reach?


Anyone know what happened to ethicalads.io? Website has been offline for over a month, but founders/engineers seem to be active on LinkedIn & GitHub still


Website is very much online. Can you share a curl or screenshot of what you see?


oh wow thank you for responding!

[edited] I'm stupid I needed to override the blocklist entry on AdGuard Home.


hmm


If ad blockers go by URLs, why don’t advertisers simply serve ads from the same domain with a path masquerading as content?


YouTube (and IIRC Adobe) ads work like that. Either from the same domain, or a subdomain.

uBlock Origin has a "DNS unmasking" feature in Firefox that defeats this. I think there's a less effective workaround used for other browsers.
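The defeat mentioned in the comment above is usually called CNAME uncloaking: the blocker resolves a first-party-looking hostname and, if its CNAME chain lands on a known tracker domain, treats the request as if it had gone to that tracker. The following added example (not uBlock Origin's code) shows that decision logic over a constructed CNAME table and a constructed blocklist standing in for a real resolver and filter list, including the loop guard a real implementation needs.

```javascript
// Added example of CNAME uncloaking logic. Not uBlock Origin's code; the DNS
// records and blocklist below are constructed for the demo.
'use strict';

// Constructed CNAME records: hostname -> canonical name.
const FAKE_CNAMES = {
  'metrics.example.com': 'example-com.tracker-cdn.test',
  'example-com.tracker-cdn.test': 'edge.tracker-cdn.test',
  'img.example.com': 'cdn.example.com',
  'loop-a.example.com': 'loop-b.example.com',
  'loop-b.example.com': 'loop-a.example.com',
};

// Constructed blocklist of tracker apex domains (like filter-list entries).
const BLOCKED_DOMAINS = ['tracker-cdn.test', 'ads.test'];

// True if `host` is `domain` itself or a subdomain of it (label boundary
// respected, so "notads.test" does not match "ads.test").
function isSubdomainOf(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns the matching blocklist entry, or null.
function matchesBlocklist(host, blocklist) {
  return blocklist.find((d) => isSubdomainOf(host, d)) || null;
}

// Follows CNAMEs from `host` and returns the chain, bounded in depth and
// stopping on repeats so a misconfigured loop cannot hang the blocker.
function resolveChain(host, cnames, maxHops = 8) {
  const chain = [host];
  let current = host;
  for (let i = 0; i < maxHops; i++) {
    const next = cnames[current];
    if (!next || chain.includes(next)) break;
    chain.push(next);
    current = next;
  }
  return chain;
}

// Decides whether a request to `host` should be blocked, reporting which
// canonical name triggered the block so the decision can be logged.
function decide(host, cnames = FAKE_CNAMES, blocklist = BLOCKED_DOMAINS) {
  const direct = matchesBlocklist(host, blocklist);
  if (direct) return { block: true, reason: 'direct', matched: direct, chain: [host] };
  const chain = resolveChain(host, cnames);
  for (const name of chain.slice(1)) {
    const hit = matchesBlocklist(name, blocklist);
    if (hit) return { block: true, reason: 'cname', matched: hit, chain };
  }
  return { block: false, reason: 'none', matched: null, chain };
}
```

In a browser extension the table lookup is replaced by an asynchronous resolver call (Firefox exposes one to extensions; Chromium does not, which is why the comment calls the other-browser workaround less effective), and the result is cached per hostname so the extra resolution is paid once rather than per request.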


They don't trust the websites not to tamper with stuff.


That makes sense, they wouldn’t be able to reliably collect metrics.


Nit: The use of ASCII diagrams causes formatting problems when viewing on mobile.


The freedom fighters will find a way to avoid these ads, just you watch


Can someone make this into a Wordpress plugin?


It should be illegal to sabotage adblocking.


What? No. You have a right to block ads as they appear on your device, but websites have a right to refuse you service if they find out.


does anyone know how to make a diagram using text like that in the README?


Are people still relying on only browser plugins to de-trash their browsing experience? DNS is your friend. Block the asshats at their media delivery source. DNS Filter, NextDNS, PiHole...

