Ad- and spyware-blocking

Here's what I use. What do you use?

I know everyone else in the world is probably using AdBlock or something, but I've been using Privoxy for ages and I'm used to it. (I almost wrote, "I like being able to type my own regexps" but no I don't, that's just the Stockholm Syndrome talking.)

On the plus side, since it's a system-wide proxy, it blocks ads not only in Safari but also in NetNewsWire and anything else that loads web pages.

On the minus side, it makes Little Snitch less useful (see below).

Little Snitch
Little Snitch is kind of amazing and I grudgingly admit that it is worth the $30 for its entertainment value alone. It lets you monitor and block network connections initiated by applications on a per-application, per-host and/or per-port basis, so you can tell what's trying to "phone home" on you, and stop it.

Unfortunately the combination of Privoxy and Little Snitch means that "port 80" is the root password that bypasses this. If some random application phones home by loading a URL via webkit, then by the time Little Snitch sees that connection, all it knows is that the "Privoxy" process connected to port 80, not that the connection is really coming from some app that ought not be making such connections at all. It can't tell the difference between some-random-app and you clicking links in a web browser. So that's a bummer.

If there was a way to tell MacOS that Safari and NetNewsWire should use the HTTP proxy but all other apps should connect directly, this would work better, but as far as I know there is not.

This seems to do a good job of blocking all manner of web-page spyware, and like Little Snitch, shows you what it's blocking. I had been using Incognito before this, but as far as I can tell, Ghostery does a superset of what Incognito does, but with better feedback over what's happening.

I suppose there's no way to get ad blocking on iOS without jailbreaking it or running a non-standard web browser app?

Incidentally, I was wondering whether Reeder on iOS is using SSL when it syncs my subscriptions with Google Reader, and I realized that I don't actually know how to snoop my wifi network in order to answer this question. Do you know the answer?

    Update: I think that Reeder on iOS is using SSL to connect to Google Reader and download the RSS contents of all of the feeds. It then connects to the sites directly to load images over http, as you'd expect. Oddly, though, it seems to keep connecting/caching long after its "busy" throbber has stopped, and mostly what it's loading is all of those stupid "apple-touch-icon-precomposed.png" URLs, so maybe this is some lower-level webkit nonsense instead of Reeder itself. Surprisingly, NetNewsWire on the desktop is connecting to Google over http instead of https.
Tags: , , , , ,
Current Music: EMA -- Marked ♬

18 Responses:

  1. Easiest way is to insert a smart switch like the Netgear GS105E, which can do port mirroring, in between the AP and your network. Other than that, have a roll your own AP.

  2. Ben says:

    If you point your iOS device at privoxy, you'll be able to see if it is using http or https (privoxy also does SSL proxying, although you'll only see the hostnames that it is connecting to in the logs)

    If you want to do ssl snooping, then check out mitmproxy, it will do all the ssl-decrypting and ssl-encrypting that you need.

    • Ben says:

      So privoxy will also do Adblocking just fine for iOS / wifi (and it's an eye-opener just to see how many apps phone home all the damn time). But annoyingly you can't set a web proxy for non-wifi. The only fallback would be to do something like set up a VPN to a server you run (pptp on Linux is probably the least painful option) and *then* iOS allows you to specify a proxy server)

  3. Thomas says:

    If you've got a computer with a wireless card, then you may be able to snoop your wifi network just by running a network sniffer on that. According to the WLAN page on the Wireshark wiki, promiscuous captures on Linux or Mac OS X should work (disclaimer: I've only tried it on Windows where it's very driver-dependent).

    • jwz says:

      Yeah, but I'm actually more interested in the answer to "Does Reeder connect to Google Reader over https" than to "how do I sniff wifi". Answering the former by answering the latter sounds like more of a pain in the butt than I care to dive in to.

      • If that's all you want, you can buy a hub (or a switch with a monitor port), plug it in between your wifi base station and broadband device, then plug in a computer to the hub and run WireShark. Look for outgoing TCP SYN packets and you can see the host and port. No SSL MITM required.

        (For SSM MITM, you can run something like Charles/Burp/Fiddler as your proxy, extract the proxy's CA cert (browse to a site using Firefox or Windows IE) (Fiddler does this for you, but is WIndows only), then email it to yourself on your phone. But, of course, you only need to do this to inspect the contents of the messages. You can also use Mallory, but it's harder to set up an use (though more effective at capturing all traffic.))

  4. Jim says:

    For discovering what's going on HTTP-wise, I usually start with Charles:

    It has facilities for snooping HTTPS, and pretty-printing for a lot of the junk that's send over HTTP - js(on), xml, flash crap, etc.

  5. Ben Morrow says:

    Snooping a wifi network is non-trivial, due to the encryption. If you can get in on a wired section the traffic is going through it will be easier, but that depends on how your wifi <-> DSL connection is set up.
    That said, this implies it is possible under OSX. This looks likely to be useful, as well.

  6. Mike Fisher says:

    mitmproxy got some recent notoriety for helping demonstrate that Path uploaded your address book to their servers. I think it should meet your needs too.

  7. IOS: if you jailbreak, there is a (not free) adblock extension that will work with all webkit-using apps. If you don't jailbreak, there is an alternative web browser available in the app store called "Mercury web browser" that has adblocking (and several other desktop-like features) built in. it has two versions, one free, the other costs a couple bucks. I forget if the free one includes adblocking. Depending on how much web surfing you do on your idevice, the mercury web browser may be a desirable app to try -- I have not discovered any downsides to using alternative browsers instead of safari on my ipad, and the upsides are numerous, from adblocking to being able to set a text zoom level (when oh when will Apple realize that not everyone has the vision of a 20 year old?).

  8. Ben Bennett says:

    Since you asked a pretty blanket question...

    My Firefoxes have:
    - Adblock Plus: easy list management and good control for adding any that the auto-updating lists miss. But make sure you subscribe to a list that both blocks ads, and blocks user trackers
    - NoScript: Whitelist / Blacklist scripts globally
    - RequestPolicy: Nail any asset request per-site. So Facebook can request Facebook assets, but I won't let other sites request them. It and NoScript overlap, but play subtly different roles

    Both NoScript and RequestPolicy are a bit of a pain for a week or so until you whitelist the common sites. But it is informative to see what is going on behind the scenes and how widely we are tracked.

    For Android I run:
    - AdFree Android: (a bit like Adblock Plus, but no UI to tweak the lists or see what hit)
    - CyanogenMod: So I can revoke app permissions that I really don't want them to have

    And I have run some of the other firewall apps that allow more visibility and control, but on the tiny screen it is too painful. I was running everything through an OpenVPN back to my home server, and then filtering dynamically with Linux rules to send it through Privoxy... but that was too much of a hassle too. Sadly, on that size device I fell on the convenience side of "give me convenience or give me death".

  9. J. Peterson says:

    For those of us too [insert excuse] to install Little Snitch, care to cite some examples of typical apps that are phoning home?

  10. MattyJ says:

    About ten years ago, the effort to block information going out crossed the line of time and effort I was willing to put into it. I resigned myself to the fact that they'll get what they want one way or another.

  11. Bob says:

    I know it's tedious and a bit low-tech, but I find it works reasonably well to just edit the /etc/hosts file and put in for the offiending servers. The nice advantage is once you have the list of sites you can copy from machine to machine trivially. Works equally well on Mac, Windows, and linux. I still need to try it on a linux phone someday.

  12. schvin says:

    reeder for iOS appears to use ssl for the feeds and content embedded in the pages. however, as expected, clicking titles for the whole article or links therein (even though still read in reeder) go over http or whatever protocol the feed specifies. hth.

  13. Ingmar says:

    Glimmerblocker is pretty much Privoxy, only with a rather nice OS X GUI and a list of (maintained) adblocking filters that you can subscribe to (or don't). I'm using it to adblock, force HTTPS (this can also fix your NetNewsWire talking to Google) and occasionally mucking about with requests/responses (but Tamper Data is better for that if it's just a temporary thing).

    Oh, and to redirect the Safari search box to DuckDuckGo (or whatever else you want it to go to).

  14. Martin says:

    If there was a way to tell MacOS that Safari and NetNewsWire should use the HTTP proxy but all other apps should connect directly, this would work better, but as far as I know there is not.

    I believe you could use Proxifier for that. Back in the days I used it to force my FTP client to tunnel connections to certain networks through a certain SOCKS proxy without affecting the rest of the system.

    (libtsocks and some LD_PRELOAD hacking should theoretically get you there, too. But I've always been too dumb to figure that out properly with OS X.)