For a long time I thought there were two approaches to ad blocking on web pages:
- You configure blacklists of ad-serving domains in your DNS server, and suddenly the web pages you visit can no longer resolve the domains they download the ads from. I have used some forms of this, with PiHole for example.
- You install a web browser extension that has full access to the content of every web page you visit. This extension can then freely modify the content of the page, including (but not limited to) removing the ads. The "not limited to" part is why I never trusted any such extension. Beyond that, Google keeps restricting what such extensions are allowed to do in Chrome, because Google is an ad-serving business after all ;)
The problem is that the first approach is very imperfect if you really want to remove overly intrusive ads. More and more sites (YouTube first among them) serve the ads from the same domains as the content, so there is no separate ad-serving domain left to block… DNS blacklisting is actually more useful for blocking inappropriate sites you don't want your kids to visit ;)
Now, personally I am paying for a full-blown YouTube Family Premium membership… Yet I still get annoyed by YouTube's ads! That's because while I have no problem staying logged in on my TV all the time, I don't actually want to stay logged into my Google account all day long on my computer. I do NOT want Google to track everything that I'm doing! The cost of that is that every time I click on a YouTube link on the computer, I get an ad… despite having paid not to get ads…
My moral position is: I am ok with YouTube tracking me as a (paying) user. I am NOT ok with that tracking being extended to all my web activity, which has nothing to do with YouTube. But they don’t give me a choice…
So… I gave ad blocking another look… and today I stumbled on something completely new I had never seen before: AdBlock360. This ad blocker works in a completely different and novel way:
- It does NOT rely on DNS and it does NOT install a browser extension.
- Instead it installs as a full blown application on your computer (Windows in this case)… with admin privileges of course… like an anti-virus if you will…
- Under the hood, it installs two critical components:
  - A local proxy through which all your web requests are transparently routed
  - A new root certificate, added to the system trust store, so that the proxy can terminate and re-issue HTTPS connections…
[Screenshot: the AdBlock360 installer explains exactly how it operates]
So now, when you visit https://youtube.com, your browser asks your newly installed local proxy to go and get https://youtube.com for it. The proxy can then load the page, decrypt it, remove the ads and send it back to your browser, ad-free…
Well, not so fast!
If it did just that, what would happen? The proxy does not hold YouTube's private key, so it cannot present YouTube's real certificate on the re-encrypted connection. Your browser would see a certificate that is self-signed, or signed by nobody it knows, or issued for the wrong name, and would display a full-page warning along the lines of "the certificate for this site is not trusted"… which would be even more disruptive than having ads…
This is where the black magic comes in: the AdBlock360 local proxy re-encrypts the ad-free page and generates a brand-new certificate for youtube.com on the fly, which it signs with the private key of the root certificate it installed on your system.
Result: your browser receives a certificate that chains to a root it trusts and displays the (modified, ad-less) web page as secure and trustworthy… (!) …padlock and all. Browsers behave this way on purpose: Chrome, for instance, does not enforce its built-in key pins or Certificate Transparency for chains that end in a locally installed root, precisely so that corporate interception proxies and security products keep working. Once the root is in the store, nothing in the browser will tell you the page was tampered with.
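To make the "black magic" concrete, here is the whole trick in about eighty lines of Go using only the standard library's crypto/x509. This is an added example written for this post, not AdBlock360's code and not something taken from the product: it creates a self-signed root like the one the installer drops into the trust store, forges a leaf certificate for youtube.com signed by that root, and then runs the same chain-building and hostname check a browser performs, once with the rogue root in the trust pool and once without. The root's subject name is made up for the example; youtube.com is the hostname from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA builds a self-signed CA certificate of the kind an interception
// proxy (or the malware described in the post) drops into the OS trust store.
// The subject name is invented for this example.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Local Filtering Proxy Root (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: the template is both subject and issuer, signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// mintLeaf is the proxy's trick: when the browser connects to host, it forges a
// server certificate for exactly that name, signed by the local root. The proxy
// keeps the returned private key to terminate TLS towards the browser.
func mintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 127-bit serial, +1 so it can never be zero.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the requested name against the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Issuer is the rogue root; signature made with the root's private key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyForHost does what the browser does when it receives the forged leaf:
// build a chain to some root in the trust store and check the hostname. Which
// roots sit in the pool is the only thing separating "padlock" from "warning".
func verifyForHost(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newRootCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := mintLeaf("youtube.com", ca, caKey)
	if err != nil {
		panic(err)
	}
	// Trust store that contains the proxy's root, as after running the installer as admin: verifies (nil error).
	poisoned := x509.NewCertPool()
	poisoned.AddCert(ca)
	fmt.Println("with rogue root in store:   ", verifyForHost(leaf, "youtube.com", poisoned))
	// Trust store without it, as on a clean machine: "certificate signed by unknown authority".
	clean := x509.NewCertPool()
	fmt.Println("without rogue root in store:", verifyForHost(leaf, "youtube.com", clean))
}
```

Run it with `go run`: the first line prints `<nil>` (the forged youtube.com certificate is accepted), the second prints an unknown-authority error. Nothing about the forged leaf changed between the two runs; only the contents of the trust store did, which is exactly why a silently added root is the whole game.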
Now… AdBlock360 may fulfill a desirable purpose for the user, but… if you abstract the concept, the technology they use actually demonstrates a perfectly executed and brutally effective Man in the Middle (MitM) attack !
What if… instead of a legit ad blocker which clearly announces how it operates (see screenshot above), you would now have some not-so-transparent malware on your system… using the exact same technique… and without telling you, of course!?
Such malware would be able to modify what you see on any website and record everything you send to any website: passwords, session cookies and much worse, for those who handle cryptocurrency for example…
But surely, your OS would protect you against a malware silently installing itself and registering a new root certificate, right? Right?
Well… it depends on your OS:
- On Windows the short answer is actually no! If you are running as admin, or running the installer of some trojan horse app you downloaded as admin, Windows will NOT ask you again when the app adds a root certificate to the machine's Trusted Root store: the certificate store APIs (and certutil) just succeed silently. The only warning dialog Windows shows is for the manual, point-and-click import, which malware never uses.
- On macOS, an admin user's processes do not run as root by default, and any privileged operation (in this case: modifying trust settings in the System keychain) still requires an explicit dialog and authentication step. So, on macOS, you will at least know when something tries to install a root certificate.
- On iOS and Android, getting a custom root certificate trusted by your web browser and most other apps is hard by design: on iOS a root delivered in a profile is not trusted for TLS until you manually enable it under Certificate Trust Settings, and on Android apps ignore user-installed CAs by default (Chrome being the notable exception), so a rogue root only affects apps that explicitly opt in to user CAs. This is one of the reasons these devices are now used as multi-factor security tokens by banks.
- Linux: many variations… you'd better trust what you install as root…
For me, this discovery is really the final nail in the coffin for Windows. I just cannot trust it as a secure platform any more. I’ll use it when there is no other choice but I’ll never use it for sensitive data again…