AdBlockers are not a security nor privacy tool at all

In today’s Blog post I want to talk about the misconception that Ad-blockers are security or privacy tools.

As always I try to keep it short and simple so that there is less room for misinterpretation about what I want to show with this post.

Threat actors know about blockers and their filter lists
First of all, a potential actor knows which adblocker you use; there are fingerprinting techniques to get your installed extensions. Of course there are some countermeasures, but we assume that an attacker knows what you use. Guessing is also not hard, as there are mainly only AdGuard and uBlock, which are the most popular blockers.

Most users use the default lists, never change anything and roll with it. Threat actors can read those lists and their content to see what is already known and blacklisted.

Blocking random domains is useless
Malware can be delivered through previously unknown, existing or new domains. The trend is to deliver malware through services which are usually not blocked, e.g. by uploading malware to popular services and servers that are not blacklisted at all: forums, GitHub, Discord, P2P, you name it. Discord and Telegram are very popular because lots of people use them, and it is unlikely (apart from a few exceptions that do not use such services at all) that any standard list blocks them.

Threat actors know about it and explicitly upload their malware to such services. An adblocker is rendered entirely useless.

There is no security at all, which debunks any claim that it prevents something in advance. We are not even being creative in this scenario, for example by getting an existing domain and compromising it, or by using an unknown .onion domain which is sure as hell not on any list at all.

Fingerprinting and its countermeasures are covered by the Browser itself. If you see this as concerning, use Tor Browser and do not rely on vanilla Firefox, Brave or any other Browser and roll with it. Remember that Tor Browser also does not come with any adblocker preinstalled, because the protection layer should come from within the Browser and should never rely on any extension.

Extensions are limited
Extensions are probably not as secure as the core of the Browser. I call it the Browser Kernel, as modern Browsers are basically mini operating systems, so I got used to that particular term. However, besides Manifest V3 and other things that are regulated by the Engine or Kernel, call it what you want, there are restrictions on access, APIs and more which can influence the efficiency of the adblocker.

Safe Browsing is pretty much enabled by default in every standard browser
Google's Safe Browsing mechanism is more or less efficient; it all depends on how you see it. The search engines are the first layer of defense, combined with the detection rate of Safe Browsing itself. Let's assume you combine those two things: then it comes down once again to the blocking-random-domains factor and the privacy aspect. At the end of the day the Browser should cover both of those things and limit the amount of leakage and metadata a normal domain can get from you in the first place.

Browsers can be tweaked: Chromium-based ones and Firefox
This is for advanced users, but in my opinion worth it: both Browsers can be tweaked. Let's assume you use a normal Browser because there are problems with Tor Browser (it plays no role which problems in our scenario); then you stick with the known players. Tweaking flags and limiting what your Browser is allowed to send and receive is one of the major privacy aspects an adblocker cannot gain for you. Adblockers rely heavily on static lists and on how often they are updated.

Update Factor
Filter lists need to be updated regularly. If you subscribe to lists without reviewing them from time to time, they might become obsolete or dead (dead means no updates, or maintenance entirely stopped), which can be a problem. Once again the user needs to review things, and this is unlikely, because if you are not interested in those kinds of things you will probably only notice it when websites start to break or when you notice that X does not get blocked; by then it could already be too late.

Whitelists within filter lists can let things slip through
Another major issue is that you have no control over whitelisted stuff within the list. You can, if you are aware of it, override this by manually enforcing your own custom rules, but this again requires some skills, knowledge and awareness. People not connected to such topics will not check the list nor debug anything at all to reveal what is really whitelisted and what is not.
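The review that the "Update Factor" and whitelist sections say most users never do can be scripted. The following is an added example, not code from this post or from any adblocker project: it reads a list in Adblock Plus filter syntax, reports its age from the `! Last modified:` header, and lists the exception rules (`@@` network exceptions, `#@#` cosmetic exceptions), flagging those that override a block rule in the same list. The sample list, the function name `audit_filter_list`, the 30-day threshold and the assumed header date format are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in Adblock Plus filter syntax; not taken from any real list.
SAMPLE_LIST = """\
[Adblock Plus 2.0]
! Title: Example list (constructed)
! Last modified: 03 Jan 2022 10:00 UTC
||ads.example.com^
||tracker.example.net^$third-party
@@||cdn.example.org^$script
@@||ads.example.com/allowed.js
example.com#@#.ad-banner
example.com##.sponsored
"""

HOST = re.compile(r"^(?:@@)?\|\|([a-z0-9.-]+)", re.I)
# Assumed header date format ("03 Jan 2022 10:00 UTC"); lists differ, adjust as needed.
MODIFIED = re.compile(r"^!\s*Last modified:\s*(\d{1,2} \w{3} \d{4} \d{2}:\d{2}) UTC", re.I)

def audit_filter_list(text, now, max_age_days=30):
    """Report list age, exception (whitelist) rules, and exceptions that
    punch a hole in a block rule of the same list."""
    modified, blocked_hosts = None, set()
    net_exc, cosmetic_exc = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("["):
            continue                                  # blank line or list header
        if line.startswith("!"):                      # comment / metadata line
            m = MODIFIED.match(line)
            if m:
                modified = datetime.strptime(m.group(1), "%d %b %Y %H:%M").replace(tzinfo=timezone.utc)
            continue
        if line.startswith("@@"):                     # network exception rule
            net_exc.append(line)
        elif "#@#" in line:                           # cosmetic exception rule
            cosmetic_exc.append(line)
        elif (m := HOST.match(line)):                 # ||host^ style block rule
            blocked_hosts.add(m.group(1).lower())
    overrides = [r for r in net_exc
                 if (m := HOST.match(r)) and m.group(1).lower() in blocked_hosts]
    age = (now - modified).days if modified else None
    return {"age_days": age, "stale": age is None or age > max_age_days,
            "network_exceptions": net_exc, "cosmetic_exceptions": cosmetic_exc,
            "overrides_block_rule": overrides}

if __name__ == "__main__":
    for key, value in audit_filter_list(SAMPLE_LIST, datetime.now(timezone.utc)).items():
        print(key, "=", value)
```

A list without a parsable `Last modified` header is reported as stale, so a missing date prompts a manual look instead of passing silently.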

Cosmetic blocking, DNS based blocking and my opinion
With all the negative things I mentioned, there are also positive things, like faster website loading speed and other things that are well known. However, as a recommendation, you should probably review what you need. If you never use Discord, probably DNS block all Discord domains and the ASN, but here a DNS-based solution such as Pi-hole or AdGuard Home makes a bit more sense, to enforce such rules globally on your entire network. The downside is that no cosmetic blocking is possible, so you end up installing an adblocker extension again if you still want to get rid of leftovers that are not covered by just DNS blocking domains.

Combining multiple layers seems the best way until there are others
As already stated, I think that DNS-based solutions combined with adblockers make the most sense, not because of privacy or security but because of other factors like speed, and because it is easier to set up one device and cover everything than to individually monitor and configure every network device.

Final Conclusion

  • Promises like security and privacy are usually made without showing the entire picture
  • DNS-based solutions combined with traditional adblockers to cosmetically block leftovers seem the most logical blocking strategy.
  • Solutions depend on what you want to do; if blocking domains is what you want, just go with a DNS-based solution.
  • Blocking random domains often ends up causing problems, and the security promise is questionable as threat actors have already moved on once they got burned.
  • Malware is more and more often delivered through Discord, Telegram, GitHub and other high-traffic services that are well maintained and protected, which makes it harder to backtrack, as malware authors tend to quickly move on with new fake accounts. Blocking entire services with DNS is useful only if you do not need and visit such services, and even then blocking can be a problem as other dependencies rely on those services: app updates, news etc.
  • The Browser should cover privacy and security, not an extension.