Internet users have plenty of options to make their connections more private. Popular choices include content blocking, using VPNs, or disabling services or features that may reveal information about them.
However, in rare circumstances, it is the very tools designed to protect users that may reveal information about them.
Enter Adbleed
Adbleed is a proof-of-concept designed to highlight a specific privacy risk associated with the use of regional adblocking rules.
The tool functions by detecting which country-specific filter lists—such as EasyList Germany or Liste FR—are currently active within a user’s browser. By probing for the blocking of domains unique to these specific lists, Adbleed creates a “filter fingerprint” that can reveal a user’s likely country of origin or language preference.
This technique demonstrates that users can be partially de-anonymized based solely on their adblocking configuration, even when employing VPNs or proxies to mask their physical location.
The detection process follows three simple steps:
- Domains: The tool uses a curated list of domains that are blocked exclusively by certain filter lists, such as EasyList Germany.
- Probing: Adbleed attempts to load resources from these specific domains. It then looks at what is returned. Blocked requests, which happen near instantly, are what the tool is after. It measures the time it takes to get a response to distinguish blocked requests from other errors, e.g., network failures.
- Fingerprinting: When a specific number of domains are blocked from a regional listing, Adbleed concludes that the list is active.
What does it mean? It means that a site can detect if certain regional content blocking lists are likely enabled. This adds another factor to fingerprinting attempts.
Mitigation & Protection
Here are a few suggestions to mitigate Adbleed or limit its use for fingerprinting:
- Stick to the defaults. If you do not enable any regional lists, Adbleed won’t detect any, which in turn makes your configuration less unique.
- Enable anti-fingerprinting: If the browser supports anti-fingerprinting techniques, make sure they are enabled.
- Disable JavaScript or enable hard-mode blocking: This may not be practicable, especially the JavaScript part, but this should protect against this particular type of attack.
- Use different browsers: If you use different browsers, you torpedo tracking attempts, as the trackers can’t link your activities between different apps or browsers (unless there is a common factor that is unique).
Adbleed demonstrates that the tools designed to protect users on the Internet can sometimes be used against them. It reveals how regional content blocking preferences may allow sites to fingerprint and track users. It is not an argument against content blocking, but rather a wake-up call that things are never as straightforward as they look like on first glance.
Blocking ads is one thing, blocking tracking (when not tied to ads) is another, and attempting to remain anonymous still another.
With a proxy, VPN, Tor, ‘Adbleed’ is pertinent.
Without a proxy, VPN, Tor, the device’s IP means the device’s location : ‘Adbleed’ is not pertinent.
Moreover, ‘Adbleed’ connects to 3rd-party servers to establish the correlations with the user’s country-specific adblock lists. If you use a tool such as uBO and set it to refuse by default 3rd-party connections (allowing them specifically per-domain) then the results provided by ‘Adbleed’ are significantly different then if connections to 3-rd party servers are factual.
Personally my aim is not to hide, in which case I’d use a VPN or more likely Tor, but to avoid advertisement and reduce tracking as much as I can. My device’s IP is of course what prevents it from being masked, but if the aim is to avoid having a sticker (tracker) on its back far more than being recognized in the “masked bal”, then that scenario fits my needs.
The ‘Adbleed’ concept is of course pertinent, but it’s only another tool to the Fingerprinting arsenal.
Indeed, to defeat fingerprinting, if that is ever possible, we need to hide the device’s IP and figure out, or try to, all that signs our device, from the device’s local time to its hardware whispers. That would be far above my skills. So I simply walk around the planet, recognized when coming back to a same place but without stickers on my back of all the places I’ve previously visted: the device’s passport aims to be empty of visited locations. That’s all.
“Disable JavaScript or enable hard-mode blocking: This may not be practicable”
Duh. How many sites work without JavaScript? Maybe some basic image and forum websites, but nothing else. It’s like using BitTorrent with p2p sharing disabled. Does not make sense,
I respectfully disagree with boris. Sure, for most users, I don’t recommend messing with scripts. But I’ve been using NoScript (Firefox add-on) on my primary surfing browser for more than a decade, as I like control over which scripts a site runs. For instance, I’ve whitelisted chipp.in, but this site also is trying to run gstatic.com, which I haven’t… and the site works anyway. I fully accept that most people don’t want this of granularity, but for me, I can’t imagine surfing with scripting uncontrolled; it’s like leaving my doors unlocked.
A very simple way to reduce the risk of filterlist fingerprinting (which can be done with more than just language lists) is to add or remove filterlists occasionally. I have more than one language filter on, one being one I use and the others – which I change occasionally – being just noise.
Fingerprints are only useful when they don’t change…
UBO provides the option to add a whole multitude of filter lists for everyday use. I’ve added about 10 of them just to confuse anyone using those as a means of ID’ing me. That and the fact that I do use a VPN with the SOCKS5 proxy enabled just to add a little more flavour to the mix.
I also use the FF addon called “Disable JavaScript” which can be used to enable/disable Javascript on the fly. It’s most useful for turning JS on and off on the BBC News site when the page starts jumping up and down while I’m tring to read it.
I installed the Mullvad VPN app on my phone as well and use their DAITA tool (Defence against AI-guided Traffic Analysis) and that takes care of tracking on my phone.
@ Martin, how about an about:config set of recommendations for Firefox for Android if you have time 🙂
TeIV, Mullvad’s DAITA is not an anti-tracking tool, it’s more of a “VPN traffic hardener”. Unless you are under attack by 3-letter-agency (and possibly even then), it does little more than increase your data usage. I you want to help “take care of tracking on your phone”, activating the DNS blocklists (especially the Tracking list) inside the Mullvad app will do a better job.