On Wed, Jul 01, 2020 at 06:16:19PM +0200, gunes acar wrote:
Hi all,
Hi Gunes,
I was wondering if Tor Browser team is open to reconsider shipping an adblocker or turning on Firefox's Enhanced Tracking Protection (ETP) mode, and whether you need some research input that may inform that decision.
I am aware of issue #17569 and I agree with most of the arguments laid out in the "No filters" part of the design doc. Especially that the list-based approaches would not improve TB's existing privacy protections with respect to curtailing online tracking.
However, tracking protection/adlocking also have significant performance benefits [1, 2], which is the main reason why I'm bringing this up.
Yes, indeed. We began investigating this last year, as well [5].
Just to find out whether there could be potential performance benefits of shipping uBO with TB, I did a quick crawl of sites from the Trexa list [3] using TB with and without uBlock Origin (uBO) installed. Having uBO *reduced the median page load time by 27.6%* (from 7.6s to 5.5s) on top 1K sites. You can imagine there would be a similar reduction in the network footprint due to blocked requests.
Another reason why it may be timely to reconsider this issue is that today all major browsers except Chrome ship a built-in adblocker or tracking protection mode (Safari, Firefox, Edge, Opera, Brave...). So, Tor Project may not really stand out for "damag[ing] the acceptance of Tor users by sites"[4] by blocking ads.
While the acceptance of ad blockers is significantly higher now than it was a decade ago, a request from a Tor Browser instance (or from the Tor network, in general) is often still perceived as "potentially abusive" due to the existing hacker/darkweb association. Tor Browser remains at a disadvantage compared to the other browsers for this reason, and we are already in a difficult position with sites denying requests coming from the Tor network. Adding an ad blocker could harm Tor Browser's usability even more.
I and some colleagues could be interested in dedicating some research time into studying the potential privacy and performance impact of adding adblockers or enabling ETP mode -- esp. if the JIT issue (#23719) makes uBO and other addons infeasible.
Can you let us know if there's willingness to reconsider shipping an adblocker/ETP, and if so what research may help you with your decision?
We are very much interested in this research area. In particular, we need an evaluation of which option (uBO, tracking protection, etc.) provides performance benefits and safety (what are the tradeoffs in their settings and what should we consider?). Tracking Protection has the advantage of being integrated into Tor Browser, however we have concerns about the way the deny list is updated/retrieved from Mozilla's servers and whether we should host our own list (and the cost/overhead of that). Similarly, uBO provides extensive filter lists but there is minimal oversight, so ensuring Tor Browser users continue receiving sufficient privacy and security protection is a critical part of this.
For research topics, I would suggest investigating the performance benefits of additional configurations in uBO and Tracking Protection, as well as the privacy and security implications of the filter lists and how they are updated. When we have answers for more of these questions, then we can begin assessing what should be deployed in Tor Browser.
Web sites blocking Tor is another important area, and if you are interested in exploring that, then we can discuss that separately, as well.
Thanks! Matt
[1] http://www.ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.... [2] https://dl.acm.org/doi/pdf/10.1145/3366423.3380292 [3] https://github.com/mozilla/trexa [4] https://2019.www.torproject.org/projects/torbrowser/design/#philosophy
[5] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30939