[tbb-dev] reconsider shipping uBO or enabling ETP?

Matthew Finkel sysrqb at torproject.org
Thu Jul 9 14:01:50 UTC 2020

On Wed, Jul 01, 2020 at 06:16:19PM +0200, gunes acar wrote:
> Hi all,

Hi Gunes,

> I was wondering if Tor Browser team is open to reconsider shipping an
> adblocker or turning on Firefox's Enhanced Tracking Protection (ETP)
> mode, and whether you need some research input that may inform that
> decision.
> I am aware of issue #17569 and I agree with most of the arguments laid
> out in the "No filters" part of the design doc. Especially that the
> list-based approaches would not improve TB's existing privacy
> protections with respect to curtailing online tracking.
> However, tracking protection/adlocking also have significant performance
> benefits [1, 2], which is the main reason why I'm bringing this up.

Yes, indeed. We began investigating this last year, as well [5].

> Just to find out whether there could be potential performance benefits
> of shipping uBO with TB, I did a quick crawl of sites from the Trexa
> list [3] using TB with and without uBlock Origin (uBO) installed. Having
> uBO *reduced the median page load time by 27.6%* (from 7.6s to 5.5s) on
> top 1K sites. You can imagine there would be a similar reduction in the
> network footprint due to blocked requests.
> Another reason why it may be timely to reconsider this issue is that
> today all major browsers except Chrome ship a built-in adblocker or
> tracking protection mode (Safari, Firefox, Edge, Opera, Brave...). So,
> Tor Project may not really stand out for "damag[ing] the acceptance of
> Tor users by sites"[4] by blocking ads.

While the acceptance of ad blockers is significantly higher now than it
was a decade ago, a request from a Tor Browser instance (or from the Tor
network, in general) is often still perceived as "potentially abusive"
due to the existing hacker/darkweb association. Tor Browser remains at a
disadvantage compared to the other browsers for this reason, and we are
already in a difficult position with sites denying requests coming from
the Tor network. Adding an ad blocker could harm Tor Browser's usability
even more.

> I and some colleagues could be interested in dedicating some research
> time into studying the potential privacy and performance impact of
> adding adblockers or enabling ETP mode -- esp. if the JIT issue (#23719)
> makes uBO and other addons infeasible.
> Can you let us know if there's willingness to reconsider shipping an
> adblocker/ETP, and if so what research may help you with your decision?

We are very much interested in this research area. In particular, we
need an evaluation of which option (uBO, tracking protection, etc.)
provides performance benefits and safety (what are the tradeoffs in
their settings and what should we consider?). Tracking Protection has
the advantage of being integrated into Tor Browser, however we have
concerns about the way the deny list is updated/retrieved from Mozilla's
servers and whether we should host our own list (and the cost/overhead
of that). Similarly, uBO provides extensive filter lists but there is
minimal oversight, so ensuring Tor Browser users continue receiving
sufficient privacy and security protection is a critical part of this.

For research topics, I would suggest investigating the performance
benefits of additional configurations in uBO and Tracking Protection, as
well as the privacy and security implications of the filter lists and
how they are updated. When we have answers for more of these questions,
then we can begin assessing what should be deployed in Tor Browser.

Web sites blocking Tor is another important area, and if you are
interested in exploring that, then we can discuss that separately, as


> [1]
> http://www.ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf
> [2] https://dl.acm.org/doi/pdf/10.1145/3366423.3380292
> [3] https://github.com/mozilla/trexa
> [4] https://2019.www.torproject.org/projects/torbrowser/design/#philosophy

[5] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30939

More information about the tbb-dev mailing list