Browser Add-on uBlock0rigin in Medium mode for Lighter and Stronger Protection, with Less websites breakage and hassle

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
@koloveli

Are you sure uBo blocks man in the middle attacks? I don't think browsers compare network traffic from different network nodes to find out whether network traffic is intercepted. Intriguing how uBo would be able to discover man in the middle or man in the browser snooping. Do you have some links/info about this interesting uBo feature?
 

koloveli

Level 4
Sep 13, 2012
166
@koloveli

Are you sure uBo blocks man in the middle attacks? I don't think browsers compare network traffic from different network nodes to find out whether network traffic is intercepted. Intriguing how uBo would be able to discover man in the middle or man in the browser snooping. Do you have some links/info about this interesting uBo feature?
I tested many years ago (I do not have a link)...
but you can test by analyzing data in sites, then access via tool (inspector F12)...
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
@koloveli it "only" shows network requests

1622275195443.png

Software like SSLeye can compare SSL fingerprints by comparing the SSL fingerprint from several servers (link)
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
IMPORTANT UPDATE

I was reading on misuse of website data connections (e.g. third-party XMLHttpRequest, Fetch, WebSockets, etc.) or hidden code in some data formats (remember the exploit which used the metadata of an image) and came across this post from Gorhill. Read his response: "The only way to prevent this is to block all first-party scripts or third-party network requests"

1626341361100.png

Since blocking first-party scripts breaks all websites, it is not an option for daily use; therefore it is better to change Kees1958's very easy medium mode setup from only blocking 3p-scripts and 3p-frames to blocking (all) 3p.

This might cause some websites to break (third-party CSS and images are also blocked now), but it prevents pulling in sneaky third-party code from top level domains you normally don't visit.

Suggested change, see picture below

1626341556100.png
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
Using the tips of GorHill to fall back from hard mode (blocking all 3p requests) to medium mode (blocking only 3p-script and 3p-frame), apply the following rules (save and commit them):
1626352186700.png



With one click you can NOOP the 3rd-party block for that website (see picture below) and re-establish the old blocking behavior (only 3p-script and 3p-frames allowed from whitelisted Top Level Domains)
1626369600300.png
 

oldschool

Level 62
Verified
Mar 29, 2018
5,104
IMPORTANT UPDATE

I was reading on misuse of website data connections (e.g. third-party XMLHttpRequest, Fetch, WebSockets, etc.) or hidden code in some data formats (remember the exploit which used the metadata of an image) and came across this post from Gorhill. Read his response: "The only way to prevent this is to block all first-party scripts or third-party network requests"

View attachment 259675

Since blocking first-party scripts breaks all websites, it is not an option for daily use; therefore it is better to change Kees1958's very easy medium mode setup from only blocking 3p-scripts and 3p-frames to blocking (all) 3p.

This might cause some websites to break (third-party CSS and images are also blocked now), but it prevents pulling in sneaky third-party code from top level domains you normally don't visit.

Suggested change, see picture below

View attachment 259676
Have you got the source for this issue? I can't find it. :unsure:
 

oldschool

Level 62
Verified
Mar 29, 2018
5,104

rndmblk

Level 3
Nov 18, 2020
93
With one click you can NOOP the 3rd-party block for that website (see picture below) and re-establish the old blocking behavior (only 3p-script and 3p-frames allowed from whitelisted Top Level Domains)
Do you mean if you NOOP the 3rd-party block for a given website then only 3p-scripts and 3p-frames will be blocked for that website? When I tested it, I clicked 3rd-party and it changed to grey but 3p-script and 3p-frame stayed red i.e. blocking

Sorry Lenny, probably me just not understanding the blocking precedence
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
Do you mean if you NOOP the 3rd-party block for a given website then only 3p-scripts and 3p-frames will be blocked for that website? When I tested it, I clicked 3rd-party and it changed to grey but 3p-script and 3p-frame stayed red i.e. blocking

Sorry Lenny, probably me just not understanding the blocking precedence
Yes, that is correct. When you have the rules below
* * 3p block
* * 3p-script block
* * 3p-frame block

and you noop 3p for that website, you fall back from hard mode to medium mode (only blocking 3p-scripts and frames). When you additionally noop 3p-script, you fall back from medium to easy mode. When you also noop 3p-frame, you fall back to very easy mode (only using blocklists).
 

ErzCrz

Level 10
Verified
Aug 19, 2019
452
Thanks. He considered it a non-issue while noting the overall threat environment and providing a fix for that click-jacking instance.

:LOL: One of my favorite artists! The Godfather of Grunge! :LOL:
🪨 Oh grunge memories from my growing up in WA, sadly too young to hit the bars/clubs around the time grunge came out, but I knew people who knew people in bands etc. Sorry for OT, just reminiscing.


Yes, that is correct. When you have the rules below
* * 3p block
* * 3p-script block
* * 3p-frame block

and you noop 3p for that website, you fall back from hard mode to medium mode (only blocking 3p-scripts and frames). When you additionally noop 3p-script, you fall back from medium to easy mode. When you also noop 3p-frame, you fall back to very easy mode (only using blocklists).
Thanks for clarification. Care to share your My Rules and My filters export?
 

qua3k

Level 1
Jul 18, 2021
19
@koloveli

Are you sure uBo blocks man in the middle attacks? I don't think browsers compare network traffic from different network nodes to find out whether network traffic is intercepted. Intriguing how uBo would be able to discover man in the middle or man in the browser snooping. Do you have some links/info about this interesting uBo feature?
WebExtensions can only request to see detailed certificate info natively on Firefox; other browsers would require your extension to contact an external server to fetch certificate info. It isn’t really meant for preventing attacks and validating certificates isn’t the job of an extension in the first place.

I’m not sure why they equate content blocking to defending against MITM when that isn’t the case.
 

oldschool

Level 62
Verified
Mar 29, 2018
5,104
Thanks for clarification. Care to share your My Rules and My filters export?
Since you're already familiar with medium mode, you're probably better off using @Lenny_Fox's core rules from post #106 above and building the rest of your own rules as you surf. Or, combine your rules with his core and adjust as needed. My 2 cents.
I’m not sure why they equate content blocking to defending against MITM when that isn’t the case.
Me neither. While the former can prevent some nefarious web elements, they are definitely not the same.
 

ErzCrz

Level 10
Verified
Aug 19, 2019
452
Since you're already familiar with medium mode, you're probably better off using @Lenny_Fox's core rules from post #106 above and building the rest of your own rules as you surf. Or, combine your rules with his core and adjust as needed. My 2 cents.

Me neither. While the former can prevent some nefarious web elements, they are definitely not the same.
Thanks ;)
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
@ErzCrz

I run Edge with two different Edge profiles: Panda (for my bookmarks) and Ninja (for surfing). The Panda profile has most site permissions on block (see post on MalwareTips); Ninja has the same, with Microphone and Camera on block (instead of ask). Ninja is the profile used when Edge starts.

I have copied MyFiles to GitHub, so my younger brother can also use them (link to my blocklists). In Panda profile I have uBlock Advanced mode disabled (only using Kees1958 lists and my own lists).

I copied my hardened Ninja profile settings below. I changed NL to UK for you. In the Ninja profile I use Easylist & EasyPrivacy optimized from Adguard.

! Block beacons, plugins and websockets everywhere
||*$ping,object,websocket

! Block potentially unsafe third-party content to unencrypted websites
|HTTP://*$third-party,~document,~stylesheet,~image,~media

! Block opening webpages on top level domains and countries I never visit
||*$document,~stylesheet,~image,~media,~script,~subdocument,~xmlhttprequest,domain=~com|~info|~io|~eu|~net|~org|~uk

! Inject javascript to blur Google FLOC interest tagging
*##+js(no-floc)

! Block switch to Chrome popup on google domains (search, maps, etc)
||ogs.google.*/widget/callout$all

! Block Google search URL parameter tracking
||google.*/search$removeparam=biw
||google.*/search$removeparam=bih
||google.*/search$removeparam=dpr
||google.*/search$removeparam=sa
||google.*/search$removeparam=source
||google.*/search$removeparam=aqs
||google.*/search$removeparam=sourceid
||google.*/search$removeparam=ei
||google.*/search$removeparam=gs_lcp
||google.*/search$removeparam=gclid

! youtube.com
||youtube.com/subscribe_embed?$third-party
||youtube.com/subscribe_widget$third-party
youtube.com###alert-banner > .ytd-browse > .yt-alert-with-actions-renderer
youtube.com###mealbar\:3 > ytm-mealbar.mealbar-promo-renderer
youtube.com###notification-footer
youtube.com###secondary-links
youtube.com###yt-feedback
youtube.com###yt-hitchhiker-feedback
youtube.com###yt-lang-alert-container
youtube.com##.yt-consent
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-content
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-background
youtube.com##.ytd-primetime-promo-renderer
youtube.com##.ytd-statement-banner-renderer
youtube.com##.ytp-ce-playlist
youtube.com##.ytp-pause-overlay
youtube.com##.ytp-title-channel
youtube.com##+js(json-prune, *.playerResponse.adPlacements)
youtube.com##+js(json-prune, *.playerResponse.playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements playerResponse.adPlacements playerResponse.playerAds adPlacements playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.playerAds)
youtube.com##+js(set, ytInitialPlayerResponse.adPlacements, null)
youtube.com##div[class^="ytd-consent"]
youtube.com##ytd-popup-container > .ytd-popup-container > #contentWrapper > .ytd-popup-container[position-type="OPEN_POPUP_POSITION_BOTTOMLEFT"]
youtube.com#@##consent-bump
||gstatic.com/youtube/img/promos/*.jpeg$image,domain=youtube.com

no-csp-reports: * true
no-popups: * true

* * 3p block
* com * noop
* eu * noop
* io * noop
* info * noop
* net * noop
* org * noop
* uk * noop

behind-the-scene * * noop
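
A simplified model of the rule precedence discussed in this thread, covering both the hard/medium mode fallback Lenny_Fox explains above and the top-level-domain `noop` rules in this post. It is an added example, not part of any post and not uBlock Origin's own code. The `decide` function, its request-type names and the site names are assumptions, and the site is approximated by the last two hostname labels.

```javascript
// Simplified model of dynamic-rule precedence; added example, not uBlock Origin's code.
// Rule format as in the "My rules" pane: source destination type action.
const parse = text => text.trim().split('\n').map(l => l.trim().split(/\s+/));

// A hostname and its parents, most specific first, ending with '*'.
const ancestors = host => {
  const labels = host.split('.');
  return labels.map((_, i) => labels.slice(i).join('.')).concat('*');
};

// Assumption: the site is the last two labels (no public suffix list here).
const site = host => host.split('.').slice(-2).join('.');

// First rule matching (destination, type), walking the source hostname upward.
function lookup(rules, src, dest, type) {
  for (const s of ancestors(src)) {
    const hit = rules.find(([rs, rd, rt]) => rs === s && rd === dest && rt === type);
    if (hit) return hit[3];
  }
  return null;
}

// reqType is 'script', 'frame' or anything else (hypothetical names for this model).
function decide(rules, src, dest, reqType) {
  // 1. Destination rules with type '*', e.g. "* com * noop".
  for (const d of ancestors(dest).slice(0, -1)) {
    const action = lookup(rules, src, d, '*');
    if (action) return action;
  }
  // 2. Third-party: the typed rule is consulted before the generic 3p rule.
  if (site(src) !== site(dest)) {
    const typed = { script: '3p-script', frame: '3p-frame' }[reqType];
    const action = (typed && lookup(rules, src, '*', typed)) || lookup(rules, src, '*', '3p');
    if (action) return action;
  }
  return lookup(rules, src, '*', '*') || 'noop'; // no rule: filter lists decide
}

// Constructed rule sets; news.example is a made-up site.
const hardMode = parse(`
  * * 3p block
  * * 3p-script block
  * * 3p-frame block
  news.example * 3p noop`);
const tldRules = parse(`
  * * 3p block
  * org * noop`);
```

With `hardMode`, a third-party script requested by `news.example` is still blocked while a third-party image gets `noop`, which matches the grey 3rd-party cell next to red 3p-script and 3p-frame cells that rndmblk saw.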
 