New Update uBlockOrigin in Medium mode for Lighter and Stronger Protection, with Less Website Breakage and Hassle

Windows_Security

Why a separate thread?

I got a few questions about the uB0 settings I posted in Old School's uB0 tips and tricks. Instead of stealing that thread I thought it might be better to create a new thread to explain these settings. I also got a question about how to apply this on other browsers, so I left out the Chromium-specific settings, so members using Firefox can also apply these settings.

1. Stronger and lighter medium protection on HTTP websites.

Since letsencrypt.org provides free Domain Validation certificates, 50% of the websites are encrypted now. Encrypted or secure websites have a padlock sign and have HTTPS before the domain, while unencrypted or insecure websites have HTTP (no last S of Secure) before the website's domain name.

While the DV certificate ‘only’ guarantees that the website is operated by the person or organization claiming to own the domain, this low-level formality provides enough hassle for cyber criminals to choose the easy way and set up an HTTP website to source their malware. In the Netherlands a valid bank account and first payment to an official ISP is required to get a DV certificate for your website.

uB0 allows you to write custom AdBlockPlus rules in the My Filters tab, so let's write an AdBlockPlus rule to block nasty stuff from insecure/unsafe HTTP websites only (see picture below).

This simple single rule blocks all third-party requests (including XMLHttpRequest, WebSocket, WebRTC, Ping, Object and Object subrequests and Other, e.g. beacons), so it provides more protection than uB0 medium mode protection, which ‘only’ blocks third-party scripts and (i)frames (subdocuments in AdBlockPlus syntax).

When you enable this, you can disable the Malware Domain blacklists which are enabled by default in uB0, since 95% of the malicious websites are HTTP (insecure) websites. There are as many websites as there are people living on this planet, so a community-maintained blacklist with 300.000 URLs is only a water drop on a hot glowing plate. Also malicious websites are only active for days, so half of these Malware Domain URLs are dead links anyway.

So with just one simple rule you can make uB0 lighter and have stronger than medium mode protection on HTTP websites! Together with Google's Safe browsing or Microsoft's SmartScreen this will provide excellent protection against malicious websites.


2. Less hassle and maintenance medium mode protection (on HTTPS websites)

Medium mode protection (blocking third-party scripts and frames) enhances security since it protects against cross site scripting on the websites you visit. It is much harder to completely take over a website (and plant first-party scripts) than to use vulnerabilities in CMS systems or JavaScript libraries to redirect to a website which is operated by cyber criminals. Sadly uB0 medium mode also breaks most websites since most websites use third-party services to build, manage and operate their website. :(

Due to the increased popularity of adblock extensions many advertising and tracking services use URL, pixel and image tags and other behind-the-scenes tricks to circumvent third-party JavaScript and (i)frame blocking. This reduces the effectiveness of medium-mode blocking against tracking and advanced advertising redirects. So medium-mode blocking breaks many websites while the benefits are declining in real-world practice with modern-day advertising and tracking services. :(

So why bother to enable medium mode protection anyway? Well, when you look at data provided by Domain Name Services, 50 percent of the malware originates from fancy Top Level Domains (like website.download, website.link, website.review, website.xyz, website.zip, etc.) and some country domains (e.g. Palau, Tokelau, Sint Maarten, Russia, Turkey, etc.).

Most people only visit websites in their own or the English language. So for me, living in the Netherlands and not speaking Turkish, Russian, Ukrainian or Chinese, there is not much need to visit websites originating from these countries or having fancy (general) TLDs.

With my internet habits most of the websites I visit have the TLD of NL (Netherlands), COM, NET and ORG. So by adding an exception (NOOP = no operant) for third-party requests to these TLDs, I cut down the risk of malware on HTTPS websites by half again (this sounds spectacular but only reduces the risk from 5 to 2.5% :) ).

You need to enable advanced protection and add only a few rules to the default medium mode rules in My Rules tab (in my case only four NOOP rules to allow the COM, NET, NL and ORG Top Level Domains):

When you are English speaking instead of NL (Netherlands), you could allow CA, IE, NZ, SA, UK, US; when you are German speaking instead of NL you could NOOP the country codes D, AT, CH; when you are from a Scandinavian language country (Denmark, Norway, Sweden or Iceland) you could allow DK, IS, NO, SE; and when you are from Portugal you could enable the country codes of Portugal, Brazil, Angola, Mozambique, Cape Verde, Guinea-Bissau and so on.

So how does this work in practice? Let's look at a website marked as malware.

Let's use the Malware Domains List to evaluate the impact of these settings.

1. Stronger and lighter medium protection on HTTP websites.
When we go to the first active link, 4dexports.com, the website is displayed and appears to look fine, because images and style sheets are allowed and all other third-party stuff is blocked by our single My Filters rule (HTTP://*^$third-party,~image,~stylesheet), as shown in uB0's logger, which only sees the top document, CSS style sheets and images (which are allowed by our single HTTP block rule).

2. Less hassle and maintenance medium mode protection
When we click on the uB0 icon, we can see that the third-party references to Google Fonts are allowed (NOOPed, because it is grey). When there was malware on this site it would be paralyzed (by our single HTTP block third-party rule) and only (remaining HTTPS) third-party references to COM, NET, NL and ORG Top Level Domains would be allowed by our dynamic uB0 rules.

So how does this work in practice? Let's look at a website known as goodware.

1. Stronger and lighter medium protection on HTTP websites.


Because BBC.com is an HTTPS website, the static AdBlockPlus rule in My Filters has no effect.

2. Less hassle and maintenance medium mode protection

Hey Kees, you promised less hassle, now the website seems to be broken! Yes, that is easily explained by clicking on the uB0 icon. It seems that BBC.COM uses third-party sources from CO.UK domains which we have not NOOPed (BBC.COM is dark grey, meaning NOOPed; the two CO.UK domains are light grey, so they have no exception).

How to fix BBC.COM?

Simply add a NOOP rule for the UK Top Level Domain.

BBC.COM will now render properly, as third-party references to (country code) UK websites are allowed now.

Less hassle and maintenance?

From now on all websites with third-party UK references are NOOPed.

But also websites with another TLD (e.g. INFO) which just use COM, NET as third-party sources will render properly, as this example shows. Clicking on the uB0 icon shows that this INFO website only uses third-party references to COM and NET (and NL). The reason is that most web services have COM, NET or ORG as TLD, so even websites with a general fancy TLD (like hardware.info) will render properly (without adding a NOOP rule for INFO).

I only use My Filters (with the most used ad and tracking services) and the Disconnect malvertising filter. Because Disconnect is used as the default blocker in Firefox, this list is clean and breaks next to zero websites.

I have attached my uBlock static filter list, so you can check how this ultra light uB0 setup works out for your browsing behavior.
My blocklist is based on WSTech research on the most used ad and tracking networks and is offered as a default list in the SmartAdBlock extension (the WsTech200 list), so it is not determined by me (I would love to take the credits, but I just collected them and changed them into AdBlockPlus format) :cool:

uB0 does not provide download protection, which is why uB0 was rated badly in a test. When you use a Chromium variant you can add a flag to close down the risk of drive-bys or unintended downloads of executables from HTTP websites.

TROUBLE SHOOTING TIP

Problem CNN.COM does not play VIDEO's.

STEP 1 NOOP 3rd-party scripts FOR THIS WEBSITE (you still have uB0 EASY and HTTP third-party protection)

In this example that was enough to allow videos to play (the culprit was CNN.IO, which was also blocked).


STEP 2 ALSO NOOP 3rd-party frames FOR THIS WEBSITE (you still have HTTP third-party protection)

Attachments

  • my-ublock-static-filters.txt
    3.3 KB · Views: 1,645
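To see which requests the two policies above let through, here is an added example (not code from the post or from uBlock Origin) that simulates the single static filter and the medium-mode rules with TLD NOOP exceptions. Hostnames and the tiny public-suffix set are constructed for illustration; uBO's own matching is more involved.

```python
# Added example, not code from the original post: a small simulator of the two
# uBlock Origin policies the post describes, to see which requests each blocks.
# Policy 1: static filter  HTTP://*^$third-party,~image,~stylesheet
#   blocks every third-party request to an http:// URL except images/stylesheets.
# Policy 2: medium-mode dynamic rules (block 3rd-party scripts and frames),
#   relaxed by NOOP rules for a set of TLDs (com, net, nl, org in the post).
# Hostnames below are constructed; uBO's real matching is more involved
# (it uses the Public Suffix List to decide what counts as the same site).
from urllib.parse import urlsplit

MULTI_LABEL_SUFFIXES = {"co.uk"}          # enough public suffixes for these examples
NOOP_TLDS = {"com", "net", "nl", "org"}   # the four NOOP rules from the post


def registrable_domain(host: str) -> str:
    """Site of a hostname: www.bbc.com -> bbc.com, assets.example.co.uk -> example.co.uk."""
    labels = host.lower().split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def tld(host: str) -> str:
    """Last label only, which is what a TLD-wide NOOP rule matches on (co.uk -> uk)."""
    return host.lower().rsplit(".", 1)[-1]


def decide(page_url: str, request_url: str, req_type: str, noop_tlds: set) -> str:
    """Return 'allow', 'block-dynamic' or 'block-static' for one request.

    req_type: document, script, subdocument (frame), image, stylesheet,
    xmlhttprequest, websocket, ping, font, other.
    """
    page, req = urlsplit(page_url), urlsplit(request_url)
    if registrable_domain(page.hostname) == registrable_domain(req.hostname):
        return "allow"  # first-party: neither policy applies
    # Dynamic rules are evaluated before static filters, as in uBO; a NOOP rule
    # for the destination TLD means "fall through to the static filters".
    if req_type in ("script", "subdocument") and tld(req.hostname) not in noop_tlds:
        return "block-dynamic"
    # Static filter: only http:// destinations, with images/stylesheets exempted.
    if req.scheme == "http" and req_type not in ("image", "stylesheet"):
        return "block-static"
    return "allow"


def bbc_case(noop_tlds: set) -> str:
    """The BBC.COM example: an HTTPS page loading a script from a CO.UK host."""
    return decide("https://www.bbc.com/news", "https://assets.example.co.uk/app.js",
                  "script", noop_tlds)
```

Calling bbc_case(NOOP_TLDS) gives "block-dynamic" (the broken BBC page), and bbc_case(NOOP_TLDS | {"uk"}) gives "allow", which is the fix described above.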

oldschool

Beautiful thread! I love your simple & creative use of custom rules. I support anything that motivates others to employ medium mode, in whatever way that suits them. It makes clean, safer surfing possible for more users. Sadly, I can only imagine the vast numbers of internet users who are not aware of, or don't bother to experiment with, µBO - let alone some form of advanced user mode. Excellent work! Now, how about a simple name for your setup/template? (y):)

Windows_Security

I am using Edge-chromium at the moment with two user profiles. Having two user profiles allows you to have the best of both worlds (protection vs compatibility). I named the two profiles Surfing & Socializing (with tight security settings) and Booking & Banking (with default settings for maximum compatibility). Using a different USER icon provides visual feedback which profile is active. On Chrome, Chromium and Edge_Chromium you can specify in the shortcut which profile to use (add the switch --profile-directory="PROFILE NUMBER" look in the USER DATA folder to find which numbers the folders have).

In the Surfing & Socializing profile I use uBlockOrigin as explained in this thread. In the Buying & Banking profile I use Certificate Info (link) and Netcraft extension (link) and Virus Total (link) for extra check on trustworthiness of website. As a rule of thumb I use the info of these extensions as follows (there are three levels of certificates)

  • DV = Domain Validation (displayed as orange with DV in padlock)
    'only' says the domain is controlled by the party requesting the certificate; it is the lowest level of trust
    ONLY USE for online buying when ( Netcraft risk rating is zero and Virus Total reports it is safe )

  • IV = OV = Organisation Validation (displayed as GREY with IV in padlock)
    Identity is checked also (and displayed); it is considered a 'trusted' level
    SHOULD BE SAFE TO USE for
    a) well-known brands with Netcraft risk rating 10 or less OR
    b) unknown brands with ( Netcraft risk rating 10 or less and VT reports it is safe )

  • EV = Extended Validation (displayed as GREEN with EV in padlock)
    is the highest trust level; the CA has audited & validated the requesting party to be legal, operational and in physical existence
    SAFE TO USE (unless Netcraft and VT both report it is unsafe and the website)
With these rules of thumb the risk of doing business with a phishing/malicious website is very low.

Windows_Security said:
    I have attached my uBlock static filter list, so you can check how this ultra light uB0 setup works out for your browsing behavior.
    My blocklist is based on WSTech research on most used ad and tracking networks and is offered as a default list in SmartAdBlock extension (the WsTech200 list), so it is not my determined by me (I would love to take the credits, but I just collected them and changed it in AdBlockplus format) :cool:

Hey, can you attach your ublock backup txt file too?

Windows_Security

    Hey, can you attach your ublock backup txt file too?

That allows DUTCH (NL) websites and has some personal settings (like blocking advertisements in Startpage and Google search, redirecting Google Analytics), so most likely irrelevant to your surfing habits, but here you go.

Attachments

  • my-ublock-backup_.txt
    6.6 KB · Views: 1,116

oldschool

I've done a bit of informal testing with the Keespeed (TM) setup in Brave Beta and it is indeed fast, and eliminates the usual trash to enhance privacy and security. I compared it experientially to my superslim ChromEdge setup which uses these filters:

I honestly can't notice a difference in speed between the different setups. It's easy enough to do a quick one/two click to enable Easy Mode+ in my Edge setup to quickly un-break trusted sites. Both setups enhance privacy and security. I will say your config might be easier for newbies to implement initially, so it would have that advantage.

However there remains one major barrier: The casual user still needs to understand that there are more secure possibilities beyond basic adblocking with µBO, and take a bit of time to investigate either here or at the µBO Wiki, etc. Some people are either too lazy or too busy to bother with this sort of thing.

Windows_Security

@Handsome Recluse

I always used different browsers for different purposes. When I moved to Windows 10, I chose Edge for banking because it can be extra protected with Windows Defender Exploit Protection (see this post for a picture of the settings I use).

Now I use Edge-chromium with two user profiles. Because Edge-chromium is still in development, I am keeping old Edge as backup.

The Booking & Banking profile I use on Edge-chromium replaces my old locked Chrome version (which I still have installed as backup also) to use Google and Facebook analytics & advertising (online marketing) and Salesforce and HubSpot CRM (digital sales) for my clients. It was a locked Chrome, because scripts, cookies et cetera were only allowed on the websites I had in my bookmarks.

The Edge-chromium profile I use for surfing replaces Chromium (which I have removed). I liked to use Chromium for surfing because I have set UAC to deny elevation of unsigned programs. Chromium is not signed, so this UAC setting functioned as a sort of soft Basic user container. I replaced Chromium because Edge-chromium warns you when it is launched in admin mode and because Edge-chromium can also be extra protected by enabling code integrity guard in WD Exploit Protection.

In the future I will probably end up with Edge-chromium only, using two profiles (with Chrome as backup, to check when a site might break or stall).

Windows_Security

Why blocking some 3P TLDs is a good idea. First scareware "you are infected" prompt I have seen in Dutch. What really is 'smart' is that it tries to trick the surfer into downloading and installing a security update of "System Defender" (which looks like MSE :giggle: ) when it does not succeed in doing this through download (the flag #disallow-unsafe-http-downloads) or executing scripts (whitelisting a few TLDs with uB0).

TIP: also enable this Chrome/Edge/Brave/Opera/Chromium flag: #disallow-unsafe-http-downloads