New Update uBlockOrigin flexible modes

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Hi, because I am using Kees1958 Top500 blocklist (link) I started to follow him on GitHub and came across a discussion on Giithub between GorHill and Kees1958 where an interesting idea of is posted (link) on combining internet zone's with different uBlockOrigin block modes.

GorHill on Github said:
... to make advanced mode features to be usable by less advanced users who do not want to waste time figuring rulesets has always been a preoccupation, and an easy way to toggle between documented mode has been on my mind since forever...

People using uBlockOrigin advanced mode always turn into advocates of using the advanced blocking options of uBlockOrigin
Oldschool on MT said:
...I support anything that motivates others to employ medium mode, in whatever way that suits them. It makes clean, safer surfing possible for more users. Sadly, I can only imagine the vast numbers of internet users who are not aware of, or don't bother to experiment with, µBO - let alone some form of advanced user mode...

At the moment the idea discussed between GorHill and Kees1958 is partly possible, it requires manual configuration of both static My Filters and dynamic My Rules. It would be nice when this idea of applying different block modes for different zones would be guided and partly automated by uBlockOrigin.

IDEA OUTLINE:
  • Block all websites traffic from generic and country Top Level Domains known to have a large percentage of malware.
    It is stricter than the mode GorHill calls 'nightmare' mode (link). Normally you would not visit these TLD's so blacklisting them would only rarely lead to website breakage. You need to disable strict blocking to access a website within a blacklisted TLD. This warning can't be missed. It is explained at point 1 and 2 below.

  • Allow only (safe) passive third-party content from (unencrypted/insecure) HTTP websites.
    Because HTTP websites don't require a certificate they are easier to launch (owner is not checked), making them popular with malware writers. As illustrated on VX-Vault URL's 90% of the malware comes from HTTP websites, while 99% of legitimate websites are HTTPS websites. The allow passive content is a bit stricter than medium mode blocking, but more usable than hard mode blocking (because 3p-stylesheets are allowed),. In most cases HTTP website should still display (safe) passive content (like text and images). It is explained at 3 below.

  • Apply medium mode blocking on all TLD's outside your language scope (and apply easy mode to websites which language you read).
    This is the idea posted earlier by Kees1958/Windows_Security and is a sticky on this forum (link). This W_S tweak applies medium mode blocking for all remaining websites, except for the third-party TLD's you explicitly noop. For websites in the NOOP-ed third-party TLD's you apply easy mode blocking (because first-party is allowed by default). This is explained in 4.

Before posting the details I want to apologize to members from outside West Europe and North America for making this how-to from the western world perspective. I want to explicitly apologize for blocking some country code TLD's with high abuse/malware. I just searched for malicious / most abused Top Level Domains and copied the TLD's, I have no bias, political agenda or negative views on the listed country domains.


1. BLOCK ALL ON MUCH ABUSED GENERIC TOP LEVEL DOMAINS IN MY FILTERS
Generic Top Level Domains are domains with a generic fancy suffix. Some of these suffixes are very cheap and therefor often used by malware writers to limit costs.
!
! Block all on much abused generic TLD's. The TLD is between ||* and ^$, e.g. ||*.BID^$
!
||*.bid^$all
||*.buzz^$all
||*.club^$all
||*.country^$all
||*.date^$all
||*.download^$all
||*.gdn^$all
||*.host^$all
||*.icu^$all
||*.jetz^$all
||*.kim^$all
||*.loan^$all
||*.men^$all
||*.mobi^$all
||*.mom^$all
||*.party^$all
||*.pics^$all
||*.racing^$all
||*.ren^$all
||*.rest^$all
||*.review^$all
||*.ryukyu^$all
||*.science^$all
||*.shop^$all
||*.site^$all
||*.stream^$all
||*.top^$all
||*.trade^$all
||*.vip^$all
||*.wang^$all
||*.win^$all
||*.work^$all
||*.xin^$all

2. BLOCK ALL ON MUCH ABUSED COUNTRY CODE TOP LEVEL DOMAINS IN MY FILTERS
Some countries have loose legislation on cyber crime or no prisoner exchange ruling with the US, making them popular with malware writers. This is probably why they rank high in Spamhouse and yearly reports of security and DNS suppliers. Again apologize when your country is mentioned here.
!
! Block all on much abused country code TLD's. The TLD is between ||* and ^$, e.g. ||*.AM^$
!
||*.am^$all
||*.cc^$all
||*.cf^$all
||*.cn^$all
||*.fm^$all
||*.ga^$all
||*.gg^$all
||*.ki^$all
||*.kp^$all
||*.la^$all
||*.ml^$all
||*.pw^$all
||*.ru^$all
||*.tk^$all
||*.ua^$all
||*.ug^$all
||*.vn^$all

3. ONLY ALLOW PASSIVE THIRD-PARTY CONTENT ALL HTTP (UN-ENCRYPTED) WEBSITES IN MY FILTERS
HTTP are called insecure websites, because they do not use the HTTPS protocol, so the data you retrieve and send to these websites is unecrypted. Most commercial websites in West Europe and North America have a secure HTTPS website. This does not mean that HTTPS is safe, but only ensures that the data is encrypted and depending on the certificate and domain operator (DV), owner (OV) and legal entity (EV) is checked. Because you need to pass a check to get an certificate for a HTTPS website, most malware / phishing websites launch as HTTP website (often they are only active for a few days/weeks). So adding just one (1) rule in my filters reduces the attack surface a lot.
!
! Only allow third-party passive content on HTTP-websites
!
HTTP://*$third-party,~stylesheet,~image,~media

4. BLOCK SCRIPTS AND FRAMES TO THIRD-PARTY TOP LEVEL DOMAINS YOU NORMALLY WOULD NOT VISIT IN MY RULES
Enable advanced option in Settings tab of the Dashboard and create your own easy-medium mode blocking rules. When you are a member from Germany and also read English, this could be the dynamic rules you might add the following rules in MY RULES to block third-party scripts and frames (medium mode) globally. You should tailor the NOOP-rules below to your browsing habits (e.g. languages which you read).

A. Apply medium mode blocking (block active content on third-party websites)
* * 3p-frame block
* * 3p-script block


B. Next add noop exceptions (NO-OPERAND) for some generic Top Level Domains. This has as effect that all websites in those NOOP-ed Top level Domains the blocking mode is lowered to easy mode.

* biz * noop
* com * noop
* gov * noop

* inf * noop
* info * noop
* io * noop
* net * noop

* org * noop

C. Also allow exceptions (ignore or NO-OPERAND) for country codes of the languages you read. As an example, lets say you are from Germany and also read English. You could add noop-rules for German (Germany, Austria, Switzerland) and English (UK, US, Canada, Ireland, South Africa, Australia and New Zealand) and the EU. You should always tailor this to your needs.

* de * noop
* at * noop
* ch * noop

* uk * noop
* us * noop
* ca * noop
* ie * noop
* sa * noop
* au * noop

* nz * noop
 
Last edited:

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
RE: Adguard

Points 1, 2 and 3 can be used in Adguard's USER RULES. Adguard also supports the (block) $all.

1589523612217.png


Point 4 can't be done with Adguard, but you still block scripts within a Chromium based browser using Site Settings. Only difference is that the javascript block rules below block first paty scripts (so a reference to a third-party script to for instance a website with country code DE would not be blocked in the example below).
1589524432039.png
 
Last edited:

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
This works pretty well Still experimenting with it and I had to whitelist discord.gg as I use the web version of Discord. Simply added the rule:
@@discord.gg^$all,domain=discord.com
Testing page load impacts but seems to do the job fairly well.
 

absolute beginner

New Member
Oct 4, 2020
2
Hello,
not really sure to be at the right place to ask my question but this post was one of the start of point
Well, at the very beginning, I was just searching for an adblocker to improve performance in loading pages. Then, I've learned about tracking, Etag, lot of thing I've never heard before and then discovered MT, a gold mine.
I've read integrally all theses topics, amongst many others :
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings
Browser Add-on - uBlock Origin/Nano Adblocker - User Tips, Questions and Issues Thread
Adblocking innovation
gorhill/uBlock

In fact, so much knowledge got me more confused and i'm not really satisfied with the result.
Ok, i've gained privacy but decreased performance and I've got the feeling to spend my time to unbreak websites.
That's why your approach with just one list paid my attention (but if I've understood some things, this doesn't protect from tracking, just ads)

My setup is :
W10- DNs 1.1.1.1
Opera (Ads and tracking blockers disabled + malware protection Enabled)
Extensions :
- U blockOrigin (medium mode) with
"ublock-badware",
"ublock-privacy",
"ublock-abuse",
"ublock-unbreak",
"adguard-generic",
"easylist",
"easyprivacy",
"fanboy-enhanced",
"fanboy-annoyance",
"plowe-0",
"FRA-0",
"https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt",
"https://easylist-downloads.adblockplus.org/antiadblockfilters.txt",
"https://www.i-dont-care-about-cookies.eu/abp/",
"https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt",
"https://raw.githubusercontent.com/liamja/Prebake/master/obtrusive.txt",
"https://raw.githubusercontent.com/Kees1958/WS3_annual_most_used_survey_blocklist/master/Top500"

- Privacy Possum
- DecentralEyes
- MalwarebytesBrowserGuard (double protection)

FireFox
Same extensions but Ublock in easy mode because I need and install and forget approach for this brower (used for my wife)

I feel more concerned about tracking aspect than ads aspect so I'm planned to retrograd Ublock to Easy enhanced mode.
Do you think this would be more relevant or just using Opera with blockers enabled would be better? Or a mix of both?

And a general question : why nobody talks about extensions (except gandalf one time) like cache clearer, cache killer, etc...Are these things completey useless?

Sorry for this looong post.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Short answer: too many filters and extensions will slow your browsing down as you have noticed.

A note I found on blocking CNAME trackers and other filters:
About CNAME tracker: I really don't understand why it's so special to some people. Apparently they still believe subscribing a dedicated anti CNAME tracker list on Chromium is mandatory to block them if a DNS-level blocker is not deployed on other layer. The fact is EasyPrivacy alone, or the combination of AdGuard Tracking Protection and my list, blocks 99% of CNAME tracker while DEFINITELY many other analytics and trackers have slipped whatever your lists through, as long as you visit many sites. You prefer to double-lock a window and keep the door open? This reminds me that many people keep NoCoin despite EasyPrivacy covers 99% of them, and that others keep Adblock Warning Removal with a completely wrong assumption it has something to do with anti-adblock wall. Don't be fooled by misinformation on the Internet.
To see it open the adguard section on this site:
EDIT: Malwarebytes Browser Guard is known for slowing browsing down, so I would definitely loose that one.
Start over with uBlock Origin with the default filters and if you want to enhance look at the medium mode as described in this thread here:
 
Last edited:

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
FireFox
Same extensions but Ublock in easy mode because I need and install and forget approach for this brower (used for my wife)
You may skip Privacy Possum and Malwarebytes. Use built-in SafeBrowsing protection in FF Options>Privacy & Security>Security>Block dangerous and deceptive content.
Do you think this would be more relevant or just using Opera with blockers enabled would be better?
Opera with built-in tracking protection for usability. Or better yet try Brave browser which has more built-in privacy protections, including all µBO default filters optimized for Brave. If interested you may check here for setup tips:
 

absolute beginner

New Member
Oct 4, 2020
2
Incredible how fast we get answers on this forum :oops:(y)

So, i've done some quick tests consisting in removing all of my 4 extensions then test a combination of 2, 3 and all of them with 200 sites never visited (to avoid cache interference).
First, it's amazing to re-discover how fast can pages load without extensions. You click, you see the page, it's immediate.

- MBBG alone or MBBG+Ubo don't really slow my browsing down. It's really when you add a third extension (whatever extension) that i can notice a slow down (pages will load then in 1 to 5 seconds).
- Using Ubo (alone in easy enhanced mode) with just one list (Kees1958) didn't really improve the speed. You will see more effect just with disabling cosmetic filtering I think.

Secondly, it's amazing to re-discover how much annoyances we get without Ubo (cookie agreement, newsletter inscription, etc..). How can people live nowadays without extensions?

Well, I think i have to find a compromise between speed, annoyances protection and tracking protection (in order of preference).

Maybe i'm wrong with tracking protection. In fact, i just want to protect myself from commercial sites to recognize me and give me the price they profiled.
For example, if you want to rent a car, at home, the site will propose me 100$ and if I do exactely the same research on a different PC (at work), the site will propose me 90$. I think it's called the best price practice.

and to answer your questions :
@Gandalf_The_Grey : sorry, i didn't unsterstand the whole thing about CNAME. But I agree that I have to better choose my filters list. I'll do that. What about Cache clearer. do you still use it and why?
I saw the windows_security' topic (and it is pinned) about tweaking Ubo, but as Lenny_Fox's setup is largely inspired by this one, i prefered to ask here.

@oldschool : I think effectively that i should separate myself of at least one extension but the problem is that MBBG and Privacy Possum are highly recommanded almost everywhere. I would rather prefer to say goodbye to decentraleyes which real utility is more controversed.
I was mentally prepared to give up Ubo but finally, no...and when I thought i have made the most important click of my life when I thicked "I'm a advanced user" to switch to medium mode :p. I think I will stay with "Enhanced easy mode"
Brave : ah, if I could step back in time, I would surely choose this browser but you know, at my age, it's hard to break the habit and I do like my Opera...🙄

@security123 : i know you recommand NextDNS for multiple reasons, CNAME is another reason i was ignoring but CloudfaresDNS are faster I guess. As I said, i have to find by myself a compromise.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top