Windows_Security

Level 23
Verified
Trusted
Content Creator
Why a separate thread?

I got a few questions in the uB0 thread settings about uMatrix. Posting about two different extensions (although both written by the same developer) causes confusion. Therefore I will repost the uMatrix related post in this thread.

What is the idea behind this uMatrix configuration?

In the default configuration uMatrix uses a 'soft' third-party sources block. Gorhill calls it soft, because third-party images and stylesheets are allowed in the default rules configuration. The benefit of blocking third-party sources is that it reduces the risk of malware infection and at the same time blocks 90% of the trackers (so good for privacy also). The problem with blocking all third-party scripts, (i)frames and XMLHttpRequests (XHR) is that functionality on most websites is broken. That is why the uMatrix wiki also contains an ALLOW ALL how-to.

As published by PhishTank and some DNS services, some TLDs and country codes have a high percentage of malware (see post). When Google Chrome was launched some smart power users started to post how to block scripts in general, allowing only a few Top Level Domains to execute scripts (block scripts by default and allow, for example, all domains with TLD COM, NET, INF, ORG, GOV and a few country codes like DK for Denmark). This whitelist on some general Top Level Domains (COM, ORG, GOV) and a few country codes makes sense since most of us only speak one or two languages.

This idea used on Google Chrome is used for the uMatrix setup "Soft third-party block mode with whitelist to allow some TLDs". The benefit of using uMatrix is that you can apply it on other (non-Chromium based) browsers also and that uMatrix also blocks XHR (XMLHttpRequests) and (i)frames besides scripts.

In the Netherlands I was taught French, German and English. Because I used English and German for work, I forgot most French and only read (besides Dutch) German and English sources. So you won't find websites from France or China, North Korea, Russia and Ukraine in my bookmarks. When I normally don't visit these websites, I just as well can block those country codes in uMatrix. Since uMatrix has a default deny, instead of blocking I am whitelisting the TLDs I usually visit.

ALLOW SOME THIRD-PARTY RULE SET.

Bottom line: this is not as safe as a BLOCK ALL third-party, but is safer than an ALLOW ALL. The setup is a cross-over of the SOFT THIRD-PARTY block and ALLOW ALL (when you replace the NL country code with the country code of the country you live in and websites publishing content in a foreign language you speak). It is probably more beneficial to users who often add an ALLOW ALL for websites.



Check whether 3rd-party TLD whitelist is working


When I surf to CNN.com and use the above ruleset I can see that CNN.IO is blocked (other com, net are allowed when not blocked by my assets).


-------------------------


Converted the W3techs.com most used ads & trackers in the top 10 million websites (there are actually only 175 :giggle: ) to uMatrix rules. Just download and open the text file and copy them into My Rules. I now run uMatrix without any blocklist assets.

The upside of using the default blocklists is that the My Rules section remains clear and uncluttered. There is NO memory or CPU advantage in further reducing the blocklists from 50K (Peter Low, MVPS, Adguard DNS and Easylist Host) to only the top 175 most used ads and trackers worldwide of the Alexa top 10 million websites (derived from W3techs.com).
 


Last edited by a moderator:
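To make the precedence behind the TLD whitelist concrete, here is an added Python model of how uMatrix resolves one request against the "My rules" text. It is written for this thread; it is not uMatrix's code and not the author's attachment. The two rule sets inside it are constructed from the lines the posts describe (the default hard block, and the soft variant with com/net/org/nl allowed), and the hostnames (edition.cnn.com, cnn.io, cdn.example.net, tracker.example.ru, www.example.com) are sample values for the walkthrough. The model also shows why uMatrix's default rules carry a separate '* 1st-party frame allow' line next to '* * frame block'.

```python
"""Toy model of uMatrix rule precedence (added illustration, not uMatrix's code).

Reproduced properties:
  1. among cells of one request type, the narrowest destination wins, walking
     from the exact hostname up through parent domains, the TLD and '*';
  2. a type-specific cell (e.g. 'frame') found anywhere in that walk beats an
     any-type ('*') cell at any level.
Simplification: the registrable domain is taken as the last two labels (no
public suffix list), which is fine for .com/.io/.nl but wrong for e.g. .co.uk.
"""

# Constructed rule sets, not copied from the thread's screenshots.
DEFAULT_HARD_RULES = """\
* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow
"""

SOFT_TLD_RULES = """\
* * * block
* * css allow
* * image allow
* * media allow
* 1st-party * allow
* com * allow
* net * allow
* org * allow
* nl * allow
"""


def parse_rules(text):
    """Map (source, destination, type) -> 'allow'/'block'; switch lines are ignored."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("allow", "block"):
            src, dst, rtype, action = parts
            rules[(src, dst, rtype)] = action
    return rules


def broader(hostname):
    """Next scope up: 'www.cnn.com' -> 'cnn.com' -> 'com' -> '*' -> None."""
    if hostname == "*":
        return None
    dot = hostname.find(".")
    return "*" if dot == -1 else hostname[dot + 1:]


def scopes(hostname):
    """All scopes from the hostname itself up to '*'."""
    chain = []
    while hostname is not None:
        chain.append(hostname)
        hostname = broader(hostname)
    return chain


def registrable(hostname):
    return ".".join(hostname.split(".")[-2:])


def destination_chain(src, dst):
    """Destinations to consult, narrowest first; the '1st-party' pseudo-hostname
    is inserted once the walk reaches the requester's own registrable domain."""
    chain = []
    for scope in scopes(dst):
        chain.append(scope)
        if scope == registrable(dst) == registrable(src):
            chain.append("1st-party")
    return chain


def lookup(rules, src, dst, rtype):
    """Narrowest source scope that has a cell for (dst, rtype), else None."""
    for s in scopes(src):
        if (s, dst, rtype) in rules:
            return rules[(s, dst, rtype)]
    return None


def evaluate(rules, src, dst, rtype):
    """Decide a request of type rtype from page src to host dst."""
    chain = destination_chain(src, dst)
    for d in chain:                          # pass 1: type-specific cells win outright
        action = lookup(rules, src, d, rtype)
        if action:
            return action
    for d in chain:                          # pass 2: any-type cells, narrowest first
        action = lookup(rules, src, d, "*")
        if action:
            return action
    return "block"                           # uMatrix's own '* * * block' default


def check_tld_whitelist():
    """Replay the thread's CNN check with constructed hostnames."""
    rules = parse_rules(SOFT_TLD_RULES)
    page = "edition.cnn.com"
    requests = [("edition.cnn.com", "script"),    # first party
                ("cnn.io", "script"),             # .io is not whitelisted
                ("cdn.example.net", "xhr"),       # .net is whitelisted
                ("tracker.example.ru", "image"),  # images are allowed from anywhere
                ("tracker.example.ru", "script")]
    return {(d, t): evaluate(rules, page, d, t) for d, t in requests}


def first_party_frame(explicit_allow):
    """First-party frame under the default rules, with or without the explicit allow line."""
    text = DEFAULT_HARD_RULES if explicit_allow else DEFAULT_HARD_RULES.replace("* 1st-party frame allow\n", "")
    return evaluate(parse_rules(text), "www.example.com", "www.example.com", "frame")


if __name__ == "__main__":
    for (host, rtype), verdict in check_tld_whitelist().items():
        print(f"{host:22} {rtype:7} {verdict}")
    print("1st-party frame with explicit allow:", first_party_frame(True))
    print("1st-party frame without it:         ", first_party_frame(False))
```

Running it gives the same picture as the CNN screenshot: cnn.io ends up blocked because its walk (cnn.io, io, *) never meets a whitelisted TLD, while anything under com/net/org/nl is let through, and images pass from every host because '* * image allow' is a type-specific cell. The second function shows the frame quirk: drop '* 1st-party frame allow' and the global '* * frame block' beats '* 1st-party * allow', so even first-party frames are blocked.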

SeriousHoax

Level 8
Verified
Malware Tester
uMatrix does not have the option to add AdBlockPlus rules, so the block third-party on HTTP://* websites is not possible. When you are on a Chromium browser you can however set Scripts to block in site permissions and allow HTTPS://*


I tried the latest stable and discovered that it is possible to add Top Level Domain allow rules. So when using these TLD allow rules it is possible to add a SOFT-third-party blocking setup. Here is what I have done:

1. Tweaked the Assets to trim down the number of rules: allowed two of the defaults and added two using filters.com
- MVPS Hosts
- Peter Low's
- Easylist Host
- Adguard DNS Host


2. Added Top Level Domain Exceptions for COM, ORG, NET and NL (Netherlands) in My Rules and slightly changed the default hard-block-third-party rules (added allow media, removed block all of Frames)


3. Checked whether it worked on CNN (it should block CNN.IO which you have to enable to play movies):
Thanks for trying it out on uMatrix. I added allow media which is gonna come in handy. But is it really necessary on uMatrix to add com, net, org, etc.? Doesn't it already allow those and all first parties by default?
e.g.:

 

Windows_Security

Level 23
Verified
Trusted
Content Creator
The hard third-party block only allows FIRST party and ALL stylesheets and images. It blocks all frames and at the same time allows first-party frames separately (????????) and blocks ALL third-party.

The soft third-party block as I showed you allows FIRST party and ALL stylesheets, images and media AND allows third party from the Top Level Domains, so yes it is essential (otherwise ALL third-party would be blocked, now ORG, NET, COM Top Level Domain third-party is allowed).
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Update on uMatrix in soft 3rd-party blocking mode: I like uMatrix's interface over uBlock's and also the more granular control of the 'dynamic' rules. What I miss in uMatrix is this option (link) and the more granular control of the 'static' AdBlockPlus rules to only block a specific first-party script or frame (with uMatrix I found no way to block the advertisements on the Google or Startpage results page).

I also wonder why the privacy options of uBlock and uMatrix are not the same. Normally programmers like to re-use code and apply the same code or similar functionality, but Mr Hill will have his reasons for this irregularity (hope I am using the correct English word for it).

Strange user experience: although uBlock offers me more functionality, uMatrix (specifically allowing something) feels easier to use and manage, so I decided to keep uMatrix on Edge-Chromium and use uBlock on old Edge.
 
Last edited:

Handsome Recluse

Level 20
Verified
Update on uMatrix in soft 3rd-party blocking mode: I like uMatrix's interface over uBlock's and also the more granular control of the 'dynamic' rules. What I miss in uMatrix is this option (link) and the more granular control of the 'static' AdBlockPlus rules to only block a specific first-party script or frame (with uMatrix I found no way to block the advertisements on the Google or Startpage results page).

I also wonder why the privacy options of uBlock and uMatrix are not the same. Normally programmers like to re-use code and apply the same code or similar functionality, but Mr Hill will have his reasons for this irregularity (hope I am using the correct English word for it).

Strange user experience: although uBlock offers me more functionality, uMatrix (specifically allowing something) feels easier to use and manage, so I decided to keep uMatrix on Edge-Chromium and use uBlock on old Edge.
I knew this day would come.
Why are you using old Edge and what are you using it for?
 


Windows_Security

Level 23
Verified
Trusted
Content Creator
Being a fan of minimal blocklists I often add Steven Black's hosts list to uMatrix and disable the others. When I posted this thread, I could not find the correct URL (the one I found through searching with Google gave errors when I added it); I found it in an old post of @Evjl's Rain (I remembered he suggested that blacklist to me for its efficiency).

Just click on import and copy this text into the text box (replace hXXps with https): hXXps://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

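The Steven Black list above is a hosts file, which uMatrix's Assets tab imports as-is; the earlier post that moved a tracker list into My Rules instead needs each entry rewritten as a '* hostname * block' line. Here is an added Python converter for that step (written for this thread, not the author's script and not part of uMatrix or Steven Black's project). It reads hosts-format lines or bare hostnames, drops the local-machine entries and anything that is not a hostname, collapses subdomains already covered by a listed parent, and emits uMatrix rules. The SAMPLE_HOSTS input is constructed for the demonstration.

```python
"""Turn a hosts-format blocklist, or a plain list of hostnames, into uMatrix
"My rules" block lines. Added example; the sample input below is constructed."""
import re

# Names that hosts files carry for the local machine; never worth a rule.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def hostnames(lines):
    """Yield hostnames from '0.0.0.0 host [host...]' lines or bare-hostname lines."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip().lower()   # strip comments and case
        if not line:
            continue
        fields = line.split()
        # hosts format starts with an IPv4/IPv6 address; a plain list has one name per line
        is_address = ":" in fields[0] or IPV4_RE.fullmatch(fields[0]) is not None
        for name in (fields[1:] if is_address else fields[:1]):
            if name not in LOCAL_NAMES and HOSTNAME_RE.match(name):
                yield name


def parents(name):
    """Parent domains below the TLD: 'a.b.example.com' -> ['b.example.com', 'example.com']."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def minimise(names):
    """Drop a hostname when a parent is listed too: in uMatrix a block on
    'example.com' already covers 'ads.example.com' (unless a narrower allow exists)."""
    names = set(names)
    return sorted(n for n in names if not any(p in names for p in parents(n)))


def to_umatrix_rules(lines):
    """Block rules in uMatrix's 'source destination type action' form."""
    return [f"* {host} * block" for host in minimise(hostnames(lines))]


# Constructed sample in the layout of Steven Black's hosts file.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com      # covered by example.com below
0.0.0.0 example.com
0.0.0.0 tracker.example.net www.tracker.example.net
0.0.0.0 not_a_hostname
analytics.example.org
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_HOSTS.splitlines()
    print("\n".join(to_umatrix_rules(lines)))
```

Paste the printed lines into the My Rules text area and save. The parent-collapsing in minimise() assumes the output contains only block rules; if you later add an allow for a subdomain, uMatrix's narrower-rule-wins precedence still lets that allow win over the parent block.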