SoylentNews is people

posted by cmn32480 on Sunday November 06 2016, @03:21PM
from the only-show-me-what-I-wanna-see dept.

[Ed Note: This reads a little like a Soylvertisement, but the concept that the blog is talking about regarding using WebSocket to send the advertising (and the tool he uses to see the traffic) is interesting. The "How It Works" section of the blog article (not posted here) is worth a read.]

Pornhub Bypasses Ad Blockers With WebSockets

TLDR: Watch the BugReplay Recording of Pornhub dodging AdBlock

(NSFW level: medium)

We tried to find the most PG page on MindGeek's network to use as an example- it wasn't easy.


When I was building the prototype for BugReplay, I was evaluating different methods of capturing and analyzing network traffic from Chrome. One of the first things I saw that looked promising was the chrome.webRequest API.

From the docs: "Use the chrome.webRequest API to observe and analyze traffic and to intercept, block, or modify requests in-flight."

That seemed to be exactly what I needed.

After experimenting with the Chrome webRequest API, I quickly realized there was a big problem. It didn't allow me to analyze any WebSocket traffic, something I really wanted to support.

As I was searching the web trying to see if I was misreading the documentation or was looking in the wrong spot, I found a relevant bug report from 2012: "chrome.webRequest.onBeforeRequest doesn't intercept WebSocket requests." In the bug report, users were complaining that without the ability to block WebSockets, websites could get around ad blockers fairly easily. If WebSocket data was not visible to Chrome extensions via the webRequest API, they could not be blocked without some heavy duty hacks.

Initially, the risks to ad blockers seemed theoretical; the examples of sites that were employing this technique were very obscure. Then in August 2016, an employee of the company that owns Pornhub.com (MindGeek) started arguing against adding the WebSocket blocking capabilities to the Chrome API. Pornhub is the 63rd most visited site on the Internet according to Alexa. I checked out a few of MindGeek's sites and sure enough, I could see ads coming through even though I had Adblock Plus on. The ads on Pornhub are marked 'By Traffic Junky,' which is an ad network owned by MindGeek.

In the screenshot below, you can see a banner at the top of the page announcing that the site is aware that the user is using an Ad Blocker, with an invitation to subscribe to a premium ads free version of the site. On the right side of the page you can see an advertisement.

http://blog.bugreplay.com/post/152579164219/pornhubdodgesadblockersusingwebsockets

-- submitted from IRC



Related Stories

Pornhub Adopts Machine Learning to Tag Videos as Malvertising Looms 17 comments

Pornhub has begun to use machine learning to automatically tag videos:

Artificial intelligence has proven to be a dab hand at recognizing what's going on in photos and videos, but the datasets it's usually trained on are pretty genteel. Not so for Pornhub, which announced today that it's using machine learning to automatically catalog its videos.

The site is starting small, deploying facial recognition software that will detect 10,000 individual porn stars and tag them in footage. (Usually this information is provided by uploaders and viewers, who will still play a part by verifying the software's choices.) It plans to scan all 5 million of its videos "within the next year," and then move onto more complicated territory: using the software to identify the specific categories videos belong to, like "public" and "blonde."

In a press statement, Pornhub VP Corey Price said the company was joining the trend of firms using AI to "expedite antiquated processes." However, the speed at which PornHub's AI processes the data doesn't seem like it would be an improvement on its current crowdsourced system. While in beta the machine learning software apparently scanned some 50,000 videos in a month. At this rate it would take nearly a decade to scan the entire site, but presumably improvements are being made.

Meanwhile, a security firm has warned that millions of Pornhub users were targeted by "malvertising" for more than a year:

Millions of Pornhub users were targeted with a malvertising attack that sought to trick them into installing malware on their PCs, according to infosec firm Proofpoint.

By the time the attack was uncovered, it had been active "for more than a year", Proofpoint said, having already "exposed millions of potential victims in the US, Canada, the UK, and Australia" to malware by pretending to be software updates to popular browsers.

Although Pornhub, the world's largest pornography site with 26bn yearly visits according to data from ranking firm Alexa, and its advertising network have shut down the infection pathway, the attack is still ongoing on other sites.

Also at TechCrunch, Engadget, and The Sacramento Bee.

Related: BugReplay - Finding How Ads Get Past the Blockers
Linux Use on Pornhub Surged 14% in 2016
Malvertising Campaign Finds a Way Around Ad Blockers
Pornhub's Newest Videos Can Reach Out and Touch You



This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Sunday November 06 2016, @03:35PM

    by Anonymous Coward on Sunday November 06 2016, @03:35PM (#423131)

    The first link fails: {"error":"Missing redirect parameters"}

    • (Score: 0) by Anonymous Coward on Sunday November 06 2016, @03:40PM

      by Anonymous Coward on Sunday November 06 2016, @03:40PM (#423137)

      actually it's every link that uses t.umblr.com.

    • (Score: 2) by cmn32480 on Monday November 07 2016, @01:22PM

      by cmn32480 (443) <cmn32480NO@SPAMgmail.com> on Monday November 07 2016, @01:22PM (#423471) Journal

      I shall be out back by the fence post awaiting my 50 lashes with a cold wet noodle.

      Many thanks to martyb for the assistance.

      --
      "It's a dog eat dog world, and I'm wearing Milkbone underwear" - Norm Peterson
      • (Score: 2) by martyb on Monday November 07 2016, @01:42PM

        by martyb (76) Subscriber Badge on Monday November 07 2016, @01:42PM (#423484) Journal

        I shall be out back by the fence post awaiting my 50 lashes with a cold wet noodle.

        Many thanks to martyb for the assistance.

        Well, save some space by the fence post for me, too. I was the one who reviewed the story after you posted it out. I should have noticed it, then. My apologies to the community.

        --
        Wit is intellect, dancing.
  • (Score: 4, Insightful) by Arik on Sunday November 06 2016, @03:39PM

    by Arik (4543) on Sunday November 06 2016, @03:39PM (#423136) Journal
    http://t.umblr.com/redirect?z=https://bugs.chromium.org/p/chromium/issues/detail?id=129353t=NzEwYTcxNWU1NzBkNWU4NTI0ODQ5M2ZkNmQ0ZGEzNWZjNDA0MmQ0YixrcHF4R2FtQw==b=t:6bl5ETNTjYSyFEx99dAe-Am=1

    KYS.

    Cleaned to https://bugs.chromium.org/p/chromium/issues/detail?id=129353t=NzEwYTcxNWU1NzBkNWU4NTI0ODQ5M2ZkNmQ0ZGEzNWZjNDA0MmQ0YixrcHF4R2FtQw==b=t:6bl5ETNTjYSyFEx99dAe-Am=1

    "Issue Not Found"

    Hrmmm.

    Searched for 129353

    Ahh here we go.

    Known problem since 2012, appears to be the result of cruddy architectural decision at the start. Now that there are FINALLY known exploits that can be pointed to, it might get papered over.

    A browser produced by an ad company? What could possibly go wrong?

    Lawl.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 3, Informative) by FatPhil on Sunday November 06 2016, @05:31PM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday November 06 2016, @05:31PM (#423182) Homepage
      Just stop that URL before the seemingly out-of-place 't':
        https://bugs.chromium.org/p/chromium/issues/detail?id=129353
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 1) by Arik on Sunday November 06 2016, @06:30PM

        by Arik (4543) on Sunday November 06 2016, @06:30PM (#423204) Journal
        Correct, I noticed that as soon as I posted it... still no response to my question though. Seriously, why on earth if you OP was trying to link us to the chromium bug tracker did we get this weird do-nothing link to an apparently unrelated domain? And why did Ed let it through? Ugly stuff.
        --
        If laughter is the best medicine, who are the best doctors?
  • (Score: 4, Funny) by zocalo on Sunday November 06 2016, @05:00PM

    by zocalo (302) on Sunday November 06 2016, @05:00PM (#423162)

    We tried to find the most PG page on MindGeek's network to use as an example- it wasn't easy.

    Yeah, yeah. You're not convincing anyone. Do you need a fresh ice pack for that wrist yet? ;)

    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 5, Informative) by Celestial on Sunday November 06 2016, @05:05PM

    by Celestial (4891) on Sunday November 06 2016, @05:05PM (#423166) Journal

    gorhill (the developer of uBlock Origin, an ad block extension for Google Chrome, Mozilla Firefox, and Opera), discovered a little while ago that more and more advertisers are using WebSockets to get around ad blocking in Google Chrome and Google Chrome based browsers, so he added a companion extension to uBlock Origin, called uBlock Origin WebSockets [google.com] oddly enough. It allows uBlock Origin to filter WebSockets. You need both extensions if you plan on using it, just FYI.

    If one ad block extension developer can do it, I'm sure other ad block extensions will do it in time as well.

    • (Score: 2) by edIII on Sunday November 06 2016, @06:02PM

      by edIII (791) on Sunday November 06 2016, @06:02PM (#423192)

      Thank you, and blocking websockets outright is the answer I think.

      I'm looking into programming with it myself, but that would be a fully logged and authenticated portal to get work done, not be advertised to. So as long as the website isn't being paid $20+/mo to perform services for me needing websockets and an API, I sure as hell don't need to be enabling websockets for everyday browsing.

      For everyday browsing, I'm using phpproxy out of Europe stripping everything from the pages. I might need to upgrade that and make sure the websockets hole is closed.

      It's always something with those irredeemable bastards isn't it?

      --
      Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 1) by Bethany.Saint on Monday November 07 2016, @05:32PM

      by Bethany.Saint (5900) on Monday November 07 2016, @05:32PM (#423624)

      For anyone using uBlock Origin (like myself) you probably don't need this extension anymore. From the description:

      UPDATE: since this companion extension was published, uBlock Origin has itself gained the ability to blanket-block all websocket connection attempts for specific sites using a new filter syntax. For example, the filter "*$websocket,domain=example.com" will block *all* websocket connection attempts for web pages from "example.com". EasyList now supports this syntax, and contains such filters.[3]
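
A simplified illustration of how a filter like the one quoted above is evaluated, as an added example that is not uBlock Origin's code or part of the comment. It handles only three pattern forms (`*`, `||host^`, plain substring) plus the `websocket` type and `domain=` options; the request object shape and all host names are assumptions constructed for the example.

```javascript
// Added example: simplified matcher for ABP/uBlock-style "$websocket" filters.
// Not the extension's implementation; only a small subset of the syntax.

function parseFilter(line) {
  const idx = line.lastIndexOf('$');
  const pattern = idx === -1 ? line : line.slice(0, idx);
  const options = idx === -1 ? [] : line.slice(idx + 1).split(',');
  const filter = { pattern, types: new Set(), include: [], exclude: [] };
  for (const opt of options) {
    if (opt.startsWith('domain=')) {
      // "domain=a.com|~b.a.com": page domains to include, "~" marks exclusions
      for (const d of opt.slice('domain='.length).split('|')) {
        if (d.startsWith('~')) filter.exclude.push(d.slice(1));
        else filter.include.push(d);
      }
    } else if (opt) {
      filter.types.add(opt); // request type, e.g. "websocket"
    }
  }
  return filter;
}

// A domain entry covers the host itself and all of its subdomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function patternMatches(pattern, url) {
  if (pattern === '' || pattern === '*') return true;
  if (pattern.startsWith('||')) {
    const host = pattern.slice(2).replace(/\^$/, '');
    return hostMatches(new URL(url).hostname, host);
  }
  return url.includes(pattern);
}

// request: { url, type, pageUrl } (hypothetical shape for this example)
function shouldBlock(filters, request) {
  const pageHost = new URL(request.pageUrl).hostname;
  return filters.some((f) => {
    if (f.types.size > 0 && !f.types.has(request.type)) return false;
    if (f.exclude.some((d) => hostMatches(pageHost, d))) return false;
    if (f.include.length > 0 && !f.include.some((d) => hostMatches(pageHost, d))) return false;
    return patternMatches(f.pattern, request.url);
  });
}

// Constructed filter list: the first entry is the form quoted in the comment.
const FILTERS = [
  '*$websocket,domain=example.com',
  '||tracker.invalid^$websocket',
  '*$websocket,domain=shop.test|~pay.shop.test',
].map(parseFilter);

console.log(shouldBlock(FILTERS, {
  url: 'wss://ads.invalid/s', type: 'websocket', pageUrl: 'https://www.example.com/view',
}));
```
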

  • (Score: 2, Informative) by Anonymous Coward on Sunday November 06 2016, @05:22PM

    by Anonymous Coward on Sunday November 06 2016, @05:22PM (#423178)

    My initial impulse to advertize for the Pale Moon browser [palemoon.org] was (somewhat) checked by the realization that even it supports Websockets. The good news, though, is that almost all such features can be easily disabled via the "about:config" page, much like with Firefox. (Toggle "network.websocket.enabled" to 'false'.)

    I've resorted to using two browser installations to deal with fancy sites that demand added functionality, while trying to be wise about my normal network traffic: a locked-down Pale Moon for normal use, and a portable version of Firefox for the fancy site that demands access to all the latest bells and whistles.

    • (Score: 1) by idetuxs on Sunday November 06 2016, @10:12PM

      by idetuxs (2990) on Sunday November 06 2016, @10:12PM (#423282)
      Thanks for the info of the about:config option. I just googled this as I didn't find it in Firefox options and it seems as they removed the possibility to deactivate this easily :(

      Anyone know a way to disable this for firefox? even a trustworthy add-on?
      • (Score: 1, Informative) by Anonymous Coward on Sunday November 06 2016, @10:32PM

        by Anonymous Coward on Sunday November 06 2016, @10:32PM (#423288)

        You'll need to dive in to Mozilla's about:config knowledge base [mozillazine.org]; CTRL-F is your friend. One other very strong suggestion: KEEP NOTES on your configuration changes! You'll want to be able to re-create the good changes and also unwind any changes which didn't produce the desired effect - about:config is often unintuitive.

        You may also consider making the switch away from Firefox and to Pale Moon [palemoon.org], a Firefox-derived browser that tends towards *gasp* user-friendliness in terms of modification and configuration. You know, just like Firefox used to be, before idjits took over who decided that they not only knew best, but that it was best to shove everything new down users' throats whether they liked it or not.

        One big secret to overcoming the pain of switching browsers is some basic knowledge of Firefox add-on files: the *.xpi files are actually compressed files (.zip or .7z, I forget which), and the "install.rdf" file is plain text which contains Minversion and Maxversion lines which in many cases can be changed with a text editor to cover Pale Moon's version (e.g. Firefox Minversion 40 changed to 25 to allow Pale Moon to install it): extract install.rdf, edit and save, delete install.rdf from the compressed file, then add the modified install.rdf file back to the *.xpi archive. Drag *.xpi file into Pale Moon window and drop it to install.

        • (Score: 1) by dbitter1 on Monday November 07 2016, @02:34AM

          by dbitter1 (2918) Subscriber Badge on Monday November 07 2016, @02:34AM (#423364)

          Have you figured out how to get video working (the Win version is fine, I mean the Linux version)? MP4 video support makes my eyes bleed. Sites like Imgur I have found the most reliable thing is to get a user-agent switcher, then when I find a video it doesn't play, switch to another agent and reload... and poof... it plays... till the next one and I have to use ANOTHER agent instead...

          (And yes, I know they are jihading against DRM, and I have no problem with that.)

          Otherwise, Palemoon FTW on all accounts.

          • (Score: 0) by Anonymous Coward on Monday November 07 2016, @05:53PM

            by Anonymous Coward on Monday November 07 2016, @05:53PM (#423643)

            Have you figured out how to get video working (the Win version is fine, I mean the Linux version)?

            Apologies, I'm still mired in Windows in regards to my non-server machine(s). Depending on what the trouble is with videos and imgur, you could try toggling both "media.autoplay.enabled" AND "media.autoplay.allowscripted" to 'false'. Youtube tries to self-autoplay html5-based video using scripts (which Firefox does/did allow for some insane reason); perhaps a similar sort of thing is behind the problem with imgur?

  • (Score: 3, Interesting) by edIII on Sunday November 06 2016, @06:07PM

    by edIII (791) on Sunday November 06 2016, @06:07PM (#423195)

    It occurred to me that websockets is an actual transmission protocol, and not some framework like javascript and AJAX.

    As it requires an upgrade, and the entire connection is considered switched to websockets...... all browsers should be forced to instantly swap out the http/https in the url with websockets://site.name as good policy.

    Everybody can see right away that the connection switched, and we should be able to be notified with the ability to block it, accept it, or whitelist it.

    Filtering it comes after all of that.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 3, Interesting) by jdavidb on Sunday November 06 2016, @08:32PM

      by jdavidb (5690) on Sunday November 06 2016, @08:32PM (#423250) Homepage Journal
      The problem is that the site itself isn't served over websockets - embedded content on the site is. It's like an IMG SRC= tag. The URL for the IMG could be completely different and unrelated to the URL for the site you are browsing and could even have a different protocol such as ftp. The browser address bar will show you the site URL including its protocol, but it won't show you the URL for all of the dozens of requests that occur based on the HTML the site served up. Some of those might be websockets, some might be https, some might be http, and some might be something else.
      --
      ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
    • (Score: 2) by darkfeline on Sunday November 06 2016, @08:33PM

      by darkfeline (1030) on Sunday November 06 2016, @08:33PM (#423251) Homepage

      Wait, I thought WebSocket upgrade only happens when initiated from JS. Why the hell would a browser allow upgrading the initial HTTP/S request to WebSocket? That doesn't even make sense; why/how do you request an HTML file via a full-duplex pipe? I mean, I guess you could use only one direction of the pipe and just unload the HTML file data, but...

      From TFA, it sounds like they're doing it the sensible way, opening a WebSocket via JS if ad-blocking is detected to load the ads dynamically. In which case, the solution is quite obvious; block the offending JS.

      --
      Join the SDF Public Access UNIX System today!
    • (Score: 2) by tibman on Monday November 07 2016, @04:12PM

      by tibman (134) Subscriber Badge on Monday November 07 2016, @04:12PM (#423565)

      Yes, it's a transmission protocol but it is used like ajax. JavaScript on the page you are currently on initiates a websocket connection. If you leave that page the socket is destroyed because the socket is attached to a javascript object on that page.

      I have some good experience with it. Wrote a custom websocket server in php from the RFC. Web socket upgrade from http is there in the protocol but mostly worthless. It's just a nice way to do a hand off that is really unneeded. My server for example just eats the upgrade request and starts the websocket connection because it isn't even capable of serving http.

      --
      SN won't survive on lurkers alone. Write comments.
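
The opening handshake discussed in this sub-thread, seen from a filtering proxy: an added example (not part of any comment above) that recognises a WebSocket upgrade request by its RFC 6455 headers and applies a host allowlist. It assumes the proxy sees the plaintext request head (`ws://`, or TLS terminated at the proxy); the function names, host names and sample requests are constructed for illustration.

```javascript
// Added example: detect a WebSocket opening handshake in an HTTP request head
// and decide by Host header. Header requirements follow RFC 6455.

function parseRequestHead(raw) {
  const head = raw.split('\r\n\r\n')[0];
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, target] = requestLine.split(' ');
  const headers = new Map();
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon <= 0) continue; // skip malformed lines
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    // Repeated headers are joined, as HTTP allows for list-valued fields.
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return { method, target, headers };
}

// True if a comma-separated header value contains the token (case-insensitive).
function hasToken(value, token) {
  return (value || '').split(',').some((t) => t.trim().toLowerCase() === token);
}

function isWebSocketUpgrade(req) {
  return req.method === 'GET'
    && hasToken(req.headers.get('upgrade'), 'websocket')
    && hasToken(req.headers.get('connection'), 'upgrade')
    && req.headers.has('sec-websocket-key')
    && req.headers.get('sec-websocket-version') === '13';
}

// Returns 'pass' for ordinary HTTP, otherwise allow/block by Host header.
function decide(raw, allowedHosts) {
  const req = parseRequestHead(raw);
  if (!isWebSocketUpgrade(req)) return 'pass';
  const host = (req.headers.get('host') || '').replace(/:\d+$/, '').toLowerCase();
  return allowedHosts.has(host) ? 'allow-websocket' : 'block-websocket';
}

// Constructed sample requests (hosts are placeholders).
const AD_SOCKET = [
  'GET /socket HTTP/1.1',
  'Host: ads.example.net',
  'Origin: http://video.example.com',
  'Connection: keep-alive, Upgrade', // token list, not a bare "Upgrade"
  'Upgrade: websocket',
  'Sec-WebSocket-Version: 13',
  'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
  '', '',
].join('\r\n');

const CHAT_SOCKET = [
  'GET /chat HTTP/1.1',
  'Host: chat.example.org:8080',
  'Connection: Upgrade',
  'Upgrade: WebSocket', // header values are matched case-insensitively
  'Sec-WebSocket-Version: 13',
  'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
  '', '',
].join('\r\n');

const PLAIN_GET = [
  'GET /index.html HTTP/1.1',
  'Host: ads.example.net',
  'Connection: keep-alive',
  '', '',
].join('\r\n');

const ALLOWED_HOSTS = new Set(['chat.example.org']);
console.log(decide(AD_SOCKET, ALLOWED_HOSTS), decide(CHAT_SOCKET, ALLOWED_HOSTS));
```
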
  • (Score: 2) by xpda on Sunday November 06 2016, @06:48PM

    by xpda (5991) on Sunday November 06 2016, @06:48PM (#423211) Homepage

    If I disable websockets on my browser, which sites will stop working?

    • (Score: 1, Informative) by Anonymous Coward on Sunday November 06 2016, @06:57PM

      by Anonymous Coward on Sunday November 06 2016, @06:57PM (#423214)

      Try it and see.

      I've not noticed any sites which break without websockets (using Pale Moon masquerading as Firefox by manipulating User-Agent) during daily use. I suspect that Citrix uses websockets for their browser-based web conferencing, but using a parallel install of vanilla Firefox Portable just for those super-rare occasions seems an adequate course to take.

    • (Score: 3, Informative) by tibman on Monday November 07 2016, @04:16PM

      by tibman (134) Subscriber Badge on Monday November 07 2016, @04:16PM (#423570)

      A lot of bigger sites use AJAX as a fallback if websocket isn't working. Slower but still works (uses long-polling ajax). It's mostly for compatibility with older browsers.

      --
      SN won't survive on lurkers alone. Write comments.
  • (Score: 2) by shortscreen on Sunday November 06 2016, @07:19PM

    by shortscreen (2252) on Sunday November 06 2016, @07:19PM (#423219) Journal

    but I know that trafficjunky is in my hosts file

  • (Score: 0) by Anonymous Coward on Monday November 07 2016, @01:18AM

    by Anonymous Coward on Monday November 07 2016, @01:18AM (#423332)

    I'll never understand why more people don't just kill ads at the hosts file and be done with it.
    http://winhelp2002.mvps.org/hosts.htm [mvps.org]

    • (Score: 0) by Anonymous Coward on Monday November 07 2016, @01:36AM

      by Anonymous Coward on Monday November 07 2016, @01:36AM (#423340)

      I'll never understand why more people don't kill ads at their home DNS server and be done with it and block the IPs at the router in case a site has no resolution. Gosh this makes me feel like the model that said "don't hate me because I am beautiful". yeah we hated her because she was an arrogant jerk. Now we all can see how me and the OP are too.

      I do understand why people would use these browser adblocking and javascript blocking things; sometimes, you need access to the host because blocking the domain makes things go poof and not work.

      That said, I have too many devices to bother updating hostfiles and adblockers and javascript whitelisting and stuff on. The DNS and router combo is a quick and easy way to get the most offensive (google-analytics for example, which I've had to lift only on rare occasions--by pointing that device to some other DNS service). DNS and access-list blocking is a useful way to block many ads on things I haven't needed or wanted to root, which usually falls under the "less than $50" device category, VMs, and other stuff that might not really provide easy access to a host file.

      • (Score: 1) by Arik on Tuesday November 08 2016, @01:04AM

        by Arik (4543) on Tuesday November 08 2016, @01:04AM (#423874) Journal
        There is no contradiction between your advice and his; you can use a host file on a router.
        --
        If laughter is the best medicine, who are the best doctors?
    • (Score: 0) by Anonymous Coward on Monday November 07 2016, @04:16AM

      by Anonymous Coward on Monday November 07 2016, @04:16AM (#423388)

      Best hosts file creator APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1 [google.com]

      Ads rob speed, security (malvertising) & privacy (tracking).

      Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.

      Works vs. caps & PUSH ads.

      Avg. page = big as Doom http://www.theregister.co.uk/2016/04/22/web_page_now_big_as_doom/ [theregister.co.uk] & ads = 40% of it.

      Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)

      Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.

      Complements firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).

      Gets data via 10 security sites.

      APK

      P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ [virustotal.com] (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/viewtopic.php?f=5&t=4290 [hosts-file.net] )

  • (Score: 2) by rob_on_earth on Monday November 07 2016, @10:18AM

    by rob_on_earth (5485) on Monday November 07 2016, @10:18AM (#423427) Homepage

    Each new web session gets a new VM image, at the end I just revert to previous good snap shot. All cookies, malware, zombie cookies etc are erased.

    Only risk is a malware that finds a way out of my specific Linux VM image, on the (built from source code) virtual box instance, that can exploit from the non root user my custom Gentoo box.

    i.e. pretty low risk.

    Even though it's a 6 year old machine, it handles full screen YouTube in the VM with Lubuntu with no issue.

  • (Score: 2) by urza9814 on Monday November 07 2016, @07:46PM

    by urza9814 (3954) on Monday November 07 2016, @07:46PM (#423715) Journal

    Feels like inviting a criminal into your home and then complaining that they can examine all your expensive jewelry because the sheet you threw over it wasn't quite big enough.

    In other words, just block the advertisers at the router and be done with it instead of screwing with bloated browser plugins...