[CNET] Google may break ad blockers with upcoming Chrome change - Page 18 - Overclock.net - An Overclocking Community

post #171 of 176 (permalink) Old 06-07-2019, 10:02 AM
Quote: Originally Posted by xJumper
I was thinking about that as well, but wouldn't that break VPNs? The VPN industry is big right now, the word VPN has become a household name with Mr & Ms America, and even though they have no idea what it really does or how to use it properly, average households are using them. Breaking VPNs wouldn't be good.

No, that would not break a VPN any more than it would break your internet. Your VPN is a virtual private network. Just because it is not physical does not mean that programs can simply ignore its existence any more than they could ignore a physical network.

All traffic will still pass over the VPN just as normal. You are just not able to manipulate DNS requests once they leave the host because they are encrypted HTTPS requests. The traffic over port 443 will continue to traverse your VPN just like your other ports.
zeroibis is offline  
post #172 of 176 (permalink) Old 06-07-2019, 12:35 PM
Quote: Originally Posted by zeroibis
No, that would not break a VPN any more than it would break your internet. Your VPN is a virtual private network. Just because it is not physical does not mean that programs can simply ignore its existence any more than they could ignore a physical network.

All traffic will still pass over the VPN just as normal. You are just not able to manipulate DNS requests once they leave the host because they are encrypted HTTPS requests. The traffic over port 443 will continue to traverse your VPN just like your other ports.

So will the DNS requests go through the VPN provider or through Google's DNS over HTTPS provider built into the browser? Chicken or the egg?

Maybe if your VPN was running at the kernel level like WireGuard it would "dns out" before it hit Google's forced DNS over HTTPS in the browser.

xJumper is offline  
post #173 of 176 (permalink) Old 06-10-2019, 06:30 AM
Quote: Originally Posted by xJumper
So will the DNS requests go through the VPN provider or through Google's DNS over HTTPS provider built into the browser? Chicken or the egg?

Maybe if your VPN was running at the kernel level like WireGuard it would "dns out" before it hit Google's forced DNS over HTTPS in the browser.

It will go out over the VPN through the DNS over HTTPS.

The DNS request is made as an HTTPS call over port 443. If your port 443 traffic is routed over your VPN then it will traverse the VPN.

As far as the network is concerned, the traffic is indistinguishable from any other traffic on port 443.

The type of VPN implemented is irrelevant.

There are only two ways around it:

1) Client side, you can disable this behavior, assuming there is a way to do so. You can also have plugins on the client system that make this possible if the software does not already do so.

2) Network side, you can force install client certificates that break encryption for HTTPS so that you can then perform packet inspection and then filter out the DNS requests and manipulate them. This will have the effect of breaking all HTTPS traffic on the internet within your network. Some traffic will function but clients will be informed at the browser side that all of their "encrypted" traffic is moving across the local network "unencrypted". Thus users should avoid using any banking sites or anything else that needs to be secure on said network.

Due to the demise of effective packet inspection and said packet inspection's impact, its use going forward is going to be much more limited. Companies are going to need to invest more in endpoint protection rather than edge point protection in order to ensure a secure network. This also creates new risks for BYOD businesses, as they need to ensure an effective endpoint solution for them.

This is not to say that firewalls are not going to be needed on the network edge or in other places on the network, but that they are going to need to be complemented with additional endpoint security as well.
zeroibis is offline  
post #174 of 176 (permalink) Old 06-10-2019, 08:22 AM
[ZDNet] Opera, Brave, Vivaldi to ignore Chrome's anti-ad-blocker changes, despite shared codebase


Quote:
Despite sharing a common Chromium codebase, browser makers like Brave, Opera, and Vivaldi don't have plans on crippling support for ad blocker extensions in their products -- as Google is currently planning on doing within Chrome.

The three browsers makers have confirmed to ZDNet, or in public comments, of not intending to support a change to the extensions system that Google plans to add to Chromium, the open-source browser project on which Chrome, Brave, Opera, and Vivaldi are all based on.
Quote:
Microsoft Edge

The only major browser maker who did not respond to our request for comment on this issue was Microsoft.

The company announced last year it was ditching its proprietary EdgeHTML browser engine for a Chromium port of Edge, which is currently in public testing.

Microsoft's plans in regards to Google's Manifest V3 changes are currently unknown.

Last edited by tpi2007; 06-10-2019 at 08:27 AM.
tpi2007 is online now  
post #175 of 176 (permalink) Old 06-10-2019, 11:56 AM
DNS adblockers and other old school hosts style solutions like pihole kind of suck. It's fine for mobile or IoT devices that you can't protect, but for your main rig I find dedicated in-browser blockers are way better.

If you're following classic infosec practices there shouldn't be any adware/spyware standalone connections to ad/malware domains outside of your web browser anyway. With this security model your browser should be your only "portal" to the internet to begin with, so system wide ad blocking should not be necessary. Mobile style adware applications that make their own direct connections to ad/malware domains outside of your browser should just flat out not be on your system, whether it's a desktop rig or mobile.

On mobile you can use uBlock as well, same as the desktop. If you must break rule #1 of classic infosec and install adware/malware apps then you can use software like Adaway to modify your hosts and use the same list from uBlock Origin, same thing as a piHole but directly on your phone whether you're on your router or not. You need root to do it but I figure if you're on this site you probably are.

pihole and other such solutions are wonky to work with. With direct in-browser blockers like uBlock, uMatrix & NoScript I can turn everything up to 11, default deny everything and very easily selectively allow things. Running the same level of protection with hosts style or DNS adblockers first of all isn't possible, but even trying to run similar levels of protection would be a huge pain in the butt; it's not nearly as easy to temporarily whitelist a domain, or a specific element for a specific site or sub domain of a site, as it would be with content blockers running in the browser like uBlock.

This is a huge step backwards for computer security, and shows you how much content blocking must be hurting Google if they are willing to put users at risk to protect their revenue. Content blockers/script blocking is the modern AV, more important than AV if you ask me. People don't get malware from downloading a .exe from Kazaa anymore; malicious script injections on sketchy sites when some guy searches "free NFL streams" and the like are the most common attack vectors now. Limiting what users can block is underhanded as hell.

xJumper is offline  
post #176 of 176 (permalink) Old 06-11-2019, 02:38 AM
c0rrupt is offline  