-
-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content filtering via subresource filter #39
Comments
Altough discussions in the discord has deemed it a slightly worse option than Vanadiums approach, Braves adblock-rust https://github.com/brave/adblock-rust/ could be an alternative. |
If using the DNS route (arguably the most secure), we do have some options. But it would require setting a default DNS provider which may not be ideal? |
I don't think it makes sense to separate the browser's DNS from the system dns. If the user wants to do DNS filtering, they can do it globally. I'm also skeptical of the effectiveness of dns filtering relative to vanadium's approach. |
Well, it gives the advantage of ECH, which you cant get in automatic mode. You are right, DNS isnt as strong as local filtering but it can block significantly more domains with little performamce loss or security risk. Prior to the current Vanadium approach, it was the recommened method. Late edit: also safe browsing, which there currently is nothing in its place, DNS provides way more robust safe browsing aka malware blocking. |
I agree with the advantages of DNS filtering, I just don't think it should be a browser default for two reasons. One is we'd be circumventing system-level or even network-level DNS configuration. Ideally, the user would be setting DNS for their entire lan, or if they don't have control over that, their entire system. The second reason is that it would require us to set a specific dns provider as default, which means if users want to use their dns provider of choice, they might lose out on filtering. in short, I think it would be valuable to support filtering without sacrificing the feature that allows the user to set the DNS provider. |
If we are going for secure and more private by default? I think a browser based DNS would be better, simply because of ECH. You pretty much cannot get that with automatic mode. Not like this would be mandatory, users can disable it or switch to auto, but as a default I think it makes sense. Especially if they do not have a network based DNS filter (my case), or did not setup a system DNS (likely the case of many). |
Right but if users disable it or choose a different dns, they lose out on filtering. ECH is good, but I don't see how it relates to content filtering. |
What I'm saying is: we could even set a default dns provider with dns filtering and ECH, and I would still think we need a content filtering feature |
also, as far as I know ECH is more of a privacy feature than a security feature, and "more private by default" is out of scope |
Its just another benefit, on the topic of enabling a default DNS. Just something extra to consider, anyway.
If they disable it, its likely because they dont want the filtering or want a system filtering thing. So it would make sense.
Obviously, I was gonna say use both, its the best of both worlds. They are not mutually exclusive, I still agree that the Vanadium approach is best, or something like it, but DNS complements it.
It does prevent some level of network attacks similar to DoH/DoT (just not so significantly to warrant calling it a security feature), but private by default is a benefit. Btf, content filtering is more of a privacy/convenience thing. |
Sure, it's just already there.
The DNS toggle shouldn't also be a filtering toggle, that's my point.
Right but the DNS piece is already there. Users who want to set cloudflare and use ECH can do so right now
The advantage of built-in content filtering is to eliminate the need for extensions and ultimately remove support for extensions by default, which is ultimately a security feature |
speaking of privacy, if we ended up choosing a dns provider it would open up a can of worms about researching which dns provider is best and all that stuff. I don't think we want to be in the business of making those decisions for users. |
Fair, but it is more configurable, or we could just set one that blocks only malware as a safe browsing alternative so that it isn't a filtering toggle (for ads that is).
Not sure I understand the point. Are you saying we dont need the default because the user can do that already?
Fair, the advantage of a default DNS is similar (to lesser degree), except that it also adds any advantage of secure DNS.
we can keep it to recongized DNS providers (Mullvad, Controld, Cloudflare, Quad9, etc.).
fair, ultimately your call. I did do a lot of research into this already for my own purposes. Besides, DNS is mandatory, so by choosing a notable provider it helps users who are potentially unaware. |
Also of note is that as far as I know, Vanadium didn't consider DNS filtering, probably for similar reasons. GOS also doesn't ship a default DNS provider and neither does secureblue |
Also fair. Could do it temporarily, as an extension alternative? And while Vanadium didnt do it, they did recommend it. Also they do prefer to use Cloudflare where they can iirc. |
What I'm saying is that if the user selects a custom DNS without filtering, they will lose out on content filtering. So in practice the DNS toggle would also be a filtering toggle
I'm saying they are orthogonal design decisions
Let me restate what I was trying to get at. Ultimately, we're trying to secure the browser. I put "Any novel functionality that is unrelated to security" as out of scope so that the scope doesn't creep away from us. So then the question that follows from that is, why is this issue even open since this is novel functionality that's ostensibly unrelated to security? The answer is that it's open purely because doing so enables us to remove extension support by default. So when you're talking about other advantages that don't get us closer to that goal, you lose me.
I believe that you've done a lot of research on it, but eventually other people who claim the same will come and insist that their research points to a different provider being a preferred default. Litigating a DNS debate, all because we wanted to remove extension support by default, sounds like a nightmare |
Where did you see that? GOS defers to the DHCP provided server as does vanadium. Which frankly is the right decision so as to not avoid the anti-pattern of having individual machines or even worse, individual applications, decide which dns to use. |
A, I see, yeah that would be a limitation, I agree. I still think it is better than extensions though.
I see. I was just stating extra reasons to consider it. I will try to remain in scope in this regard from now on, ie about content filtering and security. Some are arguments in favor of setting a default DNS, I would say they are important to consider as well. But I will refrain from further reference to them. Then I would say using a default DNS is better anyway, since it is infinitely more secure than any content filtering option (as it doesn't reduce security at all or offer any risk, since DNS is mandatory anyway, you are just shifting trust and adding filtering). While it breaks impartiality by setting a browser level preference for a specific service you can make a similar argument for filter lists (not to the same level, but still to a point). If we are talking pure security though, DNS is little loss for similar gain.
By deciding to disable extensions, you litigate another debate. Similarly, by opting for whatever filter lists another debate is raised. I think these come with territory. And, my research is just a basis to work from plus I may have bias, it would be better to get multiple opinions on that kind of thing.
"GrapheneOS replaces Google Public DNS with Cloudflare DNS for the fallback DNS servers due to the superior privacy policy and widespread usage including as the fallback DNS servers in other Android-based operating systems." https://grapheneos.org/faq#default-dns |
I'm not saying not to reference it 😄 it's just orthogonal to this issue.
I don't see why this would be the case. It's not like we're adding a content filtering engine, we'd for example be using the built-in one.
We'd be introducing an anti-pattern by default and circumventing DHCP-defined dns.
Not at all similar. Disabling extensions is an objective security benefit. Preferred DNS provider is highly subjective and based on second hand information about the practices of a third party. They couldn't be more different.
Not if we use brave's adblock-rust, for example
Yeah, overriding a fallback and setting a default dns are entirely different. |
Still, it bloats the discussion.
We add filter lists, from whatever sources. Arguably attack surface, not alot but not zero.
What is the security risk? DHCP defined dns typically lacks DNSSEC validation (at least in my region).
Not entirely the same, my point is it still adds people who want their own ideas pushed. I doubt zero people will complain about no extensions. Thats the only point, I still think it should be done but it shouldnt be deterant just because of people trying to one-guy, or sparking discussions.
True, but that introduces security risk. Even still, there would be requests to add more lists, or remove lists, or configure this that way, etc. This isn't a binary decision either, it is complex is my point.
My bad. You are right. But it breaks impartiality, I doubt no one asked for whatever other DNS to get added in Cloudflare's place. |
Perhaps ironically, I made this same point to GOS folks about their configuration app when they were developing it and they made a compelling case as to why it wasn't a source of attack surface. I can dig it up.
It's an anti-pattern not a security risk. DNS overrides should be set at the highest level possible. Ideally, on LAN DHCP.
Right but the reason for maintaining a clear scope declaration is so that complaints like this can be addressed clearly and objectively. "Hey I don't like this change!" can be addressed with "It's clearly in scope and can still be overriden". Being in the business of choosing a default dns is far more nebulous and subjective
Agreed, that makes me want to just defer to UBO-Lite though 😄 Is there a way we can build it into the browser itself and then block remote extension installation? 😄 |
I was partially joking but it looks like it is possible 😮 https://stackoverflow.com/questions/50125821/standard-way-to-build-a-chrome-extension-into-chromium |
I would be very interested in that. Why would it not be?
Sure, but that isn't common. And again, you lose certain features only the browser offers. It also loses on convenient configurability. If users have a DNS preference, they can set it themselves.
I mean, you can define scope based on privacy policy, filtering ability, and connection security, none of which are subjective. But I see the point, it would require adding more scope just for what makes a good DNS provider. I can definitely write that, but again to avoid bias that would not be ideal.
Ehhhhhhh
Ehhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh I would prefer the Vanadium way. Also, that requires maintaining the version of uBOL, and that still adds some attack surface since it is still an extension, and also how update? It adds too much extra stuff. Braves abr, Vanadium's integrated filtering, and DNS are all much simpler imo. |
GrapheneOS/Vanadium#453 (comment)
Other way around. I'm talking about the scope for this project, not DNS. To write parameters about what DNS to use is to expand the scope of this project.
I do too, hence I was half joking 😄 |
I see.
I undertand. Could stay on scope by defining security and filtering boundaries. |
It might be worthwhile to see if GOS folks can elaborate on their rationale for going the route that they did. If they're willing to, since they're busy. I suspect their reasons are similar to the ones I've elaborated above, but I'm not certain. Regardless, I think we should sleep on this for awhile since it's not urgent and UBO-lite suffices in the meantime, while we gather additional input from GOS folks. |
Sure, I just dont want to keep jumping to them for stuff like this. Feels like that happens a lot lol. Also yeah, none of this is like tomorrow urgent. |
What do you mean? I'm inclined to go with their approach regardless. |
Of course, nevermind. Wrong mindset. |
What? 😄 |
I'm terrible at communicating thoughts. My bad. Just dont mind me... or my last few comments. |
No worries, I just wasn't sure what you meant. At least in secureblue we rarely if ever ask GOS folks for a consult, but occasionally they will chime in on issues of their own accord. Maybe you meant other projects ask them for consults frequently? I wasn't sure but maybe you're more involved with GOS than me. |
Ok, to be fair, I have been contributing here for a short period of time (like 2 weeks, maybe 3). Since that point, there has been like 3 situation where Vanadium/GOS was used for consult. It just feels frequent. I won't further elaborate here, since this is pretty off topic, but I hope that makes sense. |
Hi, I would just like to add my view. Ad block extension is okay with me but I do not use one. I think this should be communicated. Only a few DNS providers offer malware protection. I think the secureblue system should be forced to use the set up DNS. System DNS resolver could be set up to use DHCP DNS or from the predefined list. |
@idnovic That's a great idea, we could even incorporate it into yafti directly so that on first install, users are prompted to optionally select their dns provider. That way, the whole system will use that including chromium and will benefit from dns filtering if the user selects a provider that filters. And then we can potentially do vanadium-style content filtering as well on top of that @idnovic Do you mind opening an issue on secureblue for this? I think it would be a value add. Something like "User-configurable DNS via yafti on first rebase"? |
Controld, Mullvad, Cleanbrowsing, Cloudflare, and many others have safe browsing options, Quad9 and DNS0 arent the only ones neither the best options.
Why so? |
Yes. I can open an issue tomorrow.
|
That is true. It really depends on the end users opinion. Because now you need to trust two different DNS providers. It is simpler if everything is forced to use one DNS. |
Fair enough.
Sure, but if we are discussing security of adblocking solutions, this would be the way. You still use your ISP for DNS lookups, for your current DNS hostname. That is also not necessarily the case if you use the same provider for system and browser (like I do).
It is exactly one extra variable, complex how? Misconfigure what? Setting a DNS for the system by force is harder to undo, and even more so for a network-wide DNS. Browser level is the simplest. Making that choice for the user is the easiest at the browser level.
Most of the risk of insecure DNS revolves around the browser, when talking about adblocking. Again, you still use your ISP for some limited lookups.
Not by a lot, in my opinion. And even then, you can use one provider. |
@RKNF404 I've been thinking about this some more and have the following proposal. Let me know what you think:
This will be more work but I think it "covers all the bases" best. |
@qoijjj
Definitely for the best, I agree. Thinking about it a more, a universal default DNS would be a hassle, even as a short term solution.
No doubt. There is already an Ads site toggle. Vanadium repurposes it for their own content filtering, we can do the same.
Makes sense.
Sounds good, 100% on board. |
Agreed, and I'm not sure exactly what the details would look like in terms of how the relationship would be between the OS dns and the browser dns. As in, when setting the OS DNS, we might also want to override chromium to use the OS DNS option at that time. But those are details we can get to later For now I'll open new issues for each of the above three |
I was thinking user's choice, and if the user chooses to override the browser it sets the policy. Otherwise browser's choice. But yeah, finer details. |
No description provided.
The text was updated successfully, but these errors were encountered: