Slashdot Mirror


Ask Slashdot: Best Way To Block Web Content?

First time accepted submitter willoughby writes "Many routers today have the capability to block web content. And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking? Is it best to have the router only route packets & do the content blocking on each machine? If using the content blocking feature in the router, will performance degrade if the list of blocked content grows large? Where is the best place to filter/block web content?"

41 of 282 comments

  1. Best way to filter web content: by Anonymous Coward · · Score: 5, Funny

    Unplug your modem. Internet is now filtered. Enjoy your day!

    1. Re:Best way to filter web content: by Jeremiah+Cornelius · · Score: 4, Informative

      The CLOUD!

      No but real. SMB, use EasyDNS.

      Big shop? Z-Scaler and similar.

      Actually, EasyDNS is better. It blocks specific bloggers and tumblrs, that many "Enterprise" solutions give a pass.

      But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Best way to filter web content: by PlusFiveTroll · · Score: 2

      >But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.

      You don't have to control the resolv.conf, you just only allow DNS traffic to the IPs of the DNS server and block the others. That doesn't stop a user from going all APK on you and using a hosts file (or something similar) or a VPN if you allow it, but will stop most people.

    3. Re:Best way to filter web content: by PlusFiveTroll · · Score: 4, Insightful

      To add on to this, it is good to block all DNS except a few trusted servers anyway. If someone gets a 'DNSChanger' style virus it will show up on the firewall pretty quick.

    4. Re:Best way to filter web content: by Anonymous Coward · · Score: 4, Insightful

      Unplug your modem. Internet is now filtered. Enjoy your day!

      This is an appropriate response given the bullshit question.

      There are different approaches for blocking content, depending on if you're running an ISP, a large Enterprise, a small business, or are just a home user. There are different approaches depending on what TYPE of content you're trying to block, and WHY you're blocking it.
      There is no simple, single answer to the question other than "well it all depends".

      Adblock is a user-friendly plugin which is, put simply, nothing more than a blacklist of various hosts which serve advertising content. The security aspects of this approach are incidental- it's not a security program it's for avoiding ads.
      If you're running an Enterprise or are a more tech-savvy user it's usually better to maintain your own blacklist, either at the edge router or via a hosts file on the local machine (depending on network size and complexity, and capability of your edge routers). If you're just a plain Joe Average, it's probably better to do it per-machine, especially if you're using a laptop which you're going to use in different locations.

      NoScript is not, by design, an ad-blocker. It is a script-blocker, and is a security program- ad blocking is incidental. It has the added advantage of operating on a whitelist, so new sources of threats will be caught by default. It blocks a variety of scripting languages from any location you have not specifically allowed, in addition to several other types of browser exploit vectors. For the technical user it is vastly superior to Adblock, but for people who are not so "internet savvy" it can be confusing and frustrating to have to maintain your own whitelist.

      Perhaps if the submitter would give us something more specific as to his needs, he'd get better answers.

    5. Re:Best way to filter web content: by KitFox · · Score: 2

      Well, besides the fact that you would need to block TCP as well as UDP (RFC calls for support on both and longer messages, such as zone transfers, require TCP due to UDP's content length limits), you also have the benefit of the fact that this would block exploits that make use of port 53 for communication on the strong likelihood that it is completely unfiltered.

      The AS article asks where is the best place to filter though. This gets tricky. The request doesn't indicate whether this is enterprise equipment or consumer. The mention of router-based filtering implies consumer though, so I'll focus on that.

      First off, a good number of consumer routers do not have the processing power to handle full filtering at high speed. Even enterprise appliances such as iPrism require heftier units when the pipeline speed exceeds a certain threshold. As a good example, a Linksys 625 Wireless Router can handle filtering with no rulesets up to about 50-60Mb/s. Rules are relatively efficient, but there is no way in many cases to automate rule implementation, and when the ruleset increases in size the capability of the router to handle it drops to around 20-30 Mb/s. Fine if the WAN uplink is perhaps a 15Mb/s line, but catastrophic if you're trying to get full use from a 105Mb/s cable or fiber line.

      The end answer really comes down to a balance. Implement filtering at the furthest end that you carry absolute sovereignty over, balanced by duplication of effort and complexity of implementation. Replicating rules over thousands of endpoints is complex enough and lacks enough control that performing the filtering at the trunk is more efficient and effective. By comparison, the ability to control one or a few computers in a home is substantially more likely and will take the burden off the limited processing power of a consumer router. Walking a rule manually to five endpoints is trivial compared to dozens, hundreds, or thousands.

      If the uplink is small enough to allow filtering at the router and the eventual change and replacement of equipment will allow easy transfer of rulesets and administration, work from the router or a similar trunk location to globalize and centralize effort. If the endpoints are spread enough or there is sufficient lack of control over them to warrant such, again, work from the trunk. If enough trust exists in the endpoints to offload the work onto their substantially-stronger processors, and administration of rules to and of the endpoints is trivial, filter at the endpoints.

      --

      @Whee

  2. Nice Try China! by eldavojohn · · Score: 5, Insightful
    I'd suggest paying a lot of money to Blue Coat to do deep packet inspection so none of that content sneaks by.

    Or, perhaps, sitting down with your users and discussing with them how to surf intelligently and safely.

    And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking?

    If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying. I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

    I've clicked on ads and purchased something twice in my life from ads on a site. Once it was cheap shirts with funny designs on them (I needed new gym shirts) and the other was an eBay auction with a Buy It Now price lower than what I was looking at on that site (not sure how that works). I consider myself a pretty sophisticated person who is "above" advertising but anecdote-wise it's worked on me twice that I can think of. Removing that rare occurrence completely ruins the revenue model.

    --
    My work here is dung.
    1. Re:Nice Try China! by FireFury03 · · Score: 4, Insightful

      I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

      I agree with you that the standard Google adsense ads are ok, blocking them is counterproductive (because websites need income). However, Youtube ads (also operated by Google) have gone way over the line and are way too intrusive; also far too many websites still shove floating divs and the like in your face (in fact, that's something that seems to be increasing), and manually blocking only the intrusive ads becomes far too much effort so invariably all ads get blocked.

    2. Re:Nice Try China! by Razed+By+TV · · Score: 4, Insightful

      I respect your argument advocating ad revenue to support the sites you visit. This is one of the things the internet was built upon. I do feel bad about the sites I like not getting the money to keep things running.

      On the other hand, you have:
      ads that track you
      annoying popups
      popups masquerading as windows messages that have faux buttons to close them, cancel them, or remove viruses that the popup supposedly just detected
      ads that flash, flicker, or have a lot of motion/activity in them (which I find to be particularly distracting)
      ads that play sound

      I'm not saying I wouldn't adblock if you got rid of the above ads, but currently there are too many reasons for me to even consider getting rid of adblock.

    3. Re:Nice Try China! by mcgrew · · Score: 2

      Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying.

      It's the ads themselves that ruin the very thing I'm trying to enjoy. If ads weren't so intrusive and resource-intensive, nobody would block ads. The web sites that need ads for revenue are their own worst enemies.

    4. Re:Nice Try China! by udachny · · Score: 4, Funny

      You took the words exactly out of my mouth.

      - then shouldn't you be angry with him for copyright infringement?

    5. Re:Nice Try China! by Bing+Tsher+E · · Score: 2

      Yes, blocking ads is like throwing a soda can out the window. We need to just line up all the admen and shoot them.

      I mean, has the ENTIRE slashdot community become 'web developers' and their ilk, sucking on the adman's teat?

    6. Re:Nice Try China! by Anonymous Coward · · Score: 5, Informative

      This is one of the things the internet was built upon.

      This is patently false. The internet, and before it the countless BBS services, was built on freedom and idealism. A server operator would pay out of pocket for their hobby and users would either access it for free, pay membership fees, or pay 900-number dial-in fees. The early internet had no ads because it was a hobbyist driven system. Not until the mid 90's did the internet monetize.

    7. Re:Nice Try China! by BasilBrush · · Score: 4, Insightful

      If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly.

      You are certainly in the minority. Most people's view of that analogy would be that the can being thrown out of the window is the advert, and that the spoiled environment that is the result is like the spoiled web that is a result of heavy advertising.

      I do not accept that the internet needs third party advertising. Nor that the internet without it (and thus a loss of revenue for some site operators) would be worse.

      There was an internet before widespread advertising. Some people run a site as a hobby. Some organisations run sites because they want to spread an idea, or need to get information out there. Commercial organisations will still want to run their own web-sites, whether they sell from them, or just as a communications tool. There are lots of reasons why the internet won't die without advertising.

      A lot of sites with heavy advertising don't even have good content. They are only there to make money from adverts, so they steal content, or just link to what other sites have put out, or publish PR verbatim.

      There's absolutely nothing to stop people trying to make money with third party advertising, and I wouldn't want any official body trying to outlaw them. But equally I see nothing wrong with blocking them so that I don't have to see them, or waste bandwidth on them. If the result is that there are less people that can make a profit from selling advertising, then I say "hurray!"

    8. Re:Nice Try China! by Impy+the+Impiuos+Imp · · Score: 4, Funny

      Well, if someone would actually build a browser with a popup blocker that actually worked, the popup issue would be solved.

      One shouldn't have to turn off scripts to stop popups. All they have to do is insert into the code:


      if (going to open a new window from this web site and
          user doesn't want these popups)
      then
                tough shit

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    9. Re:Nice Try China! by BasilBrush · · Score: 4, Funny

      What computer language is this? I think I want to try it.

    10. Re:Nice Try China! by just_a_monkey · · Score: 5, Interesting

      I am continually surprised that it is still legal to block ads, and that there is no visible movement to make blocking illegal. Not even any pervasive "The websites must be able to make money on what they do!", "Blocking ads is like stealing from the websites!" or "You wouldn't watch a movie/TV-show without watching the commercials" campaigns.

      Google and their customers must not have as good lobbyists as Hollywood.

      --
      How inappropriate to call this planet Earth, when clearly it is Ocean.
    11. Re:Nice Try China! by Jah-Wren+Ryel · · Score: 5, Insightful

      Removing that rare occurrence completely ruins the revenue model.

      GOOD! That revenue model is the single largest driver of the internet surveillance state. It is difficult to imagine a funding model for the internet with worse social costs. The sooner it dies, opening the door to replacement systems that are less invasive the better off we all are.

      --
      When information is power, privacy is freedom.
    12. Re:Nice Try China! by Albanach · · Score: 2

      If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying [slashdot.org]. I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

      I have to disagree. If we get massively more adblocking, the internet will 'route around the damage'. Eventually we'll have someone set up a workable micropayments system whereby we can pay for the content we want, in an amount that's reasonable. Tenths or hundredths of a cent for a showbiz story, and several cents for an in-depth news piece.

      Such a system would have massive benefits for the internet, allowing many many more content producers to be rewarded for their work.

    13. Re:Nice Try China! by Anonymous Coward · · Score: 2, Informative

      This is patently false. The internet, and before it the countless BBS services, was built on freedom and idealism. A server operator would pay out of pocket for their hobby and users would either access it for free, pay membership fees, or pay 900-number dial-in fees.

      Lol! Silly romantic. You think the Internet infrastructure was paid for by dial-up users?

      Most of it, including the high-speed backbones, was paid for by universities, the military, and telecoms. But it's cute that you think it was "hobbyists."

    14. Re:Nice Try China! by Anonymous Coward · · Score: 2, Funny

      Looks like Applescript to me.

    15. Re:Nice Try China! by Cito · · Score: 2

      I always setup adblock and noscript as well as using whitelists in the company side of things.

      sites that rely on advertising revenue only by 3rd party companies shouldn't be around anyhow, it's a waste of space.

      all 3rd party ad streams should be blocked, people get enough spam in their life, from driving to and from work massive amounts of billboard spam, postal mail massive amounts of snail mail spam, television 15-30 minutes of content padded out to 30-1 hour shows with spam.

      all spam is blocked in emails

      it's time for people en masse to adblock web content also just as we have 0 tolerance for email advertising, and the majority have 0 tolerance for spam in general.

      if a website wants to place a small ad they can set it up themself on their own site

      3rd party ad agencies have already been proven to destroy privacy, just like the slashdot article from yesterday how everything you do on the web is tracked from google adsense network, doubleclick, facebook, and more a persons online habits are tracked, marketed and spammed.

      always run adblock, if a website only relies on 3rd party spam revenues then they do not deserve to exist.

      at the company I work for we do allow some web surfing, and also to lookup basic answers to questions and such. adblock and noscript is on every system, and we use easydns

      course all of our customer service is run off dumb terminals citrix style, everyone else has their PCs, there is no perfect solution but we have a network monitoring department we call the "fishbowl" since the office is round and has a wrap around window that looks like peering into the fishbowl :P

      the netmon department monitors the company's networks for outages and such, but also occasionally keeps eyes on employee traffic cause there are always workarounds to proxies and filters, but an active netmon department can log incidents and send a little popup notice to a terminal or disconnect a terminal if needed, but that's super rare as the department is mainly keeping tabs on the infrastructure and not wholly worried about employees unless it's blatant.

    16. Re:Nice Try China! by X0563511 · · Score: 3, Insightful

      Lets not forget:
      ads from compromised servers shoving malware/payloads down your throat

      I could live without adblocking... but that last one there is a no-go. If that's not fixed, I am not willing.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    17. Re:Nice Try China! by X0563511 · · Score: 2

      More likely they realize what a particularly nasty fire-ant hill they would be kicking over by doing so.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    18. Re:Nice Try China! by fast+turtle · · Score: 3, Insightful

      and that's exactly why I use noscript and not block ads. Of course I follow the "DENY ALL" policy and only add those few sites to the whitelist that I actually use and guess what, this blocks 95+ percent of the stinking ads online while still allowing me to use the net. Otherwise it's to the point that I'll simply drop my ISP/Cable and Phone services since I don't use them and 911 calls are paid for by the 911 tax/surcharge by everyone (mandatory service). Only thing I even use the phone for anymore as I simply don't give a damn about talking to anyone when I'm home.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    19. Re:Nice Try China! by Jawnn · · Score: 2

      Perhaps, but I suspect that it's really because the percentage of users that use ad-blocking software is so small. For that group, the ads are generally nothing more than an annoyance anyway, so it's not a demographic with a significant conversion rate. Nothing is really lost there. Now, have a major ISP offer something like that by default and listen to the howls of outrage from the advertisers.

    20. Re:Nice Try China! by just_a_monkey · · Score: 4, Insightful

      Now I am thinking what if an ad-blocker would download the ads - so that the websites can sell all eyeballs to their advertisers - but then silently threw them away instead of showing them to the user, who is not interested anyway?

      --
      How inappropriate to call this planet Earth, when clearly it is Ocean.
    21. Re:Nice Try China! by CelticWhisper · · Score: 3, Informative

      Adblock used to have an option to do just that. It disappeared many versions ago.

      Pity, because it was a good idea if you really wanted to stick it to the advertisers. You'd lose the bandwidth savings as the ad content would still download, but if you're unmetered and sporting a vendetta against marketroids it was a great option to use.

      --
      Help protect civil rights from abuse by the TSA - visit TSA News Blog.
      http://www.tsanewsblog.com
    22. Re:Nice Try China! by wakeboarder · · Score: 2

      I don't need advertisements. When I want something, I research it, then I buy it. When I want to know something, I google it. When I want to buy random stuff, I go to a bargain site where people can humanely tell me what I should buy. If advertisers were responsible and didn't try to scheme for my attention, I might give it to them. I don't find it helpful if I go to work, look something up and then come home and find a recommendation for the same product. But for some reason, somebody somewhere thinks that it helps their pocket book, so I block them.

  3. At the proxy. by Raven42rac · · Score: 4, Informative

    I prefer at the proxy level. Dansguardian/Squid/ClamAV is pretty easy to set up on your distro of choice.

    --
    I hate sigs.
    1. Re:At the proxy. by drinkypoo · · Score: 4, Insightful

      This is the right answer. There's nothing wrong with ad blocking on the client, but if you want to block content for a whole bunch of users, a proxy is the answer. squid really is easy to set up.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:At the proxy. by drinkypoo · · Score: 4, Insightful

      Why do you want to block content for a whole bunch of users? Do you run a dictatorship?

      The most obvious example which does not support your jerking knee or twisted panties is keeping known malware off of a corporate network.

      Content blocking should be done on the client because it's the only place where the user has control over the blocking.

      If it's your computer, sure. (That includes those which are owned by the state but which you have access to, e.g. at the library.) If it's not your computer, fuck off. It's not your computer.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:At the proxy. by oodaloop · · Score: 2

      Nuke it from orbit. It's the only way to be sure.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  4. Upstream by Anne+Thwacks · · Score: 2
    ISPs should offer a service to block it for you so you don't have to pay for the bandwidth. Of course, YOU would have to choose what is blocked, not them - which is unlikely to happen in our lifetimes.

    I envisage an HTML feature where you can click on something and have it labelled spam at the ISP.

    Allowing this info back to the scum that served it would be a privacy invasion of the worst kind.

    Perhaps some enlightened ISPs could charge people double for serving shit. They would get my business for sure!

    I truly believe that if the ads were not so horribly intrusive and bandwidth hogging, they could/would be ignored or even watched. Just last night, I watched a really great advert on TV yesterday - way better than the program it was embedded in - watched the ad to the end, and then ditched the actual program! However, I have stopped visiting certain websites because the amount of flash they serve makes it impossible to actually scroll through the content!

    Please feel welcome to give me the standard spam prevention review form ;-)

    --
    Sent from my ASR33 using ASCII
    1. Re:Upstream by Technician · · Score: 4, Informative

      Filtered DNS does this already if you choose to use it.

      http://www.opendns.com/
      http://www.scrubit.com/

      --
      The truth shall set you free!
  5. DNS by craigminah · · Score: 3, Insightful

    I use OpenDNS...works well and works regardless of browser.

  6. Re:What about SSL? by myowntrueself · · Score: 5, Informative

    How would you like to filter out SSL traffic on an intermediate device? Do you have access to fake CA certificates recognized by the majority of web browsers?

    No problem if you use active directory group policies and a squid proxy with ssl-bump and dynamic generated certificates.

    Simply use a group policy to push the proxy's cert out to the workstations as a trusted root certificate. Problem solved.

    Now you can filter out naughty HTTPS sites. Also anyone with root access to the squid proxy can extract all kinds of interesting info from the users' HTTPS sessions and manipulate them in interesting ways. And the only way the users would know is by manually checking the certificate. "What's this Google certificate doing being signed by '*'?"

    When you do this using Microsoft TMG there's a big red warning "You may want to check the legal implications of what you are about to do".

    --
    In the free world the media isn't government run; the government is media run.
  7. Well, the first shot has already been fired... by rocket+rancher · · Score: 2

    According to the EFF, Google has removed Adblock plus from the Google Play, citing that it violates Google's terms and conditions that stipulate that apps will not interfere with any other app on the store. This only affects android so far, but I imagine now that Google has decided that content blocking is a bad thing, I would imagine that the chrome and firefox extensions will follow. And, sadly, it's probably only a matter of time before Google turn their considerable talents to making sure that any method will fail. I'm not interested in starting a flame war here; I'm just pointing out that when the pre-eminent search engine on the planet weighs in on content blocking in such a heavy-handed way, it can't bode well for any of us.

  8. Re:This depends on the use and purpose by qwertyatwork · · Score: 2

    I do it on the /etc/hosts level on my dns server. You can find large lists of ad domains that can be added to your hosts file with 127.0.0.1 or 0.0.0.0 to cause them to fail. This covers all machines on your network that use your dns server. The one I use is http://winhelp2002.mvps.org/hosts.txt however they have become slow with updating it. You might want to invest some time in looking for one that is updated more frequently.
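
An added example, not part of the comment above: a downloaded hosts list is third-party input, and an entry that maps a name to anything other than a sink address redirects clients instead of blocking them, so it is worth filtering the list before it goes onto the DNS server. The sample list and the names `sanitize_hosts` and `valid_hostname` are constructed for illustration.

```python
import ipaddress
import re

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Names a stock hosts file maps to loopback; they are not blocklist entries.
PROTECTED_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
# One DNS label: letters, digits, hyphen or underscore, not starting or ending with "-".
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")

# Constructed sample input (documentation-range addresses and example domains).
SAMPLE_LIST = """\
# constructed sample list
127.0.0.1  localhost
::1        localhost
127.0.0.1  ads.example.com
0.0.0.0    tracker.example.net   # inline comment
0.0.0.0    ADS.Example.com
203.0.113.7  login.example.org
127.0.0.1  bad..example.com
not-an-ip  foo.example.com
"""


def valid_hostname(name):
    """True for a multi-label DNS name made only of well-formed labels."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.fullmatch(label) for label in name.split("."))


def sanitize_hosts(text, sink="0.0.0.0"):
    """Return (clean_hosts_text, rejected) for a downloaded hosts-format list.

    rejected is a list of (line_number, offending_text, reason) tuples.
    """
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        fields = line.split()
        addr = fields[0]
        names = [n.lower().rstrip(".") for n in fields[1:]]
        names = [n for n in names if n not in PROTECTED_NAMES]
        if not names:
            continue                               # address only, or loopback names
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            rejected.append((lineno, line, "bad address"))
            continue
        if addr not in SINK_ADDRESSES:
            # A blocklist entry must never steer a name to a routable host.
            rejected.append((lineno, line, "non-sink address"))
            continue
        for name in names:
            if valid_hostname(name):
                blocked.add(name)                  # set removes duplicates
            else:
                rejected.append((lineno, name, "invalid hostname"))
    clean = "\n".join(f"{sink} {name}" for name in sorted(blocked))
    return clean, rejected


if __name__ == "__main__":
    clean, rejected = sanitize_hosts(SAMPLE_LIST)
    print(clean)
    for lineno, item, reason in rejected:
        print(f"line {lineno}: {reason}: {item}")
```

Anything in `rejected` with the reason "non-sink address" deserves a look before the list is trusted again.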

  9. Re:How to relocate away from a policy like this? by tepples · · Score: 2

    "At what level should I block content for several machines on your network?"

    "Why would you want to block content for several machines on your network?"

    "To keep malware off work machines."

    "People hired to block content as part of an effort to keep malware off work machines should quit their jobs."

    "So if the only available jobs in one's location and area of expertise are with companies that block content as part of an effort to keep malware off work machines, where should one work instead?"

    "Off topic."

    First, you posted and therefore cannot moderate. Second, how is it off-topic? Third, where would it be on-topic?

  10. You're also behind the curve on DNS by billstewart · · Score: 2

    DNS can use udp/53, but it also supports tcp/53 (and even requires it for longer query types.) You'll want to block both just to be sure.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
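
An added example, not from the thread, of the check PlusFiveTroll, KitFox and billstewart describe: once port 53 is limited to approved resolvers on both UDP and TCP, a client that keeps trying some other server stands out in the firewall log. The log layout (iptables LOG-style key=value lines), the addresses, the resolver list and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed: the only resolvers clients are permitted to query.
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample firewall log lines.
SAMPLE_LOG = [
    "Mar 14 09:12:01 gw kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=53211 DPT=53",
    "Mar 14 09:12:02 gw kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=53212 DPT=53",
    "Mar 14 09:12:03 gw kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.53 PROTO=UDP SPT=40001 DPT=53",
    "Mar 14 09:12:04 gw kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=53213 DPT=53",
    "Mar 14 09:12:05 gw kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49200 DPT=53",
    "Mar 14 09:12:06 gw kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.9 PROTO=UDP SPT=51000 DPT=53",
    "Mar 14 09:12:07 gw kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49201 DPT=443",
]


def parse_line(line):
    """Extract the KEY=value fields of one log line into a dict."""
    return dict(FIELD.findall(line))


def find_rogue_dns(lines, allowed=ALLOWED_RESOLVERS, threshold=3):
    """Report clients that repeatedly send DNS to resolvers outside `allowed`.

    Both UDP and TCP port 53 are counted. A client is reported once it has
    made at least `threshold` such attempts, which separates a machine whose
    resolver settings were changed from a single stray query.
    """
    attempts = defaultdict(lambda: defaultdict(int))   # src -> (dst, proto) -> count
    for line in lines:
        f = parse_line(line)
        if f.get("DPT") != "53" or f.get("PROTO") not in ("UDP", "TCP"):
            continue
        src, dst = f.get("SRC"), f.get("DST")
        if not src or not dst or dst in allowed:
            continue
        attempts[src][(dst, f["PROTO"])] += 1

    report = {}
    for src, targets in attempts.items():
        total = sum(targets.values())
        if total >= threshold:
            report[src] = {
                "total": total,
                "resolvers": sorted({dst for dst, _ in targets}),
                "protocols": sorted({proto for _, proto in targets}),
            }
    return report


if __name__ == "__main__":
    for src, info in find_rogue_dns(SAMPLE_LOG).items():
        print(f"{src}: {info['total']} DNS attempts to {info['resolvers']} "
              f"over {'/'.join(info['protocols'])}")
```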