uBlock and others: Blocking ads, trackers, malwares

Raymond Hill edited this page May 15, 2015 · 3 revisions

Hard data, not hype.

Latest benchmark: 16 February 2015 (raw data spreadsheet). (Previous: 2014-09-30, 2014-07-22)

This benchmark is to measure privacy exposure, by counting the number of distinct 3rd-party domains which have been hit by net requests during the benchmark. The lower the number of distinct 3rd-party domains hit, the better.

Some benchmarks measure the amount of requests blocked, which I think is of no interest as a useful measurement of privacy exposure. The number of requests blocked is no guarantee of less distinct 3rd-party domains being hit (and leaving a trace in the servers' logs).

Measuring directly the number of distinct 3rd-party domains which were hit is a much better and relevant measurement for comparison of privacy protection efficiency in my opinion.

uBlock and Disconnect required no extra configuration steps. Other blockers required configuration. The one requiring the most configuration for that benchmark was Adblock Plus.

Privacy benchmark graph

Caveat: "3rd-party" is defined as a domain which doesn't match the domain of the web page. For sure many domains reported as "3rd-party" actually belong to the same entity which owns the page domain (for example, yimg.com is owned by yahoo.com). There is no way for the benchmark code to know this, unless using a comprehensive database of who owns which domain -- that is beyond my means. Still, the benchmark is useful if comparing blockers among themselves, or against when no blocker is used.

The URLs (84) from the reference benchmark were used.

Results -- figures are "3rd party / all". Ordered from least 3rd-party hits to most 3rd-party hits. Privacy-wise, lower numbers are better.

uBlock 0.8.8.1

  • Distinct 1st-party/3rd-party pairs: 491
  • Scripts: 980 / 1635
  • Outbound cookies: 58 / 269
  • Net requests: 3,987 / 7,956

Adblock Plus 1.8.10

  • Distinct 1st-party/3rd-party pairs: 497
  • Scripts: 1009 / 1733
  • Outbound cookies: 67 / 284
  • Net requests: 4,069 / 8,166

Ghostery 5.4.1

  • Distinct 1st-party/3rd-party pairs: 501
  • Scripts: 882 / 1619
  • Outbound cookies: 120 / 370
  • Net requests: 4,031 / 8,218

Disconnect 5.18.18

  • Distinct 1st-party/3rd-party pairs: 555
  • Scripts: 1186 / 1685
  • Outbound cookies: 130 / 382
  • Net requests: 4,462 / 8,219

No blocker

  • Distinct 1st-party/3rd-party pairs: 2977
  • Scripts: 3800 / 4647
  • Outbound cookies: 1641 / 2097
  • Net requests: 12,131 / 16,851

Notes

The figures show the number of requests allowed, thus lower numbers are better. The point is to count the number of distinct 3rd-party/1st-party pairs after running the reference benchmark (two repeats in the current instance).

The less distinct 3rd-party/1st-party pairs, the better.

Data diffs

This shows the differences in what was not blocked. If something appears on side A but not on side B, this mean side B blocked something not blocked by side A, and vice versa.

These diffs may help you in deciding whether you should complement uBlock with another blocker, though keep in mind you can always ask uBlock to block more (dynamic filtering may come handy for this).

Observations

Using the data diffs, one can observe that with uBlock + default settings, there are large areas of privacy exposure related to:

  • facebook.net (45)
  • facebook.com (44)
  • googletagservices.com (39)
  • twitter.com (34)
  • taboola.com (11)

So if this concerns you (it should), I would say the best way to foil these is to use dynamic filtering. Here are the rules, which will block all these 3rd-parties, except when used as 1st-party:

* facebook.com * block
* facebook.net * block
* googletagservices.com * block
* taboola.com * block
* twitter.com * block
facebook.com facebook.com * noop
facebook.com facebook.net * noop
twitter.com twitter.com * noop

With these few dynamic filtering rules, you would lower the "distinct 1st-party/3rd-party pairs" figure for uBlock to 318 (from 491). As a bonus, pages will load markedly faster.

Any of the blocked domains above can easily be unblocked for a specific site. For example, if ever you want Twitter widgets to work when visiting AnandTech, just set twitter.com to a local noop for that site, a mere point-and-click when using the dynamic filtering matrix.

Methodology

All blockers were configured in such a way as to compare apples-vs-apples:

  • Ghostery: Select all trackers except "Widgets". "GhostRank" not checked. "Update now" clicked (and ensured whatever new filters were used).
  • uBlock: Out-of-the-box settings -- no change.
  • Adblock Plus: "EasyList" + "EasyPrivacy", "Peter Lowe's list", "Malware Domains" checked. "Acceptable ads" unchecked. "Update now" clicked.
  • Disconnect: Out-of-the-box settings -- no change.

Browser settings (if you mind your privacy, there is no way around these settings):

  • "Click to play" enabled.

I forgot to check "Block third party cookies and site data", so 3rd-party cookies were allowed during the benchmark.

Sessbench was used to run the benchmarks, and each extension was tested as the only extension active in the browser.

The official Public Suffix List is used to determine the domain of a URL.

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.