Closed Bug 1985170 Opened 3 months ago Closed 3 months ago

uBlock Origin interfere with Gecko's Enhanced Tracking Protection

Categories

(WebExtensions :: Developer Outreach, defect)

Product:
WebExtensions
Component:
Developer Outreach
Version:
Firefox 141
Platform:
All
Android
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: sukou36, Unassigned)

Details

(Keywords: reporter-external)

Steps to reproduce:

uBlock Origin looks interfere with Gecko's Enhanced Tracking Protection
Summary: After extensive testing across Gecko-based browsers, I’ve observed that installing uBlock Origin significantly reduces the effectiveness of native tracking protection, even when Firefox’s Enhanced Tracking Protection is set to “Strict.” This behavior was consistent across multiple browsers and test environments. Surprisingly, alternative blockers like Adblock Plus and AdGuard do not exhibit this issue — they allow the browser’s native protections to function as expected.

Actual results:

Test Environment: Using adblock.turtlecute.org, which measures how many invisible trackers are blocked.

RESULTS:
Browser Extension Score on Tracker Test
Firefox uBlock Origin 4%
Firefox No extension 89%
Firefox Adblock Plus 90%
Midori uBlock Origin 4%
Midori No extension 90%
Midori AdGuard 90%
Observation: uBlock Origin appears to override or suppress the browser’s built-in tracking defenses, resulting in dramatically lower protection scores. In contrast, Adblock Plus and AdGuard seem to coexist with native protections, preserving their full effectiveness.

Expected results:

It would be valuable for Mozilla and/or the uBlock Origin maintainers to investigate this interaction. If uBO is unintentionally disabling or bypassing Enhanced Tracking Protection, users may be unknowingly less protected than expected.

This is filed against Firefox for Android: is the problem specific to that? It's possible both our tracking protection and uBO have smaller/different lists for mobile, but otherwise for the big sites and known trackers it should all be the same.

Group: mobile-core-security → firefox-core-security
Component: General → Developer Outreach
Flags: needinfo?(sukou36)
Product: Firefox for Android → WebExtensions

(cc'd author of uBO)

Does this need to be a restricted security bug? Is there anything that Firefox could or should do here?

These website-based "ad blocker tester" are pointless, they are completely unreliable. We constantly keep have to tell people about this, see https://github.com/uBlockOrigin/uBOL-home/discussions/457.

I currently get "1%" on this https://adblock.turtlecute.org/ with stock uBO despite a lot of blocked 3rd parties, and this specific "tool" was abandoned by the original author[1] and is unmaintained anyways.

uBO on Android uses the same exact lists as the version in desktop Firefox, plus a few extra lists, it's not tone down. Firefox's own Strict Enhanced Tracker Protection may also cause seemingly "worse" results because these sort of sites are unable to detect resources which are redirected to local shim resources, which ETP does.

I created an extension recently, uBO Scope[2], to among other things help dispel that sort of flawed online tools, and since this is an extension, it is able to properly show the real outcome of network requests:

  • Firefox ETP standard:
    • The page reports "7%"
    • uBO Scope reports 49 distinct domains were reached
  • Firefox ETP strict:
    • The page reports "52%"
    • uBO Scope reports 28 distinct domains were reached
  • uBO default settings + Firefox ETP standard:
    • The page reports "1%"
    • uBO Scope reports 19 distinct domains were reached
  • APB default settings + EasyPrivacy (aka "Block additional tracking") + Firefox ETP standard:
    • The page reports "64%"
    • uBO scope reports 26 distinct domains were reached

Immediately we can see it doesn't make sense, as blocking more distinct 3rd parties should always lead to better results, yet uBO + ETP standard shows the worse results while blocking the most distinct 3rd parties.

A good way to make uBO immediately obtain "good score" is to prevent all redirect filters from taking effect, by adding @@*$redirect-rule as custom filter:

  • uBO default settings + @@*$redirect-rule + Firefox ETP standard:
    • The page reports "69%"
    • uBO Scope reports 19 distinct domains were reached (same as before)

These sort of online tools have serious flaws:

  • They are unable to see (or are not looking to find out) that many network requests are redirected to local resources, these requests do not reach remote servers.
  • Many requests made by these tools are unrealistic, they do not occur in the real world.
  • Specific content blocker can add special filters to specifically target those tools, easily manipulating their results
    • For instance adding *$3p,from=adblock.turtlecute.org and @@*$redirect-rule to uBO's custom filters causes uBO to obtain "98%" (curiously not "100%" despite all 3rd party requests having been blocked as per uBO Scope or Network pane in dev tools).

In my opinion these online "ad block tester" tools have made more damage to users by misleading them about their choices of content blocker, I see disreputable content blockers using these tools to convince people to install their solution.

[1] https://github.com/d3ward/toolz
[2] https://addons.mozilla.org/en-US/firefox/addon/ubo-scope/

Thanks for chiming in Raymond.

As this is not a security bug nor a valid issue, I'll close this bug and lift the visibility restrictions.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Flags: needinfo?(sukou36)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.