As far as I can tell there are two classes of ad blockers: 1) Those that sit outside the browser and provide a proxy that blocks requests to known-bad domains or similar filtering, and 2) Those that integrate with the browser and have full control over every page, in order to neutralize any HTML or JS or CSS that looks like an ad.
It seems to me that the latter type opens up a vast new attack surface. These addons have full access to every piece of data flowing through a logged-in webpage. All your Gmail, all your bank, all your Hacker News.
How am I supposed to believe that these addons are themselves not sources of malware and vulnerability? They need to have the same standard of transparency and testing and supply chain security as the browser itself.
I’m willing to believe that Mozilla and Google and Apple will not willingly introduce vulnerabilities into their browsers, but the vendor of BlockUrAdsPlus or whatever? No way.
Yes, ad-blockers get access to All The Things (except in Chrom(e/ium), where they've intentionally been neutered so Google can keep serving you ads), so you should treat them as any other piece of software, and get one you trust. The current gold standard is uBlock Origin, which is open source[1], highly performant, and whose author (gorhill) has a stellar reputation in the community.