Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
The Internet

Ask Slashdot: Best Way To Block Web Content? 282

Posted by samzenpus
from the what-has-been-seen-cannot-be-unseen dept.
First time accepted submitter willoughby writes "Many routers today have the capability to block web content. And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking? Is it best to have the router only route packets & do the content blocking on each machine? If using the content blocking feature in the router, will performance degrade if the list of blocked content grows large? Where is the best place to filter/block web content?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Best Way To Block Web Content?

Comments Filter:
  • by Anonymous Coward on Sunday March 17, 2013 @08:33AM (#43196467)

    Unplug your modem. Internet is now filtered. Enjoy your day!

    • by Jeremiah Cornelius (137) on Sunday March 17, 2013 @09:50AM (#43196807) Homepage Journal

      The CLOUD!

      No but real. SMB, use EasyDNS.

      Big shop? Z-Scaler and similar.

      Actually, EasyDNS is better. It blocks specific bloggers and tumblrs, that many "Enterprise" solutions give a pass.

      But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.

      • >But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.

        You don't have to control the resolv.conf, you just only allow DNS traffic to the IP's of the DNS server and block the others. That doesn't top a user from going all APK on you and using a hosts file (or something similar) or a VPN if you allow it, but will stop most people.

    • by Anonymous Coward on Sunday March 17, 2013 @10:44AM (#43197073)

      Unplug your modem. Internet is now filtered. Enjoy your day!

      This is an appropriate response given the bullshit question.

      There are different approaches for blocking content, depending on if you're running an ISP, a large Enterprise, a small business, or are just a home user. There are different approaches depending on what TYPE of content you're trying to block, and WHY you're blocking it.
      There is no simple, single answer to the question other than "well it all depends".

      Adblock is a user-friendly plugin which is, put simply, nothing more than a blacklist of various hosts which serve advertising content. The security aspects of this approach are incidental- it's not a security program it's for avoiding ads.
      If you're running an Enterprise or are a more tech-savvy user it's usually better to maintain your own blacklist, either at the edge router or via a hosts file on the local machine (depending on network size and complexity, and capability of your edge routers). If you're just a plain Joe Average, it's probably better to do it per-machine, especially if you're using a laptop which you're going to use in different locations.

      NoScript is not, by design, an ad-blocker. It is a script-blocker, and is a security program- ad blocking is incidental. It has the added advantage of operating on a whitelist, so new sources of threats will be caught by default. It blocks a variety of scripting languages from any location you have not specifically allowed, in addition to several other types of browser exploit vectors. For the technical user it is vastly superior to Adblock, but for people who are not so "internet savvy" it can be confusing and frustrating to have to maintain your own whitelist.

      Perhaps if the submitter would give us something more specific as to his needs, he'd get better answers.

  • Nice Try China! (Score:5, Insightful)

    by eldavojohn (898314) * <eldavojohnNO@SPAMgmail.com> on Sunday March 17, 2013 @08:35AM (#43196473) Journal
    I'd suggest paying a lot of money to Blue Coat [rsf.org] to do deep packet inspection so none of that content sneaks by.

    Or, perhaps, sitting down with your users and discussing with them how to surf intelligently and safely.

    And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking?

    If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying [slashdot.org]. I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

    I've clicked on ads and purchased something twice in my life from ads on a site. Once it was cheap shirts with funny designs on them (I needed new gym shirts) and the other was an eBay auction with a Buy It Now price lower than what I was looking at on that site (not sure how that works). I consider myself a pretty sophisticated person who is "above" advertising but anecdote-wise it's worked on me twice that I can think of. Removing that rare occurrence completely ruins the revenue model.

    • Re:Nice Try China! (Score:5, Insightful)

      by FireFury03 (653718) <slashdot@CHEETAHnexusuk.org minus cat> on Sunday March 17, 2013 @09:06AM (#43196615) Homepage

      I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

      I agree with you that the standard Google adsense ads are ok, blocking them is counterproductive (because websites need income). However, Youtube ads (also operated by Google) have gone way over the line and are way too intrusive; also far too many websites still shove floating divs and the like in your face (in fact, thats something that seems to be increasing), and manually blocking only the intrusive ads becomes far too much effort so invariably all ads get blocked.

      • Re:Nice Try China! (Score:4, Insightful)

        by fast turtle (1118037) on Sunday March 17, 2013 @11:19AM (#43197265) Journal

        and that's exactly why I use noscript and not block ads. Of course I follow the "DENY ALL" policy and only add those few sites to the whitelist that I actually use and guess what, this blocks 95+ percent of the stinking ads online while still allowing me to use the net. Otherwise it's to the point that I'll simply drop my ISP/Cable and Phone services since I don't use them and 911 calls are paid for by the 911 taxe/surcharge by everyone (mandantory service). Only thing I even use the phone for anymore as I simply don't give a damn about talking to anyone when I'm home.

    • Re:Nice Try China! (Score:5, Insightful)

      by Razed By TV (730353) on Sunday March 17, 2013 @09:13AM (#43196647)
      I respect your argument advocating ad revenue to support the sites you visit. This is one of the things the internet was built upon. I do feel bad about the sites I like not getting the money keep things running.

      On the other hand, you have:
      ads that track you
      annoying popups
      popups masquerading as windows messages that have faux buttons to close them, cancel them, or remove viruses that the popup supposedly just detected
      ads that flash, flicker, or have a lot of motion/activity in them (which I find to be particularly distracting)
      ads that play sound

      I'm not saying I wouldn't adblock if you got rid of the above ads, but currently there are too many reasons for me to even consider getting rid of adblock.
      • Re:Nice Try China! (Score:5, Informative)

        by Anonymous Coward on Sunday March 17, 2013 @09:33AM (#43196725)

        This is one of the things the internet was built upon.

        This is patently false. The internet, and before it the countless BBS services, was built on freedom and idealism. A server operator would pay out of pocket for their hobby and users would either access it for free, pay membership fees, or pay 900-number dial-in fees. The early internet had no ads because it was a hobbyist driven system. Not until the mid 90's did the internet monetize.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          This is patently false. The internet, and before it the countless BBS services, was built on freedom and idealism. A server operator would pay out of pocket for their hobby and users would either access it for free, pay membership fees, or pay 900-number dial-in fees.

          Lol! Silly romantic. You think the Internet infrastructure was paid for by dial-up users?

          Most of it, including the high-speed backbones, was paid for by universities, the military, and telecoms. But it's cute that you think it was "hobbyists."

      • by Impy the Impiuos Imp (442658) on Sunday March 17, 2013 @09:38AM (#43196747) Journal

        Well, if someone would actually build a browser with a popup blocker that actually worked, the popup issue would be solved.

        One shouldn't have to turn off scripts to stop popups. All they have to do is insert into the code:


        if (going to open a new window from this web site and
            user doesn't want these popups)
        then
                  tough shit

        • by BasilBrush (643681) on Sunday March 17, 2013 @09:44AM (#43196775)

          What computer language is this? I think I want to try it.

          • Re: (Score:2, Funny)

            by Anonymous Coward

            Looks like Applescript to me.

        • In your pseudocode, how would the program determine which fixed-position block elements within a page are "these pop-ups" and which are essential navigation?
        • Re: (Score:2, Interesting)

          The browser blocks its own popups, but sites get around this by having java or flash or whatever do the popup.
      • by xeoron (639412)
        Don't forget compromised ad-networks pushing XSS or different forms of malware. Squid Proxy, adblock, or a good host file are perfect for dealing with such things, if you had the desire to filter network addresses and content access.
      • by DragonTHC (208439)

        they still have those?

        I guess I've used adblock plus for too long.

      • Re:Nice Try China! (Score:4, Insightful)

        by X0563511 (793323) on Sunday March 17, 2013 @11:11AM (#43197225) Homepage Journal

        Lets not forget:
        ads from compromised servers shoving malware/payloads down your throat

        I could live without adblocking... but that last one there is a no-go. If that's not fixed, I am not willing.

    • by mcgrew (92797) *

      Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying.

      It's the ads themselves that ruin the very thing I'm trying to enjoy. If ads weren't so intrusive and resource-intensive, nobody would block ads. The web sites that need ads for revenue are their own worst enemies.

    • Yes, blocking ads is like throwing a soda can out the window. We need to just line up all the admen and shoot them.

      I mean, has the ENTIRE slashdot community become 'web developers' and their ilk, sucking on the adman's teat?

    • Re:Nice Try China! (Score:5, Insightful)

      by BasilBrush (643681) on Sunday March 17, 2013 @09:36AM (#43196733)

      If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly.

      You are certainly in the minority. Most people's view of that analogy would be that the can being thrown out of the window is the advert, and that the spoiled environment that is the result is like the spoiled web that is a result of heavy advertising.

      I do not accept that the internet needs third party advertising. Nor that the internet without it (and thus a loss of revenue for some site operators) would be worse.

      There was an internet before widespread advertising. Some people run a site as a hobby. Some organisations run sites because they want to spread an idea, or need to get information out there. Commercial organisations will still want to run their own web-sites, whether they sell from them, or just as a communications tool. There are lots of reasons why the internet won't die without advertising.

      A lot of sites with heavy advertising don't even have good content. They are only there to make money from adverts, so they steal content, or just link to what other sites have put out, or publish PR verbatim.

      There's absolutely nothing to stop people trying to make money with third party advertising, and I wouldn't want any official body trying to outlaw them. But equally I see nothing wrong with blocking them so that I don't have to see them, or waste bandwidth on them. If the result is that there are less people that can make a profit from selling advertising, then I say "hurray!"

      • Re:Nice Try China! (Score:5, Interesting)

        by just_a_monkey (1004343) on Sunday March 17, 2013 @09:48AM (#43196793)

        I am continually surprised that it is still legal to block ads, and that there is no visible movement to make blocking illegal. Not even any pervasive "The websites must be able to make money on what they do!", "Blocking ads is like stealing from the websites!" or "You wouldn't watch a movie/TV-show without watching the commercials" campaigns.

        Google and their customers must not have as good lobbyists as Hollywood.

        • by X0563511 (793323)

          More likely they realize what a particularly nasty fire-ant hill they would be kicking over by doing so.

        • by Jawnn (445279)
          Perhaps, but I suspect that it's really because the percentage of users that use ad-blocking software is so small. For that group, the ads are generally nothing more than an annoyance anyway, so it's not a demographic with a significant conversion rate. Nothing is really lost there. Now, have a major ISP offer something like that by default and listen to the howls of outrage from the advertisers.
        • I don't need advertisements. When I want something, I research it, then I buy it. When I want to know something, I google it. When I want to buy random stuff, I go to a bargain site where people can humanely tell me what I should buy. If advertisers were responsible and didn't try to scheme for my attention, I might give it to them. I don't find it helpful if I go to work, look something up and them come home and find a recommendation for the same product. But for some reason, somebody somewhere thinks that

    • Re:Nice Try China! (Score:5, Insightful)

      by Jah-Wren Ryel (80510) on Sunday March 17, 2013 @09:52AM (#43196825)

      Removing that rare occurrence completely ruins the revenue model.

      GOOD! That revenue model is the single largest driver of the internet surveillance state. [slashdot.org] It is difficult to imagine an funding model for the internet with worse social costs. The sooner it dies, opening the door to replacement systems that are less invasive the better off we all are.

    • The aesthetics and annoyances of ads are only part of the issue, and not even the most important. Ads are also vectors for information gathering and tracking across the web, which is why it is perfectly justifiable to cut them off at the ankles, right in your hosts file.

    • by Albanach (527650)

      If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying [slashdot.org]. I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource inten

    • If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed

      Exactly right. None of my computers have adblockers installed. I know ads drive most of Slashdot absolutely batshit crazy, causing them to invest hours and dollars blocking them, but I'm just 'meh' - I tune them out.

    • by Cito (1725214)
      I always setup adblock and noscript as well as using whitelists in the company side of things.

      sites that rely on advertising revenue only by 3rd party companies shouldn't be around anyhow, it's a waste of space.

      all 3rd party ad streams should be blocked, people get enough spam in their life, from driving to and from work massive amounts of billboard spam, postal mail massive amounts of snail mail spam, television 15-30 minutes of content padded out to 30-1 hour shows with spam.

      all spam is blocked in emails

      i
    • by PNutts (199112)

      Or, perhaps, sitting down with your users and discussing with them how to surf intelligently and safely.

      It's time people stopped giving this answer. The problem is worse than "be safe" (or "pull out" to use a car backseat analogy).

      A few months ago in a known developer forum a known dev gave a link to his legit project on github. I knew what github was having seen it referenced by many devs to their projects also in other forums but I had never visited. I clicked on his link and github opened and my A/V immediately stopped a blackhole exploit attempt. I verified his link wasn't funky and because my A/V was tri

      • by Smallpond (221300)

        There's plenty of unsafe behvior possible, but there's no such thing as safe behavior. Until the latest fix, enabling Java was unsafe behavior. Is it safe now? We won't know until its proven unsafe. Same for any sufficiently complex plug-in.

    • > Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly
      It is STILL littering no matter how many justifications you try to use.

      ads = visual littering (and now audio littering.)

      > I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.
      1. Ah, the old "bandwidth usage is imaginary" argument. Do you understand network _latency_ ? Blockin

    • I have no need to block static ads. I get annoyed at ads with motion though, but they're easy to block. Animated gifs, just hit ESC in Firefox, they stop.

      Then I use flashblock which disables all flash-based content. I can selectively choose any content to view it, such as youtube videos and the rest of the flash ads are still blocked.

      Ads still get through, and I'm not annoyed at all the flashing/blinking and bandwidth-hogging ads as they are blocked or stopped. Easy.

  • At the proxy. (Score:5, Informative)

    by Raven42rac (448205) on Sunday March 17, 2013 @08:35AM (#43196475)
    I prefer at the proxy level. Dansguardian/Squid/ClamAV is pretty easy to set up on your distro of choice.
    • Re:At the proxy. (Score:5, Insightful)

      by drinkypoo (153816) <martin.espinoza@gmail.com> on Sunday March 17, 2013 @08:49AM (#43196535) Homepage Journal

      This is the right answer. There's nothing wrong with ad blocking on the client, but if you want to block content for a whole bunch of users, a proxy is the answer. squid really is easy to set up.

    • by oodaloop (1229816)
      Nuke it from orbit. It's the only way to be sure.
  • by Anne Thwacks (531696) on Sunday March 17, 2013 @08:40AM (#43196489)
    ISPs should offer a service to block it for you so you dont have to pay for the bandwidth. Of course, YOU would have to choose what is blocked, not them - which is unlikely to happen in our lifetimes.

    I envisage an HTML feature where you can click on something and have it labelled spam at the ISP.

    Allowing this info back to the scum that served it would be a privacy invasion of the worst kind.

    Perhaps some enlightened ISPs could charge charge people double for serving shit. They would get my business for sure!

    I truely believe that if the ads were not so horribly intrusive and bandwith hogging, they could/would be ignored or even watched. Just last night, I watched a really great advert on TV yesterday - way better than the program it was embedded in - watched the ad to the end, and then ditched the actual program! However, I have stopped visiting certain websites because the amount of flash they serve makes it impossible to actually scroll though the content!

    Please feel welcome give me the standard spam prevention review form ;-)

    • Re:Upstream (Score:5, Informative)

      by Technician (215283) on Sunday March 17, 2013 @08:58AM (#43196579)

      Filtered DNS does this already if you choose to use it.

      http://www.opendns.com/ [opendns.com]
      http://www.scrubit.com/ [scrubit.com]

      • I've used OpenDNS before for content filtering. Works well. Just keep in mind that if this is a Windows network you're administrating, you will want to use a GPO that locks in DNS settings (option will be greyed out for users looking to modify local TCP/IP setting). If you're running Vista, Windows 7, or 8, you can further restrict access to the Hosts file for users that are a member of the Local Administrators group.

        • by ls671 (1122017)

          Just catch all outgoing DNS at your router and redirect them to your own DNS server or OpenDNS if you wish. Much easier and especially much more fail safe.

    • But isn't it mostly the case that you know you don't want something even before you look at the content? So you can block the request before
      it even goes out to the ISP.

    • by ls671 (1122017)

      ISPs should offer a service to block it for you so you dont have to pay for the bandwidth...

      I truely believe that if the ads were not so horribly intrusive and bandwith hogging, ..

      What kind of bandwidth are you talking about?

      He wants to block web content, not email spam. When you block a web site with squid, hosts file, firewall etc., you use zero bandwidth to connect to the site.

      Actually, you may end up using more bandwidth blocking web content at the ISP level because your HTTP requests could still get to the ISP along with a HTTP response.

  • DNS (Score:4, Insightful)

    by craigminah (1885846) on Sunday March 17, 2013 @08:53AM (#43196555)
    I use OpenDNS...works well and works regardless sof browser.
  • According to the EFF, Google has removed Adblock plus from the Google Play [eff.org], citing that it violates Google's terms and conditions that stipulate that apps will not interfere with any other app on the store. This only affects android so far, but I imagine now that Google has decided that content blocking is a bad thing, I would imagine that the chrome and firefox extensions will follow. And, sadly, it's probably only a matter of time before Google turn their considerable talents to making sure that any method will fail. I'm not interested in starting a flame war here; I'm just pointing out that when the pre-eminent search engine on the planet weighs in on content blocking in such a heavy-handed way, it can't bode well for any of us.
  • Blocking content at the router/firewall is the best place to block it inside your network. Otherwise you're dealing with keeping several machines up to date. As IT infrastructure becomes more diverse (Mac, Windows Flavors, Guests etc) keeping individual machines updated will be harder than a centralize point. Another option is to force users to utilize a specifc DNS server (ie http://www.opendns.com/business-security/ [opendns.com]). Then all you do is block DNS traffic destined for any other DNS servers.

    I'd avoid the $

    • by ls671 (1122017)

      Then all you do is block DNS traffic destined for any other DNS servers.

      I find it more convenient to redirect DNS queries to the server you like instead of blocking them.

  • One solution is a service that filters domains at the DNS level, such as OpenDNS.

    But does anyone know of a similar service on the IP level? Malware attackers may not cooperate by using domain names; IP addresses are less hassle for them, less attention-getting from the average end-user (who knows somewebsite.ru is wrong, but not 134.14.215.12), and they bypass DNS-level security. The IP-level filter would have to be either,

    * Something like an RBL, but for all attacks not just for spam.
    * A pr

  • I assume you try to increase the convenience of browsing and not to restrict anyone of the information (the latter I don’t think is possible). Any blocking will have some unintended effect. Router dns poisoning works relatively well. I had it for a long time and enjoy it. I like that all my machines, including any mobile clients connected to my wi-fi, have less ads displayed. My main purpose is to block tracking sites, rather than disable the ads. I also like the fact that the page content does not ch
  • In my opinion, as a network engineer, routers should never be used for security functions as it just isn't scalable from a support and management perspective (i.e. keeping settings the same across a large number of sites). If you need to block traffic then you need to buy a Firewall and/or a Proxy server. If you can just afford one device, buy a firewall. Most Firewalls can also support routing and routing protocols plus they are optimized to handle the additional overhead of security services.

    Unless thi

  • [Before anybody gives a response about Internet freedom, that's well and all, but for certain applications, you only need to have employees access a few websites--like say a corp HQ information system.]

    There are many routers that have a way to blacklist certain sites and keywords, though that's basically useless (a few mL vs the ocean?).

    Whitelisting would be much more handy, but most routers don't support it.

    Not only that, but custom Linux router firmware doesn't (easily) support it. Not DDWrt or Tomato. Op

  • I for one would not want to pay for the router powerful enough to parse every webpage that passes through it.

    Also it would be a far bigger pain to update and modify.

  • to live in Iran

  • Somewhere along the way, the internet isn't meant to be 'free'.
    Somebody has to pay for the bandwidth, the infrastructure, etc.
    Then comes along content. Content can't always be 'free'. Someone has to place it on the web, someone has to maintain it, someone creates it and depending on the complexity of the content, there are 1 or more content creators and associates/affiliates getting involved and eventually people need to make a living.
    Here's the point I'm making with the following example:
    My wife
  • Take a look at the devices from Fortinet ... decent AV/Malware as well as webfilter with "the usual" load of different categories (and the ability to filter based on groups defined e.g. by SSO info from an ADS). Add to that many additional security firewall features, IPS, security scanner, ... to top it off, it's a lot more affordable with better throughput than many (all well-known?) competitors ...

  • Are you a parent trying to keep your kids from porn? Are you a business trying to keep your workers on task? Are you a government trying to control the eyeballs of your citizens? Are you just trying to keep ads away from your personal eyeballs, malware from your personal devices?

    If it's for your own personal use there are two approaches:
    1) Do it on the device. This has the advantage of being easy to pause if it causes a web site or service to stop working. It has the down side of not being centrally managed

  • Blocking at the web browser level, where the blocking program has an idea of what's going on, works best. Blocking at the IP level will stall out some sites. It's technically possible to block in the browser in such a way that the site can't figure out that it's being blocked. Few sites detect ad blockers yet, but more could. It may be worthwhile to delay loads of ad sites and see if this stalls the loading of the real content. For mobile, it would be amusing to have an ad-blocking proxy site which reads

  • Close the Browser.

  • No one posts ads there. If you can find the content, that is. Or even know what gopherspace is.

"The way of the world is to praise dead saints and prosecute live ones." -- Nathaniel Howe

Working...