diff --git a/µBlock-and-others:-Blocking-ads,-trackers,-malwares.md b/µBlock-and-others:-Blocking-ads,-trackers,-malwares.md index 37bdf12..e90a682 100644 --- a/µBlock-and-others:-Blocking-ads,-trackers,-malwares.md +++ b/µBlock-and-others:-Blocking-ads,-trackers,-malwares.md @@ -1,109 +1,84 @@ -Hard data, not hype. - -Latest benchmark: 22 July 2014 ([raw data spreadsheet](https://github.com/gorhill/uBlock/blob/master/doc/benchmarks/privex-201407-22.ods)). - -This benchmark is to measure privacy exposure, by counting the number of **distinct 3rd-party domains** which -have been hit by net requests during the benchmark. The lower the number of distinct 3rd-party domains hit, the better. - -Some benchmarks measure the amount of requests blocked, which I think is of no interest as a useful -measurement of privacy exposure. The number of requests blocked is no guarantee of less distinct 3rd-party domains being hit (and leaving a trace in the servers' logs). - -Measuring directly the number of distinct 3rd-party domains which were hit is a much better and relevant measurement for comparison of privacy protection efficiency in my opinion. - -![Privacy benchmark graph](https://raw.githubusercontent.com/gorhill/uBlock/master/doc/img/privacy-benchmark.png) - -Caveat: "3rd-party" is defined as a domain which doesn't match the domain of the web page. For sure many -domains reported as "3rd-party" actually belong to the same entity which owns the page domain (for example, `yimg.com` is owned by `yahoo.com`). There is no way for the benchmark code to know this, unless using a comprehensive database of who owns which domain -- that is beyond my means. Still, the benchmark is useful if comparing blockers among themselves, or against when no blocker is used. - -Results -- figures are "3rd party / all". Ordered from least 3rd-party hits to most 3rd-party hits. Privacy-wise, lower numbers are better. - -#### µBlock 0.2.3.3 - -- Distinct 1st-party/3rd-party pairs: **245** -- Scripts: 569 / 852 -- Outbound cookies: 1 / 112 -- Net requests: 2,458 / 5,020 - -#### Adblock Plus 1.8.3 - -- Distinct 1st-party/3rd-party pairs: **255** -- Scripts: 563 / 839 -- Outbound cookies: 1 / 120 -- Net requests: 2,415 / 4,963 - -#### Ghostery 5.3.0 - -- Distinct 1st-party/3rd-party pairs: **282** -- Scripts: 589 / 894 -- Outbound cookies: 1 / 135 -- Net requests: 2,605 / 5,301 - -#### Adguard 1.0.2.12 - -- Distinct 1st-party/3rd-party pairs: **283** -- Scripts: 637 / 930 -- Outbound cookies: 1 / 136 -- Net requests: 2,600 / 5,251 - -#### Disconnect 5.18.14 - -- Distinct 1st-party/3rd-party pairs: **352** -- Scripts: 716 / 989 -- Outbound cookies: 1 / 174 -- Net requests: 2,704 / 5,276 - -#### Privacy Badger 2014-07-18 - -- Distinct 1st-party/3rd-party pairs: **604** -- Scripts: 853 / 1181 -- Outbound cookies: 1 / 182 -- Net requests: 3,190 / 5,990 - -#### No blocker - -- Distinct 1st-party/3rd-party pairs: **1160** -- Scripts: 1471 / 1799 -- Outbound cookies: 1 / 216 -- Net requests: 5,317 / 8,207 - -### Notes - -The figures show the number of requests **allowed**, thus lower numbers are better. -The point is to count the number of distinct 3rd-party/1st-party pairs after running -the reference benchmark (three repeats in the current instance). - -The less distinct 3rd-party/1st-party pairs, the better. - -Adguard: it sends `GET` requests in the form `https://sb.adtidy.org/safebrowsing-lookup-domain.html?domain={page hostname}` for the first time a URL is visited. This may be related to its _"Phishing and malware protection"_ setting. Just a guess. - -Privacy Badger: warning from the browser: _"This extension is slowing down Chromium. You should disable it to restore Chromium's performance."_ - -Ultimately, if you **really** want to increase significantly control over your privacy, [HTTP Switchboard](https://github.com/gorhill/httpswitchboard#http-switchboard-for-chromium) is the way to go. -If web page breakage annoys you, just start using HTTP Switchboard in [allow-all/block-exceptionally mode](https://github.com/gorhill/httpswitchboard/wiki/How-to-use-HTTP-Switchboard:-Two-opposing-views#the-allow-allblock-exceptionally-approach), -and blacklist your way up from this starting point. Unlike µBlock and others here, HTTP Switchboard does not -have unseen exception filters which often defeat good blocking filters. For example, [**this**](https://github.com/gorhill/httpswitchboard/wiki/About-these-%22%E2%80%98virtually-impossible%E2%80%99-to-block%22-fingerprinting-tools#kind-of-low-breakage) is the way to foil many fingerprinting tricks, canvas fingerprinting included, without preventing javascript execution. - -### Methodology - -All blockers were configured in such a way as to compare apples-vs-apples: - -- **µBlock:** out-of-the-box settings -- no change. -- **Adblock Plus:** out-of-the-box settings + _"EasyPrivacy"_, _"Malware Domains"_ checked. _"Acceptable ads"_ unchecked. _"Update now"_ clicked. -- **Ghostery:** out-of-the-box settings + _"Advertising"_, _"Analytics"_, _"Beacons"_, _"Privacy"_ checked. _"Widgets"_ not checked. _"GhostRank"_ not checked. _"Update now"_ clicked (and ensured whatever new filters were used). -- **Adguard:** out-of-the-box settings + _"Spyware and tracking"_, _"Phishing and malware protection"_ checked. _"Social media"_ not checked. _"Acceptable ads"_ unchecked. _"Check for filter updates"_ clicked. -- **Disconnect:** out-of-the-box settings -- no change. -- **Privacy Badger:** out-of-the-box settings -- no change. The extension was "primed" by visiting all the URLs in the benchmark three times before running the real benchmark. - -Browser settings (if you mind your privacy, there is no way around these settings): -- _"Click to play"_ enabled. -- _"Block third party cookies and site data"_ enabled. - -[Sessbench](https://github.com/gorhill/sessbench) was used to run the benchmarks, -and each extension was tested as the only extension active in the browser. - -The official [Public Suffix List](https://publicsuffix.org/list/) is used to determine the domain of a URL. - -**Note regarding the methodology:** It has been said that I was unfair toward ABP because I didn't -use [Peter Lowe’s Ad server](http://pgl.yoyo.org/) list for ABP while I did for µBlock. It is -true that I could have imported the list into ABP, which most certainly account for the difference +Hard data, not hype. + +Latest benchmark: 30 September 2014 ([raw data spreadsheet](https://github.com/gorhill/uBlock/blob/master/doc/benchmarks/privex-201409-30.ods)). + +This benchmark is to measure privacy exposure, by counting the number of **distinct 3rd-party domains** which +have been hit by net requests during the benchmark. The lower the number of distinct 3rd-party domains hit, the better. + +Some benchmarks measure the amount of requests blocked, which I think is of no interest as a useful +measurement of privacy exposure. The number of requests blocked is no guarantee of less distinct 3rd-party domains being hit (and leaving a trace in the servers' logs). + +Measuring directly the number of distinct 3rd-party domains which were hit is a much better and relevant measurement for comparison of privacy protection efficiency in my opinion. + +![Privacy benchmark graph](https://raw.githubusercontent.com/gorhill/uBlock/master/doc/img/privex-201409-30.png) + +Caveat: "3rd-party" is defined as a domain which doesn't match the domain of the web page. For sure many +domains reported as "3rd-party" actually belong to the same entity which owns the page domain (for example, `yimg.com` is owned by `yahoo.com`). There is no way for the benchmark code to know this, unless using a comprehensive database of who owns which domain -- that is beyond my means. Still, the benchmark is useful if comparing blockers among themselves, or against when no blocker is used. + +Results -- figures are "3rd party / all". Ordered from least 3rd-party hits to most 3rd-party hits. Privacy-wise, lower numbers are better. + +#### Ghostery 5.4.0 + +- Distinct 1st-party/3rd-party pairs: **197** +- Scripts: 490 / 796 +- Outbound cookies: 0 / 135 +- Net requests: 2,548 / 5,304 + +#### µBlock 0.6.6.0 + +- Distinct 1st-party/3rd-party pairs: **285** +- Scripts: 681 / 1011 +- Outbound cookies: 0 / 131 +- Net requests: 2,871 / 5,558 + +#### Adblock Plus 1.8.5 + +- Distinct 1st-party/3rd-party pairs: **369** +- Scripts: 774 / 1106 +- Outbound cookies: 0 / 139 +- Net requests: 2,966 / 5,671 + +#### Disconnect 5.18.15 + +- Distinct 1st-party/3rd-party pairs: **400** +- Scripts: 922 / 1258 +- Outbound cookies: 0 / 202 +- Net requests: 3,266 / 6,141 + +#### No blocker + +- Distinct 1st-party/3rd-party pairs: **1578** +- Scripts: 2659 / 3156 +- Outbound cookies: 0 / 250 +- Net requests: 8,225 / 11,718 + +### Notes + +The figures show the number of requests **allowed**, thus lower numbers are better. +The point is to count the number of distinct 3rd-party/1st-party pairs after running +the reference benchmark (three repeats in the current instance). + +The less distinct 3rd-party/1st-party pairs, the better. + +### Methodology + +All blockers were configured in such a way as to compare apples-vs-apples: + +- **Ghostery:** Select all trackers. _"GhostRank"_ not checked. _"Update now"_ clicked (and ensured whatever new filters were used). +- **µBlock:** out-of-the-box settings + local mirroring enabled (through _"Experimental features"_). +- **Adblock Plus:** _"EasyList"_ + _"EasyPrivacy"_, _"Fanboy's Social Block List"_, _"Malware Domains"_ checked. _"Acceptable ads"_ unchecked. _"Update now"_ clicked. +- **Disconnect:** out-of-the-box settings -- no change. + +Browser settings (if you mind your privacy, there is no way around these settings): +- _"Click to play"_ enabled. +- _"Block third party cookies and site data"_ enabled. + +[Sessbench](https://github.com/gorhill/sessbench) was used to run the benchmarks, +and each extension was tested as the only extension active in the browser. + +The official [Public Suffix List](https://publicsuffix.org/list/) is used to determine the domain of a URL. + +**Note regarding the methodology:** It has been said that I was unfair toward ABP because I didn't +use [Peter Lowe’s Ad server](http://pgl.yoyo.org/) list for ABP while I did for µBlock. It is +true that I could have imported the list into ABP, which most certainly account for the difference between ABP and µBlock. My answer to this is available at [Wilders Security Forum](http://www.wilderssecurity.com/threads/%C2%B5block-a-lean-and-fast-blocker.365273/page-3#post-2386023). \ No newline at end of file