Author Topic: Question on local.adguard.com. Why tracking blocked by default by Privacy Badger?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Dear Avast friends,

Can anyone explain this behavior?

I see local.adguard.com (I run adguard on my Vista laptop), see: http://toolbar.netcraft.com/site_report?url=http://local.adguard.com set this domain (local.adguard.com) to be blocked by EFF's Privacy Badger extension.
Why is this? The same happens with domain tracking by www.mustbebuilt.co.uk (I have the extension BuiltWith).

Is it true these extension domains are into browser tracking?

Why are they blocked by default through Privacy Badger?

Should I set the domains to allowed? Anyone?

I have to admit that I just found issues with 194-177-23-34.flops.ru (the reverse DNS for local.adguard.com)
with a fake googlebot detection, see: https://www.mywot.com/en/scorecard/flops.ru?utm_source=addon&utm_content=rw-viewsc (both issues confirming the tracking issue  :o ).

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

I am testing Adguard 6.07.67.364 beta at the moment and as soon as I open that Vista laptop I see connections for
http://91-239-26-116.flops.ru/ hosted at EGIHosting,US, IP 205.164.14.88, US, California, San Jose.
I looked up the historical badness on the AS -> http://sitevet.com/db/asn/AS18779  with some 34 blacklisted URLs
mainly for Phishing and Spam activity.
flops dot ru has malware -mc.yandex.ru/metrika/watch.js (x-javascript running on 93.158.134.119)
see https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~LdMon-C/detailed-analysis.aspx  (where adblockers may crash the Yandex metrics). See where I reported on mc.yandex.ru/metrika/watch.js here: https://forum.avast.com/index.php?topic=92880.msg740051#msg740051
See other malware on IP: https://urlquery.net/report.php?id=1444581285230  &  https://www.virustotal.com/nl/ip-address/205.164.14.88/information/
Once we saw -http://bancbot.ru/ activity from there: http://www.stopforumspam.com/ipcheck/205.164.14.88
and also Open Proxy and Spam detected: http://www.liveipmap.com/205.164.14.88

So how far are the services from Adguard above board? There is also Cloudflare to be considered here.
I see HTTPS certificates signed using a one-way hash — often SHA-1.

Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 11, 2015, 11:50:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Hi!

Adguard dev here, I am happy to answer your questions.

"local.adguard.com" is a placeholder domain. In fact all connections to "local.adguard.com" are handled locally on your computer.
This domain is used to serve static content injected by Adguard (mostly CSS stylesheets for hiding ads).

flops.ru is a hosting we use, all our servers are hosted there. Also some are proxified by cloudflare.com.
Anyways, there are no remote connections to local.adguard.com.

It would be better to unblock this domain as you need that static content for better ad blocking.

Offline polonus

Hi avatar_adg,

No one said there is any question of blocking that, just a check. I set "local.adguard.com" to green in Privacy Badger, the EFF-developed extension.

I now know that all is being handled on the local computer and I see that all is verified by Adguard Personal CA, AES 128 gcm encrypted on connection. On a dazzlepod page checking with Tracker SSL extension I get:
Quote
100% of the trackers on this site are helping protect you from NSA snooping. Why not thank dazzlepod.com for being secure?

Started to test that Adguard beta software because it was recommended to me by an enthusiast pal and user of the software here and that made me curious so installed it to give it some enhanced running and testing. I already had the extension running inside Google Chrome browser and firefox for that matter.

Welcome to the official Avast support forums,

polonus (volunteer website security analyst and website error-hunter)

P.S. Is Adguard also blocking this: Unique IDs about your web browsing habits have been insecurely sent to third parties.

v1%3a14XXXXXXXXXXX14185  Twitter guest-id and same goes to local.adguard.com -cfduid  ???
also seen external domain requests there.

Damian

« Last Edit: October 12, 2015, 12:07:45 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

With the continuous drive towards establishing HTTPS Everywhere it is high time to check on the real security and also the misconfigurations, the security header implementation and other security aspects.
Important insights came from HTTPS Everywhere Atlas and websites with issues there, various header and SSL-check scans and also through an extension Tracker SSL, Check SSL, Safer Chrome Security Report, Webpage Behavior Report combined with Privacy Badger. From Tracker SSL and EFF info it appeared to me that SSL can be secure, but that anonymized tracking IDs are exempted and some tracker IDs do not support secure transmission. This could lead to NSA snooping as the anonymized tracking IDs from Google for instance could be de-anonymized and personalized by re-targeting with personal info found elsewhere, helped with fingerprinting and geo-location profiling you into detail does not really require rocket-technology. Here your privacy is non-existent by design. So keep that info always at the back of your mind, what goes onto the Interwebs is like sending out a global message for everyone to see.
Now there are still a lot of sites that have SSL but the log-on info is insecure and all there "goes over the wire" unencrypted as plain txt. With proxies etc. you are depending on the integrity of that service. What happens to your info in the cloud for instance? Do they wanna market it to the highest bidder or with whom they wanna share?
Are widgets and buttons rendered harmless by Privacy Badger for instance? Interesting information I also got from doing a tracker tracker report on scripts and particularly on so-called SPOF scripts that slow down the loading of pages considerably, notorious in this respect is Google monitoring.

Let us take an example now from the HTTPS Everywhere Atlas. Here at http://www.oag.com/Store we have a
Quote
Website is insecure by default
42% of the trackers on this site could be protecting you from NSA snooping. Tell oag.com to fix it.


Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

d811450cde054c7ebc3d12f1cb3cda08e1444324431 local.adguard.com __cfduid  (As I have Adguard Beta installed).
Legend
 Tracking IDs could be sent safely if this site was secure.
 Tracking IDs do not support secure transmission.

Now over to https://www.oag.com/Store. As with the other site we see outdated software here:
HTTP Server: IIS 7.5
Operating System: Windows Server 2008 R2
PHP Version: 5.3.9 (Outdated)  Asafaweb scan delivers 4 warnings: https://asafaweb.com/Scan?Url=https%3A%2F%2Fwww.oag.com%2FStore  fitting in with the 67% of asp sites with problems  :o

Then we have Possible Frontend SPOF from:

-html5shiv.googlecode.com - Whitelist
(49%) - <script src="-http://html5shiv.googlecode.com/svn/trunk/html5.js">
ajax.googleapis.com - Whitelist
(49%) - <script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js">

The page also tries to load scripts from non-verified sources.

But
Quote
100% of the trackers on this site are helping protect you from NSA snooping. Why not thank oag.com for being secure?


Identifiers | All Trackers
 Secure Identifiers
Unique IDs about your web browsing habits have been securely sent to third parties.
Which trackers were:
Quote
At least 5 third parties know you are on this webpage.

www.oag.com  www.oag.com
 local.adguard.com *
 js.hs-analytics.net
 Amazon.com
 shaaaaaaaaaaaaa.com *
* extension related.

The re-writing efforts: https://www.eff.org/https-everywhere/atlas/domains/oagtravel.com.html

See also: http://toolbar.netcraft.com/site_report?url=https://www.oag.com
Website Risk Status 1 red out of 10 and no PFS
Poodle Scan -> Bingo:
Quote
TLS_FALLBACK_SCSV Not Supported

Exclamation-point
Your server does not support the new TLS_FALLBACK_SCSV flag. This flag prevents newer clients from being forcibly downgraded to an insecure SSL version. Remember, your clients and server must both implement the (very new) TLS_FALLBACK_SCSV cipher flag. See here for a ton of information on patching your clients and servers.

Vulnerable Ciphers Still Supported:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Just a check on a random HTTPS site shows there is still lots and lots to be done and left to make the Interwebs a tiny fraction more reliable. I guess not everyone will be into third party cold reconnaissance scanning like some others and little old me here are performing, but going through the results everyone should learn caution. The Interwebs could be a dangerous world to visit.

My question: what security and privacy did I add by installing Adguard? I keep testing it and expect some further reporting.

Oh and as a dessert the tracker tracker report from https://www.oag.com/Store scripts, see attached!
Also consider: http://www6.userexp.net/oagaviation.com.html

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 12, 2015, 01:01:53 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
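
Added example, not part of the thread or of any scanner's code: the scan output quoted in the post above reports "no PFS" and lists three cipher suites as vulnerable. The Python below parses those IANA suite names into key exchange and bulk cipher and shows which property drives each finding; the `classify` and `report` functions, the finding labels, and the fourth suite (included for contrast) are assumptions of this example.

```python
import re

# TLS 1.2-style IANA names: TLS_<key exchange>_WITH_<bulk cipher>_<hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<hash>[A-Z0-9]+)$")

# The three suites quoted in the post.
QUOTED_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Not from the post: an ECDHE/GCM suite added here for contrast.
CONTRAST_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"


def classify(suite):
    """Split a suite name into its parts and list the weaknesses it implies."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError("not a TLS_*_WITH_* suite name: %r" % suite)
    kx, cipher = m.group("kx"), m.group("cipher")
    # Forward secrecy requires an ephemeral (EC)DHE key exchange; plain RSA
    # key transport lets a later key compromise decrypt recorded sessions.
    forward_secrecy = kx.startswith(("DHE_", "ECDHE_"))
    findings = []
    if not forward_secrecy:
        findings.append("no forward secrecy")
    if cipher.endswith("_CBC"):
        # CBC suites are what padding-oracle attacks such as POODLE target.
        findings.append("CBC mode")
    if cipher.startswith("3DES"):
        findings.append("3DES (64-bit block)")
    return {"key_exchange": kx, "cipher": cipher,
            "forward_secrecy": forward_secrecy, "findings": findings}


def report(suites):
    """Return one 'suite: finding, finding' line per suite name."""
    lines = []
    for s in suites:
        f = classify(s)["findings"]
        lines.append("%s: %s" % (s, ", ".join(f) if f else "no findings"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(QUOTED_SUITES + [CONTRAST_SUITE])))
```
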

Offline polonus

Really impressive what I have experienced using Adguard so far. The solution with the injected source code really works, although some persistent aggressive ads take somewhat longer to be suppressed.
The only thing I saw is some home communication on a https page for some installed extension like BuiltWith - tracker does not support secure transmission. How to be protected with Adguard there? This was on the DuckDuckGo search page, where I got an 87% secured https page, as the page has sources that aren't secured.
Whenever I use DuckDuckGo I use DuckDuckGo extended via a Tampermonkey script, but I miss Bitdefender TrafficLight warnings there, DrWeb's URL checking (well manually I can but that is a nuisance), I only have WOT there and Adguard naturally to show me ahead. No Netcraft, No AOS (Avast Online Security) - the webshield protection is on naturally.
DuckDuckGo comes minus ads and tracking but also without a lot of the site exploring functionality I am so accustomed to on the Google search results page.
Oh just another thing, Adguard works flawlessly along uMatrix and uBlock Origin. And another plus, blocking website elements is easy peasy using Adguard, and better still functional, it works and with other Adblockers there is no 100% guarantee.
A last question: does one need Anti Adblock Killer 8.5 with Adguard? I have it running in Tampermonkey.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Only minus on the software is the weak certification in the browser. They use an outdated CipherSuite.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Started beta testing the software today, and will report how adguard is behaving alongside Avast AV, MBAM, CCleaner formula.
Last I experienced was a little hiccup on a webpage load where a cloudproxy service seemed to be involved. Re-loading cured the gateway time-out error. I reported that.
Nice we now have this option added to use ABP filter subscriptions, hopefully uBlock also. There is a special module that protects us from Malicious and Phishing websites. Google Safebrowsing security comes included, whether Yandex Safebrowsing has been added, is not clear to me yet. Wanna know how to create your own rules? Please visit here: http://adguard.com/en/filterrules.html  There is English and Russian Beta-testing going on. Have to report that my good forum friend, CraigB here on the forums, inspired me to get involved here.

Folks be convinced that working a good adblocking solution is as important for your online security as working a resident AV solution is. There is only one effective cure against ad-tracking and monitoring and that is using an ad- (and script-) blocker.

Everyone should seek protection against malicious ads, last incident here: http://www.hotforsecurity.com/blog/browser-ransomware-still-active-on-porn-sites-50-countries-affected-12898.html  (P.S. Know that visiting smut-sites is a high risk activity in many respects that is, and moreover cybercriminals are more likely to infest bad web rep sites anyway, so stay away there is my advice).

polonus
« Last Edit: October 26, 2015, 07:31:12 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
I'm fairly sure Adguard filters Yandex Pol, Yandex should be listed in settings/filtered apps...if you haven't removed it as I did :) ( but they can be re-added ) I removed all browsers bar IE - Edge and Modern UI Hosted Apps.