With help from Google, impersonated Brave.com website pushes malware

With a valid TLS certificate, faux Bravė.com could fool even security-savvy people.

Read the whole story

 

[madewokherd]

Any thoughts on *why* the ad used the mckelveytees.com domain then redirected to their look-alike domain? At a glance, that's the most suspicious thing about that ad listing. The domain has no obvious connection to Brave.

It seems mckelveytees is a legit company that no one is blaming for this, so I have to assume they used some exploit of the site to make a URL that redirects to one of their intermediate URLs, but I don't understand why that's preferable to using a domain they control with the word "brave" in it.

 

[SplatMan_DK]

Any thoughts on *why* the ad used the mckelveytees.com domain then redirected to their look-alike domain? At a glance, that's the most suspicious thing about that ad listing. The domain has no obvious connection to Brave.

It seems mckelveytees is a legit company that no one is blaming for this, so I have to assume they used some exploit of the site to make a URL that redirects to one of their intermediate URLs, but I don't understand why that's preferable to using a domain they control with the word "brave" in it.

Perhaps because it fools security tools that evaluate the reputation of the destination site?

 

[SplatMan_DK]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

Do you actually not just click on ads but constantly go and purchase everything you see advertised? You're not doing anyone much good by contributing to lower click through rates. Get off your high horse. If you want to support people who make websites, pay them.

You're projecting and make false assumptions. And making an unnecessary ad hominem. Why lash out?

I do subscribe (and have for many years). It's right there in my post next to my user name.

I subscribe to several other sites as well, because I frequent them often.

Not all sites offer subscriptions, and not all are worth subscribing to if you only visit them once or twice a year.

 

[WXW]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

I and probably most other Ars commenters block ads and trackers on all websites. I, like you, subscribe to Ars because I value its in-depth, high-quality coverage. (Plus, the full-text RSS feeds are really nice.)

It’s the website’s job to implement technical measures to maintain its revenue stream. I have no obligation to execute some random JavaScript function from doubleclick.com just because wired.com asks my browser to do so. If a website is concerned about losing revenue from users who block ads, then it should implement some sort of account system and lock its content behind a paywall. No one has a right to make money.

Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit and blockers or altering the source of the rendered page). But surely they do have a moral and ethical right though. It is their content, so it's their decision how to monetize it.

You are not entitled to remove the ads or dictate they alter their business model to something that "suits you". The ethical choice would be to simply not use their services, if you are not prepared to accept whatever business model they have chosen.

I understand they have no recourse. And I am not going to start a big stink over people who use as blockers. But for many site, what you propose (a paywall) is a worse alternative than accepting the leeches who take the content without providing value.

I think it's a somewhat entitled to demand they abide by your rules/demands rather than the other way around when they're obviously the ones offering value to you (as evident by the fact you visit the sites). You honestly don't get to do that with any other business on the planet.

You know, in my opinion I do have a moral and ethical right to get compensation if the ads on a website turn out to be malicious because they didn't bother to perform any due diligence with their security, and it doesn't seem many do. So I will continue blocking ads all over the Internet for my own safety, and if websites don't want that then they can block me; some do and I'm not going to try to circumvent it, it's fair to me. If they don't I have to assume their business model is to let some people read for free, and earn money through those that pay, providing them with extra features or not.

Personally I pay for some of the content I consume which I could get for free, and I'm fine with other people not paying for it. I subscribed to Ars some years ago, and was going to subscribe again recently, but I didn't like the privacy policy at all and sent a message to their contact address to ask a pair of questions and exercise my rights as an EU citizen, but I got no answer, so I'm sorry but nope.

 

[malor]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

Sadly, on the web, depending on ads is a bad business model. It directly exposes your audience to extra risk, for your benefit. You are instructing their computers to contact a whole network of additional computers, any one of which could attack them, and you are doing this to make money.

In 2021, subscriptions are the only ethical model. Ad networks make the world a much worse place, and using them means you're contributing to the problem.

 

[J.King]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

 

[Starouscz]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

Sadly, on the web, depending on ads is a bad business model. It directly exposes your audience to extra risk, for your benefit. You are instructing their computers to contact a whole network of additional computers, any one of which could attack them, and you are doing this to make money.

In 2021, subscriptions are the only ethical model. Ad networks make the world a much worse place, and using them means you're contributing to the problem.

Mostly agree - there is a second model, where selected group pays in advance to get the content first and then everybody gets it free later - but i have seen that more for podcasts

 

[malor]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

Sadly, on the web, depending on ads is a bad business model. It directly exposes your audience to extra risk, for your benefit. You are instructing their computers to contact a whole network of additional computers, any one of which could attack them, and you are doing this to make money.

In 2021, subscriptions are the only ethical model. Ad networks make the world a much worse place, and using them means you're contributing to the problem.

Mostly agree - there is a second model, where selected group pays in advance to get the content first and then everybody gets it free later - but i have seen that more for podcasts

Oh, yeah, that works too. Linux Weekly News uses that model, a one-week delay on articles for non-subscribers.

Their site is also minimalist, and delightfully safe. Also very easy to read, because there are no ads to gum up the layout.

 

[Wallachia]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not.

You are the initiator of the visit, after all.

The initiator of the visit is irrelevant. I walk into Rite Aid for my prescription with the reasonable assumption that I'm walking into Rite Aid only. If Rite Aid decides to sublease their space to Chemical Weapons Testing Inc and the International Brotherhood of Expert Pickpockets without posting notice, and other storefronts around town decide to otherwise expose me to mortal risk without informing me what bad actors they're letting run around their store, I'm well within my rights to take preventative steps to defend myself.

If Rite Aid and Chemical Weapons and Pickpockets Inc are upset that I come in with a gas mask and a tazer, they're welcome to ask me to leave but if they think it's unethical they can pound sand

 

[J.King]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not.

You are the initiator of the visit, after all.

If I visit address X, I am under no obligagtion to also retrieve and execute a referenced script at address Y which retrieves an advertisement at address Z. I asked for X and I got X. That I stop there (or not) is no one's business but mine.

 

[HarpoQuartx]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not.

You are the initiator of the visit, after all.

How exactly are they going to enforce such a ridiculous clause in their ToS? Are they going to point a camera to my screen and send me a lawsuit when my browser allows me to view and edit the source with a simple shortcut?

Secondly, just because something is put into a ToS does not mean it's either legally binding or enforceable.

 

[Deleted member 1]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I'm picturing SplatMan_DK watching a program he taped, and never, ever skipping commercials - cause, you know, gotta respect the business model!

 

[HarpoQuartx]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I'm picturing SplatMan_DK watching a program he taped, and never, ever skipping commercials - cause, you know, gotta respect the business model!

And even in the case of the television companies that went after Dish for the AutoHopper they failed to win in court and at best got a settlement where Dish crippled the feature for up to a week after recording. So despite what Splatman seems to think with the argument that we are not legally allowed to skip and block out ads it has little to no substantive legal precedent behind it.

It's no different to fast forwarding a VHS recording of TV or skipping the ads and previews on DVD. It would be ridiculous to claim that a user was bound by some legally-binding ToS preventing them from doing so. And let's not even get into walking away from the TV while commercials are playing for live TV.

Methinks Splatman has likely done one or more of these things in their lifetime and is not the righteous, moral warrior that they uphold themselves as.

 

[Deleted member 1]

Methinks Splatman has likely done one or more of these things in their lifetime and is not the righteous, moral warrior that they uphold themselves as.

I don't see it as righteous or moral -- just bizarre rigidity -- but I know what you mean.

 

[HarpoQuartx]

Methinks Splatman has likely done one or more of these things in their lifetime and is not the righteous, moral warrior that they uphold themselves as.

I don't see it as righteous or moral -- just bizarre rigidity -- but I know what you mean.

They caged many of their arguments in terms or ethics and morality so I feel the statement is appropriate.

 

[agpob]

Perhaps, as with commercial/civil aviation, there should be an internationally accepted, mandatory, default language/characters to provide ID for all web sites/addresses...

 

[madewokherd]

Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit and blockers or altering the source of the rendered page). But surely they do have a moral and ethical right though. It is their content, so it's their decision how to monetize it.

I might grudgingly accept this if ads weren't so high on the list of information security threats to the average person browsing the Internet (up there with password database leaks). I could not advise anyone to browse the web without an ad blocker. Scams are simply too common, and there is nothing I can tell a less tech savvy individual that would really help them identify malicious ads. Maybe some of them are harder to detect now, but that doesn't matter, because being less good at identifying bad ads than I am doesn't mean you deserve to get scammed.

Then again, another way of looking at what's happening is that a website is auctioning your attention to some unknown third party, even to them. Unlike an ad in a newspaper, this is done on an individual level for everyone who visits the page. Surely you should have the ability to negotiate this arrangement, or at least an opportunity to evaluate it before consenting to it, since they are selling something that belongs to you. In fact, the most practical way to make that happen right now is to run an ad blocker, and let them refuse to serve you content if they think it's sufficiently valuable to entice you to reconsider (or to pay for it directly).

 

[J.King]

Any thoughts on *why* the ad used the mckelveytees.com domain then redirected to their look-alike domain? At a glance, that's the most suspicious thing about that ad listing. The domain has no obvious connection to Brave.

It seems mckelveytees is a legit company that no one is blaming for this, so I have to assume they used some exploit of the site to make a URL that redirects to one of their intermediate URLs, but I don't understand why that's preferable to using a domain they control with the word "brave" in it.

Congratulations on breaking five and a half years of silence, by the way! Welcome!

 

[HarpoQuartx]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not.

You are the initiator of the visit, after all.

How exactly are they going to enforce such a ridiculous clause in their ToS? Are they going to point a camera to my screen and send me a lawsuit when my browser allows me to view and edit the source with a simple shortcut?

Secondly, just because something is put into a ToS does not mean it's either legally binding or enforceable.

You are absolutely right. And i stated that already in this thread. The site has no real recourse, and it's unlikely any term in the TOS can be truly enforced for any anonymous or non-registered user.

That doesn't change the ethical and moral perspectives though.

.

It's no less moral than walking away from live TV during a commercial break or fast forwarding a recording of a show. And you'll never be able to convince me that either is immoral or unethical. And methinks you have likely done this yourself despite all the moral posturing.

 

[SplatMan_DK]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I'm picturing SplatMan_DK watching a program he taped, and never, ever skipping commercials - cause, you know, gotta respect the business model!

I don't tape stuff. I stream stuff, from services where I pay a subscription fee. I also - ghasp - buy content on physical disks so I can decide when, how and where to consume the content. Most of it is scifi classics I want the kids to see because I liked them myself decades ago. Most but not all have aged well.

 

[madewokherd]

Malicious ads aren't very common where I live. As I see things the threat exist but is greatly exaggerated in order to justify blocking. Things may be different where you live.

I don't run a blocker and my endpoint protection suites has reported nothing for over a year (work PC uses Fortinet, private PC has Kaspersky).

I disagree any online media is selling something that's yours. They are selling and space on their pages, exactly the same as if it was a printed edition. It's just brokered in milliseconds and served in new ways to optimize targeting. It's their space and they're not selling anything of yous. To do so would imply they could sell your eyeballs even if you didn't visit their site - but clearly that's not the case.

I'd include scams within the umbrella of malicious ads, stuff like "tech support" scams that pretend to be the actual company. If you haven't encountered those, then it's a case where my experience differs from yours, and I can't argue that.

I absolutely agree that online media is within their rights to sell space on their site to advertisers, IF the arrangement is for a given space at a given time. The fact that they can't sell my eyeballs even if I don't visit their site is WHY this is different - the transaction occurs the moment I make the request to the site, for me individually.

 

[SplatMan_DK]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not.

You are the initiator of the visit, after all.

How exactly are they going to enforce such a ridiculous clause in their ToS? Are they going to point a camera to my screen and send me a lawsuit when my browser allows me to view and edit the source with a simple shortcut?

Secondly, just because something is put into a ToS does not mean it's either legally binding or enforceable.

You are absolutely right. And i stated that already in this thread. The site has no real recourse, and it's unlikely any term in the TOS can be truly enforced for any anonymous or non-registered user.

That doesn't change the ethical and moral perspectives though.

.

It's no less moral than walking away from live TV during a commercial break or fast forwarding a recording of a show. And you'll never be able to convince me that either is immoral or unethical. And methinks you have likely done this yourself despite all the moral posturing.

actually I don't think I have. At least not for good three decades. But that's more because I live in a country with odd media history (license funded media) and because I dumped "flow TV" so many years ago.

Having said that, no, neither of those examples are "immoral". Mostly because payments for such commercials are sold under completely different models. They can't be paid on a per-view basis because there is no mechanism to measure it. The same is not true for browser content.

 

[HarpoQuartx]

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not.

You are the initiator of the visit, after all.

How exactly are they going to enforce such a ridiculous clause in their ToS? Are they going to point a camera to my screen and send me a lawsuit when my browser allows me to view and edit the source with a simple shortcut?

Secondly, just because something is put into a ToS does not mean it's either legally binding or enforceable.

You are absolutely right. And i stated that already in this thread. The site has no real recourse, and it's unlikely any term in the TOS can be truly enforced for any anonymous or non-registered user.

That doesn't change the ethical and moral perspectives though.

.

It's no less moral than walking away from live TV during a commercial break or fast forwarding a recording of a show. And you'll never be able to convince me that either is immoral or unethical. And methinks you have likely done this yourself despite all the moral posturing.

actually I don't think I have. At least not for good three decades. But that's more because I live in a country with odd media history (license funded media) and because I dumped "flow TV" so many years ago.

Having said that, no, neither of those examples are "immoral". Mostly because payments for such commercials are sold under completely different models. They can't be paid on a per-view basis because there is no mechanism to measure it. The same is not true for browser content.

Nielsen might want to have a conversation with you.

 

[TROPtastic]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

If a website is concerned about losing revenue from users who block ads, then it should implement some sort of account system and lock its content behind a paywall. No one has a right to make money.

If Ars were to suddenly paywall their website on Monday and require subscriptions to access articles, two things would happen:
1) their article views would plummet, as casual visitors (far outnumbering people who comment on articles and people who subscribe) go elsewhere, bringing a corresponding decline in ad revenue
2) someone sufficiently annoyed would subscribe simply to repost all the articles for free on a 3rd party site (like what happens to FT and Wired on Reddit), leaving Ars back at square 1 except with less revenue.

This dilemma illustrates why not all news websites on the internet have paywalled content.

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

Do you actually not just click on ads but constantly go and purchase everything you see advertised? You're not doing anyone much good by contributing to lower click through rates. Get off your high horse. If you want to support people who make websites, pay them.

You can't be seriously trying to claim that browsing websites without an adblocker is morally equivalent to browsing websites with an adblocker and without subscribing. One of them actually contributes some revenue to the site, while the other contributes 0. If you asked news site owners, I'm sure that none of them would say "people who browse without Adblock are irrelevant/useless to us". This is why I browse Ars without an adblocker.

Also, I notice that you are not subscribed to Ars, yet you feel the need to preach about paying websites for their content. Bold of you to be so obviously hypocritical.

 

[malor]

Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit and blockers or altering the source of the rendered page). But surely they do have a moral and ethical right though. It is their content, so it's their decision how to monetize it.

I might grudgingly accept this if ads weren't so high on the list of information security threats to the average person browsing the Internet (up there with password database leaks). I could not advise anyone to browse the web without an ad blocker. Scams are simply too common, and there is nothing I can tell a less tech savvy individual that would really help them identify malicious ads. Maybe some of them are harder to detect now, but that doesn't matter, because being less good at identifying bad ads than I am doesn't mean you deserve to get scammed.

Then again, another way of looking at what's happening is that a website is auctioning your attention to some unknown third party, even to them. Unlike an ad in a newspaper, this is done on an individual level for everyone who visits the page. Surely you should have the ability to negotiate this arrangement, or at least an opportunity to evaluate it before consenting to it, since they are selling something that belongs to you. In fact, the most practical way to make that happen right now is to run an ad blocker, and let them refuse to serve you content if they think it's sufficiently valuable to entice you to reconsider (or to pay for it directly).

Malicious ads aren't very common where I live. As I see things the threat exist but is greatly exaggerated in order to justify blocking. Things may be different where you live.

I don't run a blocker and my endpoint protection suites has reported nothing for over a year (work PC uses Fortinet, private PC has Kaspersky).

I disagree any online media is selling something that's yours. They are selling ad space on their pages, exactly the same as if it was a printed edition. It's just brokered in milliseconds and served in new ways to optimize targeting. It's their space and they're not selling anything of yous. To do so would imply they could sell your eyeballs even if you didn't visit their site - but clearly that's not the case.

.

Ad networks aren't safe, Splatman. They just aren't. They're stacked multiple layers deep, and website operators may end up exposing their clients to dozens of different networks with completely different security standards. No matter how fantastic they might be locally, just one compromised system anywhere in the ad infrastructure is an attack vector against their clients.

It would be different if the ads were entirely hosted locally. If, say, Ars sold its own ads and hosted them on Ars' own servers, then customers wouldn't be at any more risk. But it's easier and requires very little effort to use ad networks, and companies just ignore the risk, because they don't run any particular risk themselves. Their customers bear the entire burden of their bad behavior.

Profiting by putting people at risk is flat out unethical. Ads could be done safely, but they never are, because companies would rather keep the dollars in their pockets than keep their readers safe.

 

[WXW]

You are not entitled to remove the ads...

I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.

I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not.

You are the initiator of the visit, after all.

Are those sites with TOS that require you to allow ads making sure the users know about them, and that they have accepted them? Are those clauses actually legal? Are sites free to just not serve content to users that block ads? Are there any ethical and moral questions for the sites regarding the safety of their users, or is it just for us very very bad users?

 

[RoninX]

Why isnt ascii enough ?

Because not every domain is intended for english speakers.

Here's how to set Firefox to show punycode rather than unicode characters. https://www.tenforums.com/tutorials/104 ... ndows.html

It looks like Brave always displays the punycode (not unicode) characters in the address bar.

For example, for https://www.xn--80ak6aa92e.com/.

That seems like the right choice. Of course, you have to download Brave from the correct site first...

 

[Iggy the Jiggy Piggy]

Its pure e̶v̶i̶l̶ greed these domains exist. Why isnt ascii enough ? There is no reason why bravè.com bravê.com or bravė.com should point to something else than brave.com

Well, mainly because the world is a bit more international than ASCII can handle. There's a huge difference for Spanish-speakers between diezaños.com (tenyears.com) and diezanos.com (tenbuttholes.com). I'm sure with other languages there can be even more extreme examples. And that's before we consider non-Latin script users among the world. Accommodating them effectively requires a Unicode derived system which will, in turn, also include Latin diacritics.

There are some tools that can sniff out potentially misleading URLs by using a variety of heuristics (e.g. all Latin except for one Cyrillic/Greek letter, and that one is known to be potentially confused with a Latin one). If a browser gets one of these URLs with mixed scripts or diacritics, it might be a good idea to check if it's rather similar to a top 1000 (or 10k, or 100k, etc) domain, and alert the user of a potential phishing attempt in such case.

It reminds me of this episode of King of the Hill https://youtube.com/watch?v=1jyGsKOzEVE

 

[johnnoi]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

Lots of people complain about too many ads and I always tell them I never have ads on my computer, then explain how to stop them nasty ads.

 

[johnnoi]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

I and probably most other Ars commenters block ads and trackers on all websites. I, like you, subscribe to Ars because I value its in-depth, high-quality coverage. (Plus, the full-text RSS feeds are really nice.)

It’s the website’s job to implement technical measures to maintain its revenue stream. I have no obligation to execute some random JavaScript function from doubleclick.com just because wired.com asks my browser to do so. If a website is concerned about losing revenue from users who block ads, then it should implement some sort of account system and lock its content behind a paywall. No one has a right to make money.

I never clik on ads so they would never get any of my money so blocking them just makes surfing that much nicer especially on YT.

 

[Lord Windy]

I think we can all agree ads are the worst.

I wish there was a better way than subscriptions though. I remember once reading about a service where you load up your account with money and you pay per article/thing you use and then you get to keep it. But it still wouldn't fix the biggest problem I have where in subscriptions you don't own the stuff you subscribe to, you're just renting it. Ditto for buying software, ebooks and music.

 

[Dietz]

In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site if crucial income. Or in simpler words: you're leeching on other people's good work.

I have a Pi-Hole running on my network, and use an ad blocker full time. I don't see ads. Ever. For anything. They are banished from my network.

I don't care if a site is supported by ads, advertising networks have proven themselves to be immoral, evil ass holes, and I will not allow their intrusive and obnoxious crap to be shown in my browser.

 

[andy o]

Even today, it aggravates me that Google hides the actual URL's within its embedded spy-on-you bullshit links instead of getting a clean link to the site I want to go to (which I typically then type into the address bar instead of using Google's link).

On desktop there is a pretty simple way to avoid this, just right click on an empty space and then drag to the link, and release the right click. Then when you copy the link it will be the real destination.

 

[Pseudalopex]

Its pure e̶v̶i̶l̶ greed these domains exist. Why isnt ascii enough ? There is no reason why bravè.com bravê.com or bravė.com should point to something else than brave.com

Because there's lots of languages that cannot be represented using ASCII.

Having said that, what would be useful is for punycode to be disabled by default for languages that can be adequately represented without it, e.g. English. But that doesn't help the muggles fluent only in non-ASCII-able languages.

The sad fact is that bad actors will always find a way.

This is a strong argument for a restricted character set. ASCII has been there since the beginning. Extending it for domain names has been an evident mistake for decades.