Add a way to specify default subscriptions in corporate environment

[Gingerbread Man]

As far as I can tell, there's no convenient way to do this. For example, Adblock Plus for Firefox keeps both subscriptions and all filters in patterns.ini, which is specific to each user (Firefox profile).

See ​https://adblockplus.org/forum/viewtopic.php?f=11&t=22926

[sebastian]

We just discussed that possibility yesterday. And most of us agreed that pre-configurable filter lists aren't a priority. Also there were concerns that this feature can be misused for censorship. But at least Adblock Plus will behave differently then users might expect, when other filter lists are used by default.

[trev]

I can imagine a "language hint" that will determine which recommended subscription Adblock Plus chooses on the first run. On the other hand, allowing admins to determine the complete filter list configuration can be problematic to say the least. So I am inclined to reject this request unless somebody can provide a compelling reason to implement it.

[Gingerbread Man]

Replying to trev:

allowing admins to determine the complete filter list configuration can be problematic to say the least. So I am inclined to reject this request unless somebody can provide a compelling reason to implement it.

Can you provide a compelling reason not to implement it? The forum already provides convoluted directions for accomplishing the same thing.
​https://adblockplus.org/forum/viewtopic.php?f=21&t=24598

Are you suggesting there's some sort of benefit for users because administrators have to follow complicated directions first?

[sebastian]

Everything we change and add to Adblock Plus, we do for good reasons, and not just because we can. But the description of this issue only says that we should implement it because we haven't yet. So it is a legit question, to ask for reasons to do so. Is there a significant number of request for that feature? And what are their actual use cases? Do they really need full control over the default filter lists, or would a language hint or similar be sufficient?

It might be non-trivial to implement and maintain that feature. If we do, we will not only in Firefox, but also in Chrome and Internet Explorer. So if we implement it there should be at least a few real-world use cases, requiring full control over the filter list configuration.

But the largest problem I see myself is that Adblock Plus will behave differently than users might expect when using other default filter list. So Adblock Plus might appear broken to the user, while it just works as configured by their administrator. In the worst case organizations might implement censorship with Adblock Plus, something we certainly don't want to support.

Sure, administrators can already tweak Adblock Plus in a less convenient way, but we shouldn't support and encourage them to tweak Adblock Plus in ways we consider problematic.

[simona]

This request has not been very common as I know and I do agree with sebastian that the changed behavior of ABP might be perceived negatively by users. Let's collect some more feedback/issues/forum threats to see if this makes a sense to be solved and keep it in a low priority for the moment.

[Alon]

Replying to simona:
I've been using ABP for a long time and since then dreaming of implementing it in a LSD at work.
What is wrong with an organization that requires the use of internet to be censored or limited?
There are a lot of users that barely know how to use the internet and ABP is a blessing because it helps get rid of all the unwanted ads and popups that clutter the web page and giving admins a viable way to specify filter subscriptions helps the end user to be more productive and have a better browsing experience.
Admins are not evil people that censorship the internet just for fun, they comply with the organization requirements.
Most of the filtering/ censorship gets done by a dedicated proxy/url filtering appliance/VM , the problem is that inside the legit/permitted sites there are ads that can be treated only by the subscription filters that are specific to a region/country and that's why need the functionality of a GPO to add subscription filters and make all the necessary configurations to ABP.
I hope other admins get to better explain what i'm trying to .
For me, ABP or no internet.

[jstore]

I created an account here just to create this post. I'm very frustrated with the comments posted here and I would like to illustrate why this is so frustrating from an system admin perspective.

Here's what we're trying to accomplish:

• We want to use Adblock Plus as an additional security layer in our organization (small credit union)
• We follow security best practices and have a strictly locked-down network (to protect or member's information)
• The primary security purpose is to block malvertising domains as they have been used recently to spread ransomware
• We have already found a way to automatically deploy ABP for both of our supported browers (Chrome & Firefox)
• We want to now configure Adblock automatically for our users so that it can:
  1. Block everything on the EasyList
  2. Block everything on the Malware Domains list
     3. Disallow non-intrusive advertising
• It's important that these settings are consistenly applied to each computer so we have consistent protection against malware domains.

Here's what you guys have said on the issue:

Sebastian (17 months ago):
"...most of us agreed that pre-configurable filter lists aren't a priority. Also there were concerns that this feature can be misused for censorship. But at least Adblock Plus will behave differently then users might expect, when other filter lists are used by default."

Trev (17 months ago):
"allowing admins to determine the complete filter list configuration can be problematic to say the least. So I am inclined to reject this request unless somebody can provide a compelling reason to implement it."

Sebastian (17 months ago):
"...Do they really need full control over the default filter lists, or would a language hint or similar be sufficient? ...But the largest problem I see myself is that Adblock Plus will behave differently than users might expect when using other default filter list. So Adblock Plus might appear broken to the user, while it just works as configured by their administrator. In the worst case organizations might implement censorship with Adblock Plus, something we certainly don't want to support.
Sure, administrators can already tweak Adblock Plus in a less convenient way, but we shouldn't support and encourage them to tweak Adblock Plus in ways we consider problematic."

Here's my rebuttal to your comments:

1. My goal here is to provide a compelling reason to implement. I've list our use-case above and I believe that is a common use case. I've spoken with many people and seen many threads (on your forums and others) with people discussing how to configure ABP centrally. If you want ABP to be adopted in larger organizations, they need to be able to make sure it's setup consistently across the board. Security controls aren't effective if they aren't applied consistently.

2. As for censorship, the potential for censorship should not be a good reason to make ABP less enterprise friendly, and in my opinion, is a moot point. Most organizations don't need ABP to censor content as they have web filters for that. Unfortunately, a lot of web filters aren't good at consistently blocking ads. Furthermore, an organization has a right to limit internet access to their employees. This is for information security though, not censorship. One credit union that I support has strict web filtering in place so that their employees can only access a select list of sites that they need to do their job. This helps eliminate the risk of an employee infecting their workstation (and putting financial information at risk). If they want to have unlimited access to the internet, they have to connect to an off-network WiFi (that is provided) or use their own connection. This is common place for organizations like financial institutions, schools, medical institutions, etc. Think about it this way. Do you want the tellers working at your bank to be able to access any malicious site on the internet from their work terminal while they are working with your sensitive information? Do you want their computer to connect to a malware site just because a legitimate site is hosting malware through their advertisements? As a security professional, that thought scares me and I want to be sure that our employees are blocked from accessing advertisements that host malware. It makes our computers and our customers information safer.

3. As for ABP behaving differently, sure it might behave differently then their computer at home, but this is a WORK ENVIRONMENT. Everything here is different from at home and our users know that. We have IT people that can support any issues that come up that our users aren't expecting. Furthermore, we have a locked-down network that prevents users from installing software on their own including browser add-ons, plugins, and extensions. They either get ABP through IT support or not at all.

4. As for a language hint, that sounds like a great feature for home users, but as an organization, we need to be able make sure ABP is configured consistently across all computers if want the protection it offers to be consistent from machine to machine. Furthermore, we need to be able to block malware domains and may even use block lists from other 3rd parties. We can't expect every user to configure ABP to block malware domains.

5. As for not encouraging admins to tweak ABP in ways that you consider problematic, I think you should really reconsider what you believe to be "problematic". It's somewhat ironic that you bring up the idea of censorship, but then purposely avoid creating functionality that allows administrators to consistently configure ABP. It's like you are saying, that you as developers know what's best for the end users instead of allowing the organization to decide. You seem to not address the fact that organizations have complete control over their systems and can censor or limit access as much as they want. They own the systems after all. Making ABP more difficult to centrally maintain isn't fighting against censorship, it's trying to limit what admins can do on their own systems which is it's own form of censorship. You're basically saying, that you know what's best for our environment.

In summation, I would really like to see ABP step up and allow it to be configured in a central fashion. A configuration file or registry settings for key configuration options is crucial for a consistent deployment across an enterprise.

I hope this more clearly illustrates the frustrations that system administrators have when looking to deploy ABP. I know lots of other people have the same frustration, but you don't seem to acknowledge that either. Their are threads on your forum, SpiceWorks, and others all trying to figure out a way to centrally manage the configuration of ABP. There's clearly a demand for a solution.

The question is: Will you do anything about it?

[greiner]

Thanks for your comment. It's really helpful to get such feedback on those kinds of feature requests.

As far as I know this feature has recently been implemented in our Chrome and Safari versions (see #3801) so this ticket can be closed as duplicate if Sebastian agrees.

I'm not aware of any specific changes that were made on our Firefox version in regards to the approach outlined in #3801 though.

[sebastian]

Thanks for your feedback and sorry for your frustration. The main reason the discussion here didn't move forward was that back then we only occasionally got rather vague requests from organizations for more control over Adblock Plus when deployed on their network. However, in order to decide on a reasonable solution we have to consider actual and specific use cases. So your feedaback is very valuable.

However, in the meantime we already implemented a way to configure addional subscriptions via group policy in Adblock Plus for Chrome, see #3801. I suppose we should also implement a similar feature in Adblock Plus for Firefox.

But this still wouldn't allow you to centrally remove default subscriptions, neither will it prevent the user from changing the configuration. FWIW, I still think that this would go too far. After all Adblock Plus isn't primarily an enterprise solution, but a tool to put the user back into control. And as long as there is still our name on it, users might bother or blame use for whatever our software does on your workstations.

[jstore]

I've tried adding the registry key that is listed in #3801, but that thread doesn't say what type of entry should be created (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ).

Also, should the Name and Value both be in quotes in the registry?

I've tested multiple ways with the latest production version of ABP for chrome and I haven't got it to work.

It sounds like your stance is to protect only individuals and not organizations (which may be trying to protect the information of those individuals).

-Justin

[mapx]

#3801 is only in the the dev builds for the moment. If you want to test it try:
​https://chrome.google.com/webstore/detail/adblock-plus-development/ldcecbkkoecffmfljeihcmifjjdoepkn

[jstore]

We'll see if this goes through. Your bayesian test are trying to say my post is spam. Maybe it has something to do with the frequency of posts.

Anyway, I've tested and can confirm that I can add a new subscription in the dev build using the registry key mentioned in #3801.

How can I do the same for IE?
Can I dis-allow non-intrusive ads in the same fashion?
Can I whitelist domains in the same fashion?

Personally, I believe you should allow your admins to force settings so that your users can't override them. Instead you're saying you give power back to the user, instead of giving power to the owner of the system. Again, do you want a teller to be able to determine what ads are filtered for security purposes when their working with your financial data? Or would you prefer that the organizations security team determine what risk is acceptable to take when accessing the internet from a computer that is accessing sensitive financial information for thousands or even hundreds of thousands of individuals?

ABP seems to have taken the stance that users should determine filtering on systems even if they don't own or are responsible for those systems. I'm all for end-user freedom on their own systems, but if they are going to use the systems that I am responsible for, I'm going to make sure that key security controls are locked down so an end user can't override them. This protects against human error, malicious insiders, and forces the user to report an issue if they have one. This is important so IT can resolve the issue and roll out a fix to all users in a centralized, consistent manner.

We're not looking for a centralized console for administration, just for key configuration settings to be stored in separate file or registry keys for easy configuration.

I realize ABP is free and you get what you pay for. I can't force you to listen to me or make any changes to your product, but I would hope that you could see the overall security benefit that such configuration options would allow. ABP could very easily become the de facto tool for blocking adds in financial institutions if it was more easily configured and that configuration enforced. Wouldn't you like to know your tool is blocking malware from entering sensitive networks? Most individuals have their sensitive information stored by other organizations (banks, credit unions, insurance companies, hospitals, etc). Wouldn't you like to protect that information as well? Or are you just concerned with blocking ads for home users? Instead, many FIs are looking at Next-gen firewalls and web filter that can block ads at the perimeter. Those of us that work for smaller FIs can't afford such solutions and need to look for products that work in the browser. ABP is the most common, so we're really hoping that you can provide the functionality that we need since many of us in IT and IS like your product so much for our own home use. Unfortunately, we in security can't depend on a tool for security purposes if the configuration of that tool isn't consistently applied and enforced.

-Justin

[mpittsley]

Good stuff here. Is there a dev version for this feature to work in IE? If not when can we expect a version for IE?

[jstore]

If you're looking to configure ad blocking for IE in a domain, you can do that with built-in functionality. Here's a link with instructions:

​http://decentsecurity.com/adblocking-for-internet-explorer-deployment/

I wish ABP would take this more seriously as I know several admins who would still like to have greater control over ad blocking in Chrome and Firefox. Instead it seems ABP has taken an odd stance based on a straw man argument centered on scenario where organizations are censoring their employees instead of trying to protect their systems from malware.

[thomsen]

Hi

I'm an IT consultant at a firm with 3.500 users. Our users connect through thin clients, which have very poor performance. They simply can't handle modern flash adds with both video og audio.
By using ABP we can reduce the server cpu load by about 40%! This is a big deal for us, since our users get a more fluent experience when browsing the internet.

Sadly we had to remove ABP again, since some of our tools running in Internet Explorer conflicts with ABP. The current solution would be to tell all of our users to manually block every site. That's not even close to acceptable for us as a solution.

It's a big problem for us, that we can't manage a shared whitelist. Adding this feature would really be helpful for us.

[afitsec]

This is insane. I understand that Adblockplus is freely available, open source, yada yada.

There is no reason why you can't keep it that way and provide specialized deployments for a fee, or specialized scripts for a smaller fee. Unless you are unsure how?

Obviously most of the people speaking on this distributed/customized issue are admins in some sort of closed/business/security environment where, at least in the US, the legal precedent is that if a user is at work (or working remotely, but touching the work network) and using equipment provided by the employer/org/etc, it is the employer's equipment, and they have the right to lock it down as they choose to protect the user, the machine and the network, as long as the user can still get work done.

Why is this so hard to understand?

Admins are taking your tech seriously, but they can't count on it out-of-the-box since you reduced the lists used on a fresh install.

Another idea: have config flavors available with a new download with you only having to update the app, iterating what lists are included off the bat: Adblockplus, Adblockplus+Ads/Privacy, Adblockplus+Ads/Privacy/Malware.

I know you can combo some of these lists (especially the Easylist library) and have the same effect.

There are so many options. Why has this become an old-timey Slashdot debate? Are resources the issue? I can't code but tell me what I can do to help. Hell, I'm willing to watch the lists for you for problems, or updates, if you don't automatically have an automatic way of doing it. Or I can help get resources; whatever. Just know that UBlock is moving quickly, and the only reason why my place uses Adblockplus is because it works on IE, and UBlock skipped and went straight to Edge.

• Terri

[sebastian]

This has been addressed with #6474.

[neelablore]

spam

[neelablore]

spam