Hacker News
by hedora 820 days ago
Sounds like it might make sense to drop this early hints feature (whatever it is).

I wonder how much longer it will be before the next major escalation happens with ad blockers. I can imagine mainstream browsers that fetch unmodified pages and click ads in the background (to subvert pay per click ad business models and make it harder to compute targeting metrics), but then display an ad/tracking-free version in a separate rendering pipeline.

6 comments

As far as I know, current ad blockers can't block ads from Widevine (DRM protected) streams, so I guess it's only a matter of time until Chromium team comes up with Widevine for webpages and then it's game over for normal consumers.
Didn't they more or less try this with the Web Environment Integrity API? Luckily, people caught on quickly and caused enough backlash for them to abandon it - this time.

I'm not sure how things will work out the next time though.

At least we got some of my all-time favorite GitHub issues tho
Out of curiosity, could you post a couple?
While I know it's evil, I always wished Widevine was an option for creating captchas.

Most captcha solutions are defeated by services like 2captcha.net and generally aren't the most privacy respecting.

Most captcha solutions are also hard for me, but easy for computers to solve. So I really hope their use doesn’t get expanded even further…
"Select every tile with motorcycles", shows an image of a single motorcycle parked on the street. Does the sliver of a tire that shows up in the bottom right tile count, or not? This is never clear, and I end up usually getting it wrong until they show me one that's unambiguous.
"This is never clear, and I end up usually getting it wrong until they show me one that's unambiguous."

While those CAPTCHAs present a surface narrative of you having to get the problem correct, that's not how they really work. After all, it's not like they are creating those problems by hand. They're pushing the images through computers. You don't even know that what the CAPTCHA server considers correct is even close to objectively correct.

Really it's just a hook to engage you to collect a wide variety of streams to try to detect whether or not you are a human, like reaction speeds, how the mouse moves, etc. The correctness of your selection is only one small signal, and not even necessarily a large one.

The answer is, stop overthinking it. Your overthinking it is probably sending a signal that you're not a human because it's got all your timings wrong. Do what most humans do: Halfassedly click at the problem until it seems rightish and then click "Submit". Does the sliver of tire that shows up in the bottom right tile count? The human response to that question is "Who cares you dumb computer let me through to the content already", so, to maximize how human you look to the algorithm, channel your fellow human's feelings. If you feel frustrated at the CAPTCHA problem and wiggle your mouse angrily and maybe overshoot some of the squares you mean to click, so much the better and more human looking.

Interesting, I guess this explains why I can never "solve" the damn things on my desktop. I use an Ultimate Hacking Keyboard which has a mouse layer, so I control the mouse cursor with my keyboard. It means that my mouse always travels in either perfectly horizontal, perfectly vertical, or perfectly diagonal patterns, and at very different timings than a human using a traditional mouse would.

But, it pisses me off to no end that I can't use my fucking keyboard the way it is supposed to be used (which is a far superior design to the "normal" setup) to view some websites because it doesn't "look" human to the fucking server who expects me not to be a statistical outlier. As someone who has always been an outlier, I kind of hate the algorithmic future we live in and are headed even further toward. This is why we can't have nice things.

a tutorial on how to be human on internet
The last time I got blocked by captcha I went through a dozen of them in a row before being told I wasn't human enough (possibly true after 30 years in IT!) and so on principle I reject all websites that include captcha. And anyway, why are we training these image recognition tools for free?
Were you trying to access archive.is using the CloudFlare DNS resolvers?
I have never successfully gotten a “click all motorcycle squares” to succeed. With a VPN, nothing usually works until “click until there are no more X.” It’s so consistent that I’m pretty sure it’s designed that way, since the final task is time-gated.
> With a VPN, nothing usually works until [...]

Bots are very likely to use VPNs, so captcha services make things a real pain in the ass for anyone connecting from a VPN.

It's the same story with Tor. Coming from a VPN/Tor is a strong signal that you're more likely to be a malicious user.

ReCaptcha will serve you impossible captchas (as in it will always behave as incorrect even if the answer is correct) if it doesn't like you.
I've had 'click all the lettuces' - it told me I was wrong for not clicking on a cabbage
It's not comparing your response to some hard truth, it's comparing your response to a typical response. Sort of like how LLMs dish stuff out based on what's probable, not based on hard truth.

So when you fail, it's not really saying you're wrong, it's saying you're not like most.

On these captchas I used to sweat it but now I just think "fuck it" and don't overthink anything. And I always pass, perhaps for a variety of reasons secondary to the actual tiles selected
Which is mostly because computers are good at solving them. A DRM based captcha wouldn't have that issue in theory.
Widevine has already been reverse engineered. You just need to extract a device private key and there are numerous methods for doing so. "Web Environment Integrity" will never work.
It will not work to prevent someone from copying a webpage.

It will work to make ad-blocking difficult enough that most people don't bother anymore.

Widevine (or any other DRM-based "proof of human" solution) would be far less compute-freedom and privacy respecting than a captcha.

Hashcash[1] was invented two and a half decades ago and is still the best solution. It doesn't require manual work or user privacy invasion and deters mass spammers.

[1] https://en.m.wikipedia.org/wiki/Hashcash

Captchas can be forwarded to other people. Think of things like VNC.
I'd prefer to see proof-of-work based captchas. I'd much rather give up 10 minutes of CPU time for a token that can be revoked as soon as I actually use it for evil than give up all of my privacy (and two minutes of my personal time) for the privilege of using your annoying website.
Proof of work captchas are pretty hard to tune. You need it high enough to deter spammers (who can pre-compute and don't care about latency), but low enough not to deter real users on low powered devices who are using your site live and get more frustrated every second they have to wait.

It might work for spammers who really are just making billions of attempts, but then again if they are making that many attempts then you can block on the IP level.
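
A sketch of the Hashcash-style proof of work discussed in this thread, added here as an example and not code from any commenter or from Hashcash itself: the server signs a fresh challenge so that stamps cannot be precomputed long in advance, expire, and are single-use. It uses SHA-256 rather than Hashcash's SHA-1, and the function names, key handling and 120-second lifetime are assumptions.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: per-process secret for signing challenges
_spent = set()               # challenges already redeemed (replay protection)

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def _zero_bits(data):
    """Count leading zero bits of SHA-256(data)."""
    bits = 0
    for byte in hashlib.sha256(data.encode()).digest():
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def issue_challenge(bits, now=None):
    """Server: fresh challenge 'bits:issued:nonce:tag'; difficulty is signed too."""
    issued = int(time.time() if now is None else now)
    body = f"{bits}:{issued}:{os.urandom(8).hex()}"
    return f"{body}:{_mac(body)}"

def solve(challenge):
    """Client: brute-force a counter; expected cost is about 2**bits hashes."""
    bits, counter = int(challenge.split(":")[0]), 0
    while _zero_bits(f"{challenge}:{counter}") < bits:
        counter += 1
    return counter

def verify(challenge, counter, max_age=120, now=None):
    """Server: one MAC and one hash, however long the client worked."""
    now = time.time() if now is None else now
    try:
        bits, issued, nonce, tag = challenge.split(":")
    except ValueError:
        return False
    if not hmac.compare_digest(tag.encode(), _mac(f"{bits}:{issued}:{nonce}").encode()):
        return False                      # forged or edited (e.g. lowered difficulty)
    if now - int(issued) > max_age or challenge in _spent:
        return False                      # stale (precomputed earlier) or replayed
    if _zero_bits(f"{challenge}:{counter}") < int(bits):
        return False                      # not enough work
    _spent.add(challenge)                 # single use
    return True
```

Each extra bit of difficulty doubles the client's expected work while the server's check stays constant, which is the tuning knob the comments above are arguing about.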

This is basically how Apple does things. Instead of proof of work, they bake the tokens into devices.

The basic idea is that they'll happily let you sneak a few spam messages through iMessage if you're willing to spend a few hundred dollars on a burner iPhone. This is one reason why they're so resistant to allowing gateway protocols between iMessage and third party devices or RCS.

That is what those Cloudflare "checking your connection before proceeding" pages are doing.
Spammers would actually prefer it I think. I think for each captcha solved, spammers are ready to pay more than real users (be it electricity or real money). They were already paying real humans before AI became good enough for solving captcha.
Spammers are probably not using their own computer or electricity, so this would be very attractive for them.
No, it would not. Spammers are still paying for the devices - most botnets are built and used (to spam) by different actors. Systems that require more computational power to spam take up more of their resources, making spamming significantly less profitable.
If an ad can be rendered on a page or if it uses audio it can be blocked. We have it easy right now with how trivial it has been to block ads, but we could face off against rendering and wiping them in real time if we need to.
Not really. Modern DRM uses Intel ME / AMD / ARM equivalent. These execute code the OS doesn’t have privilege to access.
Oh really, that's news to me. I thought one could always read the video frames one at a time.
Nope, it gets access to its own framebuffer that’s composited in the GPU. OS sees a black viewport, and only a black viewport.

The comms is encrypted on the bus using strong cryptography, so you can’t sniff it.

All these software blobs are signed and encrypted, you can’t replace it without the signing key.

Thanks for letting me know! Really interesting stuff.
> As far as I know, current ad blockers can't block ads from Widevine (DRM protected) streams, so I guess it's only a matter of time until Chromium team comes up with Widevine for webpages and then it's game over for normal consumers.

Only where the adverts are embedded with an encrypted single stream.

Hard to do targeted advertising that way though.

It is a lever that you can pull that's better than nothing though.

Most modern video formats allow you to splice multiple videos together without recompressing, so long as they use the same codec, resolution and framerate and you do it at an I-frame.

So long as you can run code on your CDN edge servers - which Youtube undoubtedly can - there's no technical reason this couldn't be done.

That'd be a good reason to finally break Widevine.
It's only a matter of time before I get an AI-fueled graphics overlay that eliminates anything that looks like an ad from my screen (click to reveal false positives), and then it's game over for advertisers.

Hopefully HDMI/HDCP splitters will add an adblock feature as well.

Until quantum computing becomes mainstream and then consumers can break drm on the fly!
You don't need quantum computing. You just need a debugger. The user already has the encryption key, else they would not be able to see the content.
Widevine has different levels. In level 1 & 2 the key is in a TPM.

Even for level 3, I can only imagine that the amount of obfuscation must be pretty intense.

"Post-Quantum" crypto is already being rolled out in expectation of that though.
They already tried with the Web Integrity Environment, but it wasn't very popular.
By the time that happens my hope is that we might have the new GPT-5 with personal agents curating information for us.
I already have a personal (NSA) agent that does this for me.
I'm not sure if I missed a joke about the NSA, or if there's a computer agent you use, in which case I'd love to hear about it.
Hmm... For example which sites?
Don't be evil.
Even without early hints, I assume you could do the same thing with the Link HTTP header.

Or if you really don't care about performance, just loading the start (e.g. <head>) of the document and wait a little bit to see which subresources are loaded.

Yep that also works, I've made a proof of concept for that ages ago https://github.com/Mechazawa/pixelAntiAdblock/blob/master/ap...
Yeah but the critical piece here is loading Early Hints happens before the HTML is sent to the browser. So the server can change the HTML of the page based on what the browser does. (I wonder about the performance impact of this though.)

Trying to detect adblock via a <link> (or an <img> or a <script> etc) means you have to do the check in javascript, which can be manipulated by the browser.

No, not necessarily.

With the link http header (different from the <link> tag) you just send the http headers, but can still change the response body based on what the browser does.

Alternatively, by sending just the start of the document, then pausing, you can change the rest of the document based on what the browser does with the start, since browsers start loading css/js referenced in the document before the main document completes loading. (Before web sockets were a thing, this was basically the technique used for that sort of thing, called "long polling")

None of this requires javascript.

You can send some content (<link>) and then wait for something else to happen (prefetch) before you continue sending the rest of the content (the page).
AdNauseam does just that. It clicks the ads before blocking them (possible to whitelist non-tracking ads). It's a fork of uBlock and what I replaced the uBlock with on my phone and PC.

Sadly, it doesn't do clicking in the private browsing mode, which I usually use not to crowd the browsing history with hn and other forums' articles.

Are you sure you haven't just forgotten to enable the extension in private browsing? Their FAQ suggests that you can enable it for private browsing, but it's not on by default.
I'd be worried I'd get blacklisted by cloudflare etc with maximum prejudice.
I don't understand how this feature even came to be. Presumably these resources are cached (it's going to be used for static resources; for dynamic ones, you'd need to have already performed the request on the server to figure out what to send, so you'd just send the response). So what, you're saving 5 ms off the first page load? Assuming it's not already a static response, in which case again you'd just send it.
Given the web industry's obsession over reducing TTFB as much as possible, I bet no one would use this trick to avoid tanking their web vitals score.
TTFB's role in the overall time to a usable web page has dramatically decreased. Instead of being the primary driver in display of mostly static sites, the role is smaller now due to the increased compilation/execution time of client code.
Meta and Apple are pushing their AR (advertising required) goggles because they are locked-down systems where it is even more difficult to block ads.
Safari on visionOS supports Content Blockers and extensions just like on every other platform. In what sense is visionOS any different from iOS or macOS in this regard?

EDIT: I suppose the developer of the content blocker needs to already have an iPad version and check the “visionOS” box, but Apple has made this extremely easy and it’s in both Apple and the content blockers’ interest to release a visionOS version.

"Content blockers" are trivial to bypass though. It's a half-assed "solution".
In 9 years of using content blockers I've come across I think one site that eventually prevented ad blocking without resorting to JS: YouTube.

That's it. I've occasionally had to add a custom blocking pattern but essentially nothing else has been impossible to block.

I can't think of many other "half assed solutions" that have worked as advertised for almost a decade.

What do you mean? Safari also supports regular WebExtensions for advanced blocking. I truly don’t know what you’re referring to.
It's even more limited than MV3, let alone MV2