Comment by M95D
5 days ago
I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.
Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.
On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestingly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.
How does uMatrix handle the Facebook tracking pixel, or the replacement which is the Conversions API Gateway?
This is a container that FB gives you to host that lives under your domain (it can be your main domain) that slurps up user data and sends it to Facebook from the server side. You embed some JS in your website, and they hoover up the data.
It doesn't handle it. Anyway, there's no way to know what a website does on the server side. Even a completely static website could be sending the server logs somewhere.
There are options to not load JS, images, XMLHttpRequests, frames, cookies, for each site, but it doesn't list individual files.
Then why use it? They're number one.
> On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network).
That will be this burp: https://portswigger.net/burp/documentation/desktop/tools/pro...
Sounds like they don't want you to analyze their site.
uMatrix is archived and I think uBlockOrigin is now advised to use (which incorporates uMatrix by enabling advanced settings).
For those who want to try blocking more stuff, you can enable hard mode and bind the relax blocking mode keyboard shortcut.
I'd recommend also enabling filter lists (I advise yokoffing/filterlists and your region/language).
https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...
But uBlockOrigin UI is so much worse...
Besides, uMatrix works fine. It's that kind of program that doesn't need any updates.
I would really like an intuitive UI for people who don't want to do 'a project' to get their config tight.
Until uBO has an even remotely usable interface for this use case, people (including myself) will continue to use uMatrix or forks of it instead.
Amen. I would (and did!) switch browsers to continue using uMatrix rather than go without (and uBO is not a replacement)
I reluctantly switched to only uBo because of uM bugs. But the UI/UX is just a huge step backwards to enable mobile usability.
uBO advanced settings still isn't as flexible as uMatrix was though, fwiw. (I did give in and switch in the end though.)
With uBO I can't block cookies by domain.
It seems to try to check if you are using the Burp Suite on their web application.
How does it manage to hide the requests to 127.0.0.1 from the network tab?
The requests are not made, because some operating systems prevent this.
If you're on OSX, the permission to "discover on the local network" prevents it from happening (System Settings -> Privacy & Security -> Local Network -> yourbrowser).
Could also be 'network' permissions on Firefox (go to Settings > Privacy & Security > Permissions), which is on a per-site level, but iirc that could be set site-wide at some point.
The other browsers likely have similar configs, but this is what I have found.
Looks like this is new to MacOS 15 Sequoia, as I don’t see a Local Network option in Sonoma.
I have no idea. Possibly that's a limitation of Chrome+Firefox developer tools (I get the feeling it's the same code)?
But I found what "burp" is: https://portswigger.net/burp/communitydownload
It seems like they only make the localhost requests on your first visit. If you open devtools in incognito mode (or just clear the cookies) before accessing https://ceac.state.gov/genniv/ you should see those 127.0.0.1 attempts as ERR_CONNECTION_REFUSED in the network tab.
Somewhat more worryingly, Little Snitch doesn't report them at all, though that might just be because they were already blocked at the browser.
This is what I see.
https://i.imgur.com/lvjg2YQ.png
Whitelisting seems to be the way to go. With IPv6 and OS-generated IPs (up to what the ISP domestic router allows), it could be very efficient.