Comment by M95D

Comment by M95D 3 days ago

25 replies

View on Hacker News

I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.

Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.

On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestigly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.

noja 3 days ago

How does uMatrix handle the Facebook tracking pixel, or the replacement which is the Conversions API Gateway?

This is a container that FB gives you to host that lives under your domain (it can be your main domain) that slurps up user data and sends it to Facebook from the server side. You embed some JS in your website, and they hoover up the data.

Reply View 3 replies
  • M95D 3 days ago

    It doesn't handle it. Anyway, there's no way to know what a website does on the server site. Even a completely static website could be sending the server logs somewhere.

    There are options to not load JS, images, XMLHttpRequests, frames, cookies, for each site, but it doesn't list individual files.

    Reply View 2 replies
    • noja 3 days ago

      Then why use it? They're number one.

      Reply View 1 reply
      • M95D 2 days ago

        No other extension is giving me control like uMatrix does, even considering it's limits.

        Reply View 0 replies
user070223 3 days ago

uMatrix is archived and I think uBlockOrigin is now advised to use(which incorporate uMatrix by enabling advanced settings)

For those who want to try blocking more stuff you can enable hard mode and bind relax blocking mode keyboard shortcut

I'd recommend also enabling filter lists(I advice yokoffing/filterlists and your region/language)

https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...

Reply View 10 replies
  • M95D 3 days ago

    But uBlockOrigin UI is so much worse...

    Besides, uMatrix works fine. It's that kind of program that doesn't need any updates.

    Reply View 4 replies
    • rapnie 3 days ago

      I would really like an intuitive UI for people who don't want to do 'a project' to get their config tight.

      Reply View 3 replies
      • M95D 2 days ago

        But it is intuitive... I don't know what you mean.

        You can't manage a whitelist with a single big red on/off button, if that's what you want.

        Reply View 2 replies
  • account42 3 days ago

    Until uBO has an even remotely usable interface for this use case people (including myself) will continue to use uMaxtrix or forks of it instead.

    Reply View 1 reply
    • freedomben 3 days ago

      Amen. I would (and did!) switch browsers to continue using uMatrix rather than go without (and uBO is not a replacement)

      Reply View 0 replies
  • Semaphor 3 days ago

    I reluctantly switched to only uBo because of uM bugs. But the UI/UX is just a huge step backwards to enable mobile usability.

    Reply View 0 replies
  • OJFord 3 days ago

    uBO advanced settings still isn't as flexible as uMatrix was though, fwiw. (I did give in and switch in the end though.)

    Reply View 0 replies
quietfox 3 days ago

It seems to try to check if you are using the Burp Suite on their web application.

Reply View 0 replies
samsonradu 3 days ago

How does it manage to hide the requests to 127.0.0.1 from the network tab?

Reply View 6 replies
  • worthless-trash 3 days ago

    The requests are not made, because some operating systems prevent this.

    If you're on OSX, the permission to "discover on the local network" prevents it from happening ( System Settings -> Privacy & Security -> Local Network -> yourbrowser )

    Could also be 'network' permissions on firefox ( Go to Settings > Privacy & Security > Permissions ) which is on a per site level, but iirc that could be set site-wide at some point.

    The other browsers likely have similar configs, but this is what I have found.

    Reply View 1 reply
    • snowwrestler 3 days ago

      Looks like this is new to MacOS 15 Sequoia, as I don’t see a Local Network option in Sonoma.

      Reply View 0 replies
  • M95D 3 days ago

    I have no ideea. Possibly that's a limitation of Chrome+Firefox developer tools (I get the feeling it's the same code)?

    But I found what "burp" is: https://portswigger.net/burp/communitydownload

    Reply View 3 replies
    • culturestate 3 days ago

      It seems like they only make the localhost requests on your first visit. If you open devtools in incognito mode (or just clear the cookies) before accessing https://ceac.state.gov/genniv/ you should see those 127.0.0.1 attempts as ERR_CONNECTION_REFUSED in the network tab.

      Somewhat more worryingly, Little Snitch doesn't report them at all, though that might just be because they were already blocked at the browser.

      Reply View 0 replies
sylware 3 days ago

Whitelisting seems to be the way to go. With IPv6 and OS generated IPs (up to what the ISP domestic router allows) could be very efficient.

Reply View 0 replies