Hardened Web Blocker

Feb. 15, 2024 [hardening] [privacy-security] [guides] [libre] [technology]

Many web blocker addons take the approach of selectively blocking resources based on finite blacklists. Some have limited methods for manually selecting items to block, but generally they allow everything by default and only block elements which match some known bad origin. In some cases, these pushover content blockers even accept payment to let through elements they would otherwise claim to block.

We can skip that entire rodeo by using a more robust, default-deny browser firewall like uMatrix. Its strength is in being able to block everything by default, and then allow or disallow each element on a page with granularity. uMatrix is even stronger than the renowned uBlock Origin, and that’s before hardening its default settings!

Install uMatrix and then open its control panel by clicking on its icon. From here, we’re going to configure it to block everything from all web pages except for images and the HTML file itself. The rationale is that much of what we do on the web involves reading text and viewing images, and these both present a very small attack surface compared to CSS, JavaScript and other resource types.

Select the “*” in the upper left to switch to global scope. The cells in the grid below can be toggled to allow (green) or block (red) by clicking either the upper or lower half of the cell. Toggle “all” to off. You may need to disable any green cells in the topmost row and the leftmost column. It should look like this:

Also open the site-wide elements dropdown (three dots) and make sure that the following are enabled:

Click on the lock icon to make these settings persistent. Now when you visit any site, you will see just how much garbage they try to load and how many of their marketing buddies they instruct your computer to report to.

Alternatively, this global ruleset can be configured textually through the My Rules tab in uMatrix’s settings. Delete everything under Permanent Rules and set the following:

https-strict: * true
https-strict: behind-the-scene false
noscript-spoof: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
no-workers: * true
* * * block
* 1st-party image allow

Once configured, there will be certain pages that need additional elements to enable functional interactivity. For example, logging into a bulletin board forum will require cookies to be enabled. Advanced editor features will require JavaScript, unless you have memorized the BBCode tags. Toggle cells to allow resources and then click reload page (rotating arrows) until you get the functionality you need working. If you will be using a site frequently, it may make sense to click the lock to save the working configuration.
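To make the ruleset above and the per-site toggling concrete, here is a small evaluator, added as an example for this post and not part of uMatrix, that reads rules in the same “source destination type action” form and decides individual requests. The precedence it applies is a simplified reading of how uMatrix resolves cells (most specific destination first, exact type before “*”, most specific source scope within a cell; “1st-party” consulted after the destination’s own hostname chain and before “*”), and the first-party test uses the last two labels rather than the public suffix list; both are assumptions of this example. The hostnames, the two forum-scoped allow rules and the request list are constructed for illustration.

```python
"""Evaluator for uMatrix-style matrix rules (added example, not uMatrix code).

Rule line:  <source> <destination> <type> <allow|block>
  source       hostname of the page, or "*" for global scope
  destination  hostname of the request, "*" for any, or "1st-party"
  type         image, script, css, cookie, xhr, frame, ... or "*" for all

Precedence modelled here (an assumption, simplified from uMatrix's behaviour):
  1. most specific destination wins: exact host, parent domains,
     then "1st-party" when applicable, then "*";
  2. within one destination, the exact type beats "*";
  3. within one cell, the most specific source scope wins.
Unmatched requests are blocked (default deny). Switch lines such as
"https-strict: * true" are recognised and skipped.
"""

from __future__ import annotations

# Constructed ruleset: the post's global rules plus two hypothetical
# per-site allows of the kind one saves with the lock icon for a forum.
RULESET = """
https-strict: * true
no-workers: * true
* * * block
* 1st-party image allow
forum.example.org forum.example.org cookie allow
forum.example.org forum.example.org script allow
"""


def parse_rules(text: str) -> dict[tuple[str, str, str], str]:
    """Return {(source, destination, type): action}; switch lines are skipped."""
    rules: dict[tuple[str, str, str], str] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].endswith(":"):
            continue  # blank line or a switch, not a matrix rule
        if len(parts) != 4 or parts[3] not in ("allow", "block"):
            raise ValueError(f"malformed rule: {line!r}")
        src, dst, typ, action = parts
        rules[(src, dst, typ)] = action
    return rules


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels (wrong for e.g. example.co.uk;
    uMatrix uses the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def broader(host: str) -> list[str]:
    """Hostname, then each parent down to the registrable domain, then '*'."""
    labels = host.split(".")
    chain = []
    while labels:
        chain.append(".".join(labels))
        if len(labels) <= 2:
            break  # stop at the (simplified) registrable domain
        labels = labels[1:]
    chain.append("*")
    return chain


def decide(rules: dict, page_host: str, request_host: str, request_type: str) -> str:
    """Return 'allow' or 'block' for one request issued by a page."""
    dest_chain = broader(request_host)  # e.g. cdn.example.org, example.org, *
    if registrable_domain(page_host) == registrable_domain(request_host):
        dest_chain.insert(len(dest_chain) - 1, "1st-party")  # just before "*"
    for dst in dest_chain:
        for typ in (request_type, "*"):
            for src in broader(page_host):
                action = rules.get((src, dst, typ))
                if action is not None:
                    return action
    return "block"  # nothing matched: default deny


def audit(rules: dict, page_host: str, requests: list[tuple[str, str]]) -> dict:
    """Decide a batch of (request_host, type) pairs for one page."""
    return {(h, t): decide(rules, page_host, h, t) for h, t in requests}


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    # Constructed request list resembling what a news page tries to load.
    sample = [
        ("news.example.com", "image"), ("static.example.com", "css"),
        ("news.example.com", "script"), ("cdn.adnet.example", "script"),
        ("pixel.tracker.example", "image"), ("fonts.cdn.example", "css"),
    ]
    for (host, typ), action in audit(rules, "news.example.com", sample).items():
        print(f"{action:5}  {typ:7}  {host}")
```

Running it prints one line per request; only the first-party image survives, which is exactly what the global ruleset is meant to do. Loading the forum page instead, the two forum-scoped rules let its own cookies and scripts through while leaving every other site untouched, because the source column restricts those allows to that page alone.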

But uMatrix really begins to shine when it comes to visitor-hostile sites. One might be pleasantly surprised to learn that without JavaScript or CSS, some paywalled articles are perfectly readable in plain HTML. And enjoy just how much faster and lighter everything is when third-party domains aren’t allowed to deliver their payloads.

Some general tips for running uMatrix:

Once its use becomes second nature, returning to the web without uMatrix might feel a bit like trying to drive a nail with a rubber chicken.