Cool hack overall, but some of the statements about protobuf strike me as odd.
> Exploit a Protobuf Flaw to Easily Remove All Ads by Changing One Byte
He's intentionally corrupting the tag on one field of the protobuf. The "flaw" is apparently that Protobuf ignores tag numbers it doesn't recognize. But that's not a flaw, it's a core design feature of Protobuf, designed to allow extensibility.
> Notice how the Protobuf response payload is 1.87 MiB? As I said, Google makes it computationally expensive to decode, alter, and re-encode without the C++ source proto files, but a quick linear scan takes no effort at all.
1.87MB is not that big, and presumably these messages only come through occasionally, not in a constant stream, so I'm a bit perplexed about the purported performance barrier here.
The text seems to be claiming that Protobuf encoding is designed to be expensive to decode, but it's actually the opposite, Protobuf is intended to be efficient to decode.
He says you need the source proto (schema) files to make it efficient, but this isn't really true, you can decode directly into UnknownFieldSet easily enough.
Or better, he could have written his own fake .proto schema that covers just the one field he is aiming to remove. This would have been much less error-prone than the string-scanning approach which could accidentally match other data where the same byte sequence happened to appear by coincidence.
> While computationally expensive, decoding, editing, and re-encoding without the original schema leads to a modified encoding. This is likely because we cannot detect if ZigZag encoding is being used, or if a number is an int32, int64, sint32/64, varint, etc., plus the order of object fields is normally non-deterministic. Here is some Protobuf trivia on the matter:
I think he's misunderstanding here. The point is that the Protobuf encoder is allowed to encode fields in any order, hence decoding and immediately re-encoding a message can lead to different bytes. But, the receiver is supposed to treat the message the same regardless. It's unlikely that the YouTube app is going to notice if the field order changes.
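The contrast drawn in the comment above between scanning for a byte sequence and decoding without a schema, as an added example (not code from the article, the commenter, or the protobuf project). It walks the top-level wire format with no .proto file and drops one field by number, leaving every other field byte-for-byte intact; the field numbers and the sample message are constructed for illustration.

```python
"""Schema-less protobuf wire-format walker (added illustration)."""


def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:  # a protobuf varint is at most 10 bytes
            raise ValueError("varint too long")


def write_varint(value):
    """Encode a non-negative integer as a varint."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def iter_fields(buf):
    """Yield (field_number, wire_type, start, end) for each top-level field.

    No schema is needed: the wire type in the key says how long the value is,
    which is also how a real decoder skips field numbers it does not know.
    """
    pos = 0
    while pos < len(buf):
        start = pos
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 0x07
        if wire_type == 0:        # varint
            _, pos = read_varint(buf, pos)
        elif wire_type == 1:      # fixed 64-bit
            pos += 8
        elif wire_type == 2:      # length-delimited (string, bytes, sub-message)
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type == 5:      # fixed 32-bit
            pos += 4
        else:                     # groups (3/4) are not handled in this sketch
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
        yield number, wire_type, start, pos


def field_offsets(buf, field_number):
    """Offsets where field_number really starts at the top level."""
    return [s for n, _, s, _ in iter_fields(buf) if n == field_number]


def drop_field(buf, field_number):
    """Remove every top-level occurrence of field_number, keep the rest verbatim."""
    return b"".join(buf[s:e] for n, _, s, e in iter_fields(buf) if n != field_number)


def naive_offsets(buf, pattern):
    """Every offset where pattern occurs, with no knowledge of field boundaries."""
    hits, i = [], buf.find(pattern)
    while i != -1:
        hits.append(i)
        i = buf.find(pattern, i + 1)
    return hits


def ld_field(number, payload):
    """Encode one length-delimited field (wire type 2)."""
    return write_varint((number << 3) | 2) + write_varint(len(payload)) + payload


# Constructed sample message (hypothetical field numbers, not YouTube's schema):
#   1: title string, 2: varint, 7: 32-byte blob to drop, 3: language string.
SAMPLE = (
    ld_field(1, b"Episode 4: The Return")
    + write_varint(2 << 3) + write_varint(150)
    + ld_field(7, b"P" * 32)
    + ld_field(3, b"en")
)

# Field 7 with a 32-byte payload starts with bytes 0x3A 0x20, which is ": " in ASCII.
PATTERN = write_varint((7 << 3) | 2) + write_varint(32)

if __name__ == "__main__":
    print("byte scan hits:   ", naive_offsets(SAMPLE, PATTERN))
    print("real field starts:", field_offsets(SAMPLE, 7))
    stripped = drop_field(SAMPLE, 7)
    print("remaining fields: ", [n for n, *_ in iter_fields(stripped)])
```

The byte scan reports two hits because the title string happens to contain the same two bytes as the field 7 header, while the structured walk finds only the real field.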
Brilliant response and observations. I’m not sure I’d agree with this one tiny assertion though:
“1.87MB is not that big”
I have lived in rural communities most of my life and unless I’m on my own Wi-Fi, this actually is a big file to download. Maybe they have a workaround for mobile?
Mostly I just want to add that rural Wi-Fi still struggles with Web 2.0 architecture. More often we’re operating on 2-4G speeds.
Although if you’re in any kind of metro area with a population that supports better infrastructure, 1.87MB has mostly become a small file size. Except maybe at 6pm when everyone on your cable trunk is streaming content. :)
I'm also in the rural 'my ISP is a WIFI ISP' boat.. I pay for 10/2! While they do burst it's not uncommon for my speeds to dip down into single digits. Sometimes I have to tune my video streams down as low as they'll go. Packet latency can frequently be so bad that playing online games is VERY DIFFICULT so I mostly play single player, downloads of new games often take 24 hours+.
My ISP when I talk to them about their speed issues "Well, 7mbps is all you need to stream Hulu", which is.. a terrible response. Want to do something else while streaming? What if _two_ people want to stream? What if I want to stream a video while my partner is playing a game online?
Ads are simply a _HUGE WASTE_ of my bandwidth, so I filter as much as I can.
If I were to keep my insurance policy number in my car in the form of 9 bricks with a number on each one, I honestly wouldn't notice. The car would seem to drive exactly the same. There are even plenty of dead spaces to hide them where they wouldn't even noticeably consume cargo space.
Yet for some reason I will not place 9 unnecessary bricks in my car, nor tolerate them if I discovered them already there.
I used to stream all my videos 144p less than 5 years ago because streaming any higher resulted in a stuttering buffering mess. YouTube was the only streaming service I could watch because most other sites didn't bother with resolutions/bitrates so low. Maybe that's why YouTube won out. Much like how WhatsApp made it their mission to run on every phone they could get their hands on.
Now we have proper internet I don't, but don't for a second doubt that a sizable portion of the internet still suffers from slow speeds, even those living in developed countries.
As others pointed out, the article was talking about it as a CPU processing constraint, not a bandwidth constraint. In that context, it's not much. I do agree that it seems like an excessively large amount of metadata to be downloading just to play one video.
1.87mb is the size of the encoded protobuf. Almost certainly, it is being sent over a compressed connection, and I bet there is a lot of easily compressible string data in there, so the size over the wire is probably closer to 500k (just guessing).
It may be a big download depending on your bandwidth (which you're already doing if you are streaming the video), but it's not big in terms of a CPU trying to parse a protobuf. If you are decoding streaming video from YouTube, the extra CPU power needed to decode a protobuf of that size is barely going to qualify as a rounding error.
It's a little weird on HN to see someone refer to "rural wifi". Unless you're talking about a relatively rare form of mesh networking, there's not really any such thing as rural wifi, at least not in the sense that it's different from any other kind of wifi - a very local RF network designed to share an access point. I assume you're using wifi as a stand-in for "internet" or "broadband".
4G speeds are completely fine for watching video - I do this often in very rural locations using a Verizon hotspot (4G only). Sure, less than that is problematic for video, but 1.87MB is still small over 3G.
I would guess he’s referring to a shared wifi network that connects to the internet through a low bandwidth link. That’s pretty common in small villages where I live.
1.87MB is definitely not small over a bad 2G link that you’re sharing with other people.
I can’t imagine a scenario where someone with that setup would be streaming YouTube often enough to spend the effort to block the ads. Seeing one ad a month isn’t worth the effort to manage YouTube ad whack-a-mole.
Having worked for an internet service provider, it's common for people to literally refer to their internet connection as their "wifi" and fail to differentiate between their network and their upstream connection or even fail to differentiate between more obvious categories of things like their computer being able to turn on and "the internet". Their mental model isn't a graph, it's an amorphous blob.
It's humorous if you ask them if they have a wire and wired device to test, they frequently act as if you're asking them if they have a vacuum tube or a teletype. Meanwhile they frequently struggle with wifi configuration problems with devices that are 3 feet from one another.
> Unless you're talking about a relatively rare form of mesh networking
It’s not rare. Ubiquiti is very popular for setting up point to point links getting a single internet connection shared amongst a bunch of rural homes.
We have a small house in Cerrillos NM that has point-to-point networking, run by a co-op (shout out to La Canada, great people). But my experience has been that this is fairly rare - La Canada is the only example I know in NM for example.
Also, this isn't my understanding of what "mesh networking" really is. It's just providing RF access to a single wired access point. But it could be that I don't understand what mesh networking actually is.
In Australia, NBNCo (our national wholesaler) provides a 'fixed wireless' solution for pretty much everyone rural. "Rural wifi" would be a valid synonym, just as "wifi" is a valid synonym to "Wi-Fi" to you. This is different to 4GLTE etc.
My friends house sat for the chair of my university's Computer Science department. This was in Arkansas, and he lived a fair drive away from the university. He had a data cap of 15GB a month.
The characteristics of the systems we use control the usage that we make of them. Not having fast internet means you don't do the kinds of things people do with fast internet.
It's more likely that people play console games they can buy on disk at walmart. Another alternative would be to use a pirated version that is highly compressed with extra crap removed. For instance fitgirls has a version of forza that is only 67GB. There are times when it might actually make sense even to buy a game to support the dev AND still pirate it.
So what can we do about the situation? Obviously we can continue to expand faster internet but as developers maybe we should offer our own compressed version if we can't bring ourselves to economize in general. For instance some games that top 100GB have 10s of GB of uncompressed audio that could profitably be reduced. We can ensure that locale specific content like languages can be disabled. We could break levels into content packs that can be downloaded AS the game is used. Maybe that 120GB can be reduced to 60GB of which 20GB needs to be downloaded immediately to start playing? How many users play some of a game and move on? My bet would be a LOT.
Shameless plug: I wrote a project to generate source proto files from binaries called protodump [1] - it regenerates all the message/field definitions (including the original names). It would just require pulling the binary off the AppleTV box
Hey, that’s really cool! Upvoted! What binary formats are supported? - I couldn’t see that in the README and I’m guessing it isn’t universal (though I could be wrong!).
As for this specific context, presumably at least the bulk of the fields are shared between YouTube clients across architectures and platforms - it might be easier to just run the dump against binaries extracted from the YouTube apk than getting the specific Apple TV YouTube app binary. (For iPhone, you can just make a full iTunes backup but for Apple TV I imagine you’re going to need to do some forensic binary spelunking.)
It looks like it is in fact universal. Just glancing at the code here, it looks like the tool searches any arbitrary file for bytes that look like encoded protobuf descriptors, specifically looking for bytes that are plausibly the beginning of a FileDescriptorProto message defined here:
This takes advantage of the fact that such descriptors are commonly compiled into programs that use protobuf. The descriptors are usually embedded as constant byte arrays. That said, not all protobuf implementations embed the descriptors and those that do often have an option to inhibit such embedding (at the expense of losing some dynamic introspection features).
What an understatement. For those unaware, Kenton made protobufs to what they are today.
Protobuf was my first dip into what are IDLs; it seemed like a magical idea at the time (having discovered protobuf after writing my own rudimentary IDL first, protobuf was amazing).
I had much the same points of confusion when reading this. It's not like the design principles behind Protobuf are a secret. This is all documented plainly.
I've been MITM'ing my traffic to, among other things, strip ads and rewrite pages with things like custom CSS, ever since I discovered The Proxomitron over 2 decades ago. It does tend to get me profiled as a "bot" by CloudFlare and such, but there are not-so-trivial ways around that too. It also shows why things like remote attestation are hazardous for user freedom.
Googling this, development ended in 2004? An informed summary of the current state of play would be interesting, since a lot of different "continuations" of it seem to be around. Also, is it Windows-only? (I've been casually looking for a simple proxy that would enable injection of local links into remote content.)
Adguard seems to offer blocking only, whereas Privaxy "is able ... to inject scripts as well as styles into HTML documents", which was the feature my comment expressed interest in.
The readme goes on to say: "Privaxy is also way more capable than DNS-based blockers as it is able to operate directly on URLs and to inject resources into web pages."
In this case "incorrectly" is what makes it possible to find it, search-engine-autocorrect-stupidity aside. The name is obviously a combination of privacy and proxy. There's another one called Privoxy which works on similar principles.
Network level ad-blocking like Privoxy and pi-hole have so many downsides like they can't handle inline adverts. My pi4 pi-hole is unplugged right now because it just didn't work well. After hours wasted trying to make it work with all the services, I've thrown in the towel. The time involved is just not worth it for a home network.
What works are browser based ad-blockers and app patchers like ReVanced. As my savings have gone up, I've relied more and more on just paying for ad-free services like YouTube Premium, Hulu, Netflix, and Max for the cases those 2 can't handle.
I think this is an unfair critique of the PiHole and I believe you’re throwing the baby out with the bath water. The PiHole blocks DNS and that’s all it’s designed to do, and it does it well. There’s a grandiose amount of telemetry, marketing, and general unsavory traffic flying through your network that didn’t originate from a browser. The PiHole is not exactly a turnkey solution and does take some adjusting to your preferences, but once you get it set up, you basically only have to touch it to do system updates.
The problem is that unless you're willing to do surgery on a regular basis as you come across blocked sites, PiHole is going to cause more problems than it solves when you have your entire family using it. Even google stops working correctly because results for products on the front page start leading to blocked links. I like PiHole, but I had to stop using it because it was so aggravating for my wife.
I used a PiHole for a while but after a corrupted SD card I said screw it and started using NextDNS. I have very few subscriptions, in fact nothing else except Spotify, but this one was worth the time saved and hasn't required any maintenance on my end.
How heartwarming that they run such a wonderful service purely out of the goodness of their hearts, with no income from it, and no expectation of financial compensation.
It forms the backbone of their paid AdGuard apps on iOS, MacOS and Android. Those apps create a loopback VPN on your system so they can reroute the DNS requests to AdGuard DNS.
I have our PiHole set up with just ad lists, not trackers or privacy. I follow that up on my own devices with uBO with more thorough lists, but this way my whole family gets ad protection rather than nothing.
I’m a novice, and figured it out and have zero maintenance. Unless you count occasionally updating pihole every now and then. I have a word file with all my exceptions (mostly white lists for Microsoft gaming stuff my kids want) in the event I ever need to reload (ever since I switched to a better SD never have had corruption issues). I understand the spouse issue, mine loves clicking ads on her phone. Easiest workaround is to pop off WiFi click link then go back to WiFi.
This is not my experience. Pihole works flawlessly for me and it’s sitting in my closet connected to my cable modem. Haven’t touched it in a year. No broken mainstream sites and I’m blocking telemetry and other crap from apple, Amazon, google, Netflix, Hulu, Wyze, etc. related to advertising and device analytics trying to profile my usage. Pi-hole has been a blessing in the war on privacy and targeted advertising.
Likewise. My biggest tip is set your secondary DNS to something outside your networks so if your pi-hole goes down your entire network doesn’t go down you just get ads.
I’ve been using NextDNS for a few years now. I don’t have time to mess with an ‘on prem’ solution.
It works really well and is simple to manage. It runs on my mobile devices easily.
I turn it off occasionally to shop, but immediately turn it back on as the internet is a whole different place without some sort of robust ad blocking.
It’s nice to see the logs fill up with blocked telemetry and other crap all day.
Fair enough, but I've been super happy with the ability to do network level blocking; if you're willing to decrypt your own traffic, you can even do things like strip advertisements from getting embedded in Smart TVs and whatever else you have connected to your insecure network partition. I like it that I can hook up some random Roku and I won't get ads. Or my kid can connect his school laptop to our network and it won't get ads.
It’s $18.99 a month for an individual, I agree with your sentiment but really don’t feel like it’s that inexpensive. Then again I don’t consume large amounts of YouTube as most people seem to do.
"Corporate MITM" is built into the very idea of PKI. Running your own custom PKI is a completely valid way to operate a network. This is a feature because it allows anyone to establish their own trust tree, completely outside of the public certificate trust network.
"Regimes" sounds pejorative but in truth, companies have a duty and in many cases a legal obligation to protect their networks. Prima facie, I don't see any reason at all why interception of traffic in this circumstance is "bad," except maybe a potential for political misuse like any other written medium.
I actually think the reverse would be substantially worse: if _only_ the public trust chain was valid in major browsers, we would be completely hosed and there would be no distinguishing factor at all between remote attestation and trust.
Thus, corporate TLS interception is, at worst, a necessary byproduct of a very well chosen tradeoff.
I have a minor quibble with "my network". You should have the right to intercept the traffic originating or terminating at your devices, but not to intercept any traffic going between other people's devices just because it's on your network.
Hah, remember how Amazon invented "Cyber-Monday"? They claim the Monday after Thanksgiving when people go back to work it'll be their first encounter with Internet-connected computers after the Thanksgiving vacation, and it's the time where they'll be most busy shopping for Christmas presents...
Amazon was barely a blip when Cyber Monday first came out, let alone the inventors of the term.
> The term "Cyber Monday" was coined by Ellen Davis, and was first used within the ecommerce community during the 2005 holiday season. According to Scott Silverman, the head of Shop.org, the term was coined based on 2004 research showing "one of the biggest online shopping days of the year" was the Monday after Thanksgiving (12th-biggest day historically). Retailers also noted the most significant shopping period was December 5 through 15 of the previous year. In late November 2005, The New York Times reported: "The name Cyber Monday grew out of the observation that millions of otherwise productive working Americans, fresh off a Thanksgiving weekend of window shopping, were returning to high-speed Internet connections at work Monday and buying what they liked." At the time, a lot of people had slow Internet at home. The idea for having such a holiday was created by Tony Valado, in 2003 while working at 1800Flowers.com, and coined "White Wednesday" to be the day before Thanksgiving for online retailers.
Privacy of communications is a protected right in lots of jurisdictions, not by default overridden by employer interests. From a values pov it makes sense as well, privacy is a human right and the fact that you're at work doesn't invalidate that, social interactions at work can be of a personal nature that is good to keep confidential.
> We consider an HTTPS connection to be intercepted when there is a mismatch between the expected client request signature corresponding to the browser identified by the User Agent, and the actual client request fingerprint of the request.
Sounds like something that would be "trivial" to defeat, by means of "emulating" other TLS implementations more closely?
Presumably so. You'd just need to compile the curl-impersonate for the appropriate browser you want to impersonate, and then link it in to a proxy that used libcurl for its https traffic.
Since you’re not a Cloudflare customer, you need to think like a customer who is using Cloudflare’s bot protection. Do you want to filter people who are blocking your ads through mitm? I would guess yes.
99.9999% of humans won’t be decrypting protobuf traffic but a large % of bots are out of necessity to interact with the website. That’s what I’d call a good filter.
I haven't thought about Proxomitron in about two decades - are you still using it? I never used it for anything you described, but it was great to use as a proxy with our company firewall. Many programs back in the day couldn't connect with the Internet because our firewall back then required login information to make outbound connections.
Yes, and this also answers the other comment about what else I MITM for: blocking devices that I can't inspect the traffic of is another reason, since the proxy is the only way out of the network.
Pardon the lay question, but is it really the only way out of the network? Can't programs initiate connections while skipping the system-wide configured proxy?
Hm, I have to see if Mikrotik has rule syntax for this. I can already force every app who thinks they will use their own DNS server to use mine but not sure how I could do the same with a proxy. Maybe just force ports 80 and 443? But what's stopping these apps to communicate on non-standard ports?
There's no reason to allow arbitrary traffic in either direction other than convenience. If you want a more secure network, you block everything by default and narrowly open as needed.
MITM is kind of a silly term for what the computer owner is doing when using a forward proxy. If the computer owner binds the proxy to a localhost address, the unencrypted requests need only go over the loopback. There need be no unencrypted requests travelling over the LAN. The computer owner, the "MITM", is on their own computer sitting in between an application and the network interface. That is exactly where they should be, IMHO. Corporations do it. They own the computer and they own their internal networks. It's no different for home users. And WFH is blurring the distinction anyway.
Once the requests leave the computer and travel onto the internet destined for another computer, then of course "MITM" makes sense as a concept. We all want to prevent that.
The computer owner controls the proxy and it's the proxy, not the untrusted application, like a "modern" web browser for example, that handles authentication of the remote peer. Compiling and fully controlling a "modern" browser is a PITA. Almost no one does it, even software developers. Instead people beg for an advertising company or their partner to make changes to a browser. That does not seem to work. Sometimes when people complain it stops the company from making undesired changes. But only temporarily.
Whereas compiling a proxy is easy and the user can fully control it.
Having used many different applications that implement support for TLS, I actually trust the proxy's implementation more than most applications. It's arguably easier to audit one program, the proxy, than it is to check every application to make sure the developer didn't make a mistake when adding TLS support. I recall socat as one example. That mistake went undetected for a long time. Elinks was another. At the time, it was dropped from OpenBSD ports as a result.
For any gamers out there, Reshade's installer is another example where TLS isn't implemented properly. It fails to download effect/shader packages for basic setup on up-to-date Windows machines because it requires that you disable TLS 1.3 globally on Windows so it can use 1.1 or 1.2.
I never heard of reshade before but that is quite crazy. The only explanation I can think of is that the backend they connect to implements TLS 1.3 but in a broken way (because the client crypto lib would otherwise fall back to TLS 1.2 on its own) which really makes you wonder just how broken the crypto impl on their servers is and how many vulnerabilities they’re wide open to.
TLS 1.3 is IMHO still too new to have stabilised and had all the edge-cases worked out. 1.2 was first released in 2008 and only started becoming a requirement more than ~10 years later. I'm not sure how the situation with 1.2 was but I know there were several draft versions of 1.3, which do not interoperate yet had public implementations. That might be what's happening there.
No, actually it just needed to be well-formed. UA headers follow a certain format. Some folks like to try to "blend in" and use known headers seen in the wild but personally I like to make up new UA headers that reveal nothing, not even fake details. On the whole, I very rarely send a UA header. The number of sites that demand one is very small for me. I had just assumed Cloudflare was doing TLS fingerprinting or something more involved than just checking for presence of a UA header. But it worked. The StackExchange family of sites is one example where a UA header is needed. They will block otherwise. Not using Cloudflare to do the blocking though.
This reminds me of a now-dockerized Privaxy, which is a UBlock-origin blocklist compatible MITM proxy. It’s crazy to see how many ads and tracking scripts are on smart products, especially my TV where so far in my testing it’s over 40% unnecessary traffic. It's been pretty fun to try and strip out ads on my smart-tv apps.
It would not surprise me if most TVs don't check. I remember LG or Samsung using unencrypted FTP to upload viewing data a few years back, so unverified TLS would be an improvement >_<
I'm pretty sure they don't check certs. If they did, there would be many corporate networks and even entire countries where they wouldn't work, because they use DPI on all inbound/outbound connections with SSL stripping.
Definitely should be checking certs, though I always worry about the flip side of these device security decisions. If there is no way to update the trusted root certs, your TV becomes terminally ill with software ewaste disease when the manufacturer updates stop coming.
I really don’t like hardware becoming waste because we don’t have a better iot cert pool update story
I trust YouTube to know how to bake their own cert and trustworthy tls libraries into their apps but I’m not sure if that’s common in other apps
At that point, cut all its connections from the Internet and use it as a dumb panel. Many people will say you should have never connected it in the first place anyway.
You can always use a streamer box (custom Linux one, Apple TV, Fire Stick, etc) to give it "smarts".
I have asked this question repeatedly every time someone mentions inspecting TV meteor requests via a LAN proxy and never received a satisfactory answer..
If there are known exploits for the TV (a bunch are now running old and unpatched Android), the answer is easy enough (root it and do what you want - though that opens different and maybe easier options for ad stripping), but I’ve heard of it on Apple TV where jailbreaking isn’t so easy. Perhaps MDM deployments?
TL;DR it involves using Apple Configuration to make a custom mobileconfig profile to point to your proxy and then also installing the certificate with the same method.
Aha it’s awesome to see you here on HN too! Thanks for bringing up that filter list pinging. Been meaning to change the fork to stop using the hardcoded address of 0.0.0.0 on the front end so we can truly isolate the docker container but life gets in the way. Have you tried this on an Apple TV?
Of course! I’ve been wanting to run this for my Apple TV devices for a while now. tvOS itself doesn’t really have ads, but the third-party tv network apps have a lot of ads and tracking services which is what I wanted to work on stripping out.
I have it working for a few TV Everywhere compatible apps, but some are proving to be more difficult than others. I may have to do some other TLS inspection with mitmproxy and figure out what needs to be removed with the custom uBlock filter syntax option.
Fork author here. It’s a bit more nuanced than that. The original version originally came with a webui that was removed upstream and replaced with a desktop app. The way it was written, there was some modification required to make with docker which was a popular request from the users. The desktop app isn’t dockerizable so this can’t be merged upstream.
Fwiw I’m familiar with docker and I certainly wouldn’t have understood it that way if you hadn’t said so. I wonder why they can’t just upstream the web gui either in addition or instead of the existing one.
This write up is a great answer to the often-asked question “how do I learn to be a hacker?”. It does a great job of demonstrating the thought process and painstaking work that goes into any exploit.
> We’re going to use WireGuard – we have the Intel AES-NI crypto instruction set
WireGuard doesn’t actually use AES, as far as I know.
In general, it seems like the author somewhat overestimates the CPU requirements for TLS encryption (or equivalently underestimates modern single-board computers):
> The CPU requirements to decrypt and re-encrypt HTTPS traffic greatly exceed those available to Raspberry Pis.
I'd be really surprised if MITMing TLS on an RPi 4 was actually infeasible, even when using RSA cryptography purely in software.
There are Android phones still in use with weaker CPUs than that of the RPi 4, and these use TLS too.
I think you're underestimating the CPU requirements. If a weak Android phone is only able to decode 50Mb/s of TLS traffic, that's not a big problem in practice. It's a slow phone, usually connected to slow networks. On the other hand, if you have a gigabit internet connection at home and it is being bottlenecked to 50Mb/s by that weak device sitting between all of your computers and the internet, then that is a big problem.
The CPU requirements for TLS are extremely dependent on the desired bandwidth. At even higher bandwidth, offloading onto accelerators becomes important to be able to do it at all. The cost of handshakes is also nontrivial, and can limit the number of connections per second. For a single device, rarely a big deal. For an entire network of devices, it can be a bigger problem.
> If a weak Android phone is only able to decode 50Mb/s of TLS traffic
That's a lower, not an upper bound.
An RPi 4 can encrypt/decrypt AES-256-GCM at more than 300 Mbit/s, according to my rough measurements. That's per core, of which it has four.
RSA can be much more expensive, but that's beside the point – the author was claiming that AES-NI makes a meaningful difference here, which I'd really doubt even in the case of TLS. (As mentioned above, it can't help at all for Wireguard.)
Which only matters for multiple concurrent connections... a single download would still be a sequential task on a single core at 300Mb/s, which I would find to be an unacceptable bottleneck on my gigabit connection.
In reality, it would probably only be 300Mb/s for up to 2 connections, since it needs to both decrypt and reencrypt, which could be parallelized onto 2 cores, otherwise 150Mbps for 4 connections if each connection was handled only on a single core.
Either way, it would not be possible to MitM 1Gbps of traffic on a Raspberry Pi 4, with the numbers you provided, only 600Mbps total, and only across multiple connections. It would be an extremely noticeable bottleneck.
If you've got a Raspberry Pi 4 as your proxy, aren't you already struggling to pump more than 600Mbps over your network? Even if so, are you really pulling down more than 300Mb/s over a single TLS connection?
> If you've got a Raspberry Pi 4 as your proxy, aren't you already struggling to pump more than 600Mbps over your network?
The Pi 4 is capable of a full gigabit connection, unlike previous Raspberry Pis. So, no, not fundamentally.
> To me, it seems like a pretty narrow set of scenarios where you'd not have the processing power to decrypt/encrypt at the speed of your network.
The whole scenario was set up by the comment at the top of this thread: "I'd be really surprised if MITMing TLS on an RPi 4 was actually infeasible, even when using RSA cryptography purely in software."[0]
I consider it "infeasible" if it is a significant bottleneck on the network. It could be infeasible for multiple reasons, as you're alluding to, but that only strengthens my argument.
> Even in that scenario, AES encryption/decryption can be parallelized
An AES implementation that no one uses is not a very compelling argument, except as a hypothetical. Do trusted AES implementations do the encryption in parallel? That's all that matters, IMO.
> An AES implementation that no one uses is not a very compelling argument, except as a hypothetical.
The entire whole scenario is hypothetical!!!
Yes, there aren't a lot of AES implementations that use CPU & GPU for decryption, but if you're setting up a multicore network device a CPU parallel AES implementation isn't unreasonable.
> I consider it "infeasible" if it is a significant bottleneck on the network.
So there's a lot of vague terms and hypotheticals, as you say.
I would presume it is possible to have a network where data over even a single connection traveled so fast over a Raspberry Pi 4, where you had no access to a parallel implementation of AES, where the performance impact of routing everything through the Raspberry Pi were deemed acceptable, but the consequent slowdown in performance might be deemed "infeasible" by some, yet if you were to drop in a comparable device with an AES-NI capable CPU, the consequent ~4x performance improvement would allow for it to be deemed "feasible". Another "feasible" solution would likely be to spend roughly the equivalent of two months of what you were paying for the Internet connection on the bottleneck you've created in your network.
Yes, it's possible to construct the necessary hypothetical, but it's not exactly a common scenario.
I do not agree at all. Some people may actually want to use the technique detailed in the article.
Most people do not have a powerful, enterprise-grade router they can run software on, so they would reach for another device. A Raspberry Pi is frequently used for PiHole and similar functions, so it is logical that someone would reach for a Raspberry Pi 4 here.
What part of this seems hypothetical?
An AES library that might not even work (since no one actually uses it), let alone is likely difficult to integrate into the software stack described in the article is extremely hypothetical in a way that the actual project would not be. That parallel AES implementation is not some proven library with great documentation... it's a random github repo that hasn't been updated in 5 years. If the feasibility of the project depends on that, that seems like a bad place to start.
> where you had no access to a parallel implementation of AES
You don't. Unless you're saying the author has already integrated this into the described software stack? And proven that it works.
> yet if you were to drop in a comparable device with an AES-NI capable CPU, the consequent ~4x performance improvement would allow for it to be deemed "feasible".
That does not seem hypothetical. That appears to be extremely real. Of course, the speedup would likely come from multiple factors, not just AES-NI, given that you can't find a Raspberry Pi with AES-NI to have a pure apples-to-apples comparison.
> Yes, it's possible to construct the necessary hypothetical, but it's not exactly a common scenario.
I have no idea what you're talking about. This scenario is not convoluted like you're trying to make it out to be.
"Hypothetical" joins a list of a lot of other words like "infeasible", "random", "real", etc. where we apparently have entirely different semantic interpretations.
> An AES library that might not even work (since no one actually uses it)
The library I provided was the first result I got when I searched for "parallel AES", and it's not used because there aren't a lot of scenarios where people need the extra performance extracted by splitting workloads between CPUs & GPUs. Ways to improve the parallel processing of AES was still the subject of some research a decade ago, but there's not a question as to whether it is feasible today. There's just not a lot of call for software that does it because aside from brute-force attacks, in practical scenarios the hardware is already fast enough.
> You don't. Unless you're saying the author has already integrated this into the described software stack?
So now the scenario you've got here is someone with requirements and means at their disposal to regularly pull down data over a single connection at gigabit speeds from the Internet, but doesn't invest in their network proxy enough to get hardware that can decrypt at performance that was available for commodity hardware over a dozen years ago, who is hacking away on a Raspberry Pi to MITM their Internet access, interpret layer-7 protocols, develop software to manipulate those protocols in ways that don't break the functionality they require but do break ad platforms, but don't have the resources to swap out their encryption library?
Presumably, it has to MitM all traffic going to/from the WAN in order to MitM YouTube traffic.
Encrypted Client Hello / Secure SNI / Encrypted SNI prevents the hostname for each connection from leaking in plaintext. DNS-over-HTTPS prevents anyone on the local network from snooping on the DNS lookup to realize which connections are for a given domain name. I guess a sufficiently advanced implementation would stop MitMing a connection once it is not talking to YouTube, but as a broader ad-blocking technique, this would apply to more than just YouTube.
Even just focusing on YouTube, lower bandwidth means that you have longer pauses when you skip around any video that isn't super short, as it attempts to buffer that section of the video.
> Encrypted SNI prevents the hostname for each connection from leaking in plaintext.
True, but almost nobody uses that yet. Youtube certainly doesn't.
> DNS-over-HTTPS prevents anyone on the local network from snooping on the DNS lookup to realize which connections are for a given domain name.
The author of TFA is MITMing their own Apple TV. In that scenario, they could just configure their own DNS proxy as well. But given that there's no eSNI, it's not even necessary.
And even if you'd need to MITM all flows to and from YouTube on your local network – that would still be only a few Mbit/s per device, given YouTube's (non-premium) potato-quality data rates.
I think most people with gigabit internet at home never max out their pipe with a single connection, not even close. The real value of gigabit internet, for most people, is being able to handle numerous family members all doing their thing online at once without stepping on each other's toes.
True, and I'd argue that the most significant benefit Gigabit home internet provides is (at least in many cases) a meaningful upload data rate.
Upload congestion, together with massive Bufferbloat powered by horrendously configured CPEs, is what makes home internet connections feel slow most of the time.
The author also seemed to think parsing a <2MB protobuf was CPU intensive. Even for a cheap embedded network device, you'll never convince me that is true.
But... can you do it at 1Gbps on a single core of a Raspberry Pi? You have to both parse and then reencode it. 1000Mbps = 125MBps. 125MBps/(2MB/message) = 62 messages per second.
62 messages per second means that you have 16ms to do 5 things: decrypt the TLS, parse the protobuf message, filter the message, encode the protobuf message, encrypt the TLS traffic. If you take more than 16ms, you cannot achieve 1Gbps.
We've already established[0] that you can't even hit 1Gbps with just the TLS traffic. The protobuf messages might be fast to parse... but they will still slow things down even further.
> But... can you do it at 1Gbps on a single core of a Raspberry Pi?
Probably not, but if you've only got a single Raspberry Pi core at your disposal and you're trying to pump 1000 Mbps of network traffic through said Raspberry Pi, you've already got significant challenges.
> 62 messages per second means that you have 16ms to do 5 things: decrypt the TLS, parse the protobuf message, filter the message, encode the protobuf message, encrypt the TLS traffic. If you take more than 16ms, you cannot achieve 1Gbps.
Let's just say you have a system that can do all that in 16ms. I would estimate significantly less than 1ms of that time would be spent parsing and encoding the protobuf message.
The CPU on the Pi 4 isn't that weak. Consider that on processors from well over a decade ago, protobufs were being parsed & encoded at data rates that were easily an order of magnitude more than what gigabit ethernet can support. I don't have a Pi 4 to test on, but I've benchmarked protobuf parsing on machines with far less CPU power, and we measured the parsing times for protobufs in nanoseconds, not milliseconds. Considering the limitations of the I/O subsystem, you're going to have a hell of a time sending data to & from the CPU fast enough to keep up with the rate it parses protobufs.
It's a "given" in the sense that it's a "given" that Raspberry Pi 4's can saturate a gigabit ethernet network.
Very nice writeup. I was kinda hoping to find a way to MITM devices that don't allow the installation of custom CAs. I have some IoT devices that do not expose a local API and only expose the data through the cloud, and would like to capture the device to cloud traffic...
I guess the only way to do that would be to dump the flash memory, replace the CA and reupload the dump to the device?
It’s called certificate-pinning if they “hard coded” a certificate, yes then you have to replace/remove it and move the same certificate to your MITM proxy to decrypt traffic.
Note for other readers: the two sentences in the parent post have nothing to do with each other. The Robert Heaton post does not describe how to break cert pinning without needing hardware/firmware modifications unfortunately.
The only relevant thing to repeat here might be this
> if you can’t get access to your IOT device’s hardware in order to add a new root CA to it, your journey mostly ends here. Don’t lose hope though. Leave your setup running for a while and see if anything strange happens. When I attempted the above process on my baby’s crib, the device refused to trust Burp’s certificate and so refused to complete a TLS handshake with my laptop. But after a minute or two of repeated failures, the crib started sending out some of its system status data over plain, unencrypted HTTP!
> Frankly I expect the days of being able to install our own trusted certificates are numbered on the few devices that do currently allow it.
For IoT security reasons, namely trying to stop persistence of exploits, secure boot features on ARM processors will become widely used. Think of it like TPM chips. This will make it much harder to “own your” device.
There is always a new way to block ads on YT or any platform. But then a few months later it gets changed rendering these methods useless.
Instead, why don’t we attack the advertisers? YT/Google only appear to track “clicks”, but does it actually track purchases as well?
In theory, if there are enough fake (bots) and real users clicking through ads but not buying anything, then that should burn through the advertising budgets. Over time the marketing departments should see that clicks are at an all time high on X platform but conversions are a small percentage of those “clicks” or impressions, thus pulling out from the platform altogether.
that's not really a "flaw" in protobuf; the protobuf is Working As Intended by decoding the field in a different place when you modify it.
i am not sure how one could possibly characterize that as a "flaw," since protobuf is a field-numeric length-prefixed protocol in the first place. it makes a (reasonable) assumption that bytes won't be messed with over the wire, leaving integrity to the reader, so even if this _was_ a flaw, it would be a flaw in the YouTube app for iOS, not in protobuf...
since it isn't a flaw, it isn't an "exploit," unless you are referring to the fact that youtube's protobuf exchange on their iOS app isn't checking hashes for returned payloads.
Yeah, that's some weird editorializing on behalf of the author. The "flaw" is mentioned only in the headline, the text just explains how the format works. It's not a flaw, just working as designed.
There's also this bit:
> Google makes it computationally expensive to decode, alter, and re-encode without the C++ source proto files
Yeah, it's computationally expensive if you use unoptimized Python code to do it. If you write your code in C (or another compiled language) then scanning 1.8MB of protobuf code should be trivial, with or without the proto source files.
I'm pretty sure that making Protobuf files hard to decode without sources is not a design goal. If it was, they did a pretty lousy job.
The author seemed to have parsed the protobuf data by converting it all to a huge hierarchy of thousands (millions?) of Python objects. Of course that is slow and takes a few seconds. That's so many allocations!
But if you are just looking for a specific tag, there's no need for that, I'm pretty sure you can parse protobuf in place without allocations, which would be a million times faster. You could maybe even do it in Python with reasonable speed.
I don’t know how mandatory fields work in Protobuf, but to mitigate the attack, Google’s YouTube client could treat the field as mandatory and refuse service when it finds the field to be missing or having a default value.
Protocol buffers don't always support "default" values, because certain types will include a protocol-default value. For example, a `bool` which is not present will return `false` instead of say, a nil type.
Required fields were a feature of Proto2. In proto3 syntax (latest), the required field concept was dropped because it caused issues with protocol evolution and was easy to misuse.
In essence, because of the backward and forward compatibility guarantees supported by protobuf, a "required" field must be required for the entire lifecycle of the protocol.
For these reasons and others, protobuf takes a stance where unrecognized fields are not necessarily errors. If it took a strict stance and failed in this condition, the presence of new fields in an "evolved" protocol would be an error which would break forward compatibility; old clients would not be able to communicate with new servers, and vice versa.
Protobuf guarantees that new fields will not break forward or backward compatibility.
This is why parsing unknown fields in protobuf is a feature, working as intended, not a flaw. In some language SDKs for protobuf I believe you can customize this behavior but it really isn't a good idea.
This is also why the app authors might want to consider a hash instead. Tampering with the payload would break the hash, and without the schema, the author would not necessarily know where the hash was situated in the payload to fix it, or even that one is present at all. The complexity of recalculating the hash (assuming they find it) vastly multiplies the attacker's burden at little cost to the application; adding a few rounds and a salt, for instance, would make this kind of attack significantly harder to pull off.
It's not perfect security, but it would certainly be better.
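The skip-unknown-fields behaviour and the integrity check discussed in the comments above, as an added example that is not from the article or from any commenter: a schema-less, in-place walk of the protobuf wire format over a constructed message, with an HMAC-SHA256 tag standing in for the suggested "hash". The field numbers, the key, the helper names and the sample bytes are all assumptions made up for the illustration.

```python
import hashlib
import hmac

KNOWN = {1: "title", 2: "promo"}   # hypothetical schema, not the real one
KEY = b"constructed-demo-key"      # assumption: key shared by sender and receiver


def read_varint(buf, pos):
    """Decode a base-128 varint starting at buf[pos]; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift >= 70:
            raise ValueError("varint too long")


def walk_fields(buf):
    """Yield (field, wire_type, key_pos, start, end) per top-level field.

    Only offsets are produced; no per-field objects are built."""
    view = memoryview(buf)
    pos = 0
    while pos < len(view):
        key_pos = pos
        key, pos = read_varint(view, pos)
        field, wire_type = key >> 3, key & 7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:                      # varint
            _, end = read_varint(view, pos)
        elif wire_type == 1:                    # fixed 64-bit
            end = pos + 8
        elif wire_type == 2:                    # length-delimited
            length, pos = read_varint(view, pos)
            end = pos + length
        elif wire_type == 5:                    # fixed 32-bit
            end = pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if end > len(view):
            raise ValueError("truncated field")
        yield field, wire_type, key_pos, pos, end
        pos = end


def decode_known(buf):
    """Mimic a generated parser: keep known fields, skip unknown numbers."""
    msg = {name: [] for name in KNOWN.values()}
    unknown = []
    for field, wire_type, _, start, end in walk_fields(buf):
        if field in KNOWN and wire_type == 2:
            msg[KNOWN[field]].append(bytes(buf[start:end]))
        else:
            unknown.append(field)               # tolerated, not an error
    return msg, unknown


def sign(payload):
    """Sender side: MAC over the exact bytes that go on the wire."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def verify(payload, tag):
    """Receiver side: constant-time comparison against the received tag."""
    return hmac.compare_digest(sign(payload), tag)


def _len_field(field, data):
    # One-byte key and length suffice for this small constructed sample.
    return bytes([field << 3 | 2, len(data)]) + data


def build_sample():
    """Constructed message; the title payload contains bytes that look like a
    field-2 key, which a blind byte-sequence scan would also match."""
    return (_len_field(1, b"clip\x12\x03abc")
            + _len_field(2, b"ad1") + _len_field(2, b"ad2"))


def retag(payload, old_field, new_field):
    """Simulate an in-transit change of a field number (both must be < 16)."""
    out = bytearray(payload)
    for field, wire_type, key_pos, _, _ in walk_fields(payload):
        if field == old_field:
            out[key_pos] = new_field << 3 | wire_type
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample()
    tag = sign(sample)
    print("blind matches:", sample.count(b"\x12\x03"))
    print("original:", decode_known(sample))
    modified = retag(sample, 2, 15)
    print("modified:", decode_known(modified))
    print("MAC ok (original):", verify(sample, tag))
    print("MAC ok (modified):", verify(modified, tag))
```

The receiver decodes the modified message without error and sees an empty `promo` list, which is indistinguishable from a legitimate empty list; only the MAC check over the raw bytes reveals the change.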
Well, for the field in question, I imagine that it should be easy to distinguish meaningful content from whatever it defaults to when the field is missing.
In this case since he mentions it's a "tree" of data (he means a "message"), it would be a sub-object that would become an initialized default. So there would be an "object" there, but it would have no "ads" array in it, or what not.
Protobuf does this so you can do `deep.dotted.paths` and you won't get null exceptions (probably a side effect of starting partly in Java). The leaf fields end up as empty strings, `0`, `false`, or an empty array for repeated fields.
It's a neat trick to get it to ignore a field, just not a "flaw." It's actually a compatibility feature in disguise.
(So it might be pretty hard to detect, versus the potentially-legitimate case of just not having any ads to show.)
It would be like receiving `{ads: []}`. How do you distinguish between the case of having no ads to show, and someone tampering with the data?
Is it ever reasonable to assume you have a properly decoded empty array because a user tampered with it, instead of that being what the server gave back to you?
If you have to choose between (a) the app shutting down or (b) the user not seeing ads bc the ad array is empty, you are probably going to pick B.
I found it odd that the article complained about squid proxy being slow. There was a memory leak issue in the 4.x versions, it was fixed sometime in the 5.x version. I dealt with it for like 2 years but could never figure out where the leak was. I charted[0] the process size, you can see in June where I upgraded to 5.7. Before then, I had just cron'd a restart every week.
This is interesting, I’ve been trying to figure out the best solution for handling blackout rules for sports apps. You pay full price but they specifically block anything in your market which is absolutely ridiculous. Yes, you can slap an antenna on the back and view low resolution local stations assuming you’re picking up a decent signal.
Haven’t found the most elegant way. Probably the path of least resistance is getting a separate router and connect the devices AppleTV, firestick, etc to that. But then you’re going to be constantly swapping networks if you wanted to use a different app with location.
But even that feels weird because you’re paying monthly for a smart dns service just to appear in a different geolocation. There has to be a better way.
I found a 16-digit code that I can give to YouTube that blocks ads on all my devices, not just my AppleTV — no additional hacking or effort needed. It works great!
Excellent write up! I learned a lot and there's still much I did not fully understand.
In my spare time I got to the point in the article of trying to figure out which URLs are ads and blocking those with a pihole in section 4.11 and failing miserably. Cool to see some techniques I would never consider, and they work!
I am assuming it would completely prevent ads (so no need to figure out how to filter/block them) as the name of this field suggests that it might be used by YouTube to figure out if someone has a premium subscription or not. Toggling this field would not have led the author to the later protobuf rabbit hole as there would have been no need for it.
From personal experience, we programmers/hackers sometimes like to make things more complicated than they need to be just for the fun of it (and learning experience too!).
For those of you who use Android TV devices, SmartTube is a wonderful (side loaded) option which supports both hardcoded ad skipping as well as the standard YouTube ads.
This guy could've had similar results with an android tv device and the smart tube app and saved a shit ton of time and made money in other ways instead.
Incidentally, this is probably the best getting started guide for pfSense. When I set mine up last year, all tutorials were lacking. It was usually just installing pfSense, or some random settings that anyone would probably go through anyway. Took me a while to collate the relevant information and set up my pfSense. I did eventually remove it and installed OPNSense, which has similar issues.
I can answer this as one of the mitmproxy devs: We're doing this for 10+ years as FOSS, we're a relatively well-known project (so lots of eyes hopefully), our software has absolutely zero telemetry / phone home functionality, and we're developing under our real names. We also have relevant backgrounds in either the security industry and academia, and absolutely no plans to monetize mitmproxy.
Does that make it guaranteed to be safe? Not really. I'd personally trust our TLS stack over most IoT TLS implementations, but Chrome/Firefox/Safari will do a better job at e.g. revocation checking. That being said, I'd argue that this is unlikely to be the weakest link in your threat model.
A few years ago pihole was all the rage. What happened? I'm genuinely asking what are the difference between the two approaches and when is one better than the other.
The article briefly talks about that. I’ll save you the hunt.
“This unboxing and setup has been fun, but I’d like to block all the bad traffic on my network. I’ve been using a workhorse of a DNS-level adblocker called Pi-Hole on a… yes, Pi, but it would be nice if I can reclaim that wee bit of hardware for something else and use a comparable add-on module in pfSense. Let’s explore that now.”
So basically that was only doing DNS level blocking. This article is about traffic decryption and manipulation.
Pihole is still a wonderful application. I use it on my home network. One drawback that the pihole has vs pfSense is pihole cannot do anything about devices that have hard coded DNS ips (aka 1.1.1.1 or 8.8.8.8 etc).
DNS is really easy to redirect (at the firewall level) since it goes over UDP. The growing problem is DNS over HTTPS, which uses certificates and tcp and is much harder to redirect (without setting up a MITM and distributing the CA to all devices). Fortunately just blocking the DoH domains at the DNS level works, but unlike the global udp port 53 redirect, it’s a cat-and-mouse game.
The hardcoded issue is more of a consumer router limitation than a pihole issue. Any router that can redirect DNS request + dnsmasq can do what pf-blockerng does. You just don’t see it since pfsense does this in the background. All my ubiquiti stuff or Opnsense uses pihole fine with hardcoded DNS including chromecast (I use NextDNS instead of pihole but essentially the same thing).
Indeed, how it is described in section 3.2 of the article is how I also did it on my home router+pihole combo. Still have to add that rule 1 though, DNS over TLS.
It is “protobuf” with a T, not “profobuf”.
I know the typo is in the headline on the original article, but it is bad to spread it, and it looks bad on the front page here.
if you want to DRM your app, yeah. In that case, also don't forget to check for microG or root (super scary stuff, a user having admin on their own device, imagine!) and ensure that the device isn't muted during ads as well as disabling app backups (they might be able to get at their own data!!1) and turning off screenshots (no benefit, but it can be claimed to be a security benefit just like denying root and turning off backups, and it will serve to further annoy the user).
If you don't mind that users can see what you're leaking to the server from their device, or sending to their device, then please don't use certificate pinning, or at least make it an option...
Unfortunately, there's two types of users MITMing apps, opening their browser's dev console etc.:
Those that know what they are doing (i.e. tinkering with the app to find out what makes it work or to modify it), and those that have no idea what any of this means and that get instructed by scammers on the internet (e.g. phone support scams) to do so.
The only alternatives to a service like youtube showing people ads are for its users to pay for it, for it to be funded through donations, for it to be run by the government and paid for through taxation or for it not to exist. I prefer the first or second approaches and Youtube is unusual among social media sites in actually giving me the first option. So I happily pay for premium and while I'd rather that were the only option (I think ad supported content is an inherently socially corrosive model) I dislike the attitude of those who reject ads but also refuse to pay.
(Some people are unable to afford it but that's an entirely separate social problem, and it would be unusual for somebody with the skills demonstrated in the article to be struggling to earn a living wage.)
What I would be interested in this protobuf inspection approach for would be implementing some decent parental controls. I would very much like to be able to enable/disable individual youtube channels. Currently all I can do is switch the whole site on and off. I have all the necessary infrastructure already, so I might give it a try.
There are so many reasons to block ads. Aesthetics alone. Protecting your valuable time. Consenting to watching an ad is not the same as consenting to your entire life being tracked and monitored.
Given that neither Facebook nor Google can appropriately police the content of their own ad networks (to the extent that they're the two biggest purveyors of malware and scams on the internet - in this rando's opinion), there is no moral argument against blocking ads.
In fact, not blocking internet advertising is a security risk.
If they get their house in order my opinion may change, but there's currently no business reason for them to change their existing lax systems; no pressure or threat from regulation to hold them liable for what they allow on their advertising networks.
Very well put. I have tried to argue the same point here and on reddit in past. The only real argument against I get is from the privacy perspective. That people tend to use alternative youtube clients or other such hacks to be able to consume ad free content anonymously and with the current state of google are not very keen on providing it with more information about them.
Personally I am trying to degooglify my life including working on my own open source alternatives for some services I don't find much other good alternatives for- google keep and google books. But my youtube usage pattern being the data shared with google is quite low on the priority list for me but reasonable minds can differ.
On the other hand, if enough do start to pay for youtube premium then we would be able to much more fruitfully present our demands including for privacy when we are actual customers and not the product as in the current dynamics.
> I dislike the attitude of those who reject ads but also refuse to pay.
How is this any different from changing the channel, leaving the room, or just hitting the mute button and closing your eyes in the scenario of "regular" TV when adverts or any other content you don't want to see appears? Compelled consumption should be illegal.
The assumption is that not many people would leave the room, close their eyes or mute the ads.
If you created a painless, super easy way to remove all ads, I'm sure that TV channels will also find it hard to sell to advertisers, and thus, their revenue would decrease.
My last CRT TV had a picture in picture mode. When ads started I pressed the PiP button on the remote, placed the channel I was looking at in the PiP window and started watching something else. When the ads were over I came back to that channel or stayed on the other one if I found something more interesting.
I watch TV on my tablet now, streamed from a Raspberry Pi with a TV Hat. Again, I activate the popup player, start browsing, maybe checking HN or whatever. I put the volume off. Maybe I start doing something else. The advantage of a tablet is that I can bring it with me wherever I go in my house. The TV, not so much. I rarely switched on my TV in the past two years.
Over here volume boosting is illegal, so instead they DSP ad audio to maximise envelope across all frequency bands.
Since ad sections are your typical break from a program to get to the fridge or toilet or whatever, the DSP transform makes sure you still hear the ads and pick up dialog even when far away from the TV.
Downmixing audio so that you can both hear dialogue and not lose eardrums to music and 'splosions seems to be an intractable decades old problem for the movie industry but it's sure as hell been solved a dozen times over by the ad biz.
If you don’t hugely care about the quality it’s easier. Movies also want to use the dynamic range for effect but they sometimes rely on people having better home audio systems than they actually do.
That always felt counterproductive to me. I knew people who did this and they still stared at the adverts. In fact, without the sound, you are probably focusing more on the ads, trying to figure out what is going on.
I would agree, the whole point was to enable conversation without the distraction of the ad sounds. If you're gonna watch the damned things anyway I'm not sure it helped.
My grandparents did that, it was one of the principal annoyances I had with visiting them as a kid
It was very shocking to go from 75dB to an ambient 30dB or something like that out in the countryside. I'd have much preferred to talk over or zone out over the commercials without the suddenly shocking lack of auditory stimulus!
Serious question here. What's the difference between not responding to the ad in any meaningful way vs blocking the ad entirely? Does youtube know when you've blocked the ad and therefore the content creator earns less ad revenue?
We need to differentiate a little more here. Instead of me having to watch another f*ing viagra ad, since I'm male and above 40, we should instead talk about substituting ads with getting actual fecal matter thrown at us. Your argument still applies. I should accept this because it is in my interest to support advertisers, since, really, I work for one. (In that I work for a private company that also pays for ads.)
Now before you dismiss this as childish and/ or obnoxious: please consider the point. We cannot gloss over _what_ we "have" to watch and not just that it's an ad.
It is true that things have to be paid for and I am 100% for this. But if you want me to basically degrade myself in order for me to get to watch your content, then wtf?
It's different because regular broadcast TV pays a fee to get the channel out of a limited amount of available spots, and then uses that limited available spot to have a higher ad price.
Of course on cabled channels, they get part of the fee of your package.
There is no "compelled consumption", there is an available package "this for free with ads", or "this for a fee", you're free to choose the one you want or neither.
I'm certain your company whichever it is would have an issue if I wanted to use its services but then run away when it came time to pay the bill.
> I dislike the attitude of those who reject ads but also refuse to pay
And I dislike YouTube's hostile ad escalation in recent years. One ad - fine, two ads - hmmm, three ads - what the hell. Unskippable ads. Inappropriate ads. Loud-ass eardrum ripping ads. Ads even on Premium.
I find this a false proposition, there are plenty of other ways to support a video streaming platform. There is nothing that suggests a platform like youtube has to exist in its current form either. If a monetizing strategy does not work it is not the users holding it wrong. People consumed videos online before youtube and will be consuming after youtube just fine. It is not like Google is the creative mind behind the content either, in fact, the streaming part is by far the most boring problem.
I really dislike the attitude of defending megacorps and worrying about their bottom lines, especially anti customer ones like Google.
You claim that there are plenty of other ways to support a video streaming platform yet fail to mention even one of them.
Things cost money. Every monetizing strategy involves users paying for it or the company making money from the users indirectly. OP mentions both of these. So tell me, what's a monetizing strategy other than these that works?
People consumed videos online at a very limited scale before YouTube, and those videos were usually hosted by few, generous individuals. Even if every user in the world decides to contribute 50% of their device storage for a decentralized streaming platform, I doubt it would even fit a small part of all videos in YouTube's catalog right now.
I really dislike the attitude of hating megacorps without really proposing any viable alternatives.
Nitpicking alternatives is not the main point. There is nothing that suggests a platform like youtube has to exist in its current form.
Consider a freemium model without the threat of adxtortion, obviously this would require youtube to offer a significant value add and/or premium content besides trying to be a monopoly and gatekeeping eyes. Make it purely subscription based (e.g. Netflix before ads). Ask creators to pay for the blue checkmark. Make it a loss leader. Plenty of adult streaming sites manage to do just fine without youtube style invasive ads. I'm sure much smarter people can name countless other ways as well, it also does not need to be a 1-1 alternative either.
By the same logic, it's irresponsible to watch ads and not buy the products. That's after all what keeps the wheels turning.
I remember I had this discussion after a school political debate in the 90s, with (adult) actual politicians. Textbooks at the time were not publicly funded, and naturally the textbook companies jacked up prices for their captive audience forced to buy their books.
This one party had the "brilliant" idea of ad-funded textbooks. I asked, if the textbook companies currently take $50 for the book, if it was instead funded by say McDonalds ads, how many extra burgers would each student have to buy that year? They didn't have any good answer to that.
This happened for real, actually, at least some German science fiction publishing houses did that. They would "insert" a page into the book, which picks up the story in some really cheesy way and then bends in within two sentences towards the main character needing a quick soup now (the advertisement was for soup always, they just had that one sponsor apparently).
The introduction goes like: "Only Kirk kept helping himself, because he was convinced he would need strength for the upcoming events." and then below the black bars the actual ad: "The reader should do same bla e.g. soup bla takes just 5 minutes etc"
None. The textbooks would then be subsidized by McDonalds' advertising budget, reducing their profit margin.
It's the same as blocking YouTube ads; Google still pays the creator as if you had watched the ads, so your video playback is being subsidized by Google's ad business profits.
When you choose not to block ads, you aren't "supporting creators", you are supporting Google shareholders.
Point is, McDonald's wouldn't do that for long. They don't have that big margins.
Google's shareholders might, for a while, for the sake of "control". But either way, it's not sustainable. The anti-adblockers are right about that part. They're just wrong that watching ads without spending a ton of money on the products helps matters.
I use Youtube through Piped (https://github.com/TeamPiped/Piped) to preserve privacy, block ads, and prevent getting sucked in by the algorithm.
The only part of Youtube that I find valuable is the content. Not the UI, not the comments, algorithm. Free content hosting is nice, but it's not the only platform hosting videos for free.
If I wanted to pay for a streaming service, it'd be Nebula (https://nebula.tv/), because I know it benefits creators.
But I'm never turning off the adblocker, thank you.
Maybe it's just my bubble, but it is often I hear that "Our Nebula subscribers fund this show, we couldn't do this with youtube revenue alone" or "Signing up to Nebula with my link gives me a steady source of income that youtube just cannot provide".
> it's not the only platform hosting videos for free.
You're only looking at this from your own point of view. The content producers are looking for monetization options, and youtube is the only game. Nebula might be sufficient for some small amount of content producers, but it's unlikely to hit mainstream, and not enough people want to pay.
It's unfortunate, but ads are the only game in town on the internet atm.
On top of that, in my experience both CuriosityStream and Nebula's search functionality is pretty bad: I got fed up of the number of times I searched for something mentioned in a spoken "advertisement" by users like Mustard on youtube who said they have extra content on those services and then I can't find it or find out how to list all videos by those users, I stopped my subscription to them...
Piped is a great web-based service, but since tvOS does not support web browsers on the Apple TV, to block YouTube ads, you either have to stream Piped videos to the Apple TV from another Apple device using AirPlay screen mirroring or use a workaround like the one described in TFA.
I'm using NewPipe (https://newpipe.net) on Android TV which provides an ad-free YouTube experience just like the Android phone version of NewPipe. Piped would also work on an Android TV browser like TV Bro (https://github.com/truefedex/tv-bro).
The legitimacy of ad blocking is well-established. People have been using DVRs, VHS players, and tape recorders to capture and consume ad-free broadcasts for decades.
I’m in the exact same mindset as you; youtube allows you to pay to rid yourself of ads (which is ironic because the more free you are with money the more attractive you must be to advertisers)- so I think they are better than most.
But if I must take an alternative position: the last time I used youtube without premium (which happens sometimes because it's not so smooth to log in if it's a temporary session); the number and length of the ads was absurd, multiple levels of unskippable ads, minutes long, with volume that is much higher than the content itself. Awful experience and I can see why people who don’t have the free money want to lower it a little.
That's of course not including sponsored content which contains an ad inside the video itself- even YT premium users get those.
> So I happily pay for premium and while I'd rather that were the only option (I think ad supported content is an inherently socially corrosive model)
Still doesn't protect you from in-video sponsorships (skullshare, OstVPN, etc.), product placements, etc. Some creators especially do these because it protects them from platform demonetization risk.
Same shit with paying for cabletv & movie theatre tickets. If anything, people that pay are their most valuable targets for ads.
Even a newspaper that I sub to runs ads and a zillion trackers against me. Ugh.
I get where you're coming from, but the platform could do more to protect paying members from this. E.g. creators with over $x revenue must tag promos so the platform ships them for paying users
To me at least the sponsorblock extension is completely ethical when you are using youtube premium. The creators get paid extra for a premium view anyway, plus I don't think advertisers for in video ads pay per view of that segment (if there are even tools to detect that metric) or anything like that so you're not even hurting the creator.
But I agree that something built in by youtube for premium users would be nicer. Would get youtube more premium users too I think because I was e.g. initially hesitant too of buying premium because I knew I would still be getting in video sponsors.
It doesn’t, but Nebula does. Creators don’t put sponsorships in their Nebula videos. And they had a lifetime subscription recently so personally I jumped on it and don’t have to deal with Yet Another Subscription…
I can be a petty individual at times, and the thing that convinced me to never pay a cent to youtube was their removing the ability for the app to continue to play the clip in the background when switching to another app or locking the phone.
I listen to news and podcast-esque things in the car going to work or school drop-off / pick-up, on the way to sport etc. I'd begrudgingly tolerate the ads if the app background-played but it doesn't without paying for premium. I'm somewhere on an "entitlement" scale here, but background-play being a premium feature really feels like it's stretching the friendship.
So... alternative front-end it is. Great experience and no ads to boot.
> removing the ability for the app to continue to play the clip in the background when switching to another app or locking the phone.
Do you know that the paid version has this exact feature? This is a limitation of the ad-supported version, because advertisers are paying to actually have people watch their ad.
They removed it from in front of the paywall to behind the paywall. The non-paid version used to do it. It was a memorably jarring experience working out WTF happened when background-play was rugged.
The said ability also exists in a premium subscription. So what you're effectively saying is that YouTube offers you a valuable feature, but you refuse to pay for it.
YouTube is not offering a valuable feature here. It's an OS feature. YouTube is going out of its way for you not to have this feature, unless you pay them (even though it wasn't them who brought you the feature to begin with).
I understand why this upsets people.
Imagine Youtube preventing you from adjusting the volume unless you paid. This is similar.
No but you have to agree on the enshittification part. Youtube turned to one of the worst UX apps I have on my phone, I hate paying them for such a shitty product and I'm waiting for the time they're off this planet
yes, absolutely, but only inasmuch as it only decreases their producer surplus so it doesn't actually cost them anything. If the monopolist allowed competition, then I'd evaluate and choose, but I don't have that choice till then.
"you can believe in the benefits of law and order, and just walk away any time you encounter a thief who doesn't". Yes, or I can steal my stuff back which gives me pleasure.
"anyway, you can switch from the high end monopolist to the low brow monopolist so I don't see what you're complaining about" Yes, you don't.
the right to wear hair-shirts is not the only principle that counts.
The issue with paying for youtube premium is that you are still left with tons of ads. Until YouTube themselves doesn't tackle this issue as it should I refuse to pay to see slightly less ads.
Half of the content on YouTube could be considered to be an ad by itself.
Also sponsors are being advertised regularly within videos which I would consider to be ads too
A lot of the videos I see have ads in them, a section with "this video is sponsored by this and that". That's definitely an ad. I would say most new (past few years) content by established channels has these. Some more obnoxious than others.
That's a way to look at it, and another way to look at it is this:
I already pay Google much more than I care to and am willing to in the form of my privacy and personal data because of the ubiquitous surveillance that Google performs on as many people as they possibly can.
If I could cut Google out of my life I would do it in an instant, but I can't because they won't allow it. In lieu of that I take whatever I can from them.
“To steal from a brother or sister is evil. To not steal from the institutions that are the pillars of the Pig Empire is equally immoral.” -- Abbie Hoffman
By that logic we shouldn't even be allowed to look away or mute our sound when the ads are playing, after all if enough people did it it would be just as "damaging" as people with ad blockers.
Also, YouTube is a video streaming monopoly, if it didn't exist there would be a significant chance of new streaming platforms to succeed, but given that it captured the market such chance is unlikely to exist, monopoly that they achieved hosting videos free of ads (or very light on these) and now that they have the control want to force people to pay or watch a ridiculous amount of ads.
> I dislike the attitude of those who reject ads but also refuse to pay.
What about fair advertising? The main problem here nobody dares to talk about because dealing with it would undermine the very essence of capitalism: unlimited growth, is that there is no way to have fair advertising exactly as there's no way to have a fair use of any resources. Once you allow anything to be used for profit, it will be abused from the strongest players at the expense of the others until the last drop. It would be extremely easy to put well defined limits on how much advertising can be shown, and make the Internet a better place, but no way, it's anti capitalistic and therefore a no-no. Ad blockers weren't born the same day advertising came to the Internet, and many years passed until someone realized we needed them; that was the day surfing became such a horrid experience thanks to unlimited, pervasive and ever growing advertising.
edit: and, by the way, I still have to see some company going bankrupt because of ad blockers.
I just subscribe to YouTube premium to support my favorite application out there.
I learn so much from the people who spend hours and hours making videos every month that I am more than happy to pay a measly $13 or whatever it is every month to YouTube.
If you continue to give Google money you'll continue to get things like AMP, Manifest V3, Web "Integrity", and whatever else they think up to track you across the web.
They're an ad company. They pay the creators per impression even if you block the ads. Blocking ads harms Google, not the content producers.
I'm giving them money to view fewer ads. Isn't this an inherently "anti-ad" consumer standpoint? I am telling YT/Google that I as a consumer am willing to pay money to not see ads.
Am I not telling them with my wallet to develop other ad-free solutions that I will pay them and the content creators money for?
> They pay the creators per impression even if you block the ads. Blocking ads harms Google, not the content producers.
Blocking ads and refusing to pay any money into the YT ecosystem decreases the revenue per viewer which will eventually reduce the amount of money YT pays to creators and/or increase the price they charge to YT premium subscribers.
I’m honestly not asking to be obtuse, but what difference does this “tracking” actually make? I block ads on the web because they’re so obnoxious and usually so utterly stupid (“One weird trick to blast belly fat!!”), but I couldn’t care less if an ad profile exists on me or on some GUID tied to a browser I use[1]. What’s your pitch to someone who doesn’t care, that they should care?
[1] also, if tracking can help to replace idiotic ads like that with ones for some b2b software product I’d actually be interested in knowing about, please track me.
The idea that if you are willing to give up some privacy, the ads you see will be high quality and relevant. That sounds like a great trade and for twenty years I waited for those useful ads.
They still haven't appeared. When I consider what I trade for the ads I'm getting now, it's nowhere near good enough. My data is valuable and Google et al just aren't offering enough in return. The only place I ever see decent ads is on Google's search page.
I think the reason we see shitty ads like the belly fat ones, is because Google isn't actually trying to serve us first. Their main concern is ad dollars. So even though Google knows you watched a video on changing guitar strings an hour ago and now you are standing in a Guitar Center, instead of showing you an ad for guitar strings, you're going to see an ad for belly fat because that advertiser is willing to pay a fraction of a penny more.
So to answer your question about why you should care - it's because you are greatly overpaying for the service you are getting. Of course there are other reasons too - avoiding ads containing malware is one. Protecting yourself from tyrants is another. If you are socially or politically active, you may not trust that the government now or in the future can resist grabbing the data that shows you support abortion rights or attended a BLM or LGBTQ march or were part of the crowd on Jan 6.
Let me ask you this - if you learned the tracking is actually a person on the other side of the planet watching in real time, everything you do online, every conversation you have, every site you visit, and mix it with the data they can get from your phone (location, phone calls, music preferences, who you are spending time with, etc...) and they manually log it into a database, would that change how you feel about it?
I think there’s an opportunity cost not considered explicitly here, which is heavy users of YouTube (such as myself) find $13/month cheaper than wasting time watching ads.
If I added up the total ad time I’d have to see on a free account, the math would heavily favor paying to not see them vs my (or really most software engineers at the level of YouTube I consume)’s hourly rate.
It’s made decisions much easier for me if I take my hourly post-tax rate and compare it to services I’m using. If math works out, it’s generally worth it.
I’d love to fight the good fight against ads and stuff, but between working 9-5 and a side business, relationships, hobbies, I just don’t have the time.
You're giving them money because they're serving you ads in the first place.
I appreciate advertising money pays the salaries of people in such companies, but there are other less intrusive ways. Since I've grown up with the evolution of internet advertising, my brain is wired to just ignore it. I can't say I've knowingly been influenced by any form of internet advertising, ever.
A better solution for all concerned would just be to watermark a corner of a video with 'sponsored by company X' than the hours of human effort wasted in squeezing 30 seconds of adverts into everything, and the effort of people to block and get around that.
No, they're not going to leave money on the table. Eventually you'll be seeing ads too. This is just a hook period. I don't understand how we as a culture haven't learned this already. This is at least the fourth or fifth generation of this with media. How things actually work should be common sense by now.
It seems to me that all of google's most successful services (search, youtube, gmail and gsuite, maps/earth, android) are next to impossible to monetize profitably and have significant utility to the general public. It feels like these are services that governments should be building and funding themselves.
Youtube specifically has a plethora of useful information made by normal people. You can find hundreds of thousands of videos, in most languages, about doing most basic and complex repairs for almost any model of car made in the last few decades, for example. It is essentially a giant public library.
That is insane. No corporation has the ability to incarcerate you or kill you. No corporation can round up your family.
What, precisely, is the “threat” that Google presents that does not rely on a government to be the muscle. Are they going to cancel your Gmail account? Cut you off from YouTube?
Surely if they actually are as powerful and dangerous as you think they are you wouldn’t use their stuff at all. But then I guess they wouldn’t be all that powerful if you could just stop using them…
(Shrug) Insane, whatever. All I know is, when I call the IRS, I can get a human on the phone who actively wants to help.
Try that with Google, PayPal, Amazon, Apple, or any number of other companies when an error they've made but refuse to even explain, much less fix, threatens to wreck your livelihood.
To redress grievances with my government, I don't need to make the front page of HN or go viral on Twitter. We don't go a week around here without another front-page lamentation to appeal for noblesse oblige from one of these intentionally-faceless megacorps. That's not how you should have to deal with a company you're doing business with... but it is how you deal with a dictator who leaves you no other choice.
That's simple in countries without a Second Amendment, or that don't recognize self-defense as a fundamental human right, but it's not simple in this one.
It is deeper than that, corporations literally are governments. When you form a corporation you are creating the government that your organization will now operate under. Usually this will require a license from whatever larger governmental structure you find yourself in.
Sometimes this is a publicly tradable for profit endeavor, sometimes it is private or perhaps non-profit(all profits have to be distributed back into the corporation), or even an actual public corporation(often called a town or a city,
I've been using premium for almost a decade now, since before it was rebranded from YouTube red. I'll let you know when it's safe to remove your tinfoil hat.
Oh and I'll be downloading my videos for offline viewing and listening to ad free unrestricted music as well.
Thank you for reminding me that yt-dlp also works with youtube music (didn't think of that). I just tried to list all the available formats of a song there:
ID  EXT  RESOLUTION FPS CH │ FILESIZE TBR  PROTO │ VCODEC     VBR ACODEC    ABR  ASR MORE INFO
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
233 mp4  audio only        │               m3u8  │ audio only     unknown            Default
234 mp4  audio only        │               m3u8  │ audio only     unknown            Default
599 m4a  audio only      2 │ 1.05MiB  31k  https │ audio only     mp4a.40.5 31k  22k ultralow, m4a_dash
600 webm audio only      2 │ 1.27MiB  37k  https │ audio only     opus      37k  48k ultralow, webm_dash
139 m4a  audio only      2 │ 1.67MiB  49k  https │ audio only     mp4a.40.5 49k  22k low, m4a_dash
249 webm audio only      2 │ 1.86MiB  55k  https │ audio only     opus      55k  48k low, webm_dash
250 webm audio only      2 │ 2.44MiB  71k  https │ audio only     opus      71k  48k low, webm_dash
140 m4a  audio only      2 │ 4.42MiB  130k https │ audio only     mp4a.40.2 130k 44k medium, m4a_dash
251 webm audio only      2 │ 4.71MiB  138k https │ audio only     opus      138k 48k medium, webm_dash
Hm ... no mp3 (my car accepts mp3 only) and the bit rate is not very high. Is youtube music that bad?
Both AAC and Opus fix some of MP3's inherent design problems (like imperfect handling of short sharp transients no matter how much bitrate you throw at it), so the only reason to continue using MP3 is for compatibility with old devices.
Since downloads aren't an official part of Youtube's offering, they don't have to care about old offline-only hardware players only supporting MP3, either and anything that's modern enough to still support either a Youtube app or the website will also support either AAC or Opus.
> the bit rate is not very high
There's also a high bitrate available, but only for subscribers.
Tell me, do you casually click 15-20 videos on your phone while you're taxiing before takeoff to be entertained for the whole flight? Do you use a media player that lets you turn off the screen but continue to listen to your just released yt podcast while you work out? Do you watch live feeds on your phone without ads? Or do you run a yt-dl scripts from the CL 3-4 times per year to farm w comments?
Not seeing ads is a benefit of the service. Paying for premium is to support the video makers and, yes, the service itself.
Paying for things you use is how you signal you like the product. The insane contortions people resort to in order to justify piracy boggles my mind. You either pay by watching ads or you pay the premium price. No one is entitled to YouTube. YouTube has to be paid for in order for it to exist and the creators to make stuff. That is the reason to pay for premium.
Or you can do what I do and support the creators on patreon and continue to use adblock on YouTube. That way you can consume content without feeling guilty and not support Google's monopoly at the same time.
No that's what you get when you're the product by being a free user. Paid service relationship works just fine for me - Google isn't ideal but YouTube is one of my main content sources + YouTube music for my family for slightly more than the price of Spotify family subscription - yeah it's an easy choice.
Spotify suggestions and playlists weren't a seller feature for me for years. Maybe I'm missing out on a few podcasts.
No, Google will keep fucking you over and destroying the Internet, whether you pay or not. Not to mention the fact that what they pay out to creators is absolutely pathetic. Go find their Patreon, their Ko-fi, hell their paypal, anything but giving Google 13 bucks.
“Consume” ads? That is a quaint 1960’s take that is long dead.
Ad companies have been tilting the agreement attention for content ever more in their favor in aggressive and privacy harming ways. They long ago broke any moral standing.
The content creators need to seek a better deal, they’re getting screwed by Google too.
I'd rather use their services and block their ads, if I'm honest.
Ad supporters talk like blocking ads is literal theft, which is absolutely laughable. It's further away from theft than piracy, which is also in no way literal theft.
If I'm watching traditional non-demand television, and I go to the bathroom or change the channel during an ad, am I stealing from the network or the show? Hell no, that's ridiculous.
Theft? Of course it's theft, if I reduce to what is happening - you're using their services for free with no compensation. That is the definition of theft.
I would agree with you it's ok if there was no way to _otherwise_ pay for the service. If they push an only ads-supported version, and I have no choice but see ads, and I don't consent to the impact of ads on my brain, it makes a case for blocking ads being ethically correct.
But since there is a choice on how to pay, I find reasoning is no longer ethically right. You can choose to pay with your attention and brain, or to pay with hard cold cash, so the argument of ads being shoved down your brain no longer holds. You can choose to not see ads and pay for the service, and you chose to steal.
And you can make the argument that stealing is ok since you steal from the bad guys, but then you don't get to complain when others may steal from you - we're all "the bad guy" for somebody else
No. Theft would mean they no longer have the service once I've taken it.
Me taking a copy of Shrek 2 at the local store and not paying for it is theft: the store can no longer benefit from Shrek 2.
Google can re-send the exact same bytes to someone else. All I've cost them is what it costs to send those bytes over. But then, would you consider going into a store, loitering for two hours, taking the sellers attention (therefore, costing them time that they cannot use to sell things to other customers) then leaving without buying anything theft ? Most reasonable people would say no. We'd all agree it's a dick move, but since corporations are not people, it doesn't matter.
Would you go into a restaurant, occupy a table, spend server's time to bring you only tap water, loiter for a couple of hours, and leaving without paying anything OK? if that's what you want, go to a public library.
I think the sooner we move from ads-supported models to pay-per-use like Netflix, the better we are - those that can afford will consume the best content, and the rest will stick to public domain.
Hear hear. I'm beyond tired of all these self-proclaimed hackers with their lips so far up Google's ass that they can taste what Sundar had for breakfast.
The ad industry is a scourge on humanity, and its gormless defenders are willing accomplices.
Ads are emphatically not a valid monetization tactic. Holding up a corner store at gunpoint is unethical; getting up to go to the bathroom during a commercial break is not. There has never, ever, ever, ever been any moral or ethical imperative to view ads, in any context. By asserting otherwise you're simply being dishonest.
None of the content I'm interested in is available elsewhere. I've checked for exactly this reason. I don't want to be freeloading off of google, ideally I'd not use their platform at all, just like how I replaced gmail with self hosting, googlemaps with openstreetmap, googlesearch with duckduckgo, etc.
It costs creators literally nothing to upload an mp4 file to a second website and it would create market forces where youtube now has to compete for views with those alternate platforms (even if it's fragmented). But they're not doing it. Okay, so then I need to use youtube, doesn't mean I need to give google my payment information to pay a fraction of that money onto creators and mainly further their adtech
Google uses their primary business (surveillance and propaganda) to subsidize their other endeavors, engaging in unfair business practices by providing services below cost to destroy any competition. Taking them up on their offer while protecting yourself from their primary operation is no more freeloading than buying only the loss leaders from one store while going elsewhere to get the rest of what you need. They're a business, not a public service.
And it's just a convenient consequence of doing the "morally right" thing, that you happen to get your content for free? And content creators be damned?
No, I just happened to always have it for free. They are the ones that decided that it was a good deal in exchange for tracking me throughout the internet, stalking me. They are the ones that decided to make my watching experience miserable by putting unskippable ads. They are the ones that decided to make the videos I watch crap, because if they're not 10 minutes long with a perfectly engineered cover image, they won't pay out the creators and they won't show their content. They are the ones allowing literal hour-long ads. They are the ones that decided to make my home page """algorithmic""", which is really "oh you watched a video game ? Others like <literal nazi>, you should watch it". They are the ones hiding, destroying, trying to piss me off by removing features one by one and putting them into Youtube Premium. Play in background ? High quality videos ? Not stopping autoplay every 30 minutes to ask me if I'm still here ? Picture-in-picture ? Adding to queue ? These are all features that they proudly displayed in blog posts saying how awesome they are, and that it'll always be free. Now, they blast me with popups telling me to get Youtube Premium. One per person in my household by the way, account sharing is bad and they must extract as much money as possible.
The content creators I support get their money on Patreon or whatever fundraising platforms they use. Same things for my favorite journals. The others ? Well, I don't care enough about them to think that I would pay for them. Maybe others will. And if they don't, well, they'll stop.
It would be, if Google didn't have a chokehold on most of the internet. Sure, Nebula exists, I can watch three creators there, woohoo. Let me go on Dailymotion too for those sweet 2005 videos.
Google did everything in their power to force themselves into every aspect of our lives and leaving no alternatives, or destroying them, or buying them. Now they get to deal with the consequences
The content creators could post anywhere, there is no reason they can't cross-post their videos to other platforms. Most publishers who are on Patreon post all their videos ad-free on there so you don't even need to go to YouTube.
The reason most publishers post on YouTube is because they depend on the revenue from the YouTube network.
If you don't want to watch ads, fine, but you are expressly violating the wishes of the people who are creating the content and then rationalizing it to yourself. The fact that you still rationalize not buying the ad-free premium offering is the kicker.
I'll stop freeloading when mega corps start paying back even a fraction of what they take from society. Governments have a setup for this, it's called taxation.
I just have no sympathy for the ad industry. I wouldn't have gotten into ad blocking if ads were non-intrusive, non-deceptive, and purely contextual. I used to even click on them more than a decade ago. But no, the ad industry wasn't satisfied with the money they were already making. They wanted to stalk you across the web and shove endless amounts of junk ads to uninterested people.
The ad industry brought the current situation on to themselves.
Fortunately I bypass Google entirely and find ways of paying good creators, which ends up with more in their pocket and less in the pocket of one of the shittiest companies on earth.
Do not confuse Google's revenue with market rate of an impression on YouTube. More revenue for Google does not equal higher pay for content creators. Google pays them the minimum to keep them on the platform. And that minimum is tiny since their platform is essentially a monopoly.
I'm also intensely Youtube positive, even if I don't like ads or google.
Youtube is one of the best things on the internet. The shame is that it's centralized with a single point of failure.
The upsides of youtube are enormous - people learn a lot there. It's not just nerds learning about stuff, but everyone. How do I fix this thing on my car, etc? People show and tell about all kinds of topics. This is making people more knowledgeable and capable on a citizen level(!)
The written word champions here will have to realize that for some, videos are a superior medium for transmitting know-how.
If the ads were silent banners changing the aspect ratio of the videos, I wouldn't mind them.
30 second un-skippable advert to see a 7 year old 45 second clip? I press "back" and watch neither.
Thinking of supporting creators: I looked at Nebula a while back as an alternative; I think there was some UX issue back then, but they've likely improved it and I should look again.
> If the ads were silent banners changing the aspect ratio of the videos, I wouldn't mind them.
This is an interesting idea. It is already used to some extent in live football matches broadcast on TV. The sidelines have their ads replaced. I think your idea is a good one and deserves some testing by Google/YouTube.
At this point I would pay those people to stop making videos and start writing again. Sitting through a 15 minute video to explain something that can be read in 2 minutes is a waste of everyone's time.
I find it’s pretty unusual to find something being taught in a YouTube video that couldn’t be learned from a book, repair manual/schematics, or a university course. Nothing’s stopping you from seeking out written material instead, especially if you’d be willing to pay people to _stop_ making videos.
The obvious reality here is that RandyLahey1989 from Halifax probably isn’t going to start a Substack about snowmobile repair, nor would anyone read it if he did, but his video on replacing the carb in a 2011 Switchback has hundreds of comments thanking him for his help. Wouldn’t you agree the internet’s a better place for giving Randy the chance to share his domain knowledge (and get paid for it)?
I seriously think the “everything should be an article” crowd is a bit disconnected with how the average person prefers to create. The future of consumption is video for a growing majority of internet users, one would be a fool to pretend otherwise.
Which, if people weren’t aware, is also a consequence of ads. It’s so the creator can get a mid-video ad. Even if you pay for yt premium, you’re still getting a garbage experience because creators fluff out videos to hit the higher minute mark.
Some videos are drawn out but most aren’t. People will drop if the video gets too boring. It’s also very easy to skip in-video ads or forward or reverse to the most replayed part of the video.
I’m eagerly awaiting the day when some pirate site feeds the videos through a machine learning thingy and outputs an appropriate length text summary, with an appropriate number of screenshots for following along.
I’d want the summary and images to be verbatim from the video, but for it to strip crap like “hey, it’s been a while since I made my last video, as you can see behind me, nessie the cow is caught in a tree in my vertical farm wall again, which you can see another video about. Today, we are going to explain how to open this laptop, but first I’m going to talk about [product placement]”
But that's not all about it. You probably don't know the amount of courses available on YouTube. Chemistry, medicine, engineering, mathematics and what not.
I don't see a point in giving google any money when the price of premium seems to go up every time I open the page for it (it's literally gone up 50% in the last 2 months, with the cheaper tier also no longer being offered) on top of actively being worse than using normal adblockers since you won't get any equivalent to sponsorblock by paying for premium. It's literally worthless, at least until google begins clamping down on ad blocking.
I would not mind paying for "ad free Youtube" if it was like 5 - 10 bucks. I don't need or want Youtube Music. There was a YouTube Premium Lite at some point for some countries.
Plus paying for youtube premium does not remove the sponsor ads inside videos.
Also I feel like the algorithm has gotten worse and worse? I personally don't like to support that.
I pay for Youtube Premium, but still I have to run Sponsorblock to block the in-video embedded sponsorships and one uBlock Origin script to remove Shorts from my Subscription.
I understand the sentiment, but the creators actually only got peanuts (most don't even see any money) out of your $13 while the rest goes to Google. You are paying Google for youtube, and Google pays (some) content creators with a tiny fraction of your subscription money.
This is bullshit. I'm a full time youtuber, and creators get 55% of that money, and we really appreciate that income stream.
Youtube is actually one of the good companies out there when it comes to paying creators a fair share. No other company that I know of pays creators this well, and it is probably a big reason for their continued success.
AFAIK, from ad revenue channels get 55%. They also get money from premium subscribers depending on how much time they spent on channel. I wouldn't call it peanuts.
That’s true when they pay out. It’s supposedly hard to get them to actually pay.
They say they pay out 55% of ad revenue per video and 55% of subscription revenue.
Assuming 10% of video creators have successfully set up monetization (I made up that number), then they are only paying out 5.5% of ad revenue, since (as far as I know) the unclaimed ad revenue is not pooled and then distributed proportionately to other accounts.
It’s unclear if they put YouTube premium revenue in per-creator buckets in the same way as they do ad revenue. If so, then they would only be paying out 5.5% of subscription revenue in my 10% example. If, on the other hand, subscription revenue is split amongst just the monetized creators that you personally watch, then they would be paying the 55% their marketing department likes to brag about.
I haven’t been able to figure out which way they do the accounting.
However, as of 2021, over their service lifetime, they paid $30B to creators. Their 2022 revenue was $29B.
So, they’re definitely keeping the vast majority of the combined ad and subscription money that comes in the front door (or revenue exploded in 2022).
I do that too when I really want to support someone. YouTube premium is a way to support each producer's videos, not only the few that I might patronize on Patreon.
There are dozens and dozens of different creators of videos that I watch each month, so if I only used Patreon most wouldn't get anything from me.
The infrastructure for growing and preparing tobacco products also "costs rather steep amount of money" but isn't justification for supporting them. The incessant vomiting of advertising by Google into the faces of the public and the distortion of incentives for content creation has reached a point where the overused word "toxic" has really become warranted.
I'll pay Google when they start weeding out the utter garbage that is uploaded targeting kids. Things like Frozen characters getting tied up and thrown in water, or their clay stomachs getting cut open. YouTube happily suggests these abusive videos when you are watching kids' shows, and Google does stuff all about them.
The last sentence in the Wikipedia article you link provides reason to believe that the extensive and largely unfocussed show of action Google made in 2017 did not, in fact, solve the problem.
Are you sure these videos and their targeting are still a thing? Your comment is the first I've heard about it in years, and looking now everything I'm finding is years old.
So have 100 different Patreon subscriptions each month? The minimum pledge is $1. What if I watch 200 different YT creators? What about the short videos? Should I create a new Patreon subscription for each individual creator I watch? What if my interests frequently change (they do). Should I spend hours per month managing individual Patreon subscriptions?
The original post is about blocking ads. Blocking ads reduces the amount of money going to creators. Now you are saying that paying actual real money to not see ads is also not the way.
> They shaft creators in every way possible.
I guess this could be true that YT "shaft[s] creators in every way possible". If this were true, I'm somehow guessing that not basically everyone would show their videos there, don't you think?
There's a balance here; being universally against ads (which quite a few people here are) while also refusing to pay anything for content is not a congruent view.
At a very minimum there are considerable costs associated with delivering the video content, as most of us know.
And for the record, I do patronize the creators whom I watch lots of consistently.
> I guess this could be true that YT "shaft[s] creators in every way possible". If this were true, I'm somehow guessing that not basically everyone would show their videos there, don't you think?
The fact that content creators are still using Youtube doesn't mean Youtube is not shafting content creators. Youtube has killed most of their competitors so it's not like content creators have other options right now, but I suspect new competitors will show up if Google continues to enshittify youtube.
The problem is that most people don't subscribe to hundreds of Patreon creators. It is actually REALLY hard to have a substantial income from Patreon unless you have like 1 million subscribers on youtube. YT Premium+Ads is the next best thing and makes most creators a lot more money with less effort.
Source: I'm a full time youtuber, I have done Patreon for over a year, and I have friends who are also full time youtubers.
For many it's not about supporting the platform and creators. YouTube can be unwatchable with ads. I believe this was done in part to push people to purchase premium. Some pay, some block, but nobody thinks the YouTube advertisement business is something done right.
I and other educational content creators thank you. YouTube is not evil, the service they provide for both content creators and viewers on YouTube is not only fair, it is clearly unmatched.
A problem with paying is that you have to be logged on so you can’t avoid being tracked and having every video you ever watch linked to you for all eternity.
You have privacy controls in your Google account. I have web & app activity off, location history off, YouTube search off and YouTube watch history auto deleting after a few months. https://myaccount.google.com/data-and-privacy
If you're talking about them building a secret extra profile about you with those things turned off, then they wouldn't need you to login for that.
This is misleading. At least with Google Play, they track all installed apps on your account forever.
Even if you uninstall, remove from history in the app, and remove from Google account history, future API calls reflect that you've installed the app before.
And if you believe Google is not storing that information anyway I’ve got a beautiful bridge for sale.
If you don’t use an account you can create a fresh container every once in a while and start the game anew and you can choose to not associate it all with your identity.
If my country either took privacy seriously or took corporate malfeasance seriously, then Google wouldn't exist in the first place. Here's to hoping, though.
Read the privacy policy, they explicitly state they store it. Obviously, because in many cases they need to know who watched that. For instance for their licenses they need to be allowed to show you copyrighted content.
You can ‘pause history’ which means ‘If you turn off your YouTube watch history and have no significant prior watch history, YouTube features that rely on your watch history to give video recommendations, like recommendations on the YouTube homepage, are removed.’ It doesn’t mean they don’t store it.
Google stores everything and deletes nothing. If you don’t want Google to keep track of information, you have to make sure they don’t have it and never get it.
> Google stores everything and deletes nothing. If you don’t want Google to keep track of information, you have to make sure they don’t have it and never get it.
This would be a clear GDPR violation. This isn't the 2000s or 2010s any more.
This post is more of a technical breakdown of things, not some sort of advocacy for not paying content creators:
> Disclaimer: I want to support content creators, so to be fair, after a few months of blocking YouTube ads, I am now paying for YouTube Premium; Just because I can break something, doesn’t mean I need to.
As long as the youtube tos allows creators to upload videos with their own ad I won’t be paying a dime for premium. Where is the point to pay for skipping 5s of ads, when there is another one by the creator for a whole minute in the middle of the video?
No, paying Nebula as an alternative to paying Youtube doesn't work for many viewers because most creators who create good content are not on Nebula. E.g. Many popular channels with worthwhile info such as Applied Science, Technology Connections, 3Blue1Brown, etc are not on Nebula.
Also, many people who use Youtube for learning DIY repair, hobbies, coding, etc and Nebula doesn't really cater to those genres. E.g. I watched some videos about configuring Unifi networks and then some tutorials on installing some flooring. These types of videos are not on Nebula's platform.
There is a huge variety and scope of educational material on Youtube and platforms like Nebula/CuriosityStream only have a fraction of that.
Nebula's Android app is insultingly poor quality and pretty much unusable on tablets/foldables (it locks in portrait - who the heck still does that on a VIDEO app?!)
I've had college students build better apps for homework. It's insulting considering the rather high price of a service.
Paying for YouTube premium does not remove the sponsors, in video ad breaks and all. Actually the only way to do that on mobile is with ReVanced, no matter how much you want to pay YouTube.
I do when I regularly watch a particular creator's videos over and over. However, this isn't the case for most of the videos I watch. Lots of one-off views.
This is one of the many things that make it _exactly_ like malware. Ads are delivered the same way malicious code or artifacts would be delivered to your device.
Weird-ass random subdomains, obfuscated query params -- no legitimate service that works for the user's benefit should behave like this.
But it's googlevideo.com, how could it be a video of some shyster pimping get-rich-quick investment schemes that are convincing enough to appear totally legit to anyone below the half-way point of the bell curve?
But it's a google ad, how could it link to a scam that looks exactly like my bank's website?
Which is beside the point and a minor nitpick at best.
The fact of the matter is these techniques are well established black hat ways of preventing the user from discovering what you're doing on their device.
Discovering what exactly? Too bad they don't use a subdomain called "adplayback" I guess, but the query parameters are obviously only useful for YouTube internal, not the users.
And I won't even call them "obfuscated" -- it's just a batch of switches and plain IP and ID hash.
Back when YouTube wasn't owned by Google, replacing /watch?v=... with /get_video?video_id=... in the URL would immediately give you the video file (in FLV format, of course.)
There was also a relatively brief time when YT was owned by google but ads were delivered from a separate (sub)domain so DNS adblocking would work wonders.
Those days are gone as the distinction between ads and malware becomes a technicality.
> In fact, the YouTube app is zippier because fewer connections are made to ad URLs in the first place.
I swear on LG TV that webOS runs at a smooth 60 FPS when it's not connected to Wi-Fi and slows down as soon as it phones home for whatever telemetry and ads LG intend to serve me...
For LG TVs, if you set the region to "Other," it completely disables all the ads, recommended content, and telemetry [1], presumably because they can't keep track of all the changing laws for every nation on earth.
In my experience, there was a noticeable performance improvement as well. Bootup times alone are probably 2x-3x faster.
In a previous role I was tasked with increasing the lighthouse/pagespeed score across some web properties. After some iterations and very little improvements we would be asked what else we could do. Did we need to speed up the backend? Could we lower latency, etc…
The solution: I set up a query param that would disable google tag manager. All of the crazy tracking and telemetry stuff we didn't control was the biggest issue.
You're not imagining it! The ads slow down webOS a lot, and blocking them with pi-hole made my TV much more usable. I highly recommend setting up pi-hole or similar, and blocking all the LG domains it tries to hit.
Easier solution: You can get YouTube Premium for $2 a month if you just happen to be in Argentina while you sign up, even if you are using a US credit card to pay.
Nah. I’m old enough that i don’t care about playing the “catch the mouse” game with all the various ways to borderline-legally pay less (and maybe get your account flagged and suspended - good luck appealing to that).
I’ll just block ads, alphabet is doing fine anyway.
You can use a separate Google account with a separate email address for that. Using Apple Pay or similar, your payment also remains anonymous. And if you don’t care about history etc., you can switch to a new account every year or so.
Problem is that everyone just blocks the ads and forget to pay the creators directly, which by the way would be extremely costly and time consuming if you want to pay everyone you watch, therefore the need for a product like YT Premium...
On a side note, I noticed a rare tracking consent banner. You may want to update it to track users and respect GDPR correctly. It should be possible to refuse as easily as accepting to be tracked, with the same button size and colour, for example. The tracking should start after consent is given. Also, GDPR isn’t so much about accepting cookies but giving consent to be tracked. So many websites get it wrong, and the likelihood that you will have issues is very close to zero, but since it looks like you implemented your banner yourself, you may be interested.
I interpret this as an opt-in as you can just scroll past the banner and not be tracked. If the site starts tracking without clicking the consent the banner is useless, or maybe even worse than useless, from the legal point of view.
It's maddening how people just refuse to understand the GDPR. This is likely partly due to intentional misinformation campaigns from the spyware (i.e. advertisement) industry. And then the cargo cult takes care of the rest.
The general gist of GDPR is that if you're not doing some shady shit that your visitors wouldn't want you to do, you don't need a consent. As you said, it has nothing to do with cookies.
And yes, Google Analytics etc are shady shit that your visitors wouldn't want you to do.
Also most of the nags you see all the time are illegal for any sane interpretation of the law. But the regulators just don't care to enforce the law at all. So if you want to do shady shit, just do it without adding to the insult with having to bother with your illegal nag.
Because I already support my favorite creators in other ways. Because I'll still see ads when I use other devices. Because videos have extra ads in the form of sponsor segments.
Because ads are a parasite on society. Because their lying and psychological manipulation should be illegal. Because most of this tracking and privacy invasion mania is the ad industry's fault.
If there's a new product useful for me that I should know about, I'll find out here, in review sites, or when I visit a store, thank you very much.
Do you mean the Y Combinator sponsored posts? My understanding is that they are normal, on-topic posts that are just artificially promoted to the front page. I wouldn't even call that an ad any more than Tinder Boosts are ads.
When those are the worst ads left on the internet, I'll be a happy man.
That's a good question, and I think we haven't explored alternative solutions enough.
As for me, I'm happy to pay for Netflix, Nebula, my VPN, and other services. I still pay, but I'm disappointed in Spotify, who is pushing more and more soft ads even on supposed ad-free plans.
But a YouTube Premium subscription would be financing this ad machine and the decisions that come with it. Have you watched Shorts? No thanks.
I'm prepared. I own a 10tb hard drive that is half-filled with YouTube videos I've backed up. That's 13,000-odd videos in 360p, all raring to go once YouTube bites the dust.
Defending YouTube because we're afraid it will "go away" is the same Stockholm Syndrome that paralyzed people on Twitter for so long. I welcome a change that forces people onto more P2P-oriented services, the status-quo is obnoxious and unsustainable.
Good question. Youtube is convenient central repository of videos, but if it didn’t exist I imagine people would just use google to find videos on other video hosting sites.
What I find very unfair, is that I am paying for YouTube Premium, whose promise is "No ads",
but the "poor content creators" are injecting ads that are directly embedded inside the stream.
Like "Linus Tech Tips".
I think YouTube should force streamers to tag the timecode of their in-stream ads, and auto-skip them for Premium users.
It's like if you play a game and you purchase the In-App upgrade to remove the ads, and at the end there are still ads.
SponsorBlock effectively does this without the creator's help. Even directly subscribing to creators these days isn’t enough, they want you to buy their merch and they almost never consider that a sponsorship. Need to stop acting like these big players are barely making any money.
There’s a reason your TV’s manufacturer doesn’t allow you to install browser addons (or for that matter any software that you really control) on your TV.
The solution is to stay away from poor content creators such as LTT.
I'd rather want a filter that filters all videos that have '...reacts to...' in the title or certain channels such as LTT that get pushed to my front page, even though I really, really don't want to see them.
Yea baked in ads are actually against YouTube TOS but I've tried to report one of the most obnoxious bad actors (they run 90 second TV-style ad breaks made up of 4-5 premade ads with nothing to do with the presenter)
I'd like to address the concept of "ads are creepy" which you will hear often. It's a false equivalence.
Most prominently you'll see the flag under "privacy settings" something like "don't show me relevant ads"; this is obviously a manipulative placebo. Ads are not the problem. That creepy feeling is the awareness that "they know everything about you", or literally how your vivisected intellect is presented in a marketplace for all bidders to insert their ideas.
They will continue surveillance and attention assault whether you let them show you a hint or not. They will continue to sell your identity, behavioral patterns, associates, interests, finances, grades, location, moods, biometrics, and anything else they can monetize. They will continue to attempt to alter your mental state and force you into doing things you wouldn't ordinarily do.
However you set that "relevant ads" button, you can be sure the trillion dollar corporation will not lose a penny when you check that box; they'll show you a different, equally profitable, ad, and your data firehose is still for sale.
It does seem weird though that the surveillance firms would go to the lengths of using dark patterns and persistent nagging to get users to allow targeted ads if it didn’t matter to them.
> I don't get why people block ads on YouTube, robbing individual creators. It's not like hulu or Amazon where you are just robbing megacorp and predatorial studios.
The greatest trick Google ever pulled was getting people to rationalize their ad campaign like this. They place the independent creators in front of themselves, so that blocking ads doesn't hurt the largest advertising company on the planet, it hurts the little creator who you're personally invested in. The honest truth is that if I had my way, all advertising would be gone from the internet. Yes, I understand the repercussions of that, but I view advertising and the implications of advertising to be a huge net negative, and I have no interest in being forced to watch any.
> I don't get why people block ads on YouTube, robbing individual creators. It's not like hulu or Amazon where you are just robbing megacorp and predatorial studios.
How much does YouTube/Google/Alphabet get from each ad view and how much of that goes to the actual uploader of the video? If the ratio is less than ~50%, I wouldn't feel too bad about it.
Secondly, not everyone could afford the $10 price, but still doesn't want to view ads. These people wouldn't pay the $10 price regardless.
Thirdly, if you follow this procedure and strip the ads from the stream, does that make it so YouTube doesn't count the ad impression?
Creator gets 55% of ad revenue, and 70% of direct contributions like superchats. Premium revenue is shared as well. Ad-blocked views count for analytics but not in ad impressions.
I'm not super familiar with YouTube terminology, is "YouTube Partner Program" something that applies to anyone who has ads on their YouTube channel? Seems to me something you need to apply to, and also only available in Canada, South Korea, Taiwan, the United Kingdom, and the United States which probably excludes more than 50% of popular channels on YouTube.
It seems to me that YouTube would serve ads on any channel, not just those part of the YouTube Partner Program, but the % revenue share isn't published for non-partners it seems.
Partners are everyone with monetization (revenue sharing) [1]. It's available in many many countries [2]. The countries you are listing are the early access to newer features like superchats, merch store, etc [3]
I'm not basing anything I say here on rumors or hearsay, I'm simply reading the content on Google's own websites regarding this, as I personally have no experience about it.
From the first link:
> I'm not a YouTube partner, so why am I seeing ads on my videos?
> YouTube may also place ads on videos in channels not in the YouTube Partner Program.
Doesn't this mean that YouTube is earning money from ads placed on videos where people don't get anything from the revenue?
Because YouTube ads like all ads are annoying. For the couple of times a month I end up watching something on YouTube by luck, why would I care about “creators”.
If you don’t care about the creators then why watch the content? Sure, the subscription might not make sense to you, but either the content has some value or not. The ads are the value exchange.
> If you don’t care about the creators then why watch the content?
Because he might not give a * about the creator or their way to monetization, but want to watch the content? And even then, the content itself doesn't seem to be that important either, seeing that they said "a couple times a month".
Probably it even falls under the category of "I watch it because it is there anyway, but I wouldn't miss it too much if the content hadn't been created to begin with".
I myself watch quite a bunch of YT with ads blocked and SponsorBlock to skip inserted product placements, because absolutely all of my consumption falls into that category. I wouldn't miss if tomorrow none of it was made any more. Well, maybe Smarter Every Day. But even then there are much better ways to support that channel. Most creators found out that real money doesn't come from YT but from sponsorships and side channels outside of the platform, anyway.
I guess my point is, either the content has some value to you or not. If you’d rather not sit through the ad for the content, that’s fine, go and spend your time doing something that does have value to you.
I use YouTube primarily as a diy reference manual. It’s infrequent enough that I don’t want to pay for a subscription. I will however exchange a small bit of time in order to get the content, because it has value to me at that moment.
Because I was tired and work was painful, I wanted some rest but YT injected some garbage content. They've exploited my vulnerable mental state to manipulate me into clicking, but I didn't like the content. Should I support predators?
Uninstalling is moving the icon to the top of the screen and letting it go over "uninstall" and freeing hundreds of MB. Deactivate is buried in settings -> apps -> YouTube -> deactivate -> confirm.
Primarily because I already pay for YouTube Premium on my main devices, but some of my other devices aren't signed into that. I'm not paying for it twice, especially not on my work account, that would be inappropriate. I already support most creators I'm subscribed to via Patreon; the ones I don't tend to not accept payment at all, usually smaller channels that do it just for fun. These channels also aren't big enough to be a YT partner, so they aren't getting any ad revenue; there's nothing to "rob" as you put it.
Secondarily, because I already run an ad blocker for the rest of the web, and I'm not ever going to turn it off on principle. I view ads as a malicious tax on my attention and a threat to my computer's security. They simply don't get to run on my machines. Monetize your content some other way, I'm happy to pay for it once you've earned my respect. (You do that by making good content.)
(This is also why I stopped watching regular TV; too many damn ads.)
Notably, I don't really "browse" YouTube. I have a small fixed set of subscriptions whose videos I watch. I use my content blocker to remove the "recommendations" sidebar and the end-of-video grid, because I find them distracting. So, yes, I run my "ad"-blocker even on my YT Premium devices because I gain other UX benefits from doing so.
I stopped paying for YT premium and figured out how to work ReVanced because YT premium doesn't actually block the minute-plus ads that creators put in their videos to ensure they actually get paid when YT stiffs them and ReVanced/Sponsorblock does.
Watching ads pays for nothing, buying stuff where the price includes a fraction of the ad budget of the company pays. Even when I am blocking ads, I still buy stuff, I still contribute to ad budgets, my money still gets spent on some ad campaign and ends up in the hands of some creator or whatever. At worst I will somewhat skew the way the money gets distributed by blocking ads, but that is something I am willing to accept in order to not get distracted, annoyed and tracked.
If possible, I would happily pay a reasonable amount every month to get rid of all ads everywhere even though I would essentially be paying twice, once with the monthly payment and I would still pay for part of the ad budget with everything I buy. But this is currently not possible anyway and getting individual subscription everywhere - if even possible - will cost you an unreasonable amount and make you deal with countless subscriptions unless you are a person only using a handful of different sites.
Ya how dare they experiment and "hack" ads! This is certainly no place for people to talk about hacking things and taking away money from people.
We should only post stuff that is pro ads as ads support individuals!
You're really picking sides with the whole, no to Youtube, yes to Hulu. At the end of the day they are all corporations. If one corporation passes along some of the profits, it doesn't make it a good corporation. It just means their business model is that. If Google could not pay people it 100% would. They are not paying people because they are super kind, they are doing it as it attracts people to make videos. Which attracts people to watch ads...
I can answer it. I am not against advertisement. I'm against advertisement that does whatever possible to get in the way of viewer trying to watch a creator's content they want to support.
Did you know there were half an hour long advertisement blocks on YouTube? I saw them in long playing videos I turned on for kids. If that doesn't bother you, I don't think it's in my power to explain to you "why people block ads on YouTube".
I pay for premium, but when I'm visiting my parents in another country, some premium features are deactivated, no more yt in background, sometimes even ads. Also sponsored blocks in yt videos. Like really, at this point on desktop & mobile I get a better experience by using ublock+sponsorblock compared to yt premium... The only problem is tv - I can't use ublock there and using some box for yt is not that nice: no remote support, sometimes worse chromecast support. A revanced app for tv would be a godsend
Because just like with taxes, people want the benefits of large systems but balk at paying for it themselves even when the payment is just time/annoyance.
Ads are against my personal moral and ethical code. As far as I am concerned, ads, and paying to remove ads, are highly immoral actions.
Not to mention that no one has the right to force me to consume information I do not want to consume. If you voluntarily choose to serve me some content, and I choose to ignore parts of it, who the frak are you to criticize me. You don't get to choose on my behalf what content I consume.
I think it’s because we as humans are extremely selfish creatures…
It’s the same reason that software developers wouldn’t support the guy that built Sublime Text even though they used the app for their jobs and to build personal projects. It was undoubtedly the most popular text editor until Visual Studio Code.
It’s the same reason that the majority of successful startups don’t go back and support the maintainers of the FOSS they used to get rich.
It’s the same reason fans “pirated” their favorite bands music on Kazaa and Limewire without paying for it.
It’s the same reason we won’t ban assault rifles in the US, even though there were more than 400 mass shootings this year because we would prefer to have our guns than save a life.
We may even have an “evil nature” but I’ll leave that to theologians and philosophers to figure out.
Altruism does not come naturally to us without obvious direct benefits unfortunately which is why we’ve developed governments, laws and weapons.
Because ads don't work on me, they just annoy me. Besides, my own devices should not act in someone else's interests. And, moreover, I'm an egoist. You want reliable income? Charge for your stuff then instead of relying on other people's empathy they may or may not have.
"Because ads don't work on me"
I used to think like this also until it dawned on me that I have no idea where the motivations and reasons for my decisions come from. This is because they are almost entirely subconscious. And if they are subconscious we have no real way of knowing whether we are or are not influenced by advertising.
e.g., visited the Heineken Brewery in Amsterdam when I was a late teenager which was basically an advertising museum of all their advertisements going back to the 1950s. Before that day I had never drunk Heineken but after that I found myself drinking it regularly for years. If you asked me if I was influenced by advertising I would have said no way. Now I'm more open minded to that possibility hence I use adblock to shield my poor defenceless brain.
> If you don't want ads on youtube, just pay the $10 premium fee.
YT premium doesn't actually block the ads that creators put in their videos, SponsorBlock+AdBlock does. Give me the same functionality for 10$ in YT Premium and I will pay.
So how would you monetize YouTube with its huge infrastructure & payroll? And if everyone used something to block in-video sponsored ads, how would you monetize your hard work as a creator?
YouTube could offer a way to block sponsor segments too. If a small open source project run by one guy (super nice guy!) can do it, they can figure it out too.
The sponsor segments can be longer than any native YouTube ad so it makes YouTube premium a bit useless.
uBlock Origin (on Firefox) appears to completely block Spotify ads in my browser. At least I assume that's what's blocking it. Have never heard an ad on a free account...
Because Google sucks as a company, that is the only reason. By paying for a family plan, it would still mean I would give money to a company I dislike.
No, this is nonsense. You cannot force someone to watch ads. Is it robbing video creators to mute an ad while it's playing? Is it robbing video creators to get up and grab a drink during an ad? If YouTube wants to monetize, then they can paywall their content, and more power to them. If I want to support a creator, I'll subscribe to their Patreon (and I do!). But my browser is a user agent operating on my behalf, running on a computer whose software I control, on a network whose traffic I control.
Suffering corporate brainwashing via ads is not some moral imperative, and I wish people would stop trying to pretend otherwise, especially on Hacker News, of all places.
> Is it robbing video creators to mute an ad while it's playing? Is it robbing video creators to get up and grab a drink during an ad?
There are many in the industry that would argue that it is, as would be "switching the channel" on a television.
That's why you see a patent every couple of years for things like automatically pausing ads when they detect that a user's gaze is not on the ad, or pausing the ad and content altogether until the user confirms that they saw the ad by saying a keyword from it.
There are a variety of reasons why these kinds of ad affirmation tools have not been employed yet, but it is just a matter of time until they are. There is simply too much money left on the table.
> I don't get why people block ads on YouTube, robbing individual creators. It's not like hulu or Amazon where you are just robbing megacorp and predatorial studios.
Simply put, fuck advertisements. And especially fuck loud, obnoxious, malware-laden, adver-shit. I will block anything that looks like an advert, malware, or otherwise against my purposes.
And do not forget that I'm simply preventing them on my computer, with software I control.
And "robbing"?? What a bloody joke. I never took anything, and I especially didn't use violence in doing so.
One of the things I never do is pay someone else to circumvent paying the original vendor. I either buy it legally, in the correct region, or pirate it for free.
Ok, 3 bucks and inconvenience of using a vpn(if free it's also tracking you) and no blocking sponsored blocks and works worse in some countries without vpn? Yeah sure...
I pay for premium, but I do this solely for blocking tv ads and yt music, for the rest, ublock and sponsorblock do offer a better experience in browsers and completely free
Actually, YouTube as a service holds quite a bit of value for me, so I am happily paying for premium subscription, which removes ads and also gives access to YouTube Music.
> Exploit a Protobuf Flaw to Easily Remove All Ads by Changing One Byte
He's intentionally corrupting the tag on one field of the protobuf. The "flaw" is apparently that Protobuf ignores tag numbers it doesn't recognize. But that's not a flaw, it's a core design feature of Protobuf, designed to allow extensibility.
> Notice how the Protobuf response payload is 1.87 MiB? As I said, Google makes it computationally expensive to decode, alter, and re-encode without the C++ source proto files, but a quick linear scan takes no effort at all.
1.87MB is not that big, and presumably these messages only come through occasionally, not in a constant stream, so I'm a bit perplexed about the purported performance barrier here.
The text seems to be claiming that Protobuf encoding is designed to be expensive to decode, but it's actually the opposite, Protobuf is intended to be efficient to decode.
He says you need the source proto (schema) files to make it efficient, but this isn't really true, you can decode directly into UnknownFieldSet easily enough.
Or better, he could have written his own fake .proto schema that covers just the one field he is aiming to remove. This would have been much less error-prone than the string-scanning approach which could accidentally match other data where the same byte sequence happened to appear by coincidence.
> While computationally expensive, decoding, editing, and re-encoding without the original schema leads to a modified encoding. This is likely because we cannot detect if ZigZag encoding is being used, or if a number is an int32, int64, sint32/64, varint, etc., plus the order of object fields is normally non-deterministic. Here is some Protobuf trivia on the matter:
I think he's misunderstanding here. The point is that the Protobuf encoder is allowed to encode fields in any order, hence decoding and immediately re-encoding a message can lead to different bytes. But, the receiver is supposed to treat the message the same regardless. It's unlikely that the YouTube app is going to notice if the field order changes.
(I used to work on Protobufs, a long time ago.)
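An added example, not part of the comment above and not Protobuf's own code: a minimal schema-less walk of the wire format, showing that a reader skips field numbers it does not recognise, that field order does not change the decoded result, and that a raw byte scan also matches inside string data. The function names and the sample bytes are constructed for illustration.

```python
# Added illustration; names and sample bytes are assumptions, not from the thread.
def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("bad varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7

def walk_fields(buf):
    """Yield (field_number, wire_type, tag_offset, payload) per top-level field."""
    pos = 0
    while pos < len(buf):
        tag_offset = pos
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:                      # varint
            payload, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):               # fixed64 / fixed32
            size = 8 if wire_type == 1 else 4
            payload, pos = buf[pos:pos + size], pos + size
        elif wire_type == 2:                    # length-delimited
            size, pos = read_varint(buf, pos)
            payload, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("truncated field")
        yield number, wire_type, tag_offset, payload

def decode_known(buf, known):
    """Keep only field numbers in `known`; unrecognised numbers are skipped."""
    return {n: p for n, _, _, p in walk_fields(buf) if n in known}

def scan_offsets(buf, needle):
    """Naive linear scan: every offset where `needle` occurs in the raw bytes."""
    return [i for i in range(len(buf)) if buf.startswith(needle, i)]

# Constructed sample: field 1 is a string whose bytes happen to contain
# 0x32 0x03, the same bytes as the tag and length prefix of the real field 6.
FIELD_1 = b"\x0a\x05" + b"\x32\x03xyz"
FIELD_6 = b"\x32\x03" + b"abc"
MESSAGE = FIELD_1 + FIELD_6
REORDERED = FIELD_6 + FIELD_1   # same fields, different byte order
```

On the sample, the byte scan reports two offsets for `0x32 0x03`, one of them inside field 1's string data, while the structural walk finds field 6 only at its real tag offset.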