Saturday, April 09, 2011

Updated - Create your own TPL for IE9

Tracking Protection List, that is.  For the IE9 users out there who want a little more fine grained control over what gets delivered to your browser and who have access to web server, you can create your own handy-dandy TPL.

First, a quick review of what a TPL does on IE9. A TPL is a plain text file that you can open up and read directly to see what's in it. Nothing compiled or hidden here.

When you add and enable a list in your browser, it checks that list for instructions on how to handle the stuff the web page you want to view is trying to download.  Each thing that comes in is evaluated for two things:
  1. Is it coming from the same site where you're browsing? An example of this is news site like LA Times with ads from Double-click. If the content is coming from the LA Times, it is allowed. If it is not, the next thing kicks in.
  2. Is there a rule for it in one of the TPLs loaded in the browser? The rules are relatively simple - yes, let it downlaod or no, block that sucker. If it is blocked, the browser refuses the connection and the junk doesn't download.
OK, now that you know the basics, here's the two caveats:
  1. If you have multiple TPLs, and one says No, don't download X and another says Yes, download X, the Yes rule wins.  The exception to this is your built-in personalized list. The rules in that list take precedence over the rules in all other lists. The problem I find with the personalized list is that it will block cookies and tracking stuff, but it doesn't let you specify exactly what things you want to block.
  2. The professionally prepared lists may block advertisement and tracking stuff, but they don't block annoying sites as such. They really don't handle the social media sites very well, letting Facebook in particular run rough-shod across a page.
In general, the TPLs work pretty well as long as you do NOT load the TRUSTe TPL, last link on this page: http://www.iegallery.com/us/trackingprotectionlists/default.aspx. Why not? TRUSTe is the Trojan Horse of the TPL world, and deliberately allows all the tracking shit to access your computer.  If you don't install it, it can't override the other lists.

Be sure to install Easy List, which is from the same company that produces the Ad Block plug-in for Firefox.  The lists from Abine and Privacy Choice are pretty good, too. Once in place, your browser will automatically go and check them for updates.  They work sliently in the background at all times. The updates are delivered transparently and you don't have to restart the browser.

The issue that happened today was a site I use all the time suddenly and obnoxiously displayed the Facebook "Like" button. I started checking other sites I frequent and realized that this miserable bit of crapware was infesting everything. I looked at the various TPLs I have installed, and found that none of them attempted to block any Facebook stuff downloaded as a 3rd party item on a web site. The Like button sits inside an Iframe in the page, which further masks its presence. 

After a little searching, I found some great information from the W3C on how to build a TPL. It's located here: http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/ A little dense to get through, but if you use Easy List's TPL as a model, not hard to figure out. Start at section 4 - List Format, and read down.

Armed with a bit of knowledge, I opened up Notepad and created a TPL that blocked Facebook as a 3rd party download to my system. The file reads:

msFilterList
: Expires = 5
# blocked strings
- like.php
# domain rules
-d facebook.com
-d facebook.net

This says check for a list update every five days, block any URI (Uniform Resource Identifier) that has "like.php" anywhere in the URL, and block anything from either facebook domain, .com or .net. I saved it as "personaltpl.tpl" and uploaded it to my web server. (You can save it with a  .txt extension and it will work just as well, by the way.) I also created a simple HTML file that just had a link to the tpl file with a little added javascript to tell the browser to install the file. I took that code from the links on Microsoft's page with the TPLs list I linked above.  

After I uploaded the files, I browsed to the HTML page, clicked the link and installed the new TPL.  Bye-bye Facebook Like buttons.  The extra nice thing is I can add whatever other blocks I want to the file at any time and block the stuff the other lists won't do. When I go to a third party site (making it first party), then the list doesn't block stuff because it is being delivered directly and it's assumed that if you are on the site, you want stuff from that site.

So there's a little tutorial on how to take blocking into your own hands if you're using IE9. You can actually also use this method in IE8, it's just harder to install the lists.

The TPL list method is efficient and effective. You can see the marketing hyenas trying to keep people from using it by turning it off by default in IE9 and not promoting the TPL list links. In truth, it is as or more easy to use than downloading Ad Block for Firefox. After all, Firefox doesn't come with it installed and ready to switch on, does it? You have to know about it and go find it.  Here's how to get "Ad Block" for IE9, easy.
  1. Click the Gear icon in the upper right corner of the browser window.
  2. In the menu, select Saftey/Tracking Protection. A new window opens.
  3. In that window, look for the item "Your Personalized List" in the main window. Select it.
  4. Click the "Enable" button.
Congratulations, you now have "Ad Block" for IE9 working.  Want to add a few more lists? Go to the Internet Explorer Gallery site (it's a preloaded bookmark in the browser, but if you're incapable of using bookmarks, here's the URL: http://www.iegallery.com/us/). On the home page, there's a BIG button that says "Get Tracking Protection Lists".  Click it for the page I linked to above. Install Easy List. That will give you the actual, latest "Ad Block" blocking list. 
Now, see, that wasn't so hard, was it? If you want to block even more, build a custom TPL and put it on your own website or ask a friend with a site to post it for you.

For how to get the same protection on XP with IE8, read over my Safe Browsing article, especially Chapter 15, How I Browse.  It is a more manual version of what I told you to do with IE9, plus you can't add pre-compiled lists of blocked 3rd party sites, you have to build your own list, but it works and you don't have to worry about ad-ons breaking or being incompatible with the latest update.

It's popular among the technorati to scream and howl about how awful IE is, and never offer a hint to ordinary users on how to turn on built-in features of the product that are as if not more effective than the plug-ins for other browsers.  This post is for the majority of web site users who are on IE and who are getting sick and tired of being sneered at instead of helped by your allegedly technically literate friends.  The sad truth is they don't know about the real differences between browsers, don't understand security, confuse blocking ads with being secure, and reflexively bash Microsoft instead of critically interrogate all corporate claims.  They probably don't know about TPL and its status as a proposed standard for dealing with attempts to track you, or about how your personal list trumps commercially prepared TPLs.  Etc.

Safe browsing means not being railroaded by corporation or the conventional wisdom of the hip crowd.

Anglachel

Update - with thanks to commenter John, I have been pointed at a very interesting site by Hal Berenson.  Hal has three links of relevance to this particular post:

2 comments:

Anonymous said...

"TRUSTe gets its Tracking Protection List act together"

http://hal2020.com/2011/04/10/truste-gets-its-tracking-protection-list-act-together/

Berban said...

Hey Anglachel, great informative post!!
Unfortunately I can't get it to work for jack s*** :( For instance I tried various simple tests such as
- logo3w.png
which should seemingly block the Google logo, yet it never succeeded in doing that. I wasn't able to figure out the javascript to add my own TPL but I just went into the registry and altered the source file of an existing .tpl file. This seemed to work as the new text would display when you double-clicked the tpl in the IE9 gui. But I could not get any actual blocking to take place. I even tried taking an existing tpl such as Abine and modifying a single line in the source file yet it still would not block the element I specified.
Sorry for the rant but I'm just very confused and wondering if you had any insights.
Thanks again! -berban