> your ad blocker will need to introspect and run rules on the contents of every request payload. The impact to web browsing performance would be prohibitive.
Could ad blockers run WebAssembly? I suppose it will be up to the task, because it means minimum work for a GC, and no overhead coming from dynamic types of js. With the jit compilation it will be comparable by performance to a native code and native code has no issues dealing with every payload byte-per-byte.
> And if it got to that point Google would just randomise the payload.
And then ad blockers start to measure entropy.
> It's pretty easy to do with obfuscation tools.
It is easy to do, but obfuscation really works only when no one is targeting you specifically, when you are defending yourself from bots that try random targets in hopes to find vulnerable ones. Against targeted attacks it becomes an arms race, so you'd need to change constantly, and eventually you will need to spent a lot of time discovering the ways how your obfuscation is defeated, so it comes to an equal amount of difficulties for both sides.
On the side note, I wonder is there possible an attack of poisoning google stats by sending the fake data from the website. Probably the Google's trick to overcome this threat is to control CDN, so it gets the data from the trusted server.
Could ad blockers run WebAssembly? I suppose it will be up to the task, because it means minimum work for a GC, and no overhead coming from dynamic types of js. With the jit compilation it will be comparable by performance to a native code and native code has no issues dealing with every payload byte-per-byte.
> And if it got to that point Google would just randomise the payload.
And then ad blockers start to measure entropy.
> It's pretty easy to do with obfuscation tools.
It is easy to do, but obfuscation really works only when no one is targeting you specifically, when you are defending yourself from bots that try random targets in hopes to find vulnerable ones. Against targeted attacks it becomes an arms race, so you'd need to change constantly, and eventually you will need to spent a lot of time discovering the ways how your obfuscation is defeated, so it comes to an equal amount of difficulties for both sides.
On the side note, I wonder is there possible an attack of poisoning google stats by sending the fake data from the website. Probably the Google's trick to overcome this threat is to control CDN, so it gets the data from the trusted server.