According to a Haaretz article, Israeli cyber firms have developed the technology to deliver very advanced spyware through commercial, very targeted advertising ("Revealed: Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists", Haaretz.com, archived at https://archive.ph/Vkxt1). Also see RestorePrivacy's article "State Spyware Extensively Using Ads as Distribution Channel".
With this technology, they can target people with very specific characteristics. An example from the article:
“However, these technologies can also be used for security aims, such as for surveilling suspected targets, even without knowing personal information about them. One can imagine, for example, an advertising campaign that is geared toward an audience of nuclear scientists of Iranian origin between the ages of 35 and 65 who passed through the airport in Tehran over the past year. After these individuals are profiled and receive the first ads, they can continue to be targeted over time; the technology can pinpoint where they traveled and when.”
If it is possible to do that, is it also possible for them to detect people using the Tor Browser and send advertisements with spyware crafted specifically to infect anyone who is viewing via the Tor Browser?
With millions of people using the Tor Browser every day, such ad-based malware could be used to deanonymize a lot of people. And the targets would never know, since they cannot tell a relatively benign ad on a webpage from a malicious one. A threat actor like Insanet or NSO Group could collect a lot of intelligence that way, as could a state-sponsored threat actor who may or may not have purchased their tools.
How can we protect against this attack? We can set NoScript to the safest security level, but a large number of websites do not work at the safest level. This forum does not work well without JavaScript, for example. The archive website requires Tor users to pass a CAPTCHA that requires JavaScript as well. But without the safest level, the Tor Browser does not block advertisements. The theory is that adding an adblock extension like uBlock Origin could result in browser fingerprinting. But without something like uBlock Origin, how do we defend against this attack when we visit a website that requires JavaScript? For all we know, Google is already cooperating with the NSA to send malicious ads to anyone that it detects as a Tor user, allowing the NSA to hack their computers or at least deanonymize them. If they are not doing that, they could very well do that in the future, especially given how obedient big tech is to the government.
Is this new threat enough justification to add uBlock Origin in addition to NoScript to the default Tor Browser configuration? Perhaps uBlock Origin could be modified so that the user cannot choose their filter lists or change their uBlock Origin settings, so that everyone's settings are identical. Would that result in identical fingerprints between Tor users, while still allowing for some degree of protection against this type of attack? Or is that still not a good idea?
How can we solve this problem?
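As an added illustration (not part of the original post or of any Tor Project or uBlock Origin code) of why the filter configuration question matters: a page can observe which of its own requests a blocker cancels, and that observation is a fingerprint bit vector. The Node.js script below models a small, constructed subset of the Adblock Plus / uBlock Origin filter syntax and three constructed user configurations; the hostnames, lists and "bait" URLs are all invented for the example.

```javascript
// Toy model of how a blocker's filter configuration becomes observable.
// Supported subset of the filter syntax (constructed, not the full format):
//   "||host^"  block any URL whose hostname is host or a subdomain of host
//   "text"     block any URL containing text
//   "@@rule"   exception: a matching exception overrides any block
//   "! ..."    comment line
function parseFilter(line) {
  let exception = false;
  if (line.startsWith("@@")) { exception = true; line = line.slice(2); }
  if (line.startsWith("||")) {
    const host = line.slice(2).replace(/\^$/, "");
    const test = (url) => {
      const h = new URL(url).hostname;
      return h === host || h.endsWith("." + host);
    };
    return { exception, test };
  }
  return { exception, test: (url) => url.includes(line) };
}

// Compile a list into a predicate isBlocked(url). Exceptions win, as in the real format.
function compileList(lines) {
  const rules = lines.map((l) => l.trim()).filter((l) => l && !l.startsWith("!")).map(parseFilter);
  return (url) => {
    const hits = rules.filter((r) => r.test(url));
    if (hits.some((r) => r.exception)) return false;
    return hits.some((r) => !r.exception);
  };
}

// A page that wants to learn what you block issues requests to bait URLs (constructed)
// and records which ones fail. The resulting bit string is the fingerprint.
const BAIT_URLS = [
  "https://ads.example-ad-network.test/banner.js",
  "https://cdn.example-site.test/static/ads/pixel.gif",
  "https://tracker.example-analytics.test/collect",
  "https://cdn.example-site.test/static/app.js",
];
function probe(isBlocked) {
  return BAIT_URLS.map((u) => (isBlocked(u) ? "1" : "0")).join("");
}

// Three constructed configurations: no blocker, a fixed default list, default plus an extra list.
const DEFAULT_LIST = ["! constructed default list", "||example-ad-network.test^", "/ads/"];
const EXTRA_LIST = ["||example-analytics.test^", "/static/", "@@/static/app.js"];
const CONFIGS = {
  noBlocker: () => false,
  defaultOnly: compileList(DEFAULT_LIST),
  defaultPlusExtra: compileList(DEFAULT_LIST.concat(EXTRA_LIST)),
};
// Users with identical lists produce identical strings; any enabled-list difference is visible.
function fingerprints() {
  return Object.fromEntries(Object.entries(CONFIGS).map(([name, f]) => [name, probe(f)]));
}
```

Two users running the same locked-down list land in the same bucket, which is the point of the "identical settings" proposal; a user who enables one extra list, or has no blocker at all, is separated from them with a handful of requests.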