> instead, I found a flaw in the Protobuf format which allows me to reliably change one byte to obliterate ads.
Let me guess, the author changed the field number to a large unused number.
> Now, all we have to do is scan the Protobuf bytes for classic ad URL signatures like /pagead/ to bound our field search, then move backward from there until we find the target(s) field tags and thus field keys we would like to denature (e.g. 49399797 –> 49399796).
Yeah. This isn't a flaw, this is intended behavior.
If you're willing to go through the effort to find the tag, it's really not that much additional effort to then read the (varint) length right next to the tag and... just skip those bytes.
Yes, you'd need to copy your buffer to do this, or at least slide your bytes around. But the proof-of-concept script already has to perform a copy because the bytes object returned by mitmproxy's API (`body: bytearray = bytearray(flow.response.get_content(strict=False) or b"")`) is immutable, and even a memoryview isn't going to bypass this limitation.
On the protocol level everything is working as expected, but I think the flaw is that Google's way of dealing with these unknown fields in the ad data structure isn't to throw an error, but to pretend there are no ads to play. After all, Google will definitely release a new version of their app before they modify the protocol to make all the old versions not play ads anymore.
Google could shut down this method of ad blocking instantly by either doing basic certificate pinning or by altering their decoding logic to be less graceful of failures when it comes to extracting ad information. If I were on the YouTube team, I'd consider these flaws.
Smoothly handling missing or unexpected fields is half the value proposition of protobuf. May as well switch to a much simpler versioned binary protocol instead of all this schema and field tagging complexity if you want to reject every message that doesn't match the client's schema.
But rejecting unknown messages would likely degrade the user experience. Just because Google releases a new version doesn't mean everyone instantly has that new version installed everywhere.
Certificate pinning would be a solution, but the world seems to have decided that that's very difficult to get right. Probably easier to get right in an app than in a website, but I understand not using it.
They could manually sign the protobuf messages to ensure integrity. Duplicating some of the work TLS would already do, but doing it decoupled from TLS infrastructure may be easier.
But unless something like OP's hack becomes mainstream, Google's current approach could be the right one. Sure, it leaves them open to message manipulation, but the potential lost ad revenue from even a tiny failure rate around update time from the other approaches could easily outweigh what they lose from a handful of people running middleware boxes to block ads.
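Added example, not part of the thread or of the original write-up: a minimal Protobuf wire-format walker showing why a renumbered field is silently dropped by a schema-aware decoder, and how a MAC over the serialized bytes (standing in here for the message signing suggested above, so the block needs only the standard library) catches the change. The field number is the one quoted in the thread; the message layout, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac

AD_FIELD = 49399797             # field number quoted in the thread
TITLE_FIELD = 1                 # hypothetical field for this constructed message
KEY = b"constructed-demo-key"   # assumption: stand-in for a real signing key


def encode_varint(n):
    """Base-128 varint: 7 payload bits per byte, MSB set on all but the last."""
    out = bytearray()
    while True:
        low = n & 0x7F
        n >>= 7
        if n:
            out.append(low | 0x80)
        else:
            out.append(low)
            return bytes(out)


def decode_varint(buf, pos):
    """Return (value, next_pos); reject truncated or overlong varints."""
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def encode_bytes_field(field, payload):
    """Length-delimited field (wire type 2): tag, length, payload."""
    tag = (field << 3) | 2
    return encode_varint(tag) + encode_varint(len(payload)) + payload


def walk_fields(buf):
    """Yield (field_number, wire_type, raw_value) for each top-level field."""
    pos = 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == 0:                       # varint
            value, pos = decode_varint(buf, pos)
        elif wire == 1:                     # fixed 64-bit
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire == 2:                     # length-delimited
            length, pos = decode_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire == 5:                     # fixed 32-bit
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError("unsupported wire type %d" % wire)
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
        yield field, wire, value


def client_decode(buf):
    """Schema-aware decoder: unknown field numbers are skipped, not errors."""
    msg = {"title": None, "ads": [], "unknown": []}
    for field, _wire, value in walk_fields(buf):
        if field == TITLE_FIELD:
            msg["title"] = value.decode()
        elif field == AD_FIELD:
            msg["ads"].append(value)
        else:
            msg["unknown"].append(field)
    return msg


def sign(buf):
    return hmac.new(KEY, buf, hashlib.sha256).digest()


def verify(buf, mac):
    return hmac.compare_digest(sign(buf), mac)


def demo():
    title = encode_bytes_field(TITLE_FIELD, b"video")
    original = title + encode_bytes_field(AD_FIELD, b"ad-slot-1")
    # Same payload under the neighbouring field number, as in the thread's
    # 49399797 -> 49399796 example; only one byte of the tag varint changes.
    altered = title + encode_bytes_field(AD_FIELD - 1, b"ad-slot-1")
    mac = sign(original)  # computed by the sender over the exact wire bytes
    return {
        "bytes_changed": sum(a != b for a, b in zip(original, altered)),
        "same_length": len(original) == len(altered),
        "ads_original": client_decode(original)["ads"],
        "ads_altered": client_decode(altered)["ads"],
        "unknown_altered": client_decode(altered)["unknown"],
        "mac_ok_original": verify(original, mac),
        "mac_ok_altered": verify(altered, mac),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The decoder raises no error on the altered message because skipping unknown fields is what the wire format is designed for; only the check over the raw bytes distinguishes the two messages.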
YouTube often degrades the user experience when it suspects ads being blocked. I think the idea that Google would care more about following protobuf's best practices than rejecting ad blockers is strange from a business perspective.
Cert pinning for YouTube would actually be quite easy, as Google runs its own CA. They can just hard pin their root CA and update the app in twenty years or so when that expires.
AFAIK ignoring unknown fields is a MUST in the protobuf spec. It's safe to assume all of their tooling is built around this. It wouldn't make a difference anyway. As vitus pointed out, deleting the field isn't much harder than changing it to an unknown field.
You can do cert pinning. And the user can modify the app to pin their own cert. And you can lock down the device so the user can't modify the app. And the user can get a different device where they can modify apps. And you can add device attestation. And it's not yet feasible to extract an attestation key from a device, but it probably will be in the future. And then you will switch it to a physically unclonable function. And then someone will figure out how to physically clone it anyway. And so on.
The war on ad-blocking is fundamentally the war on general-purpose computing. By the time you achieve unskippable ad blocking,
You know, you could also just refuse to send any video segments until the time when the ad is supposed to be over. Then the user may try to download their videos in advance, but most of the time they don't know what they're going to watch that far in advance, so they'll sit through the ad to avoid sitting through a black screen. That seems like a more sane thing to try. And you don't have to destroy the fabric of society to do it.
I’d be thrilled to have a black screen instead of ads. I suspect you assume that my motivation is to escape the interruption. To me, let me tell you—the interruption is a mild annoyance, while the ads themselves are an active assault.
Especially now that they’re individually and programmatically targeted to showcase and inflame the neuroses, health concerns, and predilections of each of the specific people in the room around the television.
Amazing how the HIV commercials only appear when individuals in risk groups are around. Those outed a friend once—luckily in a supportive environment.
And the random miscellaneous cancer drug ads come on when the friend who’s an older cancer survivor comes to visit. And the sports betting ads when friends facing gambling addiction are around. And if I hear one more ad hawking supplies for squealing tiny humans when new parents are around, so help me…
Instead of a black screen, I'd like to watch calm cat/dog sleeping videos when they try to serve ads. Maybe one day uBO will add this opt-in feature, like mute the lie and overlay it with a 5-minute preloaded neutral cute content, for desperate services that force users into it.
PS. spent 5 minutes on "a dog sleeping" without stupid music and couldn't find one. Search these days, man...
AFAIK Twitch already sends a simple "there's supposed to be an ad here" video stream during ad breaks when viewing through a non-web player. I'd take 30 seconds of silence over 30 seconds of advertisements any day of the week.
Except that Google introduced NEVER-ENDING ads in the middle of content. I was willing to watch normal-length ads at intervals. But when Google made it impossible for me to watch stuff while cooking because I have to keep herding the program along by pressing Skip every few minutes, I installed an ad-blocking client.
It's pathetic how Google pulls this douchebaggery and then whines when people fight back.
The point is that when ignoring unknown fields leads to users defeating your business model, even though the protocol requires it, the business logic of your software almost certainly should not. Protobuf working as intended, youtube client not so much. Agree that cert pinning is not the solution.
Protobuf and the app are behaving the right way. 99.999% of users aren't going to MitM your protocol.
How exactly should you deploy client code to the edge, which may not be updated, to handle "unknown" tag number fields? You don't, because that's crazy. Nobody should write software like that because it creates a maintenance hell where you can't upgrade or downgrade because "smart" applications are doing stupid, undeterministic things with the protocol.
It's impossible to reason and engineer backward / forward compatibility when you don't treat the wire format and API with respect.
Most of the major migration headaches I've had in my career have been the result of engineers trying to be clever in the time and place they wrote the code.
Ironically, Protobuf does have field options for "required" and "optional", but over a decade ago (I guess shortly after it was first introduced), Google added a huge "do not use required! validate required fields in your own logic!" warning to the docs, because a missing "required" field throws out the whole packet. (And when it's time to deprecate a required field -- it's way more effort)
We originally used "required" for fields that must be present and it screwed us over later due to that. Switched everything to "optional" with the code checking for those fields' existence instead.
If you want to prevent MitM modification attacks, the way to do it is to sign the data. Trying to do it by making the serialization format less forgiving isn’t the right approach at all. It still has to be pretty flexible. It’s going to be pretty hard to come up with a format that cannot possibly be altered to make the client show no ads. Something like certificate pinning is way easier.
Cert pinning is not a solution and defeats legitimate traffic inspection cases. It also just moves the goalposts as the author discusses it can be defeated by a modified app binary. The industry has moved on. Sign your data if modification in-flight is a threat. I’m surprised google isn't doing that.
Cert pinning is a solution. Just because it is not an ideal solution and it is anti-consumer does not make it "not a solution". You can't modify an app binary on an Apple TV without first jailbreaking.
So cert pinning in this case would go from "anyone with a pihole or equivalent can block YT ads on their Apple TV" to "people who jailbreak their Apple TV and install a cert pinning breaker and have a pihole type setup can block ads".
If you are google and your goal is to get people to watch ads, cert pinning is clearly a win if you are at all worried about things like the OP. Clearly they are not very worried, presumably because the bar set by the OP is already too technical for most people (even if it was packaged in a more consumable way).
> Sign your data if modification in-flight is a threat.
Which effectively pins a different key in the binary. Might as well use certificate pinning, which provides both signing and encryption without a second layer of crypto.
When you're running a proprietary video service that's supported by ads and analytics, there aren't that many "legitimate traffic inspection cases". Google prefers people not to mess with their network traffic and would also prefer it to be a bit harder to write YouTube downloader scripts.
From a user perspective, you'd want to break all TLS connections and sniff every bit of data on your network, but that's not the perspective Google has when developing their code.
Signing data is just duplicating TLS security measures with a second key. TLS already signs the data, Google just needs to verify the root of trust.
Alternatively perhaps the cost of implementing / performing the overhead of signing and verification isn’t worth the cost given the relatively few people who are likely to do this
A legitimate traffic inspection case, from the content publisher's perspective, would have an alternate certificate backed by a trusted authority who agreed to protect the ads.
> It also just moves the goalposts as the author discusses it can be defeated by a modified app binary. The industry has moved on. Sign your data if modification in-flight is a threat.
As a sibling comment has also pointed out, signing the data won't help against a user who's modifying the client. You can change the signature the client is expecting on your certificate... and you can also change the signature the client is expecting on your data.
It protects against things other than the intended client modifying the data. Someone said we need cert pinning to protect data integrity in the face of MITM. I am saying signing your requests solves MITM modifying the traffic, so you don’t need cert pinning. Solving binary integrity in hostile compute environments is a different problem.
Google still supports the YouTube app on the PlayStation 3. They are not going to rotate hashes/certs on that app because it's very likely there are between zero and two people who know how in the whole org. There are countless other supported devices like this that are either EOL or not receiving updates, and part of YouTube's value proposition is that they are available everywhere.
The current YouTube certificate has a lifetime of 84 days. The next one will live that long or even shorter. Certificates are rotated too quickly nowadays for pinning to be viable. They'd be better off pinning their CA than their certificate, but that might cause issues for users in certain scenarios.
Funny you mention that, because unnecessary "security" controls on streaming data is how Google broke Chromecasts last week, and still hasn't figured out how to fix.
I haven't had any trouble on my dumb Chromecast so I think they must've pushed an update to fix the issue already. The only app I remember breaking was Jellyfin, ironically enough.
Security controls weren't the reason the devices broke, which is why applications that didn't care about things like DRM still played just fine. The internal CA for the Chromecast hardware certification expired, which requires updating all Chromecasts or temporarily ignoring the expiry date in client apps. It seems like apps are doing the latter while Google is figuring out how to update the Chromecast certificate infra on short notice.
Yes, that's my point, although I can see why you interpreted it otherwise.
mitmproxy's API is flow.response.get_content(strict=False), which returns a bytes object; the proof-of-concept script then copies it into the bytearray using the code that I've cited.
A small C++/Go/... proxy can do the same thing with much, much less overhead. Been there, done that - for something well-defined like this, it is more stable and less work than fighting mitmproxy.
Routing everything through the proxy will degrade performance even with SNI interception.
Same with pfSense - a plain Linux server and a simple iptables rules set would do the job without having to fight against all the pfSense abstraction layers.
Write a .proto file with just enough of the reverse-engineered proto fields to auto-generate code and flip the flag. Cheaper than the Python implementation and easier to update when the proto changes.
Ignoring unknown field tags is an important Protobuf feature - it allows for compatible schema changes without breaking existing deployments.
It would, but it would also decrease the video quality. I'm not opposed to letting my kids watch YouTube, there is a lot of good quality content there, but having some agency in what they pick would be a lot better than the current behavior of short after short after short. Just like snacking on fast food.
I gotta say, I don’t get that perspective. The content is one thing, but YouTube is super reliable for me, streaming or watching. I can easily stream in 4k 60FPS from OBS and YouTube has never had issues ingesting it, though I generally do 1440p because my computer is slow. When watching, I have never had an interruption on my wired Apple TV even for 4k/60FPS.
I do hate the pushing of shorts and the algorithm that seems to have a 3 video memory, but aside from that I’m pretty happy, I don’t get the weird right wing stuff or creepy videos pushed at me or my kids.
For me the content is not the main problem, rather the consistent bloating and enshitification of the player and interface over the years. Nowadays I don't bother anymore and just use mpv and ytdlp to play the few videos I'm interested in.
I don't even bother using scripts, I just manually paste the URL of the video I want to watch into mpv. It's not slow enough for me to have to deal with the garbage Youtube interface.
I never got used to shorts/reels/etc, but it is troubling to see kids addicted to them. I have been thinking that by forcing some pause between videos it would remove some of their addictiveness.
It does. Sometimes I click on an interesting short and then keep swiping to see if anything else is interesting. When the app takes ten seconds to load, I go do something else because there's no real value in the shorts.
You want someone to show you how to write a C++/Go program to forward traffic? There are a lot of tutorials online that can already demonstrate this for you. :)
Can you put together a guide in response showing where the inefficiencies are and how to mitigate them with more simple software?
It sounds like the author was aware of at least parts of your comment. The post is very thorough. They benchmarked using python and c++ and the final impl doesn’t even decode protobuf. They used various mitm solutions. They are using pfsense for more than just “it’s muh security router”—they are vlanning and vpning the traffic so they can target only the appletv on their network.
Your comment is cheap and dismissive. The author’s post is not. You owe it to the community to put your money where your mouth is.
Not sure what kind of answer you are looking for? I did not criticize the author's post. It was an enjoyable read, and I personally would have given up a long time before going to such impressive lengths. The fact that the app isn't using certificate pinning is really interesting and the sheer amount of hacker spirit and determination is extremely wholesome.
I am, however, very familiar with this particular engineering challenge (specifically, attempting to build on pfSense and using mitmproxy scripts in production), so I wanted to share my personal experiences to hopefully save someone else some time and frustration while attempting the same thing.
https://github.com/elazarl/goproxy is a pretty nice Go library for writing proxies, I used it once. Supports both HTTPS passthrough and MITM. Here's a trivial example MITMing connections to www.google.com and rejecting requests to https://www.google.com/maps while allowing everything else through:
-k is to ignore cert error; note how we don't need it for apple.com due to passthrough.
Remember to use your own cert rather than the hardcoded one in "production" (a trusted network like your home of course, probably a bad idea to expose it on the open Internet).
> I want to support content creators, so to be fair, after a few months of blocking YouTube ads, I am now paying for YouTube Premium; Just because I can break something, doesn’t mean I need to.
Does paying for YouTube Premium support creators? (If so, how much, compared to say Patreon?)
Not much compared to Patreon but if you watch more than a couple YouTubers can you reasonably be expected to subscribe to every YouTuber’s Patreon?
I don’t doubt any given YouTube premium subscription provides a negligible amount of income to a creator but watching their videos ad-blocked provides nothing.
(I use ublock on Zen and do not make enough money to be a Patron of anyone unfortunately)
I've seen a Linus Tech Tips video where the seekbar was very colorful due to SponsorBlock, someone added all the sponsors, product placement and tangents into it.
I admit I've marked segments on videos, e.g. skipping cringy jokes when I find the presenter annoying.
To clarify, are you saying that these segments were marked incorrectly?
If so, then it is a plain case of internet vandalism. I would just ignore such segments.
But if the segments were marked correctly and there were too many of them in the video, that is the problem caused by the video creator, not by the community which publishes the segments.
They were marked correctly, but I had a feeling someone was sufficiently annoyed with all the fluff in the video, that they went to the trouble. I think it was the only time I saw an LTT video with that many SB segments.
Really? I've been using sponsorblock for years and I don't feel like I've ever seen any of that. It's pretty rare for me to go back and watch something that was skipped, and when I do, I generally feel that skipping it was the right call.
Youtube has recently added a premium feature where if you skip ahead 5s, it will prompt you to skip an entire "commonly skipped" section. It seems like they've picked up on sponsorblock and are making it a feature for Premium users.
I don't think I've ever had it work on my pixel. I tap ahead through all ad reads I've already decided not to buy, and it's much more reliable to just skip ahead 30s/90s/etc than hope the prompt appears. I've seen the prompt maybe 5 times.
> If you're a YouTube Premium member, you won't see ads, so we share your monthly membership fee with creators. Best of all, the more videos you watch from your favorite creators, the more money they make.
Looking at my YouTube watch video, and that creators get about 45%, it tends to be about 50p an hour (I watch about 12 hours a month and pay about £12) so say 10 cents per 10 minute video.
From what I see ad views tend to net about $1-5 per thousand views, or well under 1 cent per video.
Ie a creator makes 20-100 times as much per view from me rather than a typical viewer.
I'm not sure how it works if you end up watching music on repeat for 200 hours a month and 10 hours of new content. Probably fairer than the way Spotify distributes my subscription fee.
Supposedly creators get a bigger share from YT Premium users' compared to regular, ad-watching views, simply because skipped ads mean no revenue. It's still marginal because most people don't have Premium though.
> Supposedly creators get a bigger share from YT Premium users'
I've heard this multiple times before, but every time I go hunting for a source from Google/YouTube, I cannot find any official statements or confirmed information about this, seems this is mostly based on 3rd party analysis afaik.
Linus tech tips had a break down of their income. One thing Linus highlighted was that YouTube Premium revenue was much larger than most would expect. See https://www.youtube.com/watch?v=-zt57TWkTF4&t=400s (it's a little under 20% of their total revenue from YouTube).
I found this screenshot of the partner program contract that says it's a 55% split for either https://imgur.com/YjOHAAr
But for Premium the amount is distributed by watch time, whereas for ad-supported users it's by number of ad views. This means that for short videos where the value of the ad is higher than the value of the watch time, a "free" user wins, but for longer form videos where the watch time is longer, the Premium user wins.
LinusTechTips once showed the YouTube income breakdowns for some of their videos that showed this - for their hour+ long PC build streams, Premium income was higher and for shorter videos, Ads income was higher.
I've released an album via Distrokid which distributes the release to YouTube as well. You can look at detailed reports there. Youtube revenue is split into Ads, ContentID and Red (which I believe is the old name for Youtube Premium). I just checked and I am currently getting a bigger share from Ads than from Red, per play.
Is "per play" the correct metric to use? What I'd like to compare are the hypotheticals "everyone is on Premium" and "everyone runs all the ads", but I'm not sure how to extrapolate this from some random split (I assume you don't see the ratio of your viewers) of Premium-to-ad..
My gf’s YouTube account for some reason does not show ads on any device it is logged in, including the Apple TV. It is not premium, nor ever was premium.
Wonder what flag is set internally that disabled ads.
Your GF is essentially in the "control group" for ads. Her behavior can be compared to the behavior of people who see ads to better understand how ads affect those other users.
In which case she should've been shown noncommercial ads (government services and promotions of YouTube features) instead of no ads so that she would be less likely to notice.
Maybe she is in a holdback experiment. To understand how a feature affects the metrics (such as running ads), they often have some people in a holdback. I worked there and we did have such experiments for our features.
Long ago a Google music subscription would disable ads on YouTube. When they discontinued it / I cancelled, it took a good 6+ months before YouTube ads started up for me.
Bit of a “oh I see what people are complaining about” moment for me ;)
I am still paying for mine. My Google music all access I'm feeling lucky subscription turned into a YouTube music one, which includes YouTube premium, and I'm still only paying 8 bucks a month, which seems like a pretty good deal even if I also pay for Spotify.
I have no idea. I signed up for the music service under the $8/mo plan basically the day they announced it, and i've never canceled or missed a payment, but they've never increased my price. I just hope I haven't jinxed myself here.
I don't like to advertise this just in case it gets fixed, but I have that same experience for Twitch.
I don't run an adblocker and yet as long as I'm logged in, I get no ads. Not in the website nor in the mobile app. I don't have "turbo" and I don't even have amazon prime any more (which itself only very briefly suppressed adverts across twitch globally before they replaced it with a "Free sub" perk ). I don't have any of the other Turbo benefits, so it's not like I've been fully flagged as Turbo either.
I don't know if I accidentally bugged my account profile messing around back when they ran a bug bounty, but I'd happily provide more details in return for keeping this perk.
What's weird is that I vaguely remember once having a near-meltdown over the level of adverts on twitch when all I wanted to do was watch TV while I was heavily medicated and in pain in the hospital. Then some time a year or two later I was reflecting then suddenly realised I hadn't seen an advert for years.
I guess most likely there's some long forgotten ad-free A/B test that it's not worth cleaning up.
I've definitely benefitted over the years, I easily watch more twitch than any other platform. At £12/mo (roughly $15.50), twitch turbo is among the more expensive in the world. In the US and Europe it's $12 or €12, so we're getting straight ripped off in comparison.
> some long forgotten ad-free A/B test that it's not worth cleaning up.
That sounds about right. Different context but I once got on the good boy list at work by accident and it wasn’t fixed for about 6 months. On the first of every month I got a little corporate swag box in the mail thanking me for going “above and beyond”. Lots of cookies, blankets, coffee mugs and other trinkets.
> I discovered that putting a man-in-the-middle proxy between my Apple TV and the world lets me decrypt HTTPS traffic
This surprised me quite a bit because normally that shouldn't work, but then that surprise was exchanged for a different one, when I learned later down that you can add CAs to the certificate store of an Apple TV.
Nice and thorough writeup, thanks for sharing. A good carousel through the entire stack involved.
If I had to guess why Apple supports adding certificates, it’s probably to allow Apple TVs to work as AirPlay boxes in corporate/educational environments while playing nice with the IT/device management stuff that entails.
For instance, when I was in college, getting something on the college WiFi either required allow-listing its MAC address or installing a certificate.
Unfortunately Google can trivially block this by checking which CA signed their SSL certificate in the YouTube app. I don’t know if they will - doing so might break YouTube within a lot of corporate environments. But it would be unfortunately easy.
Of course Google can do this. And more. They could, if they wanted to, embed ads into the video stream itself with no way to distinguish them from the actual video content.
But they do not do it. They had so much time and opportunities to do that over the years. And yet, they did not do it.
I am not going to speculate why. But I suppose it is safe to assume that it is their intention to not do it.
Does anyone do that? The average developer likely would not think to do this because it is too computationally intensive to splice things into A/V streams on the fly.
A more clever developer could splice the ad into the video at an I frame, but then the ad needs to be a multiple of the number of frames that are both the I frame and follow the I frame. This also would mess with metadata on the length of the video that would need to be adjusted in advance. It is doable, but you give up flexibility and your HTTP sessions cease to be stateless. Then there is the need to handle splicing into audio and I do not know offhand if there is a cheap way of doing that at the server like you can do with video through I frame splicing.
It seems to me that they have lower server costs by doing things the current way.
SSAI (server side ad insertion) is not uncommon for premium streaming video; Twitch and Hulu have had the technology in use for years. It's also practically just a checkbox option to enable the feature for all major ad serving tech platforms, including Google's DoubleClick.
They're not using it simply because it increases server and bandwidth costs. YouTube is still positioned as part of Google's "moat" by driving down video ad price so no one else can build an ad empire off video instead of being a profit generating division on its own.
Youtube do their own re-encoding on upload to different quality levels, so they could theoretically hook that and make sure to provide suitable splice points and record them in the metadata.
> your HTTP sessions cease to be stateless
There's already pretty heavy magic around preventing people from simply grabbing all the HLS blocks, I think? All the work that yt-dlp does.
YouTube Videos are a stream, not a file you download. I’m not sure what the major technical hurdle is injecting ads directly into the stream. Also H.264 has key frames typically a few seconds apart anyway
I think that it should be sufficient to create content identifiers of all unitary parts of the video, e.g. parts between keyframes, and skip over the ones which are not supposed to be there.
These identifiers could be collected automatically by plugins like SponsorBlock in a community effort and then combined together to identify parts which are common for every viewer, i.e. the ones representing the original video content.
In other words, it seems to me that even putting ads directly into a video stream would not prevent people from being able to block these ads.
yet. They are moving forward with measures. YT webpage player.js no longer fetches individual video/audio stream URLs. It fetches single bundle pre-packaged on the server. It's a POST request now with only one URL parameter changing &rn=x, where x increments with every request, and ~2000 byte binary encoded body.
Ironically enough Android TV (at least version 7.X) does not let you do that, which I found out the hard way when trying to work around untrusted Let's Encrypt certificates.
Starting with Android 7, apps have to opt into user-installed certificates. Browsers often do (Firefox is an annoying exception, you need to turn it on in the dev settings and it doesn't work in the official release version of the browser), but apps usually don't even know that the setting exists.
Aside from that, Android has a very easy certificate pinning API where you can just assign a fingerprint to a domain name in the XML config files and it'll pin a certificate to that domain. Easy to bypass if you modify the APK file, but then you miss out on updates and other mechanisms could check if the signature has been tampered with.
With root access (shouldn't be too hard to gain on an Android device still running 7) you can add your certificate to the root certificate folder on the system partition. This will make Let's Encrypt work on all apps. It doesn't bypass certificate pinning, of course, but you don't need that for Let's Encrypt.
I remember people promising a rogue CA would not work anymore due to certificate transparency requiring certificates to be published in order to be valid, but it is quite obvious here that certificate transparency was not even needed. A private CA is different from a rogue CA, but if the private CA was not forced to do certificate transparency, I wonder what is supposedly forcing the public CAs to do it for their certificates to be “valid”.
> I wonder what is supposedly forcing the public CAs to do it for their certificates to be “valid”.
The power of browsers and operating systems including the cert in the default store distributed to everyone. Participating in cert transparency is a requirement.
How is that enforced as it was billed as certificates are not valid unless published, yet it is obvious certificates for a private CA are not being published and are treated as valid?
As I understand it there are various interested parties who monitor to make sure that the default CAs in the root store publish to the certificate transparency before they sign anything. A violation would be grounds for immediate removal. None of this applies to a private CA you add to your own store.
Most devices allow you to add CAs, but almost all apps nowadays use certificate pinning which means the system certificate store is ignored. I find it extremely surprising that YouTube doesn’t do that.
That sounds like you've just made it so your app doesn't work behind a corporate SSL proxy. I really need people to stop rolling their own SSL stores (looking at you python, java and nodejs). I spend way too much of my time getting things running on my work laptop that should just use the CA store IT pre-installed.
Is that a problem? What segment of Google's Apple TV revenue comes from people behind shitty middleboxes?
YouTube won't work on Chromecast if you're trying to MitM it, so clearly Google doesn't think this situation is worth making an exception for in their logic.
I can't help but wonder if any apps have tried doing TLS-in-TLS, with the outer TLS not caring about MITM, and the inner TLS doing certificate pinning?
> but almost all apps nowadays use certificate pinning which means the system certificate store is ignored
Certificate pinning (or rather, public key pinning) is technically obsolete and browsers themselves removed support for it in 2018. [1] Are there many apps still really using this?
HPKP, yes. Certificate pinning in apps is the norm.
The difference between HPKP and certificate pinning is that HPKP can pin certificates on the fly, whereas certificate pinning in apps is done by configuring the HTTPS client in the native application.
Apps like Facebook won't work on TLS MitM setups without using tools like Frida to kill the validation logic.
It's gotten less popular over the years as people keep asking "wait, what are we doing this for again?"; but it's still very popular in certain kinds of apps (anything banking related will almost certainly have it, along with easily broken and bypassed jailbreak detections, etc).
Most personal banking apps I’ve used still do this. The bank is liable for your lost funds if your corporate IT department doesn’t secure the MITM solution properly otherwise.
(The end customer isn’t liable for the bank’s inability to properly secure their app from MITM attacks…)
I don't have any numbers, but I think this is still pretty common. On iOS for example Alamofire which is a popular network stack, still offers this as a feature. I think the use case is a bit different for apps and web sites, especially for closed ecosystems like Apple's where reverse engineering is not as easy/straightforward.
A regime can now force you to install their "root certificate" (and forcing organizations under their rule, e.g. national banks) to use a certificate issued by them, and these certificates would also be able to MITM your connection to e.g. Google. (1)
Looking forward to Americans being forced to install the DOGE-CA, X-CA or Truth-CA or whatever...
> I find it extremely surprising that YouTube doesn’t do that.
Not surprising for me - it used to be only banks where it was required (sometimes by law) that any and all communication be intercepted and logged, but this crap (that by definition breaks certificate pinning) is now getting rolled out to even small businesses as part of some cyber-insurance-mandated endpoint/whatever security solution.
And Youtube is obviously of the opinion that while bankers aren't enough of a target market to annoy with certificate pinning breaking their background music, ordinary F500 employees are a significant enough target market.
I’ve tried implementing this a few times on my Apple TV to no avail. I think YouTube has implemented cert pinning on their app now or something. Has anyone else been able to get this working recently?
I really like everything related to network-wide blocking of shitty online services that are enforced on us!
On top of blocking ads (which is great), I wish there were more / easier ways to do network-wide blocking of all sorts of aggressive infinite scrolling (in my case: youtube shorts and instagram reels).
I often like to go on instagram to see posts / stories from the people I follow and I don't want to be suggested stupid videos that are especially designed to catch my attention. I know it's probably revealing a lack of strength on my side, but yeah, I often fall for watching a few of them and losing 15 minutes of my life.
The problem is that advertisement business infects everything.
For instance, I could pay for Youtube Premium to ostensibly not be shown ads, but it doesn't change the fact that all the content[^1] in the ecosystem is still produced for maximizing watch time and/or being advertisement friendly.
I could pay for news, but that doesn't change the fact that the news is written to receive clicks from the non-paying users.
Paying for things does not help escaping the second order effects of advertisement.
I don’t understand this complaint in the context of YouTube. It’s the only major streaming service with plentiful new content that isn’t clickbait, focus-grouped, lowest-common-denominator, metrics-chasing trash. I can hop on and watch hours of jets flying through the Mach loop, people playing chess, and people machining metal. If those aren’t your thing, I bet there’s plenty of stuff that is.
Sure, there’s a lot of crap. But you don’t have to watch that.
> Sure, there’s a lot of crap. But you don’t have to watch that.
The way people complain, I genuinely think they don't know about this option.
For example, Mr. Beast content isn't for me. But I was also living blissfully under a rock for years without knowing who the heck he was. Now that I know about him I simply don't click on his content and therefore never see it in my feed.
"But what if I click by accident?" - glad you asked. Simply delete it from your watch history and see your recommendations improve.
> Sure, there’s a lot of crap. But you don’t have to watch that.
But even non-crappy content will be steered toward some direction by the advertisement, most videos are made just long enough to fit whatever is the new optimum time for revenue per view. And some subjects will be censored to not displease advertisers.
Some people are not doing that, but it's simply because they don't rely on YouTube revenues.
The people who aren’t doing that still produce way more than 24 hours of quality content per day. And for those who do, I’ll judge them based on what they make, not how I imagine they decide what to make.
By way of analogy, large portions of Reddit have turned into every other social media hellscape.
Reddit is still awesome if you curate your subscriptions and avoid the big subs.
Is it cherry picking to say Reddit is awesome because I’ve carefully made it that way?
> Sure if you ignore everything wrong, you can say the system is alright.
This framing doesn’t make sense. It’s an ecosystem, and it’s not so much about “ignoring” things as much as it is about making active choices. If you go to a shopping district, there is nothing forcing you to shop at every store. If the district still has the stores you care about, shop at them.
> This framing doesn’t make sense. It’s an ecosystem, and it’s not so much about “ignoring” things as much as it is about making active choices. If you go to a shopping district, there is nothing forcing you to shop at every store. If the district still has the stores you care about, shop at them.
There are a ton of people that won't go to some shopping districts because the rest of the area is an intolerable mess.
In the same spirit, look at Twitter/X, sure, there are still plenty of people making good content there, but you can't deny that the website policies are steering it in a peculiar direction, and a lot of users choose to leave Twitter entirely to not be complicit.
> There are a ton of people that won't go to some shopping districts because the rest of the area is an intolerable mess.
But there is still a major difference between “this shopping area is mostly stores I don’t care about but has a few that I care about significantly” and “this shopping center is a complete nightmare and not worth wading through the nightmare for the few stores I care about.”
I can easily think of a few real places in my city that fit into each category.
A better analogy would be the internet. This place has enormous mountains of crap. And yet there's more than enough good stuff for it to be worth it to me to pay a decent amount of money for access.
I'm not paying for YouTube, really. I'm paying for access to the output of various creators. The service also includes access to a bunch of other creators I'm not interested in. And that's fine, I don't access them, just like I pay Verizon and T-Mobile but don't use their service to access instagram.com.
I mean, yeah! Cherry-picking is the entire point of an on-demand video service. Are you just watching whatever it gives you in order? I seriously cannot comprehend what would possess someone to write this.
Recently I've been annoyed with Youtube Premium. I pay for an ad-free experience and do not see ads in the traditional (wait 5 seconds to skip) way, yet more and more content has inline product promotion where time is spent thanking a sponsor and pitching their product. So I'm paying not to avoid ads, but I'm still seeing paid promotion...
> where time is spent thanking a sponsor and pitching their product
I’ve been unsubscribing from folks who do that a lot. Instant unsubscribe if the product is questionable.
I’m not going to judge their business decision, but it sets an odd tone when I’m watching something informative and they bust out into a “someone paid me to say this”.
It's an old-fashioned plug, and you can hit the skip button. Usually there's a banner of some sort that makes it even easier to know when the plug is done. If that's too much, then find a way to live without the show.
google for "sponsorblock" extension for your browser, crowdsourced data makes it skip all the promotions, intros, "like and subscribe" and all other unneeded parts.
And when you're at it, ublock origin also skips the youtube ads.
There's also: https://freetubeapp.io/ , but it's a constant cat and mouse game with youtube, where you now have to refresh a video a few times before it starts playing (then it works fine), until they upgrade the software and then it works, until youtube changes something again.
You know who is the best target demographic for selling stuff? People with money.
So that's who you want to show ads to.
And do you know a proxy for "have money"? Paying for premium, when there is free.
Therefore, every time you pay for premium, all the advertisers look and say "I'd pay a lot to show ads to that guy". At some point, the premium service includes ads, because of so much potential extra revenue!
I'll never understand why people are reluctant to pay for a monthly service because of something they might do in the future to make the service worse.
If they do that thing then just cancel! It's incredibly easy to do!
Because if the service you pay for starts to do what you expressly pay them not to do, your whole subscription since the beginning will feel like a waste.
Worse, your money was partially used against your interest, by financing people unilaterally altering a contract they made with you.
> your whole subscription since the beginning will feel like a waste.
This is such a bizarre way of looking at something. I've canceled many subscriptions because of changes made by the company and I never felt like the time I already paid for was a waste. I got the thing I was paying for, then it changed in a way I felt like it was no longer worth paying for so I stopped. It doesn't change the time I was using it at all.
If a company taking your money and using it to make the service worse is your line in the sand I've got bad news for you about how almost every single company uses the money you pay them.
And there have been a ton of things I just lost interest in over time and wasn't getting value from any longer, so I (usually, eventually) canceled. Doesn't typically mean my earlier subscription was a waste. When I got rid of my cable TV, doesn't mean I wished I never had it.
If your favorite restaurant changes their menu, does that make your past meals feel like a waste? It seems like a textbook economic transaction to buy when the deal is good and stop when it isn’t.
Restaurants aren't subscription based, you pay for a one-time meal.
The whole point of a subscription is to support an ongoing service _to you_, if your money is used to enshitify the service and make it work _against you_, there's no point in paying for it altogether, you will be better served by piracy (as you don't provide them with money to enshitify it, nor to lobby against your interests).
“Your” money isn’t being used to work against you, you are voluntarily paying for what is currently on offer. They’ve announced major changes in advance so you have plenty of time to decide to cancel after the current month if the future service is not to your liking.
It’s rather entitled to think that your monthly payment gives you some kind of veto authority over their product plan. If you don’t like how they run their business, that doesn’t magically create the right to use their work on your terms.
It’s especially weird because the one thing guaranteed to result in more ads is not paying. People spend a lot of money making content for YouTube and something has to pay for it.
So do what I do and don’t watch it. Just don’t deprive the creators of revenue and then be indignant when everything is loaded up with ads and sponsored content because people need to pay rent.
> it doesn't change the fact that all the content[^1] in the ecosystem is still produced for maximizing watch time and/or being advertisement friendly.
That's just not true. There is an enormous amount of content on YouTube right now, which is made chiefly with quality in mind, by some of the most professional people in the industry. There's more than you could watch even if you watched for a thousand years.
You just have to use the like/dislike and subscribe functions, so the algorithm knows what you want.
They didn't though. Every single streaming service bar Netflix loses money. On top of that, they've all poisoned the well by creating as many subscription tiers as Dell has laptop SKUs and raising the price every 9 months so nobody knows what the service should cost.
This ensures that people start and stop subscriptions just to watch a single series, instead of sticking with a single service all year.
So it appears paying entrenched IP-hoarding organizations the majority of your income, further incentivizing their entrenchment, is not the best business practice for a middleman.
The hoarding began once they decided to abandon the DVD market, paranoid about file ripping and sharing. Now TV shows are like videogames, can't watch without an internet connection phoning home.
Which choice could they have made differently here? They took the "pay for it" option that you suggested and then you still blamed them for giving the company negative incentives.
Paying makes it worse, paying doesn't prevent ads from being forced in later (e.g. Netflix, Prime, Disney+) and splits people's fight against ads, as the ones with enough money to avoid them will berate the others for not paying, while still providing benefits to an ad-driven company.
Never pay to avoid ads, block them or get the content by other means.
It's akin to "never negotiate with terrorists" or "never pay ransom", you have to remove the incentive.
You could pay for them or Google could choose to take a different approach that is less intrusive. The assertion here seems to put the onus on the viewer. Considering YouTube pays little to nothing comparative to its profits based on content it does not make, I think a realignment of how Google operates YouTube could be an improvement for users of the service.
> The users of the internet have made their call and they often don't want to pay, so someone does.
Just because YouTube users put up with a broken system doesn't mean it's the correct, fair, or ethical approach. Beyond that many of the views are curated via algorithms that intentionally work against the user with an end goal to hold them in a viewing state regardless of the user's original intent. With that in mind users should use tools against those malpractices and not feel bad about not paying for them. If someone is intentionally trying to manipulate you, what's stopping you from doing the same?
If Google were a fair and ethical company I think treating them the same would be more in line with your response. However, they are not.
YouTube can always choose to package the content in a financial transaction. They have chosen not to do so, and instead they are supplying advertisement alongside the content for which the viewer may or may not watch.
They can always change it, but then there are legal consequences of making it a financial transaction.
I know that I, as a user, ultimately have 2 choices: to pay for a subscription, or the choice to not use these services.
Option (1) does not block infinite scrolling content, it only removes ads. So this is missing the point. All I want is to not see these dumb shorts videos that I genuinely give no fuck about, but that manage to catch my attention regardless.
Then sure, I can always delete my social accounts, and ultimately I might end up doing it. But let me try to explain why I think this is difficult, and also unfair.
I give 2 purposes to these social networks: First, they play a role in personal-life balance as a way to be more integrated in my group of friends / local communities. Second, they play a role as citizen of my region (in my case, France and Switzerland) by being a (sorta reliable) source of information through following accounts and newspapers on them.
Initially, none of these social networks came with this super-fast / addictive content. They only started to integrate it, in my experience, in the last 5 years. So it seems to me that these companies have broken the initial contract that they "sold" to us: to connect with our friends & communities and to allow us to follow a specific set of public influencers.
I guess that I am mad that we, as a society, have allowed these companies to gain such an important role in our daily lives (social life and public life) that they can now say: we will allow you to interact with some of our friends, but you will also have to watch our stupid videos... And unfortunately, it's not easy at all to spin up a concurrent social network that would be fulfilling this initial contract. Probably lots of people actually like to scroll on insta Reels and youtube Shorts.
This is why you fundamentally cannot rely on private companies to build the "town square". This will _always_ happen because every company has a profit motive (even if it's a loooong tail via SV-style funding). The problem behind the problem is people want great communities and tools, but don't want to provide any effort to build them.
> All I want is to not see these dumb shorts videos that I genuinely give no fuck about, but that manage to catch my attention regardless.
My recommendations never show any low quality content. All you have to do is like good stuff, dislike bad stuff, and subscribe to good channels. The algorithm works surprisingly well.
> we, as a society
There is no we and there has never been. You have to start taking responsibility for your own actions.
There are corners like Substack that are an exception. And at least services like YouTube and Spotify offer a paid alternative to ads. I for one would rather pay the ~$10/month than sit through ads. But we are still very much a minority of users.
Delete the app, use the webpage, and use a browser that allows user scripts. I found a good one that turns an Instagram page into just an image tag so you can just see the picture: https://greasyfork.org/en/scripts/5014-un-instagram
For web access, in Firefox I've been using the "SocialFocus" add-on, that allows you to remove certain blocks in "social" websites (for example, blocking Shorts or comments in YT), put a color filter to make it "black and white", or even blocking the whole site. I had to access Facebook a couple times some months ago, and the quantity of trash you can filter with this add-on is astounding. This developer has also a YouTube specific add-on I haven't tested yet, named "UnTrap for YouTube" that has almost 200 different options for blocking very specific stuff there. Their add-ons in [0]
For Android there's an App called Revanced that lets you apply patches on certain commercial apps like YouTube or Twitter modifying their behavior, and for example block shorts. See the patches available for YouTube in [1]. I'm still pending to test it, but if you do, go to their official site [2], or even better, to their GitHub releases [3] as it seems like there are a good bunch of scammy sites using their name.
Wouldn't risk trying to extract from IG too much, I used to yt-dlp from it a lot and use scripts to extract the images because I like to archive references, nothing on a massive scale we're talking <20 times a month and I got a warning that I could lose my username if I "use automated scraping tools".
Oh! Were you using your user cookie? I use yt-dlp a couple times a month, but I think I'm always unauthenticated (although I guess they could match my IP address in their logs)
> I know it's probably revealing a lack of strength on my side...
I think these tactics exploit our natural sense of curiosity and the aesthetics that surround it. So I don't think it's so much a lack of strength, but more of a jadedness we have built up and I think that's pretty bad. I respect the effort and creativity it takes to fight back and make the platform work for us instead of vice versa.
I feel this, particularly as a parent. It's difficult watching your kids get lost in the algorithm. We regularly discuss this with them and they agree with our perceived harm, but it's just too difficult to resist. Heck, even I get lured into (doom)scrolling every now and then.
I've set up ad-filtering using pihole, where possible, but I'd prefer not to block youtube as a whole. But I'm definitely considering that in the future, to protect my family.
Imo the best thing that can work is introducing delays to the loading of videos, increasing as time goes by. Youtube introduced sth like this to me, when they were presumably trying "punishing" users with adblockers, and it worked like a charm to get me to disengage from the youtube rabbit hole. A lot of such addiction dynamics work based on how fast getting the reward is, and these interruptions disturb this.
> I often fall for watching a few of them and losing 15 minutes of my life.
If you're on iOS, set a time limit (Settings → Screen Time → App Limits → Instagram). Doesn't stop the initial scrolling but the "you've run out of time" pop-up is a good breakpoint. You can bypass it and give yourself another 15 minutes but making that choice is also a good breakpoint / reinforcement.
YouTube still provides RSS feeds for individual channels. Combine that with mpv's yt-dlp integration and you can avoid the official web frontend altogether.
I don't know how long it's going to last though, with the current trend of rug pulls and enshittification.
Youtube have been gradually cracking down on yt-dlp by blocking IPs that download (presumably without watching the adverts, or some other method to fingerprint it). Currently it's mostly annoying as I have to rotate through IPs every few days. But I imagine it'll get worse and worse until I stop watching youtube.
Pretty sure it's only gonna get deleted if either a) enough people use it so that an MBA notices or b) the way it's accessing the data blocks a feature that an MBA wants
I wish they simply had a way to disable shorts. People have been clamoring for that option but yt ignores them because they know how addictive they are. I can't think of a more illustrative example of a conflict of interest and the contrast between the early days of computing that were driven by user demand.
What is "content"? I recently tried to use AppleTV Android app to play something and then use screen recorder app to record the phone screen. The recorder app was able to see the menus and even subtitles, but not the movie itself (black screen). Is the screen of my phone "mine"? Or does the manufacturer decide how can I use it?
The screen is yours, the content displayed is not. Same reason you can "buy" a movie, game, audio, ebook and have it disappear overnight. Same reason your security camera, car, oven may suddenly cease to work if the company shuts down their servers. Do we support it? You do because you paid for it.
> The screen is yours, the content displayed is not.
Sure but traditionally this was a purely legal mechanism. There was no technological measure preventing you from copying a book, only a legal threat looming over _what_ you do with the copy.
Nowadays we have this very corporate-positive situation where copyright holders have their cake by embedding DRM and eat it too by leveraging the DMCA to prevent DRM circumventions. So you can be screwed even if you only want to take private screenshots, make backups, or exercise fair use.
When I try to play something on youtube that has the DRM bit turned on (or anything on netflix), my whole entire screen turns off. Not only can I not see the content, I also can't use half of my screen for other purposes while I play the content on the other half.
Creative work, i.e. intellectual property. Much can be said about the state of copyright law in 2025, but the basic idea that you own what you create is the fundamental reason we (able to) prosper.
Note that a significant amount of videos on youtube, and in particular many of the highest quality ones (e.g. educational material from schools like MIT or individuals like 3blue1brown) are Creative Commons licensed, so in terms of copyright, you are free to download and share them. Many including MIT's lectures are also NC and SA, so having the ability to save them and strip any ads is obviously in accordance with the wishes of the creators.
As far as youtube's wishes go, I don't think people should have much concern for a company that's engaged in predatory pricing for years to develop a monopoly through network effects.
> I don’t think there’s a justification to arguing you own YouTube or the content.
This actually gets to the core of my sentiment. I am influenced by these systems, but I can't directly influence them back. I don't know if this is somehow wrong in principle, but I definitely want more.
Speaking of Youtube, why does no one ever seem to bring up the fact that they shadow-delete half the comments people leave? It's such a garbage platform, it's a real shame they have no serious competition.
There are ads on YouTube? I guess my browser blocks them so well that I didn’t know.
The real problem here is that the AppleTV experience is so much worse than an ordinary web browser experience. Apple locked the hardware down to the point that it benefits YouTube’s ad profits more than it benefits the end consumer who pays for it.
I never see ads on Linux, Windows or Android. Occasionally I try to watch YouTube on an iPad and am shocked at how frequent and irritating the ads are.
Same with browsing the web on an iPad outside of the home pi-hole'd network. Howwww do people deal with this every day?
The iPad is a work-issued device so I don't often use it for personal things. Every time I do it's a reminder of how irritating it is to do so.
It's kind of odd; before being issued an iPad I thought they were only useful as content consumption devices. Turns out it's super handy for quick remote access to work resources but locked to an ad-infested wasteland for general web browsing and streaming media. Who knew?
There is an arms race between YouTube and Invidious. From time to time Invidious is not working, but the team has always found new ways to circumvent YouTube and deliver the videos without ads.
I've opted for installing an open-source YouTube app with Adblock and sponsor block.
LGTV Webos is so great, there is an easy way to become a "developer" and it will open an official way to install homebrew apps on your own TV. Yeah, since you own it, it can be possible to do what you want with it.
Fu** you to all Golden-cage devices like Apple, Samsung, etc.
I prefer not to use the OS on my TVs and opt for never letting them online, I just hook up my Apple TV to it, this gives me complete control over my TV as things should be.
If we're getting to the point where we need to decrypt things and reverse engineer protocols, maybe we should... not use these devices? Maybe we should opt out of this economy? Maybe we should do other things to entertain ourselves?
While I do agree with you, I am a bit concerned about the recent developments with "paid, but still has ads" subscriptions and how Youtube might slip towards such practices as well as soon as they have a large enough number of paying customers. Their premium might suddenly not be so... premium.
I totally get it. That said, YouTube premium is worth every single penny and has only gained features over time; no other subscription I have comes close in terms of value.
Seems to still be trialed in only a few regions. It's no ads during videos (still displays ads during search, etc.), except for shorts and music videos, for 6€/m. Without all the other premium features.
With respect to that, YouTube premium has been around for over ten years, the majority of which I've been a subscriber because adblocking on Apple TV (my primary YouTube experience) is far too much of a fuckabout for me to willingly engage in it, and they haven't yet done it. I think Google is well aware of the fact that Premium with ads is an utter non-starter as a product. What would you even be paying for then? This isn't like TV+ or Prime where you have exclusives, almost everyone who posts to YouTube would happily jump that ship given enough reason to.
And while there are still ads (sponsored segments) I personally have less problem with those since those are substantial money for the creators I enjoy, and a lot of the ones I watch actually manage to make them pretty funny. And hell, a couple I've even used their codes for shit over the years for. Like, an ad is an ad and some people hate all of them, but I can personally say I've engaged with ads from creators I like at an exceptional rate compared to... virtually every other type of advertising I've ever encountered.
There is for certain a wide gap between a sponsored segment from the same voice and some random ad coming in and blaring over the top. For me, I can handle the narrator delivering an ad, it's the intrusive slot machine aspect of generic ads that irks me. Happy youtube subscriber here, use the music too, great deal.
Youtube is one of the platforms where I find real value, usually in making/maintaining/repairing things, being able to skip through videos to find answers without worrying about ads definitely saves me significant time and therefore money.
Yeah I balked for a long time at paying for YouTube, but in the end, I consume magnitudes more YouTube than any other streaming platform. It's my most expensive video subscription but like... I can't say I don't use it.
It’s the only one I pay for. I have Netflix included in my cell plan. Every so often I fire it up to see what they have, find nothing, and go back to the good stuff.
Yep. Most folks I follow will record ads at a different time from the rest of the video too, wearing different clothes and in different lighting. Sometimes I can be bothered to grab the remote, sometimes not, lol.
I wish I could do this for Spotify. Paid plans still include ads.
They cram ads into podcast episodes which themselves also have ads, so you'll get the read ads + Spotify's local ads + Spotify laughs all the way to the bank.
I believe over time not having ads will be a thing of the past, and you'll instead pay for fewer ads. Like where else are people going to go for exclusive content?
I've never heard an ad on Spotify, so this is true only for podcasts then, correct? In that case I can at least be thankful that Spotify is the worst option for listening to podcasts.
I canceled my Spotify premium subscription because they showed sponsored content in the app. Not as egregious as jamming ads in between songs, but I still don’t want to have to scroll past a “sponsored” UI element to get to what I’m actually interested in.
Just buy the content and play it from your local devices. I use streaming simply for "auditioning" new music (and there are podcasts, YouTube channels that do that without a subscription, FWIW). I prefer then to buy the tracks from Bandcamp. Hopefully the artists get a bigger slice of the revenue that way.
I don't really listen to much Spotify but I feel like just the free plan in Firefox with uBlock Origin gave me an ad-free experience the last time I used it.
Sadly I think we're in need of the AriZona Iced Tea of streaming. A company that sells a streaming service, at a fixed price, makes a small profit and is happy with that profit.
The issue is that the current streaming services have cost billions to develop and companies and investors want that money back, times a 100. The money hasn't gone into a long term product that people will be happy with for decades, it has gone into a product that needs to return large chunk of money in a short time frame (and cover up other failed ventures).
The issue is that such a company either needs to make their own first-party content, or pay licensing fees for third-party content, and the companies those license fees are paid to are always looking to either cut out the middle service in favor of their own or increase what they're charging.
Or you can opt out. Both options are equally valid.
I won't pay for YouTube because the consistency of YouTube is massively variable. Sometimes channels I watch skip 6 months between videos. When I do watch stuff it's usually in the background or when I just have a few minutes spare. Spending money to fill that time is unjustifiable unless it's a really low amount, and YouTube Premium isn't low enough yet.
Oddly though, if I could buy 100 'skip this ad' tokens for $10 that I could use when I'm pushed for time, but just suffer the ads when I'm not, I'd seriously consider it.
You can, but the complaint rings hollow when we’re talking about a service with enormous amounts of actual good content, and a straightforward non-abusive paid plan. If you don’t think it’s worth it, that makes complete sense. If somebody decides there isn’t anything worth paying or watching ads and just bails out, totally sensible. But this “ads are so terrible we should just abandon the service” thing is weird here. YouTube is an example of doing it right. They use ads to support a free tier, and have a paid plan that removes them. They don’t do nonsense where they take your money and still show you ads. They don’t serve unvetted ads that infect your computer with malware or mine cryptocurrency. If people won’t even consider paying for this (not merely deciding it’s not worth it, but refusing to even consider it as a possibility) then I have to conclude that they just think they’re entitled to get stuff for free.
I think most people don't have a problem paying for something that gives proper added value.
But what's happening is that companies are degrading the basic experience and expecting people to either be OK with it (like Roku's increasingly intrusive ad experience) or to pay up to avoid it (like with YouTube).
Perhaps on review of specific ad presentation practices, you could argue for a degradation of experience, but showing ads more or less within YouTube to free users seems like an acceptable method of generating revenue.
As an aside, the fact that people pay for cable and still have 4-7 minute ad-breaks every 15 minutes make anything YouTube does pale in comparison.
Except for the tracking that ads use and the possibility of getting malware because they aren't curated as well as they should be.
I also don't like companies aggressively trying to get me to buy stuff I don't want. Show a static image on the right somewhere with a link. Hell, show a dozen of them. Still less intrusive than an ad that shows up while you're in the middle of a video.
But the poor ad companies are apparently on the brink of bankruptcy based on how hard they are pushing things. Just a little bit of composure or any respect for the people that they are pushing these on and I'd have a different viewpoint. But they are always all-in on this.
Netflix shows ads to paying customers. We've seen the same playbook across a wide variety of products and services, it's only a matter of time until paying users get milked too.
When that happens, I’ll stop saying “just pay for it.” But until it does, I’ll continue paying for YouTube and being befuddled by people who get upset at their ads.
Increasingly the "basic" paid plan has ads and you now have to pay even more to not have ads. Doesn't seem like playing the game is doing anyone any favours.
Having the ability to tell a company enough is enough serves as a ceiling for bullshit.
Where are you finding this "basic" plan? YouTube Premium has only a single tier that is completely ad-free. I hate Google as much as anyone, but shouldn't truth matter?
I've gone back to pirating everything. I can afford to pay for all the services, it's just the service and content quality has gotten so bad that it's just not worth it. I DO pay for content from other markets (French, Israeli, and Japanese), just not mine.
It's just like vehicles. There isn't a single vehicle sold in my market that I would pay anything for (ok, maybe the Ford Maverick). There's a bunch in other markets (Europe, South America, Asia), just not mine.
> I've gone back to pirating everything. I can afford to pay for all the services, it's just the service and content quality has gotten so bad that it's just not worth it.
If the content is so bad, then why the need to pirate it?
I started reading a great deal more at the start of the pandemic. I've kept it going since and it has been a real boon. I also switched back to physical books because I actually own them.
I can recommend "minitube" [1]. It's super minimalistic, and requires you to actively search for things to find them. No ads, no feeds, no short videos, nothing - just playlists for search terms. Uses yt-dlp and mpv behind the scenes, so it's using less than 5% CPU on my small Intel NUC machine, too.
I can't stress enough how it is soooo much better in terms of what type of content I consume now. Mr-Beast-cutting-style dumb videos ain't stand a chance to get my attention now.
Ironically, the author built it to be a children-safe environment to consume YouTube.
The problem is, that there is no alternative yet for that.
Movies are not an issue, there's piracy, music is not an issue, there's piracy, books are not an issue, there are libraries... and piracy, but youtube is still limited, and the only way to avoid the ads is to buy another device (computer), thus turning pretty much any smarttv (with features you paid for) into a dumb display (that you mostly cannot even buy anymore).
The alternative is paying for things you like so the people who make them can continue doing so. If you don’t think YouTube is worth paying for, it might be a good idea to reconsider the amount of time you spend on it or whether you want to help promote it.
"Piracy" of digital goods is an oxymoron... I don't think it's immoral. If you pay publishers, the creators don't get paid. And about the legality, well, just ask Meta what they think about torrenting.
Meta, however, is hoping to convince the court that torrenting is not in and of itself illegal, but is, rather, a "widely-used protocol to download large files." According to Meta, the decision to download the pirated books dataset from pirate libraries like LibGen and Z-Library was simply a move to access "data from a 'well-known online repository' that was publicly available via torrents."
To defend its torrenting, Meta has basically scrubbed the word "pirate" from the characterization of its activity. The company alleges that authors can't claim that Meta gained unauthorized access to their data under CDAFA. Instead, all they can claim is that "Meta allegedly accessed and downloaded datasets that Plaintiffs did not create, containing the text of published books that anyone can read in a public library, from public websites Plaintiffs do not operate or own."
While Meta may claim there's no evidence of seeding, there is some testimony that might be compelling to the court. Previously, a Meta executive in charge of project management, Michael Clark, had testified that Meta allegedly modified torrenting settings "so that the smallest amount of seeding possible could occur," which seems to support authors' claims that some seeding occurred. And an internal message from Meta researcher Frank Zhang appeared to show that Meta allegedly tried to conceal the seeding by not using Facebook servers while downloading the dataset to "avoid" the "risk" of anyone "tracing back the seeder/downloader" from Facebook servers. Once this information came to light, authors asked the court for a chance to depose Meta executives again, alleging that new facts "contradict prior deposition testimony."
> If you pay publishers, the creators don't get paid.
Sure they do. The amount they get paid might not be enough. But by pirating, you guarantee the creator gets nothing at all. So... I stand by my statement. But, I will definitely agree that the whole "digital media" economy is fundamentally broken and hostile to both creators and consumers.
Sure, technically some creators get paid something. Some creators don't get paid anything. If those creators don't have the means to sue, that's their problem.
> the whole "digital media" economy is fundamentally broken and hostile to both creators and consumers.
This is why I think it's actually our moral imperative to not pay into this system wherever possible. (But personally, I choose to not consume rather than pirate. I'll pirate something to check it out. If it's nice, I'll buy it.)
Piracy offers the best service there is. You used to be able to buy DVDs, vhs tapes, etc., and you'd get the media, and even then you had to sometimes fast forward through ads.
Now, it's impossible to buy media in many cases, even if you click "buy", it might be gone after a month, because some contract somewhere expires, there are ads even in paid plans, there are limits, to what I can do with that media, and more and more services require you to continue paying for content you already "bought".
When they fix the "buy" button to actually mean "buy", and when they remove ads from "no ads" plans, I might reconsider. Until then, they're not getting any of my money anyway, piracy or not.
> When they fix the "buy" button to actually mean "buy", and when they remove ads from "no ads" plans, I might reconsider. Until then, they're not getting any of my money anyway, piracy or not.
This pretty much sums it up for me. I lost so much money over the years for so much content I technically should still "own access to".
And not just media, games and books, too. It's so ridiculous how important things like anna's archive have become because otherwise science would be so crippled that it wouldn't even function anymore.
I would love to pay for youtube premium, but I have a google workspace/apps/own-domain/whatever the hell they call it now account, and loads of stuff (like youtube premium) isn't supported.
- Comes with a simple remote control which in addition to controlling the AppleTV also allows muting and changing the volume of your TV. As someone who uses my TV exclusively with the AppleTV this means my TV's remote simply sits in a cupboard.
- If you have an iPhone you can use it as a remote over WiFi, I do this all the time to turn off the TV from a room over when the kids need to stop watching. The iPhone can also act as a remote keyboard which can be very convenient for text input.
- The voice search feature works very well in my experience. The remote has a mic in it and you simply hold one button and dictate what you're searching for and 99% of the time for me it works perfectly.
- It's very fast and responsive, allows quick and easy switching between apps.
- It's popular such that any streaming provider probably has an app for it.
I should note that, when it comes to remote, one downside of Apple TV is that you can have at most one official remote paired to it at the same time. If you want two remotes for convenience, there are some third-party remotes that effectively present themselves as Bluetooth keyboards, but you lose some of the features with them, and they are usually flimsy plastic.
Also, Infuse, which is a nice app for playing video files over the network and supports Jellyfin, Plex, and others. It also has Dolby and DTS decoders, which work great as the box only has PCM output.
I am an Apple critic that has long bemoaned their practice of trying to lock people into their walled garden.
In the past, I used gaming consoles to stream, which I thought worked well.
I finally, angrily caved and bought an Apple TV because I had an app (LFC TV) that would only stream via AirPlay. After using it for a bit, I have to say I love the thing.
I liked it so much that I bought a second for my other TV.
Reasons:
- Build quality. The remote is machined aluminum and feels like a weapon.
- HDMI CEC implementation. I used HDMI CEC on the consoles I owned, but there was always something that didn't work quite right. The Apple TV seems to nail it on both setups I have. YMMV.
- AirPlay. This one makes me a little angry, but if you find a need to stream from an iPhone, the Apple TV is pretty much the only game in town.
AirPlay is a killer feature for me and I love the AppleTVs I have. However, for kids TVs or the TVs that I don't use often, I just get an AirPlay capable 4k Roku stick. They're small, simple and work great as AirPlay receivers.
Lower power consumption, actual 10-foot interface rather than squinting at the TV, lower maintenance, and (depending on your OS of choice) less intrusive OS-level advertising.
I do it with an air mouse keyboard combo[1]. See below, it's in between, it's small like a remote and sucks to type on, but better than selecting letters onscreen.
I tried hooking up a Kodi install to my TV to get decent smart functionality on the old thing. Turns out remote control UI is actually quite hard to get right and all the open source options seem to miss the mark, despite the decades of hard work and best intentions.
With modern smart TVs I don't think you need any external boxes, but if you like to separate the smart from the TV, I don't think there are that many better options than either Apple TV or Chromecast with Android TV, depending on what tech company you'd like to share your data with.
Aside from what the other replies mentioned, various streaming providers have PC streaming platforms that aren't as good as their streaming apps.
I'm currently watching Canadian and world championship curling, and the rights-holder in Canada (TSN) has a website that logs me out between every single game.
Otherwise I watch mostly Plex, and while there is a 10-foot interface (Plex HTPC), for whatever reason it stops my PC from sleeping when content is paused, so I'm forced to use the non-HTPC interface.
When watching TV, people enjoy using a remote to navigate the interface, instead of with keyboard/mouse/trackpad, potentially having to get up and go to the laptop to do that.
Lots of social commentary here, but I'd just note you're one mad lad. This is a great writeup and a nifty bit of sleuthing. I found it enjoyable to read.
Why would this be possible without pwning a CA? If so they can just patch it the day after they discover this article. There's no reason to do this anyway when you can just plug a video out from a PC to the TV.
YT Premium is $140/year (unless you know someone with an Indian credit card :), it's cheaper to buy a $100/yr Apple Developer sub, patch the app and sign with your cert.
It's $0 to go to Bittorrent and download movies, it's $0 to use adblocker and not have Youtube premium. There will almost always be piracy or piracy-adjacent cheaper options.
Arguably you want to spend a bit more than $0, e.g. a good VPN or a good seedbox. And VPNs can be as expensive as YouTube premium. (That said, VPNs have other uses, but "most people" probably don't really use VPNs much anyway)
Usenet costs around $3/m if you find one on promo. You don't need a VPN for that as it's all encrypted. YouTube Premium family plan costs $22.99+tax per month in the US. While it's not free, it's very close.
I block YouTube ads on all my devices by paying for YouTube Premium. It feels refreshing to be able to pay for a service I enjoy and therefore not be served ads which I don’t enjoy. It seems like a win-win to me. Doing something like this, while technically interesting, seems like far more trouble than it’s worth for 99.99% of people, especially when there’s a reasonably priced way to block ads that also supports the service.
I paid for a family subscription a couple of years ago. It is very reasonably priced. Probably one of the least regretted subscriptions I have given the amount of use I get out of it
I’ve been paying for premium, basically because they’ve been sort of forcing people to with the ridiculous number of ads. I get zero ads injected. You’ll still get sponsorships that are part of the video done by the creator, which has now become a little bit more annoying. But at least it’s something that the content creator completely approves of and endorses. I can skip that part anyway.
I’ll probably cancel it soon, only because I need to stop watching so much of this stuff, and I need to get rid of things in life that I shouldn’t be paying for. Once I do that, I’ll never be able to watch YouTube again, because it was unbearable with the number of ads injected. I hate being reminded over and over that I am nothing but a consumer that they try to influence with ads over, and over, and over, and over.
Off-topic, I recently got another free month of Amazon prime. I was watching some shows on there, and the ads are f’n annoying there too. I can’t believe they make people pay more now to remove the ads. I’ll never pay for Prime in any fashion.
I have paid for YouTube Premium for years and watch YouTube nearly every day and I have never seen an ad from YouTube (you still may see baked-in ads from the video creator but those can be automatically skipped with the SponsorBlock extension).
I do it this way, pay for premium and still use an ad blocker. I do it this way because there is no question whether or not I see ads. My conscience is clear because YouTube claims creators get a kickback when premium users watch their content.
For me it’s the best middle ground. I pay one bill, everyone gets paid.
One day my YT Premium subscription stopped playback when I was watching something while cooking and at the same time, some music video was playing on a different device. It said something like "you cannot use your premium account in multiple places".
I went back to my PC and immediately cancelled my subscription. That is a restriction that I don't have when I am not paying anything at all.
This blocking method also wouldn’t touch those. I’m comparing apples to apples. If you want to block ads inserted directly by video creators, you need something like SponsorBlock and to either DIY or rely on someone else to have done it before you.
That would be all nice and dandy, except that by doing that you validate all the things that Google did before to kill off any competition in the video hosting space.
There were plenty of platforms out there that could not rely on Google's bottomless coffers to sustain their operation. Were you paying for those as well?
I get that, but in that case it also makes sense to avoid YouTube altogether since you simply being there continues to deprive other services of the opportunity to compete. These days I think YouTube’s biggest competition is stuff like TikTok, which I find odious.
I totally get that the network effect makes it difficult to leave abusive platforms, but if one cares enough, it is possible to make that sacrifice. I deleted my Facebook account, for example, and now I can’t keep up with numerous people and groups that use Facebook. It was worth the sacrifice for me.
I put all the ad blockers on YouTube and I pay Nebula not because I particularly enjoy it (it's nice, but not the first thing I think about when I want to watch some videos) but because I want to signal content creators "hey, if you want to be supported by your audience but worry that YouTube is the only place where you can make a living out of it, there is an alternative."
I mean, they provide the service by stealing data from their users. I would argue that this is just as ethically fine as Youtube's entire business model.
> instead, I found a flaw in the Protobuf format which allows me to reliably change one byte to obliterate ads.
Let me guess, the author changed the field number to a large unused number.
> Now, all we have to do is scan the Protobuf bytes for classic ad URL signatures like /pagead/ to bound our field search, then move backward from there until we find the target(s) field tags and thus field keys we would like to denature (e.g. 49399797 –> 49399796).
Yeah. This isn't a flaw, this is intended behavior.
If you're willing to go through the effort to find the tag, it's really not that much additional effort to then read the (varint) length right next to the tag and... just skip those bytes.
Yes, you'd need to copy your buffer to do this, or at least slide your bytes around. But the proof-of-concept script already has to perform a copy because the bytes object returned by mitmproxy's API (`body: bytearray = bytearray(flow.response.get_content(strict=False) or b"")`) is immutable, and even a memoryview isn't going to bypass this limitation.
On the protocol level everything is working as expected, but I think the flaw is that Google's way of dealing with these unknown fields in the ad data structure isn't to throw an error, but to pretend there are no ads to play. After all, Google will definitely release a new version of their app before they modify the protocol to make all the old versions not play ads anymore.
Google could shut down this method of ad blocking instantly by either doing basic certificate pinning or by altering their decoding logic to be less graceful of failures when it comes to extracting ad information. If I were on the YouTube team, I'd consider these flaws.
Smoothly handling missing or unexpected fields is half the value proposition of protobuf. May as well switch to a much simpler versioned binary protocol instead of all this schema and field tagging complexity if you want to reject every message that doesn't match the client's schema.
But rejecting unknown messages would likely degrade the user experience. Just because Google releases a new version doesn't mean everyone instantly has that new version installed everywhere.
Certificate pinning would be a solution, but the world seems to have decided that that's very difficult to get right. Probably easier to get right in an app than in a website, but I understand not using it.
They could manually sign the protobuf messages to ensure integrity. Duplicating some of the work TLS would already do, but doing it decoupled from TLS infrastructure may be easier.
But unless something like OP's hack becomes mainstream, Google's current approach could be the right one. Sure, it leaves them open to message manipulation, but the potential lost ad revenue from even a tiny failure rate around update time from the other approaches could easily outweigh what they lose from a handful of people running middleware boxes to block ads.
YouTube often degrades the user experience when it suspects ads being blocked. I think the idea that Google would care more about following protobuf's best practices than rejecting ad blockers is strange from a business perspective.
Cert pinning for YouTube would actually be quite easy, as Google runs its own CA. They can just hard pin their root CA and update the app in twenty years or so when that expires.
AFAIK ignoring unknown fields is a MUST in the protobuf spec. It's safe to assume all of their tooling is built around this. It wouldn't make a difference anyway. As vitus pointed out, deleting the field isn't much harder than changing it to an unknown field.
You can do cert pinning. And the user can modify the app to pin their own cert. And you can lock down the device so the user can't modify the app. And the user can get a different device where they can modify apps. And you can add device attestation. And it's not yet feasible to extract an attestation key from a device, but it probably will be in the future. And then you will switch it to a physically uncloneable function. And then someone will figure out how to physically clone it anyway. And so on.
The war on ad-blocking is fundamentally the war on general-purpose computing. By the time you achieve unskippable ad blocking,
You know, you could also just refuse to send any video segments until the time when the ad is supposed to be over. Then the user may try to download their videos in advance, but most of the time they don't know what they're going to watch that far in advance, so they'll sit through the ad to avoid sitting through a black screen. That seems like a more sane thing to try. And you don't have to destroy the fabric of society to do it.
I’d be thrilled to have a black screen instead of ads. I suspect you assume that my motivation is to escape the interruption. To me, let me tell you—the interruption is a mild annoyance, while the ads themselves are an active assault.
Especially now that they’re individually and programmatically targeted to showcase and inflame the neuroses, health concerns, and predilections of each of the specific people in the room around the television.
Amazing how the HIV commercials only appear when individuals in risk groups are around. Those outed a friend once—luckily in a supportive environment.
And the random miscellaneous cancer drug ads come on when the friend who’s an older cancer survivor comes to visit. And the sports betting ads when friends facing gambling addiction are around. And if I hear one more ad hawking supplies for squealing tiny humans when new parents are around, so help me…
Instead of a black screen, I'd like to watch calm cat/dog sleeping videos when they try to serve ads. Maybe one day uBO will add this opt-in feature, like mute the lie and overlay it with a 5-minute preloaded neutral cute content, for desperate services that force users into it.
PS. spent 5 minutes on "a dog sleeping" without stupid music and couldn't find one. Search these days, man...
I'll give you one better for free. Behold the Sea Otters of the Monterey Bay Aquarium: https://www.montereybayaquarium.org/animals/live-cams/sea-ot...
Thank you!
I would rather watch a black screen than a majority of YouTube ads. Because:
- they are for a product that I just bought x 20 times;
- they are for a product that I do not need x 20 times;
- “we know you are old, so do this stupid thing…” (have I said “x 20 times”?)
- “we know you are rich, so do that stupid thing…”
And so it goes.
> You know, you could also just refuse to send any video segments until the time when the ad is supposed to be over.
As I understand it, many ads are skippable after a certain amount of time, so you'd have to allow for that, but that does seem like a sensible idea.
(This is a similar approach to what Twitch does, by the way.)
> they'll sit through the ad to avoid sitting through a black screen
Bold claim.
AFAIK Twitch already sends a simple "there's supposed to be an ad here" video stream during ad breaks when viewing through a non-web player. I'd take 30 seconds of silence over 30 seconds of advertisements any day of the week.
+1. Especially those obnoxious, super-loud ads (seems like it's 99% of ads these days)
> AFAIK ignoring unknown fields is a MUST in the protobuf spec.
Yes, but there isn't only an unknown field, but also a missing field. (The old field index) Thus it doesn't meet the requirements of the client.
Now that probably could be circumvented by doing more edits to the protobuf message. If nothing else works, by injecting 0s length ads instead.
Except that Google introduced NEVER-ENDING ads in the middle of content. I was willing to watch normal-length ads at intervals. But when Google made it impossible for me to watch stuff while cooking because I have to keep herding the program along by pressing Skip every few minutes, I installed an ad-blocking client.
It's pathetic how Google pulls this douchebaggery and then whines when people fight back.
I remember when everybody in HN said they wished they could pay to avoid seeing ads and then Google introduced that feature.
The point is that when ignoring unknown fields leads to users defeating your business model, even though the protocol requires it, the business logic of your software almost certainly should not. Protobuf working as intended, youtube client not so much. Agree that cert pinning is not the solution.
Protobuf and the app are behaving the right way. 99.999% of users aren't going to MitM your protocol.
How exactly should you deploy client code to the edge, which may not be updated, to handle "unknown" tag number fields? You don't, because that's crazy. Nobody should write software like that because it creates a maintenance hell where you can't upgrade or downgrade because "smart" applications are doing stupid, nondeterministic things with the protocol.
It's impossible to reason and engineer backward / forward compatibility when you don't treat the wire format and API with respect.
Most of the major migration headaches I've had in my career have been the result of engineers trying to be clever in the time and place they wrote the code.
The next best option is to version the api and support all old versions going back 10+ years
I agree, what they are doing with proto is much better
Uh… how about display an error message if the user isn’t subscribed to premium and the server doesn't send any ads?
Ironically, Protobuf does have field options for "required" and "optional", but over a decade ago (I guess shortly after it was first introduced), Google added a huge "do not use required! validate required fields in your own logic!" warning to the docs, because a missing "required" field throws out the whole packet. (And when it's time to deprecate a required field -- it's way more effort)
We originally used "required" for fields that must be present and it screwed us over later due to that. Switched everything to "optional" with the code checking for those fields' existence instead.
If you want to prevent MitM modification attacks, the way to do it is to sign the data. Trying to do it by making the serialization format less forgiving isn’t the right approach at all. It still has to be pretty flexible. It’s going to be pretty hard to come up with a format that cannot possibly be altered to make the client show no ads. Something like certificate pinning is way easier.
Thoughts my own, smooth, uninterrupted video playback is much higher priority than recovering a small amount of ad revenue.
I'm very surprised Google isn't already certificate pinning.
Cert pinning is not a solution and defeats legitimate traffic inspection cases. It also just moves the goalposts as the author discusses it can be defeated by a modified app binary. The industry has moved on. Sign your data if modification in-flight is a threat. I’m surprised google isn't doing that.
Cert pinning is a solution. Just because it is not an ideal solution and it is anti-consumer does not make it "not a solution". You can't modify an app binary on an Apple TV without first jailbreaking.
So cert pinning in this case would go from "anyone with a pihole or equivalent can block YT ads on their Apple TV" to "people who jailbreak their Apple TV and install a cert pinning breaker and have a pihole type setup can block ads".
If you are google and your goal is to get people to watch ads, cert pinning is clearly a win if you are at all worried about things like the OP. Clearly they are not very worried, presumably because the bar set by the OP is already too technical for most people (even if it was packaged in a more consumable way).
> Sign your data if modification in-flight is a threat.
Which effectively pins a different key in the binary. Might as well use certificate pinning, which provides both signing and encryption without a second layer of crypto.
Only naively. You can do a key exchange.
When you're running a proprietary video service that's supported by ads and analytics, there aren't that many "legitimate traffic inspection cases". Google prefers people not to mess with their network traffic and would also prefer it to be a bit harder to write YouTube downloader scripts.
From a user perspective, you'd want to break all TLS connections and sniff every bit of data on your network, but that's not the perspective Google has when developing their code.
Signing data is just duplicating TLS security measures with a second key. TLS already signs the data, Google just needs to verify the root of trust.
Alternatively perhaps the cost of implementing / performing the overhead of signing and verification isn’t worth the cost given the relatively few people who are likely to do this
A legitimate traffic inspection case, from the content publisher's perspective, would have an alternate certificate backed by a trusted authority who agreed to protect the ads.
> It also just moves the goalposts as the author discusses it can be defeated by a modified app binary. The industry has moved on. Sign your data if modification in-flight is a threat.
As a sibling comment has also pointed out, signing the data won't help against a user who's modifying the client. You can change the signature the client is expecting on your certificate... and you can also change the signature the client is expecting on your data.
It protects against things other than the intended client modifying the data. Someone said we need cert pinning to protect data integrity in the face of MITM. I am saying signing your requests solves MITM modifying the traffic, so you don’t need cert pinning. Solving binary integrity in hostile compute environments is a different problem.
Google still supports the YouTube app on the PlayStation 3. They are not going to rotate hashes/certs on that app because it's very likely there are between zero and two people who know how in the whole org. There are countless other supported devices like this that are either EOL or not receiving updates, and part of YouTube's value proposition is that they are available everywhere.
The current YouTube certificate has a lifetime of 84 days. The next one will live that long or even shorter. Certificates are rotated too quickly nowadays for pinning to be viable. They'd be better off pinning their CA than their certificate, but that might cause issues for users in certain scenarios.
I'd consider cert pinning malware behaviour if it rejects the certificates explicitly trusted/installed by the user.
> I'd consider cert pinning malware behaviour if it rejects the certificates explicitly trusted/installed by the user.
You might be interested to know that this is official policy on Android. Yes, I'm appalled too.
Funny you mention that, because unnecessary "security" controls on streaming data is how Google broke Chromecasts last week, and still hasn't figured out how to fix.
I haven't had any trouble on my dumb Chromecast so I think they must've pushed an update to fix the issue already. The only app I remember breaking was Jellyfin, ironically enough.
Security controls weren't the reason the devices broke, which is why applications that didn't care about things like DRM still played just fine. The internal CA for the Chromecast hardware certification expired, which requires updating all Chromecasts or temporarily ignoring the expiry date in client apps. It seems like apps are doing the latter while Google is figuring out how to update the Chromecast certificate infra on short notice.
> the bytes object returned by mitmproxy's API (`body: bytearray = bytearray(flow.response.get_content(strict=False) or b"")`) is immutable
Byte objects are immutable, but bytearray objects are not.
Yes, that's my point, although I can see why you interpreted it otherwise.
mitmproxy's API is flow.response.get_content(strict=False), which returns a bytes object; the proof-of-concept script then copies it into the bytearray using the code that I've cited.
A small C++/Go/... proxy can do the same thing with much, much less overhead. Been there, done that - for something well-defined like this, it is more stable and less work than fighting mitmproxy.
Routing everything through the proxy will degrade performance even with SNI interception.
Same with pfSense - a plain Linux server and a simple iptables rules set would do the job without having to fight against all the pfSense abstraction layers.
Write a .proto file with just enough of the reverse-engineered proto fields to auto-generate code and flip the flag. Cheaper than the Python implementation and easier to update when the proto changes.
Ignoring unknown field tags is an important Protobuf feature - it allows for compatible schema changes without breaking existing deployments.
I would love to degrade my YouTube experience and make it slower when switching videos, would make it a lot less addictive, especially with shorts.
I am experimenting a bit and definitely, a little bit of loading delay helps to break the loop and "wake up".
The 21st century will be remembered as the great digital drug crisis.
Maybe wait until the brain implants.
Or the Start of the Digital Drug Era.
Slowing down certain domains' bandwidth can help too.
It would, but it would also decrease the video quality. I'm not opposed to letting my kids watch YouTube, there is a lot of good quality content there, but having some agency in what they pick would be a lot better than the current behavior of short after short after short. Just like snacking on fast food.
Google has been doing that for you since they bought Youtube.
I gotta say, I don’t get that perspective. The content is one thing, but YouTube is super reliable for me, streaming or watching. I can easily stream in 4k 60FPS from OBS and YouTube has never had issues ingesting it, though I generally do 1440p because my computer is slow. When watching, I have never had an interruption on my wired Apple TV even for 4k/60FPS.
I do hate the pushing of shorts and the algorithm that seems to have a 3 video memory, but aside from that I’m pretty happy, I don’t get the weird right wing stuff or creepy videos pushed at me or my kids.
For me the content is not the main problem, rather the consistent bloating and enshitification of the player and interface over the years. Nowadays I don't bother anymore and just use mpv and ytdlp to play the few videos I'm interested in.
The time you spent wrangling your player and scripts costs at least x10 the time it takes for you to open a browser, and visit m.youtube.com
I don't even bother using scripts, I just manually paste the URL of the video I want to watch into mpv. It's not slow enough for me to have to deal with the garbage Youtube interface.
Thought this was sarcasm till the end. Good idea
Isn’t Google degrading your user experience well enough?
This comment made me wonder if some folks have been compelled to find a way to block shorts.
My use of YouTube predates shorts, and I haven’t been a huge shorts consumer on social platforms, and I seem kind of indifferent to them. Anyone else?
Maybe there is something we can figure out and share with our friends who want to manage their shorts use.
Also, apps like opal can be really helpful.
https://www.opal.so/
I never got used to shorts/reels/etc, but it is troubling to see kids addicted to them. I have been thinking that by forcing some pause between videos it would remove some of their addictiveness.
It does. Sometimes I click on an interesting short and then keep swiping to see if anything else is interesting. When the app takes ten seconds to load, I go do something else because there's no real value in the shorts.
Sounds great, looking forward to the detailed blog post where you share how to do it!
You don't sound like you are actually looking forward to this.
You want someone to show you how to write a C++/Go program to forward traffic? There are a lot of tutorials online that can already demonstrate this for you. :)
Can you put together a guide in response showing where the inefficiencies are and how to mitigate them with more simple software?
It sounds like the author was aware of at least parts of your comment. The post is very thorough. They benchmarked using Python and C++ and the final impl doesn't even decode protobuf. They used various mitm solutions. They are using pfSense for more than just "it's muh security router"; they are vlanning and vpning the traffic so they can target only the Apple TV on their network.
Your comment is cheap and dismissive. The author’s post is not. You owe it to the community to put your money where your mouth is.
Not sure what kind of answer you are looking for? I did not criticize the author's post. It was an enjoyable read, and I personally would have given up a long time before going to such impressive lengths. The fact that the app isn't using certificate pinning is really interesting and the sheer amount of hacker spirit and determination is extremely wholesome.
I am, however, very familiar with this particular engineering challenge (specifically, attempting to build on pfSense and using mitmproxy scripts in production), so I wanted to share my personal experiences to hopefully save someone else some time and frustration while attempting the same thing.
Should I not have commented at all?
Exactly my thoughts.
> A small C++/Go/… proxy
Got any recommendations for lightweight proxies that can run on macOS and serve other devices in the home?
https://github.com/elazarl/goproxy is pretty nice Go library for writing proxies, I used it once. Supports both HTTPS passthrough and MITM. Here's a trivial example MITMing connections to www.google.com and rejecting requests to https://www.google.com/maps while allowing everything else through:
Try: -k is to ignore cert error; note how we don't need it for apple.com due to passthrough. Remember to use your own cert rather than the hardcoded one in "production" (a trusted network like your home of course, probably a bad idea to expose it on the open Internet).
> I want to support content creators, so to be fair, after a few months of blocking YouTube ads, I am now paying for YouTube Premium; Just because I can break something, doesn’t mean I need to.
Does paying for YouTube Premium support creators? (If so, how much, compared to say Patreon?)
Not much compared to Patreon but if you watch more than a couple YouTubers can you reasonably be expected to subscribe to every YouTuber’s Patreon?
I don’t doubt any given YouTube premium subscription provides a negligible amount of income to a creator but watching their videos ad-blocked provides nothing.
(I use ublock on Zen and do not make enough money to be a Patron of anyone unfortunately)
> watching their videos ad-blocked provides nothing.
it provides the view count, for which the creator reaps rewards from as part of the boost in the algorithm from youtube.
Not to mention that a lot of creators on youtube also do sponsored segments.
And that’s why there is SponsorBlock
which has horrible issues with moderation and zealots over-blocking random things in videos
"horrible" is kind of overstated, I feel.
I use SponsorBlock and haven't had any issues. I enjoyed when it skipped 99% of an MKBHD video, it was kind of funny.
I've seen a Linus Tech Tips video where the seekbar was very colorful due to SponsorBlock, someone added all the sponsors, product placement and tangents into it.
I admit I've marked segments on videos, e.g. skipping cringy jokes when I find the presenter annoying.
To clarify, are you saying that these segments were marked incorrectly?
If so, then it is a plain case of internet vandalism. I would just ignore such segments.
But if the segments were marked correctly and there were too many of them in the video, that is the problem caused by the video creator, not by the community which publishes the segments.
They were marked correctly, but I had a feeling someone was sufficiently annoyed with all the fluff in the video, that they went to the trouble. I think it was the only time I saw an LTT video with that many SB segments.
You can adjust the settings to block only actual ads
Sponsor block may have issues for content creators, but as a viewer I don’t care; at all.
I mean issues in that they over-mark things that are unrelated, instead of just skipping sponsor-related segments.
Really? I've been using sponsorblock for years and I don't feel like I've ever seen any of that. It's pretty rare for me to go back and watch something that was skipped, and when I do, I generally feel that skipping it was the right call.
Youtube has recently added a premium feature where if you skip ahead 5s, it will prompt you to skip an entire "commonly skipped" section. It seems like they've picked up on sponsorblock and are making it a feature for Premium users.
I don't think I've ever had it work on my pixel. I tap ahead through all ad reads I've already decided not to buy, and it's much more reliable to just skip ahead 30s/90s/etc than hope the prompt appears. I've seen the prompt maybe 5 times.
Is this the new artists-doing-free-work-for-exposure?
They get far more from a premium viewer than an ad viewer.
Could you please substantiate that claim?
https://support.google.com/youtube/answer/7060016?hl=en
> If you're a YouTube Premium member, you won't see ads, so we share your monthly membership fee with creators. Best of all, the more videos you watch from your favorite creators, the more money they make.
https://www.reddit.com/r/youtube/comments/177353i/you_should...
Looking at my YouTube watch video, and that creators get about 45%, it tends to be about 50p an hour (I watch about 12 hours a month and pay about £12) so say 10 cents per 10 minute video.
From what I see ad views tend to net about $1-5 per thousand views, or well under 1 cent per video.
I.e. a creator makes 20-100 times as much per view from me rather than a typical viewer.
I'm not sure how it works if you end up watching music on repeat for 200 hours a month and 10 hours of new content. Probably fairer than the way Spotify distributes my subscription fee.
Supposedly creators get a bigger share from YT Premium users compared to regular, ad-watching views, simply because skipped ads mean no revenue. It's still marginal because most people don't have Premium though.
> Supposedly creators get a bigger share from YT Premium users
I've heard this multiple times before, but every time I go hunting for a source from Google/YouTube, I cannot find any official statements or confirmed information about this, seems this is mostly based on 3rd party analysis afaik.
Linus tech tips had a break down of their income. One thing Linus highlighted was that YouTube Premium revenue was much larger than most would expect. See https://www.youtube.com/watch?v=-zt57TWkTF4&t=400s (it's a little under 20% of their total revenue from YouTube).
I found this screenshot of the partner program contract that says it's a 55% split for either https://imgur.com/YjOHAAr
But for Premium the amount is distributed by watch time, whereas for ad-supported users it's by number of ad views. This means that for short videos where the value of the ad is higher than the value of the watch time, a "free" user wins, but for longer form videos where the watch time is longer, the Premium user wins.
LinusTechTips once showed the YouTube income breakdowns for some of their videos that showed this - for their hour+ long PC build streams, Premium income was higher and for shorter videos, Ads income was higher.
I've released an album via Distrokid which distributes the release to YouTube as well. You can look at detailed reports there. Youtube revenue is split into Ads, ContentID and Red (which I believe is the old name for Youtube Premium). I just checked and I am currently getting a bigger share from Ads than from Red, per play.
Is "per play" the correct metric to use? What I'd like to compare are the hypotheticals "everyone is on Premium" and "everyone runs all the ads", but I'm not sure how to extrapolate this from some random split (I assume you don't see the ratio of your viewers) of Premium-to-ad..
https://support.google.com/youtube/answer/7060016?hl=en
> Does paying for YouTube Premium support creators? (If so, how much, compared to say Patreon?)
Yes. Recent info is sparse, but when they initially released it as Youtube Red it was generally much more than they got from ads per view.
Yes, more than ads, less than Patreon.
It's based off of watch time rather than ad impressions so creators with long form content do a lot better from it.
Well it would be less than patreon, youtube the platform obviously costs more to run than patreon the platform
My gf’s YouTube account for some reason does not show ads on any device it is logged in, including the Apple TV. It is not premium, nor ever was premium.
Wonder what flag is set internally that disabled ads.
Interesting. If you can DM me the username and email associated with the account, I can look into this and get it fixed for her.
Perhaps set the account to only show ads until she’s caught up!
That would be illegal.
And by fixed you mean.. show more ads??
"We're sorry for any inconvenience this error may have caused"
More like Mitch Hedberg would have said: "Sorry for the convenience."
Why would anyone want this fixed?
It's a joke
How would you know what to buy without ads?!
Woooosh
Your GF is essentially in the "control group" for ads. Her behavior can be compared to the behavior of people who see ads to better understand how ads affect those other users.
In which case she should've been shown noncommercial ads (government services and promotions of YouTube features) instead of no ads so that she would be less likely to notice.
Maybe she is in a holdback experiment. To understand how a feature affects the metrics (such as running ads), they often have some people in a holdback. I worked there and we did have such experiments for our features.
Isn't that pretty unethical without an IRB and informed consent?
How does ethics even come into this? They didn't require consent to show ads in the first place. Why require consent to not show ads?
this comment is hilarious no matter how you look at it
This is the advertising industry, unethical is their middle name
That's academic ethics. Academia holds itself to a high standard - voluntarily. Used car salesmen do not.
I mean, it’s Google.
Long ago a Google music subscription would disable ads on YouTube. When they discontinued it / I cancelled, it took a good 6+ months before YouTube ads started up for me.
Bit of a “oh I see what people are complaining about” moment for me ;)
I am still paying for mine. My Google music all access I'm feeling lucky subscription turned into a YouTube music one, which includes YouTube premium, and I'm still only paying 8 bucks a month, which seems like a pretty good deal even if I also pay for Spotify.
How did you manage to avoid the last price increase? I thought they’d ended that sweet deal for everyone (myself included)
I have no idea. I signed up for the music service under the $8/mo plan basically the day they announced it, and I've never canceled or missed a payment, but they've never increased my price. I just hope I haven't jinxed myself here.
I don't like to advertise this just in case it gets fixed, but I have that same experience for Twitch.
I don't run an adblocker and yet as long as I'm logged in, I get no ads. Not in the website nor in the mobile app. I don't have "turbo" and I don't even have Amazon Prime any more (which itself only very briefly suppressed adverts across Twitch globally before they replaced it with a "Free sub" perk). I don't have any of the other Turbo benefits, so it's not like I've been fully flagged as Turbo either.
I don't know if I accidentally bugged my account profile messing around back when they ran a bug bounty, but I'd happily provide more details in return for keeping this perk.
What's weird is that I vaguely remember once having a near-meltdown over the level of adverts on twitch when all I wanted to do was watch TV while I was heavily medicated and in pain in the hospital. Then some time a year or two later I was reflecting then suddenly realised I hadn't seen an advert for years.
I guess most likely there's some long forgotten ad-free A/B test that it's not worth cleaning up.
I've definitely benefitted over the years, I easily watch more twitch than any other platform. At £12/mo (roughly $15.50), twitch turbo is among the more expensive in the world. In the US and Europe it's $12 or €12, so we're getting straight ripped off in comparison.
> some long forgotten ad-free A/B test that it's not worth cleaning up.
That sounds about right. Different context but I once got on the good boy list at work by accident and it wasn’t fixed for about 6 months. On the first of every month I got a little corporate swag box in the mail thanking me for going “above and beyond”. Lots of cookies, blankets, coffee mugs and other trinkets.
Afaik Youtube cannot legally display ads to some countries' residents, it could explain this behavior.
The above is true. Some countries don't get ads. Lucky them. Albania, Cambodia, Ivory Coast, Laos, Myanmar, Macau, Madagascar, Maldives, and Russia.
Use a proxy server/VPN and go ad free.
Presumably he lives in the same place as his girlfriend.
She may have created the account abroad.
Which begs the question: if you used a proxy server/VPN and created an account "overseas", would you get ads?
Why don't they serve placeholder unpaid noncommercial ads (YouTube features, government services) to such users instead?
> I discovered that putting a man-in-the-middle proxy between my Apple TV and the world lets me decrypt HTTPS traffic
This surprised me quite a bit because normally that shouldn't work, but then that surprise was exchanged for a different one, when I learned later down that you can add CAs to the certificate store of an Apple TV.
Nice and thorough writeup, thanks for sharing. A good carousel through the entire stack involved.
If I had to guess why Apple supports adding certificates, it’s probably to allow Apple TVs to work as AirPlay boxes in corporate/educational environments while playing nice with the IT/device management stuff that entails. For instance, when I was in college, getting something on the college WiFi either required allow-listing its MAC address or installing a certificate.
This, and the fact that a fair bit of this would 'come for free' due to tvOS being based on iOS which has supported custom CAs for ages.
Unfortunately Google can trivially block this by checking which CA signed their SSL certificate in the YouTube app. I don’t know if they will - doing so might break YouTube within a lot of corporate environments. But it would be unfortunately easy.
Of course Google can do this. And more. They could, if they wanted to, embed ads into the video stream itself with no way to distinguish them from the actual video content.
But they do not do it. They had so much time and opportunities to do that over the years. And yet, they did not do it.
I am not going to speculate why. But I suppose it is safe to assume that it is their intention to not do it.
Does anyone do that? The average developer likely would not think to do this because it is too computationally intensive to splice things into A/V streams on the fly.
A more clever developer could splice the ad into the video at an I frame, but then the ad needs to be a multiple of the number of frames that are both the I frame and follow the I frame. This also would mess with metadata on the length of the video that would need to be adjusted in advance. It is doable, but you give up flexibility and your HTTP sessions cease to be stateless. Then there is the need to handle splicing into audio and I do not know offhand if there is a cheap way of doing that at the server like you can do with video through I frame splicing.
It seems to me that they have lower server costs by doing things the current way.
SSAI (server side ad insertion) is not uncommon for premium streaming video; Twitch and Hulu have had the technology in use for years. It's also practically just a checkbox option to enable the feature for all major ad serving tech platforms, including Google's DoubleClick.
They're not using it simply because it increases server and bandwidth costs. YouTube is still positioned as part of Google's "moat" by driving down video ad price so no one else can build an ad empire off video instead of being a profit generating division on its own.
Youtube do their own re-encoding on upload to different quality levels, so they could theoretically hook that and make sure to provide suitable splice points and record them in the metadata.
> your HTTP sessions cease to be stateless
There's already pretty heavy magic around preventing people from simply grabbing all the HLS blocks, I think? All the work that yt-dlp does.
YouTube videos are a stream, not a file you download. I’m not sure what the major technical hurdle is injecting ads directly into the stream. Also H.264 has key frames typically a few seconds apart anyway.
I think Twitch embeds their ads. To block their ads you now need to pretend to be in one of the ad-free countries.
I think that it should be sufficient to create content identifiers of all unitary parts of the video, e.g. parts between keyframes, and skip over the ones which are not supposed to be there.
These identifiers could be collected automatically by plugins like SponsorBlock in a community effort and then combined together to identify parts which are common for every viewer, i.e. the ones representing the original video content.
In other words, it seems to me that even putting ads directly into a video stream would not prevent people from being able to block these ads.
What are the ad free countries?
Russia
>But they do not do it.
yet. They are moving forward with measures. YT webpage player.js no longer fetches individual video/audio stream URLs. It fetches a single bundle pre-packaged on the server. It's a POST request now with only one URL parameter changing &rn=x, where x increments with every request, and ~2000 byte binary encoded body.
It requests pre sliced segments in form of
and pushes those directly into MediaSource sourceBuffers
Doing that across billions of streams a day will cost big computer costs to encode it as they are dynamic ads
> [...] when I learned later down that you can add CAs to the certificate store of an Apple TV.
Same. I would not have guessed that that's possible but I guess I never tried to access a resource without a valid certificate chain on Apple TV.
Ironically enough Android TV (at least version 7.X) does not let you do that, which I found out the hard way when trying to work around untrusted Let's Encrypt certificates.
Starting with Android 7, apps have to opt into user-installed certificates. Browsers often do (Firefox is an annoying exception, you need to turn it on in the dev settings and it doesn't work in the official release version of the browser), but apps usually don't even know that the setting exists.
Aside from that, Android has a very easy certificate pinning API where you can just assign a fingerprint to a domain name in the XML config files and it'll pin a certificate to that domain. Easy to bypass if you modify the APK file, but then you miss out on updates and other mechanisms could check if the signature has been tampered with.
With root access (shouldn't be too hard to gain on an Android device still running 7) you can add your certificate to the root certificate folder on the system partition. This will make Let's Encrypt work on all apps. It doesn't bypass certificate pinning, of course, but you don't need that for Let's Encrypt.
I remember people promising a rogue CA would not work anymore due to certificate transparency requiring certificates to be published in order to be valid, but it is quite obvious here that certificate transparency was not even needed. A private CA is different from a rogue CA, but if the private CA was not forced to do certificate transparency, I wonder what is supposedly forcing the public CAs to do it for their certificates to be “valid”.
> I wonder what is supposedly forcing the public CAs to do it for their certificates to be “valid”.
The power of browsers and operating systems including the cert in the default store distributed to everyone. Participating in cert transparency is a requirement.
How is that enforced as it was billed as certificates are not valid unless published, yet it is obvious certificates for a private CA are not being published and are treated as valid?
As I understand it there are various interested parties who monitor to make sure that the default CAs in the root store publish to the certificate transparency before they sign anything. A violation would be grounds for immediate removal. None of this applies to a private CA you add to your own store.
Most devices allow you to add CAs, but almost all apps nowadays use certificate pinning which means the system certificate store is ignored. I find it extremely surprising that YouTube doesn’t do that.
That sounds like you've just made it so your app doesn't work behind a corporate SSL proxy. I really need people to stop rolling their own SSL stores (looking at you Python, Java and Node.js). I spend way too much of my time getting things running on my work laptop that should just use the CA store IT pre-installed.
Is that a problem? What segment of Google's Apple TV revenue comes from people behind shitty middleboxes?
YouTube won't work on Chromecast if you're trying to MitM it, so clearly Google doesn't think this situation is worth making an exception for in their logic.
I can't help but wonder if any apps have tried doing TLS-in-TLS, with the outer TLS not caring about MITM, and the inner TLS doing certificate pinning?
> but almost all apps nowadays use certificate pinning which means the system certificate store is ignored
Certificate pinning (or rather, public key pinning) is technically obsolete and browsers themselves removed support for it in 2018. [1] Are there many apps still really using this?
[1]: https://en.m.wikipedia.org/wiki/HTTP_Public_Key_Pinning
HPKP, yes. Certificate pinning in apps is the norm.
The difference between HPKP and certificate pinning is that HPKP can pin certificates on the fly, whereas certificate pinning in apps is done by configuring the HTTPS client in the native application.
Apps like Facebook won't work on TLS MitM setups without using tools like Frida to kill the validation logic.
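The app-side pinning described in the comments above, as an added example that is not part of any comment in the thread: the client compares the SHA-256 of the server certificate's SubjectPublicKeyInfo with pins shipped in the app, so a proxy certificate issued by a user-added CA is refused even though the trust store accepts it. The certificates are constructed, unsigned DER built inline, and every function and constant name is hypothetical.

```python
import base64
import hashlib


def der(tag, content):
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the TLV starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or off + k > len(buf):
            raise ValueError("unsupported DER length")
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + n > len(buf):
        raise ValueError("DER value overruns buffer")
    return tag, off, off + n


def extract_spki(cert_der):
    """Return the complete DER of subjectPublicKeyInfo from an X.509 certificate."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, pos, tbs_end = read_tlv(cert_der, start)    # tbsCertificate
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, version_end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] version
        pos = version_end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, spki_end = read_tlv(cert_der, pos)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:spki_end]


def spki_pin(cert_der):
    """Base64 of SHA-256 over the SPKI: the value an app ships as its pin."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def connection_allowed(leaf_der, pins, trusted_by_store):
    """Pinned client: a trust-store 'yes' is not sufficient, the key must match a pin."""
    return trusted_by_store and spki_pin(leaf_der) in pins


def make_cert(serial, issuer_cn, key_bytes):
    """Constructed, unsigned, certificate-shaped DER for this demo only."""
    def name(cn):
        attr = der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode())
        return der(0x30, der(0x31, der(0x30, attr)))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
    key_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
                  + der(0x06, bytes.fromhex("2a8648ce3d030107")))
    spki = der(0x30, key_alg + der(0x03, b"\x00" + key_bytes))
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + sig_alg + name(issuer_cn) + validity + name("app.example.test") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(8)))


# Constructed key material (not real keys).
APP_KEY = b"\x04" + bytes(range(64))
PROXY_KEY = b"\x04" + bytes(range(64, 128))

ORIGINAL = make_cert(1, "Constructed Public CA", APP_KEY)
REISSUED = make_cert(2, "Constructed Public CA", APP_KEY)       # renewal, same key
PROXY_LEAF = make_cert(3, "Constructed Proxy CA", PROXY_KEY)    # interception proxy

PINS = {spki_pin(ORIGINAL)}

if __name__ == "__main__":
    # The user added the proxy CA to the device store, so all three chains "verify".
    for label, cert in (("original", ORIGINAL), ("reissued", REISSUED),
                        ("proxy", PROXY_LEAF)):
        print(label, spki_pin(cert), connection_allowed(cert, PINS, True))
```

Pinning the key rather than the whole certificate is why the reissued certificate still passes while the proxy's leaf does not.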
Mobile apps still frequently do, yes.
It's gotten less popular over the years as people keep asking "wait, what are we doing this for again?"; but it's still very popular in certain kinds of apps (anything banking related will almost certainly have it, along with easily broken and bypassed jailbreak detections, etc).
Most personal banking apps I’ve used still do this. The bank is liable for your lost funds if your corporate IT department doesn’t secure the MITM solution properly otherwise.
(The end customer isn’t liable for the bank’s inability to properly secure their app from MITM attacks…)
I don't have any numbers, but I think this is still pretty common. On iOS for example Alamofire which is a popular network stack, still offers this as a feature. I think the use case is a bit different for apps and web sites, especially for closed ecosystems like Apple's where reverse engineering is not as easy/straightforward.
https://github.com/Alamofire/Alamofire
Certificate pinning seems like extreme overkill for nearly all applications. Are most folks really doing this?
A regime can now force you to install their "root certificate" (and forcing organizations under their rule, e.g. national banks) to use a certificate issued by them, and these certificates would also be able to MITM your connection to e.g. Google. (1)
Looking forward to Americans being forced to install the DOGE-CA, X-CA or Truth-CA or whatever...
1) https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-roo...
> I find it extremely surprising that YouTube doesn’t do that.
Not surprising for me - it used to be only banks where it was required (sometimes by law) that any and all communication be intercepted and logged, but this crap (that by definition breaks certificate pinning) is now getting rolled out to even small businesses as part of some cyber-insurance-mandated endpoint/whatever security solution.
And Youtube is obviously of the opinion that while bankers aren't enough of a target market to annoy with certificate pinning breaking their background music, ordinary F500 employees are a significant enough target market.
I’ve tried implementing this a few times on my Apple TV to no avail. I think YouTube has implemented cert pinning on their app now or something. Has anyone else been able to get this working recently?
I really like everything related to network-wide blocking of shitty online services that are enforced on us!
On top of blocking ads (which is great), I wish there were more / easier ways to do network-wide blocking of all sorts of aggressive infinite scrolling (in my case: youtube shorts and instagram reels).
I often like to go on instagram to see posts / stories from the people I follow and I don't want to be suggested stupid videos that are especially designed to catch my attention. I know it's probably revealing a lack of strength on my side, but yeah, I often fall for watching a few of them and losing 15 minutes of my life.
> that are enforced on us!
You don’t have to use them and you could pay for them.
The users of the internet have made their call and they often don’t want to pay, so someone does.
As a whole the users of the internet are not rewarding anyone for NOT showing ads. We want our content and we want it for free generally.
The problem is that advertisement business infects everything.
For instance, I could pay for Youtube Premium to ostensibly not be shown ads, but it doesn't change the fact that all the content[^1] in the ecosystem is still produced for maximizing watch time and/or being advertisement friendly.
I could pay for news, but that doesn't change the fact that the news is written to receive clicks from the non-paying users.
Paying for things does not help escaping the second order effects of advertisement.
[^1]: To a close approximation.
I don’t understand this complaint in the context of YouTube. It’s the only major streaming service with plentiful new content that isn’t clickbait, focus-grouped, lowest-common-denominator, metrics-chasing trash. I can hop on and watch hours of jets flying through the Mach loop, people playing chess, and people machining metal. If those aren’t your thing, I bet there’s plenty of stuff that is.
Sure, there’s a lot of crap. But you don’t have to watch that.
> Sure, there’s a lot of crap. But you don’t have to watch that.
The way people complain, I genuinely think they don't know about this option.
For example, Mr. Beast content isn't for me. But I was also living blissfully under a rock for years without knowing who the heck he was. Now that I know about him I simply don't click on his content and therefore never see it in my feed.
"But what if I click by accident?" - glad you asked. Simply delete it from your watch history and see your recommendations improve.
Either that, or “that stuff is bad” is meant to be understood as “nobody should watch it.”
Which is even dumber. How immature do you have to be to think you can dictate the tastes of others.
> Sure, there’s a lot of crap. But you don’t have to watch that.
But even non-crappy content will be steered toward some direction by the advertisement, most videos are made just long enough to fit whatever is the new optimum time for revenue per view. And some subject will be censored to not displease advertisers.
Some people are not doing that, but it's simply because they don't rely on YouTube revenues.
The people who aren’t doing that still produce way more than 24 hours of quality content per day. And for those who do, I’ll judge them based on what they make, not how I imagine they decide what to make.
So your whole argument is just cherry picking? Sure if you ignore everything wrong, you can say the system is alright.
By way of analogy, large portions of Reddit have turned into every other social media hellscape.
Reddit is still awesome if you curate your subscriptions and avoid the big subs.
Is it cherry picking to say Reddit is awesome because I’ve carefully made it that way?
> Sure if you ignore everything wrong, you can say the system is alright.
This framing doesn’t make sense. It’s an ecosystem, and it’s not so much about “ignoring” things as much as it is about making active choices. If you go to a shopping district, there is nothing forcing you to shop at every store. If the district still has the stores you care about, shop at them.
> This framing doesn’t make sense. It’s an ecosystem, and it’s not so much about “ignoring” things as much as it is about making active choices. If you go to a shopping district, there is nothing forcing you to shop at every store. If the district still has the stores you care about, shop at them.
There are a ton of people that won't go to some shopping districts because the rest of the area is an intolerable mess.
In the same spirit, look at Twitter/X, sure, there are still plenty of people making good content there, but you can't deny that the website policies are steering it in a peculiar direction, and a lot of users choose to leave Twitter entirely to not be complicit.
> There are a ton of people that won't go to some shopping districts because the rest of the area is an intolerable mess.
But there is still a major difference between “this shopping area is mostly stores I don’t care about but has a few that I care about significantly” and “this shopping center is a complete nightmare and not worth wading through the nightmare for the few stores I care about.”
I can easily think of a few real places in my city that fit into each category.
YouTube is still arguably in the first category.
A better analogy would be the internet. This place has enormous mountains of crap. And yet there's more than enough good stuff for it to be worth it to me to pay a decent amount of money for access.
I'm not paying for YouTube, really. I'm paying for access to the output of various creators. The service also includes access to a bunch of other creators I'm not interested in. And that's fine, I don't access them, just like I pay Verizon and T-Mobile but don't use their service to access instagram.com.
My gob is properly smacked by this reply.
I mean, yeah! Cherry-picking is the entire point of an on-demand video service. Are you just watching whatever it gives you in order? I seriously cannot comprehend what would possess someone to write this.
You get to pick the cherries that you eat.
Do you not choose what to buy when you go to the supermarket?
Recently I've been annoyed with Youtube Premium. I pay for an ad-free experience and do not see ads in the traditional (wait 5 seconds to skip) way, yet more and more content has inline product promotion where time is spent thanking a sponsor and pitching their product. So I'm paying not to avoid ads, but I'm still seeing paid promotion...
> I'm paying not to avoid ads, but I'm still seeing paid promotion...
It seems like you have shifted from having a problem with the platform to having a problem with the content producers. Can’t win?
People all the way down...
SponsorBlock works great.
https://sponsor.ajay.app/
> where time is spent thanking a sponsor and pitching their product
I’ve been unsubscribing from folks who do that a lot. Instant unsubscribe if the product is questionable.
I’m not going to judge their business decision, but it sets an odd tone when I’m watching something informative and they bust out into a “someone paid me to say this”.
It's an old-fashioned plug, and you can hit the skip button. Usually there's a banner of some sort that makes it even easier to know when the plug is done. If that's too much, then find a way to live without the show.
google for "sponsorblock" extension for your browser, crowdsourced data makes it skip all the promotions, intros, "like and subscribe" and all other unneeded parts.
And when you're at it, ublock origin also skips the youtube ads.
There's also: https://freetubeapp.io/ , but it's a constant cat and mouse game with youtube, where you now have to refresh a video a few times before it starts playing (then it works fine), until they upgrade the software and then it works, until youtube changes something again.
YouTube has a “jump ahead” built in - at least on the phone - which skips sponsored bits
You know who is the best target demographic for selling stuff? People with money.
So that's who you want to show ads to.
And do you know a proxy for "have money"? Paying for premium, when there is free.
Therefore, every time you pay for premium, all the advertisers look and say "I'd pay a lot to show ads to that guy". At some point, the premium service includes ads, because of so much potential extra revenue!
And that's why I don't pay for premium.
I'll never understand why people are reluctant to pay for a monthly service because of something they might do in the future to make the service worse.
If they do that thing then just cancel! It's incredibly easy to do!
Because if the service you pay for starts to do what you expressly pay them not to do, your whole subscription since the beginning will feel like a waste.
Worse, your money was partially used against your interest, by financing people unilaterally altering a contract they made with you.
> your whole subscription since the beginning will feel like a waste.
This is such a bizarre way of looking at something. I've canceled many subscriptions because of changes made by the company and I never felt like the time I already paid for was a waste. I got the thing I was paying for, then it changed in a way I felt like it was no longer worth paying for so I stopped. It doesn't change the time I was using it at all.
If a company taking your money and using it to make the service worse is your line in the sand I've got bad news for you about how almost every single company uses the money you pay them.
And there have been a ton of things I just lost interest in over time and wasn't getting value from any longer, so I (usually, eventually) canceled. Doesn't typically mean my earlier subscription was a waste. When I got rid of my cable TV, doesn't mean I wished I never had it.
If your favorite restaurant changes their menu, does that make your past meals feel like a waste? It seems like a textbook economic transaction to buy when the deal is good and stop when it isn’t.
Restaurants aren't subscription based, you pay for a one-time meal.
The whole point of a subscription is to support an ongoing service _to you_, if your money is used to enshitify the service and make it work _against you_, there's no point in paying it altogether, you will be better served by piracy (as you don't provide them with money to enshitify it, nor to lobby against your interests).
“Your” money isn’t being used to work against you, you are voluntarily paying for what is currently on offer. They’ve announced major changes in advance so you have plenty of time to decide to cancel after the current month if the future service is not to your liking.
It’s rather entitled to think that your monthly payment gives you some kind of veto authority over their product plan. If you don’t like how they run their business, that doesn’t magically create the right to use their work on your terms.
It’s especially weird because the one thing guaranteed to result in more ads is not paying. People spend a lot of money making content for YouTube and something has to pay for it.
We already have more ads. The "promise" is that, by paying, we will get no more ads. For now.
I didn't ask for that content. I don't understand why I have to pay it.
So do what I do and don’t watch it. Just don’t deprive the creators of revenue and then be indignant when everything is loaded up with ads and sponsored content because people need to pay rent.
"Might" is misleading. "Will" is more realistic.
You don't pay for premium because one day maybe it'll have ads?
The mental gymnastics people employ to not pay for content with either money or ad impressions is just silly.
> it doesn't change the fact that all the content[^1] in the ecosystem is still produced for maximizing watch time and/or being advertisement friendly.
That's just not true. There is an enormous amount of content on YouTube right now, which is made chiefly with quality in mind, by some of the most professional people in the industry. There's more than you could watch even if you watched for a thousand years.
You just have to use the like/dislike and subscribe functions, so the algorithm knows what you want.
Every one of the streaming services that I paid extra to go ad free decided to push ads anyway.
And they got their subscriber still I guess….
As users of these services as a whole we reward this kinda thing and then are upset when it happens again.
I don’t like any of this situation but I also think the user’s choices incentivize it.
They didn't though. Every single streaming service bar Netflix loses money. On top of that, they've all poisoned the well by creating as many subscription tiers as Dell has laptop SKUs and raising the price every 9 months so nobody knows what the service should cost.
This ensures that people start and stop subscriptions just to watch a single series, instead of sticking with a single service all year.
So it appears paying entrenched IP-hoarding organizations the majority of your income, further incentivizing their entrenchment, is not the best business practice for a middleman
The hoarding began once they decided to abandon the DVD market, paranoid about file ripping and sharing. Now TV shows are like videogames now, can't watch without an internet connection phoning home.
Which choice could they have made differently here? They took the "pay for it" option that you suggested and then you still blamed them for giving the company negative incentives.
Paying makes it worse: paying doesn't prevent ads from being forced later (e.g. Netflix, Prime, Disney+) and splits people's fight against ads, as the ones with enough money to avoid them will berate the others for not paying, while still providing benefits to an ad-driven company.
Never pay to avoid ads; block them or get the content by other means. It's akin to "never negotiate with terrorists" or "never pay ransom", you have to remove the incentive.
I'm not that old and yet old enough to remember internets before ad-supported free content, which was just infinitely better.
I've been on the internet since the mid 90s and that entire time it has relied on ad supported free content.
Yeah, my first ad blocker was "AdSubtract" in ~2000: https://paulenglish.com/intermute.html
You could pay for them or Google could choose to take a different approach that is less intrusive. The assertion here seems to put the onus on the viewer. Considering YouTube pays little to nothing comparative to its profits based on content it does not make, I think a realignment of how Google operates YouTube could be an improvement for users of the service.
> The users of the internet have made their call and they often don't want to pay, so someone does.
Just because YouTube users put up with a broken system doesn't mean it's the correct, fair, or ethical approach. Beyond that many of the views are curated via algorithms that intentionally work against the user with an end goal to hold them in a viewing state regardless of the users original intent. With that in mind users should use tools against those malpractices and not feel bad about not paying for them. If someone is intentionally trying to manipulate you, what's stopping you from doing the same?
If Google were a fair and ethical company I think treating them the same would be more in line with your response. However, they are not.
People have voted with their wallets on YouTube that they don’t want to pay for premium, and prefer to watch ads or block them.
Ads aren’t “forced” upon YouTube users, people have the option to pay but they just don’t want to pay.
YouTube can always choose to package the content in a financial transaction. They have chosen not to do so, and instead they are supplying advertisement alongside the content for which the viewer may or may not watch.
They can always change it, but then there are legal consequences of making it a financial transaction.
Paying users are too valuable not to serve ads to. Their clicks are worth more: ad-free tiers are always temporary.
Not that it matters: I pay for the bandwidth and hardware too. So I decide what it serves and runs.
I know that I, as a user, ultimately have 2 choices: to pay for a subscription, or the choice to not use these services.
Option (1) does not block infinite scrolling content, it only removes ads. So this is missing the point. All I want is to not see these dumb shorts videos that I genuinely give no fuck about, but that manage to catch my attention regardless.
Then sure, I can always delete my social accounts, and ultimately I might end up doing it. But let me try to explain why I think this is difficult, and also unfair.
I give 2 purposes to these social networks: First, they play a role in personal-life balance as a way to be more integrated in my group of friends / local communities. Second, they play a role as citizen of my region (in my case, France and Switzerland) by being a (sorta reliable) source of information through following accounts and newspapers on them.
Initially, none of these social networks came with this super-fast / addictive content. They only started to integrate it, in my experience, in the last 5 years. So it seems to me that these companies have broken the initial contract that they "sold" to us: to connect with our friends & communities and to allow us to follow a specific set of public influencers.
I guess that I am mad that we, as a society, have allowed these companies to gain such an important role in our daily lives (social life and public life) that they can now say: we will allow you to interact with some of our friends, but you will also have to watch our stupid videos... And unfortunately, it's not easy at all to spin up a concurrent social network that would be fulfilling this initial contract. Probably lots of people actually like to scroll on insta Reels and youtube Shorts.
This is why you fundamentally cannot rely on private companies to build the "town square". This will _always_ happen because every company has a profit motive (even if it's a loooong tail via SV-style funding). The problem behind the problem is people want great communities and tools, but don't want to provide any effort to build them.
> All I want is to not see these dumb shorts videos that I genuinely give no fuck about, but that manage to catch my attention regardless.
My recommendations never show any low quality content. All you have to do is like good stuff, dislike bad stuff, and subscribe to good channels. The algorithm works surprisingly well.
> we, as a society
There is no we and there has never been. You have to start taking responsibility for your own actions.
There are corners like Substack that are an exception. And at least services like YouTube and Spotify offer a paid alternative to ads. I for one would rather pay the ~$10/month than sit through ads. But we are still very much a minority of users.
Delete the app, use the webpage, and use a browser that allows user scripts. I found a good one that turns an Instagram page into just an image tag so you can just see the picture: https://greasyfork.org/en/scripts/5014-un-instagram
For web access, in Firefox I've been using the "SocialFocus" add-on, that allows you to remove certain blocks in "social" websites (for example, blocking Shorts or comments in YT), put a color filter to make it "black and white", or even blocking the whole site. I had to access Facebook a couple times some months ago, and the quantity of trash you can filter with this add-on is astounding. This developer has also a YouTube specific add-on I haven't tested yet, named "UnTrap for YouTube" that has almost 200 different options for blocking very specific stuff there. Their add-ons in [0]
For Android there's an App called Revanced that lets you apply patches on certain commercial apps like YouTube or Twitter modifying their behavior, and for example block shorts. See the patches available for YouTube in [1]. I'm still pending to test it, but if you do, go to their official site [2], or even better, to their GitHub releases [3] as it seems like there are a good bunch of scammy sites using their name.
--
Wouldn't risk trying to extract from IG too much, I used to yt-dlp from it a lot and use scripts to extract the images because I like to archive references, nothing on a massive scale we're talking <20 times a month and I got a warning that I could lose my username if I "use automated scraping tools".
Oh! Were you using your user cookie? I use yt-dlp a couple times a month, but I think I'm always unauthenticated (although I guess they could match my IP address in their logs)
I think the urls might be specific to your session in some cases. I’ve noticed some old IG posts I’ve put in bookmarking services say they’re expired.
So passing to yt-dlp would be traceable back to me in that case.
Definitely wasn’t cookies that’s what surprised me.
Why would you use an account to do that?
I didn’t that’s what surprised me. I think some urls are unique to your session.
Not that it should matter I don’t think I’m the one at fault here.
AFAIK you need a username to be able to extract anything from instagram at all.
You don't, I don't have an IG account but my wife occasionally sends me links to reels that I use yt-dlp to download.
It's 11 years old, I'm impressed that it even works.
> I know it's probably revealing a lack of strength on my side...
I think these tactics exploit our natural sense of curiosity and the aesthetics that surround it. So I don't think it's so much a lack of strength, but more of a jadedness we have built up and I think that's pretty bad. I respect the effort and creativity it takes to fight back and make the platform work for us instead of vice versa.
I feel this, particularly as a parent. It's difficult watching your kids get lost in the algorithm. We regularly discuss this with them and they agree with our perceived harm, but it's just too difficult to resist. Heck, even I get lured into (doom)scrolling every now and then.
I've setup ad-filtering using pihole, where possible, but I'd prefer not to block youtube as a whole. But I'm definitely considering that in the future, to protect my family.
Imo the best thing that can work is introducing delays to the loading of videos, increasing as time goes by. Youtube introduced something like this to me, when they were presumably trying "punishing" users with adblockers, and it worked like a charm to get me to disengage from the youtube rabbit hole. A lot of such addiction dynamics work based on how fast getting the reward is, and these interruptions disturb this.
This has worked great for me to prevent the infinite scrolling on instagram: https://www.distractionfreeapps.com/index.html
I'm not going to trust that until its on F-Droid.
> I often fall for watching a few of them and losing 15 minutes of my life.
If you're on iOS, set a time limit (Settings → Screen Time → App Limits → Instagram). Doesn't stop the initial scrolling but the "you've run out of time" pop-up is a good breakpoint. You can bypass it and give yourself another 15 minutes but making that choice is also a good breakpoint / reinforcement.
Hit that "For you" at the top and select the "Following" feed. Only the posts from the people you follow, no suggested posts, no ads.
Until the company decides to unilaterally reenable that setting to "help you get more from their service".
can't find that button
That's not persistent :(
YouTube still provides RSS feeds for individual channels. Combine that with mpv's yt-dlp integration and you can avoid the official web frontend altogether.
I don't know how long it's going to last though, with the current trend of rug pulls and enshittification.
Youtube have been gradually cracking down on yt-dlp by blocking IPs that download (presumably without watching the adverts, or some other method to fingerprint it). Currently it's mostly annoying as I have to rotate through IPs every few days. But I imagine it'll get worse and worse until I stop watching youtube.
I've been using the same IP for ages and never had problems with yt-dlp as a whole - it's always just some specific videos where it won't work.
Pretty sure it's only gonna get deleted if either a) enough people use it so that MBAs notice or b) the way it's accessing the data blocks a feature that an MBA wants
Or just use a localhost invidious instance.
I wish they simply had a way to disable shorts. People have been clamoring for that option but yt ignores them because they know how addictive they are. I can't think of a more illustrative example of a conflict of interest and the contrast between the early days of computing that were driven by user demand.
Love the engineering, but it's kind of sad the hoops we have to jump through to get some semblance of owning our hardware or software.
Well you own the device in this case. I don’t think there’s a justification to arguing you own YouTube or the content.
What is "content"? I recently tried to use AppleTV Android app to play something and then use screen recorder app to record the phone screen. The recorder app was able to see the menus and even subtitles, but not the movie itself (black screen). Is the screen of my phone "mine"? Or does the manufacturer decide how can I use it?
The screen is yours, the content displayed is not. Same reason you can "buy" a movie, game, audio, ebook and have it disappear overnight. Same reason your security camera, car, oven may suddenly cease to work if the company shuts down their servers. Do we support it? You do because you paid for it.
> The screen is yours, the content displayed is not.
Sure but traditionally this was a purely legal mechanism. There was no technological measure preventing you from copying a book, only a legal threat looming over _what_ you do with the copy.
Nowadays we have this very corporate-positive situation where copyright holders have their cake by embedding DRM and eat it too by leveraging the DMCA to prevent DRM circumventions. So you can be screwed even if you only want to take private screenshots, make backups, or exercise fair use.
When I try to play something on youtube that has the DRM bit turned on (or anything on netflix), my whole entire screen turns off. Not only can I not see the content, I also can't use half of my screen for other purposes while I play the content on the other half.
FWIW, I am no longer paying for netflix.
Creative work, i.e. intellectual property. Much can be said about the state of copyright law in 2025, but the basic idea that you own what you create is the fundamental reason we (able to) prosper.
I'm thinking of the Youtube videos as content.
Note that a significant amount of videos on youtube, and in particular many of the highest quality ones (e.g. educational material from schools like MIT or individuals like 3blue1brown) are Creative Commons licensed, so in terms of copyright, you are free to download and share them. Many including MIT's lectures are also NC and SA, so having the ability to save them and strip any ads is obviously in accordance with the wishes of the creators.
As far as youtube's wishes go, I don't think people should have much concern for a company that's engaged in predatory pricing for years to develop a monopoly through network effects.
> I don’t think there’s a justification to arguing you own YouTube or the content.
This actually gets to the core of my sentiment. I am influenced by these systems, but I can't directly influence them back. I don't know if this is somehow wrong in principle, but I definitely want more.
> but I can't directly influence them back.
Opting out of viewing is directly influencing.
As an individual viewer of course the creator of the content is the one with influence.
There's potentially millions of viewers, there's no magic influence that you'd ever notice.
By "system", I was referring to the middleman infrastructure (Youtube, in this case).
Any $30 Android shitbox with a nieuwpipe apk has been able to do this for ~ 10 years.
Speaking of Youtube, why does no one ever seem to bring up the fact that they shadow-delete half the comments people leave? It's such a garbage platform, it's a real shame they have no serious competition.
Is it YouTube who does this or the creators who post the content?
There are ads on YouTube? I guess my browser blocks them so well that I didn’t know.
The real problem here is that the AppleTV experience is so much worse than an ordinary web browser experience. Apple locked the hardware down to the point that it benefits YouTube’s ad profits more than it benefits the end consumer who pays for it.
I never see ads on Linux, Windows or Android. Occasionally I try to watch YouTube on an iPad and am shocked at how frequent and irritating the ads are.
Same with browsing the web on an iPad outside of the home pi-hole'd network. Howwww do people deal with this every day?
The iPad is a work-issued device so I don't often use it for personal things. Every time I do it's a reminder of how irritating it is to do so.
It's kind of odd; before being issued an iPad I thought they were only useful as content consumption devices. Turns out it's super handy for quick remote access to work resources but locked to an ad-infested wasteland for general web browsing and streaming media. Who knew?
For ad free Youtube, go to https://yewtu.be or any other Invidious instances https://docs.invidious.io/instances/
There is an arms race between YouTube and Invidious. From time to time Invidious is not working, but the team has always found new ways to circumvent YouTube and deliver the videos without ads.
there's a reason the author included "on AppleTV" in the title. Alternative clients/frontends etc simply don't work
Well, other than this one: https://apps.apple.com/us/app/yattee/id1595136629 https://github.com/yattee/yattee
The UX is not great, though.
This wouldn't work on Roku TVs etc since there's no "browser" :(
I've opted for installing an open-source YouTube app with Adblock and sponsor block. LG TV webOS is so great, there is an easy way to become a "developer" and it will open an official way to install homebrew apps on your own TV. Yeah, since you own it, it can be possible to do what you want with it.
Fu** you to all Golden-cage devices like Apple, Samsung, etc.
I prefer not to use the OS on my TVs and opt for never letting them online, I just hook up my Apple TV to it, this gives me complete control over my TV as things should be.
If we're getting to the point where we need to decrypt things and reverse engineer protocols, maybe we should... not use these devices? Maybe we should opt out of this economy? Maybe we should do other things to entertain ourselves?
I realize it’s anathema to a lot of people, but you could just... pay for stuff. YouTube has an ad-free premium option.
While I do agree with you, I am a bit concerned about the recent developments with "paid, but still has ads" subscriptions and how Youtube might slip towards such practices as well as soon as they have a large enough number of paying customers. Their premium might suddenly not be so... premium.
And then you cancel. I did that with Amazon, will do it with others when I start seeing ads.
I totally get it. That said, YouTube premium is worth every single penny and has only gained features over time; no other subscription I have comes close in terms of value.
Have they not already with Premium Lite or whatever it is called?
I don’t see anything like that on https://youtube.com/premium
Seems to still be being trialed in only a few regions. It's no ads during videos (still displays ads during search, etc.), except for shorts and music videos, for 6€/m, without all the other premium features.
I would guess that music producers are demanding unreasonable amounts of money per view, so carving them out of the equation is a fine trade IMO
With respect to that, YouTube premium has been around for over ten years, the majority of which I've been a subscriber because adblocking on Apple TV (my primary YouTube experience) is far too much of a fuckabout for me to willingly engage in it, and they haven't yet done it. I think Google is well aware of the fact that Premium with ads is an utter non-starter as a product. What would you even be paying for then? This isn't like TV+ or Prime where you have exclusives, almost everyone who posts to YouTube would happily jump that ship given enough reason to.
And while there are still ads (sponsored segments) I personally have less problem with those since those are substantial money for the creators I enjoy, and a lot of the ones I watch actually manage to make them pretty funny. And hell, a couple I've even used their codes for shit over the years for. Like, an ad is an ad and some people hate all of them, but I can personally say I've engaged with ads from creators I like at an exceptional rate compared to... virtually every other type of advertising I've ever encountered.
There is for certain a wide gap between a sponsored segment from the same voice and some random ad coming in and blaring over the top. For me, I can handle the narrator delivering an ad, it's the intrusive slot machine aspect of generic ads that irks me. Happy youtube subscriber here, use the music too, great deal.
Youtube is one of the platforms where I find real value, usually in making/maintaining/repairing things, being able to skip through videos to find answers without worrying about ads definitely saves me significant time and therefore money.
Yeah I balked for a long time at paying for YouTube, but in the end, I consume magnitudes more YouTube than any other streaming platform. It's my most expensive video subscription but like... I can't say I don't use it.
It’s the only one I pay for. I have Netflix included in my cell plan. Every so often I fire it up to see what they have, find nothing, and go back to the good stuff.
Sponsored segments are also trivially skippable.
Yep. Most folks I follow will record ads at a different time from the rest of the video too, wearing different clothes and in different lighting. Sometimes I can be bothered to grab the remote, sometimes not, lol.
I wish I could do this for Spotify. Paid plans still include ads.
They cram ads into podcast episodes which themselves also have ads, so you'll get the read ads + Spotify's local ads + Spotify laughs all the way to the bank.
I believe over time not having ads will be a thing of the past, and you'll instead pay for fewer ads. Like where else are people going to go for exclusive content?
I've never heard an ad on Spotify, so this is true only for podcasts then, correct? In that case I can at least be thankful that Spotify is the worst option for listening to podcasts.
I canceled my Spotify premium subscription because they showed sponsored content in the app. Not as egregious as jamming ads in between songs, but I still don’t want to have to scroll past a “sponsored” UI element to get to what I’m actually interested in.
Moved to Apple Music and so far so good.
Just buy the content and play it from your local devices. I use streaming simply for "auditioning" new music (and there are podcasts, YouTube channels that do that without a subscription, FWIW). I prefer then to buy the tracks from Bandcamp. Hopefully the artists get a bigger slice of the revenue that way.
YouTube premium also includes ad-free YouTube Music. Yes there are still sponsorships in podcasts as usual, but no injected ads.
I highly recommend Radiooooo. They're DJ curated and very good. Dirt cheap for what you get.
I don't really listen to much Spotify but I feel like just the free plan in Firefox with uBlock Origin gave me an ad-free experience the last time I used it.
> Spotify laughs all the way to the bank
FWIW, I don't think Spotify makes much, if any, money lol
Net profit was €1.14bn for 2024, which feels like a reasonable amount of money.
Sadly I think we're in need of the AriZona Iced Tea of streaming. A company that sells a streaming service, at a fixed price, makes a small profit and is happy with that profit.
The issue is that the current streaming services have cost billions to develop and companies and investors want that money back, times a 100. The money hasn't gone into a long term product that people will be happy with for decades, it has gone into a product that needs to return a large chunk of money in a short time frame (and cover up other failed ventures).
The issue is that such a company either needs to make their own first-party content, or pay licensing fees for third-party content, and the companies those license fees are paid to are always looking to either cut out the middle service in favor of their own or increase what they're charging.
> I don't think Spotify makes much, if any, money
per their financial statements, about 150Mio in operating profits per quarter. Gross profit of 1.000Mio per quarter.
I'd like to have that kind of "not much money"
It's not that simple. It's common enough now to classify some ads as.... not adverts. So even if you pay for no ads, you get ads.
Completely untrue in the case of YouTube Premium. I literally haven't seen an ad for over a decade now.
Or you can opt out. Both options are equally valid.
I won't pay for YouTube because the consistency of YouTube is massively variable. Sometimes channels I watch skip 6 months between videos. When I do watch stuff it's usually in the background or when I just have a few minutes spare. Spending money to fill that time is unjustifiable unless it's a really low amount, and YouTube Premium isn't low enough yet.
Oddly though, if I could buy 100 'skip this ad' tokens for $10 that I could use when I'm pushed for time, but just suffer the ads when I'm not, I'd seriously consider it.
You can, but the complaint rings hollow when we’re talking about a service with enormous amounts of actual good content, and a straightforward non-abusive paid plan. If you don’t think it’s worth it, that makes complete sense. If somebody decides there isn’t anything worth paying or watching ads and just bails out, totally sensible. But this “ads are so terrible we should just abandon the service” thing is weird here. YouTube is an example of doing it right. They use ads to support a free tier, and have a paid plan that removes them. They don’t do nonsense where they take your money and still show you ads. They don’t serve unvetted ads that infect your computer with malware or mine cryptocurrency. If people won’t even consider paying for this (not merely deciding it’s not worth it, but refusing to even consider it as a possibility) then I have to conclude that they just think they’re entitled to get stuff for free.
I think most people don't have a problem paying for something that gives proper added value.
But what's happening is that companies are degrading the basic experience and expecting people to either be OK with it (like Roku's increasingly intrusive ad experience) or to pay up to avoid it (like with YouTube).
Perhaps on review of specific ad presentation practices, you could argue for a degradation of experience, but showing ads more or less within YouTube to free users seems like an acceptable method of generating revenue.
As an aside, the fact that people pay for cable and still have 4-7 minute ad-breaks every 15 minutes makes anything YouTube does pale in comparison.
Except for the tracking that ads use and the possibility of getting malware because they aren't curated as well as they should be.
I also don't like companies aggressively trying to get me to buy stuff I don't want. Show a static image on the right somewhere with a link. Hell, show a dozen of them. Still less intrusive than an ad that shows up while you're in the middle of a video.
But the poor ad companies are apparently on the brink of bankruptcy based on how hard they are pushing things. Just a little bit of composure or any respect for the people that they are pushing these on and I'd have a different viewpoint. But they are always all-in on this.
> but you could just... pay for stuff.
Careful... In the Kingdom of the Netherlands your comment will be considered by a court of law as aggravated assault.
Netflix shows ads to paying customers. We've seen the same playbook across a wide variety of products and services, it's only a matter of time until paying users get milked too.
When that happens, I’ll stop saying “just pay for it.” But until it does, I’ll continue paying for YouTube and being befuddled by people who get upset at their ads.
Increasingly the "basic" paid plan has ads and you now have to pay even more to not have ads. Doesn't seem like playing the game is doing anyone any favours.
Having the ability to tell a company enough is enough serves as a ceiling for bullshit.
Where are you finding this "basic" plan? YouTube Premium has only a single tier that is completely ad-free. I hate Google as much as anyone, but shouldn't truth matter?
I've gone back to pirating everything. I can afford to pay for all the services, it's just the service and content quality has gotten so bad that it's just not worth it. I DO pay for content from other markets (French, Israeli, and Japanese), just not mine.
It's just like vehicles. There isn't a single vehicle sold in my market that I would pay anything for (ok, maybe the Ford Maverick). There's a bunch in other markets (Europe, South America, Asia), just not mine.
> I've gone back to pirating everything. I can afford to pay for all the services, it's just the service and content quality has gotten so bad that it's just not worth it.
If the content is so bad, then why the need to pirate it?
OP said content quality so I'm assuming the streaming is shittier quality than, for example, BluRay quality you might get from torrenting.
I stick to old stuff from the 1930s to 1990s.
I will say the Criterion Channel is excellent and I do subscribe to them.
Are you me before kids?
I've started reading a great deal more. I'm tired of wrangling with my entertainment.
I started reading a great deal more at the start of the pandemic. I've kept it going since and it has been a real boon. I also switched back to physical books because I actually own them.
I can recommend "minitube" [1]. It's super minimalistic, and requires you to actively search for things to find them. No ads, no feeds, no short videos, nothing - just playlists for search terms. Uses yt-dlp and mpv behind the scenes, so it's using less than 5% CPU on my small Intel NUC machine, too.
I can't stress enough how it is soooo much better in terms of what type of content I consume now. Mr-Beast-cutting-style dumb videos don't stand a chance to get my attention now.
Ironically, the author built it to be a children-safe environment to consume YouTube.
[1] https://flavio.tordini.org/minitube
Choice is a luxury for most.
Have fun!
The problem is, that there is no alternative yet for that.
Movies are not an issue, there's piracy, music is not an issue, there's piracy, books are not an issue, there are libraries... and piracy, but youtube is still limited, and the only way to avoid the ads is to buy another device (computer), thus turning pretty much any smarttv (with features you paid for) into a dumb display (that you mostly cannot even buy anymore).
The alternative is paying for things you like so the people who make them can continue doing so. If you don’t think YouTube is worth paying for, it might be a good idea to reconsider the amount of time you spend on it or whether you want to help promote it.
> but youtube is still limited, and the only way to avoid the ads is to buy another device (computer)
YouTube premium is cheaper than another computer and works on all devices.
It's crazy how that option completely evades many people's reasoning on the subject.
But you still get in-video ads ("this video is sponsored by shadow raid vpn"), that (on a computer) you can skip with sponsorblock.
Alternatives:
- Not consuming exploitative entertainment
- "Piracy"
I like the download-YT-content-locally then play. A project hit the front page recently that used yt-dlp to more or less do this.
Piracy isn't an alternative - it's illegal/immoral.
But, the good news is there are two alternatives for all of the above... pay for the content. Or, don't consume the content.
"Piracy" of digital goods is an oxymoron... I don't think it's immoral. If you pay publishers, the creators don't get paid. And about the legality, well, just ask Meta what they think about torrenting.
EDITED for tone.
I should have included:
---
Meta, however, is hoping to convince the court that torrenting is not in and of itself illegal, but is, rather, a "widely-used protocol to download large files." According to Meta, the decision to download the pirated books dataset from pirate libraries like LibGen and Z-Library was simply a move to access "data from a 'well-known online repository' that was publicly available via torrents."
To defend its torrenting, Meta has basically scrubbed the word "pirate" from the characterization of its activity. The company alleges that authors can't claim that Meta gained unauthorized access to their data under CDAFA. Instead, all they can claim is that "Meta allegedly accessed and downloaded datasets that Plaintiffs did not create, containing the text of published books that anyone can read in a public library, from public websites Plaintiffs do not operate or own." While Meta may claim there's no evidence of seeding, there is some testimony that might be compelling to the court. Previously, a Meta executive in charge of project management, Michael Clark, had testified that Meta allegedly modified torrenting settings "so that the smallest amount of seeding possible could occur," which seems to support authors' claims that some seeding occurred. And an internal message from Meta researcher Frank Zhang appeared to show that Meta allegedly tried to conceal the seeding by not using Facebook servers while downloading the dataset to "avoid" the "risk" of anyone "tracing back the seeder/downloader" from Facebook servers. Once this information came to light, authors asked the court for a chance to depose Meta executives again, alleging that new facts "contradict prior deposition testimony."
> If you pay publishers, the creators don't get paid.
Sure they do. The amount they get paid might not be enough. But by pirating, you guarantee the creator gets nothing at all. So... I stand by my statement. But, I will definitely agree that the whole "digital media" economy is fundamentally broken and hostile to both creators and consumers.
Sure, technically some creators get paid something. Some creators don't get paid anything. If those creators don't have the means to sue, that's their problem.
> the whole "digital media" economy is fundamentally broken and hostile to both creators and consumers.
This is why I think it's actually our moral imperative to not pay into this system wherever possible. (But personally, I choose to not consume rather than pirate. I'll pirate something to check it out. If it's nice, I'll buy it.)
Piracy offers the best service there is. You used to be able to buy DVDs, VHS tapes, etc., and you'd get the media, and even then you had to sometimes fast forward through ads.
Now, it's impossible to buy media in many cases, even if you click "buy", it might be gone after a month, because some contract somewhere expires, there are ads even in paid plans, there are limits, to what I can do with that media, and more and more services require you to continue paying for content you already "bought".
When they fix the "buy" button to actually mean "buy", and when they remove ads from "no ads" plans, I might reconsider. Until then, they're not getting any of my money anyway, piracy or not.
> When they fix the "buy" button to actually mean "buy", and when they remove ads from "no ads" plans, I might reconsider. Until then, they're not getting any of my money anyway, piracy or not.
This pretty much sums it up for me. I lost so much money over the years for so much content I technically should still "own access to".
And not just media, games and books, too. It's so ridiculous how important things like anna's archive have become because otherwise science would be so crippled that it wouldn't even function anymore.
Cool project, but on a practical level it seems like a lot of trouble just to avoid paying for premium
I would love to pay for YouTube Premium, but I have a Google workspace/apps/own-domain/whatever the hell they call it now account, and loads of stuff (like YouTube Premium) isn't supported.
I had that issue. I just created a new account solely for YouTube
Same. It’s wild that Google can’t sort that out
Make another account.
Nice to see a writeup that includes the failures too
So I have to ask, I am legitimately curious, how is AppleTV better than hooking up a laptop with an air mouse on your TV?
In addition to the sibling comment, it also:
- Comes with a simple remote control which in addition to controlling the AppleTV also allows muting and changing the volume of your TV. As someone who uses my TV exclusively with the AppleTV this means my TV's remote simply sits in a cupboard.
- If you have an iPhone you can use it as a remote over WiFi, I do this all the time to turn off the TV from a room over when the kids need to stop watching. The iPhone can also act as a remote keyboard which can be very convenient for text input.
- The voice search feature works very well in my experience. The remote has a mic in it and you simply hold one button and dictate what you're searching for and 99% of the time for me it works perfectly.
- It's very fast and responsive, allows quick and easy switching between apps.
- It's popular such that any streaming provider probably has an app for it.
I should note that, when it comes to remote, one downside of Apple TV is that you can have at most one official remote paired to it at the same time. If you want two remotes for convenience, there are some third-party remotes that effectively present themselves as Bluetooth keyboards, but you lose some of the features with them, and they are usually flimsy plastic.
Also, Infuse, which is a nice app for playing video files over the network and supports Jellyfin, Plex, and others. It also has Dolby and DTS decoders, which work great as the box only has PCM output.
I am an Apple critic that has long bemoaned their practice of trying to lock people into their walled garden.
In the past, I used gaming consoles to stream, which I thought worked well.
I finally, angrily caved and bought an Apple TV because I had an app (LFC TV) that would only stream via AirPlay. After using it for a bit, I have to say I love the thing.
I liked it so much that I bought a second for my other TV.
Reasons:
- Build quality. The remote is machined aluminum and feels like a weapon.
- HDMI CEC implementation. I used HDMI CEC on the consoles I owned, but there was always something that didn't work quite right. The Apple TV seems to nail it on both setups I have. YMMV.
- AirPlay. This one makes me a little angry, but if you find a need to stream from an iPhone, the Apple TV is pretty much the only game in town.
AirPlay is a killer feature for me and I love the AppleTVs I have. However, for kids TVs or the TVs that I don't use often, I just get an AirPlay capable 4k Roku stick. They're small, simple and work great as AirPlay receivers.
Nice! I didn't realize Apple licensed that tech to others. Definitely good to know.
I went looking to buy one, but I don't think they sell them anymore. The website only has Smart TVs for sale.
I'm based in Australia so maybe it's a region thing?
Lower power consumption, actual 10-foot interface rather than squinting at the TV, lower maintenance, and (depending on your OS of choice) less intrusive OS-level advertising.
> laptop with an air mouse on your TV?
Having done the Windows Media Center version of that: it sucks a lot. Remote-control friendly interfaces are actually hard.
Typing a youtube/netflix search box with a remote seems harder to me than doing it comfortably on a decent keyboard.
I do it with an air mouse keyboard combo[1]. See below, it's in between, it's small like a remote and sucks to type on, but better than selecting letters onscreen.
https://www.amazon.com/Wireless-Keyboard-W1-Multifunctional-...
You can connect a Bluetooth keyboard to an Apple TV.
we use voice or input from phone (we get a prompt on phone when we highlight a textbox on apple tv)
Mostly because there is no laptop hooked up to your TV. I wouldn’t want to have a laptop standing around, which is mostly an aesthetic choice.
Yeah, basically the size of a hockey puck. And priced a lot lower than a laptop of course.
I tried hooking up a Kodi install to my TV to get decent smart functionality on the old thing. Turns out remote control UI is actually quite hard to get right and all the open source options seem to miss the mark, despite the decades of hard work and best intentions.
With modern smart TVs I don't think you need any external boxes, but if you like to separate the smart from the TV, I don't think there are that many better options than either Apple TV or Chromecast with Android TV, depending on what tech company you'd like to share your data with.
Aside from what the other replies mentioned, various streaming providers have PC streaming platforms that aren't as good as their streaming apps.
I'm currently watching Canadian and world championship curling, and the rights-holder in Canada (TSN) has a website that logs me out between every single game.
Otherwise I watch mostly Plex, and while there is a 10-foot interface (Plex HTPC), for whatever reason it stops my PC from sleeping when content is paused, so I'm forced to use the non-HTPC interface.
Convenience.
When watching TV, people enjoy using a remote to navigate the interface, instead of with keyboard/mouse/trackpad, potentially having to get up and go to the laptop to do that.
(2022)
Previous discussion:
https://news.ycombinator.com/item?id=37279109
This is a novella that just keeps getting twistier, going deeper, and turning out more rewarding.
And clearly all these "reasoning" LLMs trained heavily on Eric Draken's refreshingly introspective monologue full of interjections and discoveries.
YouTube will detect when you don't stream their ads and will ask you to disable your ad blocker and comment as to what's up.
Lots of social commentary here, but I'd just note you're one mad lad. This is a great writeup and a nifty bit of sleuthing. I found it enjoyable to read.
I don't use it all that much, but the one feature I wish I had was the ability to scrub forward or backwards at will on an Instagram video.
Does this work for Amazon Prime as well? I installed AdGuard Home last night and these two have been the only outliers so far.
why does it say proFobuf? mistake?
Why would this be possible without pwning a CA? If so they can just patch it the day after they discover this article. There's no reason to do this anyway when you can just plug a video out from a PC to the TV.
A PC isn’t an Apple TV
…or get an Android TV box and run Tubular ;)
Hacker News community: I hate ads and I'd rather pay for the service instead of ads.
Also Hacker News community: F paying for the service, let's block the ads instead and get the service for free.
YT Premium is $140/year (unless you know someone with an Indian credit card :), it's cheaper to buy a $100/yr Apple Developer sub, patch the app and sign with your cert.
It's $0 to go to Bittorrent and download movies, it's $0 to use adblocker and not have Youtube premium. There will almost always be piracy or piracy-adjacent cheaper options.
Arguably you want to spend a bit more than $0, e.g. a good VPN or a good seedbox. And VPNs can be as expensive as YouTube premium. (That said, VPNs have other uses, but "most people" probably don't really use VPNs much anyway)
Usenet costs around $3/m if you find one on promo. You don't need a VPN for that as it's all encrypted. YouTube Premium family plan costs $22.99+tax per month in the US. While it's not free, it's very close.
Shows how this is the typical HN article of nonsense that is not applicable to real life.
Why hack your Apple TV like this, so you can afford an Apple TV but not YT premium? Or just use adblocker.
For movies yea Bittorrent is alive and well not that I would know :)
>so you can afford an Apple TV but not YT premium?
How many months of YT Premium does it take to exceed the cost of the Apple TV? They're like $150...
Yes sure, but if you want to hack things, just get something Android based that lets you side load or install whatever you want.
But I like hacking Apple things :3
I block YouTube ads on all my devices by paying for YouTube Premium. It feels refreshing to be able to pay for a service I enjoy and therefore not be served ads which I don’t enjoy. It seems like a win-win to me. Doing something like this, while technically interesting, seems like far more trouble than it’s worth for 99.99% of people, especially when there’s a reasonably priced way to block ads that also supports the service.
I paid for a family subscription a couple of years ago. It is very reasonably priced. Probably one of the least regretted subscriptions I have given the amount of use I get out of it
I had been paying for the service for years. They recently increased the price 40% overnight. I cancelled.
It's great value if you use YouTube a lot, but terrible value if you use YouTube every three months to look up a car or washing machine repair video.
I paid for YouTube Premium and still got ads, though fewer. So I cancelled. Are they now offering YT Premium ad free?
I’ve been paying for premium, basically because they’ve been sort of forcing people to with the ridiculous number of ads. I get zero ads injected. You’ll still get sponsorships that are part of the video done by the creator, which has now become a little bit more annoying. But at least it’s something that the content creator completely approves of and endorses. I can skip that part anyway.
I’ll probably cancel it soon, only because I need to stop watching so much of this stuff, and I need to get rid of things in life that I shouldn’t be paying for. Once I do that, I’ll never be able to watch YouTube again, because it was unbearable with the number of ads injected. I hate being reminded over and over that I am nothing but a consumer that they try to influence with ads over, and over, and over, and over.
Off-topic, I recently got another free month of Amazon prime. I was watching some shows on there, and the ads are f’n annoying there too. I can’t believe they make people pay more now to remove the ads. I’ll never pay for Prime in any fashion.
I have paid for YouTube Premium for years and watch YouTube nearly every day and I have never seen an ad from YouTube (you still may see baked-in ads from the video creator but those can be automatically skipped with the SponsorBlock extension).
The ads which the "ad free" Premium service permits:
1. Sponsored in-video ads.
2. Ad overlays on videos (at the discretion of content creators).
3. Merchandise store ads below videos (also at the discretion of content creators).
4. YouTube and Google ads for various products and services in the video feed.
Ah I also use uBlock Origin so I guess that is why I haven't seen #4.
My personal experience for the entire time the service has been available: if I get a single ad, then I'm not signed in to the right account.
I do it this way, pay for premium and still use an ad blocker. I do it this way because there is no question whether or not I see ads. My conscience is clear because YouTube claims creators get a kickback when premium users watch their content.
For me it’s the best middle ground. I pay one bill, everyone gets paid.
I haven’t seen a single ad in over a year. You still get paid sponsorships depending on the channel though
Yeah, I use YouTube more than any other streaming service, and I happily pay for it.
The ability to download videos is super duper useful, and the higher streaming quality is a nice extra.
But most of all, no ads while still rewarding the creators I watch is great.
One day my YT Premium subscription stopped playback when I was watching something while cooking and at the same time, some music video was playing on a different device. It said something like "you cannot use your premium account in multiple places".
I went back to my PC and immediately cancelled my subscription. That is a restriction that I don't have when I am not paying anything at all.
YouTube Premium doesn't get rid of ads though, as many of the videos themselves are still full of ads/sponsors.
This blocking method also wouldn’t touch those. I’m comparing apples to apples. If you want to block ads inserted directly by video creators, you need something like SponsorBlock and to either DIY or rely on someone else to have done it before you.
That would be all nice and dandy, except that by doing that you validate all the things that Google did before to kill off any competition in the video hosting space.
There were plenty of platforms out there that could not rely on Google's bottomless coffers to sustain their operation. Were you paying for those as well?
I get that, but in that case it also makes sense to avoid YouTube altogether since you simply being there continues to deprive other services of the opportunity to compete. These days I think YouTube’s biggest competition is stuff like TikTok, which I find odious.
>since you simply being there continues to deprive other services of the opportunity to compete
If DancingBacons posted other places, I'd go other places.
Saying something like this completely ignores the realities of network effect.
I totally get that the network effect makes it difficult to leave abusive platforms, but if one cares enough, it is possible to make that sacrifice. I deleted my Facebook account, for example, and now I can’t keep up with numerous people and groups that use Facebook. It was worth the sacrifice for me.
"If you don't like it, you can simply stop participating in society" is not really a good argument to me, but I'm glad it works for you.
I put all the ad blockers on YouTube and I pay Nebula not because I particularly enjoy it (it's nice, but not the first thing I think about when I want to watch some videos) but because I want to signal content creators "hey, if you want to be supported by your audience but worry that YouTube is the only place where you can make a living out of it, there is an alternative."
Or simply pay for YouTube. They provide a service, it’s not our job as technologists to enable stealing it.
I mean, they provide the service by stealing data from their users. I would argue that this is just as ethically fine as Youtube's entire business model.
... if there'd be a healthy amount of alternatives/competitors to choose from, that would probably be true.
However, as we all know, it's basically a monopoly.
Absolutely! When you discount for cable tv, satellite tv, airborne tv, Netflix, Amazon, HBO, Disney and others.
Because we are hackers and everything we don't like (or don't want to pay for) is automatically a "monopoly".
Just the other day I was discussing similar approach to remove political content from Reddit app.
On Reddit, all the subreddits are constantly bombarded with Trump/Elon/Political content and there is currently no way to mute that content on mobile.
It would be cool if someone can come up with a Raspberry Pi-based system to do this for Reddit.
I need this for OpenWrt :)
I need this for my Pi-hole!
This article is crazy engineering work
YouTube is hard to watch with ads once you’ve watched it without ads for a long time.
Neat post to learn about the current way the video stream works.
Has anyone else found enough utility in paying for a YouTube premium acct maybe for their entire household vs other streaming services?
Note that the GDPR consent section on the site is invalid; it does not have a "decline" button. So might as well just get rid of it.
What about in OpenWrt?
Now for someone to figure out blocking FireTV OS
The typical HN article of nonsense that is not applicable to real life.
Why hack your Apple TV like this, so you can afford an Apple TV but not YT Premium? Or just use the adblocker uBlock Origin with a PC then instead.
For movies, yeah, BitTorrent is alive and well, not that I would know :)
> The typical [HACKERnews] article [about hacking] that is applicable to [computer enthusiasts].
Fixed that for you.