I'm sure it's only a matter of time before folks are able to fingerprint the responses that come back from the actual service's origin vs Google's service, or perhaps by abusing the health-check that exists at /healthy
Which wouldn't help much when tracking happens on server-side. By the time your adblocker is able to analyze the response Google will already have tracked your visit.
The end game for ad blocking is to render each page in its own vm/container, have some AI blank out things that look like ads, and stream the transformed video to the user
But then your ad blocker will need to introspect and run rules on the contents of every request payload. The impact to web browsing performance would be prohibitive.
And if it got to that point Google would just randomise the payload. It's pretty easy to do with obfuscation tools.
> your ad blocker will need to introspect and run rules on the contents of every request payload. The impact to web browsing performance would be prohibitive.
Could ad blockers run WebAssembly? I suppose it will be up to the task, because it means minimum work for a GC, and no overhead coming from dynamic types of js. With the jit compilation it will be comparable by performance to a native code and native code has no issues dealing with every payload byte-per-byte.
> And if it got to that point Google would just randomise the payload.
And then ad blockers start to measure entropy.
> It's pretty easy to do with obfuscation tools.
It is easy to do, but obfuscation really works only when no one is targeting you specifically, when you are defending yourself from bots that try random targets in hopes to find vulnerable ones. Against targeted attacks it becomes an arms race, so you'd need to change constantly, and eventually you will need to spent a lot of time discovering the ways how your obfuscation is defeated, so it comes to an equal amount of difficulties for both sides.
On the side note, I wonder is there possible an attack of poisoning google stats by sending the fake data from the website. Probably the Google's trick to overcome this threat is to control CDN, so it gets the data from the trusted server.
