As most readers know, online ads are a big threat to both privacy and security.
Ads affect your privacy because they also function as tracking, collecting data about your browsing habits and preferences. This data allows advertisers, such as Google and Facebook, to target you with specific ads (more data = more advertising revenue).
In terms of security, advertisements can also be malicious – see malvertising. Most ads you see on websites are fed in through third-party advertising domains. These third-party domains can be used – or hijacked – to deliver malicious payloads through the ads they are serving. Malware can even be hidden in the pixels of an ad’s image and instantly infect your device when the page loads – no clicks required!
The issue of malicious ads has been in the news many times. It can be problematic even on large, trusted websites (anywhere ads are hosted):
Since ads are fed in through third-party domains, these sites had no idea what was going on until many of their visitors were already affected.
Overview of VPN ad blockers
There are a few different ways to block ads on your devices. Each option below has pros and cons:
- Browser-based ad blockers – This is the most popular solution with ad blockers, such as uBlock Origin, being used by millions. The main drawback, however, is that these only work with supported browsers. Be careful when using free browser ad blockers – sometimes they are financed or built by the advertisers themselves.
- Ad blocker through your router or device – Some routers also support ad blocking. Additionally, network ad blocking can be done through a device, such as an eBlocker or a Raspberry Pi running Pi-Hole.
- VPN ad blockers – In this case the ad blocker works when you are connected to your VPN. I’ve seen three different ways that VPNs implement ad blockers: through the server network, through the VPN client, and through a browser add-on. We’ll discuss these further below.
VPN Ad blockers in comparison
In this guide we’ll examine the following VPN ad blockers:
- CyberGhost – Unlike most VPN ad blockers, CyberGhost does not filter DNS requests. Instead, it looks inside traffic and modifies requests to certain domains (traffic manipulation), which creates problems that are explained further below.
- NordVPN – NordVPN blocks ads via DNS requests.
- Perfect Privacy – Perfect Privacy uses also filters unwanted domains (ads and more) via DNS requests.
- Private Internet Access – Private Internet Access blocks ads via DNS requests.
- PureVPN – PureVPN does not appear to block any ads whatsoever. There is no indication that PureVPN is implementing any ad blocking, despite advertising this “feature” boldly on their website.
The purpose of this article was to compare other VPN services to Perfect Privacy’s TrackStop filter, which I use and recommend. To do this, 10,000 URLs were selected from publicly-available lists, such as https://adaway.org/hosts.txt, http://pgl.yoyo.org/adservers/ for advertisements, as well as http://www.malwaredomainlist.com/ and https://zeustracker.abuse.ch/blocklist.php, for fraud and malware domains.
Here were the results:
% Ads Blocked
% Malware Blocked
*CyberGhost is currently looking inside traffic and modifying requests with certain domains, rather than filtering through DNS requests (what most VPNs do).
*Perfect Privacy did well because it uses large, custom-built lists to filter traffic, which include all the lists in the testing sample. However, please keep in mind that no ad blocker is 100% effective. The test results above are just based off the testing sample.
Here is the domain list test sample, which you can use to test any ad blocker:
CyberGhost ad blocker
CyberGhost is an interesting case, but not in a good way. Instead of filtering ads and malicious
content via DNS requests, they actually look inside the traffic and modify requests to certain domains so they display content from Cyberghost instead.
This is problematic for a few reasons. First, manipulating traffic is something a trustworthy VPN provider should not do – even with good intentions. Secondly, this only works over http since https connections are encrypted and Cyberghost cannot (easily) access that content.
Looking into this issue a bit more, there is some interesting history to this. Back in 2016, CyberGhost made headlines because it was installing their own root certificate on a user’s computer, effectively doing a man-in-the-middle attack on all https traffic. Not only was the traffic processed locally, it was also sent back to a CyberGhost server that decided what to change.
Here’s an excerpt from when this controversy originally surfaced in 2016 [original source now appears to be offline]:
A VPN that installed a root certificate in your computer (like the [CyberGhost 5] version) will be able to attack all your SSL-encrypted traffic. This is otherwise known as a Man-in-the-Middle attack. CyberGhost can intercept and decrypt all of the data that goes through the encrypted link – even sensitive information such as email addresses, passwords, and bank account details. And it can re-encrypt the data and pass it to the website like nothing happened.
With the CyberGhost version tested for this article, there is no root certificate being installed. But because they are still using the same methods to filter traffic, that means their “ad blocker” does not effectively work on HTTPS websites. Basically, CyberGhost’s ad blocker is barely working, especially since it will be ineffective on all HTTPS websites.
NordVPN ad blocker
On their website, NordVPN refers to their ad blocker as CyberSec. The CyberSec ad blocker works by blocking advertisement and malware domains via DNS requests, which requires a list of domains. NordVPN sends blocked domains to 127.0.0.1.
While it did OK in the area of ad blocking, there were many known malware domains that were not blocked and getting through.
Perfect Privacy ad blocker
Perfect Privacy employs a TrackStop filter to block all kinds of unwanted domains via DNS requests. Within the member dashboard, you can activate different filters for TrackStop to block:
- Tracking and Advertisements (over 30,000 domains filtered)
- Malware and Phishing (over 65,000 domains filtered)
- Facebook and other Social Media domains
- Google (includes approximately 400 Google domains)
- Child protection (blocks adult content)
Perfect Privacy’s TrackStop filter is unique in that it blocks traffic at the VPN server level, rather than through the app. This means it will be activated with any device and VPN protocol using the network (all devices). TrackStop can be activated through the user dashboard and will be applied throughout the VPN network within 3 minutes.
For these reasons, Perfect Privacy offers the best advertisement, tracking, and malware blocking solution of those tested. However, I have seen some complaints in the Perfect Privacy forums about their Child protection filter letting adult sites through.
Private Internet Access ad blocker
Just like with NordVPN, Private Internet Access filters advertisements and malware domains via DNS requests. PIA’s ad blocker is called PIA MACE on their website. PIA sends blocked domains to 188.8.131.52.
While PIA did slightly better than NordVPN with the total number of domains blocked, it still has quite a bit of room left for improvement.
PureVPN’s non-existent ad blocker
Right now, PureVPN promises an ad-blocker on their website:
PureVPN’s ad-blocker removes all kinds of ads and online litter while you’re browsing online. In doing so, it improves your browsing speeds by blocking images from consuming bandwidth, and analytics codes and scripts running in the background of the page you’re browsing online.
But when you open up the PureVPN app, you see that there are no specific settings for ad blocking.
Meanwhile, the website claims, “Every subscription plan includes PureVPN’s Content Filtering features without any extra cost.”
When testing the PureVPN client on various news sites, all ads and tracking were getting through. Nothing was getting blocked.
At this point it was necessary to clarify with PureVPN what exactly was going on. Here is a transcript of the chat:
Visitor: Hello. I have a question about the ad-filter. Do i need to activate it, because it does not seem to be working
Visitor: for instance, i still see ads on theregister.co.uk and other sites
O’Brien: Well we do not provide add blocker with our service now
Visitor: huh? but it is advertised on your website? it says all plans include that
O’Brien: Could you please share with us the screen shot of that advertisement. It was offered in the past but not now
Visitor: sure one sec
O’Brien: Let me check – This is the content filtering and it does not
blocks any paid ad
Visitor: what does it block then?
O’Brien: This blocks the content which you don’t want to access.
It was clear that “O’Brien” was not going to provide any answers, so the chat was ended.
To follow-up on this pointless chat, the below questions were emailed to PureVPN support:
How do you define “Ads” in the context of your content filtering webpage?
What kind of content is being blocked, how is it determined?
How is the blocking of any content implemented technically?
PureVPN replied with a canned response and a random link that has absolutely nothing to do with ad blocking. PureVPN’s reply:
Thanks for contacting us. Ads can be quite annoying. Not only online popup advertisements ruin your browsing experience but they also end up leading you to malicious or spam URLs. Luckily, you can now block ads before they appear on your browser with PureVPN. Learn how to use content filtering and prevent ads.
At this point, the only conclusion I could reach is that there is no ad blocking feature and PureVPN is carrying out false advertising and fraud. Of course, this is not surprising at all given PureVPN’s history. See my review of PureVPN for more information.
Conclusion on VPN ad blockers
As you can see in this report, some VPN ad blockers work well, some work OK, and some do not work at all.
If you want the most robust advertisement, tracking, and malware filter, I would recommend the TrackStop filter from Perfect Privacy. Perfect Privacy’s TrackStop filter is also a good solution for an ad blocker on a router, since this will protect every device on the network.
The ad blockers from both NordVPN and Private Internet Access filter content via DNS requests, but many advertisement and malware domains were still getting through. It would be good if they expanded their filter lists to include more domains.
I would not recommend CyberGhost’s ad blocker for reasons explained above. And finally, with PureVPN, the “ad blocker” does not appear to exist.
To layer up with additional protection, you can also use a browser-based ad blocker, such as uBlock Origin, in combination with your VPN ad blocker.