github AdguardTeam/AdguardForMac v2.10.0
2.10
on GitHub

latest releases: v2.15.0, v2.14.2, v2.15.0-beta-1...
17 months ago

Disclaimer Adguard for Mac is not an open-source project. We use GitHub as an open bug tracker for users to see what developers are working on.

AdGuard v2.10 for Mac brings many new features and various changes.

DNS filtering enabled by default

DNS protection is now enabled by default for all users. If you are not using any DNS server, the system DNS server with the AdGuard DNS filter will be automatically selected. This change was partially necessary to implement another important feature: experimental support for Encrypted ClientHello (ECH).

Experimental Encrypted ClientHello support

What is Encrypted ClientHello?

Nowadays, almost every HTTPS connection is encrypted and no one can see what’s inside it. However, the very first packet of the connection, called ClientHello, indicates the name of the server you are connecting to. Say you want to open www.google.com, your ISP cannot see what exactly you send and receive from it, but they know what website you are communicating with. This is where Encrypted ClientHello (ECH) comes in handy. It encrypts this last bit of unencrypted information, making your HTTPS connection fully encrypted. This means that third parties, such as your ISP, will not be able to see what is inside the connection or which site the connection was made to.

AdGuard is not the only one working to support ECH. Browsers such as Chrome and Firefox are also in the process of adding ECH support. However, AdGuard has a significant advantage.

Assuming that Chrome has added support for ECH, it means it only works within Chrome and does not extend to other apps and browsers. In contrast, AdGuard's ECH support automatically works in all apps and browsers that AdGuard filters. Therefore, you don't have to wait for operating systems or apps to support this feature, as it is automatically available in your pocket with AdGuard.

How to enable ECH support

To enable ECH support, follow these steps:

  1. Make sure that DNS protection is on. ECH relies on data obtained through DNS, so in order for AdGuard to receive this data and enable ECH globally for users, DNS filtering is necessary.

  2. Check if the Block ECH option is turned off, as it may interfere with this feature.

  3. Go to Advanced Settings and turn on network.https.ech.enabled.

To make sure ECH is working, use one of the following methods:

  1. Go to https://crypto.cloudflare.com/cdn-cgi/trace/ and check if it says sni=encrypted.

  1. Go to https://defo.ie/ech-check.php and check if it says SSL_ECH_STATUS: success.

Limitations and issues

ECH is a new technology, so you may encounter some issues when using it.

  1. ECH support may slow down your browsing speed a bit. However, we are already working on improving this!

  2. ECH support must be implemented on both sides. AdGuard supporting it is not enough; the server must also support it. Currently, these servers are few, because the technology is new and has not yet been finalized. However, the number of servers supporting ECH is expected to grow.

New Advanced Settings

In the Advanced settings you'll find a bunch of new features that can be divided into 4 categories:

  • Anti-DPI options allow low-level modification of filtering requests to protect user traffic from Deep Packet Inspection (DPI)

    • stealth.antidpi.clienthello.split.fragment.size
    • stealth.antidpi.http.space.juggling
    • stealth.antidpi.http.split.fragment.size

  • Keepalive options let you configure settings for working with Keepalive connections

    • network.tcp.keepalive.enabled
    • network.tcp.keepalive.interval.seconds
    • network.tcp.keepalive.timeout.seconds

  • DNS-related options help you fine-tune DNS settings
    network.https.ech.enabled

    • dns.proxy.fallback.on.upstreams.failure.enabled
    • dns.proxy.http3.enabled
    • dns.proxy.parallel.upstream.queries.enabled
    • dns.proxy.servfail.on.upstreams.failure.enabled

  • Certificate security options allow you to check the certificates of websites and web services by various criteria

    • network.https.enforce.certificate.transparency

CoreLibs, DnsLibs, Scriptlets, and ExtendedCSS have undergone many changes. Furthermore, the Ukrainian filter has been added.

Changelog

Features

  • DNS filtering and system DNS are enabled by default for all users #1217
  • Added Tor Browser support #1045
  • Added Arc Browser support #1188
  • When reporting in Safari, a new tab opens by default instead of a window #1100

Fixes

  • Export fails when object names contain invalid characters for a file system #1198
  • Network service is not connected if the app starts with Filter update check interval disabled #1190
  • The number of remaining days of the license period on the main screen and the License screen does not match #1177
  • The filtering service crashes when reading the system certificate store on MacOS 13 #1151

Versions

CoreLibs

  • Updated CoreLibs to v1.11.79 #1221
  • Encrypted ClientHello support #1565
  • Added exact match syntax for HTTPS exclusions #1691
  • Implemented "Protect from DPI" for plain HTTP #1629
  • Improved failure detection when starting network extension due to "no network" #1679
  • "Protect from DPI" allows to configure HTTPS fragmentation #1649
  • Added signed Certificate Timestamps (SCT) support #1529
  • Netbiosd process starts using a lot of CPU when pausing AdGuard #937
  • Fixed dropped TCP/HTTP connections #1658
  • Ads are not blocked by Brook #1641
  • Using NEAppProxyFlow.networkInterface, if installed, instead of RouteResolver #1677
  • Fixed incorrect work of the @match field for userscripts #1650
  • HTTPS filtration breaks trading.finam.ru #1724
  • elearning.ual.pt doesn't open with "Protect from DPI" enabled #4451
  • Filtering does not work on websites with dot at the end #1741
  • path modifier does not work on yandex.ru/images/ #1738

DnsLibs

  • Updated DnsLibs to v2.1.27 #1211
  • Added tplinkdeco.net to fallback domains #175
  • Added tplinkextender.net to fallback domains #183
  • Crash in IPv6-only networks on Android #182
  • Timing out DNS upstream leads to many requests pending #40

Scriptlets

  • Updated Scriptlets to v1.9.1
  • Added new m3u-prune scriptlet #277
  • Added more possible values in the set-attr scriptlet
    #283
  • Improved 'adjust-setTimeoutandadjust-setInterval` scriptlets #262
  • Improved json-prune scriptlet #282
  • Fixed compatibility for the noopcss redirect #299
  • Fixed compatibility issue for the google-ima redirect #272
  • Fixed compatibility issue between prevent-addEventListener and userscripts #271
  • Fixed error in prevent-element-src-loading #270
  • Fixed xml-prune-related errors #289

ExtendedCss

​* Updated ExtendedCss to v2.0.51

  • The content' property in style' in IAffectedElement is now optional
    #163

Important for filter maintainers

  • Added $permissions modifier #419
  • Added regexp support for $domain modifier #1550
  • Added $url modifier #1551
  • Improved compatibility of $redirect syntax with uBO #1605
  • Improved $jsonprune #1710
  • $jsonprune modifier should be able to handle jsonp #1717
  • Send the original rule to the filtering log when applying the converted uBO-syntax HTML rule ##^script:has-text()#1709
  • The problem of converting HTML filtering to uBO has been solved #1708
  • $generichide + $generichide,badfilter causes that protection can't be enabled/disabled #1681
  • In some cases $important modifier doesn't work #1695
  • $removeparam exclusions don't work #1704
  • The correct rule is marked as invalid #1625
  • The element hiding exception doesn't work if the rule contains ~domain #1673

How to install AdGuard for MAC

Check out latest releases or
releases around AdguardTeam/AdguardForMac v2.10.0

Don't miss a new AdguardForMac release

NewReleases is sending notifications on new releases.

Get notifications