I thought that I finally found a best ad blocking software. Well, it can block ads. But it also adds their own root CA certificate to your system. They also install a kernel extension, but this seems to be fine, it is required to filter traffic transparently. Having a "fake" root CA certificate in the system is a terrible idea. That means that they (or anyone who have that certificate) can do MitM on all of your HTTPS traffic (to Google, your bank, PayPal, etc). That is not required to filter traffic. You can implement exactly the same functions with Little Snitch and a list from, for example, http://pgl.yoyo.org/adservers/. So, I would not recommend anyone to use AdGuard because of that certificate installation.