Firefox’s anti-tracking safeguards have been strengthened by Mozilla. The enhanced tracking protection (ETP) stringent mode of Firefox 86 now includes an additional anti-cookie tracking layer that the company is calling “Total Cookie Protection,” according to a blog post published yesterday (TCP).
This “significant privacy advance,” as it is billed, stops cross-site tracking by compartmentalizing third-party cookies by website.
Mozilla compares this to having a different cookie jar for each website, so, for example, Facebook cookies aren’t kept in the same container as cookies for the website where you bought your most recent pair of sneakers, and so on.
In Firefox, the new privacy layer “provides comprehensive segmentation of cookies and other site data between websites,” according to Mozilla.
Targeting so-called “supercookies,” or sneaky trackers that store user IDs in “increasingly obscure” areas of the browser (like Flash memory, ETags, and HSTS flags), where it’s challenging for users to delete or block them, along with another anti-tracking feature Mozilla announced last month, the features work together to “prevent websites from being able to ‘tag’ your web browser, hence removing the most widespread cross-site monitoring strategy,” according. Cross-site cookies have a “minimal exemption” when they are required for non-tracking functions; Mozilla cites prominent third-party login services as an example.
The adtech sector has long been determined to continue monitoring web users, and in defiance of the idea that individuals would consent to having their online activities spied upon, has been engaging in a fight against tracker blocking by investing resources in the development of nefarious new methods to do so. But since browser manufacturers have adopted a more stern pro-privacy/anti-tracker posture in recent years, this conflict has intensified.
For instance, Mozilla started to make tracker blocking the standard back in 2018 and later made ETP the standard in Firefox in 2019, blocking cookies of businesses that its partner, Disconnect, classified as trackers.
Mozilla’s most recent anti-cookie tracking tool, however, demonstrates that there is no finish line in the fight to beat adtech’s aversion to permission and privacy. Therefore, to be sluggish to implement it is debatably not all that different from not delivering any privacy protection at all.
To illustrate, a privacy research group examined CNAME tracking, also known as a DNS-based anti-tracking avoidance technique, and discovered that use of the cunning anti-tracking avoidance method had increased by about a fifth in less than two years. This is a worrying development on the non-third-party cookie-based tracking front.
Since early 2019 when developers discovered it being utilized in the open by a French news site, the method has caused widespread concerns about “unblockable” web surveillance. According to the report, use has increased since that time.
In simple words, the CNAME tracking technique hides the tracker by inserting it into the first-party setting of the accessed website — through the information getting embedded through a subdomain of the website that is effectively a proxy for the monitoring domain.
There are “significant consequences for web security and privacy” with the CNAME tracking method. For instance, if a tracker is tricked into showing up as a genuine first-party information on a website that is visited, “numerous rewards” become obtainable, including access to first-party cookies, that can then be sent to remote third-party servers, allowing the surveillance entity to do whatever it wants with the sensitive data.
The danger is that by avoiding detection by anti-trackers, some of the ingenious engineering being done to preserve privacy by preventing trackers may be rendered ineffective.
In order to get around Apple’s ITP, researchers discovered that the tracker Criteo switched its tracking code back to the standard CNAME cloaking technique when it identified that Safari was being used.
There are more issues with CNAME tracking as well: his approach “unlocks a mechanism for broad cookie leaks” as a result of the current web architecture, as Olejnik puts it, detailing how the use of the method might result in “several unrelated, genuine cookies” being delivered to the tracking subdomain.
Olejnik first raised this issue in a report published in 2014, but he claims that the issue has since gotten far worse: “As the tip of the iceberg, we discovered widespread data leaks on 7,377 websites. Almost every website using the CNAME system has some data leakage. This implies that the scheme is purposefully risky. It compromises site security and user privacy.
On 95% of the websites used for the study, the researchers discovered cookies leaking.
Additionally, they claim to have discovered cookie breaches caused through other third-party scripts, indicating that in those cases, spilled cookies could enable the CNAME tracker to follow visitors between domains.
They discovered that sensitive or confidential information, including a user’s complete name, location, email address, and the authenticating cookie, was occasionally present in leaked data.
The researchers highlight that Firefox does offer a defense against this method, Chrome does not; and that in order to protect against the CNAME cloaking scheme, some big browsers will need to learn some fresh techniques.
Additionally, engineers working on the WebKit engine, which powers Apple’s Safari browser, have been improving ITP to make it more resistant to CNAME tracking. The usage of the CNAME method may well be reduced through regulatory changes and enforcement.