Karlston Posted November 20, 2019

uBlock Origin for Firefox addresses new first-party tracking method

The latest version of the content blocker uBlock Origin for the Mozilla Firefox web browser includes a new feature to detect a new first-party tracking method that some sites have started to use recently.

The issue was first reported ten days ago by user Aeris on the project's official GitHub page. Some sites started to use canonical name records (CNAMEs) to bypass filters used in content blockers. First-party resources, e.g. a subdomain, are not blocked usually unless they are known to only serve advertisement.

The main issue from a content blocking perspective is that identification and detection is difficult. The extensions would have to uncloak alias hostnames in order to provide the user with information and the ability to do something about it.

Raymond Hill, the developer of uBlock Origin, found a way to address the new first-party tracking method in Mozilla Firefox.

Side-note: Why only Firefox? Because Mozilla has created DNS APIs that may be used to expose the CNAME while Google has not. For now, it is not possible to protect against this form of tracking in Google Chrome. Hill writes "Best to assume it can't be fixed on Chromium if it does not support the proper API".

Firefox users who upgrade to the latest version of uBlock Origin may notice a new permission request (Access IP address and hostname information). This is required to unlock access to the DNS API in the browser extension.

Firefox users who run the extension need to do the following to set things up properly on their end:

1. Open the Settings of the extension, e.g. from about:addons or by clicking on the dashboard icon in the uBlock Origin interface.
2. Check the "I am an advanced user" box on the first page that opens.
3. Activate the settings icon next to the option to open the advanced settings.
4. Change the value of the parameter cnameAliasList to *.
The change runs the actual hostnames through the filtering that uBlock Origin applies again. The log highlights these in blue.

"Network requests for which the actual hostname differs from the original hostname will be replayed through uBO's filtering engine using the actual hostname. [..] Regardless, uBO is now equipped to deal with 3rd-party disguised as 1st-party as far as Firefox's browser.dns allows it."

The setting of the wildcard means that the process is done for any hostname that differs; this works but it means that a certain number of network requests are processed twice by uBlock Origin.

"The next step is for me to pick a cogent way for filter list maintainers to be able to tell uBO to uncloak specific hostnames, as doing this by default for all hostnames is not a good idea -- as this could cause a huge amount of network requests to be evaluated twice with no benefit for basic users (default settings/lists) while having to incur a pointless overhead -- for example when it concerned CDNs which are often aliased to the site using them."

Hill wants to switch to using a maintained list of known offenders that uBlock Origin (uMatrix will support this as well) will process while leaving any other hostname untouched.

Closing Words

Firefox users may change the configuration to make sure that they are protected against this new form of tracking. Chromium users cannot because the browser's APIs for extensions do not have the capabilities at the time of writing.

Source: uBlock Origin for Firefox addresses new first-party tracking method (gHacks - Martin Brinkmann)
funkyy Posted November 21, 2019

This will apply when version 1.24 stable becomes available. It's in BETA at the moment.
steven36 Posted November 21, 2019

Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much

Ad-tech arms race continues: DNS system exploited to silently follow folks around the web

Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today's blocking techniques. A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.

The tracker relies on DNS queries to get past browser defenses, so some form of domain-name look-up filtering could thwart this snooping. As far as netizens armed with just their browser and a regular old content-blocker plugin are concerned, this tracker can sneak by unnoticed. It can be potentially used by advertising and analytics networks to fingerprint netizens as they browse through the web, and silently build up profiles of their interests and keep count of pages they visit. And, interestingly enough, it's seemingly a result of an arms race between browser makers and ad-tech outfits as they battle over first and third-party cookies.

Ooh, la la

Here's where it all began: in a GitHub issue earlier this month, a developer who goes by the name Aeris online said that French newspaper website liberation.fr uses a tracker crafted by French marketing analytics outfit Eulerian "that seems to be unblockable." What makes it so is that the domain referenced appears to be a first-party page element – associated with the website publisher's domain – rather than a third-party page element – associated with a domain other than the visited website.
In response to privacy concerns, companies like Apple and Mozilla have, over the past few years, introduced tracking protection mechanisms in their respective browsers, Safari and Firefox, and have begun blocking third-party cookies – set by third-party trackers – by default.

Many marketers, keen on maintaining their tracking and data collection capabilities, have turned to a technique called DNS delegation or DNS aliasing. It involves having a website publisher delegate a subdomain that the third-party analytics provider can use and aliasing it to an external server using a CNAME DNS record. The website and its external trackers thus seem to the browser to be coming from the same domain and are allowed to operate.

As Eulerian explains on its website, "The collection taking place under the name of the advertiser, and not under a third party, neither the ad blockers nor the browsers, interrupt the calls of tags."

But wait, there's more

Another marketing analytics biz, Wizaly, also advocates this technique to bypass Apple's ITP 2.2 privacy protections. As does Adobe, which explains on its website that one of the advantages of CNAME records for data collection is they "[allow] you to track visitors between a main landing domain and other domains in browsers that do not accept third-party cookies."

In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive.

Aeris added that DNS delegation clearly violates Europe's GDPR, which "clearly states that 'user-centric tracking' requires consent, especially in the case of a third-party service usage." A recent statement from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany notes that Google Analytics and similar services can only be used with consent.
"This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox," said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.

"This is an exploit, not an 'oopsies,' because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the 'badtech industrial complex' protecting its river of gold."

The Register asked Eulerian to comment but as yet no one has replied.

Using DNS records to make a third-party domain appear to be first-party was documented previously in a 2014 paper by Lukasz Olejnik and Claude Castelluccia, researchers with Inria, a French research institute. The technique is also discussed in a 2010 academic research paper, "Cookie Blocking and Privacy: First Parties Remain a Risk," by German Gomez, Julian Yalaju, Mario Garcia, and Chris Hoofnagle.

Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.

"uBO is now equipped to deal with third-party disguised as first-party as far as Firefox's browser.dns allows it," Hill wrote, adding that he assumes this can't be fixed in Chrome at the moment because Chrome doesn't have an equivalent DNS resolution API.

Aeris said, "For Chrome, there is no DNS API available, and so no easy way to detect this," adding that Chrome under Manifest v3, a pending revision of Google's extension platform, will break uBO. Hill, uBO's creator, recently confirmed to The Register that's still the case.
Even if Chrome were to implement a DNS resolution API, Google has made it clear it wants to maintain the ability to track people on the web and place cookies, for the sake of its ad business.

Apple's answer to marketer angst over being denied analytic data by Safari has been to propose a privacy-preserving ad click attribution scheme that allows 64 different ad campaign identifiers – so marketers can see which worked. Google's alternative proposal, part of its "Privacy Sandbox" initiative, calls for an identifier field capable of storing 64 bits of data – considerably more than the integer 64. As the Electronic Frontier Foundation has pointed out, this enables a range of numbers up to 18 quintillion, allowing advertisers to create unique IDs for every ad impression they serve, information that could then be associated with individual users.

Source
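Both the gHacks post above (the cnameAliasList setting and the replay of requests through the filtering engine with the actual hostname) and the Register article (CNAME delegation making a tracker look first-party) describe the same mechanism. The following is an added illustration written for this thread, not uBlock Origin's own code. It stands in for the DNS API with a constructed, made-up CNAME table and a made-up block list, follows the alias chain to the canonical name, and re-runs the filter match on that name the way the post describes. The function names, the "*" versus set-of-hostnames shape of the alias list, and the two-label rule for the registrable domain are all assumptions made for the example; a real implementation would use the Public Suffix List and the browser's resolver.

```python
"""Constructed demonstration of CNAME uncloaking in a content blocker.

The DNS answers and block list below are invented for this example; they are
not real zone data. In Firefox the alias would come from browser.dns.resolve;
here a dictionary stands in so the example runs offline.
"""

# Constructed CNAME table: hostname -> alias target; None means the chain ends
# in an address record. Includes a deliberate loop to exercise the guard.
FAKE_CNAME_RECORDS = {
    "metrics.news.example": "news-example.tracker-cdn.example",
    "news-example.tracker-cdn.example": "collector.tracker-cdn.example",
    "static.news.example": "news-example.cdn-provider.example",
    "www.news.example": None,
    "collector.tracker-cdn.example": None,
    "news-example.cdn-provider.example": None,
    "loop-a.example": "loop-b.example",
    "loop-b.example": "loop-a.example",
}

# Constructed block list: a filter list entry matches a hostname and all of
# its subdomains. The CDN provider is deliberately absent, mirroring the point
# in the post that CDNs are often aliased to the site using them.
BLOCKED_HOSTNAMES = {"tracker-cdn.example"}


def resolve_canonical_name(hostname, records, max_hops=8):
    """Follow the CNAME chain and return (canonical_name, chain).

    Raises ValueError on a loop or an over-long chain instead of spinning.
    """
    chain = [hostname]
    current = hostname
    for _ in range(max_hops):
        target = records.get(current)
        if target is None:
            return current, chain
        if target in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [target]))
        chain.append(target)
        current = target
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def registrable_domain(hostname):
    # Assumption for the example: last two labels. Real code needs the PSL.
    return ".".join(hostname.split(".")[-2:])


def hostname_matches(hostname, entries):
    """True if the hostname or any parent domain is in the filter entries."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def should_uncloak(hostname, cname_alias_list):
    # Assumed shape of the setting: "*" means every request, otherwise only
    # hostnames (and subdomains) explicitly listed, as the post proposes for
    # filter-list maintainers.
    if cname_alias_list == "*":
        return True
    return hostname_matches(hostname, set(cname_alias_list))


def classify_request(page_hostname, request_hostname, cname_alias_list="*",
                     records=FAKE_CNAME_RECORDS, blocked=BLOCKED_HOSTNAMES):
    """Classify one request before and after CNAME uncloaking."""
    same_site = registrable_domain(request_hostname) == registrable_domain(page_hostname)
    blocked_before = hostname_matches(request_hostname, blocked)
    result = {
        "request": request_hostname,
        "canonical": request_hostname,
        "chain": [request_hostname],
        "party_before": "first-party" if same_site else "third-party",
        "blocked_before": blocked_before,
        "uncloaked": False,
        "cloaked_third_party": False,
        "blocked_after": blocked_before,
    }
    if not should_uncloak(request_hostname, cname_alias_list):
        return result
    canonical, chain = resolve_canonical_name(request_hostname, records)
    result.update(canonical=canonical, chain=chain, uncloaked=True)
    if canonical == request_hostname:
        return result
    # The request is replayed through the filter using the actual hostname,
    # which is what lets a first-party-looking subdomain be caught.
    result["cloaked_third_party"] = (
        registrable_domain(canonical) != registrable_domain(page_hostname))
    result["blocked_after"] = blocked_before or hostname_matches(canonical, blocked)
    return result


if __name__ == "__main__":
    for host in ("metrics.news.example", "static.news.example", "www.news.example"):
        print(classify_request("www.news.example", host))
```

Running it shows the three outcomes the thread discusses: the metrics subdomain is first-party by name but resolves into the blocked tracker domain and is blocked only after uncloaking; the static subdomain is also aliased off-site but to a CDN that no filter matches, which is the double-evaluation overhead Hill wants to avoid for basic users; and the site's own hostname is left alone. Passing an explicit set instead of "*" limits uncloaking to the listed hostnames.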
vitorio Posted November 22, 2019

This is a cat and mouse race.
steven36 Posted November 22, 2019

1 hour ago, vitorio said: This is a cat and mouse race.

Firefox changing to Web extensions, Cloudflare and sites that need a cookie token made it worse, where some sites need 1st-party cookies if they're scanning. I use Waterfox Classic with Cookie Controller; I block all 1st-party cookies by default, for years now. Only I allow 1st-party cookies on sites that require a cookie to view or to sign in. But with so many DDoS attacks, more and more sites require a cookie to get past Cloudflare; if you download movies and TV shows it's a PITA.

It just shows that when tech companies add baked-in protection, the more aggressive data collection becomes. If they can't track you using 3rd-party cookies they will use another method, and after a few years blocking 3rd-party cookies won't be any good anymore because they track you with 1st-party cookies. By baking it in and setting it default they just made it worse; they should have left things be where it was optional. Now we're back where we started off at: we need an ad-blocker because built-in protection doesn't do its job.