Brave browser first to nix CNAME deception, the sneaky DNS trick used by marketers
#1
https://www.theregister.com/2020/10/28/b...ame_block/

Brave browser first to nix CNAME deception, the sneaky DNS trick used by marketers to duck privacy controls
Next release will block third-party trackers posing as first-party resources
Wed 28 Oct 2020 // 19:40 UTC
Thomas Claburn in San Francisco

The Brave web browser will soon block CNAME cloaking, a technique used by online marketers to defy privacy controls designed to prevent the use of third-party cookies.

The browser security model makes a distinction between first-party domains – those being visited – and third-party domains – from the suppliers of things like image assets or tracking code, to the visited site. Many of the online privacy abuses over the years have come from third-party resources like scripts and cookies, which is why third-party cookies are now blocked by default in Brave, Firefox, Safari, and Tor Browser. Microsoft Edge, meanwhile, has a tiered scheme that defaults to a "Balanced" setting, which blocks some third-party cookies. Google Chrome has implemented its SameSite cookie scheme as a prelude to its planned 2022 phase-out of third-party cookies, maybe.

While Google tries to win support for its various Privacy Sandbox proposals, which aim to provide marketers with ostensibly privacy-preserving alternatives to increasingly shunned third-party cookies, marketers have been relying on CNAME shenanigans to pass their third-party trackers off as first-party resources.

The developers behind open-source content blocking extension uBlock Origin implemented a defense against CNAME-based tracking in November and now Brave has done so as well.

CNAME by name, cookie by nature

In a blog post on Tuesday, Anton Lazarev, research engineer at Brave Software, and senior privacy researcher Peter Snyder, explain that online tracking scripts may use canonical name DNS records, known as CNAMEs, to make associated third-party tracking domains look like they're part of the first-party websites actually being visited.

They point to the site https://mathon.fr as an example, noting that without CNAME uncloaking, Brave blocks six requests for tracking scripts served by ad companies like Google, Facebook, Criteo, Sirdan, and Trustpilot. But the page also makes four requests via a script hosted at a randomized path under the first-party subdomain 16ao.mathon.fr.

"Inspection outside of the browser reveals that 16ao.mathon.fr actually has a canonical name of et5.eulerian.net, meaning it’s a third-party script served by Eulerian," observe Lazarev and Snyder.

When Brave 1.17 ships next month (currently available as a developer build), it will be able to uncloak the CNAME deception and block the Eulerian script.

Other browser vendors are planning related defenses. Mozilla has been working on a fix in Firefox since last November. And in August, Apple's Safari WebKit team proposed a way to prevent CNAME cloaking from being used to bypass the seven-day cookie lifetime imposed by WebKit's Intelligent Tracking Protection system.
Reply
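
The CNAME uncloaking check described in the article, as an added example that is not part of the original post, the Register article, or Brave's code: it follows the CNAME chain of a requested host and applies the filter list to every name in the chain, not only the one the page used. Only the 16ao.mathon.fr to et5.eulerian.net mapping comes from the article; the other records, the one-entry blocklist, the function names and the last-two-labels site rule are assumptions made for illustration.

```python
# Constructed sample data: an offline stand-in for DNS CNAME answers.
# Only the 16ao.mathon.fr -> et5.eulerian.net mapping comes from the article.
CNAME_RECORDS = {
    "16ao.mathon.fr": "et5.eulerian.net",
    "www.mathon.fr": "mathon.fr",          # constructed: benign same-site alias
    "loop-a.example": "loop-b.example",    # constructed: CNAME loop
    "loop-b.example": "loop-a.example",
}
# Hypothetical filter list; an entry matches the domain and its subdomains.
BLOCKED_DOMAINS = {"eulerian.net"}
MAX_CHAIN = 8  # assumption: upper bound on how many aliases are followed


def site_of(host):
    """Naive registrable domain (last two labels). A real implementation
    needs the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cname_chain(host, records=CNAME_RECORDS):
    """Return every name visited while following CNAME records from host."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in records and len(chain) <= MAX_CHAIN:
        nxt = records[chain[-1]].lower().rstrip(".")
        if nxt in chain:  # CNAME loop: stop instead of spinning
            break
        chain.append(nxt)
    return chain


def is_blocked(host):
    """True if host or any parent domain is on the filter list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def classify_request(page_host, request_host):
    """Return (verdict, chain) for a sub-resource request made by page_host."""
    chain = cname_chain(request_host)
    for name in chain:
        if is_blocked(name):
            # A match on a later name means the first-party label hid it.
            return ("block" if name == chain[0] else "block (CNAME-cloaked)"), chain
    if site_of(chain[-1]) != site_of(page_host):
        return ("third-party via CNAME" if len(chain) > 1 else "third-party"), chain
    return "first-party", chain
```

A filter that only inspects the requested hostname sees 16ao.mathon.fr as same-site with mathon.fr; the verdict changes only because the canonical name is checked as well.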