SoylentNews is people

posted by martyb on Friday November 22 2019, @05:37AM
from the cat-and-mouse dept.

Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much

Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today's blocking techniques.

A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.

[...]Here's where it all began: in a GitHub issue earlier this month, a developer who goes by the name Aeris online, said that French newspaper website liberation.fr uses a tracker crafted by French marketing analytics outfit Eulerian "that seems to be unblockable."

What makes it so is that the domain referenced appears to be a first-party page element – associated with the website publisher's domain – rather than a third-party page element – associated with a domain other than the visited website.

[...]In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive. Aeris added that DNS delegation clearly violates Europe's GDPR, which "clearly states that 'user-centric tracking' requires consent, especially in the case of a third-party service usage."

[...]"This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox," said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.

"This is an exploit, not an 'oopsies,' because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the 'badtech industrial complex' protecting its river of gold."

[...]Using DNS records to make a third-party domain appear to be first-party was documented previously in a 2014 paper by Lukasz Olejnik and Claude Castelluccia, researchers with Inria, a French research institute. The technique is also discussed in a 2010 academic research paper, "Cookie Blocking and Privacy: First Parties Remain a Risk," by German Gomez, Julian Yalaju, Mario Garcia, and Chris Hoofnagle.

Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.

"uBO is now equipped to deal with third-party disguised as first-party as far as Firefox's browser.dns allows it," Hill wrote, adding that he assumes this can't be fixed in Chrome at the moment because Chrome doesn't have an equivalent DNS resolution API.
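
The unmasking step described above, sketched as an added example (it is not uBlock Origin's code and not part of the original story): a request that looks first-party by hostname is re-classified by the canonical name its DNS record resolves to. `browser.dns.resolve` with the `canonical_name` flag is Firefox's WebExtension API (it needs the `dns` permission); the `.example` hostnames, the blocklist, the sample DNS answers and the last-two-labels `baseDomain` helper are assumptions made so the sketch runs offline.

```javascript
// Added example, not uBlock Origin's code.
// Naive registrable domain: last two labels. Assumption for brevity;
// production code should use the Public Suffix List.
function baseDomain(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '').split('.').slice(-2).join('.');
}

// Constructed blocklist of tracker base domains (placeholder name).
const BLOCKED_BASE_DOMAINS = new Set(['tracker.example']);

// resolve(hostname) must return a Promise of { canonicalName }.
// In a Firefox extension with the "dns" permission that is:
const firefoxResolve = (h) => browser.dns.resolve(h, ['canonical_name']);

async function classifyRequest(pageHost, requestHost, resolve) {
  const firstPartyByName = baseDomain(requestHost) === baseDomain(pageHost);
  let canonical = requestHost;
  try {
    const record = await resolve(requestHost);
    if (record && record.canonicalName) canonical = record.canonicalName;
  } catch (err) {
    // Lookup failed: judge the request on its literal hostname only.
  }
  // Cloaked: looks first-party by name, but the CNAME chain ends elsewhere.
  const cloaked = firstPartyByName && baseDomain(canonical) !== baseDomain(pageHost);
  const block = [requestHost, canonical]
    .some((h) => BLOCKED_BASE_DOMAINS.has(baseDomain(h)));
  return { requestHost, canonical, firstPartyByName, cloaked, block };
}

// Constructed DNS answers standing in for the resolver so this runs offline.
const SAMPLE_CNAMES = {
  'metrics.news.example': 'cust42.tracker.example.',
  'static.news.example': 'static.news.example',
};
const sampleResolve = async (h) => {
  if (!(h in SAMPLE_CNAMES)) throw new Error('no record for ' + h);
  return { canonicalName: SAMPLE_CNAMES[h] };
};

async function demo() {
  const hosts = ['metrics.news.example', 'static.news.example', 'ads.tracker.example'];
  return Promise.all(hosts.map((h) => classifyRequest('www.news.example', h, sampleResolve)));
}
demo().then((rows) => rows.forEach((r) => console.log(r)));
```

A filter that compares only the hostname written in the page would pass `metrics.news.example` as first-party; checking the canonical name is what exposes it, and it is the step the story says Chrome extensions had no API for.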


  • (Score: 4, Insightful) by jmichaelhudsondotnet on Friday November 22 2019, @02:05PM (8 children)

    by jmichaelhudsondotnet (8122) on Friday November 22 2019, @02:05PM (#923384) Journal

    Which is to say even firefox is not trying to block tracking, they are letting us, for now, have addons that track us, which they deactivate periodically through incompetence or treachery.

    Correct me if I am wrong, once they tag your browser UID once, they have you everywhere.

    Sounds like a minesweeper puzzle style game where your job is to identify every single packet from logical deduction with partial information.

    This makes an oppositional struggle between browser makers and privacy-software makers, which seems to me inefficient.

    Seems the privacy-software makers should be calling the shots at the browser devel, but for some reason they are not.

    The bells and whistles web is too complicated for small project teams without financing. As soon as financing gets involved there is tracking.

    Could I suggest we create a 'simpleweb' of only text and images, where everything is so simple building hidden tracking is impossible and where all the data transmitted is so small encryption is more feasible? And browsers can be lightweight? Maybe distribute a few aspects of dns and ssl, maybe throw in random pageloads, random network traffic.

    Because the 4k 3d 5g web is going to be like this, forever, and that is by design.

    Anyone looking to see how crazy and alarmist I am, consider my posts from months ago on this topic of FF regarding their mega cert fail. This confirms what I suggested they were doing then, based upon their consistent pattern of user betrayal.

    And also why I left hackernews, my ideas on the topic were immediately censored, so there is probably some synergy going on between those two entities.

  • (Score: 5, Funny) by Anonymous Coward on Friday November 22 2019, @03:25PM (1 child)

    by Anonymous Coward on Friday November 22 2019, @03:25PM (#923405)

    Anyone looking to see how crazy and alarmist I am, consider my posts

    We have. And, we still do. And, you're still crazy.

  • (Score: 2, Informative) by Anonymous Coward on Friday November 22 2019, @03:29PM

    by Anonymous Coward on Friday November 22 2019, @03:29PM (#923407)

    >Could I suggest we create a 'simpleweb' of only text and images, where everything is so simple building hidden tracking is impossible

    All they need is to insert an image from a CDN and they can track you (this is called a "tracking pixel"). So, that won't make hidden tracking impossible. The server logs from every web server have enough information to tell who had what page open and for approximately how long (although it can't tell if you close the browser/tab or manually type in a new URL).

    >and where all the data transmitted is so small encryption is more feasible?

    This is already the case. But most content providers are too lazy to enforce it.

    >And browsers can be lightweight?

    That ship sailed a long time ago.

  • (Score: 3, Informative) by Anonymous Coward on Friday November 22 2019, @04:06PM (2 children)

    by Anonymous Coward on Friday November 22 2019, @04:06PM (#923420)

    The thing is:
    1. If you consider tracking by scripts, the fix is simple: NoScript + whitelist. I do this all the time. SN works without scripts very well. If some site wants me to run their code in order to show me text, this site has nothing to offer for me as I look for sites giving me information in form of text/images.
    2. If we consider CDNs and similar servers, the only answer is point 1. + IP scrambling, by using e.g. Tor.

    I would give a kingdom for the "simpleweb", but see the entire problem: In the "simple web" era, many worthy sites have been created not by corporations, not by company-sponsored influencers, but by users. Many times with the idea: "It was useful for me, I hope this will be useful for you". Now this changed to "give me munnies i need this". Even in open source, where this first idea was the source of really useful tools we use every day in GNU. So, even if you magically create such a "simple web" thing, there will be nobody to be in it. Business will stay out as they would have no tracking possibilities and netiquette is... how it is, for the user, not for business. Users will stay out as they are now busy working for the companies' true customers: their shareholders, usually for modern "social media" as it has some instant gratification addiction schemes.
    I have a "simple web" website (hobby related), so there is also another problem: The backbone of the "simple web" are links. Generally, without the mesh of links between sites this would fall apart, as searching, not only by search engines, but searching for topics, works this way. So currently people are discouraged from linking as this would make the customer leave the "site". In fact, people are publishing links less and less.

    And the tip: I never registered in HN as they are more companies-friendly there, euphemistically speaking.

    • (Score: 2, Interesting) by Anonymous Coward on Saturday November 23 2019, @02:38AM

      by Anonymous Coward on Saturday November 23 2019, @02:38AM (#923620)

      If you consider tracking by scripts, the fix is simple: NoScript + whitelist.

      If you do this I would also recommend the add-on Behind The Overlay. In a lot of cases when they use js to hide the content a single click removes the overlay and lets you read it without enabling any scripts at all.

      Now I just need to automate inspect element - delete the no-js node div - close inspector for ebay pages.

    • (Score: 2) by jmichaelhudsondotnet on Sunday November 24 2019, @04:19PM

      by jmichaelhudsondotnet (8122) on Sunday November 24 2019, @04:19PM (#924190) Journal

      thanks for this, upvoted.

      I am not publishing links less and less! I am publishing them more!

      https://jmichaelhudson.net/favorite-places/ [jmichaelhudson.net]
      https://jmichaelhudson.net/must-read/ [jmichaelhudson.net]

      Can we get the sheep away from facegag? That is the question.

      I have a feeling there will be some kind of web 10.x box one day where you plug it into the old internet and it gives you the 1995 internet, and all the kids will love it, and it all starts over again.

      As long as this doesn't start at the pentagon or unit 8200 we have a chance, but as with things like steemit and reddit, the actual police and military are trying to *themselves* be the revolutionary movement but which acts more like a bugzapper than a way to reform anything.

      The internet is just connecting everything with logical data, there are many, many ways to do this and what we consider 'the internet' was just a learning experience teaching us what happens if you let the garbage people take over.

      But it was no surprise to me, I was writing about how this was going to happen in 2002. I actually thought up a business plan for a purely shill company, then thought, 'wait a minute, this is evil. This must be stopped.'

      Yet here we are.

  • (Score: 3, Informative) by jb on Saturday November 23 2019, @04:11AM (1 child)

    by jb (338) on Saturday November 23 2019, @04:11AM (#923652)

    Could I suggest we create a 'simpleweb' of only text and images, where everything is so simple building hidden tracking is impossible

    gopher still works just fine

    • (Score: 0) by Anonymous Coward on Saturday November 23 2019, @04:59AM

      by Anonymous Coward on Saturday November 23 2019, @04:59AM (#923683)

      Just what I was going to say. Plus, numerous browsers still support it. On top of that, if you don't trust any of those clients, the protocol is so simple that basic socket programming is really all you need to implement it yourself.