Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday November 22 2019, @05:37AM   Printer-friendly
from the cat-and-mouse dept.

Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much

Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today's blocking techniques.

A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.

[...]Here's where it all began: in a GitHub issue earlier this month, a developer who goes by the name Aeris online, said that French newspaper website liberation.fr uses a tracker crafted by French marketing analytics outfit Eulerian "that seems to be unblockable."

What makes it so is that the domain referenced appears to be a first-party page element – associated with the website publisher's domain – rather than a third-party page element – associated with a domain other than the visited website.

[...]In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive. Aeris added that DNS delegation clearly violates Europe's GDPR, which "clearly states that 'user-centric tracking' requires consent, especially in the case of a third-party service usage."

[...]"This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox," said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.

"This is an exploit, not an 'oopsies,' because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the 'badtech industrial complex' protecting its river of gold."

[...]Using DNS records to make a third-party domain appear to be first-party was documented previously in a 2014 paper by Lukasz Olejnik and Claude Castelluccia, researchers with Inria, a French research institute. The technique is also discussed in a 2010 academic research paper, "Cookie Blocking and Privacy: First Parties Reman a Risk," by German Gomez, Julian Yalaju, Mario Garcia, and Chris Hoofnagle.

Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.

"uBO is now equipped to deal with third-party disguised as first-party as far as Firefox's browser.dns allows it," Hill wrote, adding that he assumes this can't be fixed in Chrome at the moment because Chrome doesn't have an equivalent DNS resolution API.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by barbara hudson on Saturday November 23 2019, @12:40PM (1 child)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday November 23 2019, @12:40PM (#923800) Journal
    Or links in a terminal :-)
    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Monday November 25 2019, @12:04PM

    by Anonymous Coward on Monday November 25 2019, @12:04PM (#924481)

    I use wget to download files now. This must look interesting in some server logs.