Firefox 86 Introduces Total Cookie Protection:
Today we are pleased to announce Total Cookie Protection, a major privacy advance in Firefox built into ETP Strict Mode. Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site.
[...] In 2019, Firefox introduced Enhanced Tracking Protection by default, blocking cookies from companies that have been identified as trackers by our partners at Disconnect. But we wanted to take protections to the next level and create even more comprehensive protections against cookie-based tracking to ensure that no cookies can be used to track you from site to site as you browse the web.
In addition, Total Cookie Protection makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers. Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you're currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.
In combination with the Supercookie Protections we announced last month, Total Cookie Protection provides comprehensive partitioning of cookies and other site data between websites in Firefox. Together these features prevent websites from being able to "tag" your browser, thereby eliminating the most pervasive cross-site tracking technique.
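The partitioning and the per-site login-provider exception described in the announcement above can be sketched as a small model. This is an added example, not Mozilla's code or Firefox's implementation; the class, its methods and all `.example` site names are hypothetical, and the exception is modelled as an explicit grant rather than Firefox's detection logic.

```javascript
// Simplified model of per-site cookie jars (constructed example, not Firefox code).
class PartitionedCookieStore {
  constructor() {
    this.jars = new Map();    // "partitionKey|cookieSite" -> Map(name -> value)
    this.grants = new Set();  // "topLevelSite|cookieSite" exceptions
  }
  // A first-party cookie, or a third party with a grant on this site, uses
  // the cookie site's own jar; every other embed gets a per-site jar.
  partitionKey(topLevelSite, cookieSite) {
    const firstParty = topLevelSite === cookieSite;
    const granted = this.grants.has(`${topLevelSite}|${cookieSite}`);
    return firstParty || granted ? cookieSite : topLevelSite;
  }

  jar(topLevelSite, cookieSite) {
    const key = `${this.partitionKey(topLevelSite, cookieSite)}|${cookieSite}`;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }

  set(topLevelSite, cookieSite, name, value) {
    this.jar(topLevelSite, cookieSite).set(name, value);
  }

  get(topLevelSite, cookieSite, name) {
    return this.jar(topLevelSite, cookieSite).get(name);
  }

  // Exception scoped to one (top-level site, provider) pair only.
  grantAccess(topLevelSite, cookieSite) {
    this.grants.add(`${topLevelSite}|${cookieSite}`);
  }
}

function demo() {
  const store = new PartitionedCookieStore();
  // Hypothetical sites: tracker.example is embedded on two news sites.
  store.set("news-a.example", "tracker.example", "uid", "abc123");
  const seenOnB = store.get("news-b.example", "tracker.example", "uid");
  // login.example sets a session cookie as a first party, then is embedded.
  store.set("login.example", "login.example", "session", "s-42");
  const beforeGrant = store.get("shop.example", "login.example", "session");
  store.grantAccess("shop.example", "login.example");
  const afterGrant = store.get("shop.example", "login.example", "session");
  const otherSite = store.get("news-a.example", "login.example", "session");
  return { seenOnB, beforeGrant, afterGrant, otherSite };
}
console.log(demo());
```

In this model the identifier set on one site is invisible on the other, and the login cookie becomes readable only on the one site that holds a grant.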
(Score: 2, Interesting) by Anonymous Coward on Wednesday February 24 2021, @08:45AM
Before they do that, can they make the default setting for XSS prevention "block and don't prompt"? That pop-up is annoying, but not quite enough to make me go looking for the magic mozilla string to turn it off.
(Score: 4, Insightful) by progo on Wednesday February 24 2021, @10:35AM (13 children)
Google, the ad company, pays [theverge.com] for about half of Mozilla's budget [ghacks.net]. So I'm skeptical about just how total this cookie protection is.
(Score: 2) by progo on Wednesday February 24 2021, @10:40AM
Actually, that 2019 report I quoted has about half of the revenue being "other" from a successful lawsuit in Mozilla's favor. Google actually pays about 100% of Mozilla's budget!
(Score: 3, Interesting) by gtomorrow on Wednesday February 24 2021, @11:21AM (8 children)
So, what exactly are you suggesting? That the summary's quoted information is a lie? That Firefox's Cookie Protection actually captures and sends/shares all that information to Google? I'm not saying you should blindly "believe the hype," just maybe lower your paranoia setting.
To paraphrase, Firefox is the worst browser except for all the others.
(Score: 2) by aristarchus on Wednesday February 24 2021, @11:24AM (2 children)
I am quite sure that is what the GP is suggesting. And quite the reasonable suggestion it is! Linux Mint now comes with "Web Apps"! I wonder why. . . .
(Score: 2) by progo on Wednesday February 24 2021, @11:32AM
I'm not going to speculate on what Firefox does and doesn't send to Google.
But I'm damn sure Total Cookie Protection isn't total protection against Google gathering data it doesn't need to service you, via cookies.
(Score: 2) by gtomorrow on Wednesday February 24 2021, @12:23PM
Non sequitur much? Are we having fun yet, Zip?
(Score: 2) by progo on Wednesday February 24 2021, @11:39AM (2 children)
Waterfox, available on some platforms, is Firefox minus Mozilla services minus Google services.
(Score: 4, Insightful) by gtomorrow on Wednesday February 24 2021, @12:28PM (1 child)
Yeah, thanks but no thanks. I tried that and what's that other one?...personally, I'm done with browsers with a dev staff of one. I might as well use Dillo [dillo.org].
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @04:34PM
These people [wikipedia.org] would like to have a chat with you...
(Score: 2) by PiMuNu on Wednesday February 24 2021, @06:14PM (1 child)
> makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers
> Total Cookie Protection detects that you intend to use a provider
Cynical me: Like google, for example? How does the detection work?
Non-cynical moment: it would be extremely challenging for google to control firefox at such a detailed level. Remember, the probability of a leak grows rapidly with the number of people and organisations involved. Firefox management don't seem to be competent enough to orchestrate such a conspiracy.
(Score: 2) by maxwell demon on Thursday February 25 2021, @07:39AM
So it basically enforces a cartel of existing login providers, as new ones won't be able to work?
I can certainly see why Google would like that.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by maxwell demon on Wednesday February 24 2021, @11:28AM
Maybe Google knows about another way (that is not publicised) to uniquely identify you when using Firefox, so they don't have to rely on those cookies.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @12:47PM
Well, Mozilla will send halved cookies to Google then.
(Score: 0, Interesting) by Anonymous Coward on Wednesday February 24 2021, @03:12PM
You seem to have forgotten that Mozilla fired the Firefox developers, who now have the “opportunity” to work for free for a foundation with an 8 million dollar grant while Mozilla keeps the revenue from the Google deal to help them pivot to being a subscription VPN provider. Except that Apple is including proxying web traffic in iOS 14.5 so that Google, Facebook, etc can’t track your IP.
Watch for Samsung to do the same to further differentiate themselves on Android (they already offer a year more of Security updates than the Google Pixel).
Will Firefox survive long term on the “work for us for free to demonstrate your skills” long-term? Even the Linux foundation pays Linus Torvalds a paycheque.
(Score: 3, Informative) by RamiK on Wednesday February 24 2021, @11:57AM (2 children)
The web server can still stick a unique identifier in the cookie, log each visit per-IP and per-ID and periodically send the logs over to the ad-network.
compiling...
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @04:37PM (1 child)
This is true but a non-issue. That's how advertising was done in the beginning and the amount of fraud was super high. It also doesn't jive well with the real-time bidding.
That was the past, we are not going back to it.
(Score: 2) by RamiK on Wednesday February 24 2021, @05:01PM
Not to worry. Thanks to CPU aided DRM it's now possible for the ad-networks to develop and deploy binary closed source DRM modules that will issue, verify and sign the cookies and logs much like how video DRM plugins work in your browser.
Making progress.
Server-side ad insertion is standard practice with video streaming. Once the incentives kick-in they'll implement the above DRM scheme.
What's old is new again.
compiling...
(Score: 4, Interesting) by bzipitidoo on Wednesday February 24 2021, @12:00PM (8 children)
One kind of cookie I very much dislike is the sort that counts how many times you've visited the originating site, so that sites such as NYT and WaPo can scold you that you've used all the free visits you're allowed and must now subscribe or register or whatever. I frequently delete those. I find it very cheeky of them to get my own browser and computer to aid them in those schemes. Make my own stuff rat me out. It's the very essence of Treacherous Computing.
In contrast, I have never run into any scolding for having visited, say, the Pirate Bay, TorrentFreak, Sci-Hub, a far right news/propaganda site, a pr0n site, or anything else that some might consider naughty and/or subversive. No doubt I have been tracked. Still, can do somewhat to mitigate the tracking, such as, using separate user profiles or user accounts. Only visit site x while logged in as user x. There's a whole lot more tracking going on than that done by cookies. Browsers keep history, cache, and, if you use it, passwords and user IDs. There's also fingerprinting. Lots of stuff that can potentially be used to track you.
(Score: 2) by inertnet on Wednesday February 24 2021, @12:19PM (2 children)
I use a VPN for "none of your business" related stuff, like for instance health related searches. And porn of course.
(Score: 1, Informative) by Anonymous Coward on Wednesday February 24 2021, @01:24PM (1 child)
Doesn’t stop browser fingerprinting.
(Score: 2) by inertnet on Wednesday February 24 2021, @01:54PM
No, but browsing can't be traced back to me because I don't use any accounts and only use this VPN in a separate VM. Otherwise a VPN would be pointless.
(Score: 2) by c0lo on Wednesday February 24 2021, @02:19PM
Understandable, those are low budget organizations. I reckon they outsourced the scolding to NSA or other TLA.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by SpockLogic on Wednesday February 24 2021, @02:26PM
You might find Cookie AutoDelete a useful addition to your browsing armory.
"Firefox and Chrome WebExtension that deletes cookies and other browsing site data as soon as the tab closes, domain changes, browser restarts, or a combination of those events."
https://github.com/Cookie-AutoDelete/Cookie-AutoDelete [github.com]
Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
(Score: 1, Informative) by Anonymous Coward on Wednesday February 24 2021, @02:35PM
Use Brave.
The default settings get rid of most of this junk. If necessary you can add even more restrictions on a per site basis with literally two clicks. For instance the NYTimes runs a whole ton of crapware on their site so it's a good place to disable scripts. Interestingly enough their site is also just about fully functional with all the crapware disabled, including comments and what not - though that part requires a hair more work.
The "ad replacement" stuff for Brave is opt-in, and I would not recommend opting in to it. Beyond that you basically get a hyper-fast Chrome since it's based on the exact same base engine with a whole bunch of stuff (ad-blocker, TOR browser, fingerprint protection, cookie manager, etc, etc) built in. First browser, I never had to rely on extensive extensions to get to a usable state.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @05:01PM
The NYT is up to some shady stuff. I have NoScript on and yet when I visit certain pages [nytimes.com] it magically switches itself to Temp. Trusted in front of my eyes, activating the paywall.
(Score: 1) by hemocyanin on Thursday February 25 2021, @04:10AM
Among other things, I have NYT and WaPo in my /etc/hosts file -- honestly, I'd rather hear about why I need a car warranty than provide clicks to the people telling me why we need to extend the wars we have and start new ones.
(Score: 2, Funny) by Anonymous Coward on Wednesday February 24 2021, @12:02PM (1 child)
{ultimate; extended; additional; extra; enhanced} cookie protection {plus; gold; platinum}
but wait there is more...
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @05:04PM
I love me some premium services. Where may I sign up to autopay?
(Score: 1, Insightful) by Anonymous Coward on Wednesday February 24 2021, @02:08PM (12 children)
https://hacks.mozilla.org/2021/02/introducing-state-partitioning/ [mozilla.org]
In a nutshell, they are sandboxing cookies on a per-domain basis except if you meet certain criteria, after which they join the sandboxes. Of course that means that they will have to maintain a white-list. Three guesses who is going to be in that white-list, and the first two don't count.
I don't think there is really much of a question about whether cross-site authentication was introduced precisely to make the market resistant to any regime where user privacy was respected. If you can't run a web site without being punitively affected by the market aggregation of cross-site authentication services (ie. you use it because you have to, not because you want to), then that is certainly the kind of thing that anti-trust law was created for.
IOW, if you have to white-list certain vendors and integrate them into your software in order to be a player in the market, then they are monopolies by definition.
(Score: 2) by SomeGuy on Wednesday February 24 2021, @02:41PM (7 children)
So is there any way to manually tell Firefox that you actually DON'T want these "officially" white-listed sites as part of the sandbox?
Let me guess, there are actually "protections" in place to prevent that?
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @02:59PM (4 children)
The browser is still open source. Fix it yourself.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @03:06PM
I did but as soon as I forked it my dog dyed her hair blue and insisted that I give all my money to homeless transvestites, growling something about a Code of Conduct. Ballmer was right: open source is a cancer.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @04:16PM
Yeah, Mozilla is going to take a patch that pisses in Google's cornflakes. That'll happen /s
(Score: 3, Funny) by Tork on Wednesday February 24 2021, @05:51PM (1 child)
Heh. "Could someone please spend some unpaid hours fixing my browser?"
🏳️🌈 Proud Ally 🏳️🌈
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @07:05PM
Are you dense? Fix it yourself, or pay someone to care.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @04:39PM
I'm running v86 and I am not seeing any such controls in the controls panel. If anything like that exists, it is undocumented. Which is true with much of the built in exploit-bait that is firefox.
Given that both Chrome and FF are free, and that Google funds mozilla, there is some question in my mind about how independent Mozilla really is. If Chrome is a product line of Google, and is paid for by Google, and Firefox is paid for by Google, and provides services to Google (in the fashion of making commodity user data available to Google), then doesn't that make Firefox a product line of Google?
The products are technically different, but so are GMC and Chevy pickups. That doesn't make GMC a 501-3c. The consistent conformance with Google's interests suggests a contractor rather than donee relationship.
(Score: 1) by hemocyanin on Thursday February 25 2021, @04:14AM
I have the "self-destructing cookies" addon and have it set to destroy cookies when I close a tab. It's not a perfect solution but better than nothing so long as you remember to kill the tab and open a new one rather than do a string of things in one tab.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @03:18PM (3 children)
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @04:40PM
Your 401(k)/bank/... site begs to differ. As much as I would like to agree with the whole "vote with your feet", the reality doesn't match up with that expectation. The whole "It's not us, it's you and you should change" is unidirectional from sites/companies to their consumers.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @04:42PM
I agree with this. There are certain things that SHOULD break. Cross-site auth provided by the big vendors is a bridge too far, and the vendors who do it should get spanked for it.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @10:28PM
at least have the option. i'm glad they are segregating cookies by domain finally.
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @03:03PM (1 child)
I would force sites to share cookie data with me over a back channel, otherwise I would not pay them.
(Score: 2) by PiMuNu on Wednesday February 24 2021, @06:21PM
Does google analytics harvest cookie data? Does that work around this stuff?
(Score: 2) by tangomargarine on Wednesday February 24 2021, @04:04PM (1 child)
N/A
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Wednesday February 24 2021, @04:46PM
Turn that frown... upside down: Someone has found a workaround 5, 6, 7, .... seconds ago