Mozilla beefs up anti-cross-site tracking in Firefox, as Chrome still lags on privacy
Enhanced Privacy in Firefox: Total Cookie Protection
Mozilla has significantly strengthened anti-tracking capabilities within its Firefox browser. A recent blog post detailed the introduction of an additional layer of anti-cookie tracking integrated into Firefox 86’s enhanced tracking protection (ETP) strict mode, now termed “Total Cookie Protection” (TCP).
A Major Step Forward in Privacy
Mozilla characterizes this development as a “major privacy advance,” designed to thwart cross-site tracking by isolating third-party cookies on a per-website basis.
How Total Cookie Protection Works
The concept, as Mozilla explains, is akin to utilizing separate cookie containers for each website visited. Consequently, cookies from a platform like Facebook will not be stored alongside those from an online retailer, for example.
Comprehensive Data Partitioning
According to Mozilla, this new privacy feature “provides comprehensive partitioning of cookies and other site data between websites” within the Firefox browser.
Combating "Supercookies" and Cross-Site Tracking
Combined with a previously announced anti-tracking feature targeting so-called “supercookies” – trackers that employ obscure methods to store user IDs in browser components like Flash storage, ETags, and HSTS flags – these features collectively aim to “prevent websites from being able to ‘tag’ your browser,” thereby eliminating prevalent cross-site tracking methods.
Exceptions for Legitimate Cross-Site Cookies
A “limited exception” exists for cross-site cookies when they are essential for non-tracking functions. Mozilla cites popular third-party login providers as an example.
Maintaining User Experience
“Only when Total Cookie Protection detects that you intend to use a provider, will it grant that provider permission to utilize a cross-site cookie specifically for the site you are currently accessing,” Mozilla explains. “Such momentary exceptions ensure robust privacy protection without disrupting your browsing experience.”
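The per-site "cookie container" idea and the login-provider exception can be shown with a small model. This is an added example, not Mozilla's code: the `CookieStore` class, the `^` jar-key format and the `.example` site names are all assumptions made for illustration.

```javascript
// Simplified model of per-site cookie jars (illustration only, not Firefox code).
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.jars = new Map();   // jar key -> Map(cookie name -> value)
    this.grants = new Set(); // "topSite|cookieSite" pairs given an exception
  }
  // First-party use, an unpartitioned store, or a granted exception all map to
  // the cookie site's own jar; anything else gets a jar scoped to the top site.
  jarKey(topSite, cookieSite) {
    const shared = !this.partitioned || topSite === cookieSite ||
      this.grants.has(`${topSite}|${cookieSite}`);
    return shared ? cookieSite : `${cookieSite}^${topSite}`;
  }
  grant(topSite, cookieSite) { this.grants.add(`${topSite}|${cookieSite}`); }
  set(topSite, cookieSite, name, value) {
    const key = this.jarKey(topSite, cookieSite);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  get(topSite, cookieSite, name) {
    return this.jars.get(this.jarKey(topSite, cookieSite))?.get(name);
  }
}

// An embedded tracker reuses its "uid" cookie if it can read one, else mints one.
function trackerVisit(store, topSite, counter) {
  let uid = store.get(topSite, "tracker.example", "uid");
  if (uid === undefined) {
    uid = `uid-${++counter.n}`;
    store.set(topSite, "tracker.example", "uid", uid);
  }
  return uid;
}

// Returns the IDs the tracker sees on two unrelated sites.
function crossSiteIds(partitioned) {
  const store = new CookieStore(partitioned), counter = { n: 0 };
  return [trackerVisit(store, "shop.example", counter),
          trackerVisit(store, "news.example", counter)];
}

// A login provider embedded on shop.example sees its session only after a grant.
function loginException() {
  const store = new CookieStore(true);
  store.set("idp.example", "idp.example", "session", "s1"); // first-party login
  const before = store.get("shop.example", "idp.example", "session");
  store.grant("shop.example", "idp.example");
  const after = store.get("shop.example", "idp.example", "session");
  const elsewhere = store.get("news.example", "idp.example", "session");
  return { before, after, elsewhere };
}
```

Without partitioning the tracker reads the same ID on both sites; with it, each site yields a different ID, and the grant applies only to the one site where it was given.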
The Ongoing Arms Race Against Adtech
Tracker blocking has consistently been a dynamic challenge against the adtech industry’s commitment to monitoring web users and resisting consent for online tracking. Significant resources are continually invested in developing innovative techniques to circumvent privacy measures.
Browser Makers Taking a Stronger Stance
This battle has intensified in recent years as browser developers adopt more assertive pro-privacy and anti-tracker positions.
Mozilla’s History of Tracker Blocking
Mozilla initiated default tracker blocking in 2018 and subsequently made ETP the default in Firefox in 2019, blocking cookies from companies identified as trackers by its partner, Disconnect.
Apple’s Intelligent Tracking Prevention
Apple’s Safari browser introduced “Intelligent Tracking Prevention” (ITP) in 2017, utilizing machine learning to identify trackers and segregate cross-site scripting data to safeguard user browsing history.
Google’s Phased Approach to Third-Party Cookies
In January 2020, Google announced plans to phase out support for third-party cookies in Chrome, with a projected timeline of two years. However, the company is still developing its “privacy sandbox” project, currently under scrutiny by U.K. antitrust regulators.
Responding to Market Trends
Google began making privacy-focused announcements in 2019, responding to growing concerns about online privacy and the actions of other browser developers.
Temporary Rollbacks and Renewed Efforts
In April of last year, Google temporarily reversed a change that had restricted access to third-party cookies, citing pandemic-related concerns about website functionality. This change was reinstated in July.
Chrome’s Lagging Position
Despite these efforts, Google is often considered to be behind other browser makers in implementing robust privacy protections.
Market Share Implications
Given Chrome’s dominant market share, a significant portion of web users remain vulnerable to increased tracking compared to those using more privacy-focused browsers.
The Persistent Need for Innovation
As Mozilla’s latest feature demonstrates, the effort to counter adtech’s disregard for privacy is an ongoing process without a definitive endpoint. Therefore, a slow response to privacy concerns is comparable to offering minimal privacy protection.
Emerging Threats: CNAME Tracking
A concerning development, outside the realm of third-party cookies, is detailed in a recent research paper analyzing CNAME tracking – a DNS-based anti-tracking evasion technique. The study found that the use of this method has increased by approximately 20% in under two years.
Concerns About “Unblockable” Tracking
CNAME tracking has been a source of concern since around 2019, when developers first observed its use on a French newspaper website. Its prevalence has been steadily rising, according to the research.
How CNAME Tracking Works
In essence, CNAME tracking disguises the tracker by embedding it within the first-party context of the visited website, utilizing a subdomain that acts as an alias for the tracker domain.
DNS Delegation and Security Implications
As explained by researcher Lukasz Olejnik, “This scheme works thanks to a DNS delegation. Most often it is a DNS CNAME record. The tracker technically is hosted in a subdomain of the visited website.”
This approach can “fool fundamental web security and privacy protections,” leading browsers to treat the tracker as legitimate first-party content.
Unlocking Access to First-Party Cookies
This misclassification grants trackers access to first-party cookies, which can then be transmitted to remote servers, enabling surveillance and data collection.
Criteo and Circumventing Apple’s ITP
The researchers discovered that one tracker provider, Criteo, reverted to using the CNAME cloaking scheme specifically when detecting the Safari browser, presumably to bypass Apple’s ITP.
Broad Cookie Leaks
The paper also highlights the potential for “broad cookie leaks” due to the current web architecture, allowing unrelated cookies to be sent to the tracker subdomain.
Historical Concerns and Escalating Risks
Olejnik documented this issue as early as 2014, but the problem has since escalated significantly. “As the tip of the iceberg, we found broad data leaks on 7,377 websites. Some data leaks happen on almost every website using the CNAME scheme (analytics cookies commonly leak). This suggests that this scheme is actively dangerous. It is harmful to web security and privacy.”
Widespread Cookie Leaks
The researchers found cookies leaking on 95% of the studied websites.
Sensitive Information Exposure
In some cases, leaked information included private or sensitive data, such as a user’s full name, location, email address, and even authentication cookies.
Web Security Vulnerabilities
The paper also raises concerns about web security, particularly when CNAME trackers are served over HTTP instead of HTTPS, potentially enabling man-in-the-middle attacks.
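The leak follows from ordinary cookie scoping, as this added example shows (it is not code from the paper). The cookie names, values and `shop.example` hosts are constructed, and the model covers only the Domain and Secure attributes, ignoring Path, SameSite and expiry.

```javascript
// Constructed cookies as a site at www.shop.example might set them.
// domain: null means a host-only cookie (no Domain attribute was given).
const SAMPLE_COOKIES = [
  { name: "_analytics_id", setBy: "www.shop.example", domain: "shop.example", secure: false },
  { name: "session",       setBy: "www.shop.example", domain: "shop.example", secure: true },
  { name: "__Host-auth",   setBy: "www.shop.example", domain: null,           secure: true },
  { name: "prefs",         setBy: "www.shop.example", domain: null,           secure: false },
];

// RFC 6265 domain-match: identical, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, cookies = SAMPLE_COOKIES) {
  const { hostname, protocol } = new URL(url);
  return cookies
    // Host-only cookies go back only to the exact host that set them.
    .filter((c) => (c.domain === null ? hostname === c.setBy
                                      : domainMatch(hostname, c.domain)))
    // Secure cookies are withheld from plain-HTTP requests.
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => c.name);
}

// What a CNAME-cloaked subdomain (hypothetical metrics.shop.example) receives.
function leakReport() {
  return {
    overHttps: cookiesSentTo("https://metrics.shop.example/collect"),
    overHttp: cookiesSentTo("http://metrics.shop.example/collect"),
  };
}
```

Cookies scoped to the whole domain reach the cloaked subdomain, while host-only cookies stay with the host that set them; over plain HTTP the non-Secure cookie still travels in cleartext.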
Defending Against CNAME Cloaking
The researchers emphasize that defending against CNAME cloaking will require significant browser updates and new techniques. Currently, Firefox offers some defense, while Chrome does not.
Safari and Brave’s Efforts
WebKit engineers, responsible for Apple’s Safari browser, are working on enhancements to ITP to counteract CNAME tracking. The Brave browser also implemented changes last fall to combat the technique.
Brave’s Recursive DNS Checks
“In Brave 1.17, Brave Shields will now recursively check the canonical name records for any network request that isn’t otherwise blocked using an embedded DNS resolver. If the request has a CNAME record, and the same request under the canonical domain would be blocked, then the request is blocked. This solution is on by default, bringing enhanced privacy protections to millions of users.”
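The cloaking scheme described earlier and the recursive check quoted above can be sketched as follows. This is an added example, not Brave's implementation: the DNS records, the blocklist entry and all function names are constructed, and a static map stands in for a real resolver.

```javascript
// Constructed DNS data: hostname -> CNAME target (absent = no CNAME record).
const SAMPLE_CNAMES = new Map([
  ["metrics.news.example", "news-example.collector.tracker.example"],
  ["news-example.collector.tracker.example", "edge7.cdn.tracker.example"],
  ["static.news.example", "news.cdn-host.example"],
  ["loop-a.news.example", "loop-b.news.example"],
  ["loop-b.news.example", "loop-a.news.example"],
]);
const SAMPLE_BLOCKLIST = new Set(["tracker.example"]); // constructed filter list

const normalize = (h) => h.toLowerCase().replace(/\.$/, "");

// Follow CNAME records from `host`, stopping on a loop or after maxDepth hops.
function canonicalChain(host, cnames, maxDepth = 8) {
  const chain = [normalize(host)];
  const seen = new Set(chain);
  while (chain.length <= maxDepth) {
    const target = cnames.get(chain[chain.length - 1]);
    if (target === undefined) break;
    const next = normalize(target);
    if (seen.has(next)) break; // CNAME loop: stop rather than spin
    seen.add(next);
    chain.push(next);
  }
  return chain;
}

// True when `host` or any parent domain (excluding the bare TLD) is listed.
function isListed(host, blocklist) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Block a request if any name in its CNAME chain is listed; `cloaked` marks
// the case where the requested name itself looked first-party.
function checkRequest(host, cnames = SAMPLE_CNAMES, blocklist = SAMPLE_BLOCKLIST) {
  const chain = canonicalChain(host, cnames);
  const matched = chain.find((name) => isListed(name, blocklist)) ?? null;
  return { blocked: matched !== null,
           cloaked: matched !== null && matched !== chain[0], matched, chain };
}
```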
Chrome’s Need for Action
The researchers stress that Chrome, with its large market share, needs to address this issue.
Supplementing Existing Tracking Methods
Tom Van Goethem, one of the paper’s authors, explained that their data indicates publishers using CNAME tracking are doing so to supplement other, more conventional third-party tracking methods.
Incremental Tracking Capabilities
“Our data shows that publishers who adopt CNAME-based already have a considerable number of trackers (20+ per site on average), and find that this number of trackers remains stable over time. This indicates that CNAME-based tracking is not used as a replacement of the typical third-party tracking, but rather to increment their tracking capabilities, e.g. targeting users with anti-tracking mechanism,” he stated.
Safari as a Catalyst
The researchers speculate that the rise in CNAME cloaking is partly due to trackers attempting to circumvent Apple’s strict anti-tracking protections in Safari.
The Need for Comprehensive Defenses
Van Goethem emphasized the importance of deploying multiple defenses to combat various tracking techniques effectively.
Total Cookie Protection and CNAME Tracking
While Firefox’s new TCP feature doesn’t directly address CNAME-based tracking, it does protect against cookie syncing between sites that employ first-party tracking.
Beyond Cookies: Fingerprinting
Other tracking methods, such as device fingerprinting and ephemeral fingerprinting, can bypass browser-based defenses against cookie-based tracking. Therefore, comprehensive protection is essential.
Raising Awareness and Incentivizing Action
The researchers hope their analysis will raise awareness and encourage browser vendors and users to advance defenses against CNAME tracking.
Potential Security Risks
“Furthermore, we hope that our study will highlight the potential security impact that publishers face by including CNAME-based trackers. Throughout our study we discovered two security issues that affect all visitors of publisher sites; in one case the issue is still not fixed (despite multiple attempts of reaching out to the tracker to report the vulnerability), putting visitors of hundreds of websites at risk.”
Regulatory Intervention
Regulatory action and enforcement could also play a role in curbing the use of the CNAME technique.
This report was updated with additional comment.
Natasha Lomas