
Brave browser first to nix CNAME deception, the sneaky DNS trick used by marketers to duck privacy controls


steven36


Next release will block third-party trackers posing as first-party resources

 


 

The Brave web browser will soon block CNAME cloaking, a technique used by online marketers to defy privacy controls designed to prevent the use of third-party cookies.

 

The browser security model makes a distinction between first-party domains – those being visited – and third-party domains – from the suppliers of things like image assets or tracking code, to the visited site. Many of the online privacy abuses over the years have come from third-party resources like scripts and cookies, which is why third-party cookies are now blocked by default in Brave, Firefox, Safari, and Tor Browser.

 

Microsoft Edge, meanwhile, has a tiered scheme that defaults to a "Balanced" setting, which blocks some third-party cookies. Google Chrome has implemented its SameSite cookie scheme as a prelude to its planned 2022 phase-out of third-party cookies, maybe.

 

While Google tries to win support for its various Privacy Sandbox proposals, which aim to provide marketers with ostensibly privacy-preserving alternatives to increasingly shunned third-party cookies, marketers have been relying on CNAME shenanigans to pass their third-party trackers off as first-party resources.

 

The developers behind open-source content blocking extension uBlock Origin implemented a defense against CNAME-based tracking in November and now Brave has done so as well.

CNAME by name, cookie by nature

In a blog post on Tuesday, Anton Lazarev, research engineer at Brave Software, and senior privacy researcher Peter Snyder, explain that online tracking scripts may use canonical name DNS records, known as CNAMEs, to make associated third-party tracking domains look like they're part of the first-party websites actually being visited.

 

They point to the site https://mathon.fr as an example, noting that without CNAME uncloaking, Brave blocks six requests for tracking scripts served by ad companies like Google, Facebook, Criteo, Sirdan, and Trustpilot.

 

But the page also makes four requests via a script hosted at a randomized path under the first-party subdomain 16ao.mathon.fr.

 

"Inspection outside of the browser reveals that 16ao.mathon.fr actually has a canonical name of et5.eulerian.net, meaning it’s a third-party script served by Eulerian," observe Lazarev and Snyder.

 

When Brave 1.17 ships next month (currently available as a developer build), it will be able to uncloak the CNAME deception and block the Eulerian script.

 

Other browser vendors are planning related defenses. Mozilla has been working on a fix in Firefox since last November. And in August, Apple's Safari WebKit team proposed a way to prevent CNAME cloaking from being used to bypass the seven-day cookie lifetime imposed by WebKit's Intelligent Tracking Protection system.

 

Source

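The uncloaking check the article describes, as an added example that is not part of the original post and is not Brave's or uBlock Origin's code: the blocklist is applied to every name in a request host's CNAME chain, not only to the hostname in the URL. The DNS table is constructed for the demo (only the 16ao.mathon.fr record comes from the article), the one-entry blocklist and all function names are assumptions, and plain suffix matching stands in for a real filter-list engine.

```javascript
// Constructed DNS data: the first record is the one quoted in the article;
// the others are made up so the example runs offline.
const CNAME_RECORDS = new Map([
  ["16ao.mathon.fr", "et5.eulerian.net"],
  ["cdn.shop.example", "edge.cdn-host.example"], // benign CDN alias
  ["a.loop.example", "b.loop.example"],          // misconfigured loop
  ["b.loop.example", "a.loop.example"],
]);

// Assumed blocklist of tracker domains (single entry, named in the article).
const TRACKER_DOMAINS = ["eulerian.net"];

// Lowercase and drop a trailing root dot so comparisons are stable.
const normalize = (host) => host.toLowerCase().replace(/\.$/, "");

// True if host equals a listed domain or is a subdomain of it.
function isListed(host, list = TRACKER_DOMAINS) {
  return list.some((d) => host === d || host.endsWith("." + d));
}

// Follow CNAME records from host toward its canonical name,
// stopping on a loop or after maxDepth hops.
function cnameChain(host, records = CNAME_RECORDS, maxDepth = 8) {
  const chain = [normalize(host)];
  const seen = new Set(chain);
  while (chain.length <= maxDepth) {
    const target = records.get(chain[chain.length - 1]);
    if (!target) break;
    const next = normalize(target);
    if (seen.has(next)) break;
    seen.add(next);
    chain.push(next);
  }
  return chain;
}

// Classify a request: "cloaked" is true when the URL hostname itself is not
// listed but a name further along its CNAME chain is.
function classifyRequest(requestHost) {
  const chain = cnameChain(requestHost);
  const hit = chain.find((name) => isListed(name));
  if (!hit) return { action: "allow", chain };
  return { action: "block", cloaked: hit !== chain[0], matched: hit, chain };
}
```

With live DNS, the table lookup in `cnameChain` would be replaced by a resolver query for the host's CNAME record.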


16 minutes ago, caraid said:

From the viewpoint of security, it's better if we use open-source browsers such as Mozilla's Firefox.

Brave is an open-source browser made by a co-founder of Mozilla Firefox and inventor of JavaScript.

 

You can review everything they do right here

https://github.com/brave/brave-browser

 

 

When closed-source browsers with lots of users add things that block marketers, they face antitrust scrutiny; only open-source ones can get away with it without having to fight in court about it. Your opinion about open source is only valued in the open-source community and privacy community. The masses are going to use Google Chrome and Apple Safari; most don't even read tech news, and the ones that do are fanboys, so you're fighting a losing battle here. It's yet to be seen whether the Government can control them, and the masses could care less about privacy.



Archived

This topic is now archived and is closed to further replies.
