1598969 - Block trackers using CNAME Cloaking (1st-party tracker blocking)

Status: RESOLVED WONTFIX

(Core :: Privacy: Anti-Tracking, enhancement, P3)

Description

[Asif Youssuff]

As per articles like https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a and https://github.com/uBlockOrigin/uBlock-issues/issues/780

It'd be nice if Firefox would automatically block first party trackers using CNAME cloaking to hide the tracking entity.

Comment 4

[(no longer active)]

Attachment: Sneak peak

Screenshot from my local build which has a fix for this bug applied.

When visiting walmart.com, a tracking pixel is loaded from https://omniture-ssl.walmart.com, which is a CNAME alias to walmart.com.ssl.d1.sc.omtrdc.net. ETP restrictions are applied to this tracking pixel (notice in the screenshot: no Cookie header, trimmed Referer header, devtools showing resource as coming from a tracker.)

Comment 5

[Asif Youssuff]

This is landing in Brave soon: https://brave.com/privacy-updates-6/

Comment 6

[Steven Englehardt [:englehardt]]

Defenses shipped by Safari: https://webkit.org/blog/11338/cname-cloaking-and-bounce-tracking-defense/.

Comment 7

[Simon Mainey]

FYI: https://thehackernews.com/2021/02/online-trackers-increasingly-switching.html

Wouldn't incorrect partyness have consequences e.g. for heuristics, despite ETP's dFPI (in strict mode)

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The bug assignee didn't login in Bugzilla in the last 7 months.
:timhuang, could you have a look please?
For more information, please visit auto_nag documentation.

Comment 9

[Mizanur Rahman]

home guide master is my <a href="https://homeguidemaster.com/best-grill-accessories-kit/">website</a>,
you can visit my website and content.

Comment 10

[Mizanur Rahman]

(In reply to Mizanur Rahman from comment #9)

home guide master is my https://homeguidemaster.com/best-grill-accessories-kit/,
you can visit my website and content.

Comment 11

[Europeflyscreen]

Unsupported post request. Object with ID '1379468732474099' does not exist, cannot be loaded due to missing permissions, or does not support this operation. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api for https://bit.ly/3zz0W6D

Comment 12

[Europeflyscreen]

(In reply to Europeflyscreen from comment #11)

Unsupported post request. Object with ID '1379468732474099' does not exist, cannot be loaded due to missing permissions, or does not support this operation. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api for more information https://bit.ly/3zz0W6D

Comment 13

[Benjamin VanderSloot [:bvandersloot]]

So we have moved slowly on this for a variety of reasons. The upside is that this provided us with a clear view of the second-order effects of blocking CNAMEs. One of the reactions we see is trackers asking for A records in the first-party's namespace, rather than CNAMES. This is an escalation by trackers that seems unwise to escalate against- I don't think it is wise to maintain an IP address blocklist or to try to identify proxying schemes by trackers that may crop up if we do.

We also see that CNAMEs can be a useful tool for solving legitimate use cases that are broken by third-party cookie deprecation, e.g. a third-party login provider. However, because of open issues around CNAMEs, potentially legitimate users hesitate to employ CNAMEs, in fear that their use case will be disabled by antitracking teams. This is also less than good.

The good news is that TCP is now enabled for all users by default. This greatly reduces the efficacy of tracking across first parties. And we can still add domains that are CNAMEd to trackers to our blocklist independently, which will require more effort but is an avenue available that maintains current abstractions over the network layer by antitracking.

Given all of this, we are making the tough call to WONTFIX this. However, if the conditions change such that CNAME tracking becomes critical despite TCP, we will change course.