Firefox provides the same ID at each execution for supercookies tracking
Categories
(Core :: Privacy: Anti-Tracking, defect, P3)
People
(Reporter: pachainti, Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Hi,
Firefox, since 85+, provides supercookie protection https://blog.mozilla.org/security/2021/01/26/supercookie-protections/. However, according to this test https://github.com/jonasstrehle/supercookie, the protection works well on GNU/Linux, but it fails on Windows and macOS.
Actual results:
Firefox provides the same ID at each execution. In particular, sometimes it works and other times it does not.
Expected results:
Firefox should provide a different ID at each execution https://github.com/jonasstrehle/supercookie
Comment 1•4 years ago
The supercookie protection that Firefox is adopting is based on partitioning the network state. Firefox will isolate the network state by the first-party domain. In other words, the tracking script can still build up supercookies, but they can only be fetched within the same top-level. For example, if foo.com uses a script to create supercookies, they won't exist under bar.com. So, trackers won't be able to use supercookies to track the browsing history.
So, it's fine to see the same ID under the same domain. What we don't want to see is that the same ID is shown under another site using the same script.
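The partitioning described in comment 1, as an added example that is not part of the original bug thread and is not Firefox code: a toy cache model showing the same ID under one top-level site and a different one under another. `HttpCache`, `makeTracker`, `simulate` and `tracker.example` are hypothetical names, and the partition key is simplified to the top-level hostname.

```javascript
// Toy model of an HTTP cache; not Firefox code. All names here are hypothetical.
class HttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  // Assumption: the partition key is simplified to the top-level page's hostname.
  key(topLevelUrl, resourceUrl) {
    const site = this.partitioned ? new URL(topLevelUrl).hostname : "";
    return `${site}|${resourceUrl}`;
  }
  // Return the cached body, or ask the "server" and cache the answer on a miss.
  load(topLevelUrl, resourceUrl, fetchFromServer) {
    const k = this.key(topLevelUrl, resourceUrl);
    if (!this.entries.has(k)) this.entries.set(k, fetchFromServer());
    return this.entries.get(k);
  }
}

// Constructed tracker endpoint: hands out a fresh ID on every uncached request.
function makeTracker() {
  let next = 1;
  return () => `id-${next++}`;
}

// Visit foo.com twice and bar.com once; both embed the same tracker resource.
function simulate(partitioned) {
  const cache = new HttpCache(partitioned);
  const server = makeTracker();
  const res = "https://tracker.example/id.js";
  return {
    fooFirst: cache.load("https://foo.com/", res, server),
    fooAgain: cache.load("https://foo.com/page2", res, server),
    bar: cache.load("https://bar.com/", res, server),
  };
}

const legacy = simulate(false);   // one shared cache: the ID follows the user across sites
const isolated = simulate(true);  // per-site cache: stable on foo.com, different on bar.com
console.log("unpartitioned:", legacy);
console.log("partitioned:  ", isolated);
```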
Well. Can you clarify why under GNU/Linux and Android 9 and 10 and Firefox 85+, the ID changes automatically? I already tried to create a fresh profile without any customization and extension, but the behaviour is the same.
Comment 3•4 years ago
(In reply to pachainti from comment #2)
> Well. Can you clarify why under GNU/Linux and Android 9 and 10 and Firefox 85+, the ID changes automatically? I already tried to create a fresh profile without any customization and extension, but the behaviour is the same.
Tim, can you look into why this testcase doesn't pass/fail reliably?
Comment 4•4 years ago
Sure, I can dig into this.
Bug 1618257 would explain why it doesn't work in some cases. That bug contains conflicting reports though, possibly due to platform differences.
I investigated their claim that "Clear Website Data" does not change the ID. I confirmed this, and it appears that the network partitioned cache is not being cleared (Bug 1541885).
Are you talking about this page https://supercookie.me/? For me it works.
Comment 9•3 years ago
It works again. Weird. I couldn't get an ID this morning.
Comment 10•3 years ago (Reporter)
Any update?