Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
The Internet Privacy Security

Brave Browser First To Nix CNAME Deception (theregister.com) 47

An anonymous reader quotes a report from The Register: The Brave web browser will soon block CNAME cloaking, a technique used by online marketers to defy privacy controls designed to prevent the use of third-party cookies. The browser security model makes a distinction between first-party domains -- those being visited -- and third-party domains -- from the suppliers of things like image assets or tracking code, to the visited site. Many of the online privacy abuses over the years have come from third-party resources like scripts and cookies, which is why third-party cookies are now blocked by default in Brave, Firefox, Safari, and Tor Browser.

In a blog post on Tuesday, Anton Lazarev, research engineer at Brave Software, and senior privacy researcher Peter Snyder, explain that online tracking scripts may use canonical name DNS records, known as CNAMEs, to make associated third-party tracking domains look like they're part of the first-party websites actually being visited. They point to the site https://mathon.fr/ as an example, noting that without CNAME uncloaking, Brave blocks six requests for tracking scripts served by ad companies like Google, Facebook, Criteo, Sirdan, and Trustpilot. But the page also makes four requests via a script hosted at a randomized path under the first-party subdomain 16ao.mathon.fr. When Brave 1.17 ships next month (currently available as a developer build), it will be able to uncloak the CNAME deception and block the Eulerian script.
Other browser vendors are planning related defenses. "Mozilla has been working on a fix in Firefox since last November," notes The Register. "And in August, Apple's Safari WebKit team proposed a way to prevent CNAME cloaking from being used to bypass the seven-day cookie lifetime imposed by WebKit's Intelligent Tracking Protection system."
This discussion has been archived. No new comments can be posted.

Brave Browser First To Nix CNAME Deception

Comments Filter:
  • by The New Guy 2.0 ( 3497907 ) on Thursday October 29, 2020 @07:26PM (#60664154)

    Some form of cross-domain user tracking is needed for DoubleClick and Commission Junction to do their work... they've got to tie the ad seen on a site to the sponsor getting a sale.

    As these techniques go away, another one pops up. It has to, otherwise news sites would complain.

  • by davidwr ( 791652 ) on Thursday October 29, 2020 @07:37PM (#60664166) Homepage Journal

    The day will come when - for the sake of money - ads will be routed through the hosting web site.

    So an ad that appears on www.example.com's web page that's a 3rd party or "CNAME cloaked" ad today will be routed through the www.example.com server.

    Inefficient? Yes. More costly to deliver? Yes. Harder to block? Yes.

    • I’m fine with that, because it’ll stop letting these sites feign ignorance regarding all the crap their web pages are trying to force down our throats.

      And, unless they start hard-coding the ads in honest-to-goodness html rather than relying on scripts to generate them on the fly, they’ll still be easy enough to block.

      • by Tailhook ( 98486 )

        It’ll stop letting these sites feign ignorance

        No it won't. They'll still blame the advertisers and claim ignorance. The technical nuances won't end that.

    • The day will come when - for the sake of money - ads will be routed through the hosting web site.

      So an ad that appears on www.example.com's web page that's a 3rd party or "CNAME cloaked" ad today will be routed through the www.example.com server.

      Inefficient? Yes. More costly to deliver? Yes. Harder to block? Yes.

      I, personally, see that as a plus. That means that websites can't pawn off adding ads and the responsibility of making sure the ads are not bad (i.e. not ones that block the page, forces you to a different page, etc.) and the cost onto some third party. I feel like a lot of [large company] websites these days feign ignorance when it comes to bad/unsavory/controversial /intrusive/resource hog/large (in memory size) ads because they can just pawn the responsibility off. Maybe if it costs them something, they'

      • Unless they essentially set up their website's server to act as a proxy for certain url patterns. In which case, the advertisers get everything they want and XSS becomes literally impossible to prevent. I'm not saying what we have now is acceptable, advertising no the internet is absolutely garbage and the fact that online advertisers won't accept anything less is bullshit. 10 years ago we didn't have any of this and even today we don't have any of this on any other platform (radio, tv, newspapers, posters,
      • Comment removed (Score:4, Insightful)

        by account_deleted ( 4530225 ) on Thursday October 29, 2020 @09:20PM (#60664456)
        Comment removed based on user account deletion
        • This will never happen. What you're suggesting is that for this technical change to be made, every organization that puts up a website will have its own advertising department, selling advertisements. That's not sustainable, it's not possible for the vast majority of ad supported websites

          And yet that is how it worked for many years before the internet. Either you work for Facebook/Google or you've bought into their business model.

          • Comment removed based on user account deletion
            • You want us to go back to the days of having a handful of publishers who gatekeep every single thing we read and watch? Either you work for Facebook/Google or you've bought into their business model.

              Wait, what? The original comment is literally referring to a time where large corporations like Facebook and Google didn't exist and NO ONE had the same gatekeeping power on data and info like they do now. Like isn't that your point? Wasn't that your goal?

              In which case, you must work for Fox or Comcast as, based upon your original comment, you clearly want us to go back to the bad old days when only a handful of corporations were able to economically publish content we read.

              Wait, what? That's why the internet became so well-loved and used in it's introduction to the general public. Because there WAS NO handful of large corporations controlling what can be published AND there was virtually no cost to "publishing content". (ISP

        • by mwvdlee ( 775178 )

          Just as the anti-spammers made email immeasurably less useful

          In what way is email "immeasurably less useful"?

          • Comment removed based on user account deletion
            • by Okind ( 556066 )

              You're probably Gen Z or something, but there was a time in the mid nineties when if you sent an email, you could expect it 99% of the time to arrive at the destination. You didn't have to follow up with messages via other channels to ensure it had arrived.

              When I send or expect email, it arrives in the inbox 95% of the time. As intended. Email that doesn't is usually sent by companies and looks like an ad, so I'm not disappointed that it ends up in the spam folder.

              Sure, it's N=1 and YMMV, but normal email use does still exist.

            • by mwvdlee ( 775178 )

              Name calling; classy.

              I've been using email since about 1995 and can honestly say that these days spam is far better under control than it has ever been.

              At some point my domain was fetching 20k+ spam per day. I remember the war between spammers and anti-spammers; I was part of it, running all kinds of filters and custom rules to ensure email remained usable for my domains. Please understand that the sheer volume of spam was making email unusable at times.

              Today only the spammers have a serious chance of getting their emails to arrive because they know how to game the system.

              This is just bullshit, and you know it.

        • Comment removed based on user account deletion
        • This will never happen. What you're suggesting is that for this technical change to be made, every organization that puts up a website will have its own advertising department, selling advertisements. That's not sustainable, it's not possible for the vast majority of ad supported websites.

          I'd like to respectfully disagree with you on this point. Like we tend to think a lot of large departments have dedicated people handling things. But, in actuality, a lot of them don't or handle them in ways we tech people assume they would. Like, they might have a "department" of someone that handles web ads on their site. But that department might just be one person who was handed the responsibility despite having no training or experience with it. After all, I once had to explain to a sys admin at at

    • by GuB-42 ( 2483988 ) on Thursday October 29, 2020 @09:10PM (#60664412)

      The problem for advertisers with that solution is that they have no way of checking that the ad is actually shown. They have to trust the host for their analytics and billing, and it makes things much more complicated, especially for small players that advertisers have every reason not to trust.

      It is actually easier to imagine the opposite: content will be routed through the advertiser's network. Imagine something like cloudflare, but instead of just delivering content, it also inject ads and the content owner get his share of the revenue.

      This is terrible for the open web: more centralization, more control from tech giants. That's why I am not a fan of the war against 3rd party whatever. It gives more power to those who have their own ad networks. For example, Google can easily track you across all their sites and show you ads they can monetize, it is all first party. But a small, self-hosted blog can't do that, and doesn't have enough resources to negotiate their own advertising contracts. It isn't just about ads, you may want to integrate with a third party content processor for instance.

      And since we are talking about Brave, Brave solution is for everyone to go through Brave. They don't want to free you from tech giants, they want to be the tech giant.

    • Alot of porn sites already do this. Or so im told ;)
    • A web analytics company I worked for in the early 2000s was doing that back then to deal with third-party cookie blocking and cross-site data issues. We'd have the client either create A records pointing at our load balancer's public interfaces or delegate a subdomain to us so we could manage the records.

    • Google pays next to nothing in tax, nor upstream entities. By forcing ads onto searched domains, host countries can fairly and effectively tax per ad, and see if monopoly shares per national competition laws have been exceeded. This is what France and Spain wanted, and the UK will figure something out. Now an arms length transaction will be seen, and first handshake/view confirmation logged. For this reason, I see Google and others doing something about this. It is interesting when the title mentions abuse
    • by tlhIngan ( 30335 )

      This isn't too bad. Ads make web pages slow - either overloaded ad servers or other reasons. Often times the hosting server is faster and able to serve the ad faster.

      Even better, if ad networks started delaying, it forces the server to hang onto connections far longer and increases their server load, so maybe the site owners can pick ad networks that provide services without excessive server load.

    • It's already here.

      Over the last month or so, both cnn and thehill have started running their own ads as part of their main page.

      (I don't know if thehill has stopped pop-under to go with this; I turn off javascript before letting them load)

      hawk

    • If sites have to handle all the bandwidth for the third party ads and tracking they try cram onto a page because its proxied by their servers, maybe they'll think twice about how much they foist on the user.

  • Brave on smartphones (Score:3, Informative)

    by hcs_$reboot ( 1536101 ) on Thursday October 29, 2020 @08:33PM (#60664294)
    I've been using Brave browser on an iPhone ; it cuts ads natively and makes a difference, really. Opt out of the unnecessary Brave awards, and give it a try. Worth it.
    • by AmiMoJo ( 196126 )

      Have you tried Firefox? Better add-on UI, no "rewards" crypto currency bullshit.

      A recent change fixed rendering on most sites, it's very close to being perfect. Slashdot desktop mode is still broken but for most stuff it's a great browser and you can use your choice of ad-blocker and privacy enhancement.

      • You still can't install ad blockers though. Isn't any browser for iOS just a front end for Apple's?

        • by AmiMoJo ( 196126 )

          Oh yeah, iOS... Well I don't know then, on Android you can install uBlock Origin and in fact all other add-ons now.

  • by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Friday October 30, 2020 @12:55AM (#60664862) Homepage Journal

    From the summary:

    But the page also makes four requests via a script hosted at a randomized path under the first-party subdomain

    When APK was promoting his DNS blocklist updating tool, I remember telling him several times that sites were going to randomize hostnames to evade blocklists. He never believed me. Now we have evidence.

  • Moves to catch out CNAME deception are likely to end up useless, because advertisers will just arrange with website owners to install reverse proxies. These mean that the site can plant cookies that appear to be confined to the site's domain, but in the back-end of the site, actually cause reverse-proxy requests to go out to advertisers, passing the user's info along for the ride.
    • You don't even need that.

      In DNS, a CNAME record just says "instead of a.b.com, go look at x.y.com" And then "x.y.com" resolves to, say, 192.0.2.7.

      The trivial and obvious workaround is to just setup a.b.com to point directly to 192.0.2.7. It's a little more overhead to administer than CNAME aliasing (since you need all such domains to update if the IP address changes, although you could automate this), but it's way less work than running a proxy.

      • Except that the adbuster plugins and browser devs can build up a database of those 192.0.2.7 and other privacy-attacking IP addresses. A proxy sits at the same IP address as the original website and is much harder to detect, especially if custom URIs are being generated by each client
        • The problem with that kind of blocking is that most of these are being hosted on large, multi-tenant infrastructure, where that IP address can correspond to many different web sites -- some tracking-related, and others not. Even if they weren't, you're describing a huge, mostly manual effort that goes well beyond the resources anyone would dedicate for this kind of heuristic mitigation.

Your own mileage may vary.

Working...