back to article Brave browser first to nix CNAME deception, the sneaky DNS trick used by marketers to duck privacy controls

The Brave web browser will soon block CNAME cloaking, a technique used by online marketers to defy privacy controls designed to prevent the use of third-party cookies. The browser security model makes a distinction between first-party domains – those being visited – and third-party domains – from the suppliers of things like …

  1. John Smith 19 Gold badge
    Coat

    Sooner or later we're going to have to work out a way to fund all this.

    Yes it's all pretty despicable

    But how do work out a way that makes it affordable yet rewards people who do the work?

    Fook nose.

    1. Anonymous Coward
      Meh

      Re: Sooner or later we're going to have to work out a way to fund all this.

      Brave rewords users who accept adverts. I find this disturbing because it implies users can be bribed to watch/interact with potentially harmful influence bodies . Well at least it will put a hole in Googles bucket of cash and start spreading it around.

      1. Martin Gregorie

        Re: Sooner or later we're going to have to work out a way to fund all this.

        Brave rewords users who accept adverts. I find this disturbing ...

        But at least when you turn 'rewards' off, it stays off when the browser gets upgraded. This is unlike the so-called "privacy protection features" provided by certain other browsers where the privacy protection controls just get more carefully hidden and reset to default values which, oddly enough, always seem to be 'protection disabled', by the next release.

        Must be lazy programmers: surely no company would ever think of doing that reset deliberately. .

    2. katrinab Silver badge
      Paris Hilton

      Re: Sooner or later we're going to have to work out a way to fund all this.

      Why not show the same ad to everyone, like in the dead-tree newspaper days.

      YouTubers for example make way more money from sponsorships than they do from Adsense. Picking a one size fits all ad that they think is relevant and interesting to their viewers seems to work a lot better than all this AI stuff.

      1. vtcodger Silver badge

        Re: Sooner or later we're going to have to work out a way to fund all this.

        And while we're at it, ban scripting in ads. That should hopefully largely eliminate the security threat that causes many of us to block advertising.

    3. Blackjack Silver badge

      Re: Sooner or later we're going to have to work out a way to fund all this.

      Again, it has been proved that personalized ads make less money that ads that show you what you are looking for.

      Personalized ads mostly makes money by selling your data.

      1. Steve Davies 3 Silver badge
        FAIL

        Re: ads that show you what you are looking for

        funny that. The few ads that I see are ALL for things I was looking for. I had one from Amazon today that was trying to sell me a travel guide for somewhere I visited in 2014 and given the current situation, it will be highly unlikely that I'll be even thinking of going back before 2024.

        Anyway, who wants the 2014 version of a travel guide?

        1. Anonymous Coward
          Anonymous Coward

          Re: ads that show you what you are looking for

          > Anyway, who wants the 2014 version of a travel guide?

          A time traveller who wants to come prepared.

          (Interesting to hear that in 2014 tree-based travel guides were still a thing)

          1. Blackjack Silver badge

            Re: ads that show you what you are looking for

            In 2014 tree based computer magazines and game magazines were still a thing.

            1. adam 40 Silver badge

              Re: ads that show you what you are looking for

              Even weirder is that in 2024, trees are still a thing... but only just.

    4. big_D Silver badge

      Re: Sooner or later we're going to have to work out a way to fund all this.

      First party ads, no tracking. Simple.

      I'm happy for an ad to be shown to me, based on the site I am visiting.

      I am totally against people tracking me from site to site and building a (faulty) profile about me. Let the site I'm visiting handle the showing of the ad.

    5. Ochib

      Re: Sooner or later we're going to have to work out a way to fund all this.

      This report sponsored by Raid Shadow Legends

      1. David 132 Silver badge
        Happy

        Re: Sooner or later we're going to have to work out a way to fund all this.

        And this response is brought to you by Tidymans Carpets.

        "Tidymans - For The Deep Shag That Really Satisfies"

      2. stiine Silver badge

        Re: Sooner or later we're going to have to work out a way to fund all this.

        This just means that instead of a CNAME to get you to adnetwork.tld, they'll need to set up A or AAAA records, or run a secure proxy.

  2. Imhotep

    Nice Browser

    I've been using Brave exclusively on my IPad - which is pretty much the only place I use a web browser now - and am pretty happy with it. Now if Apple only provided a way to specify a default browser so links don't open in Safari, I'd be all set.

    1. tip pc Silver badge

      Re: Nice Browser

      “ Now if Apple only provided a way to specify a default browser”

      Brave should prompt you about the new iOS 14 feature that lets you set a default browser.

      If not it’s in settings.

      I don’t use brave as I don’t like the rewards feature.

      If they did a paid for version I may reconsider

      1. Anonymous Coward
        Anonymous Coward

        Re: Rewards

        you do know you're not forced to use rewards!?

        1. Mage
          Happy

          Re: Rewards

          And can even turn off the Rewards Icon too.

        2. Anonymous Coward
          Anonymous Coward

          Re: Rewards

          Not forced to use Rewards but obviously rewards must track you to earn rewards.

          Believe what you want. But if rewards is not built into the browser then it shouldn’t track you, if rewards is built in, even if turned off, you can be tracked by brave.

          I have a choice to use brave or not. I chose to not use it.

    2. Mage
      Thumb Up

      Re: Nice Browser

      I switched to Brave on all my Androids as Firefox sort of broke their GUI. I switched long ago on 64 bit Linux from Firefox to Waterfox due to stupid changes. I use Classic Theme restorer to make the Waterfox GUI sane, but I think Firefox disabled that and lots of other stuff which is why I switched to Waterfox. Still using uMatrix for blocking scripts, though I used to use NoScript.

      1. stiine Silver badge
        Unhappy

        Re: Nice Browser

        Sort of broke their GUI? Are you kidding, their new GUI is unusable.

    3. adam 40 Silver badge
      Mushroom

      But when will they fix their bugs?

      I used Brave on Win 10 and found that their file chooser locked up file explorer when selecting images to upload.

      This was pretty nasty an unless you already had a command window open, so you could restart explorer.exe, or else the machine locked up and you had to reboot.

      I went to the trouble of filing a bug through their arcane bug system (which won't accept bugs unless you use Brave to file them - which when your machine is locking up with Brave, is pretty difficult (so I filed another bug for that too)).

      The upshot? Brave ignored the bugs for a month then automatically closed them.

      So I went back to Chrome, which uses more memory, but at least it's stable.

  3. Pascal Monett Silver badge

    "the page also makes four requests via a script"

    And that script is blocked by NoScript.

    NoScript and uBlock Origin, the two stalwart champions of security and privacy.

  4. daalmo

    CNAME Cloaking browser comparison

    APNIC performed a comparison of the main browsers with and without the main ad blockers in August 2020. Looks like I'll be switching from Ghostery to uBlock Origin. Full report at end of article.

    https://blog.apnic.net/2020/08/04/characterizing-cname-cloaking-based-tracking/

  5. Kevin McMurtrie Silver badge

    Broken edge hosting

    CNAME is used for edge caching too. Brave will simply stop working unless they maintain allow/block lists for cookies.

  6. Anonymous Coward
    Anonymous Coward

    Computer Misuse ACT

    IMHO I believe that if a user has gone out of their way to adjust the settings of their web browser to limit tracking then anything that tries to circumvent the users settings should be considered unlawful under the Computer Misuse ACT and offenders fined and or even face criminal prosecution on repeated offenses.

  7. EnviableOne Silver badge
    Windows

    Need a maintained Content list

    for some reason Content securtiy policies aren't cutting it

    there should be a part of the page that lists the cdns, alternate domains, that host the actual content of the site, so you can automagically allow just those connections for a specific page, I hate having to unblock <RandomString>.$CDN.com and about six variants of the hosting company, 3 more of the site owner and some random js library, just to get the page to actually load.

    /me goes to write a web crawler and build a browser extension .....

  8. Jamie Jones Silver badge

    How does this help?

    All they need to do is change the CNAME to an A.

    Ultimately, it's the site owner that determines whether a site is part of his domain or not.

    Possibly breaking legitimate CNAME usage with a dodgy bandaid fix is counterproductive.

    If you want to block 3rd party cookies, you need to block all cookies from a different *site* not just a different domain (that would also get rid of the need for that database of which top level domains give public domains at the second level, and which at the third etc. - a noble project, but the fact it's needed is a big hack)

  9. JulieM

    Time to get aggressive

    Why would someone be using a CNAME to disguise third-party content as first-party? Answer: Because they know people object to third-party content. It's straight-up deception; trying to sneak in the back door because you correctly guessed you would not be welcome via the front door.

    Instead of just passively blocking third-party content, it's time browser manufacturers started taking a harder line; for instance, returning altered cookies to poison the trackers and invalidate what they are collecting.

    If you are going to play silly buggers, don't take on an Olympic medallist.

  10. Mobster

    The CNAME would have to be created within the original first site domain, so this means that domain administrators from the first site would have to be complicit. As such, we should treat the first site as a malicious actor and not worry about putting the burden on web browsers to "uncloak" CNAMES, I would think ....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like