Name and shame
What companies are doing this?
PS: FF rulz!
Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security. In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven- …
Technical steps to counter this are very welcome, of course, but we need national regulators to hit all the (adtech) companies providing this and all the (website owner) companies using this with massive fines.
In particular, setting up such a CNAME within your domain would be immediate evidence of your intent to bypass user decisions on control of cookies and should be all the evidence needed for a large fine.
In fact, even before regulators move on this, it would be good if a campaign group announced that if any of the top 10,000 websites are found to still be using this technique in 30 days time, they will be named and shamed, with maximum possible publicity in major newspapers in the countries in which they operate.
Use only legitimate cookies and honour user privacy settings or be named and shamed.
CNAMEs have legitimate uses too - e.g. shop.domain.com pointing at a hosted shopping system, whose underlying DNS may change on their backend. Just having a CNAME isn't necessarily evidence that you're doing anything untoward.
CNAMEs that point to tracking domains, on the other hand, should indeed be nuked from orbit. I suspect the answer is in-browser resolving/checking and then referencing a blocklist, to avoid throwing babies out with the bathwater.
> I suspect the answer is in-browser resolving/checking and then referencing a blocklist, to avoid throwing babies out with the bathwater.
AIUI that's part of what the Manifest V3 upset was about. Ublock already looks for CNAMEs like this in order to block them, but will/would have lost that ability as a result of Manifest V3 being implemented in Chrom(e|ium).
Not all of these leaks exposed sensitive data but some did. Out of 103 websites with login functionality tested, the researchers found 13 that leaked sensitive info, including the user's full name, location, email address, and authentication cookie.
Implies that it is possible for trackers (much as I think all tracking should be illegal) to write non-leaking scripts. Since users could never have consented to have private info leaked even if they had agreed to the site using the data themselves, any script which leaks should be an instant fine of 10% of global turnover. No ifs, no buts because there can be no defense.
Most definitely name and shame (as a minimum) and should the game be raised to 'prosecute' for violations of the GDPR and/or Anti-Trust as this is a deliberate 'deception' to ensure that ad-trackers continue to work?
Perhaps we also need a new 'first party' (same origin - exactly the same URL), 'second party' (sub-URL of the first party domain) and 'third party' (different domain) approach and rulesets in our defenses?
G
This is tracking and so the user should be asked if they want this to happen, if they agree that their data is taken out of the EU.
Much worse is what google analytics does - tracks users from site to site, how forms are filled in, etc. I have never been asked if I want this to happen.
Non-agreed use should be banned.
Problem is that you probably have 'agreed' when you dismissed that obligatory t&c popup.
Go to tvlicensing.co.uk and check their cookie policy (a 599kb PDF if you download it) for somewhere that you would think shouldn't need much of a policy (no advertising) but actually reveals a lot about how much other sites must be hiding behind their simple 1 paragraph 'accept or bugger off' versions
That is illegal on two levels.
1) Obtuse T&C
2) Blocking access if not logging in.
Really cookies are only absolutely needed if you are logging in. On all other sites I also block 1st person cookies. Only a year later I discovered some sites use a cookie to count site views.
They're tracking you when you do DNS lookups. You don't mention handling that yourself.
Smug Bastard probably has the URIs of all 17 web sites that still work without Javascript pasted into his huge hosts file. If it's found in the hosts file, there's no DNS lookup, right?
> 1st party cookies are set to be prompted if to be set & I tend to say no. 3rd party ones never get set at all.
You do realise that the purpose of CNAMEing a subdomain is to turn third party requests into first party requests, right?
> Then I've got a hosts file so large
Do you also realise that a hosts file is not a firewall?
> Oh and I don't run javascript
Neither is it needed by this technique.
In fact, all it takes to track you using DNS is for your computer to make a DNS request which, e.g., if you haven't disabled prefetch in your browser, may be made before you even access the relevant page.
A lot of sites no longer rely on cookies as they are unreliable. There are tons of other ways of tracking browsers whether you allow it or not:
- Browser Fingerprinting
- IndexedDB
- Local Storage
- DNS Queries
Some of these methods may or may not work depending on a wide variety of factors, not all of which are under your control....
I didn't vote either way, and this is supposition, but I'm wondering if the downvotes are because people sometimes treat NoScript like a perfect firewall. It's not. It can help, but if people think they can just install it and everything will be fine, they're wrong several times. It helps in the case of running JS from a site like this, but most of the time, a site will just pull in a script from the source in the HTML. So in the case of this attack, it's not all that likely to produce different results on a site using this and a site using classic attacks. Therefore, though it's useful, it isn't really a good solution for the problem as described. Maybe some are expressing that view in their votes.
I didn't downvote you either – thank you for providing an actual suggestion; on the whole, I agree with you. For me, NoScript is just part of a multi-pronged strategy that includes uBlock Origin, Privacy Badger, DNS over HTTPS, enforcing HTTPS and where possible avoiding sites that are still HTTPS refuseniks, DDG Privacy Essentials, blocking all third-party cookies, a regularly updated ~2MB hosts file that blocks a range of types of site, and, most importantly, the application of more than a little common sense. Of course, this all makes the web look much more broken (which, as an aside, this article demonstrates it already is), and I don't enjoy having to wear a suit of armour just to go and buy a pint of milk, but I don't really feel safe doing anything else. And stuff like this tells me I'm still not completely safe anyway, but it's a start.
None of which gives anyone an excuse to passively downvote a request for clarification of previous downvoting without explaining why. These forums are supposed to be a place for discussion, and just repeatedly shouting "BOOOO!" doesn't add a great deal to it. By all means, shout boo and then explain why (assuming someone else hasn't already, in which case you can also shout "Hear, hear!" at them), but otherwise it makes it look like either you (a) haven't got a plausible argument against the point, or (b) are simply lazy. Of course, if you actually are a bored chimp in a safari park, feel free to continue throwing faeces.
You have to admire the simplicity of the technical solution
Unfortunately, the simplicity of the solution simply reveals how broken the underlying security model is.
In retrospect, it was a terrible idea to allow individual web pages to interact with any other server than the one from which the page was retrieved. Even that wouldn't stop that server from passing information on to a third party, but at least the responsibility would be clear.
’tis evil.
I'd be surprised if Facebook & friends aren't doing this. Google doesn't need to due to the stupidity of websites using a plethora of Google resources. Why do Theme designers and websites generally think it's cool to have similar fonts to standard ones, but Google Hosted, Google Analytics instead of their own, Google hosted javascript instead of their own. Google APIs when there are no Google services like Maps on the page. I can't see how the use of any of that is legal in the EU and quite a few other countries with similar laws.
Parasites.
In the past few years I've worked on a web application for members of the public applying for bank accounts and another used by financial advisers to apply for pensions for people. Needless to say, neither application displayed ads, and both processed lots of confidential information.
But there was the Google Analytics link on the landing page.
Honestly, if CNAMEs become restricted, they'll just end up using regular A/AAAA records.
Using a CNAME is surely more convenient, but if you can set one, a regular A/AAAA can be set to some tracker IP addresses just as well, and will work fine. And then, what?
The solution is not technological here, it has to be law+enforcement with meaningful fines.
> Honestly, if CNAMEs become restricted, they'll just end up using regular A/AAAA records.
Or, indeed, a DNAME (giving the same flexibility as a CNAME, just with a less commonly known feature).
When that gets blocked, no drama, just add some NS records and delegate a zone out to $advertiser's nameservers
As you say, the solution isn't a technical one - limiting CNAMEs to acting like an alias breaks a lot, and fixes precisely nothing. What's needed is for the underlying business model to stop being viable, because of meaningful enforcement (we already have the laws)
>> Honestly, if CNAMEs become restricted, they'll just end up using regular A/AAAA records.
> Or, indeed, a DNAME (giving the same flexibility as a CNAME, just with a less commonly known feature).
Or, indeed, a first-party proxy to a third-party site. Which you can't detect from the client end (whereas with an A/AAAA record you could theoretically check it's within the same AS or something)
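The in-browser "resolve the name, then check a blocklist" approach suggested earlier in the thread, worked through as an added example (this is not code from the thread, from the paper, or from any browser extension). It walks the alias chain behind a first-party hostname and flags a cloaked tracker, and it also covers the evasion variants raised in this sub-thread: a plain A record pointing at a tracker address, a DNAME, and an NS delegation. The first-party proxy case is, as the post above says, invisible to any DNS-side check and is deliberately absent. All hostnames, addresses, records and blocklist entries are constructed; `example-shop.com`, `tracker-cdn.example` and `hosted-commerce.example` are placeholders, and `registrable_domain` is a deliberately naive stand-in for a Public Suffix List lookup.

```python
"""Added example: decide whether a first-party hostname is a cloaked
third-party tracker by walking its DNS alias chain (CNAME, DNAME, NS
delegation) and checking the result against domain and IP blocklists.
Everything below is constructed for illustration."""

# Constructed stand-in for resolver answers: owner name -> list of (type, rdata).
RECORDS = {
    "track.example-shop.com": [("CNAME", "c.example-shop.com")],
    "c.example-shop.com": [("CNAME", "sub.tracker-cdn.example")],
    "sub.tracker-cdn.example": [("A", "203.0.113.10")],
    # Legitimate alias to a hosted shop (the counter-example raised in the thread).
    "shop.example-shop.com": [("CNAME", "shops.hosted-commerce.example")],
    "shops.hosted-commerce.example": [("A", "198.51.100.7")],
    # Evasions discussed above: plain A record, DNAME, and NS delegation.
    "metrics.example-shop.com": [("A", "203.0.113.10")],
    "stats.example-shop.com": [("DNAME", "beacons.tracker-cdn.example")],
    "px.beacons.tracker-cdn.example": [("A", "203.0.113.11")],
    "ads.example-shop.com": [("NS", "ns1.tracker-cdn.example")],
}
# Constructed blocklists; a deployment would load a maintained CNAME-cloaking list.
DOMAIN_BLOCKLIST = {"tracker-cdn.example"}
IP_BLOCKLIST = {"203.0.113.10", "203.0.113.11"}


def registrable_domain(name: str) -> str:
    """Naive 'last two labels'. Real code must use the Public Suffix List,
    otherwise co.uk-style names are grouped wrongly."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def _ancestor_alias(name: str, records: dict):
    """Find the closest ancestor of `name` carrying a DNAME or NS record."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent, prefix = ".".join(labels[i:]), ".".join(labels[:i])
        for rtype, target in records.get(parent, ()):
            if rtype in ("DNAME", "NS"):
                return rtype, prefix, target.lower()
    return None


def resolve_chain(name: str, records: dict, max_hops: int = 8) -> list:
    """Return the hops [(kind, name), ...] from the queried name to its data."""
    current = name.lower().rstrip(".")
    hops = [("QUERY", current)]
    while len(hops) <= max_hops:
        rrset = records.get(current)
        if rrset is not None:
            cname = next((t for rt, t in rrset if rt == "CNAME"), None)
            if cname is None:
                hops.append(("ANSWER", current))       # address data lives here
                return hops
            current = cname.lower()
            hops.append(("CNAME", current))
            continue
        alias = _ancestor_alias(current, records)
        if alias is None:
            hops.append(("NXDOMAIN", current))
            return hops
        rtype, prefix, target = alias
        if rtype == "NS":
            hops.append(("NS", target))                # another operator answers from here
            return hops
        current = f"{prefix}.{target}"                 # DNAME substitution (RFC 6672)
        hops.append(("DNAME", current))
    hops.append(("LOOP", current))                     # alias loop: give up
    return hops


def classify(hostname: str, site_domain: str, records: dict = RECORDS,
             domain_blocklist: set = DOMAIN_BLOCKLIST,
             ip_blocklist: set = IP_BLOCKLIST) -> tuple:
    """'block' if any alias hop or answer address is listed, 'review' if the
    first-party name is aliased outside the site's own domain, else 'allow'."""
    hops = resolve_chain(hostname, records)
    if hops[-1][0] == "LOOP":
        return "review", hops
    site = registrable_domain(site_domain)
    outside = {registrable_domain(n) for k, n in hops[1:]
               if k in ("CNAME", "DNAME", "NS") and registrable_domain(n) != site}
    addresses = set()
    if hops[-1][0] == "ANSWER":
        addresses = {r for rt, r in records[hops[-1][1]] if rt in ("A", "AAAA")}
    if outside & domain_blocklist or addresses & ip_blocklist:
        return "block", hops
    if outside:
        return "review", hops     # aliased off-site, but not a known tracker
    return "allow", hops


if __name__ == "__main__":
    for host in ("track", "shop", "metrics", "px.stats", "pixel.ads"):
        verdict, hops = classify(f"{host}.example-shop.com", "example-shop.com")
        print(f"{verdict:6} {' -> '.join(f'{k}:{n}' for k, n in hops)}")
```

Running it shows why the thread lands where it does: the CNAME, DNAME and NS cases are all caught by a domain list, the hosted-shop alias only gets a "review" because it points off-site without being listed, and the bare A record is caught only if the tracker's address is on an IP list (drop `IP_BLOCKLIST` and it is allowed). A browser or extension doing this check needs resolver answers it can see, which is the capability the Manifest V3 complaint earlier in the thread is about.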
Quite a few companies have been doing this for years.
Some also put scripts required for the site to work on the same subdomain the tracking beacons/code uses so you have to allow access to the subdomain.
What's probably more surprising these days is how many companies don't do it already.
Unless something drastic happens that costs the companies significant money, the whole thing is just an arms race. Every time we patch the holes in the walls, another crack appears to let the data stream out into the small number of data oceans, who can then mix it all around between them for financial gain.
Which is why the technical countermeasures need to be combined with two other things:
1) Laws. When I say "do not track" I mean "do not track". Any tracking is clearly illegal. If you don't want to serve me without tracking, that is fine - I will take my business elsewhere (possibly even paying more).
2) Name and shame. None of the UK top 1000 brands should be able to afford to ignore "do not track" requests. The newspapers should be full of it, and MPs should be asking questions in parliament about why is the government doing any business with these companies.
You mention MPs. Those same MPs whose petition.parliament.uk website has Google Analprobe trackers on it?
...which means, with all the other information that Google probably has dredged about you from elsewhere, likely positively identifying you with your email address via those sites that use Google Recaptcha on the login screen (at the very least, along with all their other sources of exfiltration), means that Google also knows what political issues you are interested in, which is surely protected Special Category Data (Sensitive Personal Data)?
(Which is why any organisation that uses *any* Google 'assets' (SIGINT, indeed) without fully thinking through the consequences needs their collective heads examined. (Other data reaping scum are available, sadly.))
I have to agree that if consumers wouldn't consume tracking tainted tat, we wouldn't have this problem.
Laws don't work because companies view them as things to get around.
Fines don't work because companies view them as a cost of doing business.
Public shaming doesn't work because the public as a whole ignores it.
It is time we fought back at all this. I'm thinking browser extensions with the explicit aim of poisoning Web analytics and even trying deliberately to crash badly-written code. I'm thinking a smart DNS server running locally. I'm thinking all this should be included in popular distros.
Only today I was a victim of back-button hijacking. Preventing a person from leaving a physical store until they have spent long enough looking at advertisements is not something that would be tolerated in real life.
Some of us are not going to put up with this anymore.
Only today I was a victim of back-button hijacking. Preventing a person from leaving a physical store until they have spent long enough looking at advertisements is not something that would be tolerated in real life.
Just close that browser window and blacklist that site (easy enough with a PiHole).
This latest revelation is the last straw. Every ISP should be answering the ongoing crisis impacting their customers by actively hiding them.
Strip out the information in packets that help identify customers and then assign a random IP. In short, ISPs should be connecting their customers via their own in-house VPN, a virtual TOR network if you will.
The ISPs of this world should be anonymising their bill paying customers and if marketing is unhappy, then they can help alleviate the situation by offering to pay the bill themselves - if you're skint, you can always get online for free, but you've got to suffer the stalkers.
Why, having paid an exorbitant fee to my ISP, do they sit by and watch me get chased around the playground by bullies, sticking revealing images of Russians, who want to marry ME tomorrow, in my face at every turn. I went there once...and will they never let me forget it..hahaha!
No seriously. ISPs should be stepping up and improving their service.
A lot of ISPs sell DNS data to advertisers, some of them also inject ads into the pages you request.
European ISPs don't as it will get them in a lot of legal trouble, but even so I am using Pi-Hole in combination with Unbound.
Not sure that any ISP is your friend.
God preserve me from my friends, with my enemies I can deal myself.
"...marketers have stepped up efforts to evade anti-tracking measures..."
Doesn't that sound like a job for the DMCA? "...It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself..."
Seems to me that "anti-tracking measures" are a type of "access control".
You can find most of the culprits' destination domains in the reasonably-frequently-updated NextDNS CNAME Cloaking Blocklist on GitHub, and add them to the blocklist of your choice.
This stuff. CNAME bollox like that are used industry-wide. Add TXT records to the mix. In fact most things about DNS can be abused in one way or another. Add a sprinkling of javascript at the CDN level and cookies just become mildly useful to have if not a distraction to the main issue.
Anonymous for good reasons.