Mozilla Firefox keeps cookies kosher with quarantine scheme, 86s third-party cookies in new browser build

Mozilla has revised the way the latest build of the Firefox browser handles HTTP cookies to prevent third-parties from using them to track people online, as part of improvements in build 86 of the code. HTTP cookies are files stored by web browsers to save state – e.g. is the user logged in? – that get set by code running on …

  1. StrangerHereMyself Bronze badge

    Don't understand

    Firefox already had a setting that blocked third-party cookies, but they replaced it with its Tracking Protection setting.

    Thing is, I don't really know what it does, and which third party cookies are henceforth blocked. If they only block a known subset it becomes an arms-race with trackers continuously coming up with new cookies and tracking schemes.

    1. John Robson Silver badge

      Re: Don't understand

      Of course it's an arms race.

      The question is:

      login.company.com is probably the same domain as company.com

      But what about fb.company.com, which when you look it up is actually a reference to faecebook. Faecebook can then set a cookie that *looks* like a cookie from company.com, but is actually a third party cookie.

      1. Charlie Clark Silver badge

        Re: Don't understand

        I'm not sure how many companies would approve such sub-domains – there are definite legal ramifications – but even so DNS checks for the IP addresses would soon indicate the real owner.

        1. Androgynous Cupboard Silver badge

          Re: Don't understand

          More than you'd think, apparently. There's a whole article on the topic: https://www.theregister.com/2021/02/24/dns_cname_tracking/

          As for DNS checks to identify the owner, not really. It resolves to Amazon Cloud - now what? Is it a cloudy server for the domain I intended to visit, or a cloudy server for some adslinger?
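
The check discussed in the comments above, as an added example that is not part of any commenter's post: follow a same-site subdomain's CNAME chain and compare the registrable domain at each hop with the site being visited. The host names, the DNS records and the `SHARED_HOSTING` set are constructed, and `site()` is a two-label simplification where real code would use the Public Suffix List.

```javascript
// Constructed DNS data: name -> CNAME target (no entry = chain ends here).
const CNAMES = new Map([
  ["login.company.example", "sso.company.example"],
  ["fb.company.example", "collect.tracker.example"],
  ["shop.company.example", "d1234.cloudhost.example"],
  ["loop.company.example", "loop2.company.example"],
  ["loop2.company.example", "loop.company.example"],
]);

// Hosting domains whose names say nothing about who runs the server (assumed list).
const SHARED_HOSTING = new Set(["cloudhost.example"]);

// Simplification: registrable domain = last two labels.
function site(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Walk the CNAME chain, stopping on a loop or after maxHops names.
function resolveChain(host, records, maxHops = 8) {
  const chain = [host];
  const seen = new Set(chain);
  let cur = host;
  while (records.has(cur)) {
    cur = records.get(cur);
    if (seen.has(cur) || chain.length >= maxHops) return { chain, loop: true };
    seen.add(cur);
    chain.push(cur);
  }
  return { chain, loop: false };
}

// Classify a request made by a page on pageHost to requestHost.
function classify(pageHost, requestHost, records = CNAMES) {
  const pageSite = site(pageHost);
  if (site(requestHost) !== pageSite) return "third-party";
  const { chain, loop } = resolveChain(requestHost, records);
  if (loop) return "error";
  const foreign = chain.slice(1).map(site).filter((s) => s !== pageSite);
  if (foreign.length === 0) return "first-party";
  // Chain leaves the site but only into shared hosting: owner cannot be told from DNS.
  if (foreign.every((s) => SHARED_HOSTING.has(s))) return "unknown-owner";
  return "cname-cloaked";
}
```

The `unknown-owner` result is the case raised in the comment above: a chain that ends at a cloud provider cannot be attributed from DNS alone.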

          1. Charlie Clark Silver badge

            Re: Don't understand

            It's still going to make aggregation across websites more difficult. And, the legal consequences of providing a domain for potential GDPR breaches are definitely more serious than just running a third-party tracker.

        2. iron Silver badge

          Re: Don't understand

          All of them that use advertising. That has been the ad industry standard way to track you for several years now.

    2. Greybearded old scrote Silver badge

      Re: Don't understand

      Well, it is explained in the article. There are some cases when you might want a third party cookie to function, such as a single sign on. That's still a 'turkeys voting for Christmas' situation, but if the turkeys want the convenience there it is.

      FB will still be able to track you on those sites, or else it can't work.

  2. Mike 137 Silver badge

    Only one buttock?

    This, yet again, seems a half arsed solution to only part of the problem.

    Under European Directive 2002/58/EC (implemented in the UK as the Privacy and Electronic Communications Regulations 2003) there is a distinction made between cookies essential for providing a service to the user (e.g. shopping cart purchase lists) and other cookies. This is regardless of whether [a] they are literally "cookies" or any other kind of tracker, and [b] they are first or third party in origin. At the risk of over-simplification, essential cookies are allowed automatically, but informed user consent is required for non-essential cookies.

    So measures that only address literal cookies but not other trackers, or that only distinguish between first and third party trackers, do not protect user privacy to any useful extent.

    1. Charlie Clark Silver badge

      Re: Only one buttock?

      I don't agree. While this doesn't prevent tracking per se, it does significantly limit tracking across websites, which is what most of the trackers are interested in. Also, as a browser setting, it overcomes user inertia when it comes to handling cookie settings: most will go with "accept all" to continue with whatever they're doing.

  3. ExampleOne

    Blocking cookies simply stops the easiest and laziest way of tracking people. It isn't hard to track by abusing the browser cache.

    Of course, I have rarely seen a discussion of alternative methods of tracking, it is all about the cookies.

    1. Dan 55 Silver badge

      Firefox reduced browser fingerprinting when they did the Tor uplift project and again in FF 72. And probably other times as well.

    2. Cuddles Silver badge

      "Of course, I have rarely seen a discussion of alternative methods of tracking, it is all about the cookies."

      Really? I see such discussion quite frequently. Here's a handy link to get you started, although obviously there are plenty more that don't happen to use that exact word - https://search.theregister.com/?q=fingerprinting

    3. iron Silver badge

      Literally the previous Firefox release had protections against other forms of tracking which was discussed on this very website. (cache based techniques in that case)

  4. Howard Sway Silver badge

    Time to take Single Sign On out of the hands of Google and Facebook

    Make them pay for a non profit, security and privacy focused independent org that has sole responsibility for SSO authentication and tokens, that they are not allowed to have any influence over. They've abused their dominance of SSO to track people for profit, and have therefore forfeited the right to stay in the game.

    1. Steve Davies 3 Silver badge

      Re: Time to take Single Sign On out of the hands of Google and Facebook

      Google and Twitter are not alone.

      You can add Twitter and now Apple into the mix.

      As a side note, 'Sign on with Apple' is being investigated for Anti-Trust violations. If they are guilty then the others are even guiltier as it is far more widespread.

      1. HildyJ Silver badge

        Re: Time to take Single Sign On out of the hands of Google and Facebook

        And M$ / Bing

  5. Anonymous Coward

    Google and its ad tech frenemies

    The Cat & Mouse game with cookies is rather pointless these days.

    Now that web browsers are so bloated they are like another OS they can be easily fingerprinted by sites pushing different fonts, blank .pdf's, webgl etc.

    I've been looking at a script used by an advertiser that uses these techniques to fingerprint the exact make and model of the user's Android device to push fake virus warnings to trick users into installing questionable apps from Google's Play store, "free" iPhone scams and surveys.

    The advertiser even boasts that they can bypass ad blockers but from my own testing uBlock Origin seems to be able to block the script as most of the infected CloudFront servers are blocked by the community supported Easy List.

    1. This post has been deleted by its author

  6. Pascal Monett Silver badge

    "Google [..] are racing to develop various Privacy Sandbox proposals"

    No need, Mozilla has a great idea. The cookie jar seems perfect to me. A jar per website, and nobody's hands in any jar they don't belong. Sounds good.

    Of course, that will not be to Google's liking, but I don't give a rat's ass about that.
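
The "jar per website" idea from the comment above, as an added example that is not part of the post and not Firefox's code: a small model of a cookie store whose jars are keyed either by the cookie's owner alone or by the visited site plus the owner. The host names are constructed, `siteOf()` is a two-label simplification of the registrable domain, and the automatic exceptions the article mentions are not modelled.

```javascript
// Simplification: registrable domain = last two labels (real browsers use the Public Suffix List).
const siteOf = (host) => host.toLowerCase().split(".").slice(-2).join(".");

class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned; // true = one jar per visited site
    this.jars = new Map();          // jar key -> Map(cookie name -> value)
    this.minted = 0;                // how many distinct tracker ids were issued
  }

  // Unpartitioned: the jar is chosen by the cookie's owner only.
  // Partitioned: the site in the address bar is part of the jar key.
  jarFor(topLevelHost, cookieHost) {
    const owner = siteOf(cookieHost);
    const key = this.partitioned ? `${siteOf(topLevelHost)}|${owner}` : owner;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }
}

// An embedded tracker request: reuse the id cookie if the jar has one, else set a new one.
function trackerRequest(store, topLevelHost) {
  const jar = store.jarFor(topLevelHost, "pixel.tracker.example");
  if (!jar.has("uid")) jar.set("uid", `u${++store.minted}`);
  return jar.get("uid");
}

// Ids the tracker observes across a browsing session of top-level hosts.
function idsSeenByTracker(partitioned, visits) {
  const store = new CookieStore(partitioned);
  return visits.map((host) => trackerRequest(store, host));
}

// Constructed browsing session: two sites, the first one visited twice.
const VISITS = ["www.news.example", "shop.example", "m.news.example"];
console.log("shared jar:     ", idsSeenByTracker(false, VISITS).join(","));
console.log("jar per website:", idsSeenByTracker(true, VISITS).join(","));
```

With a shared jar the tracker sees one id on every site; with a jar per website it sees a different id on each site and can only recognise a return visit to the same site.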

    1. Adelio Silver badge

      Re: "Google [..] are racing to develop various Privacy Sandbox proposals"

      Ban all tracking and ads. There, that is what I want, simples.....

    2. The Sprocket

      Re: "Google [..] are racing to develop various Privacy Sandbox proposals"

      Works for me . . . for now.

  7. Anonymous Coward

    Offspring reference - nice

    Well done. Now I have to play it to get it out of my head.

  8. gggirlgeek

    Useless if it allows the cookies for targeted advertising anyway

    "Rather it's Total Cookie Protection With Some Exceptions, Handled Automatically" ..."Meanwhile, Google and its ad tech frenemies are racing to develop various Privacy Sandbox proposals so they can implement behavioral ad targeting"

    I don't WANT exceptions! Behavioral ad targeting is exactly what I'm trying to avoid. I don't want Google shaping my searches and influencing my opinions by "telling me what I want to hear"...it thinks! Total Cookie Protection sounded exciting until I read this. How do we force it to work "properly"?

  9. CRConrad

    Glaring gigantic loophole.

    FTFA:

    "...until the Storage Access API, a proposed JavaScript API to handle legitimate exceptions to privacy protections like SSO usage, sees wider adoption."

    So what's to stop unscrupulous advertiser scum from using that API just as if their scummy advertising were a legitimate exception from user privacy?
