# CNAME-based tracking

## yellowzip2

I finally switched from ungoogled-chromium (pf4public overlay) to Firefox (with the usual privacy tweaks) recently, in part prompted by claims made recently about CNAME deception.

CNAME tracking abuses DNS records to erase the distinction between first-party and third-party contexts. Firefox running the uBlock Origin 1.25+ extension can see through CNAME deception whereas Chromium based projects running uBlock Origin may not.

Has anyone here been following developments with CNAME-based tracking with regard to browser choice?

----------

## pjp

:(

Thanks for the heads up. I hadn't seen that one.

I find it sad that Firefox seems to be the least worst option. I've never used Chrome for personal use, and only briefly tried Chromium.

----------

## yellowzip2

*pjp wrote:*

> I find it sad that Firefox seems to be the least worst option...

Never thought we'd be here in 2021! Agree with the sentiment entirely.

----------

## pa4wdh

It's indeed one of the bad signs of the state of today's internet: "Gee, users don't want to be tracked and are blocking us, let's try another way so they can't block us".

It's not a browser based solution, but my way of working seems to work against this kind of tracking as well. I'm using BIND to do DNS based blocking. I create zones for domains I wish to block and insert a wildcard in there which directs the request to my own webserver (which answers with a 404 :) ).

For example, I have blocked doubleclick.net, so any request for anything within that domain is redirected. Now let's assume they start using CNAME based tracking under tracker.example.com. Now tracker.example.com will resolve into <something>.doubleclick.net, and from there it's again redirected to my own system.

I haven't actually run into CNAME based tracking yet, so this is all theory. Any other insights or comments are welcome :)

----------

## figueroa

One of my tools is I have over 60,000 entries sent to 0.0.0.0 in /etc/hosts. 191 of them are doubleclick.net entries.

----------

## figueroa

See my posts in the following forum page regarding my two scripts to curate your own /etc/hosts additions.

https://forums.gentoo.org/viewtopic-t-1107432-highlight-hosts.html

Don't stop at the first post. I continued to share improvements which I continue to use, shared in the last post of that thread, on the second page.

----------

## Zucca

I've been using https://someonewhocares.org/hosts/ as my source for domains to block.

Although I try to keep my /etc/hosts clean, so I pass the block list hosts file to my DNS as an additional hosts file.

----------

## figueroa

*Zucca wrote:*

> ...
> 
> I pass the block list hosts file to my DNS as an additional hosts file.

OK, I give up. That sounds like a good trick. HOW do you do that? (Asking for a friend. :) )

----------

## Zucca

Using dnsmasq:

```
no-hosts

addn-hosts="/etc/hosts"

addn-hosts="/etc/yourbadhostsfile"
```

The reason for setting no-hosts first and then adding /etc/hosts is that hosts in /etc/hosts then override the same ones in later files. It's rarely necessary, so most people would only need

```
addn-hosts="/etc/yourbadhostsfile"
```

in their config.

----------

## Zucca

BTW... There is a project which merges several bad host lists from the net to a single one: https://github.com/Ultimate-Hosts-Blacklist/Ultimate.Hosts.Blacklist

----------

## figueroa

*Zucca wrote:*

> Using dnsmasq:
> 
> ```
> no-hosts
> ```
> 
> ...

Thanks for those details. I think I'll remain happy for now appending my host blocks to /etc/hosts, since I'm not already running dnsmasq and don't need another program installed or process running.

But someday ...

----------

## figueroa

 *Zucca wrote:*   

> BTW... There is a project which merges several bad host lists from the net to a single one: https://github.com/Ultimate-Hosts-Blacklist/Ultimate.Hosts.Blacklist

 

That's a great resource. I didn't know about that. I'm studying the site and keeping notes.

For the time being, my 60K line long hosts file does all the blocking I need.

----------

## Zucca

I found it while searching for the someonewhocares site.

I think I could give it a try. My current hostlist already blocks smart TV commercials quite well, but some still get past it.

----------

## pjp

Since the discussion of blocking hosts has expanded, it seems worth noting that it isn't a useful defense against the CNAME issue mentioned in the article.
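
The difference pa4wdh's and pjp's posts above are getting at, as an editor-added example (not code from any poster in this thread): a hosts file is matched only against the name the application asked for, whereas a resolver-level zone block such as pa4wdh's BIND wildcard zone is applied at every hop of the CNAME chain. The hosts excerpt, blocked zone and CNAME records are constructed sample data.

```python
# Editor-added example, not code from any poster in this thread; every name,
# record and list entry below is constructed sample data.

# Excerpt of a 0.0.0.0-style hosts blocklist (figueroa's approach).
HOSTS_FILE = """\
0.0.0.0 ad.doubleclick.net
0.0.0.0 stats.g.doubleclick.net
"""
# Zones blocked wholesale at the resolver (pa4wdh's BIND wildcard zone).
BLOCKED_ZONES = {"doubleclick.net"}
# CNAME records (name -> canonical name) as the resolver sees them.
CNAME_RECORDS = {
    "tracker.example.com": "cdn1.analytics-vendor.example",
    "cdn1.analytics-vendor.example": "x7.doubleclick.net",
    "loop.example.net": "loop.example.net",  # pathological self-referencing CNAME
}

def parse_hosts(text):
    """Return the set of names a hosts file sinks to 0.0.0.0."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            blocked.update(n.lower() for n in fields[1:])
    return blocked

def in_zone(name, zones):
    """True if name is a blocked zone or any subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

def hosts_file_blocks(name, hosts_blocked):
    """A hosts file is consulted only for the name the application asked for;
    the CNAME target is resolved upstream and never compared against the file."""
    return name.lower() in hosts_blocked

def resolver_blocks(name, zones, cnames, max_hops=8):
    """A resolver-level zone block applies at every hop of the CNAME chain, so a
    cloaked name is caught once the chain lands in a blocked zone.
    Returns (blocked, chain); chains longer than max_hops are not followed."""
    chain = [name.lower()]
    for _ in range(max_hops):
        if in_zone(chain[-1], zones):
            return True, chain
        target = cnames.get(chain[-1])
        if target is None:
            return False, chain
        chain.append(target.lower())
    return False, chain
```

The same caveat applies to dnsmasq's `addn-hosts` from Zucca's config, which has hosts-file semantics (exact name match); dnsmasq's `address=/doubleclick.net/0.0.0.0` form blocks the whole zone including subdomains and so behaves like the resolver-level check here.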

----------

## pjp

I'm no fan of Apple, but this was notable:

*Quote:*

> Apple's answer to marketer angst over being denied analytic data by Safari has been to propose a privacy-preserving ad click attribution scheme that allows 64 different ad campaign identifiers – so marketers can see which worked.
> 
> Google's alternative proposal, part of its "Privacy Sandbox" initiative, calls for an identifier field capable of storing 64 bits of data – considerably more than the integer 64.
> 
> As the Electronic Frontier Foundation has pointed out, this enables a range of numbers up to 18 quintillion, allowing advertisers to create unique IDs for every ad impression they serve, information that could then be associated with individual users.

*Quote:*

> Google Chrome has implemented its SameSite cookie scheme as a prelude to its planned 2022 phase-out of third-party cookies, maybe.

And that just means that they've found a way to not rely on 3rd-party cookies.

Privacy Sandbox seems aptly named to indicate the sandboxing of privacy.

Although from August, 2020, this was interesting (primarily the browsers / add-on comparisons):

https://blog.apnic.net/2020/08/04/characterizing-cname-cloaking-based-tracking/

----------

## yellowzip2

AdGuard: cname-trackers, in case you're not using uBlock Origin.

----------

## pjp

I have Origin installed, but I don't understand how to use it. It doesn't seem to block as much as I would prefer. I still rely on uMatrix (I'm aware it has been abandoned).

While I'm not worried about those two extensions, I have always considered extensions a "concern."

Then along came...

https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/

----------

## yellowzip2

*pjp wrote:*

> ...but I don't understand how to use it...

uBlock Origin is now a recommended extension on Firefox. Not too naive to trust them here, I hope.

How I use it: uBlock Origin Wiki > Filter lists from around the web < FilterLists + LAN block

----------

## Hu

Browser extensions have always had this problem. The scope of access is so coarse that most extensions that intend to be broadly useful end up empowered to cause tremendous havoc if abused. Mozilla killed XUL extensions in part with the claim that the new permissions-based model would be so much better, because extensions would be required to declare what they wanted and users could review it. In practice, the permission scopes are too broad to be useful, and the Firefox user base fragmented. Some people refused to upgrade to XUL-free versions. Some fled to a variety of forks, many of which have as their main claim to fame that XUL-extensions still work.

----------

## alamahant

Will having such a massive hosts file somehow impact web browsing speed or performance?

Thanks a lot

----------

## figueroa

*alamahant wrote:*

> Will having such a massive hosts file somehow impact web browsing speed or performance?
> 
> Thanks a lot

Short answer is no. I suspect it may be measurable but is not perceptible. My /etc/hosts file is over 60,000 lines.

I think browsing is actually faster. Advertising and tracking puts a big burden on web browsing.

----------

## Tony0945

 *figueroa wrote:*   

> I think browsing is actually faster. Advertising and tracking puts a big burden on web browsing.

 

I notice that on sites that display lots of stuff from twitter or facebook, the pages load fast, then about ten seconds later jerk all around as those links load.

----------

## pjp

@yellowzip2:

I've seen the Origin website, but thanks for the link. My impression from the author was that it was supposed to be (paraphrasing) "better by default" than uMatrix. In my opinion, Origin does very little (compared to uMatrix) by default.

*yellowzip2 wrote:*

> Interesting author. Not sure the "Extensions bad" trope is going to be believed at this stage (current year) - didn't we do this already?

By "doing this already," do you mean the problem has been resolved, there was never a problem, something else? I'm not sure what the author's about page and tropes have to do with the underlying problem.

----------

## pjp

No problem, I mainly wanted to ensure the author didn't have a track record of frequently being wrong.

On the matter of "bad by default," I do consider that to be true as a precaution until I'm "otherwise convinced" on an individual basis. I have no way of meaningfully evaluating extensions. I have 4 enabled (HTTPS Everywhere, uBlock Origin, uBlock Scope, and uMatrix). A fifth remains installed but has been disabled for a long time (NoScript). I had Privacy Badger(?) and a couple / few others installed, but I don't recall what they were. With XUL, I used an extension to automatically delete cookies... I miss that one, but haven't been "convinced" to trust an alternative.

----------

## Zucca

I remember there were some concerns with Privacy Badger. EFF has affiliates. And the concern was that PB would add the domains of these affiliates to the whitelist.

I tried to search for the article about it, but couldn't find it. Maybe it isn't a concern anymore?

----------

## figueroa

I find that Privacy Badger in Firefox helps me. It keeps me informed and sometimes out of trouble.

I only run four extensions:

Duck Duck Go Privacy Essentials

Privacy Badger

Facebook Container

Web Developer

Blocking I do with /etc/hosts and I've started to use adguard.com's DNS. I don't see any difference with adguard's DNS though, but it seems fast.

----------

## pjp

*yellowzip2 wrote:*

> I currently do this in Firefox-87.0 natively on both PC and Mobile: See about:preferences#privacy | Cookies and Site Data < Delete cookies and site data when Firefox is closed. I frequently close my browser and cleanup with a bash script!

I have "delete when closed" enabled too, but primarily because it is better than nothing. The extension I used deleted them a short time after closing the tab. I think the time was configurable.

I thought I had WebRTC disabled, but I didn't see what I was expecting, so maybe I'm thinking of something else. I'll look into some of the options you mentioned, thanks!

*Zucca wrote:*

> I remember there were some concerns with Privacy Badger. EFF has affiliates. And the concern was that PB would add the domains of these affiliates to the whitelist.
> 
> I tried to search for the article about it, but couldn't find it. Maybe it isn't a concern anymore?

Maybe it was this?

*Quote:*

> Ars Technica notes that if an advertiser makes a commitment to respect Do Not Track requests, their cookies will be unblocked from Privacy Badger.

https://en.wikipedia.org/wiki/Privacy_Badger#Reception

I'd forgotten about that, but I think that was why I stopped using it.

----------

## pjp

Absolutely, don't trust any source blindly. I remember the issue. That Wikipedia has since had a reference to the issue is not relevant to whether or not it was, if not still is, an issue. Also, it isn't "Wikipedia," it specifically references Ars Technica. According to the archived article, Ars quoted "the EFF". Of course, by 2014 Ars' content suffered considerably, but I'm not aware of any pattern of negligence, only lower quality in general. But that seems to be Condé Nast's specialty.

That an unrelated problem was identified years later by someone other than EFF isn't really meaningful. Yes, it is good that at the time, the EFF addressed the defaults, but that's bare minimum IMO. I'd expect nothing less. As an aside, the "learn over time" was one of the features I didn't care for. It translated to me as "exposed to threats until some unknown future time and date."

----------

## pjp

From that same Ars article you linked to, this seemed the part directly related to the previously brought up issue of allowing cookies from "affiliates" (emphasis added):

*Quote:*

> Users who install Privacy Badger can whitelist websites. Additionally, "Advertisers and other third-party domains can unblock themselves in Privacy Badger by making a strong commitment to respect Do Not Track requests," the EFF said.

At the time, that was a design choice. I even understand the motivation... "if advertisers will be nice, we won't punish them for it."

I have relatively low to moderate concern about tracking for advertising, but extreme concern about the use of that data for purposes other than advertising.

----------

## pjp

Well, it was really about a past implementation, so that it has gone on for this many posts seems unfortunate. I prefer blocking as much as possible by default, and distrust mechanisms that try to sound strong on blocking while simultaneously allowing "friends" through the back door. "I said no one is allowed in, not that it's okay if they come in the back door as long as I'm not informed about it." *shrug* To each their own. It reminds me of disreputable "opt-in" knowing full well most people don't want that. And I fully acknowledge that it probably isn't as bad as I just described. When uMatrix becomes less helpful, I may have to try PB again.

----------

