CNAME-based tracking

[yellowzip2]

I finally switched from ungoogled-chromium (pf4public overlay) to Firefox (with the usual privacy tweaks) recently in part prompted by claims made recently about CNAME deception.

CNAME tracking abuses DNS records to erase the distinction between first-party and third-party contexts. Firefox running the uBlock Origin 1.25+ extension can see through CNAME deception whereas Chromium based projects running uBlock Origin may not.

Has anyone here been following developments with CNAME-based tracking with regard to browser choice?

[pjp]

Thanks for the heads up. I hadn't seen that one.

I find it sad that Firefox seems to be the least worst option. I've never used Chrome for personal use, and only briefly tried Chromium.
_________________
Quis separabit? Quo animo?

[yellowzip2]

[pa4wdh]

It's indeed one of the bad signs of the state to today's internet: "Gee, users don't want to be tracked and are blocking us, lets try an other way so they can't block us".

It's not a browser based solution, but my way of working seems to work against this kind of tracking as well. I'm user BIND to do DNS based blocking. I create zones for domains i wish to block and insert a wildcard in there which directs the requist to my own webserver (which answers with a 404 ).

For example, i have blocked doubleclick.net, so any request for anything within that domain is redirected. Now lets assume they start using cname based tracking under tracker.example.com. Now tracker.example.com will resolve into <something>.doubleclick.net, and from there it's again redirected to my own system.

I haven't actually ran into cname based tracking yet, so this is all theory. Any other insights or comments are welcome
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com

[figueroa]

One of my tools is I have over 60,000 entries sent to 0.0.0.0 in /etc/hosts. 191 of them are doubleclick.net entries.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi

[yellowzip2]

none

[figueroa]

See my posts in the following forum page regarding my two scripts to curate your own /etc/hosts additions.
https://forums.gentoo.org/viewtopic-t-1107432-highlight-hosts.html

Don't stop at the first post. I continued to share improvements which I continue to use, shared in the last post of that thread, on the second page.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi

[Zucca]

I've been using https://someonewhocares.org/hosts/ as my source for domains to block.

Although I try to keep my /etc/hosts clean so I pass the block list hosts -file for my dns as an additional hosts -file.
_________________
..: Zucca :..

[figueroa]

[Zucca]

Using dnsmasq:

[Zucca]

BTW... There is a project which merges several bad host lists from the net to a single one: https://github.com/Ultimate-Hosts-Blacklist/Ultimate.Hosts.Blacklist
_________________
..: Zucca :..

[figueroa]

[figueroa]

[Zucca]

I found it while searching for the someonewhocares -site.
I think I could give it a try. My current hostlist already block smart TV commercials quite well, but some still get past it.
_________________
..: Zucca :..

[pjp]

Since the discussion of blocking hosts has expanded, it seems worth noting that it isn't a useful defense against the CNAME issue mentioned in the article.
_________________
Quis separabit? Quo animo?

[yellowzip2]

none

[pjp]

I'm no fan of Apple, but this was notable:

[yellowzip2]

AdGuard : cname-trackers - in case you're not using : Ublock-Origin.

[pjp]

I have Origin installed, but I don't understand how to use it. It doesn't seem to block as much as I would prefer. I still rely on uMatrix (I'm aware it has been abandoned).

While I'm not worried about those two extensions, I have always considered extensions a "concern."

Then along came...

https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/
_________________
Quis separabit? Quo animo?

[yellowzip2]

[yellowzip2]

none

[Hu]

Browser extensions have always had this problem. The scope of access is so coarse that most extensions that intend to be broadly useful end up empowered to cause tremendous havoc if abused. Mozilla killed XUL extensions in part with the claim that the new permissions-based model would be so much better, because extensions would be required to declare what they wanted and users could review it. In practice, the permission scopes are too broad to be useful, and the Firefox user base fragmented. Some people refused to upgrade to XUL-free versions. Some fled to a variety of forks, many of which have as their main claim to fame that XUL-extensions still work.

[alamahant]

Will having such a massive hosts file somehow impact web browsing speed or performance?
Thanks a lot
_________________

[figueroa]

[Tony0945]