Web trackers using CNAME to bypass anti tracking
-
Have you guys seen this?
https://www.theregister.com/2021/03/04/adguard_cname_tracker/
AdGuard on Thursday published a list of more than 6,000 CNAME-based trackers so they can be incorporated into content-blocking filters.
CNAME tracking is a way to configure DNS records to erase the distinction between code and assets from a publisher's (first-party) domain and tracking scripts on that site that call a server on an advertiser's (third-party) domain. Such domain cloaking – obscuring who controls a domain – undoes privacy defenses, like the blocking of third-party cookies, by making third-party assets look like they're associated with the first-party domain.
This blurb doesn't do this issue justice. Because of the use of CNAMEs, the third parties now appear to be a first party subdomain, as such our browser sends them our session cookies for the sites in question.
This is a pretty scary security issue in my opinion.
-
Does pi-hole address this with it's Deep CNAME inspection feature?
-
@Danp said in Web trackers using CNAME to bypass anti tracking:
Does pi-hole address this with it's Deep CNAME inspection feature?
Good question, I don't know.
Apparently uBlock Origin in FF does, but not in Chromium based browsers because FF has a DNS API, and the others don't.
-
@Danp said in Web trackers using CNAME to bypass anti tracking:
Does pi-hole address this with it's Deep CNAME inspection feature?
Looks like the answer is yes. This is how uBlock Origin's works too.
-
Time to move to whitelisting instead.
-
@scottalanmiller said in Web trackers using CNAME to bypass anti tracking:
Time to move to whitelisting instead.
You mean "Allow List "
-
@dbeato said in Web trackers using CNAME to bypass anti tracking:
@scottalanmiller said in Web trackers using CNAME to bypass anti tracking:
Time to move to whitelisting instead.
You mean "Allow List "
They didn't get the memo:
