As browser-makers move to defang third-party (tracking) cookies, marketers are increasingly switching to alternative tracking techniques. One of these is CNAME cloaking, which not only evades anti-tracking measures on most widely used browsers but, according to researchers, also introduces serious security and privacy issues.
Third-party cookies and anti-tracking protections
In 2019, Firefox was equipped with Enhanced Tracking Protection by default, blocking known trackers, third-party tracking cookies and cryptomining scripts. Social media trackers and tracking content in private windows were added to that list a few months later. In August 2020, Firefox received a new protection feature to hamper redirect tracking. Last month, Firefox received protection against cache-based tracking “supercookies”.
On Tuesday, Mozilla released Firefox 86, and with it yet another anti-tracking feature built into the browser’s Enhanced Tracking Protection (ETP): Total Cookie Protection.
“Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” Mozillans Tim Huang, Johann Hofmann and Arthur Edelstein explained.
There are exceptions to that rule, though: cross-site cookies needed for non-tracking purposes (e.g., single sign-on). “Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting,” they noted.
Since its inception, the Chromium-based Brave browser has introduced privacy/anti-tracking features such as a system for hiding privacy-harming page elements and third-party tracking ads, browser fingerprint randomization, default removal of common tracking parameters from URLs, protection against query parameter tracking, temporary removal of Google’s Reporting API, CNAME-based adblocking, etc.
Safari has its Intelligent Tracking Prevention feature that employs anti-fingerprinting protection (it presents a simplified version of the user’s system configuration to websites) and now effectively blocks all third-party cookies by default.
In early 2020, Google laid out a roadmap for making third-party cookies obsolete by 2022, and is working on alternative technologies/standards that will permit ad personalization without affecting user privacy.
CNAME cloaking dangers
According to researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem, CNAME cloaking is a tracking evasion scheme that is not new but is rapidly gaining in popularity.
The scheme takes advantage of a CNAME record on a subdomain.
“The tracker is injected in the first-party context, the context of the visited website. A website example.com is embedding content of the form xxx.example.com. But in reality, this subdomain xxx.example.com is an alias for the tracker domain yyy.tracker.com, a separate domain hosted at a third-party server,” Lukasz Olejnik explained.
“This scheme works thanks to a DNS delegation. Most often it is a DNS CNAME record. The tracker technically is hosted in a subdomain of the visited website.”
And because most anti-tracking protection relies on filter lists, the CNAME cloaking scheme effectively renders most browsers’ anti-tracking defenses ineffective, he notes.
“As of today, from the major web browser vendors only Firefox offers defenses. Since uBlock version 1.25 under Firefox, the extension dynamically resolves hosts and sanitizes such requests if a match is found. Such a measure does not work under Chrome because this web browser does not offer a way for extensions to dynamically resolve hostnames.”
What’s more, CNAME cloaking leads to session fixation and persistent cross-site scripting vulnerabilities, potentially opening users and publishers to attack, as well as massive cookie leaks.
“In 95% of cases of websites using this technique, we found cookies leaking to external tracker servers in an unsanctioned manner, invisible to the user. In some cases, we confirm that the leaked cookies contain private/sensitive data. All these likely trigger the violation of data protection regimes such as the GDPR, or maybe even the CCPA,” Olejnik concluded.
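The following script is an added example, not code from the article or from the researchers, that ties together the two points above: why a filter list that only matches request hostnames misses a cloaked subdomain unless the CNAME chain is resolved (the approach the quote attributes to uBlock on Firefox), and why first-party cookies scoped to the site’s domain end up at the tracker’s server. The hostnames example.com, xxx.example.com and yyy.tracker.com come from the article; the DNS records, the extra hop edge.tracker.com, the filter-list entry and the cookie jar are constructed sample data.

```python
"""Added example (not from the article): CNAME-chain-aware blocking and
cookie-leak scoping for a CNAME-cloaked subdomain, on constructed data."""
from dataclasses import dataclass

# Constructed sample zone: name -> CNAME target. A value of None (or a
# missing key) means the name has an A record, i.e. the chain ends there.
SAMPLE_CNAMES = {
    "xxx.example.com": "yyy.tracker.com",   # names from the article
    "yyy.tracker.com": "edge.tracker.com",  # assumed second hop
    "static.example.com": None,             # genuine first-party host
}

# A hostname-based filter list of the kind most blockers use (assumed entry).
TRACKER_FILTER_LIST = {"tracker.com"}


def domain_matches(host, domain):
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def resolve_cname_chain(name, records, max_hops=10):
    """Follow CNAME records from name; returns every name along the way."""
    chain, seen, cur = [name], {name}, name
    for _ in range(max_hops):
        target = records.get(cur)
        if target is None:          # A record reached: end of chain
            return chain
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        chain.append(target)
        seen.add(target)
        cur = target
    raise ValueError("CNAME chain exceeds max_hops")


def blocked_by_hostname_only(host, filter_list):
    """What a blocker sees without DNS access: only the request hostname."""
    return any(domain_matches(host, d) for d in filter_list)


def blocked_with_cname_uncloaking(host, filter_list, records):
    """Match every name in the CNAME chain, not just the request hostname."""
    return any(blocked_by_hostname_only(n, filter_list)
               for n in resolve_cname_chain(host, records))


def cloaked_target(host, site, records):
    """Final CNAME target if the chain leaves the site's domain, else None."""
    final = resolve_cname_chain(host, records)[-1]
    return None if domain_matches(final, site) else final


@dataclass
class Cookie:
    name: str
    domain: str       # Domain attribute (leading dot stripped), or the host
    host_only: bool   # True when the cookie was set without a Domain attribute


def cookie_sent_to(cookie, host):
    """RFC 6265 domain matching: host-only cookies go to the exact host only,
    domain cookies go to that domain and all of its subdomains."""
    if cookie.host_only:
        return cookie.domain == host
    return domain_matches(host, cookie.domain)


# Constructed cookie jar for example.com.
SAMPLE_COOKIE_JAR = [
    Cookie("sessionid", "example.com", host_only=False),   # Domain=.example.com
    Cookie("prefs", "example.com", host_only=False),       # Domain=.example.com
    Cookie("csrf", "www.example.com", host_only=True),     # no Domain attribute
]


def leaked_cookies(host, site, jar, records):
    """Names of cookies the browser would send to host when host is a
    CNAME-cloaked alias for a server outside site."""
    if cloaked_target(host, site, records) is None:
        return []
    return [c.name for c in jar if cookie_sent_to(c, host)]


if __name__ == "__main__":
    host = "xxx.example.com"
    print("chain:", " -> ".join(resolve_cname_chain(host, SAMPLE_CNAMES)))
    print("hostname-only block:", blocked_by_hostname_only(host, TRACKER_FILTER_LIST))
    print("uncloaked block:", blocked_with_cname_uncloaking(host, TRACKER_FILTER_LIST, SAMPLE_CNAMES))
    print("cookies sent to tracker:", leaked_cookies(host, "example.com", SAMPLE_COOKIE_JAR, SAMPLE_CNAMES))
```

Run as-is, the script shows that xxx.example.com passes a hostname-only filter list, is caught once the chain is resolved, and receives both cookies scoped to Domain=.example.com (the host-only cookie set by www.example.com is not sent). In a real blocker the CNAME lookup must happen per request and respect the resolver’s answers, which is exactly the capability the quote says Chrome does not expose to extensions.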
UPDATE (March 5, 2021, 05:05 a.m. PT):
AdGuard has published a list of all known CNAME-cloaked trackers for content blockers to use.
“This is the most complete auto-updating repository of actively used hidden trackers by now, consisting of more than 6000 entries. The list is to be updated on a regular basis to add new hidden trackers as they’re being detected,” said Andrey Meshkov, CEO of AdGuard, but warned that this isn’t a definitive solution for the CNAME-cloaked tracking problem.
“We plan to keep the filter list up to date, but the number of hidden trackers constantly grows, meaning that the number of blocking rules will be increasing as well. The problem is, Safari and Chrome in their chase after the total control over content blocking limit the number of blocking rules to 50,000 and 150,000 (as planned in Manifest V3) respectively. Even today we see that Safari’s 50,000 rules are barely enough to protect yourself against ads, trackers, and everything else bad that’s lurking on the web. One day they will simply run out of space to protect users against actual threats, and this day is closer than you might think.”