Brave blocks CNAME tracking, what about Vivaldi?



  • So this has been circulating in the news for a month now,
    https://www.theregister.com/2020/10/28/brave_cname_block/ ,
    https://www.ghacks.net/2020/11/17/brave-browser-gets-cname-based-adblocking-support/, but we don't have a thread here.
    It's the old (sad) story about cursed Google's API and how uBlock could block it only in Firefox, and not always successfully: https://blog.apnic.net/2020/08/04/characterizing-cname-cloaking-based-tracking/

    [Figure 2: Detection performance of browsers and extensions]

    👉 So what about Vivaldi? Is there something planned for the existing toolbox? M3 will find its way, but this is equally important for what Vivaldi stands for.

    moved from General Discussion > Security & Privacy



  • @npro Ooh! Thanks for this new-to-me info. Ugh.

    I note that https://blog.apnic.net/2020/08/04/characterizing-cname-cloaking-based-tracking/ [nor the other two] failed to include uMatrix in their tests, which is a bit annoying. So i wondered how i could test anyway. I looked at https://browserleaks.com/ & could see no obvious mention of CNAME. Next i tested with https://panopticlick.eff.org/, which seems now to have evolved into https://coveryourtracks.eff.org. My result was

    Our tests indicate that you have strong protection against Web tracking, though your software isn't checking for Do Not Track policies.
    IS YOUR BROWSER:
    Blocking tracking ads? Yes
    Blocking invisible trackers? Yes
    Unblocking 3rd parties that honor Do Not Track? No
    Protecting you from fingerprinting? Your browser has a unique fingerprint

    Again, it also seems to have no explicit mention of CNAME.

    The rotten whack-a-mole game continues anon.


    Btw i am not bothered about that finding re uniqueness. I use the extension Canvas Blocker (Fingerprint protect) & so every new tab, & every tab reload, has a new "unique" HTML5 Canvas Fingerprinting Signature.



  • @guigirl

    Sites and Internet marketing companies may use CNAME cloaking to avoid detection by content blockers, regardless of whether they are integrated in the browser natively, provided by browser extensions, or through other means such as the HOSTS file or DNS.
    CNAME tracking, also called CNAME cloaking, works through redirects by using subdomains of the main domain which are then redirected automatically to a tracking domain. Most content blockers distinguish between first and third party resources, and CNAME tracking uses this to avoid detection.

    tl;dr: you can do it with uMatrix (I think and I believe I am right) but it can be a pain.

    uBlock has evolved into a (off. supported) less granular and less verbose (& abandoned) uMatrix now (it used to be the ad-block part of the 2 contained in HTTP-Switchboard, as we know), so they are both content blockers, so imo what is said there applies to both; it's just that with uMatrix you have more power to overcome the hurdles, but you have to do it manually, which can become a real pain. The difference between a newer version of uBlock for Firefox and an older one for it and the Chromium browsers is that, because of Firefox's API, it can reveal the CNAME redirections and block them by default now, making it easier for the user, while in uMatrix if you don't block 1st-party scripts by default (which usually nobody does), a subdomain of it (for which you have also most probably accepted a cookie) can use a CNAME and redirect you to another url that tracks you, with its script or with the shared cookie. So to overcome this with uMatrix one should block everything 1st-party, have the domain list always expanded, check the subdomains if they include a CNAME redirection with the drill command for example, then leave their scripts blocked. You can read all details in the 1st link, which links to brave's post and test, and I'm sure the real paper contains much more and far more juicy info, but I don't have the time to study it now.

    /added: P.S. about those tests, well they don't say anything to me in general, I find them too vague and thus unreliable, html5 fingerprinting is also another subject.

    P.S.2 But as these methods of tracking are so sophisticated, one couldn't rely just on a "masochistic" uMatrix configuration and whatever a user says, a native "solution" would be welcomed, where at least you know that these things and their shenanigans are being monitored and overlooked by professionals.



  • @npro said in Brave blocks CNAME tracking, what about Vivaldi?:

    in uMatrix if you don't block 1st-party scripts by default (which usually nobody does), a subdomain of it (for which you have also most probably accepted a cookie) can use a CNAME and redirect you to another url that tracks you, with its script or with the shared cookie. So to overcome this with uMatrix one should block everything 1st-party, have the domain list always expanded, check the subdomains if they include a CNAME redirection with the drill command for example, then leave their scripts blocked

    Good info thx. My default global uM policy for a long time has been block everything except 1st-party, & then finesse individual cells on individual sites until achieving acceptable minimum functionality. Now, following your insights here, i've edited my global policy to block all. Over time in coming days as i return to each of my regular sites, i'll do the now-needed extra finessing to make them work again. Thx again.



  • @npro Thanks for the informative articles, I did not know about this. But not really surprising that advertisers will do anything they can to track users, even abusing the DNS system.

    I tested in Firefox (+uBlockO) with the site mentioned in the Reg article, and the CNAME host is blocked:

    $ dig 16ao.mathon.fr | grep CNAME
    16ao.mathon.fr.         187     IN      CNAME   mathon.eulerian.net.
    mathon.eulerian.net.    7087    IN      CNAME   et5.eulerian.net.
    

    Do you know how this exactly works in uBlock (Firefox)? Where are the rules or settings to control CNAME blocking, are there special lists?

    In principle I definitely agree that requests that use CNAMEs for other domains should not be allowed to set cookies. However, it might cause issues with sites that rely on these cookies for site functions, media playback or similar. The use of CNAME aliases are very common for sites that use a CDN for their content, and it does not have to mean it's for tracking purposes.

    $ dig download.vivaldi.com | grep CNAME
    download.vivaldi.com.   300     IN      CNAME   downloads.vivaldi.netdna-cdn.com.
    

    It could also mean that browsing would be a little slower, as the browser/extension has to check if the host has a CNAME on another domain for each request, and possibly also if that domain is on a tracker-list.



  • @Pathduck said in Brave blocks CNAME tracking, what about Vivaldi?:

    The use of CNAME aliases are very common for sites that use a CDN for their content, and it does not have to mean it's for tracking purposes.

    Yes, CNAME is not new, it's just that some abuse it which can lead to fatal consequences, I don't remember if this is included in the links above https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
    It is a disgusting practice, especially when you see it cheered for and being proud about it officially, https://experienceleague.adobe.com/docs/id-service/using/reference/analytics-reference/cname.html?lang=en 🤮 , this is quite informational how it works, I am not in the position though to follow all details without an extensive study on the matter, which requires a LOT of time, and many many tests with inspecting all 1st-party cookies involved as well, therefore I said that it should be looked at and maintained by Vivaldi in the first place.

    Do you know how this exactly works in uBlock (Firefox)? Where are the rules or settings to control CNAME blocking, are there special lists?

    Unfortunately no, I suspect how (what everyone assumes about blocklists) but can't speculate on this, if it's not being taken care though I guess one should study the whole git of uBlock as well, argh...



  • @npro It looks like the code itself is here:
    https://github.com/gorhill/uBlock/blob/master/platform/firefox/vapi-webrequest.js

    From the logger, it looks like it just finds out the CNAME domain, then matches this to existing known trackers from the lists:


    I can't see any setting to toggle this kind of testing on or off if one would want to.
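An added example (not code from the thread, uBlock Origin or Vivaldi) of the detection step described in this post and the dig output quoted earlier: follow the CNAME chain, then check whether the canonical name leaves the first-party domain and whether it is on a tracker list. The tracker list is constructed, and the "last two labels" registrable-domain rule is a stated simplification.

```python
"""Classify a host the way the thread describes uBlock Origin doing it:
resolve its CNAME chain, then compare the canonical name against the
first-party domain and a tracker list. DNS data is embedded (constructed
from the dig output quoted in the thread) so this runs offline."""

# Constructed zone data in dig's 'name TTL IN CNAME target' format.
DIG_OUTPUT = """
16ao.mathon.fr.         187     IN      CNAME   mathon.eulerian.net.
mathon.eulerian.net.    7087    IN      CNAME   et5.eulerian.net.
download.vivaldi.com.   300     IN      CNAME   downloads.vivaldi.netdna-cdn.com.
"""

# Constructed tracker list; eulerian.net is the domain from the thread's dig output.
TRACKER_DOMAINS = {"eulerian.net"}

def parse_cnames(text):
    """Build a name -> target map from dig-style CNAME records."""
    cnames = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3] == "CNAME":
            cnames[fields[0].rstrip(".").lower()] = fields[4].rstrip(".").lower()
    return cnames

def resolve_chain(host, cnames, limit=8):
    """Follow CNAMEs to the canonical name; 'limit' guards against CNAME loops."""
    chain = [host.lower()]
    while chain[-1] in cnames and len(chain) <= limit:
        chain.append(cnames[chain[-1]])
    return chain

def registrable_domain(host):
    """Simplification: last two labels. Real blockers consult the Public
    Suffix List so that names like 'example.co.uk' are handled correctly."""
    return ".".join(host.split(".")[-2:])

def classify(host, first_party, cnames, trackers=TRACKER_DOMAINS):
    """Return 'first-party', 'cname-cloaked-tracker' or 'third-party-cname'.
    The last case covers benign CDN aliases, which the thread notes are common."""
    canonical = resolve_chain(host, cnames)[-1]
    if registrable_domain(canonical) == registrable_domain(first_party):
        return "first-party"
    if registrable_domain(canonical) in trackers:
        return "cname-cloaked-tracker"
    return "third-party-cname"
```

Only the tracker-list match is treated as a block decision; a CNAME that merely points off-domain (the download.vivaldi.com CDN case) is reported, not blocked, which is the distinction the post above cares about.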


  • Moderator

    This should be implemented in Vivaldi. 👍

    I moved the thread to Feature Requests forum now!

    I added this internal feature request: VB-74773 "Block of CNAME tracking"



    ⇒ @all Please vote for https://forum.vivaldi.net/topic/53563/brave-blocks-cname-tracking-what-about-vivaldi/1



  • @Gwen-Dragon Thanks, wonderful idea! 👍

