The open Cookie jar...

Discussion in 'privacy problems' started by deBoetie, Aug 17, 2018.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Researchers at KU Leuven are reporting mechanisms whereby cookies can be used to bypass browser and extension based protections from cookie tracking by 3rd parties.

    https://wholeftopenthecookiejar.eu/static/tpc-paper.pdf

    Companion website:

    https://wholeftopenthecookiejar.eu/

    It seems like all popular browsers and extensions are vulnerable to varying degrees, including TBB, ABP, UBO etc. At least Gorhill/UBO has addressed some of the issues identified, but this looks to be an important thing to monitor/have mitigations for, for people here.

    I do not know, and would be interested to discuss, the extent to which controls such as site containers in FF help.

    Various commentaries:

    https://www.schneier.com/
    https://www.theregister.co.uk/2018/08/17/usenix_cookies/
    https://www.bleepingcomputer.com/ne...browser-tracking-protections-and-ad-blockers/
    https://www.tomsguide.com/us/ad-tracking-block-fail,news-27819.html
    https://boingboing.net/2018/08/16/who-left-open-the-cookie-jar.html
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    So what is a temporary solution? Using multiple browsers at once, I guess. Each one to log in to a different website/webapp...
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Hey, compartmentalization :)

    Just using multiple browsers is iffy. Much better is using multiple VMs.

    And better yet, multiple physical machines. If I were seriously into that, I'd probably go with a bunch of microcomputers on a KVM switch.
     
  4. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Haven't read the PDF yet, but once again, things like this are precisely why I advocate being careful what you put online at all. These issues come up with regular monotony.
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    As far as temporary solutions are concerned, I think having controls in the router completely independent of clients and browsers is a start, and I also believe (not sure, haven't tested) that the FF multi-account-containers will assist in limiting contagion, but I'm not sure about this. Also, a fairly fanatical compartmentalisation approach including opsec in terms of browser use - a pain and always prone to slip-ups.

    I'm also using multiple profiles created with firejail (rather than browser-based profile management), because that allows you to have different policies and file locations enforced by the firejail sandbox.

    I don't think there are long-term solutions as far as browsers are concerned because they have become too complex, are glitzy front-ends to a controlling mainframe that gets to execute what it likes on your machine (for "functionality" read addictive eye-ball grabbing), and the business models of the browser developers are actively hostile to privacy. Browsers were "sold" on the basis that code run on them would be completely isolated from your real computer, and from each session. That's a lie.

    I believe the only privacy respecting paradigm will be use of structured messaging according to an agreed domain schema (a bit like EDI), encrypted in transit, and completely parsed, processed and rendered by client software under your control, with good sandboxing/decoupling between processing and rendering (this is impossible with browsers because html is designed with a rendering expectation and has numerous extensions which can be implemented such as webrtc). I think that dark marketplaces may be the first to develop such schemes, mainly to protect the marketplace owners.

    Of course, that would require a different attitude to latency, although one I would greatly value - because I loved the days when you submitted batch jobs that the computer got on with while enjoying my life elsewhere! The issue is that this way of working, while better for most people most of the time, is inimical to the desire of the free commercial services who wish to grab your eyeballs.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    There is an interesting discussion (with @gorhill participating) on ghacks-user.js with several good links.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @summerheat - thanks, something to absorb in those discussions! That responsiveness and transparency is something that's always been good about uBO.
     
  8. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Haven't read the report yet, but I assume that Ghostery and uBlock are vulnerable because the problem lies in the browser itself, right? And the funny thing is that this report was sponsored by Facebook, since when are they so concerned about this topic LOL.

    Yes exactly, I do use ad and tracking blockers but I don't have any illusions about companies not being able to track me. The problem lies in the whole browser architecture.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
  11. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    737
    Location:
    South Park, CO
  12. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    @avatar
    Is Adguard for Windows free of the issues presented?
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Actually, Temporary Containers is the way to go as it opens every site in its own temporary container (and not only specific sites). I use it alongside First-Party Isolation. All tests on that site failed for me. :thumb:
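
Added example, not part of the original post and not Firefox's or any extension's code: a simplified model of why keying the cookie jar by top-level site (the idea behind First-Party Isolation and per-site containers) stops an embedded third party from linking visits across sites. The site names and the `trackerView` helper are constructed for illustration, and the model does not cover the request paths the paper found where a browser or extension fails to apply its cookie policy.

```javascript
// Simplified model of cookie-jar keying; all site names are constructed samples.
const TRACKER = 'tracker.example';

class CookieJar {
  // isolated=false: one jar per cookie domain, shared across every page.
  // isolated=true: jar keyed by (top-level site, cookie domain), the idea
  // behind First-Party Isolation and per-site containers.
  constructor(isolated) {
    this.isolated = isolated;
    this.store = new Map();
  }
  key(topLevelSite, cookieDomain) {
    return this.isolated ? `${topLevelSite}^${cookieDomain}` : cookieDomain;
  }
  get(topLevelSite, cookieDomain) {
    return this.store.get(this.key(topLevelSite, cookieDomain));
  }
  set(topLevelSite, cookieDomain, value) {
    this.store.set(this.key(topLevelSite, cookieDomain), value);
  }
}

// What the embedded third party learns: each ID it issued and the
// top-level sites on which that ID came back.
function trackerView(isolated, visits) {
  const jar = new CookieJar(isolated);
  const seen = {};
  let nextId = 1;
  for (const site of visits) {
    let id = jar.get(site, TRACKER);
    if (id === undefined) {
      // No cookie came back in this jar partition, so the tracker issues a new ID.
      id = `uid-${nextId++}`;
      jar.set(site, TRACKER, id);
    }
    if (!seen[id]) seen[id] = [];
    seen[id].push(site);
  }
  return seen;
}

// Constructed browsing session: two sites embedding the same third party, one revisit.
const VISITS = ['news.example', 'shop.example', 'news.example'];
console.log('shared jar:  ', trackerView(false, VISITS));
console.log('isolated jar:', trackerView(true, VISITS));
```

With the shared jar a single ID spans both sites; with the isolated jar the revisit to news.example is still recognised, but nothing ties it to shop.example.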
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @summerheat - thanks, I've been evaluating temporary containers too, can't remember where I was with that!
     
  15. lolnothankyou

    lolnothankyou Registered Member

    Joined:
    Jul 29, 2018
    Posts:
    61
    Location:
    DisableLocation
  16. gorhill

    gorhill Guest

  17. guest

    guest Guest

    Firefox 65: New Cookie Jar Policy to block tracking
    September 23, 2018
    https://www.ghacks.net/2018/09/23/firefox-65-new-cookie-jar-policy-to-block-tracking/
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    Blocking tracking cookies is already present in Firefox 63 beta, 64 nightly got an additional part, it's usable.
     