
Security Bits — 4 April 2021 Including Deep Dive on Firefox’s SmartBlock


Feedback & Followups

Deep Dive — What’s SmartBlock?

Mozilla release a new feature update to Firefox once a quarter, and the most recent update to be released was Firefox 87. Its big marquee new feature is a whole new take on protecting your privacy online which Mozilla have named SmartBlock.

What makes this interesting is that Mozilla are taking a completely new approach to prevent cross-site tracking. How well will it work? Only time will tell, but it’s certainly worth watching!

Important Context

Firstly, let’s just get this out of the way — it is impossible for any browser to stop a site you visit from tracking your activity on that site. Facebook knows what you do on Facebook, and it always will! This is first-party tracking.

First-party tracking can actually track you across websites too if the two websites agree to share their first-party data with each other behind the scenes. Facebook knows what you did on Facebook, and WhatsApp knows what you did on WhatsApp, and since both are Facebook companies, the data can be combined to track you across sites. The same is true with Google’s massive suite of products.

Neither basic first-party tracking nor first-party tracking across sites requires the browser’s help to do what it does. It’s the servers capturing the data, and the organisations running those servers sharing it.

Third-party tracking is different. Third-party tracking does require the browser’s help because it’s built on cookies.

As a quick reminder, a cookie is a token handed to your browser by a web server that your browser is supposed to return to that same web server on all subsequent visits until the cookie expires. This lets the server recognise you as you. If you think about it — when I log in to Office365 and check my email I go to the identical URL to all the other Office365 users, and yet, I see my email, not anyone else’s. How does the server know it’s me? Cookies!

Every web server your browser makes a request to can offer a cookie, and the browser is supposed to return that cookie to that server in subsequent requests. Note that cookies are site-specific.

Another quick reminder that web pages are made up of multiple components, and they can be loaded from multiple servers. When you go to one website it gives your browser some HTML that your browser interprets. That HTML can embed references to images and other content on other web servers, and the browser then contacts those servers to fetch that content.

The server you directly pointed your browser at is the first party, your browser the second, and each other server content is loaded from to complete the page is considered a third party. If your page embeds a YouTube video, a Tweet, and a Flickr image then there are three third parties involved.

Third-party cross-site tracking depends on websites you visit all embedding content from the same third party, the tracking site. You go to your favourite photography blog and it embeds an image from Evil Trackrs ‘R Us, you go to your favourite puppy video aggregator and they also embed an image from Evil Trackrs ‘R Us, and then you go to your favourite news website for some doom scrolling and they also embed an image from Evil Trackrs ‘R Us. The first time your browser was asked to fetch an image from the Evil Trackrs ‘R Us server, that server generated a random ID for you and returned it with the image as a cookie. Every subsequent time your browser was asked to fetch an image from Evil Trackrs ‘R Us it returned their cookie, allowing them to recognise you. The final piece of the puzzle is that when a browser fetches media for embedding in a page, it includes the URL of the page the media is being embedded in as part of the request. This allows web servers to prevent unwanted embedding, or hotlinking, but it also allows trackers to know where you are each time you return their cookie to them, letting them track you from website to website to website.

It’s all About the Cookies

So, cross-site tracking where the website owners are not all collaborating behind the scenes depends on third-party cookies, and cookies depend on the browser retaining and returning them like the spec says they should.

If it were not for the fact that there are very legitimate uses for third-party cookies (single-sign-on solutions for example), the obvious answer would be to block all of them. The only cookies that your browser would store would be those for the server the user directly visited, i.e., the one in the address bar. All other cookies would be ignored. This is what happens when you turn off third-party cookies in your browser’s settings. If you do that, quite a bit of the internet will work fine, but, some things will break.

So, the answer is to somehow accept and return good cookies but refuse to cooperate with bad cookies. That’s what all cross-site tracking protection comes down to, telling the good third-party cookies from the bad.

Apple’s Approach

With Safari’s Intelligent Tracking Protection feature Apple accepts all cookies as normal, but it uses complex algorithms and AI to figure out which cookies to forget when making requests to third parties.

Note that Apple’s technique still involves communicating with the tracking servers — they still see you, but they see you as a fresh browser each time Safari forgets the cookie it was previously given.

Apple’s approach has the effect of shattering tracking profiles into pieces. The trackers still see everything you do, but they see you as lots of separate people. This means that if the trackers found a way to re-connect the pieces somehow, they could still track you.
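The tracking loop described under Important Context, and the profile shattering that results when the browser forgets the tracker's cookie, as an added simulation (not part of the original show notes). There is no real network here; the site URLs, the `forgetBetweenSites` policy name and the ID format are all constructed for illustration.

```javascript
// Constructed simulation: all names and URLs are hypothetical.
const SITES = [
  'https://photo-blog.example/',
  'https://puppy-videos.example/',
  'https://news.example/',
];

// Tracker side: one profile per cookie ID, built from the embedding
// page URL that accompanies each request.
function makeTracker() {
  const profiles = new Map();
  return {
    profiles,
    // Returns the cookie value the tracker sets in its response.
    handle(request) {
      let id = request.cookie;
      if (!id) id = 'id-' + Math.random().toString(16).slice(2); // first sighting
      if (!profiles.has(id)) profiles.set(id, []);
      profiles.get(id).push(request.embeddedIn);
      return id;
    },
  };
}

// Browser side: a single cookie slot for the tracker, plus a policy.
function makeBrowser(tracker, policy) {
  let jar = null;
  return {
    visit(pageUrl) {
      // Forgetting the cookie makes the browser look brand new.
      if (policy.forgetBetweenSites) jar = null;
      jar = tracker.handle({ cookie: jar, embeddedIn: pageUrl });
    },
  };
}

// Visit every site once and return the profiles the tracker ended up with.
function simulate(policy) {
  const tracker = makeTracker();
  const browser = makeBrowser(tracker, policy);
  for (const site of SITES) browser.visit(site);
  return [...tracker.profiles.values()];
}
```

With `forgetBetweenSites: false` the tracker holds one profile listing all three sites; with `true` it still receives three requests but files them under three unrelated IDs.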

This is why trackers are starting to experiment with fuzzier approaches that allow them to say that these pieces are probably from the same person because they jumped from the same residential IP to the same mobile IP at about the same time. This is also where browser fingerprinting comes in. If they can somehow tell that two browsing sessions were carried out on the same exact copy of a browser, then they can re-connect those pieces.

Firefox’s Approach

What makes Mozilla’s approach different is that they want to attack the problem on the other side — they want to avoid ever communicating with the tracking servers at all! You can’t join the dots when there are no dots!

Up to now, I’ve kept things a little simpler than they really are for the sake of clarity. Website owners don’t directly embed an image or something like that from a tracking server into their website. Instead, they embed some JavaScript code which then does something to cause the browser to need to fetch something from one or more tracking servers. Basically, there’s a layer of indirection that makes Mozilla’s job much harder.

The tracking industry is very well motivated to make it as difficult as possible to block their tracking — their fiscal survival literally depends on it! So, the JavaScript they use to embed the tracking is also pro-actively trying to detect the presence of tracking prevention and let the website know its monetisation is being blocked.

As a website owner, including a tracker in your website is a lot like making use of an open-source JavaScript API like moment.js for time calculations, or is.js for data validation. It’s a Script tag that loads some JavaScript that has an API your code interacts with.

If a browser blocks the tracker script from loading, then all calls to the API by the website’s own code will fail, causing the site to potentially break. Firefox has been doing this in Private tabs, and it does, in their words:

“[sometimes] result in images not appearing, features not working, poor performance, or even the entire page not loading at all.”

What Mozilla have done now is found a way to block the tracking script without breaking websites. They do this by intercepting the calls to load the tracking JavaScript and replying with JavaScript of their own that emulates the tracker’s API. This means the site’s own JavaScript does not receive errors from the function calls it thinks it’s making to the tracker, it simply receives fictitious answers!

Because the requests are intercepted before they leave the browser the tracking server sees nothing. There are no pieces to re-connect! And, because the browser returns emulations of the tracking API, the websites continue to function just fine too. The circle has been squared!
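The difference between allowing, blocking and replacing a tracker script, as an added simulation (not Mozilla's code and not from the original show notes). The `EvilTrackr` global, its two methods and the `tracker.example` URLs are hypothetical stand-ins for a real tracker's API.

```javascript
// Constructed simulation; "EvilTrackr", its API and the URLs are hypothetical.
const TRACKER_SRC = 'https://tracker.example/api.js';

// What the real third-party script would define: every call phones home.
function realTrackerApi(network) {
  return {
    trackPageView(url) { network.push(`POST tracker.example/collect?u=${url}`); },
    getVisitorId() { network.push('GET tracker.example/id'); return 'real-id'; },
  };
}

// Stand-in with the same surface: same method names, harmless return
// values, and no network access at all.
function shimTrackerApi() {
  return {
    trackPageView() {},
    getVisitorId() { return ''; },
  };
}

// Load one page under a script policy: 'allow', 'block' or 'shim'.
function loadPage(policy) {
  const network = [];   // every request that leaves the browser
  const globals = {};   // stand-in for the page's window object
  if (policy === 'allow') {
    network.push(`GET ${TRACKER_SRC}`);
    globals.EvilTrackr = realTrackerApi(network);
  } else if (policy === 'shim') {
    globals.EvilTrackr = shimTrackerApi(); // answered inside the browser
  } // 'block': the script never loads, so the global stays undefined

  // First-party site code, written against the tracker's API.
  let rendered = false;
  let error = null;
  try {
    globals.EvilTrackr.trackPageView('https://blog.example/post');
    const id = globals.EvilTrackr.getVisitorId();
    rendered = typeof id === 'string'; // the page only renders if the calls succeed
  } catch (e) {
    error = e.name;
  }
  return { rendered, error, requests: network.length };
}
```

Only the `shim` policy gives both outcomes at once: the page renders and the request count is zero.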

Note that this approach requires pro-active development work by Firefox to emulate each tracking API, and, the emulation code has to be bundled into Firefox, so, this additional protection has a finite scope. It can never block all tracking, but, it can block the most commonly used APIs at any given time.

Remember, for a tracker to be widely adopted its API needs to be stable and easy to use by website owners. If the trackers were to try to thwart this by regularly changing their APIs, then every website owner using that tracker would need to regularly update their websites too. If the trackers try to annoy Firefox by artificially making work for them, they’ll create the same work for the people they absolutely need to keep happy — website owners!

Frankly, this is a master-stroke by Mozilla — hats off to them I say! 🙂

Links

❗ Action Alerts

Worthy Warnings

Notable News

Interesting Insights

Just Because it’s Cool 😎

  • The Bank of England have revealed the design of their new £50 note featuring mathematician, computer scientist, and cryptographer extraordinaire Alan Turing — nakedsecurity.sophos.com/…

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to. When the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
