Security Bits — 4 April 2021
Feedback & Followups
- 🇺🇸 Following on from the excellent Motherboard reporting last time that showed how easy it was to hijack the SMS messages destined for a US cellphone number, the major US carriers have changed their practices to thwart the abuses Motherboard highlighted — www.vice.com/…
Deep Dive — What’s SmartBlock?
Mozilla release a new feature update to Firefox once a quarter, and the most recent update to be released was Firefox 87. Its big marquee new feature is a whole new take on protecting your privacy online which Mozilla have named SmartBlock.
What makes this interesting is that Mozilla are taking a completely new approach to prevent cross-site tracking. How well will it work? Only time will tell, but it’s certainly worth watching!
Firstly, let’s just get this out of the way — it is impossible for any browser to stop a site you visit from tracking your activity on that site. Facebook knows what you do on Facebook, and it always will! This is first-party tracking.
First-party tracking can actually track you across websites too if the two websites agree to share their first-party data with each other behind the scenes. Facebook knows what you did on Facebook, and WhatsApp knows what you did on WhatsApp, and since both are Facebook companies, the data can be combined to track you across sites. The same is true with Google’s massive suite of products.
Neither basic first-party tracking nor first-party tracking across sites requires the browser’s help to do what it does. It’s the servers capturing the data, and the organisations running those servers sharing it.
Third-party tracking is different. Third-party tracking does require the browser’s help because it’s built on cookies.
As a quick reminder, a cookie is a token handed to your browser by a web server that your browser is supposed to return to that same web server on all subsequent visits until the cookie expires. This lets the server recognise you as you. If you think about it — when I log in to Office365 and check my email I go to the identical URL to all the other Office365 users, and yet, I see my email, not anyone else’s. How does the server know it’s me? Cookies!
Every web server your browser makes a request to can offer a cookie, and the browser is supposed to return that cookie to that server in subsequent requests. Note that cookies are site-specific.
Another quick reminder that web pages are made up of multiple components, and they can be loaded from multiple servers. When you go to one website it gives your browser some HTML that your browser interprets. That HTML can embed references to images and other content on other web servers, and the browser then contacts those servers to fetch that content.
The server you directly pointed your browser at is the first party, your browser the second, and each other server content is loaded from to complete the page is considered a third party. If your page embeds a YouTube video, a Tweet, and a Flickr image then there are three third parties involved.
Third-party cross-site tracking depends on the websites you visit all embedding content from the same third party, the tracking site. You go to your favourite photography blog and it embeds an image from Evil Trackrs ‘R Us, you go to your favourite puppy video aggregator and they also embed an image from Evil Trackrs ‘R Us, and then you go to your favourite news website for some doom scrolling and they also embed an image from Evil Trackrs ‘R Us. The first time your browser was asked to fetch an image from the Evil Trackrs ‘R Us server it generated a random ID for you and returned it with the image as a cookie. Every subsequent time your browser was asked to fetch an image from Evil Trackrs ‘R Us it returned their cookie, allowing them to recognise you. The final piece of the puzzle is that when a browser fetches media for embedding in a page, it includes the URL of the page the media is being embedded in as part of the request (the Referer header). This allows web servers to prevent unwanted embedding, or hotlinking, but it also allows trackers to know where you are each time you return their cookie to them, letting them track you from website to website to website.
It’s all About the Cookies
So, cross-site tracking where the website owners are not all collaborating behind the scenes depends on third-party cookies, and cookies depend on the browser retaining and returning them like the spec says they should.
If it were not for the fact that there are very legitimate uses for third-party cookies (single-sign-on solutions for example), the obvious answer would be to block all of them. The only cookies your browser would store would be those for the server the user directly visited, i.e., the one in the address bar. All other cookies would be ignored. This is what happens when you turn off third-party cookies in your browser’s settings. If you do that, quite a bit of the internet will work fine, but some things will break.
So, the answer is to somehow accept and return good cookies but refuse to cooperate with bad cookies. That’s what all cross-site tracking protection comes down to, telling the good third-party cookies from the bad.
With Safari’s Intelligent Tracking Protection feature Apple accepts all cookies as normal, but it uses complex algorithms and AI to figure out which cookies to forget when making requests to third parties.
Note that Apple’s technique still involves communicating with the tracking servers — they still see you, but they see you as a fresh browser each time Safari forgets the cookie it was previously given.
Apple’s approach has the effect of shattering tracking profiles into pieces. The trackers still see everything you do, but they see you as lots of separate people. This means that if the trackers found a way to re-connect the pieces somehow, they could still track you.
This is why trackers are starting to experiment with fuzzier approaches that allow them to say that these pieces are probably from the same person because they jumped from the same residential IP to the same mobile IP at about the same time. This is also where browser fingerprinting comes in. If they can somehow tell that two browsing sessions were carried out on the same exact copy of a browser, then they can re-connect those pieces.
What makes Mozilla’s approach different is that they want to attack the problem on the other side — they want to avoid ever communicating with the tracking servers at all! You can’t join the dots when there are no dots!
Many trackers are loaded as JavaScript libraries that expose an API the website’s own code calls. If a browser simply blocks the tracker script from loading, then all those calls fail, and the site may break. Firefox has been doing this in Private tabs, and it does, in Mozilla’s words:
“[sometimes] result in images not appearing, features not working, poor performance, or even the entire page not loading at all.”
SmartBlock’s answer is to intercept the requests for known tracker scripts before they leave the browser and serve local stand-ins instead. Because the requests never leave the browser, the tracking server sees nothing. There are no pieces to re-connect! And because the stand-ins emulate the tracking API, the websites continue to function just fine too. The circle has been squared!
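To make the three strategies the post contrasts concrete, here is a toy model added for illustration (not Mozilla’s or Apple’s code): a browser visits three constructed sites that all embed an image from one hypothetical tracker host, under plain third-party cookies, Safari-style cookie forgetting, and SmartBlock-style interception.

```javascript
// Added toy model, not Firefox or Safari code. Three constructed sites all
// embed a 1x1 image from one hypothetical tracker host; the browser applies
// one of three policies:
//   "allow"      - third-party cookies are returned as the spec says
//   "forget"     - ITP-style: the tracker's cookie is dropped between sites
//   "smartblock" - the request is answered inside the browser and never sent
const TRACKER = "tracker.example";                                   // hypothetical
const SITES = ["photos.example", "puppies.example", "news.example"]; // constructed

// The tracker server: on first contact it mints an ID and sets it as a cookie;
// every request is logged with the Referer (the embedding page), which is
// exactly what lets it follow one visitor from site to site.
function makeTracker() {
  const log = [];
  let next = 1;
  return {
    log,
    handle(req) {
      const id = req.cookie ?? `uid-${next++}`;
      log.push({ id, referer: req.referer });
      return { body: "1x1.gif", setCookie: id };
    },
  };
}

// The browser: a cookie jar keyed by host, plus the policy applied whenever a
// page on `site` embeds a resource from the tracker host.
function browse(policy) {
  const tracker = makeTracker();
  const jar = new Map(); // host -> cookie value
  let stubbed = 0;       // requests answered locally with an emulated response
  for (const site of SITES) {
    if (policy === "smartblock") {
      stubbed++;         // the page still gets its image; the tracker sees nothing
      continue;
    }
    if (policy === "forget") jar.delete(TRACKER); // forget between sites
    const res = tracker.handle({ referer: `https://${site}/`, cookie: jar.get(TRACKER) });
    jar.set(TRACKER, res.setCookie);
  }
  const distinctIds = new Set(tracker.log.map((e) => e.id)).size;
  return { contacts: tracker.log.length, distinctIds, stubbed };
}
```

With "allow" the tracker logs one ID against three Referers, with "forget" it logs three unrelated IDs, and with "smartblock" it logs nothing while the page still receives three local responses.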
Note that this approach requires proactive development work by Mozilla to emulate each tracking API, and the emulation code has to be bundled into Firefox, so this additional protection has a finite scope. It can never block all tracking, but it can block the most commonly used APIs at any given time.
Remember, for a tracker to be widely adopted its API needs to be stable and easy for website owners to use. If the trackers were to try to thwart this by regularly changing their APIs, then every website owner using that tracker would need to regularly update their websites too. If the trackers try to annoy Firefox by artificially making work for them, they’ll create the same work for the people they absolutely need to keep happy — website owners!
Frankly, this is a master-stroke by Mozilla — hats off to them I say! 🙂
- Mozilla’s blog post announcing the feature: blog.mozilla.org/…
- A nice explanation from iMore: Firefox gets its own intelligent tracker blocking in latest version — www.imore.com/…
❗ Action Alerts
- Avast found 204 fleeceware apps on the iOS App Store and Google Play Store that together defrauded users of over $400M — www.imore.com/…
- Whistleblower: Ubiquiti Breach “Catastrophic” — krebsonsecurity.com/…
- Facebook announces big changes to comments and your News Feed — www.imore.com/…
- Related: 🎧 An excellent interview with former British deputy PM and current Facebook VP of Global Affairs Nick Clegg: Decoder: Facebook’s VP of Global Affairs doesn’t think the platform is polarizing — overcast.fm/…
- From Android 11 onwards, most Google Play apps will be blocked from scanning your phone to detect the other apps you have installed (exceptions are being made for AV and file managers) — arstechnica.com/…
- Snapchat is experimenting with probability matching as a possible workaround for Apple’s upcoming App Tracking Transparency (ATT) feature. It promises to stop when ATT goes live — 9to5mac.com/…
- The PHP project has responded very responsibly to an attack that appears to have been designed to highlight a problem in their infrastructure rather than to be genuinely malicious. The PHP project will stop running its own Git infrastructure, and host the project from GitHub instead — nakedsecurity.sophos.com/…
- (Via NosillaCastaway Allister Jenks): 1Password have improved their password generator to make it more secure and more human-friendly — blog.1password.com/…
- 🎧 Some wonderful insights into some major real-world breaches we’ve talked about in this segment over the years: The Changelog: Big breaches (and how to avoid them) — overcast.fm/…
- NFTs are a hot topic ATM, and while they’re not strictly security-related they are definitely security-adjacent, depending as they do on cryptographic building blocks. This post explains how they fit into the bigger picture from an artist’s POV, and also does an excellent job of debunking the myth that NFTs are necessarily spectacularly bad for the environment: What Does It Mean To Buy a Gif? — jackrusher.com/…
Just Because it’s Cool 😎
- The Bank of England have revealed the design of their new £50 note featuring mathematician, computer scientist, and cryptographer extraordinaire Alan Turing — nakedsecurity.sophos.com/…
- 🎧 A very interesting new podcast from VOX exploring the edges of our current scientific understanding: Unexplainable — www.vox.com/…
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Icon | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| (flag emoji) | The story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |