{"id":23350,"date":"2021-04-04T14:17:35","date_gmt":"2021-04-04T21:17:35","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23350"},"modified":"2021-04-04T14:20:01","modified_gmt":"2021-04-04T21:20:01","slug":"sb-2021-04-04","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/04\/sb-2021-04-04\/","title":{"rendered":"Security Bits \u2014 4 April 2021 Including Deep Dive on Firefox&#8217;s SmartBlock"},"content":{"rendered":"<h1>Security Bits \u2014 4 April 2021<\/h1>\n<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Following on from the excellent Motherboard reporting last time that showed how easy it was to hijack the SMS messages destined for a US cellphone number, the major US carriers have changed their practices to thwart the abuses Motherboard highlighted \u2014 <a href=\"https:\/\/www.vice.com\/en\/article\/5dp7ad\/tmobile-verizon-att-sms-hijack-change\">www.vice.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/tmobile-completes-stirshaken\/\">T-Mobile Completes Rollout of Anti-Spam \u2018STIR\/SHAKEN\u2019 Technology \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 What&#8217;s <em>SmartBlock<\/em>?<\/h2>\n<p>Mozilla release a new feature update to Firefox every four weeks, and the most recent update to be released was Firefox 87. Its marquee new feature is a new approach to protecting your privacy online, which Mozilla have named <em>SmartBlock<\/em>.<\/p>\n<p>What makes this interesting is that Mozilla are taking a completely new approach to preventing cross-site tracking. How well will it work? 
Only time will tell, but it&#8217;s certainly worth watching!<\/p>\n<h3>Important Context<\/h3>\n<p>Firstly, let&#8217;s just get this out of the way \u2014 it is impossible for any browser to stop a site you visit from tracking your activity on that site. Facebook knows what you do on Facebook, and it always will! This is first-party tracking.<\/p>\n<p>First-party tracking can actually track you across websites too if the two websites agree to share their first-party data with each other behind the scenes. Facebook knows what you did on Facebook, and WhatsApp knows what you did on WhatsApp, and since both are Facebook companies, the data can be combined to track you across sites. The same is true with Google&#8217;s massive suite of products.<\/p>\n<p>Neither basic first-party tracking nor first-party tracking across sites requires the browser&#8217;s help to do what it does. It&#8217;s the servers capturing the data, and the organisations running those servers sharing it.<\/p>\n<p>Third-party tracking is different: it does require the browser&#8217;s help, because it&#8217;s built on cookies.<\/p>\n<p>As a quick reminder, a cookie is a token handed to your browser by a web server that your browser is supposed to return to that same web server on all subsequent visits until the cookie expires. This lets the server recognise you as you. If you think about it \u2014 when I log in to Office365 and check my email I go to the identical URL to all the other Office365 users, and yet, I see my email, not anyone else&#8217;s. How does the server know it&#8217;s me? Cookies!<\/p>\n<p>Every web server your browser makes a request to can offer a cookie, and the browser is supposed to return that cookie to that server in subsequent requests. Note that cookies are scoped to the server (more precisely, the domain) that set them: the browser never sends one server&#8217;s cookie to another.<\/p>\n<p>Another quick reminder that web pages are made up of multiple components, and they can be loaded from multiple servers. 
When you go to one website it gives your browser some HTML that your browser interprets. That HTML can embed references to images and other content on other web servers, and the browser then contacts those servers to fetch that content.<\/p>\n<p>The server you directly pointed your browser at is the first party, you and your browser are the second, and every other server that content is loaded from to complete the page is considered a third party. If your page embeds a YouTube video, a Tweet, and a Flickr image then there are three third parties involved.<\/p>\n<p>Third-party cross-site tracking depends on websites you visit all embedding content from the same third party, the tracking site. You go to your favourite photography blog and it embeds an image from <em>Evil Trackrs &#8216;R Us<\/em>, you go to your favourite puppy video aggregator and they also embed an image from <em>Evil Trackrs &#8216;R Us<\/em>, and then you go to your favourite news website for some doom scrolling and they also embed an image from <em>Evil Trackrs &#8216;R Us<\/em>. The first time your browser was asked to fetch an image from the <em>Evil Trackrs &#8216;R Us<\/em> server it generated a random ID for you and returned it with the image as a cookie. Every subsequent time your browser was asked to fetch an image from <em>Evil Trackrs &#8216;R Us<\/em> it returned their cookie, allowing them to recognise you. The final piece of the puzzle is that when a browser fetches media for embedding in a page, it includes the URL of the page the media is being embedded in as part of the request, in the HTTP <code>Referer<\/code> header. 
This allows web servers to prevent unwanted embedding, or <em>hotlinking<\/em>, but it also allows trackers to know where you are each time you return their cookie to them, letting them track you from website to website to website.<\/p>\n<h3>It&#8217;s all About the Cookies<\/h3>\n<p>So, cross-site tracking where the website owners are not all collaborating behind the scenes depends on third-party cookies, and cookies depend on the browser retaining and returning them like the spec says they should.<\/p>\n<p>If it were not for the fact that there are very legitimate uses for third-party cookies (single-sign-on solutions for example), the obvious answer would be to block all of them. The only cookies that your browser would store would be those for the server the user directly visited, i.e., the one in the address bar. All other cookies would be ignored. This is what happens when you turn off third-party cookies in your browser&#8217;s settings. If you do that, most of the web will work fine, but some things will break.<\/p>\n<p>So, the answer is to somehow accept and return <em>good<\/em> cookies but refuse to cooperate with <em>bad<\/em> cookies. That&#8217;s what all cross-site tracking protection comes down to: telling the good third-party cookies from the bad.<\/p>\n<h3>Apple&#8217;s Approach<\/h3>\n<p>With Safari&#8217;s <em>Intelligent Tracking Prevention<\/em> feature Apple accepts all cookies as normal, but it uses an on-device machine-learning classifier to decide which third parties are trackers, and then <em>forgets<\/em> their cookies when making requests to them.<\/p>\n<p>Note that Apple&#8217;s technique still involves communicating with the tracking servers \u2014 they still see you, but they see you as a <em>fresh<\/em> browser each time Safari <em>forgets<\/em> the cookie it was previously given.<\/p>\n<p>Apple&#8217;s approach has the effect of shattering tracking profiles into pieces. The trackers still see everything you do, but they see you as lots of separate people. 
This means that if the trackers found a way to re-connect the pieces somehow, they could still track you.<\/p>\n<p>This is why trackers are starting to experiment with fuzzier approaches that allow them to say that these pieces are <em>probably<\/em> from the same person because they jumped from the same residential IP to the same mobile IP at about the same time. This is also where browser fingerprinting comes in. If they can somehow tell that two browsing sessions were carried out on the same exact copy of a browser, then they can re-connect those pieces.<\/p>\n<h3>Firefox&#8217;s Approach<\/h3>\n<p>What makes Mozilla&#8217;s approach different is that they want to attack the problem on the other side \u2014 they want to avoid ever communicating with the tracking servers at all! You can&#8217;t join the dots when there are no dots!<\/p>\n<p>Up to now, I&#8217;ve kept things a little simpler than they really are for the sake of clarity. Website owners don&#8217;t directly embed an image or something like that from a tracking server into their website. Instead, they embed some JavaScript code which then does something to cause the browser to need to fetch something from one or more tracking servers. Basically, there&#8217;s a layer of indirection that makes Mozilla&#8217;s job much harder.<\/p>\n<p>The tracking industry is very well motivated to make it as difficult as possible to block their tracking \u2014 their financial survival literally depends on it! So, the JavaScript they use to embed the tracking is also proactively trying to detect the presence of tracking prevention and let the website know its monetisation is being blocked.<\/p>\n<p>As a website owner, including a tracker in your website is a lot like making use of an open-source JavaScript library like <a href=\"https:\/\/momentjs.com\">moment.js<\/a> for time calculations, or <a href=\"https:\/\/is.js.org\">is.js<\/a> for data validation. 
It&#8217;s a <code>&lt;script&gt;<\/code> tag that loads some JavaScript that has an API your code interacts with.<\/p>\n<p>If a browser blocks the tracker script from loading, then all calls to the API by the website&#8217;s own code will fail, causing the site to potentially break. Firefox has been doing this in Private Browsing windows and in Strict Enhanced Tracking Protection mode, and it does, in their words:<\/p>\n<blockquote><p>\n  &#8220;[sometimes] result in images not appearing, features not working, poor performance, or even the entire page not loading at all.&#8221;\n<\/p><\/blockquote>\n<p>What Mozilla have done now is found a way to block the tracking script without breaking websites. They do this by intercepting the calls to load the tracking JavaScript and replying with JavaScript of their own that emulates the tracker&#8217;s API. This means the site&#8217;s own JavaScript does not receive errors from the function calls it thinks it&#8217;s making to the tracker; it simply receives fictitious answers!<\/p>\n<p>Because the requests are intercepted before they leave the browser the tracking server sees <strong>nothing<\/strong>. There are no pieces to re-connect! And, because the browser returns emulations of the tracking API, the websites continue to function just fine too. The circle has been squared!<\/p>\n<p>Note that this approach requires proactive development work by Firefox to emulate each tracking API, and the emulation code has to be bundled into Firefox, so this additional protection has a finite scope. It can never block all tracking, but it can block the most commonly used APIs at any given time. The emulation also has to be faithful: if a site calls a method the stand-in does not provide, the site still breaks, so each emulation needs maintaining as the real API changes.<\/p>\n<p>Remember, for a tracker to be widely adopted its API needs to be stable and easy to use by website owners. If the trackers were to try to thwart this by regularly changing their APIs, then every website owner using that tracker would need to regularly update their websites too. 
If the trackers try to annoy Firefox by artificially making work for them, they&#8217;ll create the same work for the people they absolutely need to keep happy \u2014 website owners!<\/p>\n<p>Frankly, this is a master-stroke by Mozilla \u2014 hats off to them I say! &#x1f642;<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Mozilla&#8217;s blog post announcing the feature: <a href=\"https:\/\/blog.mozilla.org\/security\/2021\/03\/23\/introducing-smartblock\/\">blog.mozilla.org\/\u2026<\/a><\/li>\n<li>A nice explanation from iMore: <a href=\"https:\/\/www.imore.com\/firefox-gets-its-own-intelligent-tracker-blocking-latest-version\">Firefox gets its own intelligent tracker blocking in latest version \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/you-should-definitely-get-latest-ios-14-update-heres-why\">You should definitely get the latest iOS 14 update, here&#8217;s why \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Avast found 204 <em>fleeceware<\/em> apps on the iOS App Store and Google Play Store that together defrauded users of over $400M \u2013 <a href=\"https:\/\/www.imore.com\/fleeceware-apps-have-ripped-more-400-million-users\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/whistleblower-ubiquiti-breach-catastrophic\/\">Whistleblower: Ubiquiti Breach \u201cCatastrophic\u201d \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/facebook-announces-big-changes-comments-and-your-news-feed\">Facebook announces big changes to comments and your News Feed \u2014 
www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> &#x1f3a7; An excellent interview with former British deputy PM and current Facebook VP of Global Affairs Nick Clegg: <a href=\"https:\/\/overcast.fm\/+QLdvnnY04\">Decoder: Facebook\u2019s VP of Global Affairs doesn\u2019t think the platform is polarizing \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>From Android 11 onwards, most Google Play apps will be blocked from scanning your phone to detect the other apps you have installed (exceptions are being made for antivirus apps and file managers) \u2014 <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/04\/new-play-store-rules-block-most-apps-from-scanning-your-entire-app-list\/\">arstechnica.com\/\u2026<\/a><\/li>\n<li>Snapchat is experimenting with <em>probability matching<\/em> as a possible workaround for Apple&#8217;s upcoming App Tracking Transparency (ATT) feature. It promises to stop when ATT goes live \u2014 <a href=\"https:\/\/9to5mac.com\/2021\/04\/02\/workaround-to-app-tracking-transparency\/\">9to5mac.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/apple-blocks-adjust-sdk\/\">Apple Starts Blocking Apps That Use \u2018Adjust SDK\u2019 for Tracking \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The PHP project has responded very responsibly to an attack that appears to have been designed to highlight a problem in their infrastructure rather than to be genuinely malicious. 
The PHP project will stop running its own Git infrastructure, and host the project from GitHub instead \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/30\/php-web-language-narrowly-avoids-dangerous-supply-chain-attack\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>(Via NosillaCastaway Allister Jenks): 1Password have improved their password generator to make it more secure and more human-friendly \u2014 <a href=\"https:\/\/blog.1password.com\/a-smarter-password-generator\/\">blog.1password.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>&#x1f3a7; Some wonderful insights into some major real-world breaches we&#8217;ve talked about in this segment over the years: <a href=\"https:\/\/overcast.fm\/+HZUedzRM0\">The Changelog: Big breaches (and how to avoid them) \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>NFTs are a hot topic ATM, and while they&#8217;re not strictly security-related they are definitely security-adjacent, depending as they do on cryptographic building blocks. This post explains how they fit in to the bigger picture from an artist&#8217;s POV, and also does an excellent job of debunking the myth that NFTs are necessarily spectacularly bad for the environment: <a href=\"https:\/\/jackrusher.com\/journal\/what-does-it-mean-to-buy-a-gif.html\">What Does It Mean To Buy a Gif? 
\u2014 jackrusher.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>The Bank of England have revealed the design of their new \u00a350 note featuring mathematician, computer scientist, and cryptographer extraordinaire Alan Turing \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/26\/alan-turings-50-banknote-officially-unveiled\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a7; A very interesting new podcast from Vox exploring the edges of our current scientific understanding: <a href=\"https:\/\/www.vox.com\/unexplainable\">Unexplainable \u2014 www.vox.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, 
probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Security Bits \u2014 4 April 2021 Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
&#x1f1fa;&#x1f1f8; Following on from the excellent Motherboard reporting last time that showed how easy it was to hijack the SMS messages destined for a US cellphone number, the [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4559,4556,71,4557,50,569,4558],"class_list":["post-23350","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-3rd-party-cookies","tag-cross-site-tracking","tag-firefox","tag-firefox-smartblock","tag-security","tag-security-bits","tag-smartblock"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23350"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23350\/revisions"}],"predecessor-version":[{"id":23354,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23350\/revisions\/23354"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"
}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=23350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
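Added example for the SmartBlock deep dive in the post above. It is not code from Firefox, Safari, Mozilla or the original post: it is a small JavaScript simulation of the mechanics the post describes. A tracker hands out an ID cookie on first contact and logs the Referer of every request that carries one; three unrelated sites embed its script; and a browser visits all three under five policies: returning cookies normally, blocking third-party cookies, forgetting the tracker's cookie after each use (the Safari-style effect), blocking the script outright (the old private-browsing behaviour that breaks sites), and answering the load from a bundled stand-in API without contacting the tracker (the SmartBlock-style effect). The hostnames, page URLs and the deterministic uid-N cookie values are constructed for the demo.

```javascript
// Added example: a simulation of the situations the deep dive describes.
// Not Firefox, Safari or Mozilla code; the hostnames, page URLs and the
// tracker's deterministic "uid-N" cookie values are constructed for the demo.

// The tracker: hands out an ID cookie on first contact and records the
// referring page of every request that carries one of its cookies.
class Tracker {
  constructor() {
    this.profiles = new Map(); // cookie ID -> list of referring page URLs
    this.requests = 0;         // how many requests reached the tracker at all
  }
  serveScript(req) {
    this.requests += 1;
    let id = req.cookie;
    if (!id || !this.profiles.has(id)) {
      id = `uid-${this.profiles.size + 1}`; // stands in for a random ID
      this.profiles.set(id, []);
    }
    this.profiles.get(id).push(req.referer); // the Referer is what links the visits
    // The "script" the tracker serves: an API object the page's code will call.
    return { setCookie: id, api: { track: () => 'tracked by tracker.example' } };
  }
}

// Site code as a website owner writes it: it assumes the tracker's API loaded
// and calls it unconditionally, so a missing API throws and "breaks" the page.
function sitePageCode(trackerApi) {
  return trackerApi.track('pageview');
}

// A browser with a per-host cookie jar and one of five tracking policies.
class Browser {
  constructor(policy) {
    this.jar = new Map(); // host -> cookie value
    this.policy = policy;
  }
  // Visit a first-party page that embeds the tracker's script as a third party.
  visit(pageUrl, trackerHost, tracker) {
    let api;
    if (this.policy === 'shim') {
      // SmartBlock-style: the load never leaves the browser; a bundled stand-in
      // for the tracker's API answers the page's calls instead.
      api = { track: () => 'answered locally by the shim' };
    } else if (this.policy === 'block-script') {
      api = undefined; // blunt blocking: the script simply never loads
    } else {
      const reply = tracker.serveScript({ cookie: this.jar.get(trackerHost), referer: pageUrl });
      api = reply.api;
      if (this.policy === 'forget-cookies') {
        this.jar.delete(trackerHost); // ITP-like: forget the tracker's cookie after use
      } else if (this.policy !== 'block-third-party-cookies') {
        this.jar.set(trackerHost, reply.setCookie); // 'allow': keep it and return it next time
      }
    }
    try {
      return { url: pageUrl, working: true, result: sitePageCode(api) };
    } catch (err) {
      return { url: pageUrl, working: false, result: err.name };
    }
  }
}

// Three unrelated first-party sites, all embedding the same tracker (constructed hosts).
const PAGES = ['https://photo-blog.example/', 'https://puppy-videos.example/', 'https://news.example/'];
const TRACKER_HOST = 'tracker.example';

// Run the three visits under one policy and summarise what the tracker learned.
function simulate(policy) {
  const tracker = new Tracker();
  const browser = new Browser(policy);
  const visits = PAGES.map((url) => browser.visit(url, TRACKER_HOST, tracker));
  return {
    trackerRequests: tracker.requests,
    profiles: [...tracker.profiles.values()], // each entry is one "person" the tracker sees
    pagesWorking: visits.filter((v) => v.working).length,
  };
}

for (const policy of ['allow', 'block-third-party-cookies', 'forget-cookies', 'block-script', 'shim']) {
  console.log(policy.padEnd(26), JSON.stringify(simulate(policy)));
}
```

Run it with node. The summaries put the post's argument in numbers: with cookies allowed the tracker gets one profile listing all three pages; blocking or forgetting third-party cookies still sends three requests to the tracker and leaves it three single-visit profiles to try to reconnect; blocking the script sends nothing but breaks all three pages; only the shim policy gives the tracker zero requests and zero profiles while every page keeps working.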