Firefox Moves to Cut Off Supercookie Tracking

Browser makers are continuing their efforts to cut off the avenues that advertisers and other parties use to track people across the web, with the newest move coming from Mozilla, which is taking steps in Firefox 85 to stop cross-site tracking by reducing the effectiveness of supercookies.

Adtech companies employ a wide range of techniques to monitor people’s movements and interactions on individual websites and across the web. The goal of the monitoring, of course, is to get a better handle on their interests so that advertisers can show them more targeted ads. One of the more basic methods of tracking is the simple browser cookie, a small file that’s saved on users’ computers by the sites they visit and contains some information about them. Cookies have become less effective over the years as browser extensions and features in some browsers themselves have been added to block them. So adtech companies have adapted by finding new places in the browser to store so-called supercookies, which are very difficult to find and delete, making it much harder for people to protect themselves against tracking.

The back and forth between trackers and browser vendors on tracking occurs on several separate fronts, one of which is the use of shared resources in the browser. Browsers use caches to store commonly used elements that would likely appear on many websites, allowing them to load an image or other element from a local source on the user’s computer rather than from the site. This saves time and network resources, but those caches also present an opportunity for trackers.

“In the case of Firefox’s image cache, a tracker can create a supercookie by ‘encoding’ an identifier for the user in a cached image on one website, and then ‘retrieving’ that identifier on a different website by embedding the same image. To prevent this possibility, Firefox 85 uses a different image cache for every website a user visits. That means we still load cached images when a user revisits the same site, but we don’t share those caches across sites,” Steven Englehardt and Arthur Edelstein of Mozilla said in a post on the changes.

Pervasive tracking of users across the web makes it difficult for people to feel as if they have any control over their interactions with sites and the way that their data is collected and used. The techniques that trackers, both legitimate and malicious, use can be quite difficult to detect and defend against, especially for individual users. This makes protection at the browser level all the more important, and the changes in Firefox 85 put better defenses under the skin of the browser so individual users do not have to handle that protection themselves. Firefox is partitioning several caches, including the HTTP cache, image cache, favicon cache, DNS cache, and many others.
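
The difference between a shared and a partitioned image cache, as described in the Mozilla quote above, can be shown with a small model. This is an added example, not Firefox code or code from Mozilla's post; the class, function names, URLs and the image server that returns a different body on every fetch are all constructed for illustration.

```javascript
// Toy model of a browser image cache (constructed; not Firefox's implementation).
// The cache key decides whether an entry stored while visiting one site
// is visible while visiting another.
class ImageCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  key(topLevelSite, imageUrl) {
    // Shared cache: keyed by resource URL only.
    // Partitioned cache: keyed by (site being visited, resource URL).
    return this.partitioned ? `${topLevelSite} ${imageUrl}` : imageUrl;
  }
  // Returns the image body and whether it was served from cache.
  load(topLevelSite, imageUrl, fetchFromNetwork) {
    const k = this.key(topLevelSite, imageUrl);
    if (this.entries.has(k)) return { body: this.entries.get(k), fromCache: true };
    const body = fetchFromNetwork();
    this.entries.set(k, body);
    return { body, fromCache: false };
  }
}

// Hypothetical third-party image server: every network fetch yields a distinct body.
function makeThirdParty() {
  let served = 0;
  return () => `image-variant-${++served}`;
}

// Embed the same third-party image on two sites, then revisit the first site.
function sameImageAcrossSites(partitioned) {
  const cache = new ImageCache(partitioned);
  const fetchImage = makeThirdParty();
  const url = "https://cdn.example/pixel.png"; // constructed URL
  const onSiteA = cache.load("https://site-a.example", url, fetchImage);
  const onSiteB = cache.load("https://site-b.example", url, fetchImage);
  const revisitA = cache.load("https://site-a.example", url, fetchImage);
  return {
    linkable: onSiteA.body === onSiteB.body, // identical bytes seen on both sites
    siteBFromCache: onSiteB.fromCache,
    revisitFromCache: revisitA.fromCache,    // same-site caching is preserved
  };
}

console.log("shared:     ", sameImageAcrossSites(false));
console.log("partitioned:", sameImageAcrossSites(true));
```

With the shared cache the two sites receive identical bytes, which is what makes the visits linkable; with the partitioned cache the second site triggers its own fetch, while a revisit to the first site is still served from cache.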

In addition, the newest version of the browser introduces a feature that separates shared connections in Firefox, which also helps stop websites from getting around anti-tracking features.

“To further protect users from connection-based tracking, Firefox 85 also partitions pooled connections, prefetch connections, preconnect connections, speculative connections, and TLS session identifiers,” Englehardt and Edelstein said.

“This partitioning applies to all third-party resources embedded on a website, regardless of whether Firefox considers that resource to have loaded from a tracking domain.”

Firefox 85 is out now.