Web tracking has long been in the cross-hairs of privacy advocates, who say that marketers know entirely too much about individuals’ online activities. And to add insult to injury, the ubiquitous cookie system used to enable tracking also presents potential security threats, including cross-site request forgeries (CSRF). To combat these bugbears, Mozilla is planning to disable cross-site tracking by default in its Firefox browser.
The company said that it will “in the near future” start blocking tracking, while rolling out tools for users to better control the information they share with sites.
Cookies: Pros and Cons
Tracking has plenty of upsides: For instance, it enables a concierge-style experience when it comes to the ads one sees on the web. Ads are a necessary part of the internet economy – free access to content is never really “free” – we of course pay with our eyeballs. And targeted ads are much more palatable than random offers, according to almost every consumer survey.
Cookies also make life much more convenient – websites will remember us so we can “pick up where we left off,” be automatically signed in to our accounts or have the site remember our user name. They also enable one-click access to receipts, travel details and account data from things like email confirmations; and, they allow us to be trusted if we’re already signed into another, trusted website (for instance, this is how the “Sign in with Facebook” function works).
The downside is, for one, that tracking slows down the web. In related analysis this week from Ghostery, a staggering 55.4 percent of the total time required to load an average website was spent loading third-party trackers.
It’s also true that cookies allow companies to collect an inordinate amount of data about user preferences and surfing habits. And the amount of data a website seems to know about any given individual can start to feel a bit creepy.
“In the physical world, users wouldn’t expect hundreds of vendors to follow them from store to store, spying on the products they look at or purchase,” Mozilla’s Nick Nguyen pointed out, in a posting on Thursday. “Users have the same expectations of privacy on the web, and yet in reality, they are tracked wherever they go.”
Also, allowing third-party (i.e., cross-site) tracking cookies opens up a privacy hole in the browser that may be much larger than most people realize. According to Ghostery’s analysis, on many sites, just visiting a popular page will implant cookies into a user’s browser for over 50 different third-party domains. Each of these is built specifically to give someone outside of the website itself – likely a marketer – visibility into what a person looks at on that site over days, months or even years.
“For example, when you visit any page with a Facebook widget (or visit Facebook itself), they will set a cookie which will only expire in two years’ time,” Ghostery researchers explained. “Some google.com cookies expire in 20 years. The facebook.com and google.com domains are present as a third-party to 24 percent and 30 percent of page-loads on the web respectively, allowing these services to track this proportion of the average user’s web browsing history.”
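One way to measure what the researchers describe, as an added example that is not from the article, Mozilla or Ghostery: given the `Set-Cookie` headers observed while loading one page, report the cookies set by other sites that outlive a chosen threshold. The hosts and cookie values are constructed, and treating the last two host labels as the "site" is a simplifying assumption.

```javascript
// Constructed sample: responses seen while loading one page on www.news.example.
const PAGE_HOST = "www.news.example";
const OBSERVED = [
  { host: "www.news.example", setCookie: "sid=abc; Path=/; HttpOnly" },
  { host: "widgets.social.example", setCookie: "uid=123; Max-Age=63072000; Path=/" },
  { host: "ads.tracker.example", setCookie: "id=xyz; Expires=Fri, 01 Jan 2038 00:00:00 GMT" },
  { host: "cdn.news.example", setCookie: "pref=dark; Max-Age=86400" },
];

// Simplification (assumption): the site is the last two host labels.
// Real browsers use the Public Suffix List to find the registrable domain.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Lifetime in days of one Set-Cookie value; null means a session cookie.
// Max-Age takes precedence over Expires (RFC 6265).
function lifetimeDays(setCookie, now) {
  let maxAge = null;
  let expires = null;
  for (const attr of setCookie.split(";").slice(1)) {
    const [rawName, ...rest] = attr.trim().split("=");
    const name = rawName.toLowerCase();
    const value = rest.join("=");
    if (name === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (name === "expires" && !Number.isNaN(Date.parse(value))) expires = Date.parse(value);
  }
  if (maxAge !== null) return maxAge / 86400;
  if (expires !== null) return (expires - now) / 86400000;
  return null;
}

// Cookies set by a different site than the page, living longer than maxDays.
function longLivedThirdParty(pageHost, observed, maxDays, now = Date.now()) {
  return observed
    .filter((r) => site(r.host) !== site(pageHost))
    .map((r) => ({
      host: r.host,
      name: r.setCookie.split("=")[0],
      days: lifetimeDays(r.setCookie, now),
    }))
    .filter((c) => c.days !== null && c.days > maxDays);
}
```
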
Meanwhile, many of the convenience-based cookie functions mentioned above can be benign, and not used for outside tracking. However, it’s important to point out that many of these, too, are exposed to third-party scripts that may be running on the page. More often than not, the service provider running the website has added tracking scripts to its websites and apps to provide analytics, advertising and other plug-in functionality. And, Ghostery told Threatpost that a large part of the time, these scripts aren’t carefully implemented, and can capture the unique URLs loaded on the site originating from emailed user confirmations with personal information, along with other cookie-based functionality – meaning that these third parties now potentially have access to all that data.
From a data security perspective, all of this harvesting and collection can have profound implications.
“Many of the harms of unchecked data collection are completely opaque to users and experts alike, only to be revealed piecemeal by major data breaches,” Mozilla pointed out in its posting.
And finally, tracking cookies open up an expanding cyber-attack threat surface. For instance, CSRF attacks are based on the idea that users can make a third-party request to a site that the browser has previously authenticated with, and the browser will send the credentials with the request. Software vulnerabilities can allow a bad actor to spoof that third-party request, gaining access to the credentials and allowing him or her to perform unwanted actions.
“If browsers did not allow third-party cookies these attacks would be much harder to exploit than they currently are,” Ghostery said. “These kinds of attacks have been around for over 15 years, and methods to mitigate them are still being proposed, while browser-side protections, such as first-party isolation, have very limited distribution.”
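The interaction described above, as an added model that is not from the article, Mozilla or Ghostery: a browser attaches stored cookies to a request that an embedded resource triggers, and a server decides whether to act on it. All hosts and cookie names are constructed, the "site" is simplified to the last two host labels, and the server-side Origin comparison is a widely used mitigation that goes beyond what the article covers.

```javascript
// Simplification (assumption): the site is the last two host labels.
// Real browsers use the Public Suffix List for this.
const site = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Constructed cookie jar: the user logged in to bank.example earlier.
const JAR = [
  { domain: "bank.example", name: "session" },
  { domain: "tracker.example", name: "uid" },
];

// Browser side: the request that content embedded on `pageHost` triggers
// toward `targetHost`. With blockThirdParty set, cross-site requests carry
// no cookies; same-site requests are unaffected. Top-level navigations are
// first-party and are outside this model.
function buildRequest(jar, pageHost, targetHost, blockThirdParty) {
  const crossSite = site(pageHost) !== site(targetHost);
  const cookies = crossSite && blockThirdParty
    ? []
    : jar.filter((c) => site(c.domain) === site(targetHost)).map((c) => c.name);
  return { target: targetHost, origin: "https://" + pageHost, cookies };
}

// Server side: a state-changing endpoint. Without checkOrigin it trusts the
// session cookie alone, which is the condition CSRF depends on.
function serverAccepts(req, checkOrigin) {
  if (!req.cookies.includes("session")) return false;
  if (checkOrigin && req.origin !== "https://" + req.target) return false;
  return true;
}

// Whether the request is honoured for each browser policy / server check pair.
function outcomes(pageHost) {
  const out = {};
  for (const block of [false, true]) {
    for (const check of [false, true]) {
      const req = buildRequest(JAR, pageHost, "bank.example", block);
      out[`block=${block},originCheck=${check}`] = serverAccepts(req, check);
    }
  }
  return out;
}
```

Calling `outcomes("other.example")` shows the cross-site request honoured only when the browser allows third-party cookies and the server skips the Origin check, while `outcomes("bank.example")` stays accepted in every combination.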
Mozilla’s Anti-Tracking Plans
While in the beginning web browsers disabled cookies by default, most of today’s internet sites require cookies to be enabled before they deliver content. As a result, Google Chrome, Internet Explorer and others now enable cookies automatically in order to provide a streamlined web experience – leaving it up to users to manually disable them.
Mozilla has decided to buck the norm with a few new features that will be rolling out in the coming months.
To boost performance, the company has added a feature in Firefox Nightly that blocks trackers that slow down page loads – initially in a beta trial form for September. If the feature performs as expected, Mozilla will start blocking slow-loading trackers by default in Firefox 63.
On the privacy front, Mozilla is giving Firefox Nightly users the option of stripping cookies and blocking storage access from third-party tracking content, with a feature that will also be offered to beta users in September. The blocking option will then roll out to all users in Firefox 65.
On a related note, the firm also said that it will block cryptomining scripts – malicious or not – by default in an unspecified future version of its browser, along with trackers that “fingerprint” users’ devices.
“Some sites will continue to want user data in exchange for content, but now they will have to ask for it, a positive change for people who up until now had no idea of the value exchange they were asked to make,” Mozilla said.