Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation (bleepingcomputer.com)

Posted by msmash on from the great-marriage dept.

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertisers loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.

42 of 93 comments (clear)

  1. Private browsing by Anonymous Coward · · Score: 1

    This seems like the kind of feature that should be enabled by default when using a private browsing window, or using the "never remember history" option in the settings page.

    1. Re:Private browsing by mspohr · · Score: 4, Insightful

      I naively thought that this was the default behavior for cookies. Why would anyone think it was a good idea to allow random people to read cookies from any domain?
      Cookies should be confined to a single domain where I am viewing content, not intrusive ad networks.

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Private browsing by fustakrakich · · Score: 1

      Private browsing? Maybe on your local network... On the internet there's no such thing.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Private browsing by Luthair · · Score: 3, Informative

      I'm not sure you understand the scenario. These are third-party cookies that the browser would receive via headers when the tracking network was included on another site The tracking networks cookie would only appear on the headers to that network and could not be read by other sites.

    4. Re:Private browsing by Fahrvergnuugen · · Score: 3, Informative

      It's trickier than that...

      What happens when you insert the facebook or adsense code on your website is that you are actually including content hosted by the ad network.

      Your browser is then loading that content from that ad network because in addition to loading mygreatwebsite.com, you are also loading ads.adcompany.com or whatever.

      The cookie from the ad network is linked to ads.adcompany.com. The same cookie is being set for every website that serves content from that same ad network, and so they are able to build a profile on you.

      The bigger an ad network gets, the more websites it is installed on, the more clear the profile becomes.

      I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

      --
      Kiteboarding Gear Mention slashdot and get 10% off!
    5. Re: Private browsing by mspohr · · Score: 2

      Thanks for the additional information. I guess my question now is why would a browser allow random third party domains set cookies when viewing a site?

      --
      I don't read your sig. Why are you reading mine?
    6. Re: Private browsing by Luthair · · Score: 2

      All but Safari which turned it off a few years ago iirc. There have been some legitimate uses like Google's login services.

    7. Re: Private browsing by Anonymous Coward · · Score: 5, Informative

      If the browser loads a resource from a domain, that domain can set a cookie for itself via HTTP headers (or if the resource is a script, through the script). That's normal, isn't it? But this is also true if that resource comes from a "third party" domain, i.e. one which is different from the domain of the web page itself. Example: You are looking at slashdot.org, which loads a script from taboola.com. Then the taboola.com script can set a cookie for taboola.com. Slashdot.org can not read that cookie, but if a page from a different domain also loads a script from taboola.com, that script can (normally) read the cookie for taboola.com. That cookie usually contains a tracking ID, so when many sites on the web load a taboola.com script, taboola.com can track you across web sites. With first-party isolation, the third party cookie can still be set, but it is only readable when the third party resource is loaded in the same first party domain context where it was set. Something else you can do (and probably should do) is disallow third party cookies altogether or at least make them expire when you close the browser. If you do the latter, first party isolation still helps by preventing in-session tracking.

    8. Re:Private browsing by sexconker · · Score: 5, Informative

      I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

      No, it's in the summary.

      This is isolation, not blocking. Plenty of sites won't work if you outright block 3rd party cookies.
      What this does is allow the cookie to be set and sent back in future requests, but it's one cookie per ad domain AND per visited site.

      If you go to pussy.com and it loads a tracking asset for ass.com, Firefox sets a cookie for ass.com.
      If you go to pussy.com again and it loads a tracking asset for ass.com, Firefox sends the same cookie back.
      So ass.com can track you on pussy.com.

      If you then go to titties.com and it loads a tracking asset for ass.com, Firefox sets a separate cookie for ass.com.
      This way, ass.com can't track you across pussy.com and titties.com as a single user by use of their cookies.

      They will still try (and generally succeed) at such tracking via browser fingerprinting, timing, meta analysis, and the good ol' IP address.

    9. Re: Private browsing by mspohr · · Score: 1

      I understand how this helps advertisers but I really don't want to help advertisers. I can't think of a legitimate use for this "feature".
      When I'm viewing a website such as cnn.com, I don't want random ad networks to be able to set or read their cookies. If I'm on cnn.com the only cnn.com should be able to set and read cookies.
      I'd like to disallow third party cookies ...
      For instance, Chrome doesn't have this option. They do have a "do not track" option which I have set but that doesn't seem to do anything. It should prevent third parties from setting and reading cookies but it doesn't. There is no option to exclude third party cookies.
      I just checked Opera and it does have an option to exclude third party cookies so I'll try this and see how it works.
      I do have the new Firefox (57) and it does have the option to "Never" accept third party cookies (set by default) so it looks like a good option.

      --
      I don't read your sig. Why are you reading mine?
    10. Re: Private browsing by EndlessNameless · · Score: 1

      I can't think of a legitimate use for this "feature".

      It wasn't a feature per se. It was simply how things worked under the same-origin policy. The browser loads what it's told to load, and each cookie is accessible to its parent domain. Advertisers started abusing this default security posture.

      Blocking third-party cookies and first-party isolation are responses to that abuse.

      Both of those options are far simpler than fundamentally changing the same-origin policy. There would need to be a consensus on an alternative security model across the whole ecosystem: browsers, web servers, and web app developers. It's not worth the effort when a simple user option can accomplish the same thing.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    11. Re: Private browsing by mspohr · · Score: 1

      Google searches you.

      --
      I don't read your sig. Why are you reading mine?
  2. Re:Another NSA Browser Feature Makes It Into FF by NicknameUnavailable · · Score: 2

    How does it feel to fail at even the most inane of tasks?

  3. Waterfox Is Better by NicknameUnavailable · · Score: 4, Informative

    This is just Firefox trying to be a source of telemetry. Waterfox is based on Firefox, but removes all the telemetry, sponsored ads, etc plus a bunch of security holes the Firefox team isn't addressing.

    1. Re:Waterfox Is Better by mikael · · Score: 1

      What about the security risk from: Allow running of all 64-Bit NPAPI plugins

      Those were the biggest security risk. You could have a secure browser, but one dodgy plugin allows all that spyware crud to creep back in.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:Waterfox Is Better by NicknameUnavailable · · Score: 1

      Actually, it runs any addon - it was designed that way so the Firefox team couldn't control a whitelist of approved addons. The security holes patched are literally on their site.

    3. Re:Waterfox Is Better by NicknameUnavailable · · Score: 1

      It's up to the user to decide what is and isn't safe to install on their machine. That part was put in place specifically because Firefox blocked "unapproved" AdBlockers (all the ones not sending telemetry back themselves or who blocked Firefox partner sites.)

  4. Is this how it works? by sinij · · Score: 1

    Is this how it works? My understanding that tracking cookies will be a) multi-domain and b) will also include add network domain. For example, Taboola cookie would be still accessible across all sites that use Taboola. Is this not the case?

    I configure browser to wipe all my cookies on browser close, and frequently close it. I recommend others to do the same.

    1. Re:Is this how it works? by JaredOfEuropa · · Score: 1

      From what I’m reading, this change will address those multi domain cookies. One site will add a Taboola cookie and will be able to read it, but if another site attempts to access the Taboola cookie, Firefox will pretend it isn’t there, and the second site will the proceed to create its own Taboola cookie. So cookies for 3rd party domains are still allowed, but they are sandboxed per domain in the browser.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Is this how it works? by Luthair · · Score: 2

      Basically the tracking network would set a cookie header on the HTTP request for a JS coming from their server, then when the user visits some other page which also includes the tracking network the original cookie would be sent back to the tracking network connecting the user across the two sites.

      I presume with FPI firefox treats the third party cookie given on site-A and the third party cookie given on site-B as distinct and will only send them in the context of those particular sites which prevents the tracker from linking the user.

    3. Re:Is this how it works? by dissy · · Score: 2

      Is this how it works? My understanding that tracking cookies will be a) multi-domain and b) will also include add network domain. For example, Taboola cookie would be still accessible across all sites that use Taboola. Is this not the case?

      That is the case in IE, but in all other browsers no, a cookie can only be set for a domain if sent by a server on that domain.

      But look at slashdot as an example. When you go to slashdot.org, you are loading content from 4 separate host/domains.

      slashdot.org can set a cookie that gets sent back to slashdot.org
      But you are also loading content from other domains:
      a.fsdn.com content is loaded and can set a cookie, which gets sent back to a.fsdn.com
      gstatic.com content is loaded and can set a cookie, which gets sent back to gstatic.com
      etc

      If you went to another website owned by FSDN but isn't slashdot, odds are that site will also load content from a.fsdn.com and thus that domains cookie will be sent back to a.fsdn.com again.

      In this way a.fsdn.com can track you over all of the websites that load its content in, be it slashdot or freshmeat or whatever.

      Now add in the fact that most websites these days load content from the google ad network, or facebook, or twitter.
      Each of those sites can set a cookie on their content and it gets sent back when visiting any other website that also loads content from them.

      This is how facebook and such track you over most of the Internet, even if you never do or have visited facebook.com directly. It's almost guaranteed however that you have loaded content from facebook.com indirectly, and your browser happily sends the facebook cookies back to facebook.

      What this feature does is tag a cookie not just with the domain of the sending web server, but also with the domain in your address bar.

      That means the facebook cookie as loaded from slashdot is stored separately from the facebook cookie from random-other-site.
      Revisiting slashdot will only send the facebook cookie set with the slashdot domain, not the facebook cookie set by the random-other-site domain.

  5. That's a nice feature by H3lldr0p · · Score: 1

    Wonder what would be the work around for the trackers and advertisers. I've already done a lot to keep my footprint as small as possible but I know I'm still getting tracked in some ways I can't stop if I want to be able to do useful things online. Like paying my bills. And I personally question the usefulness of things outside of the plain browser identifier. I don't get why any site I visit would need to probe what addons or if javascript has been executed. Maybe I don't do enough site programming to "get it". But something like this, as much as I think it's nice is just going to escalate the battle against advertisers more.

    Like forcing more websites to have signins to be useful. Or greater sharing of metacookies or whatever it's call when the server sending out the ads does the tracking itself.

    1. Re:That's a nice feature by Baron_Yam · · Score: 1

      >Wonder what would be the work around for the trackers and advertisers.

      You answered your own question! "or whatever it's call when the server sending out the ads does the tracking itself."

      They'll do their best to get a decent fingerprint of your system, and their tracking accuracy will be reduced (probably by far less than we'd hope or expect).

    2. Re:That's a nice feature by AHuxley · · Score: 1

      Re "Like forcing more websites to have signins to be useful."
      Sites will just have a members section. Pay by CC.
      Dont want to pay with a CC?
      Run some code on the gpu/cpu for some time and get a one time, a day, month, year or much longer account.
      Running a gpu/copu for some time for a site will get around the needs for ads, tracking, the policy connected to using social media ads.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:That's a nice feature by mikael · · Score: 1

      They will go back to using whatever unique ID's are available on the system. Remember CPU-ID? Where special CPU instructions mapped onto web-browser script keywords allowed a website to know your CPU. Now they could access the UUID of your file system.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  6. Re:What about the data Firefox collects and sends? by GuB-42 · · Score: 1

    Well, that's irrelevant! The fact remains that data can be collected and can be sent. "Can" is just as bad as "will".

    I disagree. A privacy policy doesn't mean much, except for lawyers.
    Saying they can do something bad don't mean they will do something bad. For example, if they provide a bug report feature, they will collect some data with it, and even though the user ultimately decide to send the report or not, and that it is really only used for debugging, it has to be mentioned in the policy, and considering the amount of data that may end up in a bug report, the terms can be scary.
    OTOH, just because something isn't written in the privacy policy doesn't mean it can't be done. It just means it is illegal to do it. Most importantly, nothing in the privacy policy says that the software isn't full of exploitable bugs.

  7. Seriously? by DontBeAMoran · · Score: 3, Insightful

    With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing.

    Why the fuck isn't that by design? Who's the moran who decided not to include that in the specifications?!

    --
    #DeleteFacebook
    1. Re:Seriously? by Actually,+I+do+RTFA · · Score: 1

      I imagine this was from before the web became a spying/ad mess. The idea back than was you were loading third-party content because it didn't make sense for everyone to have a huge copy of those images/a javascript library (probably predates JS).

      --
      Your ad here. Ask me how!
    2. Re:Seriously? by Dracos · · Score: 1

      Cookies were added in HTTP/1.1 (RFC 2068) in 1997 after two years of specification development. Lots of things about cookies were naively permissive, but it took years to realize this. HTTP/2 (in 2015) did nothing to address cookie flaws.

    3. Re:Seriously? by mikael · · Score: 1

      Sometimes the cookies are used to store your username/password so that you can log in automatically in on the website, even though you have opened a new window.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:Seriously? by DontBeAMoran · · Score: 1

      But it's still the same domain name.

      --
      #DeleteFacebook
    5. Re:Seriously? by swillden · · Score: 1

      With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing.

      Why the fuck isn't that by design? Who's the moran who decided not to include that in the specifications?!

      It is by design and it is in the specification, always has been. Sites can only set cookies for the domain that serves the content.

      sexconker posted a good explanation: https://news.slashdot.org/comm...

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Where is he? by DontBeAMoran · · Score: 1

    I'm surprised we haven't heard about hosts files yet...

    --
    #DeleteFacebook
  9. Cookie isolation... by viperidaenz · · Score: 1

    They'll just link the separate cookies together with ETags. Unless you're also going to have a separate file cache for each domain too.... not a bad idea actually.

  10. Make It Default by Elixon · · Score: 1

    That is a cool feature that won't break anything (except the sites tracking you across multiple domains - which is the point here).

    Why do they hide it? To don't piss off Yahoo/Yandex/Baidoo sponsors? I guess (sane/informed) people love it so make it DEFAULT!

    --
    Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
    1. Re:Make It Default by Luthair · · Score: 1

      It could break logins for some site, e.g. Google

  11. Re:What about the data Firefox collects and sends? by Anonymous Coward · · Score: 1

    Way to miss the point, and more importantly, wait to miss the hypocrisy of Firefox apologists, including yourself.

    Again and again we're sold this myth by Firefox apologists that Firefox somehow "respects the privacy" of its users.

    Again and again we're told by Firefox apologists that Chrome is so awful because it might send data to Google.

    Yet even a cursory reading of Firefox's privacy policy makes it very clear that Firefox is just as capable of sending personal data to Google, along with numerous other external parties!

    Then instead of waking up to the fact that your beloved Firefox browser really isn't any better than Chrome, and may actually be worse, you Firefox apologists throw this hypocritical denialist gibberish at us!

    Firefox's privacy policy just goes to show, in my opinion, that Firefox and its creators don't give a damn about user privacy.

    If they did care about user privacy, then Firefox's privacy policy wouldn't be full of warnings about all of the data it collects and sends to various places because Firefox wouldn't even support any of this data collection and transmission to begin with!

    Firefox apologists need to wake up to the fact that their browser of choice isn't the saint that they wrongly portray it as.

    Then those Firefox apologists should do some proper apologizing by apologizing to the rest of us who have been subjected to your babble for so long!

  12. FPI add-on is poorly designed by iliketrash · · Score: 1

    The add-on, First Party Isolation, linked from the article, to

    https://www.bleepingcomputer.c...

    is something of a turd. There is no indication that it is doing anything. The preference page has no controls. The icon that is placed in the menu bar shows no state information—supposedly if you click on it, the FPI feature will be disabled for five minutes. There is absolutely no indication that anything happens when you click on it. plus, the icon is so hard to see that at first I thought there was no icon at all. The linked article mentions that you can also edit two entries in the about:config page. Nice if a little obscure. But you might think that the add-on would simply toggle these items, but installing the add-on does not affect these about:config items. So, again, the FPI add-on is poorly designed.

    1. Re:FPI add-on is poorly designed by pr0nbot · · Score: 1

      Later in the article:

      The second method of enabling FPI is by modifying parameters in the about:config settings page. To access this page, users must type about:config in the address bar and press Enter.

      Once they reached the about:config page, they can search for "firstparty," and the two FPI parameters will appear.

      To enable FPI, users must set "privacy.firstparty.isolate" to true by double-clicking it. The second parameter — "privacy.firstparty.isolate.restrict_opener_access" — works by lowering some of the "isolation" rules. Users can set this parameter to false if they're having problems logging into websites.

  13. Ghostery by PhantomHarlock · · Score: 1

    Ghostery does basically the same thing, and probably better. It works with the new version of firefox. (it's a WebExtension)

    https://www.ghostery.com/

  14. Re:Brave is best by NicknameUnavailable · · Score: 1

    Chromium is garbage, it freezes up on page loads for 1-2 minutes every time you hit a website.

  15. Re:Make TOR default by ArmoredDragon · · Score: 1

    Many websites will break if you do this; USAA is broken with this, for example. My preferred method, without addons, is to set third party cookies to session only, something that no browser can do except for firefox.

    My opinion? Combine privacy badger, cookie autodelete, and third party cookies session only, as FPI can break some websites, but the combination above should not break anything. For good measure, also add searchonymous2 and a redirect bypassing addon (redirect bypasser was the best, but I'm not sure which is right now.) Unfortunately, at the present time, extensions can't do anything about localstorage, which sites can and do use to track you. FPI effectively sandboxes localstorage from site to site, but it wastes disk space. Mozilla is extending the webextension API to allow manipulation of localstorage and will probably be the only browser to do so. The cookie autodelete developers plan on using it as soon as it's available, so that will be a complete solution.

    That's the nice thing about firefox going forward: Mozilla continues to add new features to the webextension API and is very responsive to requests, but Chrome usually doesn't, and you can pretty much count on Edge only going so far as to always remain a subset of what Chrome does, as Microsoft just copies the Chrome API verbatim, but doesn't implement everything. Microsoft also uses a "whitelist only" model in Edge, which involves paying a fee to Microsoft and requesting that they review your extension, which they ignore in most cases, even if you own a very popular chrome extension.

    I'm betting that in about a year, Firefox will be the browser with all of the best addons, just like it was before the switch to webextensions, and Edge will remain king at its job of being the tool everybody uses to download firefox.