Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation (bleepingcomputer.com)

Posted by msmash on from the great-marriage dept.

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertisers loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.

12 of 93 comments (clear)

  1. Re:Another NSA Browser Feature Makes It Into FF by NicknameUnavailable · · Score: 2

    How does it feel to fail at even the most inane of tasks?

  2. Waterfox Is Better by NicknameUnavailable · · Score: 4, Informative

    This is just Firefox trying to be a source of telemetry. Waterfox is based on Firefox, but removes all the telemetry, sponsored ads, etc plus a bunch of security holes the Firefox team isn't addressing.

  3. Re:Private browsing by mspohr · · Score: 4, Insightful

    I naively thought that this was the default behavior for cookies. Why would anyone think it was a good idea to allow random people to read cookies from any domain?
    Cookies should be confined to a single domain where I am viewing content, not intrusive ad networks.

    --
    I don't read your sig. Why are you reading mine?
  4. Re:Is this how it works? by Luthair · · Score: 2

    Basically the tracking network would set a cookie header on the HTTP request for a JS coming from their server, then when the user visits some other page which also includes the tracking network the original cookie would be sent back to the tracking network connecting the user across the two sites.

    I presume with FPI firefox treats the third party cookie given on site-A and the third party cookie given on site-B as distinct and will only send them in the context of those particular sites which prevents the tracker from linking the user.

  5. Re:Private browsing by Luthair · · Score: 3, Informative

    I'm not sure you understand the scenario. These are third-party cookies that the browser would receive via headers when the tracking network was included on another site The tracking networks cookie would only appear on the headers to that network and could not be read by other sites.

  6. Seriously? by DontBeAMoran · · Score: 3, Insightful

    With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing.

    Why the fuck isn't that by design? Who's the moran who decided not to include that in the specifications?!

    --
    #DeleteFacebook
  7. Re:Private browsing by Fahrvergnuugen · · Score: 3, Informative

    It's trickier than that...

    What happens when you insert the facebook or adsense code on your website is that you are actually including content hosted by the ad network.

    Your browser is then loading that content from that ad network because in addition to loading mygreatwebsite.com, you are also loading ads.adcompany.com or whatever.

    The cookie from the ad network is linked to ads.adcompany.com. The same cookie is being set for every website that serves content from that same ad network, and so they are able to build a profile on you.

    The bigger an ad network gets, the more websites it is installed on, the more clear the profile becomes.

    I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

    --
    Kiteboarding Gear Mention slashdot and get 10% off!
  8. Re: Private browsing by mspohr · · Score: 2

    Thanks for the additional information. I guess my question now is why would a browser allow random third party domains set cookies when viewing a site?

    --
    I don't read your sig. Why are you reading mine?
  9. Re: Private browsing by Luthair · · Score: 2

    All but Safari which turned it off a few years ago iirc. There have been some legitimate uses like Google's login services.

  10. Re: Private browsing by Anonymous Coward · · Score: 5, Informative

    If the browser loads a resource from a domain, that domain can set a cookie for itself via HTTP headers (or if the resource is a script, through the script). That's normal, isn't it? But this is also true if that resource comes from a "third party" domain, i.e. one which is different from the domain of the web page itself. Example: You are looking at slashdot.org, which loads a script from taboola.com. Then the taboola.com script can set a cookie for taboola.com. Slashdot.org can not read that cookie, but if a page from a different domain also loads a script from taboola.com, that script can (normally) read the cookie for taboola.com. That cookie usually contains a tracking ID, so when many sites on the web load a taboola.com script, taboola.com can track you across web sites. With first-party isolation, the third party cookie can still be set, but it is only readable when the third party resource is loaded in the same first party domain context where it was set. Something else you can do (and probably should do) is disallow third party cookies altogether or at least make them expire when you close the browser. If you do the latter, first party isolation still helps by preventing in-session tracking.

  11. Re:Private browsing by sexconker · · Score: 5, Informative

    I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

    No, it's in the summary.

    This is isolation, not blocking. Plenty of sites won't work if you outright block 3rd party cookies.
    What this does is allow the cookie to be set and sent back in future requests, but it's one cookie per ad domain AND per visited site.

    If you go to pussy.com and it loads a tracking asset for ass.com, Firefox sets a cookie for ass.com.
    If you go to pussy.com again and it loads a tracking asset for ass.com, Firefox sends the same cookie back.
    So ass.com can track you on pussy.com.

    If you then go to titties.com and it loads a tracking asset for ass.com, Firefox sets a separate cookie for ass.com.
    This way, ass.com can't track you across pussy.com and titties.com as a single user by use of their cookies.

    They will still try (and generally succeed) at such tracking via browser fingerprinting, timing, meta analysis, and the good ol' IP address.

  12. Re:Is this how it works? by dissy · · Score: 2

    Is this how it works? My understanding that tracking cookies will be a) multi-domain and b) will also include add network domain. For example, Taboola cookie would be still accessible across all sites that use Taboola. Is this not the case?

    That is the case in IE, but in all other browsers no, a cookie can only be set for a domain if sent by a server on that domain.

    But look at slashdot as an example. When you go to slashdot.org, you are loading content from 4 separate host/domains.

    slashdot.org can set a cookie that gets sent back to slashdot.org
    But you are also loading content from other domains:
    a.fsdn.com content is loaded and can set a cookie, which gets sent back to a.fsdn.com
    gstatic.com content is loaded and can set a cookie, which gets sent back to gstatic.com
    etc

    If you went to another website owned by FSDN but isn't slashdot, odds are that site will also load content from a.fsdn.com and thus that domains cookie will be sent back to a.fsdn.com again.

    In this way a.fsdn.com can track you over all of the websites that load its content in, be it slashdot or freshmeat or whatever.

    Now add in the fact that most websites these days load content from the google ad network, or facebook, or twitter.
    Each of those sites can set a cookie on their content and it gets sent back when visiting any other website that also loads content from them.

    This is how facebook and such track you over most of the Internet, even if you never do or have visited facebook.com directly. It's almost guaranteed however that you have loaded content from facebook.com indirectly, and your browser happily sends the facebook cookies back to facebook.

    What this feature does is tag a cookie not just with the domain of the sending web server, but also with the domain in your address bar.

    That means the facebook cookie as loaded from slashdot is stored separately from the facebook cookie from random-other-site.
    Revisiting slashdot will only send the facebook cookie set with the slashdot domain, not the facebook cookie set by the random-other-site domain.