Ad-blocking companies block ‘unblockable’ tracker

Credit to Author: Danny Bradbury| Date: Mon, 25 Nov 2019 12:45:02 +0000

Ad-blocking companies have figured out a way to block the unblockable – a pernicious tracker technique that hides advertising networks from your browser in plain sight.

Whenever your browser visits a website supporting third-party advertisers, the site shows it tracking pixels or IFRAME tags that cause it to make extra requests. These requests go to ad companies that use various techniques to identify your browser and track it across multiple sites.

Ad-blocking companies are in a constant battle with the advertisers to block these trackers.

The latest weapon in this fight exploits a long-established web concept called a CNAME record. CNAME stands for Canonical Name. It’s an alias that the owner of a domain (say, example.com) can use to describe a subdomain (like innocent.example.com). You could set the CNAME for ads.example.com to resolve to an entirely different domain, like dedicated-tracker.eviladcompany.com. When your browser reaches out to innocent.example.com, it’ll send a query to the name server, which will look up the second domain instead.

That’s a problem for people that don’t want advertisers to track them. Ad-blocking software tends to trust cookies sent by the same domain that you’re visiting. If innocent.example.com sends you a cookie, it could contain session information that helps the site remember who you are. Blocking it would break the site’s functionality.

So companies that use CNAMEs to hide third-party trackers behind their own domains can fool ad blockers into waving through cookies from their advertising friends.

Those companies reportedly include French marketing outfit Eulerian, which according to a post on ad blocker uBlock Origin’s GitHub site used this ‘unblockable tracker’ approach on a subdomain at liberation.fr, pointing to liberation.eulerian.net. Any company trying to seem innocuous would use a random subdomain – in Eulerian’s case, f7ds.liberation.fr.

Sneaky.

According to another poster who searched for the inline code, the company is doing it on several other sites, too.

This is a simple workaround for advertisers eager to understand what you’re doing online. If you don’t want them doing that, then how can you stop them?

UBlock found an application programming interface (API) in Firefox, which is a way for its browser extension to interact with the underlying browser engine. dns.resolve() looks up the real domain behind a CNAME record (known as the canonical CNAME).

Firefox uBlock users will be protected, but what about users of Chromium-based browsers, which encompasses most other browsers? Chromium doesn’t support this API, meaning that uBlock can’t take the same approach using this browser framework as it does with Firefox. One alternative would be to send the browser’s request data to an online service to have it check for the canonical CNAME record, but uBlock’s developer Raymond Hill doesn’t want to send user information to other online services. He explained:

This would require uBO to send browsing history information to a remote server, this is anti-uBO.

Other ad blockers are jumping into the conversation. In a blog post that was low on detail, Adguard said that it would address the problem because:

On DNS level, it’s trivial to figure that a domain is actually a disguised tracker.

It indicated that it wouldn’t rely on a specific browser framework:

The beauty of this solution is that it’s not limited to any browser or even a single product, and in the end will help everyone.

Adguard’s CTO and co-founder Andrey Meshkov said on 22 November that the company had already started blocking disguised trackers:

http://feeds.feedburner.com/NakedSecurity

Leave a Reply