Cname cloaking, a disguise of third-party trackers (medium.com)
264 points by nextdns 21 days ago | 196 comments

The easiest way for site-owners to delegate control has been to include third-party javascript. With new browser restrictions, we're starting to see companies switching to loading JS via CNAMEd subdomains, because that's nearly as easy. The next step is probably reverse proxies, though, where the third-party JS comes from the same server that gives you the rest of the site's JS.

(Disclosure: I work in ads; speaking only for myself)

Or we could make all of that illegal and have an ad ecosystem that works for publishers and consumers as it does in every field except for the web (print, broadcast, podcasts, billboards—all work without JS and are great for consumers). Web is the one weirdo market with tracking. Make that illegal and it will be good like all the other markets.

> Or we could make all of that illegal

I don't see a good way to do that, at least.. a way that's practical to actually enforce. As it is, the FTC is fairly toothless and is better at offering guidelines than policing.

> as it does in every field except for the web

Well.. that's just because they have dedicated account executives and sell advertising through a combination of direct solicitation and a much smaller amount of "walk-in" business; that's not practical for all creators or formats.

> Web is the one weirdo market with tracking.

This has always been the holy grail for advertising, the other industries put up with statistical "audience modelling" only because they have to; however, working in one of those 'other fields' I can tell you.. our account executives will take as much direct tracking data as they can get. e.g. "Have you installed our Radio App?!"

> Make that illegal and it will be good like all the other markets.

I feel like we lost the fight a long time ago.. I remember when the 'Flash Blocker' plugin was a great tool. Unfortunately, too many modern sites are entirely reliant on JS in a way they never really were for Flash and the idea of using 'Script Blocker' that's on by default makes navigating the web exceptionally difficult.

It's too bad, because it's probably the right solution.. why should the sites we visit have the right to execute programs on my computer by default?

Offline isn't as different as you might think:

2012-02-19: Almost every major retailer, from grocery chains to investment banks to the U.S. Postal Service, has a “predictive analytics” department devoted to understanding not just consumers’ shopping habits but also their personal habits, so as to more efficiently market to them. “But Target has always been one of the smartest at this,” says Eric Siegel, a consultant and the chairman of a conference called Predictive Analytics World. “We’re living through a golden age of behavioral research. It’s amazing how much we can figure out about how people think now.” -- http://www.nytimes.com/2012/02/19/magazine/shopping-habits.h...

2016-02-28: Pass a billboard while driving in the next few months, and there is a good chance the company that owns it will know you were there and what you did afterward. Clear Channel Outdoor Americas, which has tens of thousands of billboards across the United States, will announce on Monday that it has partnered with several companies, including AT&T, to track people’s travel patterns and behaviors through their mobile phones. -- https://www.nytimes.com/2016/02/29/business/media/see-that-b...

2019-03-07: Location-tracking technology can now monitor people so precisely that retailers know, for instance, which customers visited a fitting room but never made it to the cash register. -- https://www.cnbc.com/2019/03/08/how-retailers-can-track-your...

Oh, that is coming to non-web as well, there are already billboards with cameras. Although for now, one 'test' in the Netherlands was declared illegal (for now) due to privacy concerns.

The GDPR does that. It doesn't matter if you have the data in your own DB, you can't utilize it for purposes you haven't secured informed consent for.

GDPR is a good first step.

California's version, CCPA, should take effect starting January.

Do you think ad companies will really trust reverse-proxied ad traffic? Seems like a tremendous opportunity for fraud. Right now with user agents hitting ad servers directly, there's much less opportunity for content publishers to fake impressions and clicks.

Instead of websites deploying reverse-proxies to tunnel ads through, Google has entire websites tunnel through their edge via AMP. Wouldn't surprise me if BigTech gets together and introduces standards that open up more avenues for CDNs to take away even more control and monetize the traffic they serve, on their terms.

Google has pretty much checkmated content-blockers in that they control the servers, the OS, and the clients used by an overwhelming majority of internet users and service providers alike.

TBF, Google is probably going to be broken up in the next five years and AMP will be exhibit A at the trial.

I guess we get to the point where the content blockers load the scripts, and run heuristics on them before loading them, and perhaps running an adaptive real-time blacklist?

I hate AMP but maybe it is ad blockers, but I believe I can count on my fingers how many times I visited an AMP page.

They already do - Instart Logic is one of the reverse proxies dedicated to serving ads first-party.

For tracking and invasive device tracking (WebGL, plugin enumeration, Canvas, audiocontext, WebRTC, WebSocket-based portscanning of your LAN CIDR acquired from WebRTC, ...) there's Shape and Distil that both do inline reverse proxying.

Though, WebRTC tracking is becoming severely limited with the current mDNS initiative that hides all the local IP addresses and other measures to hide available devices.

Is this form of aggressive identification without consent not going against the GDPR?

When I browse European sites I'm always having to click through permissions - I imagine most folks are on autopilot by now in terms of saying "yes", especially in Europe - how can you even browse the web if you don't click yes on everything in Europe?

What's the data on folks actually saying no to these popups / clickthrough alerts?

I used to skim the relatively few permission / yes agreements (ie, this will auto sign you up for XX), but now they are showing up so many places it's not practical anymore I don't think?

Even https://europa.eu/ (the official EU website) has a cookie banner at the top of the very first page you hit. And instead of the website asking me - I normally just block cookies if I don't want to share them.

The Europe site is compliant. They allow you to refuse nonessential cookies. Most sites are not. I'm pretty sure eventually those cases will be handled.

I might be wrong, but GDPR was supposed to force businesses to provide a DNT option unless completely vital to the business. If that is true, most sites are liable for forcing you to click "yes".

Update: I went and found this[1]:

> this provision means that companies will process only the data absolutely necessary for the completion of its business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject

[1] https://www.techrepublic.com/article/the-eu-general-data-pro...

If your business model involves keeping statistics on users use of your site is that necessary for the business?

"involves" doesn't mean "would be dead without"

Can you run ad supported businesses in Europe? What does would be dead without? Analytics are used to refine / target site design etc

When the user agent clicks the ad, that's how the ad companies know it's real.

Honest question, and I'm not making any value judgements: Do you have any moral issues working in adtech?

I've written some about this here: https://www.jefftk.com/p/value-of-working-in-ads

I work in ad-tech too, so I'm not judging you. The donations you've made are awesome, and I can see you've clearly thought a lot about how to best direct your money. But I think you're missing a few downsides.

The digital marketing/analytics industry doesn't spend a lot of time thinking about how to secure all that data they're collecting, and data breaches are happening more and more frequently. A lot of this data is supposedly anonymized, but often can be tied back to identifying information.

I would consider Google to be an exception here, as they have some of the best security people in the world working for them. But they are just that: an exception. Don't forget that the industry that Google enables is a lot less ethical (and a lot less competent) than Google itself.

There are other downsides too (e.g. the impact of advertising on editorial integrity, and the ethics of using political ads to tip the scales in an election).

You could argue that display ads in general are a positive. (I personally disagree, but I can see how reasonable people might see it differently.) But tracking is not close to being ethical. The difference is between someone handing out pamphlets for a new baby care product because you are walking into a baby clothing store, and one handing you the same pamphlet because he has gone through your trash and found your pregnancy test results.

Unpersonalized ads can still serve the same democratic funding model you're identifying as the main positive reason for online advertising's existence. You present a false choice between obnoxious (visibility intrusive) ads versus these odious information gathering schemes. Since the latter make more money and people hate obnoxious ads we must choose personalization. Thankfully we're now fully aligned with how Google has implemented their ad targeting.

Hypothetically if congress could ban both obnoxious and targeted ads (somehow) leaving us with the unpersonalized newspaper model of ads would you be for or against that bill?

As a developer in publishing, I would support that bill in a heartbeat. Tracking means you can target a niche market without paying for niche content. It’s terrible for publishers and consumers. It’s good for ad people.

> Tracking means you can target a niche market without paying for niche content. It’s terrible for publishers and consumers.

This only seems partly right to me. Let's say someone wants to sell fishing equipment. The traditional way of doing this is to buy ads on fishing sites. So now my fishing equipment purchases make there be more writing about fishing; yay!

Then one of the fishing websites decides to put a tracking pixel on their site to drop "fishing website visitor" cookies. They make a deal with a third party provider and get paid a small amount per visitor. Then fishing retailers have a new choice: instead of buying ads on fishing sites they can instead buy ads on any site for users who have one of the "fishing website visitor" cookies. If there were a monopoly fishing site, then this would increase their earnings: while the ad space on their site isn't as valuable, they will set the pixel price high enough that they come out ahead. It's not a monopoly, though, so the price of the pixel gets driven down through competition, and money that would go to fishing sites instead goes to the publishers that people who spend money on fishing equipment visit.

In this case I see how it's worse for fishing sites, but not how it's bad for consumers: their willingness to buy fishing equipment translates into support for all the sites they visit, and not just the fishing sites.

But there are also many niches that don't have economic tie-ins, or have ones that are far weaker than "writing about fishing" and "buying fishing equipment". In a world with targeted advertising, these niches do better, because of overlap between audiences. A "let's have better housing policy" blog can show ads for fishing equipment, vacations, HVAC supplies, or whatever else visitors have shown interest in on other sites.

Additionally, targeted advertising increases the total amount of funding available for online content, because people with niche interests are available to be advertised to in more places. Seeing ten fishing ads once a week when you visit a fishing site vs seeing twenty fishing ads spread over the course of the week, etc.

So, yes, niche publishers in lucrative niches would make more money if we only had context-based advertising, but I don't think niche publishers overall, publishers overall, or consumers would be better off.

(Disclosure: still speaking only for myself)

Good argument. I will think about it more.

As a consumer I vastly prefer targeted ads. I don't like badly targeted ads much though.

(I don't work in adtech, but I have sold technology to adtech companies.)

"It is difficult to get a man to understand something, when his salary depends on his not understanding it."

I do the work I do because it allows me to donate: https://www.jefftk.com/donations

I would not do this work if I thought it was harmful, and if I decided it was harmful there are many jobs I could take instead.

I'm open to being convinced that my work is net negative! I've quit Google before: https://www.jefftk.com/p/leaving-google-joining-wave

You're contributing to tech that erodes people's privacy, even when they actively fight against it. Don't delude yourself with net positives. The harm your employer causes still affects people, regardless of the useful things you may work on at Google, or the donations you give.

Not everyone shares your moral sentiments. I find your view elitist and unfair towards jefftk, who has been extremely open and amiable.

On the one hand, you’re right jefftk has been cordial. On the other.. where does that argument stop holding water? Just because someone is polite about their views doesn’t really justify them any more or less.

I appreciate your engagement in this, Jeff, but I’ve read the post and I agree that it’s rather light in its evaluation of the negative value of ads.

Anyway I guess it's getting too far off track at this point. Thanks for at least engaging in the conversation, unlike basically everyone. I would love to chat further in private if you have the time. My contact is in my profile.

> when they actively fight against it

While this is definitely true for some adtech vendors, none of the work I do is in that category, and to my knowledge none of the work at my employer is either.

(Still speaking only for myself)

I glanced over the article you linked on your homepage, and you said you worked for google.

Google is and was actively fighting privacy laws[1] (e.g. seeking exemptions allowing them to even track people who consciously opt out of data collection), had a CEO that made no secret about his anti-privacy stance[2], was repeatedly fined[3], and also for violating the privacy of children[4], etc. etc.

How do you reconcile this with your assertion that google and yourself are good players?

[1] https://www.latimes.com/business/story/2019-09-04/google-and...

[2] https://www.eff.org/de/deeplinks/2009/12/google-ceo-eric-sch...

[3] https://www.nytimes.com/2019/01/21/technology/google-europe-...

[4] https://www.nytimes.com/2019/09/04/technology/google-youtube...

If you're going to trot out Upton Sinclair's beaten-to-death horse, you might as well attribute it to him. But then there are also less pretentious ways of pointing out mundane conflicts of interest.

From what I've seen on HN, this quote is one of the top offenders when it comes to commenters just dropping it in without further engagement. On well-moderated subreddits like /r/askhistorians, commenters are required to critically engage with their citations instead of just linking them. Likewise I feel we should put a moratorium on responding exclusively with (well worn) quotations on HN.

To be specific: the way you've responded here is trite, dismissive of someone else's perspective by way of judging them for their occupation, and generally lacking in nuance. It's middle brow posturing of insight without the substantive analysis to back it up.

What have we learned as a result of this solemn reminder that some people get paid to do things we disagree with? People are explicitly calling out their affiliations with adtech in this thread; should we abandon discussion with them because you think their paycheck precludes them from being able to be persuaded?

Here's a riposte for you: "The mark of an educated mind is the ability to entertain an idea without accepting it."

Nice write-up. What is your opinion on the following: Ads make people buy stuff they don't need.

So if we would stop with ads everywhere, we can save the planet.

I don't think "ads make people buy stuff they don't need" is a large part of what's going on. One way to think about this would be, what would the world be like if we didn't allow advertising? Not just internet ads, but magazine ads, affiliate links, sponsored posts, product placement, everything. And assume that enforcement is perfect ;)

Here's my speculation about how this would change people's purchasing:

* Products would be a lot stickier. A lot of advertising is about trying to move people between competitors, or keep them from moving. Sometimes it's an explicit "here's a way we're better" (ex: company advertises that they don't charge unpopular fee X), other times it's a more general "you should think positively of our company" (ex: we agree with you on political issue Y).

* Relatedly, it would be much harder to get many new products started. Say a startup makes a new credit card that keeps your purchase history private: right now a straightforward marketing approach would be (a) show that other credit cards are doing something their target audience doesn't like, (b) build on their sense that this isn't ok, and (c) present the new card as a solution. Without ads they would likely still see uptake among people who were aware of the problem and actively looking for a solution, but mostly people would just stick with the well-known companies.

* Reviewers would be much more trustworthy. There's a long history of reviewers getting 'captured' by the industry they review, ex: https://www.fastcompany.com/3065928/sleepopolis-casper-blogg...

* Purchases of things people hadn't tried before would decrease, both things that people were in retrospect happy to have bought and things they were not. One of the roles of advertising is to let people know about things that, if they knew about them they would want to buy. But "buy stuff they don't need" isn't a great gloss for this, since after buying the products people often like them a lot.

This is just my guesses; I work on the technical side of ads and don't have a great view into their social role, and even if I was in a role like that it would still be very hard to predict how the world would be different with such a large change. Where does your picture differ from mine?

(For 'saving the planet' I think a carbon tax would make a lot more sense.)

I get that you have the caveat and all, but seriously? The tech industry has widespread cooperation with a regime in China that is brutalizing Hong Kong and committing ethnic cleansing of the Uyghurs--and you want to know if he can sleep at night because he codes software to show ads for socks to people that don't want to see ads (but somehow can't bring themselves to live without content that's ad supported)?

> (but somehow can't bring themselves to live without content that's ad supported)?

Every day that becomes less and less of an option and presenting it as an option is disingenuous. Are you seriously suggesting that people live without search engines?

I think it's valid to question the role of cars in our society even if the critic took a car to the meeting, for example.

There’s a difference between questioning the role of cars in our society and morally condemning car engineers while riding around in a car.

As for living without a search engine, people have gone through much worse for their moral beliefs. I personally don't see the moral issue at all, but if you feel so strongly about it, then yes, I expect you to sacrifice your own interests for those beliefs and not just go around making cheap condemnatory statements.

False dichotomy. Other options might be paid search. Personal search engines. Peer to peer search. Or new business models. Yes, it's possible to imagine a world without Google et al screwing everyone out of their privacy.

Can you list any of these exciting alternatives? As a layman, I don't know of anything besides Google, Bing and DDG.

I'm not sure... I think I'd be more comfortable working for a weapons shop than for (tracking) adtech. Ethics is a spectrum, so there can be many opinions on the topic.

Going back to adtech, I more or less equate it to the tech you alluded to, as well as global tracking, NSA-sized surveillance, and a complete disregard for "privacy", regulations and civility. Would any self-respecting person follow their neighbors around, write their every moves on a notebook, and sell that to the highest bidder? It's literally what is being done by those tracking giants, on a much bigger scale (and Google does track your every move, or does its best to do so).

I feel like I'm distancing myself more and more from conventional Internet platforms as a result.

As the host of a few web properties, I've always been very discriminating when it comes to third party content (including trackers). In fact my broad rule of thumb is to avoid it. You don't need it to have a successful business model.

I'm disappointed at webmasters who push garbage from their sites.

They might, yes, but it is orders of magnitude harder to set up and maintain than this, and as a website owner, you have to put even more trust in your ad serving solution than today.

Reverse proxying is a little harder, but not much. In NGINX, for example:

    location /adtech/ {
        proxy_pass https://adtech.example/;
    }

What additional trust are you thinking about? HttpOnly cookies are already sent when you use the subdomain approach.

js running on your domain can read eg login cookies

at least if you cname definitelynotads.yourdomain.com to js.ads.com, the javascript running on definitelynotads... can't read host-only login cookies on yourdomain.com.

In the vast majority of cases integration is by including a script controlled by the advertising network in the page they are advertising on.

So for the purposes of the browser security model, the script already runs in the domain of the host site. It can directly read any non-HttpOnly cookies, and can make any request it likes using XMLHttpRequest to APIs on the host site using the user's cookie without relying on CORS.

The only very minor difference between first and third party script inclusion is access to HttpOnly cookies (depending on the cookie scoping).

Both of the first party script inclusion approaches have mitigations available to the host site: in the proxy approach, the server could filter the cookies before proxying. In the CNAME approach, taking care with cookie scoping could solve the problem. Careless adoption is likely to open security flaws under both techniques.

> The only very minor difference between first and third party script inclusion is access to HttpOnly cookies

That's not a minor difference; HttpOnly is used for authentication.

Correct. Authentication should always be via cookies with "HttpOnly" set, since (a) the cookie is not needed client side and (b) it somewhat limits the damage XSS can do.

Sites generally set Domain= on their cookies, and so include subdomains. For example, if you click "sign in" on apple.com it brings you to secure2.store.apple.com and after entering your password it sets a cookie with "Path=/; Domain=apple.com; Secure; HttpOnly".

You're right that this does reduce security on some sites: if domain.example doesn't set Domain= on their cookies then ads.domain.example (CNAMED to js.ads.example) won't see the cookies but domain.example/ads would. This is pretty rare, though, because sites you log into generally do need their cookies to work across subdomains.

Except this problem is easier to handle with reverse proxies than with subdomains: with subdomains the cookies are sent whether you want to or not, while with a reverse proxy the site owner can configure it to strip cookies.
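The cookie-scoping argument above can be checked mechanically. This is an added example (not the thread's own code or any vendor's) that models RFC 6265 domain and path matching and reports which cookies the ad vendor's server receives under a plain third-party include, a CNAMEd subdomain, and a same-origin reverse-proxy path; the hostnames, cookie names and the `Cookie ""` stripping behaviour are constructed assumptions.

```python
"""Which cookies reach the ad vendor under each 'first-party' inclusion setup.

Added example, not code from the thread. It models the RFC 6265 rules the
comments above rely on: a cookie set without a Domain= attribute is
host-only and goes to that exact host only; a cookie with Domain=x goes to x
and every subdomain of x. HttpOnly only hides a cookie from script; it is
still sent on every matching HTTP request. All hostnames are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # host it was set on (host-only) or the Domain= value
    host_only: bool    # True when Set-Cookie carried no Domain= attribute
    http_only: bool = False
    path: str = "/"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or request host ends with '.' + domain."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(request_host: str, request_path: str, jar: list[Cookie]) -> set[str]:
    """Names of the cookies a browser attaches to a request for host + path."""
    sent = set()
    for c in jar:
        if c.host_only:
            if request_host.lower() != c.domain.lower():
                continue
        elif not domain_matches(request_host, c.domain):
            continue
        if path_matches(request_path, c.path):
            sent.add(c.name)
    return sent


# Constructed cookie jar for a user logged in to domain.example:
#  - session: Domain=domain.example; HttpOnly  (the login cookie, as in the apple.com case above)
#  - csrf:    set without Domain=, so host-only for domain.example
#  - pref:    Domain=domain.example, readable by script
JAR = [
    Cookie("session", "domain.example", host_only=False, http_only=True),
    Cookie("csrf", "domain.example", host_only=True),
    Cookie("pref", "domain.example", host_only=False),
]

# Where the ad asset is fetched from under each setup (constructed names).
SETUPS = {
    "third_party": ("js.ads.example", "/pixel.gif"),   # plain <script src=...> from the vendor
    "cname": ("ads.domain.example", "/pixel.gif"),     # ads.domain.example CNAMEd to the vendor
    "proxy": ("domain.example", "/ads/pixel.gif"),     # nginx location /ads/ proxying to the vendor
}


def received_by_ad_server(setup: str, jar: list[Cookie], strip_cookies: bool = False) -> set[str]:
    """Cookie names the vendor's server sees in the request's Cookie header.

    Under "cname" the browser talks to the vendor directly, so the CNAME changes
    nothing about what is sent. Under "proxy" the site's own server receives the
    request first and may drop the Cookie header before forwarding it upstream
    (assumed here to be done with nginx's proxy_set_header Cookie "").
    """
    host, path = SETUPS[setup]
    if setup == "proxy" and strip_cookies:
        return set()
    return cookies_sent(host, path, jar)


def http_only_leaked(setup: str, jar: list[Cookie], strip_cookies: bool = False) -> set[str]:
    """HttpOnly cookies that reach the vendor: the auth cookies that XSS cannot read."""
    got = received_by_ad_server(setup, jar, strip_cookies)
    return {c.name for c in jar if c.http_only and c.name in got}
```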

I can see ad publishers offering CDN-like services to help them get around blockage.

Only solution is criminalizing this behavior. In no other context is stalking a person against their will and consent permissible in a "free" society.

Use a Pihole + your adblocker of choice - defense in depth. It's easy to set up, brainless to keep updated, and helps to protect all devices on your network, not just the things that can run uBlock. I've got mine running in a Docker container, which upstreams to a stubby container, which gets DNS-over-TLS, so I get adblocking and DNS query encryption out to Cloudflare for the whole network, and it's really not all that hard to set up. (Edit: Here's the bash script I used. docker-compose would probably be better, but whatever. https://gist.github.com/cheald/23da384908404b0757eadda74124a...)

If you're unwilling to do that, just set your DNS servers to the Adguard servers (https://adguard.com/en/adguard-dns/overview.html) and you get most of the same benefit, though obviously without the control that the Pihole offers you. On Android devices, you can go to Settings - > Wifi & Internet - > Private DNS and set "Private DNS provider hostname" to dns.adguard.com (or your own exposed Pihole server, if you're so inclined) and get the same benefit when you're on LTE.

I don't think you understood the article. Pihole or any blocking DNS server based on blacklists won't help here (that's the point).

By using random, frequently updating CNAMEs it effectively defeats the mechanism Pihole uses.

You could still block IP addresses of the advertisers, but oftentimes they don't do BGP, so they aren't going to have blocks under the same ASN you can simply block.

It's a nuanced and challenging problem for sure.

It's surprising to me that dnsmasq doesn't provide the ability to override the returned names in the chain. I'd just assumed it did. Seems like it shouldn't be _that_ hard to solve, though. I've written my own bespoke DNS server before on top of miekg/dns - I might have to take a crack at my own pihole-like with CNAME interception. :)

Check this article, pi-hole can’t block this yet: https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...

I personally set up nextdns for 30+ people. It is that simple and useful. Thanks.

I've a couple of questions, though:

1. Do you run one unbound instance per configuration, or share among multiple configurations per user or...? The reason I ask is, sometimes the latencies are too high, 2000ms+. Should I be creating fewer configurations per account?

2. How could nextdns combat ad-networks resorting to DoH:

1. Check https://github.com/nextdns/nextdns

2. JS can't set a custom resolver, I don't think DoH can help with that. If yes, source please

Thanks Olivier.

Re: nextdns-cli: I think you may have misunderstood my question. I was more curious abt how the backend worked: Do you run one unbound instance per nextdns-configuration?

Re: DoH: I was pointing to the fact that XHR request to (or any DoH provider that supports application/dns-json) can now resolve domain names. In this case, there's no reliance on either browser's DoH resolver or resolver set by OS / AccessPoints / VPNs.

Oh sorry. We have developed a custom DNS solution that sits in front of unbound. We only use unbound for standard recursion and caching; all custom configuration management is operated in this homemade DNS proxy.

For trackers to use DoH, they could certainly perform XHR requests to resolve a domain, but they won't be able to use it to perform a request from the browser. You may use http://<ip> instead of http://<domain>, but this has two issues:

1. You won't be able to use virtual hosting (the Host header is gone), and thus you need one IP per "service", which is doable but harder, more custom and more expensive.

2. You won't be able to use HTTPS, except with an expensive certificate that is somewhat harder to set up.

As most websites are HTTPS now, a non-HTTPS tracker would raise mixed content errors. Not to mention that this IP would quickly be blocked by browser based ad blockers, and IPs are harder than domains to change.

And all this is doable without DoH; you just embed the IP in the ad library embedded by the site.

Thanks a lot for taking time to respond. Really appreciate it.

I guess, XHR aside, mobile or desktop apps making DoH requests (to https://ipaddress) is something that can't be blocked by DNS based ad-blockers? A firewall might do the trick.

For DoH there are some problems in addition to what poitrus said.

In order to make an XHR to you need to be running javascript. But the whole goal of these CNAME and other evasions is to run javascript (aka not get blocked by browser extensions and such). So they already need to achieve their goal before they can make the XHR. Since they've already achieved their goal, why are they bothering with additional complexity?

Adblocking browser extensions could probably block XHR DoH requests that have adcompany.com in the query parameters.

This isn't really specific to DoH. Any database that can be queried by an XHR could be used instead of DoH for this purpose.

I missed that! I'll have to look at tweaking my setup!

In general though, DNS filtering + client filtering is an awesome combo.

Sticking OPNSense on one of these [1] was probably the best LAN decision I've made, besides a Synology backup NAS.

It acts as a pihole and a lot more (firewall, device vlan isolation, vpn termination, etc). I have these hosts files [2] loaded into its DNSmasq config.

[1] https://www.amazon.com/dp/B072ZTCNLK

[2] https://github.com/StevenBlack/hosts

DNS-based blacklisting is not effective against an effectively infinite, rapidly-iterated, DNS namespace on domains that you otherwise trust.

My experience is with DNSMasq, but should apply to PiHole.

I'd noticed that several ads networks were utilising massive numbers of hosts at a specific domain (limited to advertising). If you're using a simple /etc/hosts blocklist, you'd have to individually block these. The alternative DNSMasq affords is to block entire domains or subdomains. This is remarkably effective.

But ...

... if ads and content are being served from the same domain, you'd have to switch to a DEFAULT DENY plus EXPLICIT ALLOW rule. So you'd have to blacklist all of "example.com" except for the valid hosts, say, "webserver.example.com", "css.example.com" and "nonhostile-js.example.com", to enable assets from those specific hosts.

Another alternative, which would probably work reasonably well against CNAME attacks, is to simply deny all traffic at the IP level to the CNAMEs' targets.

Since the goal of the advertiser is to make a small number of hosts or hostnames appear as a large number of their client domains, you still have an effective lever to apply in blocking access. But you'll need to use IP-level blocking (firewall), rather than the until-now useful and largely effective DNS-based blocklists that have become popular.

As a technical countermeasure.

Regulating the everloving hell out of these practices, and/or suing both tracking firms and their clients, is another possible approach. And I think it's going to take both technical and collective social and legal methods to address this.
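The hosts-file, per-domain and IP-level approaches discussed above, and the "pihole-like with CNAME interception" idea earlier in the thread, can be compared on the same data. This is an added example, not code from pi-hole, dnsmasq or NextDNS: it walks a constructed CNAME chain, blocks if any hop falls under a blocklisted domain, sinkholes the answer, and collects the final IPs of blocked chains for a firewall deny list. ZONE, BLOCKLIST and every hostname and IP in it are constructed placeholders.

```python
"""Blocklist lookup that uncloaks CNAME chains.

Added example; not pi-hole's, dnsmasq's or NextDNS's code. Shows why an
/etc/hosts-style list or a per-domain rule misses a tracker hidden behind a
publisher-owned CNAME, how walking the chain catches it, and how the chain's
final IPs can feed an IP-level deny rule. All names and IPs are constructed.
"""
from __future__ import annotations

# Constructed answer data: name -> (rtype, value). In a real resolver each hop
# would come from the upstream answer section.
ZONE = {
    "metrics.publisher.example": ("CNAME", "publisher.example.tracker-cdn.example"),
    "publisher.example.tracker-cdn.example": ("CNAME", "edge7.tracker.example"),
    "edge7.tracker.example": ("A", "203.0.113.10"),
    "www.publisher.example": ("A", "198.51.100.5"),
    "css.publisher.example": ("CNAME", "cdn.goodcdn.example"),
    "cdn.goodcdn.example": ("A", "198.51.100.20"),
}

# Domains to block together with every subdomain (dnsmasq address=/domain/ semantics).
BLOCKLIST = {"tracker.example", "tracker-cdn.example"}
SINKHOLE = "0.0.0.0"


def is_blocked_name(name: str, blocklist: set[str]) -> bool:
    """True if name equals, or is a subdomain of, any blocklisted domain."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_chain(name: str, zone: dict, max_depth: int = 8) -> list[str]:
    """Return [queried name, CNAME target, ...] up to the first non-CNAME hop."""
    chain = [name.lower()]
    seen = set(chain)
    while True:
        rec = zone.get(chain[-1])
        if rec is None or rec[0] != "CNAME":
            return chain
        target = rec[1].lower()
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        if len(chain) >= max_depth:
            raise ValueError("CNAME chain too long")
        seen.add(target)
        chain.append(target)


def hosts_file_blocked(name: str, blocklist: set[str]) -> bool:
    """What an /etc/hosts-style list sees: the exact queried name only."""
    return name.lower() in blocklist


def uncloaked_block(name: str, zone: dict, blocklist: set[str]) -> tuple[bool, str | None]:
    """Walk the CNAME chain; return (blocked?, the hop that matched)."""
    for hop in resolve_chain(name, zone):
        if is_blocked_name(hop, blocklist):
            return True, hop
    return False, None


def answer(name: str, zone: dict = ZONE, blocklist: set[str] = BLOCKLIST) -> str | None:
    """Filtering resolver: sinkhole if any hop is blocked, else the final A record."""
    blocked, _ = uncloaked_block(name, zone, blocklist)
    if blocked:
        return SINKHOLE
    rec = zone.get(resolve_chain(name, zone)[-1])
    return rec[1] if rec and rec[0] == "A" else None


def firewall_targets(zone: dict, blocklist: set[str]) -> set[str]:
    """IPs that blocked chains terminate at, for an IP-level deny rule."""
    ips = set()
    for name in zone:
        blocked, _ = uncloaked_block(name, zone, blocklist)
        if blocked:
            rec = zone.get(resolve_chain(name, zone)[-1])
            if rec and rec[0] == "A":
                ips.add(rec[1])
    return ips
```

The IP-level list is only as stable as the vendor's edge addresses, which is the trade-off the comment above describes.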

I do this personally and it's great. I've even set this up for extended family. But any real solutions to the problem will not be technological, they will have to be legislative...

Given that no reasonable legislation will likely pass against adtech, I'll be stuck buying rpis as gifts again for the next several years.

That will only work for so long, as more and more browsers are forcing DoH for "privacy" on users, making them bypass traditional DNS in favor of DNS over HTTPS to a provider selected by the browser, removing user control.

Mozilla for example is going to force everyone to use CloudFlare as a Resolver

> Mozilla for example is going to force everyone to use CloudFlare as a Resolver

Do you have any evidence that they're going to force anyone to do that?

You can change your DoH resolver, so you could setup a raspberry pi as a DoH server theoretically, and still keep the benefits of a PiHole. Mozilla is making CloudFlare the default but they aren't forcing it, you can use another server.

My browser should not be doing this at all in the first place.

I should not have to dig deep into the internals of Firefox to opt-out of sending all my traffic to CloudFlare, a company proven time and time again to be pro-censorship and anti-competitive

You can change it on web browsers, for now, but not on IoT devices.

What sort of IoT device uses Firefox???

I'm not aware of any IoT devices with non-configurable DoH.

It's coming in the future, likely soon we'll see it in Google hardware since they all auto-update.

While I agree that Mozilla's by default decision is wrong, this is not actually true of other browsers. Chrome will check your existing DNS provider to see if they support DoH and if they do, query that way. If not DNS proceeds as normal. Microsoft are adding the ability to use DoH in windows, but they won't change your DNS settings, so you'll need to configure it. So other than Firefox there's no "use DoH by default" anywhere.

Firefox's choice isn't the best but you can disable it. Set network.trr.mode to 5 in about:config, which means disabled and deliberately configured as such. Then Firefox won't ever try to use DoH.

As others have pointed out, you can also use other resolvers than cloudflare's, through network.trr options.

Then run your own DoH server, the same way you run your own pihole.

Shameless plug: https://GitHub.com/yegle/your-dns

That's usually easy to opt out of, and if bootstrapping fails (e.g. the outbound DNS query for the DoH provider fails / direct connection by IP is blocked) it falls back to the network/OS-defined resolvers.

Even still, filtering based on SNI will work for a long time yet. Yes, ESNI is on track to becoming a standard, but support for legacy devices/browsers means it too will rely on network tests for support, so it can also be disabled.

Physical devices already do this: https://mailarchive.ietf.org/arch/msg/dnsop/WCVv57IizUSjNb2R...

At least a browser might have a user setting to disable it.

This isn't the same thing. That's just a hard-wired DNS server, which can be easily forced to use your own servers at the firewall. GP is talking about DNS over HTTPS, which can't be fixed in this way.

Just use iptables on your firewall/router to reroute all traffic on port 53 to your DNS server.

I can assure you that the general population has no idea what half the nouns in that sentence mean, let alone how to do any of that.

I mean the game of controlling 3rd-party devices that we don’t really own via side channels is always gonna be a cat-and-mouse of ever more elaborate hacks.

The next game will probably be mitming these devices by flashing a new CA store.

There is no general solution to running an openly adversarial app/device in your network.

> I can assure you that the general population has no idea what half the nouns in that sentence mean, let alone how to do any of that.

Keep in mind you're on HN-- we tend to be a more technical population :). If you're interested I found this on StackOverflow via Google: https://unix.stackexchange.com/questions/144482/iptables-to-...

You'll have to Google how to set up iptables/telnet or ssh on your router yourself, assuming it supports it.

Pi-Hole has a fix for this going by Mozilla staff


I knew something like this would come up. I always wondered why ad/tracking companies never proxied through the first-party domain (or in a more extreme case, the first-party server itself) to skirt adblock.

Suppose you load example.com/article. Ad Agency serves ad/tracking assets from example.com/article/Zqj7MOm.js. When you reload, it serves from example.com/article/llc9h76.js. How do you block it? You can't. Getting this to work in a pluggable fashion is an implementation detail (maybe some on-the-fly statistical generation of URLs + passing nonces to and from Ad Agency as a mitigation for spoofing by example.com). Another way to implement it is a custom URL router that dynamically reverse proxies to Ad Agency on the generated ad trojan horse URL. The only reason this hasn't happened yet is because still very few people use adblock, esp. on mobile.

P.S. please don't do this.

As I understand it, ad companies and the people who sell their websites to ad companies have some base level of distrust of one another, which has kept them from integrating like this. Ad companies want to serve the code to be sure that no click fraud is occurring, and people who run websites don't want to completely hand over their domain. But it's easy to see them forging this alliance if ad delivery depended on it.

This may be tremendously ignorant but...

What is to stop ad tech companies creating a cryptographically secured reverse proxy device[1] that clients can install in their network between the web server and requests from the internet?

The ad tech company only has to trust that their device is secure and the company that sells their website doesn't have to give up control of their domain or anything else.

They would have to isolate the ad tech device from the rest of the network and only allow it to communicate to the web server inside the network and the ad tech server outside their network. If something goes wrong with the device then it is trivial for the web serving company to bypass it.


As is mentioned in the grandparent comment, this allows anything to be done to the content being served from the website, and not only domains cannot be trusted, individual URLs cannot either. Ad blockers will have to rely on examining the content directly even more than they already do. This would make it much less scalable for the ad blockers to deal with: they have to identify ad content individually, by their signatures or page structure in the best case, or by examining arbitrary code behaviour in a worse case. Ad blockers may then have to deal with identifying ad content which changes as fast or faster than new ads appear, which is a lot worse than the relatively few (and relatively static) domains, URLs, bits of HTML and Javascript that are there now. Ad blockers may lose eventually due to incomputability, but who knows.


[1] Using a TPM is one possibility

This would have to be a reverse proxy on the AdTech's infrastructure itself to make sure no rewriting is being done after-the-fact, as you can't trust your AdTech customer (the person that owns example.com) to not run a reverse proxy in front of that.

Thanks for making me realise the most obvious thing, that it doesn't stop click fraud if it is on the AdTech customer's network, as they can connect to the device and pretend to be any device on the internet.

What if they didn't need to trust the website operators because they only pay them if users click? When the user clicks, it goes through the ad company's domain with the Referrer who would be paid for it.

Most ad fraud is the referrer owner faking clicks on ads on their own site. To trust a click you need to trust that the ad was displayed to a legitimate user. That's the hard bit.

Ad companies could move to only paying when ads result in a sale, but that only works if there's a sale that can be tracked. If I click a BMW ad and then buy one in the showroom that's really hard to track.

I can think of a couple mitigations against this future:

- Disable JavaScript

- Render SPAs off-site (or in some sandbox with a different network interface) and return the static HTML and CSS

Good enough to read news articles

> "Please enable JavaScript to view this content"

I've been wondering the exact same thing for a long time. However, browser extensions could probably still use good enough heuristics. It's the pihole category of solutions that would be defeated.

no. the reason it hasn’t happened is because a) it’s very very hard (ie even harder) to detect click fraud. and b) you can’t track the user.

Adguard is also starting to tackle this[0].

Found on [1]

(not affiliated with any of those in any way, I'm just a user of Adguard home)

[0] https://adguard.com/en/blog/disguised-trackers.html [1] https://www.reddit.com/r/pfBlockerNG/comments/e0bsto/defence...

Add this[1] host list for first-party trackers for those who don't want to use these DNS solutions and/or use a Chromium-based browser.

[1] https://git.frogeye.fr/geoffrey/eulaurarien

With third-party trackers: https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt

First-party trackers only: https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts....

The way to counter this is to know the IP a given CNAME resolves to, and to block “rogue” (read: tracking) IPs.

As an open-source DNS implementer, I know this has already been done, since my DNS server (MaraDNS’s Deadwood recursive resolver) has the ability to refuse to resolve DNS names with bad IPs via ip_blacklist.

The reason I implemented this is to block NXDOMAIN redirects (when using an ISP’s DNS server and mistyping a domain name, instead of getting “nothing there”, it goes to an ad-filled “search” page provided by the ISP), but the implementation scales and it should work for blocking a large number of rogue CNAME redirects like this one.

I’m sure others have implemented something similar out there (I will let someone who knows the pihole ad-blocking DNS server, not to mention NextDNS, better than me tell us how they do this), and I’m sure Firefox, if they do not do so already, will allow ad/privacy blockers to know the IP of a given name to allow blocking at the browser level.

A dead response notes that IPv6 makes blocklists intractable as IPs can be rotated at will until doomsday with few consequences.

The response in this case will all but certainly be an increasing tendency to apply IP-level whitelists, and deny or at least limit traffic until it's demonstrated trustworthiness.

Much as port-based firewalling progressively closed off virtually all service access other than HTTP/HTTPS, and a few other exceptions, bad actors will likely limit the effectively-reachable scope of IP address space itself.

> block “rogue” (read: tracking) IPs.

With IPv6 that's as impractical as blocking "rogue" FQDNs.

Why? Just block ranges.

Exactly. If I were to update this code, for IPv4 blocking, I would allow it to block /32 (single IP) and /24 networks. For IPv6 blocking, I would allow blocking a single IPv6 address, a /64 range, and (for extreme offenders) a /48 range.

One way to do this is to have multiple hash tables: One for single IPv4 addresses, one for IPv4 /24 ranges, one for single IPv6 addresses, one for /64 IPv6 ranges, and one for /48 IPv6 ranges. Note that while the hashes have (generally speaking) a “big O” of 1, we need to perform one additional operation per range size. IPv4 /32 and /24 blocking requires two lookups, and IPv6 /128, /64, and /48 blocking requires three lookups.
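The multi-table IP blocklist sketched in the two comments above, written out as an added example (it is not MaraDNS/Deadwood code, and the blocked ranges and answers are constructed). Lookups cost one hash probe per permitted range size: two for IPv4 (/32, /24) and three for IPv6 (/128, /64, /48), exactly as the comment counts them. The `filter_answer` helper shows the Deadwood-style behaviour of refusing the whole answer when any address in it is blocked; its name and shape are assumptions, not a real API.

```python
# Added example: resolver-side IP blocklist with one hash table per range size.
# Assumed: the permitted prefix lengths follow the comment above; ranges and
# answers below are constructed from RFC 5737/3849 documentation prefixes.
import ipaddress

# /32 and /24 for IPv4; /128, /64 and (for extreme offenders) /48 for IPv6.
ALLOWED_PREFIXES = {4: (32, 24), 6: (128, 64, 48)}


class IPBlocklist:
    def __init__(self):
        # {prefix_length: {network_address, ...}}: one table per size, so a lookup
        # is one hash probe per size rather than a scan of every entry.
        self.tables = {}

    def add(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen not in ALLOWED_PREFIXES[net.version]:
            raise ValueError(f"{cidr}: only /{'/'.join(map(str, ALLOWED_PREFIXES[net.version]))} supported")
        self.tables.setdefault(net.prefixlen, set()).add(net.network_address)

    def match(self, ip: str):
        """Return the blocking range as 'network/prefix', or None if ip is not listed."""
        addr = ipaddress.ip_address(ip)
        for plen in ALLOWED_PREFIXES[addr.version]:   # most specific size first
            table = self.tables.get(plen)
            if not table:
                continue
            net_addr = ipaddress.ip_network(f"{addr}/{plen}", strict=False).network_address
            if net_addr in table:
                return f"{net_addr}/{plen}"
        return None


def filter_answer(blocklist: IPBlocklist, qname: str, addresses) -> dict:
    """Deadwood-style policy: refuse to resolve a name whose answer contains a blocked IP.
    That catches a cloaked CNAME whatever the client domain in front of it is called."""
    for ip in addresses:
        hit = blocklist.match(ip)
        if hit:
            return {"qname": qname, "action": "REFUSED", "reason": f"{ip} in {hit}"}
    return {"qname": qname, "action": "ANSWER", "addresses": list(addresses)}


if __name__ == "__main__":
    bl = IPBlocklist()
    for cidr in ("198.51.100.0/24", "203.0.113.7/32", "2001:db8:1::/48", "2001:db8:2:3::/64"):
        bl.add(cidr)
    print(filter_answer(bl, "metrics.example.com", ["198.51.100.77"]))
    print(filter_answer(bl, "www.example.com", ["192.0.2.20"]))
    print(bl.match("2001:db8:1:ffff::1"), bl.match("2001:db8:2:4::9"))
```

Because the tracker's goal is to make a few hosts look like many client domains, the answer side of the lookup is the stable thing to key on; the price is that a shared CDN range will take down unrelated hosts on it, so start with /32 and /128 entries and widen only for repeat offenders.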

Online advertisements are constantly using the same exploits that malware does, and can be seen as part of the progression ladder when walking from being zero-day to universally patched.

A while back malware started to use a scheme similar to fast flux, but rather than changing the IP address they used a chain of CNAMEs to hide the malware network. In order to combat this, researchers developed detection tools to find algorithmically generated domain names and flag them as suspicious at the resolver layer. I would expect to see the same mitigation method travel into ad-blocking.

I can’t believe Ars Technica would do this. Do they not realize who their audience is?

That also means most of their audience blocks ads. What are they to do?

I think most people are OK with simple ads; however, you start to lose people when those ads track your movements like a creepy stalker, sell that data without your knowledge or consent, and tax your system with resource-hungry JS that adds precious seconds to your wait, only to be served with a zero day or other malware.

Sites and ad networks have been engaged in an abusive relationship with users for a long time now and it's wrong to expect them to not try to protect themselves. If you want users to stop blocking your ads then stop serving them ads worth blocking.

Slightly unrelated, but I don't see how people justify ad blocking on mobile YouTube; the ads there are all native (video ads) and take up at most 30 seconds. If you don't want to wait for the ads, don't watch YT and burn Google's bandwidth.

if their audience blocks ads this isn’t going to help, it’ll only make people mad. I know I’m upset.

Browse those sites with js blocked. If not js blocked, then third-party cookies blocked. If not that, then ublock to block all cookies and allow only specific cookies.

This is my recipe for browsing the web. Blocking specific cookies. Blocking all third-party cookies. Allowing specific third-party cookies. Still, in recent months, I have noticed some have started getting smarter. So I block JS there.

But every browser is different with ease of use. Love brave browser capabilities. Like Chrome ease. Hate Firefox features. So using extensions to fill in those gaps.

The answer I keep returning to: if shady ads is what keeps your business running, stop running your business. Switch off the lights and the servers and go home.

That’s too simplistic a take: they aren’t running shady ads and, unlike many sites, they allow you to subscribe and not see ads at all. Unfortunately, large chunks of the public — especially tech site visitors — have been conditioned to think of content as free, and the adtech bubble hasn’t popped yet so we can’t reverse that trend.

What people are willing to pay for content is I think almost zero.

If we get rid of these privacy-invading ads and micropayments/subscriptions don’t take off in a big way (I don’t think they will) then one of two things must happen:

1) advertising money remains even though ads are dumber (less narrowly targeted, more fraud etc)

2) there is a lot less money to go around so there must simply be less content.

I think the answer is somewhere in between. I don’t think it’s a pessimistic view that maybe 75% of sites not only risk disappearing but perhaps should. The abundance of “free” content is what makes people unwilling to pay for quality.

I definitely think you’re right on the conclusion: a lot of content sites are going to need to dramatically scale back their size or simply fold. It feels a lot like when VCs pile money into an area and it takes longer for viable business models to win out, only with a much longer run time since the advertising market is so much larger.

easy for you to say when you're not financially involved in said company.

Exactly yes. I don’t care if 80% of content online would disappear, or the thousands of jobs making that content, or the billions invested in it. It seems irrelevant in comparison.

Start providing content that users are willing to pay for?

The problem is that subscription models are flawed, at least for things like Ars Technica.

In most cases, people don't want to commit a portion of their monthly budget to a specific website for the rest of their life. I don't know how often I read Ars Technica, but it's probably a couple of articles a month. That is worth maybe $0.10 to me, so they can never collect that profitably. They use ads because then I "pay" whenever I visit, without having to approve any payment. More people visit, they automatically get more money.

I wish there were some sort of globally-accepted micropayment system. With the billions of cryptocurrencies floating around, it surprises me that nobody has attempted this yet. I buy $10 of cryptocurrency. It gets loaded into my web browser. The webserver says "hey, you have to pay for this". My browser asks me if I want to do that. If I pick yes, then the server sends me the rest of the HTML after it agrees that the money was in fact transferred.

(The closest thing I've seen to this are Twitch "bits". That is a micropayment platform that seems to be working pretty well, but it's used by the same people that want to pay their favorite content creators a stipend and so real-money recurring subscriptions are just as good. For that reason, I'm not sure we can infer much from that model, except that people will buy value in bulk and then dole it out to individuals at random intervals... which is pretty interesting if you think about it.)

I think what is stopping this from being a thing is not any technical issue, but rather just greed from the content creators. I am sure that anyone that sells a subscription service is making money from people that have forgotten to cancel or don't get the maximum value out of their subscription, and it's probably a lot of money. Nobody is going to give that up.

I also think advertisers pay too much for ads. I bet the "brand awareness" ads aren't worth nearly as much money as they pay. Meanwhile, publishers are making a lot of money off of selling impressions, and are probably hesitant to turn off free money from dumb people. Remember, serving an ad requires no input or investment from the end user; the website loads, they get money. If there were "brakes" applied every so often ("are you sure you want to pay the content creator using your real-world hard-earned cash?") revenue would go down.

So I think the problems here are:

1) Advertisers want to advertise. If you remove your publication from the list of places where they can get something advertised, they'll go elsewhere. The money won't be removed from the ecosystem, and your competition will be enriched. That's not strictly a PROBLEM, but your investors will not be making happy faces at you when you leave money on the table. Only some sort of law could change that, and there will never be any such law.

2) Publishers are making a lot of money on unused subscriptions, so they continue to push subscriptions over micropayments.

A lot of people are making content worth paying for. It's just that we can't afford it, but the advertisers can.

On top of using Firefox as my default browser everywhere because I want to see it have more than the 5% user share mentioned at the end of the article, I've additionally replaced Chrome itself with Brave when I need Chromium rendering. I have no idea if BAT coins will be a thing, but the idea is neat (and relevant to your comment) and the care towards privacy plus the ability to turn all the BAT stuff off is satisfactory.

More broadly, though, I agree with your comment and think there are additional unlisted problems.

I pay for Ars Technica because they offer an amazing cross-format (HTML, RSS, PDF, etc) clean browsing experience for paying customers plus sent a branded Yubikey plus had clear online cancel buttons instead of hoops like other publishers. In my personal utopia, every news site would be served in this cross-format ad-free fashion.

I honestly wish they'd send a new branded Yubikey every year so I'd always have an important branded physical reminder of their existence, as it's the best and most useful tchotchke I've received as a thank-you-for-subscribing gift (and probably likely so for others in the HN crowd).

Ars Technica is one of the few sites I regularly visit directly (just like I visit hckrnews.com too often and directly). Just like here on HN, I directly visit for the content curation and occasional comment (both of which are better than social media algorithms).

Which led me to the consideration of a third problem...

3) Users try before the buy. You can only begin the process of receiving money after they've read enough content.

I'm surprised I haven't seen more cryptocurrency-based $1/week type subscriptions to unlock the content/features/etc for a week at a time (or perhaps forever, if a user sent enough cryptocurrency).

Brave is doing that exact thing, or so I hear. I've even made $1 or something from them.

There is also Scroll, which disables ads on participating sites. They don't stop tracking, though, as far as I know. In fact, Scroll itself tracks everything you read while logged in since they use it to reimburse the content providers proportionally out of your subscription revenue.

Flattr has been around for years now.

In particular case of liberation.fr, anyone who has access to the value of ‘djazsession’ cookie can log in to the users’ account. This is one of the cookies being sent to Eulerian.

Here is a demo video:


I worked in ad space 7 years ago. Companies that provide content need to get paid for the content one way or another, either paying a fee or ads, nobody can argue with this.

There needs to be an organization that imposes ad guidelines (like only specific formats, not being intrusive, etc) for both websites and ad companies. They should verify the ads/websites based on user reports and if they find something, kick the company out.

All companies that follow those guidelines should be whitelisted by ad blockers, probably something implemented at browser level.

Otherwise it is just a useless chase.

https://eyeo.com, home to the world's most installed ad-blocker, AdBlock+, has an acceptable ads policy already in place; whilst Google is trying to tackle the data-collection problem via the controversial privacy-sandbox proposal [0]. Safari [1] and Firefox [2] seem to have the right idea about it all, whilst Brave is trying a radically new approach [3].

As for the online services needing ads to keep lights on:

1. The pervasive dragnet that the online ad-industry has birthed is a massive reason behind content-blocking.

2. Ads are frequently used to spread malware, scareware, spyware, ransomware and fake news, among other totally unreasonable things.

3. The end-users should be free to choose what they want to view and what they don't. The service providers are free to refuse service.

4. The tracking that goes on is so covert that it seems to me that it is borderline unethical [4].

5. The online ads business is a scam [5]?


[0] https://news.ycombinator.com/item?id=20767891

[1] https://news.ycombinator.com/item?id=20700914

[2] https://news.ycombinator.com/item?id=21497488

[3] https://news.ycombinator.com/item?id=21525592

[4] https://news.ycombinator.com/item?id=20336762

[5] https://news.ycombinator.com/item?id=13992576

> All companies that follow those guidelines...

If we want to push for guidelines on acceptable ads, how about starting with these?


(Yes, I have brought these up recently elsewhere.)

There are other alternatives. Alternative monetization schemes, such as those offered by Patreon or Twitch or Kickstarter can be found.

Also, ads can be placed the same way they were in newspapers: the ad company would submit ads to the content creator, who would manually choose which ads to include, and where.

It's not that easy as you may think. Also, small companies won't benefit from that, nobody will submit an ad to websites with lower traffic. Besides this, there's the issue with the tracking server and so on.

I didn't say it was easy. But perhaps it is important enough that it should even be regulated.


I suppose we are going back to the roots

White lists in hosts file with ips and good sites

You can also use uMatrix or NoScript to disable all JS/XHR (or even CSS and images) from third-party domains by default; and whitelist those you need.


How can I block cookies with uMatrix for sub domains like *.domain.com for any site?

PS: I assume that's just a temporary solution. Because the next step is just hosting some JS from "analytics" on the main domain and/or solutions like Cloudflare for e-commerce / Google News / etc.

And for filtering that bs we need deep filtering and api inside JS VM

You can't block an IP address with a hosts file; you can't even use wildcards in them. You will need a firewall rule.

>You will need a firewall rule.



The article explains that trackers traditionally loaded some external JS which then phoned home and tracked users via third-party cookies.

I would like to point out that it has never been the case for Google Analytics and possibly other trackers. The developers of a website are supposed to copy/paste the Google Analytics snippet directly into their own JS, such that GA has access to first-party cookies. And then GA phones home some tracking data leveraged by this first-party cookie.

Blocking third-party cookies never blocked this kind of tracking. You needed to block the domains that the script requested via AJAX. But it is indeed made difficult with CNAME Cloaking, because the domains requested are subdomains of the current domain, and can be changed regularly as explained by the article.

There is no end-game solution against tracking. It will all come down to tracking companies ordering websites to install some library directly in their back-end and pass it user data as well as behavioral data captured from some other library installed in the front-end. Tracking data will pass through applicative pipes and it will be impossible to block reliably.

How does the centralized ad server track the user as they move from site A to site B, since no cross-domain cookies can be used? Without resorting to fingerprinting which could be circumvented by the client. Absent behavioral profiles and persistent tracking, most ad formats are worth very little. Isn’t limiting all communication to the first party domain a form of sandboxing?

Javascript executed from a site's own scripts does not get more or fewer rights to access first-party cookies than Javascript executed from an externally loaded URL. Any Javascript executed on a page has the same access to all those.

> It also only takes 2 minutes to change dg3fkn.website.com to 3j4vdl.website.com (Hell, you can probably automate this). We mentioned above how much work it takes to gather all subdomains being used as a front for CNAME Cloaking. Now imagine they change every week, every day, or every hour. It’s just impossible to keep track.

That's fear mongering. The ad company can't pester their clients to make changes to the DNS on a regular basis. I'd say that anything beyond initial setup would be unacceptable to most clients. And clients won't give control of their DNS to the ad company, so automation is also not really possible.

Also, because this setup is substantially more friction than a simple 3rd party tracking "just copy-paste this code", I'd guess it will only be used by high profile clients.

This all means that while annoying, it shouldn't be too hard to find and add these subdomains to the ever-updating ad url blacklists.

>The ad company can't pester their clients to make changes to the DNS on a regular basis.

Many DNS providers have APIs.

>And clients won't give control of their DNS to ad company, so automation is also not really possible.

Sure they will. Or they'll use another party that does it. They already add JS from the ad provider that does god knows what to all their pages, and give full control over their content to Cloudflare. So why wouldn't they give an ad provider API access to their DNS?

Something is missing here: HTTPS links and SSL. Either website.com hands over its certificate to dnsdelegation.io (which is unlikely and definitely not a 2 min trust-less process) or dnsdelegation.io has the ability to generate any certificate like a certificate authority which is really terrible (and also unlikely).

A DV certificate (the cheapest, most common kind) requires only proof of control over the domain.

So dnsdelegation.io can just request a certificate for the domain you've delegated via CNAME from any CA.

With ACME enabled CAs like letsencrypt, having a domain pointing to an IP you control is all you need to obtain a valid certificate.

They are (ab)using let’s encrypt.

Pihole has an "audit" feature that can be used here: https://pi-hole.net/2017/12/06/pi-hole-v3-2-introduces-long-...

More info on NextDNS solution to this problem here: https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...

I don't get one thing. Isn't CNAME also bad for "them"? I mean with CNAME, they can serve ads, cookies ... from the site's subdomain, bypassing blockers. But how will they track users on different sites, like a user visiting website1 and then website2? Since their tracking cookies are now part of website1, they won't be sent to website2.

I mean, is there any replacement for them, not using cookies? Because cookies seem to be the only global storage for user identification data. Since the tracking script was hosted on their domains (and included into websites with a script tag), cookies were shared across all sites that included that tracking script. IMO when they switch to the CNAME trick, they will lose this capability.

With fingerprinting.

What's the difference between this and what Instart Logic has been doing for years now? https://github.com/gorhill/uBO-Extra#purpose

Wow it goes even further: https://github.com/gorhill/uBO-Extra/wiki/Sites-on-which-uBO...

> Instart Logic will detect when the developer console opens, and cleanup everything then to hide what it does. I had to trick IL's script into thinking the dev console was not open to take the pic above.

How does it do this?

Page resize events in one dimension by the size range commonly used by devtools, measure reduction in JS perf are two ways that come to mind

Shouldn't neglect to discuss the proposed Signed HTTP Exchanges by Google, which will make this kind of thing far worse. Not just for the tracking implications, but how easy it will become for some countries to outright fake the news.

So block content, as always? That's not possible for NextDNS, which I guess is their concern, but then DNS blocking was always going to be a very very blunt instrument.

"NextDNS is proud to announce that all your blocklists are now applied to each intermediate CNAMEs in addition to the queried domain name.": https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...

At home I'm using it in addition to ad blocking in the browser, for apps and other things that might slip through.

Currently it's just dnsmasq with a huge blacklist, and I guess it doesn't support checking the whole CNAME chain against that list, which would be really cool.

It doesn't need to have every cname in it. The cname resolves to the actual "bad" domain, which should be in your list already. That's why DNS blocking can still combat this method easily, while it's much harder at the browser level. uBlock Origin for Firefox beta has a "run all non-local domains back through and check for cname redirection" feature, which can also block the cname trick, but it will increase DNS latency because it has to check each external domain again for the "true" domain.

> [uBO] will increase DNS latency because it has to check each external domain again for the "true" domain.

The browser API used by uBO returns the last CNAME in the chain. I consider the DNS lookup itself to be a non-issue overhead-wise in uBO because:

- The browser would need to do it anyways

- DNS lookup results are cached at both the browser and uBO level

> It doesn't need to have every cname in it. The cname resolves to the actual "bad" domain, which should be in your list already.

That doesn't help if dnsmasq only checks the incoming request against the list, and not the whole cname chain of the result.
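The three checking strategies discussed in this sub-thread (the queried name only, the last canonical name only, or every name in the CNAME chain), worked as an added example against a constructed zone. This is not dnsmasq, Pi-hole, NextDNS or uBlock Origin code; the zone, the blocklist entry and the helper names are assumptions, and the names use the RFC 2606 reserved "example" namespace. The zone is built so the blocklisted name sits in the middle of the chain, which is where the three strategies differ.

```python
# Added example: walk a CNAME chain and apply a hosts-style blocklist to the queried
# name, the final canonical name, or every intermediate name.
# Assumed: ZONE stands in for live DNS and is constructed; the blocklist has one entry.

ZONE = {
    "www.example.com": ("A", "192.0.2.20"),
    # the cloaked tracker: a first-party-looking name, two CNAMEs deep, ending on
    # shared hosting whose final name is not on anyone's list
    "metrics.example.com": ("CNAME", "client1.cdn.tracker.example"),
    "client1.cdn.tracker.example": ("CNAME", "edge.shared-hosting.example"),
    "edge.shared-hosting.example": ("A", "198.51.100.9"),
    # a loop, to exercise the depth guard
    "a.loop.example": ("CNAME", "b.loop.example"),
    "b.loop.example": ("CNAME", "a.loop.example"),
}
BLOCKLIST = {"tracker.example"}   # typical list entry: the tracker's own domain
MAX_CHAIN = 8


def blocked_by(name: str, blocklist=BLOCKLIST):
    """Return the list entry covering name (exact match or any parent domain), else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname: str, zone=ZONE, check: str = "chain") -> dict:
    """check: 'query' (classic blocklist on the asked name), 'last' (final canonical
    name only, what a last-CNAME API gives you), or 'chain' (every name on the way)."""
    chain, name, address = [qname], qname, None
    for _ in range(MAX_CHAIN):
        rr = zone.get(name)
        if rr is None:
            return {"status": "NXDOMAIN", "chain": chain}
        rtype, rdata = rr
        if rtype == "A":
            address = rdata
            break
        name = rdata                            # follow the CNAME
        if name in chain:
            return {"status": "SERVFAIL", "reason": "CNAME loop", "chain": chain}
        chain.append(name)
    else:
        return {"status": "SERVFAIL", "reason": "chain too long", "chain": chain}

    to_check = {"query": chain[:1], "last": chain[-1:], "chain": chain}[check]
    for n in to_check:
        hit = blocked_by(n)
        if hit:
            return {"status": "BLOCKED", "matched": n, "entry": hit, "chain": chain}
    return {"status": "OK", "address": address, "chain": chain}


if __name__ == "__main__":
    for mode in ("query", "last", "chain"):
        print(f"{mode:6}", resolve("metrics.example.com", check=mode))
    print(resolve("www.example.com"))
    print(resolve("a.loop.example"))
```

With a blocklisted name at the end of the chain all three modes agree; the whole-chain mode is the only one that also catches the case shown here, where the tracker's own name is an intermediate hop and the final target is a shared host you cannot sensibly list.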

The NextDNS people are really smart; I just submitted a request for the ability to blacklist replies (for any hostname) that match a given IP/mask or originating AS number. This would solve the problem, especially if it is supported in blocking lists.

>Security implications of CNAME Cloaking

>While this is considered bad practice for a website to set cookies as accessible to all subdomains (i.e., *.website.com), many do this.

>In that case, those cookies are automatically sent to the cloaked third-party tracker.

So website.com decided to sell out and now the cookies you send to website.com that betrayed your trust are also sent to its chosen third-party tracker?

That is a distinction without difference. The security implication is storing any data with website.com!

Yes, but www.website.com cookies won't be sent. But you'll have to crack open devtools to figure out which one each website is doing.

Yes, the cookies of the website that installed a third-party tracker to spy on you will be sent to the website and the tracker. They could always do that.
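The cookie-scope point in the exchange above, as an added example (not code from the thread or the article): a small RFC 6265 domain matcher that shows which cookies a browser would attach to a request for a cloaked subdomain, depending on whether the site set them host-only or with a `Domain=website.com` attribute. The cookie names, the jar contents and the `eir63gd` subdomain label are constructed.

```python
"""Added example: which cookies reach a CNAME-cloaked subdomain.
Cookie jar contents and host names are constructed."""


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching: the host equals the cookie's
    domain, or ends with '.' followed by it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_to(request_host, jar):
    """Return the names of cookies the browser would attach to a request
    for request_host. jar entries are (name, domain, host_only): a cookie
    set without a Domain attribute is host-only and needs an exact match."""
    sent = []
    for name, domain, host_only in jar:
        if host_only:
            if request_host.lower().rstrip(".") == domain.lower().rstrip("."):
                sent.append(name)
        elif domain_matches(request_host, domain):
            sent.append(name)
    return sent


# Constructed jar: 'session' was set by www.website.com with no Domain
# attribute (host-only); 'wide' was set with Domain=website.com, which the
# article calls bad practice because every subdomain receives it.
JAR = [
    ("session", "www.website.com", True),
    ("wide", "website.com", False),
]


if __name__ == "__main__":
    for host in ("www.website.com", "eir63gd.website.com", "website.com"):
        print(host, "->", cookies_sent_to(host, JAR))
```

The cloaked subdomain receives only the domain-wide cookie; the host-only `session` cookie stays with `www.website.com`, which is the distinction the "www.website.com cookies won't be sent" reply is making, and is what you would be confirming in devtools.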

Please correct me if I am wrong, but would not such tracking be circumvented by enabling first-party isolation in the browser? As far as I know, Firefox has such a feature implemented: https://www.ghacks.net/2017/11/22/how-to-enable-first-party-...

I was also wondering about that. Sadly, it is still not enabled by default in the latest Firefox release (version 70).

Furthermore, would the Firefox Multi-Account Containers https://addons.mozilla.org/en-US/firefox/addon/multi-account... with a container per site prevent such tracking (has to be done manually ATM)?

I wonder if it would be possible to make a whitelist blocker instead of just blacklist? I mean, if a certain domain is in the whitelisted list, you show only responses from whitelisted subdomains. If not, you fall back to blacklist.

By possible I do not mean technically possible, but feasible in the resources required to maintain the list as well as a good enough user experience.

How does this work with SSL certification? The 3rd party server needs to be in possession of a certificate for eir63gd.mywebsite.com

Let’s Encrypt makes this trivial and automatic if foobar.example.com has been CNAMEd to the tracking provider.

I have done something similar as an experiment. I wanted mixpanel analytics on a site for element interaction. I proxied mixpanel through a URL endpoint (maybe it was a subdomain). I had it not load analytics if DNT was set. It was a fun hack but more work than it was worth for my low traffic site.

I don't get it, why can't ad-blockers query a DNSBL managed by them to know if that CNAME is authorized or not? Granted, it requires a few more network requests, but it completely breaks the CNAME cloaking method.

What if there were restrictions on these with regards to TTL? It would put the burden back on the trackers: they wouldn't be able to swap and change them as quickly and would very quickly run out of options.

Cute, but now they can’t use their cookies to track you around the web because on every site their page has a different domain name. So this is actually an improvement.

I don’t want to name any companies here, but CNAME cloaking is also commonly used in ad-tech for conversion tracking pixel urls.

At what point does adblocking need to start taking IP address reputation and/or originating AS number into account?

We can use that to add the domains to 'spam' lists as they host a lot of ads/spy subdomain.

I'm back on the Noscript train & just white-listing stuff on the sites I frequent

Ok, so how do we kill the ad industry? This is ridiculous.

At some point why shouldn't the (US) government step in?

Then we'll just get more pointless legislation that led to the cookie banner and ads/trackers will be trivially cloaked/proxied to the point where any publisher has full deniability.

We'll look back at the good old days when ads were mostly just banner ads.

Idea: Start paying for content and support the sites that offer this option. The entire concept of adblocking lives on borrowed time: hoping your content creators are making enough money off the suckers that don't use adblockers.

It's hard for me to envision legislation that wouldn't just be a clusterfuck as the government encroaches further onto our internet.

Abusing cname is an old trick.

You used to have domain.com and declare ns1.domain.com pointing to your host so it would show domain.com instead of host.com

There are many banks to choose from. Put your money elsewhere. Then explain to the bank why you did.

Every bank I've used has had a pretty absurd amount of trackers that I've blocked, often 5-10+ third party javascript domains. I don't know of any that don't have any, but I'm sure some small ones exist somewhere.

There doesn't appear to be a huge market for services that do little/no tracking, as users are all unaware of the tracking that services do to begin with, so they would not even notice the difference.

Contact the regulators, perhaps? To me, allowing untrustworthy third-party scripts on a bank website sounds like a huge security risk.

As a US citizen I don't see much that can be done. Although I don't trust the third-party scripts, the bank obviously does, given they're all large analytics platforms.

I'm sure it's buried in their volume-long bullshit ToS as "business partners"

Banks rely on a very small number of software vendors, so that the apparent abundance of bank options is all but eliminated at the middleware tier.

"What Is Your Bank’s Security Banking On?"

FIS, Fiserv or Jack Henry ... collectively control approximately 70 percent of the market for bank core processors (according to FedFIS.com, Fiserv is by far the largest).


Covered at HN:


At some point, having a cloud instance accessed by VPN and proxying all traffic through that could be good.

Until your proxy is hacked, I suppose.

Resistance is feudal.
