Firefox Cracks Down on Supercookies to Improve User Privacy
Mozilla this week announced further improvements to user privacy in Firefox, through the isolation of network connections and caches, thus essentially cracking down on supercookies.
Used instead of ordinary cookies, supercookies collect information about users’ Internet browsing habits, are difficult to detect and block, and are often abused to follow users around the web. Trackers may store supercookies in Flash storage, ETags, and HSTS flags, to make them difficult to remove.
For years, browser makers have been looking for ways to improve user privacy, and Mozilla now says it has found a solution to ensure that users won’t be easily tracked cross-site: isolation.
Specifically, Firefox 85 is arriving with an updated network architecture, where network connections and caches are isolated to the website being visited.
“Trackers can abuse caches to create supercookies and can use connection identifiers to track users. But by isolating caches and network connections to the website they were created on, we make them useless for cross-site tracking,” Mozilla says.
Firefox 85, Mozilla argues, should make cache-based supercookies largely useless, as it aims to prevent trackers from using these supercookies across websites.
Firefox relies on caches to reduce overhead: it shares some internal resources, such as images, between websites, and reuses a single network connection to load resources that come from the same party, even if they are embedded on multiple websites.
Trackers abuse these shared resources to create supercookies, through identifiers encoded in cached images, which are then retrieved on all websites on which the same images are embedded.
“To prevent this possibility, Firefox 85 uses a different image cache for every website a user visits. That means we still load cached images when a user revisits the same site, but we don’t share those caches across sites,” Mozilla says.
To prevent trackers from abusing caches to create supercookies, Firefox 85 isolates a range of caches by the top-level site: Alt-Svc cache, DNS cache, font cache, favicon cache, HSTS cache, HTTP Authentication cache, HTTP cache, image cache, OCSP cache, style sheet cache, and TLS certificate cache.
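The effect of keying the image cache by top-level site, shown as an added JavaScript simulation (not Firefox code and not from Mozilla). The `ImageCache` class, the `trackerServer` function and the `.example` hosts are constructed for illustration, and the site names are plain strings standing in for the top-level site.

```javascript
// Constructed simulation of a browser image cache; not Firefox code.
// The third-party server returns unique bytes on every fetch, so whatever
// gets cached carries an identifier (the cached-image case described above).
let nextId = 1;
function trackerServer(url) {
  return { url, body: `pixel-with-id-${nextId++}` };
}

class ImageCache {
  // partitioned=false: entries are keyed by resource URL only (shared cache).
  // partitioned=true: entries are keyed by (top-level site, resource URL).
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }
  load(topLevelSite, url) {
    const k = this.key(topLevelSite, url);
    if (!this.entries.has(k)) this.entries.set(k, trackerServer(url)); // miss: fetch
    return this.entries.get(k).body; // hit: same bytes as the first fetch
  }
}

// Visit sites that all embed the same third-party image and record the
// identifier that the embedded resource exposes on each visit.
function browse(cache, sites, imageUrl) {
  return sites.map((site) => ({ site, seen: cache.load(site, imageUrl) }));
}

// Number of different identifiers observed across a browsing session.
function distinctIds(visits) {
  return new Set(visits.map((v) => v.seen)).size;
}

const IMAGE = "https://tracker.example/pixel.png"; // constructed URL
const SITES = ["news.example", "shop.example", "news.example"]; // constructed

const shared = browse(new ImageCache(false), SITES, IMAGE);
const isolated = browse(new ImageCache(true), SITES, IMAGE);
console.log("shared cache:", distinctIds(shared), "identifier(s)", shared);
console.log("partitioned cache:", distinctIds(isolated), "identifier(s)", isolated);
```

With the shared cache, one identifier follows the user across both sites; with the partitioned cache, each top-level site gets its own entry, while a revisit to the same site still hits the cache.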
Furthermore, the browser aims to prevent connection-based tracking by partitioning preconnect, prefetch, pooled, and speculative connections, along with TLS session identifiers.
“This partitioning applies to all third-party resources embedded on a website, regardless of whether Firefox considers that resource to have loaded from a tracking domain,” Mozilla explains, adding that the changes will have a very low impact on page load time.