Today we are pleased to announce Total Cookie Protection, a major privacy advance in Firefox built into ETP Strict Mode. Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site.
I don’t think anybody will be against this.
Really in a lot of ways this is not far enough. Anyone who has run cookie filtering for a long time will tell you in the majority of cases there is no need for cookies other than for the primary site. In a lot of ways it should be opt in for third party cookies, not opt out.
So…forcing the privacy.firstparty.isolate preference in about:config on when ETP is enabled? I’ve been running with that for everything for a long time now? It generally works, but that and my browser.link.open_newwindow.restriction setting mean I have to spin up a different profile if I want to comment on a site using Disqus or pay on a site using PayPal’s new popup-based checkout flow.
…and why isn’t the site showing the Edit link? I noticed two typos immediately after posting that.
ssokolow,
I’ve blocked 3rd party cookies and scripts for a long time because I don’t want companies tracking my web usage across sites. Unfortunately though some websites rely on it. I’ve accepted that things like disqus are routinely broken, which I can live without. However some of the worst trackers (ie google captchas) are difficult to stop because of how many websites completely lock you out if you block google.
I just renewed my DMV registration documents, and the state government forces its users to unblock google or be denied service. Not only did I feel that it was invasive, but it gives google privileged access to run its own code in the context of the government webpages that contained lots of personal information. While I’m not asserting that google is secretly saving the personal details, the fact that the government technically gave them access to it is troubling enough. Secure websites should never run 3rd party scripts. It goes against best practices and violates the principle of least privilege.
I noticed this too, seems like a very recent update either broke or disabled the edit links.
It gets worse than that when you realize that a good majority of U.S. state governments actually use Google for email directly.
darknexus,
I’m usually careful to give companies like google the benefit of doubt (ie “I’m not asserting that google is secretly saving the personal details”), but it does make you wonder how many times these tech companies have actually exploited their privileged access for commercial gain?
Some activities will increase their odds of getting caught by security researchers, reducing the likelihood they would try. However as the world increasingly moves to “cloud this” and “SaaS that”, the chances of getting caught become slimmer and slimmer because so much of the data is already going through their infrastructure. In many cases they’ll have even greater access than the legitimate users of the data, they just have to take a peek.
Google exploiting this information for commercial gain would be unnecessary. I’m sure their fat contracts with the state governments will keep that at bay. Now, how much other information are they giving to those self-same governments? No accusations of course, but the authoritarian leanings out of many states and the feds at this point, coupled with Google just being Google, it certainly makes one careful.
I am confused now. I was under the impression that the Same-origin policy doesn’t allow sites to retrieve/see cookies of another site?
There are mechanisms where a site like Facebook can explicitly tell the browser “This cookie should be accessible to resources loaded from my domain by other sites, like Like buttons”.
That way, a resource loaded from Facebook on a non-Facebook top-level domain can still access identifying cookies Facebook has whitelisted for cross-site access.
Total cookie protection overrides that by giving each top-level domain its own isolated cookie store so it doesn’t matter what the site says because, when it comes to cookies, the browser will behave as if each top-level domain is running in its own separate Firefox profile.
Correction: Not top-level domain. What term am I blanking out on?
…whatever the browser makers call the domain that’s currently appearing in your address bar.
tpreissler,
It has to do with 3rd party resources that are linked into the page. These are typically javascripts that have full access to the DOM like ads, like buttons, but it can also be a single image that is loaded from a foreign server (sometimes called a “tracking pixel”).
When the browser submits an HTTP request to the 3rd party, the browser uses the cookies for the 3rd party site (ie google-analytics.com). This gives google & pals the ability to build a tracking database on all websites that use their scripts. Companies like google have lots of trackers in play and can cross correlate them and some years ago updated their privacy policy to indicate they are doing this. So if you have a website like osnews that embeds youtube clips, a site that embeds google maps, an ecommerce site that uses captcha, or random sites using google ads & analytics, the cookies can all be used to create a profile of you even if you never explicitly visit a google property.
Note that in all such cases, the same origin policy is being enforced in the HTTP headers. An embedded youtube video will not send your osnews cookies to google, but without additional mitigations it does allow google to place its own tracking cookies when the youtube assets are loaded inside the page.
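The difference between the shared third-party cookie jar described in the comments above and a jar keyed by the site in the address bar, as an added toy model (not code from the thread or from Firefox). The hosts are constructed sample values and the "site" key is simplified to a plain hostname string.

```javascript
// Toy cookie store. Assumption: a "site" is just a hostname string here.
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.jars = new Map(); // jar key -> Map(cookie name -> value)
  }
  // Unpartitioned: one jar per cookie host, shared across every embedding page.
  // Partitioned: one jar per (site in the address bar, cookie host) pair.
  jarFor(topLevelSite, cookieHost) {
    const key = this.partitioned ? `${topLevelSite}|${cookieHost}` : cookieHost;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }
}

// Hypothetical embedded third party: sets an ID cookie the first time it
// sees an empty jar, then records which page each ID was observed on.
class Tracker {
  constructor(host) {
    this.host = host;
    this.nextId = 0;
    this.seen = new Map(); // uid -> Set of top-level sites
  }
  handleRequest(store, topLevelSite) {
    const jar = store.jarFor(topLevelSite, this.host);
    if (!jar.has("uid")) jar.set("uid", `uid-${++this.nextId}`); // Set-Cookie
    const uid = jar.get("uid"); // Cookie header on this and later requests
    if (!this.seen.has(uid)) this.seen.set(uid, new Set());
    this.seen.get(uid).add(topLevelSite);
    return uid;
  }
}

// Visit each site in turn (all embed the tracker) and return the browsing
// profiles the tracker can assemble: one sorted site list per distinct ID.
function browse(partitioned, sites, trackerHost = "tracker.example") {
  const store = new CookieStore(partitioned);
  const tracker = new Tracker(trackerHost);
  for (const site of sites) tracker.handleRequest(store, site);
  return [...tracker.seen.values()].map((s) => [...s].sort());
}

// Constructed browsing session; the repeat visit reuses that site's own jar.
const visits = ["news.example", "shop.example", "dmv.example", "news.example"];
console.log("shared jar:     ", browse(false, visits));
console.log("partitioned jar:", browse(true, visits));
```

With the shared jar the tracker ends up with one ID covering all three sites; with the partitioned jar it holds three unrelated IDs, each tied to a single site.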
Thank you. Very well explained.
* Facebook and Google have entered the chat.
On a more serious note, I can’t see anyone except ad-based companies being against this. As for myself, I say it’s about time they get what’s coming to them.
Yes! At last.
This, in connection with the cache separation added in the last version, is probably the biggest browser improvement since the introduction of tabs. I may even put up with the mess Mozilla has made out of their Firefox for Android. The only question is, why now and not a decade ago?
It was possible to use multiple browsers, browser profiles, containers or a private mode to isolate websites but that was always cumbersome. Users had to be familiar with technology, care about privacy enough to put up with the inconvenience and it was still possible to accidentally leak information by e.g. reusing a container for different websites. Rejecting 3rd-party cookies was another solution that mostly worked. Until it didn’t, and the users were forced to accept a privacy leak (usually to one of the worst offenders) or not to use the website.
In contrast, this is an automatic mechanism that should just work for everyone and other than content providers potentially trying to block Firefox it should be 100% accurate.
The next step is to do something with fingerprinting. HTTP servers and JS have access to way too much information about the browser and its environment. Most of it should be blocked (set to a common value or randomized in every session) but it has to be done for a large population all at once, or it itself becomes a fingerprint.
ndrw,
I don’t know the inside story, but for better or worse Mozilla’s main source of revenue has been the very same entities that they’d be protecting us from. There could be some tension there.
Fingerprinting should not provide minute details. But at the same time there is legitimate value in knowing what technology your users are using in a broad sense, it can help make the case for where to allocate resources and can be helpful for tracking down issues.
I read about it a bit more and I am now a bit confused and disappointed. It looks like this mechanism is bundled with “strict tracking protection” – what’s the point of partitioning 3rd party cookies when in this mode they are disabled anyway?
I guess it is good to have a wholesale approach to privacy but I’m concerned this feature will require a certain level of technical knowledge to be used. Many users will encounter problems with e.g. their online banking payments and as a consequence they will switch the strict mode off or switch to another browser.