Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Firefox Cracks Down on Supercookies to Improve User Privacy

Mozilla this week announced further improvements to user privacy in Firefox, through the isolation of network connections and caches, thus essentially cracking down on supercookies.

Mozilla this week announced further improvements to user privacy in Firefox, through the isolation of network connections and caches, thus essentially cracking down on supercookies.

Used instead of ordinary cookies, supercookies collect information about users’ Internet browsing habits, are difficult to detect and block, and are often abused to follow users around the web. Trackers may store supercookies in Flash storage, ETags, and HSTS flags, to make them difficult to remove.

For years, browser makers have been looking for ways to improve user privacy, and Mozilla now says it has found a solution to ensure that users won’t be easily tracked cross-site: isolation.

Specifically, Firefox 85 is arriving with an updated network architecture, where network connections and caches are isolated to the website being visited.

“Trackers can abuse caches to create supercookies and can use connection identifiers to track users. But by isolating caches and network connections to the website they were created on, we make them useless for cross-site tracking,” Mozilla says.

[ RELATED: Google Details Chrome Cookie Replacement Plan ]

Firefox 85, Mozilla argues, should make cache-based supercookies largely useless, as it aims to prevent trackers from using these supercookies across websites.

Firefox relies on cache to reduce overhead, sharing some internal resources between websites, such as images, and reusing a single network connection for the loading of resources that come from the same party, even if they are embedded on multiple websites.

Advertisement. Scroll to continue reading.

Trackers abuse these shared resources to create supercookies, through identifiers encoded in cached images, which are then retrieved on all websites on which the same images are embedded.

“To prevent this possibility, Firefox 85 uses a different image cache for every website a user visits. That means we still load cached images when a user revisits the same site, but we don’t share those caches across sites,” Mozilla says.

[ PREVIOUSLY: Mozilla Boosts Security in Firefox With HTTPS-Only ]

To prevent trackers from abusing caches to create supercookies, Firefox 85 isolates a range of caches by the top-level site: Alt-Svc cache, DNS cache, font cache, favicon cache, HSTS cache, HTTP Authentication cache, HTTP cache, image cache, OCSP cache, style sheet cache, and TLS certificate cache.

Furthermore, the browser aims to prevent connection-based tracking through partitioning preconnect, prefetch, pooled, and speculative connections, along with TLS session identifiers.

“This partitioning applies to all third-party resources embedded on a website, regardless of whether Firefox considers that resource to have loaded from a tracking domain,” Mozilla explains, adding that the changes will have a very low impact on page load time.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...