Browser Tracking Protections - SuperWeek 2020
•
34 likes•4,596 views
My presentation titled "Browsers eat data quality for breakfast" from SuperWeek 2020. The presentation introduces the "tracking protection / prevention / blocking" mechanisms implemented in the major browsers. The information comes from the www.cookiestatus.com service.
More Related Content
What's hot
What's hot (20)
Similar to Browser Tracking Protections - SuperWeek 2020
Similar to Browser Tracking Protections - SuperWeek 2020 (20)
More from Simo Ahava
More from Simo Ahava (20)
Recently uploaded
Recently uploaded (20)
Browser Tracking Protections - SuperWeek 2020
- 1. Browsers Eat Data Quality For BREAKFAST @SimoAhava from @8_bit_sheep at #SPWK
- 5. Quick quiz
- 6. https://blog.superweek.hu/welcome.html SOURCE TARGET https://shop.superweek.hu/image.jpg HTTP request includes cookies written on which domain: SOURCE or TARGET? HTTP GET
- 7. https://blog.superweek.hu/welcome.html SOURCE TARGET https://shop.superweek.hu/image.jpg Is this an example of 3RD PARTY REQUEST or 1ST PARTY REQUEST? HTTP GET
- 9. Graphic adapted from https://web.dev/samesite-cookies-explained/ https://www.simoahava.com/
- 10. Graphic adapted from https://web.dev/samesite-cookies-explained/ Same-site === First-party context https://www.simoahava.com/
- 11. Graphic adapted from https://web.dev/samesite-cookies-explained/ https://image.cdn.com/image.gif https://www.simoahava.com/
- 12. Graphic adapted from https://web.dev/samesite-cookies-explained/ Cross-site === Third-party context https://image.cdn.com/image.gif https://www.simoahava.com/
- 13. Graphic adapted from https://web.dev/samesite-cookies-explained/ https://page.somedomain.com/ https://page.otherdomain.com/ https://page.thirddomain.com/ https://image.cdn.com/image.gif All pages include a request to the third-party resource, thus including all cookies written on the third-party domain, enabling cross-site tracking.
- 15. Leverage other script-writable storage.
- 16. Decorate outbound links with identifiers.
- 17. Decorate referring URL with identifiers.
- 18. Stateless tracking with fingerprints.
- 19. Third-party-to-first-party collusion, e.g. with CNAME.
- 20. Browsers take the initiative
- 30. ETP introduced -3P tracking cookies blocked ifactivated 10/2018 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 31. ETP introduced -3P tracking cookies blocked ifactivated ETP m odes introduced -Standard is the default 10/2018 1/2019 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 32. ETP introduced -3P tracking cookies blocked ifactivated ETP m odes introduced -Standard is the default ETP released -Standard seton fornew installs 10/2018 1/2019 6/2019 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 33. ETP introduced -3P tracking cookies blocked ifactivated ETP m odes introduced -Standard is the default ETP released -Standard seton fornew installs 10/2018 1/2019 6/2019 ETP setto Standard forallusers 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 34. 10/2018 1/2019 6/2019 Brave Shields released 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 35. 10/2018 1/2019 6/2019 Brave Shields released Restrictions to fingerprinting 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 36. 10/2018 1/2019 6/2019 Brave Shields released Restrictions to fingerprinting Im proved ad blockeralgorithm 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 37. 10/2018 1/2019 6/2019 Brave Shields released Restrictions to fingerprinting Rem ove know n tracking param eters from U RLs Im proved ad blockeralgorithm 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 38. 10/2018 1/2019 6/2019 Tracking prevention (Edge beta)blocks cookies from know n trackers 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 39. 10/2018 1/2019 6/2019 Tracking prevention (Edge beta)blocks cookies from know n trackers (Edge beta)adds additionalm itigations 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 40. 10/2018 1/2019 6/2019 Tracking prevention (Edge beta)blocks cookies from know n trackers (Edge beta)adds additionalm itigations 1/2020 N ew Edge released 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 41. 10/2018 1/2019 6/2019 1/2020 Cliqz introduces its ow n ad blocking tech 11/2019 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 42. 11/201910/2018 1/2019 6/2019 1/2020 Sam eSite enforcem ent* * not a tracking protection mechanism 2/20209/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 43. 11/201910/2018 1/2019 6/2019 1/2020 2/2020 Sam eSite enforcem ent 2022 N o m ore 3P cks 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 44. 11/201910/2018 1/2019 6/2019 1/2020 2/2020 2022 GDPR enforceable Collection #1 breach 773M unique emails verifications.io breach 763M unique emails People Data Labs breach 622M unique emails Zynga breach 172M unique emails Onliner Spambot breach 711M emails Exploit.ln breach 593M emails Finland wins hockey world championship 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 45. GDPR enforceable Collection #1 breach 773M unique emails verifications.io breach 763M unique emails People Data Labs breach 622M unique emails Zynga breach 172M unique emails Onliner Spambot breach 711M emails Exploit.ln breach 593M emails Finland wins hockey world championship 11/201910/2018 1/2019 6/2019 1/2020 2/2020 2022 Increasing amount of supply chain attacks (e.g. Magecart) and script hijacking 9/20192003 9/2017 3/2018 9/20182013 3/2019 4/2019 12/2019
- 46. Impact
- 47. Build graphs and comprehensive audience profiles
- 48. Build graphs and comprehensive audience profiles Target ads
- 49. Target ads Manage ad frequency Build graphs and comprehensive audience profiles
- 50. View-through attribution Manage ad frequency Build graphs and comprehensive audience profiles Target ads
- 51. Manage ad frequency Build graphs and comprehensive audience profiles Cookie matching/syncing View-through attribution Target ads
- 52. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads
- 53. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations
- 54. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows
- 55. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services
- 56. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts
- 57. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection
- 58. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management
- 59. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state
- 60. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
- 61. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
- 62. Manage ad frequency Build graphs and comprehensive audience profiles Cross-site tracking Cookie matching/syncing View-through attribution Target ads Analytics integrations SSO / login flows State in embedded services Multi-purpose scripts 1st party data collection Tag management Client-side state Data quality
- 63. Classification of "known trackers" Algorithmic, on-device Heuristic, global
- 65. Block Restrict Brave 3rd party context Strips all cookies from 3P requests. Blocks all requests to domains in filter lists. Strips cross-site referrers in navigational requests. Spoofs cross-site referrers in subresource HTTP requests. Strips fbclid, gclid, msclkid, mc_eid parameters from request URLs.
- 66. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz
- 67. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers Chrome - - Blocks cookies in 3P context if target domain is classified (on-device and/or globally), with mitigations (widget inter- actions, redirects, oAuth flows). Other cookies set to 1h expiration if no interaction with site in 1P context. Strips potential user identifiers from request URLs, unless in global safe set. Downgrades referrer to origin in cross-origin requests. Cliqz
- 68. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, referrers, request URLs Edge
- 69. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers Chrome - - Cliqz Cookies Cookies, request URLs Edge Blocks cookies in 3P requests if target domain in Trust Protection Lists, with mitigations for engagement and same-org. Blocks all script-writable storage with same conditions as above. Blocks requests to Fingerprinting and Cryptomining domains.
- 70. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Firefox Cookies, storage, requests - Cookies, referrers, request URLs
- 71. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Blocks cookies in 3P requests if target domain classified in Disconnect.me. Blocks requests to Cryptomining category. Blocks requests if domain in Fingerprinting and Tracking category. Blocks localStorage and IndexedDB for classified domains.
- 72. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies, referrers, request URLs
- 73. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Blocks cookies if no prior cookies set. Blocks cookies if no interaction with site in 1P. Blocks cookies if classified by ITP (except with Storage Access API). Blocks IndexedDB. Partitioned and ephemeral localStorage. Downgrade referrer to origin on subresource HTTP requests. Downgrade referrer to eTLD+1 if referring page classified with URL decoration.
- 74. Block Restrict Brave 3rd party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies, storage Referrers, storage Cookies, referrers, request URLs
- 76. Block Restrict Brave 1st party context Cookies set with JavaScript expire in 7 days. Cookies set with HTTP headers expire in 6 months.
- 77. Block Restrict Brave 1st party context - Cookies Chrome - - Cliqz
- 78. Block Restrict Brave 1st party context Cookies, requests, referrers Referrers Chrome - - Non-HttpOnly cookies expire in 7 days. HttpOnly cookies expire in 30 days. Cookies set on classified domains that are visited infrequently expire in 7 days. Cookies set on classified domains that are visited frequently expire in 30 days. Cliqz
- 79. Block Restrict Brave 1st party context - Cookies Chrome - - Cliqz - Cookies Edge - - Firefox - - Safari
- 80. Block Restrict Brave 1st party context Cookies, requests, referrers Referrers, request URLs Chrome - - Cliqz Cookies Cookies, request URLs Edge Cookies, storage, requests - Firefox Cookies, storage, requests - Safari Cookies set with JavaScript expire in 7 days. Cookies set with JavaScript when referring domain is classified and URL has link decoration expire in 24 hours. Other browser storage is expired in 7 days since last interaction if referring domain is classified and URL has link decoration.
- 81. Block Restrict Brave 1st party context - Cookies Chrome - - Cliqz - Cookies Edge - - Firefox - - Safari - Cookies, storage
- 82. Bubbling under
- 83. Brave Chrome Cliqz Edge Firefox Safari Cookies set to SameSite=Lax by default. Reject SameSite=None cookies that are not secure. Chrome 80, Feb 4!
- 84. Brave Chrome Cliqz Edge Firefox Safari Default referrer policy strict-origin-when-cross-origin. Chrome 80, Feb 4! ! !!
- 85. Cap lifetime of all script-writable storage. Brave Chrome Cliqz Edge Firefox Safari Technology Preview 99
- 86. Brave Chrome Cliqz Edge Firefox Safari Technology Preview 99 Block all cookies in 3P context - access only through Storage Access API. !
- 87. Brave Chrome Cliqz Edge Firefox Safari Technology Preview 99 The isLoggedIn API (experimental).
- 88. Brave Chrome Cliqz Edge Firefox Safari Private Click Measurement / Ad Click Attribution.
- 89. DO’s and DON’Ts
- 90. DO -Periodically audit the use of client-side state in your sites, services, and applications. Avoid over-reliance; use HttpOnly where possible, then HTTP headers, then JS. -Figure out how to incentivize logging in. -Set cookies you need in third-party context to SameSite=None;Secure, with fallbacks for unsupported browsers. - Utilize Storage Access API for access to third-party storage. -Consider the browser as a manifestation of the user’s desire and intent with regard to tracking. Err on the side of as much privacy as possible. -No evil.
- 91. DO NOT -Look at "server-side analytics" as a silver bullet. -Ignore small market share web browsers. -Expect tracking prevention development to settle / slow down. -Spread FUD about the impact of these measures without empirical data to back it up with. -Expect that browsers will handle the ethical / legal side of data collection for you. -Think that browsers have got tracking prevention "right"