{"id":27349,"date":"2019-11-25T12:59:55","date_gmt":"2019-11-25T17:59:55","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=27349"},"modified":"2019-11-26T13:33:44","modified_gmt":"2019-11-26T18:33:44","slug":"cname-cloaking","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/11\/25\/cname-cloaking\/","title":{"rendered":"CNAME Cloaking"},"content":{"rendered":"<p><a href=\"https:\/\/medium.com\/nextdns\/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a\">Romain Cointepas<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=21604825\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/medium.com\/nextdns\/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a\">\n<p>A suitable name for this method would be CNAME Cloaking, and it is used to disguise a third-party tracker as a first-party tracker. In this case, they are also purposely obfuscating this behind a random subdomain, with a CNAME to a generic and unbranded domain.<\/p>\n<p>With CNAME Cloaking, many problems arise that make it realistically impossible to block this:<\/p>\n<ol>\n<li>Browser extensions are not allowed access to the DNS layer of the request &mdash; i.e., they can&rsquo;t see the CNAMEs.<\/li>\n<li>When each website loads third party trackers by calling something like a3ksbl.website.com, privacy-protection tools now have to figure out which subdomain is a front for CNAME Cloaking, for tens of thousands of websites. [&#8230;]<\/li>\n<li>With each website now having its own subdomain cloaking the third-party tracker, those tools need to include as many rules as there are websites using this CNAME Cloaking method. 
Blocking a third-party tracker went from one rule to thousands.\n<\/li>\n<\/ol>\n<\/blockquote>\n<p>And <a href=\"https:\/\/mjtsai.com\/blog\/2019\/09\/26\/safari-13-and-extensions\/\">newer browsers<\/a> have relatively low limits for the number of allowed rules.<\/p>\n\n<p>See also: <a href=\"https:\/\/twitter.com\/WolfieChristl\/status\/1198702205148258306\">Wolfie Christl<\/a>.<\/p>\n\n<p id=\"cname-cloaking-update-2019-11-26\">Update (2019-11-26): <a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1199031632562458624\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1199031632562458624\">\n<p>The endgame has to be disabling JavaScript.<\/p>\n<p>As long as sites can execute arbitrary code in your browser, you&rsquo;re doomed. Web programmers will continue to find more clever and evil hacks.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/howardnoakley\/status\/1199037479950725120\">Howard Oakley<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/howardnoakley\/status\/1199037479950725120\">\n<p>I continue to be frustrated that, while most other things in Safari can be controlled by site, JavaScript is just a single control - on or off for everything.<\/p>\n<p>Would it be too much to have finer control?<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Romain Cointepas (Hacker News): A suitable name for this method would be CNAME Cloaking, and it is used to disguise a third-party tracker as a first-party tracker. In this case, they are also purposely obfuscating this behind a random subdomain, with a CNAME to a generic and unbranded domain. 
With CNAME Cloaking, many problems arise that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-11-25T17:59:58Z","apple_news_api_id":"0ebf26f2-1382-47a3-8663-73b79dd07a51","apple_news_api_modified_at":"2019-11-26T18:33:49Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/ADr8m8hOCR6OGY3O3ndB6UQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[447,354,728,346,355,103,96],"class_list":["post-27349","post","type-post","status-publish","format-standard","hentry","category-technology","tag-adobe","tag-advertising","tag-domain-name-system-dns","tag-javascript","tag-privacy","tag-safari","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=27349"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27349\/revisions"}],"predecessor-version":[{"id":27372,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27349\/revisions\/27372"}],"wp:attachment":[{"href":"https:\/\/mjts
ai.com\/blog\/wp-json\/wp\/v2\/media?parent=27349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=27349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=27349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}