Online tracking is a whack-a-mole game between trackers who build and
monetize behavioral user profiles through intrusive data collection, and
anti-tracking mechanisms, deployed as a browser extension, built-in to the
browser, or as a DNS resolver. As a response to pervasive and opaque online
tracking, more and more users adopt anti-tracking tools to preserve their
privacy. Consequently, as the information that trackers can gather on users is
being curbed, some trackers are looking for ways to evade these tracking
countermeasures. In this paper we report on a large-scale longitudinal
evaluation of an anti-tracking evasion scheme that leverages CNAME records to
include tracker resources in a same-site context, effectively bypassing
anti-tracking measures that use fixed hostname-based block lists. Using
historical HTTP Archive data we find that this tracking scheme is rapidly
gaining traction, especially among high-traffic websites. Furthermore, we
report on several privacy and security issues inherent to the technical setup
of CNAME-based tracking that we detected through a combination of automated and
manual analyses. We find that some trackers are using the technique against the
Safari browser, which is known to include strict anti-tracking configurations.
Our findings show that websites using CNAME trackers must take extra
precautions to avoid leaking sensitive information to third parties.
Описание
The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion
%0 Generic
%1 dimova2021cname
%A Dimova, Yana
%A Acar, Gunes
%A Olejnik, Lukasz
%A Joosen, Wouter
%A Van Goethem, Tom
%D 2021
%K cname dns http security web
%T The CNAME of the Game: Large-scale Analysis of DNS-based Tracking
Evasion
%U http://arxiv.org/abs/2102.09301
%X Online tracking is a whack-a-mole game between trackers who build and
monetize behavioral user profiles through intrusive data collection, and
anti-tracking mechanisms, deployed as a browser extension, built-in to the
browser, or as a DNS resolver. As a response to pervasive and opaque online
tracking, more and more users adopt anti-tracking tools to preserve their
privacy. Consequently, as the information that trackers can gather on users is
being curbed, some trackers are looking for ways to evade these tracking
countermeasures. In this paper we report on a large-scale longitudinal
evaluation of an anti-tracking evasion scheme that leverages CNAME records to
include tracker resources in a same-site context, effectively bypassing
anti-tracking measures that use fixed hostname-based block lists. Using
historical HTTP Archive data we find that this tracking scheme is rapidly
gaining traction, especially among high-traffic websites. Furthermore, we
report on several privacy and security issues inherent to the technical setup
of CNAME-based tracking that we detected through a combination of automated and
manual analyses. We find that some trackers are using the technique against the
Safari browser, which is known to include strict anti-tracking configurations.
Our findings show that websites using CNAME trackers must take extra
precautions to avoid leaking sensitive information to third parties.
@misc{dimova2021cname,
abstract = {Online tracking is a whack-a-mole game between trackers who build and
monetize behavioral user profiles through intrusive data collection, and
anti-tracking mechanisms, deployed as a browser extension, built-in to the
browser, or as a DNS resolver. As a response to pervasive and opaque online
tracking, more and more users adopt anti-tracking tools to preserve their
privacy. Consequently, as the information that trackers can gather on users is
being curbed, some trackers are looking for ways to evade these tracking
countermeasures. In this paper we report on a large-scale longitudinal
evaluation of an anti-tracking evasion scheme that leverages CNAME records to
include tracker resources in a same-site context, effectively bypassing
anti-tracking measures that use fixed hostname-based block lists. Using
historical HTTP Archive data we find that this tracking scheme is rapidly
gaining traction, especially among high-traffic websites. Furthermore, we
report on several privacy and security issues inherent to the technical setup
of CNAME-based tracking that we detected through a combination of automated and
manual analyses. We find that some trackers are using the technique against the
Safari browser, which is known to include strict anti-tracking configurations.
Our findings show that websites using CNAME trackers must take extra
precautions to avoid leaking sensitive information to third parties.},
added-at = {2021-03-16T14:40:24.000+0100},
author = {Dimova, Yana and Acar, Gunes and Olejnik, Lukasz and Joosen, Wouter and Van Goethem, Tom},
biburl = {https://www.bibsonomy.org/bibtex/286756766c202098d35ed41aecb112647/mstarzinger},
description = {The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion},
interhash = {90b49e7f66ffa4ed922c9dc3628e4efc},
intrahash = {86756766c202098d35ed41aecb112647},
keywords = {cname dns http security web},
note = {cite arxiv:2102.09301Comment: To be published in PETS 2021. 21 pages, 7 figures},
timestamp = {2021-03-16T14:40:24.000+0100},
title = {The CNAME of the Game: Large-scale Analysis of DNS-based Tracking
Evasion},
url = {http://arxiv.org/abs/2102.09301},
year = 2021
}