Consider, for example, that many pages use remotely loaded resources.
I would think things like Facebook/Twitter like buttons or Google Fonts might make it possible to assemble this history.
Sites like FB are said to maintain "Shadow Profiles" of people, even when those people aren't using their service directly.
I suppose in theory any sufficiently shared infrastructure, such as AWS/Cloudflare, could do so as well, but they are disincentivized to do so.
Would using Firefox's 'Containers' help prevent this? As far as I understand they quarantine the Facebook pages so they can't get data from other websites you visit.
I think only indirectly, but if they control the endpoint they can ping you back, subtract the RTT from the initial request's response time, and the difference can then tell them whether the initial request was cached in DNS or not.
Just so I understand correctly, does that mean you then need to control the endpoint of every site you want to use as part of fingerprinting?
If so, wouldn’t that drastically reduce the effectiveness of using DNS resolve times as a workaround for Firefox containers?
Not trying to be argumentative here, just trying to understand how effective the sandboxing is, or whether I need to design more layers of indirection. :)
Have there been any indications that AWS broadly captures connection data between AWS tenants and their respective users for illegitimate purposes?
Some AWS services (such as TLS-terminating load balancers) do have access to sensitive cross-site information that could be fed into the adtech panopticon but I wonder if it would be cost-effective for AWS to gather.
I doubt it would be cost effective for AWS to do broad captures for all of its services, however. There's probably not much value in slurping up the IP and SNI data for all HTTPS requests to every EC2 instance, for instance.
Malicious extensions are a likely culprit. This is the ultimate irony of the whole WebExtensions debacle; browser vendors wanted to stop the extensions from interacting with the browser because maintaining that interface is work, so now the most trivial extensions will request full access to all websites so they can inject scripts. To bring back "backspace navigates back" I have an extension that needs just that.
Needing JavaScript that embeds in every page for basic mouse and keyboard behaviour is insane. No clue why they decided it should be the only viable option.
Fine, XUL had to go. But where is the replacement? How many more years should we expect Mozilla to need to implement configurable bindings? It doesn't even need to be extension-accessible, just give users a tab in the preferences menu like damn near any other application has been doing since the dawn of GUIs.
I am very much used to alt+left arrow to navigate back, in the unlikely case you were not aware of this shortcut and if you would like to drop this extension for whatever reason.
Hmm, this is a bit of an interesting question. The original study (2012) exploited a security bug, which let anyone see which sites you had visited. (Basically, by checking the color of links with JS to see if :visited styling had been applied.) That bug doesn't exist anymore, and the new survey just uses opt-in data to "confirm" it.
So, I don't actually think this research is particularly relevant anymore? It can't really be exploited (and when it can, there are much better ways to track the person).
Anyone with a widely distributed analytics package or tracking beacon can track your hits on pages with that beacon. How many pages DON'T use Google Analytics or a Facebook 'like' button?
Does Mozilla Pocket get browsing history if it isn't disabled? Last I heard it's not using E2E encryption and Mozilla still hasn't open sourced the server side of it.
My understanding of Pocket recommendations is that it gets a list of articles from a server every day and uses a local algorithm to match them to your browsing history so your history never leaves the device. Idk if any metadata about which decisions it made is leaked though.
I'm under the impression that syncing browsing history between instances of Firefox is a feature Mozilla provides through Pocket, but admittedly I don't have first-hand knowledge of this.
I think syncing is done with a Firefox account (Firefox Sync) and I can't find implementation details, but I did find:
"Firefox Accounts uses your password to encrypt your data (such as bookmarks and passwords) for extra security. When you forget your password and have to reset it, this data could be erased. To prevent this from happening, generate your recovery key before having to reset your password."[1]
So it appears they may be encrypting data locally and syncing encrypted data without having keys.
I think you are right though, there are more website saving features available through Pocket other than recommendations and I'm not sure how any of that works.