Firefox 85 has cracked down on so-called ‘supercookies’ by introducing cache partitioning that blocks cross-site tracking.
Like ordinary cookies, supercookies are small pieces of data stored on a computer by a web browser that can track a user’s internet footprint and remember information such as payment details or items in a shopping basket.
However, supercookies are much more difficult to delete and block.
“This makes it nearly impossible for users to protect their privacy as they browse the web,” says Mozilla in a blog post.
The latest update to the Mozilla browser will therefore now partition network connections and caches, isolating them to the website they were created on.
This will “greatly reduce the effectiveness” of cache-based supercookies by stopping a tracker from using them across websites, adds Mozilla.
Firefox 85 partitions all of the following caches by the top-level site being visited: HTTP cache, image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, font cache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLS certificate cache.
To further protect users from connection-based tracking, Firefox 85 also partitions pooled connections, prefetch connections, preconnect connections, speculative connections, and TLS session identifiers.
This applies to all third-party resources embedded on a website, regardless of whether Firefox considers that resource to have loaded from a tracking domain.
Unwelcome visitors
Mozilla cited an example of how the changes will work in practice, pointing to changes in Firefox’s image cache.
Previously, Firefox initially loaded website images from the network, but if the same image was used on subsequent websites visited, it loaded the image from the browser’s local image cache rather than reloading from the network.
Mozilla wrote: “Unfortunately, some trackers have found ways to abuse these shared resources to follow users around the web.
“To prevent this possibility, Firefox 85 uses a different image cache for every website a user visits. That means we still load cached images when a user revisits the same site, but we don’t share those caches across sites.”
While the move is a positive addition for privacy-conscious users, there are concerns that partitioning will affect the browser’s performance.
Mozilla claims that its metrics show a “very modest impact” on page load time – “between a 0.09% and 0.75% increase at the 80th percentile and below, and a maximum increase of 1.32% at the 85th percentile”.
The company says that the decrease in speed and bandwidth will be similar to that observed in Google Chrome 86 after it rolled out HTTP cache partitioning in October 2020.
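The image cache behaviour described above can be modelled in a few lines. This is an added example, not code from Mozilla or the original article: it replays one browsing session against a cache keyed by resource URL alone and against one keyed by top-level site plus resource URL, and reports where each load came from. The `example` hostnames and the `ResourceCache` and `replay` names are constructed for illustration, and the page origin stands in for the top-level site (real browsers use the scheme plus registrable domain).

```javascript
// Added illustration: a toy model of a browser resource cache, not Firefox code.
// Simplification (assumption): the "top-level site" is the page URL's origin;
// real browsers use the scheme plus registrable domain (eTLD+1).

class ResourceCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
    this.networkLoads = 0;
  }

  // Shared cache: the key is the resource URL alone.
  // Partitioned cache: the key also includes the top-level site being visited.
  key(topLevelUrl, resourceUrl) {
    if (!this.partitioned) return resourceUrl;
    return new URL(topLevelUrl).origin + " " + resourceUrl;
  }

  // Returns "cache" or "network" depending on where the resource came from.
  load(topLevelUrl, resourceUrl) {
    const k = this.key(topLevelUrl, resourceUrl);
    if (this.entries.has(k)) return "cache";
    this.entries.add(k);
    this.networkLoads += 1;
    return "network";
  }
}

// Constructed sample session: three sites embed the same third-party image,
// then the first site is revisited.
const IMAGE = "https://cdn.example/logo.png";
const VISITS = [
  "https://news.example/",
  "https://shop.example/cart",
  "https://blog.example/post",
  "https://news.example/sport",
];

function replay(partitioned) {
  const cache = new ResourceCache(partitioned);
  const sources = VISITS.map((page) => cache.load(page, IMAGE));
  return { sources, networkLoads: cache.networkLoads };
}

console.log("shared     ", replay(false));
console.log("partitioned", replay(true));
```

With the shared cache, the second and third sites can observe that the image was already cached elsewhere. With partitioning, only the revisit to the first site hits the cache, at the cost of two extra network loads.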
Gone in a Flash
Firefox 85 has also removed Flash, following in the footsteps of Chrome and Microsoft Edge.
The Adobe Flash Player plugin will no longer be available for Firefox users in accordance with the industry-wide plan to deprecate the software.
Mozilla previously disabled Flash by default in 2019, due mainly to the fact that Adobe itself announced it was ceasing distribution.
The move was also made in part due to the fact that Flash is notorious for being riddled with security bugs.
Source: https://portswigger.net/daily-swig/firefox-85-protects-against-supercookie-tracking-removes-adobe-flash-player