Mozilla just released a new version of their Firefox web browser. The key new feature is something they’re calling Total Cookie Protection. This feature was accessible in earlier versions of Firefox, but now it’s supposedly on for everyone by default. But is it? The very fact that I have to ask the question should raise your eyebrows. But I’ll come back to that.
[Update! Turns out, the test Steve Gibson was using wasn’t actually testing for what TCP was trying to do. You can see his updated take here.]
Now It’s a Party
Cookies are just little chunks of data. Websites you visit drop these little bits of data when you visit their website when they want to note something about your visit. This could be to remember that you’ve already logged in. It could be to remember the contents of your shopping cart. Maybe they just want to remember when you were there last. These are first party cookies: data related to the actual website you intended to visit. This was the original purposes of cookies. First party cookies are almost always used for your benefit and are generally harmless.
But websites today are patchwork quilts of content including extras such as images, “Like” buttons, and (yes) ads. These extras come from websites that you didn’t actually directly visit. (If you want to see this in action, open the browser developer tools and watch the Network tab when you load a web page.) And it’s these third party sites dropping cookies that are the problem. These are the digital breadcrumbs that ad companies use to track you as you surf the web. In almost no case do you need these. Therefore you should almost always block them.
What is Total Cookie Protection
But Mozilla came up with a more interesting solution for preventing tracking by third party cookies. Instead of allowing all cookies to go into a single “cookie jar”, they created a separate jar for each site you visit.
Let’s take an example using Google as the third party tracking site. If you go to SiteA.com and Google supplies some part of that page, Google will drop a cookie onto your computer. Now you go to SiteB.com, where Google also provides third party content, and Google can then request all of its cookies. Even though you’re no longer on SiteA, the cookie Google dropped was from google.com, so it has access to all Google cookies as long as the site you’re visiting has some portion of its content provided by google.com. So now Google knows you’ve been to both SiteA and SiteB. That’s tracking.
However, by “sandboxing” cookies, Google can drop a cookie on SiteA, but when you go to SiteB and Google requests all of it’s cookies, it can’t put its hand in SiteA’s cookie jar. It would appear to the little bit of Google code running on SiteB that you’ve never been to any other sites where Google has third party content. No cookies were blocked here at all. All cookies were allowed. But it put blinders on Google to prevent it from seeing any Google cookies other than the ones it dropped on the site you’re currently visiting. This basically makes third party cookies act like first party cookies – the way they should be. That’s Total Cookie Protection (TCP) in a nutshell.
Is This Thing On?
Sound great. But I was rather shocked to find out that it doesn’t appear to be working. After hearing from someone else that they tested this and found that Firefox was not actually blocking third party cookies, I decided to test my own setup. And I found the same result, despite being on the latest version of Firefox (101.0.1) and having my privacy mode set to “Strict”, I failed this cookie forensics test. I had to switch to “custom” mode and block all third party cookies to pass the test. [Update: Steve’s test wasn’t actually testing the TCP solution… it was looking for any third party cookies, not testing that they were invisible across sites. See his update here.]
It could be that TCP just hasn’t “rolled out” to me yet. The first sentence of Mozilla’s blog post says “Starting today, Firefox is rolling out Total Cookie Protection by default to all Firefox users worldwide”. That phraseology usually means Mozilla is gradually enabling the feature. This is a common practice today with web-based software: send out the software update that includes latent functionality, but incrementally enable certain features across your users, to look for bugs or problems before turning it on for everyone.
Total Cookie Protection is not a silver bullet, but it’s an elegant and welcome solution to one of the most common tracking tricks. Let’s hope it “rolls out” quickly.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!