Firefox 85 crumbles cache-abusing supercookies with potent partitioning powers

The Mozilla Foundation has scorched a pair of monstrosities in the new version 85 of its Firefox browser.

The big target is supercookies which, as explained by Mozilla privacy engineer Steven Englehardt and senior product manager for Firefox privacy and security Arthur Edelstein, are very nasty trackers indeed because they exploit best-practice browser behaviour to offer tracking that goes beyond both that allowed by “official” Cookies and privacy laws.

“Like all web browsers, Firefox shares some internal resources between websites to reduce overhead,” the pair explain, before offering up the Firefox cache as an example of this approach at work. “If the same image is embedded on multiple websites, Firefox will load the image from the network during a visit to the first website and on subsequent websites would traditionally load the image from the browser’s local image cache (rather than reloading from the network).”

Trackers have found ways to abuse these shared resources to follow users around the web

So far, so sensible. But also, so exploitable by the cynical.

“Unfortunately, some trackers have found ways to abuse these shared resources to follow users around the web. In the case of Firefox’s image cache, a tracker can create a supercookie by ‘encoding’ an identifier for the user in a cached image on one website, and then ‘retrieving’ that identifier on a different website by embedding the same image,” the pair write.

Firefox 85 fights back by using “a different image cache for every website a user visits.”

This approach preserves the benefit of caching because files are still stored locally. But critically Firefox no longer shares caches across sites.

Englehard and Edelstein identify eleven caches - HTTP cache, image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, font cache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLS certificate cache – that they needed to address.

But that’s not all they needed to change. “Firefox would reuse a single network connection when loading resources from the same party embedded on multiple websites,” the pair wrote. While this approach would avoid the need for extra TCP handshakes as browsers reach for different resources, sustaining a single network session enabled user tracking.

Firefox 85 therefore “partitions pooled connections, prefetch connections, preconnect connections, speculative connections, and TLS session identifiers.”

The two Mozillans admit that this new approach does impact page load time but rate the hit as “very modest” as it delivers “between a 0.09% and 0.75% increase at the 80th percentile and below, and a maximum increase of 1.32% at the 85th percentile.” The pair say that’s about the same as similar protections coming real soon now to Chrome.

Indeed, the two authors sign off by thanking “colleagues in the Brave, Chrome, Safari and Tor Browser teams” for their own supercookie-crumbling efforts.

The second nasty killed in Firefox 85 is Adobe Flash, which release notes state has been so thoroughly dispelled that “There is no setting available to re-enable Flash support.”

Which is a fine idea because on top of Flash being a security nightmare, it was one more tool that supercookie-bakers used to create their evil trackers. ®