TL;DR
This paper presents a large-scale analysis of DNS-based tracking evasion using CNAME records, revealing its rapid adoption among high-traffic websites and exposing associated privacy and security risks.
Contribution
It provides the first comprehensive longitudinal study of CNAME-based tracking evasion and uncovers inherent privacy and security vulnerabilities in this technique.
Findings
CNAME tracking is rapidly increasing among popular websites.
Some trackers exploit CNAMEs to bypass browser anti-tracking measures.
CNAME-based tracking can leak sensitive information to third parties.
Abstract
Online tracking is a whack-a-mole game between trackers who build and monetize behavioral user profiles through intrusive data collection, and anti-tracking mechanisms, deployed as a browser extension, built-in to the browser, or as a DNS resolver. As a response to pervasive and opaque online tracking, more and more users adopt anti-tracking tools to preserve their privacy. Consequently, as the information that trackers can gather on users is being curbed, some trackers are looking for ways to evade these tracking countermeasures. In this paper we report on a large-scale longitudinal evaluation of an anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, effectively bypassing anti-tracking measures that use fixed hostname-based block lists. Using historical HTTP Archive data we find that this tracking scheme is rapidly gaining…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
