Matthew Ames

Category: Security

Revert tracking protection back to ON for all sites

Previously I discussed how to turn on Tracking Protection in Firefox, which has been a great boon to my browsing activity. The problem with this is that Firefox doesn’t have any way of letting you know what sites have had tracking protection disabled, so you can visit a site with tracking protaction turned off without realising it. Fortunately, Firefox stores a lot of it’s information in sqlite, which is an easily modifiable format.

The first thing you’ll need to do is find your Firefox profile path. You can do this by typing about:profiles in to your browser url bar. Look for the “root directory”, and that’ll be where you profile is stored. It is important that you now close firefox completely, otherwise the permissions will not take affect.

Now, with your favourite Sqlite3 editor, you simply need to open permissions.sqlite and run the following query:

select * from moz_perms where type = "trackingprotection" and permission=1;

This will list every site which has Tracking Protection switched off, and will look something like this:

3|http://independent.co.uk|trackingprotection|1|0|0|1458588325092
4|http://www.buzzfeed.com|trackingprotection|1|0|0|1458829675197

To then turn protection back on, you simply need to delete those lines. A command to do so will look a little like the below, where I have put the id from the first column of the above list in to the query.

delete from moz_perms where id=3;

Once that’s complete, you can load your firefox, and you’ll see all of the tracking protection permissions set back to normal.

Online advertising has to change

A couple of days ago, I posted about how to enable Tracking Protection in Firefox. While I understand the importance of blocking potentially bad ads, I’d never really been in a situation where I was likely to be caught out by any, especially because I avoid sites which have a greater chance of being susceptible to being compromised. However, today it was announced that many major websites, including the BBC and New York Times were targeted, and their adverts were compromised to server ransomware to US visitors.

Although these sites are not sites which I would normally visit often, they are sites which I would have previously deemed OK, and would have disabled all ad-blocking should the sites request that I do so. After all, these institutions are worthwhile and cannot continue without our support, and if that comes in the form of ads, then so be it.

Now the game has changed, and advertisers need to change their practices, or else browsers and ISPs are going to start blocking all ads by default, stripping them, and the sites that serve ads, all of their revenue. Mobile company Three have already been reported to be working on ad-blocking on the network level, so this technology is not far out.

If the advertising companies can work together with browser manufacturers Google, Mozilla, Microsoft and Apple, I’m sure they can come up with a harmless way of displaying ads. Firstly they need to show only ads which are not harmful to a user, and secondly they need to be able to adhere to user preferences.

Security

One of the major issues with advertising through browsers is that an advert is only as secure as the policies of the advertising company. While some of the big players will check for potential compromises, many do not. It should be a matter of process that any advert is checked for known security issues, especially those written in flash.

Secondly, there is no way of knowing if an advert has been modified somehow to include bad content. Because of this, I propose that all ads should be cryptographically signed. This means that no asset can be downloaded for an advert without it being passing checks, such as confirming the GPG signature. The advantage to such an approach is that a browser can be configured to only show signed adverts, and hide anything else which fails the checks.

User Preferences

A user should be able to chose on the following hierarchy which adverts they would like to see:

  • Video adverts with sound
  • Video adverts
  • Animated adverts
  • Image adverts
  • Text adverts

Such a hierarchy would help those users who are on metered internet, and cannot download too much without facing penalties. A desktop browser should default to Video adverts, and a mobile browser to Image. In my own personal experience, I have had two video ads try to download simultaneously on a site while I was using mobile data. I had checked just before to see my data usage, and was shocked to note that it had gone up by 10M after the page had finished loading. This is clearly not acceptable, and must be stopped. By setting the option it means that, rather than stopping all ads, we can reach a compromise which puts the user in charge again.

Conclusion

At the moment we are behind the attackers when it comes to security, and the weakest link in the chain is the one which is causing all of the problems. With more an more talk of ad-blockers being a protection racket, it’s about time the advertising companies took the time to understand the reasons for the shift in public attitudes — especially in the non-technical who are slower to pick up on technologies such as ad-blockers. Making changes to browsers stopped the scourge of pop-uips, and now it’s time we did the same for inline ads.

Firefox Tracking Protection

If you’re a user of Firefox, you may have already noticed that Tracking Protection is enabled in Private Window mode. This nice little feature will block any element on a web page which is likely to track your usage – something you definitely don’t want when you’re trying to keep as low-key as possible. However, if you go a look at the options you will find that Tracking Protection is only available in Private Windows. This is certainly not ideal, but it turns out that this can be enabled globally such that it is enabled in non-private windows.

Tracking Protection options in Firefox

Enabling Protection

To enable this feature, enter about:config in your URL bar, and you’ll be presented with a warning page as per the below. To continue, click on the “I’ll be careful, I promise!” button.

About Config Firefox Page

Now type “privacy.trackingprotection.enabled” into the search bar, and it will hunt down the options. All you need to now is double click the value so it changed from “false” to “true“.

Tracking Protection Enabled

Tracking is now enabled!

Toggling Protection

If you have any sites complaining about ad-blockers, or you want to enable ads on a page, you will now notice a little shield in the URL bar. Click that and click on “Disable protection for this site” to enable adverts and other tracking elements on that domain alone.

Sync

The good news is that this option is synced using Firefox Sync, so you only have to enable it once, and it will stay with you on whichever desktop you are syncing your browser settings.

Mobile

Unfortunately, this option does not sync to mobile versions of Firefox, however you can perform the same actions as the desktop and achieve the same results.

Copyright © 2019 Matthew Ames

Theme by Anders NorenUp ↑