Recent developments in browser technology have highlighted a growing concern over privacy and the tracking of user data by major tech players like Meta and Yandex. In response to these concerns, several Android browsers have taken significant steps to enhance user privacy by blocking abusive JavaScript associated with web trackers.
Notably, DuckDuckGo has been proactive in this arena, implementing measures to block domains and IP addresses linked to trackers. This initiative effectively prevents the browser from transmitting any identifiers to Meta, while also restricting access to many domains tied to Yandex Metrica. Following feedback from researchers regarding an incomplete blacklist, DuckDuckGo’s developers swiftly acted to include the missing addresses, reinforcing their commitment to user privacy.
Similarly, the Brave browser has leveraged its extensive blocklists to prevent the sharing of identifiers, relying on an existing mitigation that blocks requests to localhost unless the user explicitly consents. Vivaldi, another Chromium-based browser, behaves differently under its default privacy settings, forwarding identifiers to the local Android ports. Users can change those settings to block trackers, which, researchers note, minimizes the risk of browsing-history leakage.
There’s got to be a better way
While the measures implemented by DuckDuckGo, Brave, Vivaldi, and others have proven effective thus far, researchers caution that these solutions may not be foolproof. Vallina Rodriguez, a leading voice in the field, emphasizes the ongoing challenge of maintaining effective blocklists. “Any browser doing blocklisting will likely enter into a constant arms race, and it’s just a partial solution,” he remarked. “Creating effective blocklists is hard, and browser makers will need to constantly monitor the use of this type of capability to detect other hostnames potentially abusing localhost channels and then updating their blocklists accordingly.”
“While this solution works once you know the hostnames doing that, it’s not the right way of mitigating this issue, as trackers may find ways of accessing this capability (e.g., through more ephemeral hostnames). A long-term solution should go through the design and development of privacy and security controls for localhost channels, so that users can be aware of this type of communication and potentially enforce some control or limit this use (e.g., a permission or some similar user notifications).”
In contrast, Chrome and most other Chromium-based browsers have executed the JavaScript as Meta and Yandex intended. Firefox also ran it, although it had difficulty performing the SDP munging specified in later versions of the code. Following a beta release in early May, Chrome’s production version began blocking both the STUN and TURN variants of SDP munging, with other Chromium-based browsers expected to follow in the coming weeks. Firefox’s maker has yet to respond regarding its plans to address this behavior in its browser.
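As an added illustration of the kind of localhost control the researchers call for (and of what blocking loopback-bound SDP munging means in practice), the inspector below parses the ICE candidate lines of an SDP and flags any candidate whose connection address or related address is a loopback address. It is example code written for this page, not code from any browser or from the research; the candidate syntax follows RFC 8839, and the sample SDP, its addresses and its ports are constructed.

```javascript
// Defensive SDP audit: report ICE candidates that would make the browser send
// STUN/TURN traffic to the local machine. Example code, not browser code.

// a=candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> [raddr <addr> rport <port>]
const CANDIDATE_RE =
  /^a=candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(?: raddr (\S+) rport (\d+))?/i;

// True for IPv4 loopback (127/8), IPv6 loopback, IPv4-mapped loopback and "localhost".
function isLoopback(addr) {
  const a = addr.toLowerCase().replace(/^\[|\]$/g, '');
  if (a === 'localhost' || a === '::1') return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a)) return true;
  if (/^::ffff:127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a)) return true;
  return false;
}

// Parse one SDP line; returns null for anything that is not a candidate line.
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7].toLowerCase(),
    raddr: m[8] || null, rport: m[9] ? Number(m[9]) : null,
  };
}

// Returns one finding per loopback-bound candidate; an empty array means the SDP is clean.
function auditSdp(sdp) {
  const findings = [];
  for (const line of sdp.split(/\r?\n/)) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (isLoopback(c.address)) {
      findings.push({ ...c, reason: `${c.type} candidate targets loopback ${c.address}:${c.port}` });
    } else if (c.raddr && isLoopback(c.raddr)) {
      findings.push({ ...c, reason: `${c.type} candidate has loopback related address ${c.raddr}:${c.rport}` });
    }
  }
  return findings;
}

// Constructed sample (addresses and ports are made up): one ordinary host
// candidate, one host candidate aimed at loopback, one relay candidate
// whose related address is loopback.
const SAMPLE_SDP = [
  'v=0',
  'a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host',
  'a=candidate:2 1 udp 2122194687 127.0.0.1 40000 typ host',
  'a=candidate:3 1 udp 41885439 192.0.2.11 3478 typ relay raddr 127.0.0.1 rport 40001',
].join('\r\n');
```

Running `auditSdp(SAMPLE_SDP)` returns two findings, one for each constructed loopback-bound candidate; a browser-side control of the kind the researchers describe would prompt or block at exactly that point.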