Thrawn wrote:
    barbaz wrote: This is not just a tracking/advertising subdomain of a site. The situation here is that a subdomain of a site is an alias for a 3rd-party tracker.
  OK, but handling them works about the same way.
Both correct, but still a concern I am not sure most are aware of. Here is another example:
Brokers Ameritrade and Scottrade are doing this subdomain aliasing/redirecting. Ameritrade has several:
research.ameritrade.com is really research.ameritrade.wallst.com
valubond.ameritrade.com is really ameritrade.valubond.com
morningstar.ameritrade.com is really morningstar.ameritrade.com.3.web.morningstar.com
sstats.tdameritrade.com is really tdameritrade.com.102.112.2o7.net
Scottrade has the same redirect to wallst.com
research.scottrade.com is really research.scottrade.wallst.com
While investigating the above, it dawned on me that there is a bigger problem with what they are doing, which may have been obvious to the two of you. Normally, at least the way I have Firefox set up, cookies are not sent to third party sites. So if I am on scottrade.com, and they have something that pulls content from wallst.com, no scottrade cookies or wallst.com cookies get sent to wallst.com. However, with the subdomain research.scottrade.com redirecting to research.scottrade.wallst.com, cookies for research.scottrade.com AND scottrade.com are now all sent to wallst.com. Potentially worse, since Ameritrade does the same thing, wallst.com now has the potential of seeing that I use both. However, since wallst.com may not be able to set their own wallst.com cookie when coming through the redirected subdomain, that may not be as bad as it seems - but I am now past my level of understanding of how all of this works.
Again, I am bringing this up for discussion to make this practice known to people, and to discuss what to do about it for those paranoids out there like me! My approach now is as follows:
1) Stop allowing base 2nd level domains (whatever.com) and only allow full domains or full addresses. Certainly full addresses for 2nd level domains (full address only allows http://whatever.com)
2) Use ABE to anonymize all references that go through a redirected subdomain. Of course, this may not allow that content to work, but in many cases it still works fine.
3) Where anonymizing in 2) above doesn't work, and if I really need the functions, only allow session cookies for the main site and all subdomains. For the examples above, both scottrade and ameritrade actually use their own subdomains for most of their own content (trading.scottrade.com and invest.ameritrade.com) so if necessary those cookies could be kept beyond the session, since they would not be sent to research.scottrade.com or research.ameritrade.com.
3a) In case you are wondering why it is necessary to keep any cookies beyond the end of the session, several sites I use require extensive extra login steps (security questions) if you don't keep cookies. However, scottrade at least doesn't do that. Yet. (And if they do, hopefully the related cookies will be kept under trading.scottrade.com)
So the biggest problem I still have is the amount of work it takes to do the above (which is fine), but more importantly how to identify when this activity is happening, which is a bigger problem. I did at least find a feature of NoScript that I was not aware of that helps a bit: when you right click on the Allow or (Temporarily allow) menu item in the NoScript icon menu, the site you would be allowing is copied to the clipboard so it can be pasted into whatever utility you use to examine the subdomain to see where it really goes.
Thanks for listening - and I look forward to whatever anyone else thinks or is doing. And special thanks to Giorgio for giving us NoScript - and maybe even more important giving us ABE. They are the best defensive weapons in this war on privacy!
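The two points above (which first-party cookies end up at the aliased host, and how to spot such aliases) can be checked with a small script. This is an added example, not code from the post or from NoScript; the CNAME table and cookie jar are constructed from the hostnames in the post, and the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Flag subdomains that are CNAME aliases for a third-party host, and show
which first-party cookies a browser would attach to a request to them.

Assumptions (added example): CNAMES is a constructed table, not a live
lookup; swap in real answers from e.g. `dig +short CNAME <host>` to audit a
site. registrable() takes the last two labels, which is wrong for suffixes
such as co.uk; a real tool should use the Public Suffix List."""

# Constructed CNAME table: hostname -> canonical name (None = no CNAME).
CNAMES = {
    "research.scottrade.com": "research.scottrade.wallst.com",
    "research.ameritrade.com": "research.ameritrade.wallst.com",
    "sstats.tdameritrade.com": "tdameritrade.com.102.112.2o7.net",
    "trading.scottrade.com": None,
}


def registrable(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption, see above)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def resolve_chain(host: str, table=CNAMES, limit: int = 8) -> list:
    """Follow CNAME records; stop on a loop or after `limit` hops."""
    chain, seen = [host], {host}
    while (nxt := table.get(chain[-1])) and nxt not in seen and len(chain) < limit:
        chain.append(nxt)
        seen.add(nxt)
    return chain


def cloaked_third_party(host: str, table=CNAMES):
    """Registrable domain of the canonical name if it differs from the
    requested host's own registrable domain, else None."""
    canonical = resolve_chain(host, table)[-1]
    return registrable(canonical) if registrable(canonical) != registrable(host) else None


def cookies_sent(jar: list, request_host: str) -> list:
    """Cookie names a browser attaches to request_host: host-only cookies need
    an exact host match; Domain= cookies match the domain or any subdomain.
    The CNAME target plays no part, so first-party cookies reach the alias."""
    sent = []
    for name, domain, host_only in jar:
        if host_only and request_host == domain:
            sent.append(name)
        elif not host_only and (request_host == domain or request_host.endswith("." + domain)):
            sent.append(name)
    return sent


# Constructed cookie jar: (name, domain, host_only)
JAR = [("session", "trading.scottrade.com", True), ("pref", "scottrade.com", False)]
```

Running `cloaked_third_party` over every hostname a site's pages reference gives the list the post asks for; `cookies_sent` then shows that a Domain=scottrade.com cookie goes to research.scottrade.com while a host-only trading.scottrade.com cookie does not, which is the split step 3) relies on.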