CNAME Uncloaking
Are there any plans to implement CNAME uncloaking like uBlock Origin since version 1.25.0?
Re: CNAME Uncloaking
At the moment, changing the preset for a domain may have effects that are very implicit and often not wanted. For example, by setting a domain to trusted you may implicitly set Eulerian, Criteo and the like to trusted as well. CNAME uncloaking would make that more visible and offer more granular control over what to allow and what not to allow.
Re: CNAME Uncloaking
Good point, optional CNAME uncloaking would be useful as purely informational for the user, to help the user decide what to allow and what not. Especially if the Full Domains option gets re-introduced.
No. NoScript would be worse off if it actually blocked/allowed based on CNAME uncloaking.
uBlock Origin has that feature for user control reasons. NoScript's permissions are domain-based already; CNAME uncloaking doesn't provide any additional control or granularity. And the feature in uBlock Origin caused my filters to break the internet. I had to disable it.
The real-world use cases I've seen for this are privacy-related. NoScript is a security tool, not a privacy tool. In terms of security, attackers compromising DNS records use IP addresses, not CNAMEs, so this won't help.
Also, in the case of NoScript, this will make it much harder to browse without having CDNs like Akamai, Cloudfront etc. always set to TRUSTED, thereby allowing more content from lots of sources and making some users' browsing less secure.
Last edited by barbaz on Fri May 29, 2020 4:56 pm, edited 1 time in total.
*Always* check the changelogs BEFORE updating that important software!
Re: CNAME Uncloaking
Thanks for your insightful answer!
After thinking through your answer I think you are right. Nevertheless, I'd still prefer to have more information than there is at the moment. To see what is blocked (script, media, frame, ...) certainly has the higher priority, but I'd really be interested in seeing the CNAMEs as well.
I would not activate it as default because it makes things too complicated indeed. I share your experience with uBlock Origin in that regard. But I'd like to have the information and eventually be able to activate blocking domains based on CNAME uncloaking optionally. At least that's what I thought until reading and thinking through your comment.
Re: CNAME Uncloaking
No, I added this feature in uBO for informed consent and control reasons. uBO is not a "privacy tool"; this is reductive. uBO is a wide-spectrum content blocker whose features, and especially advanced features, have both privacy and security benefits. That someone decides to trust `liberation.fr` does not mean that trust extends to `eulerian.net` -- and this is the sort of advanced control I decided to put in user hands; they get to decide whether they block for privacy, security or whatever other reason they choose.
Last edited by barbaz on Fri May 29, 2020 5:17 pm, edited 1 time in total.
Reason: Remove distracting straw man
Re: CNAME Uncloaking
Thanks, I edited my post to correct this.
*Always* check the changelogs BEFORE updating that important software!
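
An added illustration of what the thread is debating, not code from NoScript, uBlock Origin or any poster: it follows CNAME chains and compares the permission a per-domain rule gives by visible name with the one it would give by canonical name. The DNS records and subdomain names are constructed, and the two-label `baseDomain` is a simplifying assumption (a real extension would use the Public Suffix List).

```javascript
// Constructed DNS data for illustration only; subdomains are hypothetical.
const CNAME_RECORDS = new Map([
  ["metrics.liberation.fr", "liberation.eulerian.net"], // cloaked third party
  ["static.liberation.fr", "d1234.cloudfront.net"],     // ordinary CDN alias
  ["d1234.cloudfront.net", "edge-7.cloudfront.net"],    // chained alias
]);

// Follow the CNAME chain to the canonical name, guarding against loops
// and over-long chains.
function uncloak(hostname, records = CNAME_RECORDS, maxHops = 8) {
  const chain = [hostname];
  let current = hostname;
  while (records.has(current) && chain.length <= maxHops) {
    current = records.get(current);
    if (chain.includes(current)) break; // CNAME loop: stop here
    chain.push(current);
  }
  return chain;
}

// Assumption: registrable domain = last two labels (no Public Suffix List).
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Report what trusting the visible domain implicitly covers, and what a
// decision keyed on the canonical name would require instead.
function explain(hostname, trusted, records = CNAME_RECORDS) {
  const chain = uncloak(hostname, records);
  const canonical = chain[chain.length - 1];
  const visible = baseDomain(hostname);
  const actual = baseDomain(canonical);
  return {
    hostname,
    canonical,
    chain,
    cloaked: visible !== actual,
    allowedByVisibleName: trusted.has(visible),
    allowedByCanonicalName: trusted.has(actual),
  };
}

// The user has trusted only the site they are visiting.
const trustedDomains = new Set(["liberation.fr"]);
for (const host of ["www.liberation.fr", "metrics.liberation.fr", "static.liberation.fr"]) {
  console.log(explain(host, trustedDomains));
}
```

The CDN-hosted subdomain uncloaks to a third-party name just like the tracker does, which is the trade-off raised above: enforcing on canonical names would require trusting the CDN's domain as well.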