Mozilla goes a step further to helping protect its users from being tracked


The latest version of Firefox has shipped with a revised edition of the web browser’s Enhanced Tracking Protection (ETP) service.

Mozilla enabled the original ETP privacy feature by default in 2019. The technology protects users by blocking third-party cookies according to the Disconnect list.

The current version, ETP 2.0, comes enabled by default in the newly-launched Firefox 79 goes further by blocking a technique called ‘redirect tracking’ that’s used by certain unscrupulous sites.

“To protect your privacy ETP 1.0 blocks trackers from using cookies when they are embedded in a third-party context, but still allows them to use cookies as a first party because blocking first-party cookies causes websites to break,” a blog post from Mozilla reads.

According to the browser maker, redirect tracking takes advantage of this loophole to circumvent third-party cookie blocking.

Redirect trackers force a user to make an “imperceptible and momentary stopover” to another website while navigating to another page.

For example, a user browsing a review website may click on a link to a retailer which actually takes them to another site first.

“This means that the tracker is loaded as a first party and therefore is allowed to store cookies,” Mozilla explains.


RELATED Firefox spoofing bug row rumbles on two years after first report


“The redirect tracker associates tracking data with the identifiers they have stored in their first-party cookies and then forwards you to the retailer.

“Once every 24 hours ETP 2.0 will completely clear out any cookies and site data stored by known trackers. This prevents redirect trackers from being able to build a long-term profile of your activity.”

Only known trackers will be blocked, and Firefox will not clear cookies for sites a user frequently interacts with, such as email or social media sites.

Cookie cutter

The move comes after Google introduced SameSite cookie labeling to block third-party trackers.

If a cookie label matches the website address, this is deemed a SameSite, or first-party, cookie. However, if they are from a third-party website, they are deemed ‘cross-party’.

Google argues that cross-party cookies increase the risk of cross-site-request-forgery and other attacks, and so Chrome 84 introduces a new cookie classification scheme.


READ MORE When TLS hacks you: Security friend becomes a foe