Guess What: Ad Blockers Don't Block Ads That Well

Ad blockers and tracking-cookie blockers don't work as well as you might think, researchers at Belgium's Catholic University of Leuven have determined.

Credit: Pinone Pantone/Shutterstock


"Virtually every browser or extension-enforced policy can be bypassed," reads the academic paper written by computer-science grad students Gertjan Franken and Tom Van Goethem along with their supervising professor Wouter Joosen. "We find that even built-in protection mechanisms can be circumvented by multiple novel techniques we discover."


The researchers tried to find various ways around each browser, tracker-blocking extension and ad-blocker extension, sometimes using new methods that haven't been implemented widely online. Not a single product stood up to every attack.

"We found that for every analyzed browser extension there exists at least one technique that can be used to circumvent the extension to send an authenticated third-party request," the paper says.

Browsers generally let tracking cookies operate if they come from the site being visited (although Apple Safari blocked a couple of kinds of these), but they try to block cookies coming from third-party websites. In other words, if you visit the New York Times website, that site's cookies will be enabled, but cookies that come from WeLuvScamz.com and appear on the Times website shouldn't be.

The browsers' own protections were a mixed bag. Not so good were the PDF-display features in Google Chrome and Opera, which ignored JavaScript-based tracking cookies in PDFs, and Apple Safari and Microsoft Edge, which couldn't block many third-party cookies. (Safari 11 was better than Safari 10 in this respect, however.)

"For the Chromium-based browsers (Google Chrome and Opera), we found that because of the built-in PDF reader, an adversary or tracker can still initiate authenticated requests to third-parties," the paper said.

"Surprisingly, we found that the blocking of third-party cookies feature in Edge had no effect," it also said. "We believe that this is due to an oversight from the browser developers or a regression bug introduced when new functionality was added."

Edge did manage to block third-party cookies in PDFs, even though it displays them in the browser like the Chromium-based browsers do.

Firefox did well, but it failed to block cookies based on browser redirects (i.e., via links embedded in other pages), and its optional tracking protection largely failed. The best performer overall was the Firefox-based Tor browser.

The ad-blocking and tracking-blocking browser extensions didn't do so well either. The only ad blocker that came close to doing a thorough job on all browsers was Adblock Plus, although the performance of each extension differed from browser to browser. The Blur tracking blocker failed in all categories, while the Ghostery extension on Firefox did the best among tracking blockers.

The paper was presented yesterday (Aug. 15) at the USENIX Security Symposium in Baltimore, and there's a companion website called "Who Left Open the Cookie Jar?" that sums it all up.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
