SN 808: CNAME Collusion

Beep boop - this is a robot. A new show has been posted to TWiT…

https://twit.tv/shows/security-now/episodes/808

What are your thoughts about today’s show? We’d love to hear from you!

1 Like

AdGuard have released a list of 6000+ affected domains using CNAME masking/collusion. It is on their GitHub page and the list can be added to a hosts file or to PiHole or similar services, as well as AdGuard’s own services.

According to The Register, Brave has been able to track this cloaking since last October, and attempts to block the sites, and Firefox with uBlock Origin can also block it. As Steve stated in the show, uBlock Origin on Chrome/Chromium-based browsers doesn’t have the access required to block, so the browser has to block it itself.

Safari can only limit the lifetime of CNAME-derived cookies, but doesn’t stop the CNAME tracker from reading the host site cookies.

I’ll be adding the block lists to my PiHole tonight, when I get home.

Edit: I posted the Reg link twice the first time and updated the info on Brave, it has been coping with this since October 2020, not over a year. Also info on Safari.

2 Likes

This is about as sinister as they come. Any hope for a list in a format pfSense can use?

1 Like

Yeah, I tried the list on PiHole and it didn’t like it either. I’ll need to reformat them. ☹
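An added example, not part of the thread or of AdGuard's list: a sketch of how CNAME cloaking can be spotted in DNS data and turned into hosts-file lines, the format mentioned above. All domain names and records are constructed, and the function names are hypothetical.

```python
# Constructed sample data; none of these names come from the thread or AdGuard's list.
TRACKER_DOMAINS = {"tracker.example", "metrics-vendor.example"}

# Constructed CNAME records (name -> target), as a resolver log might show them.
CNAME_RECORDS = {
    "metrics.shop.example": "shop.tracker.example",      # cloaked, one hop
    "www.shop.example": "cdn.shop.example",               # ordinary first-party alias
    "stats.news.example": "edge.news-alias.example",      # cloaked, two hops
    "edge.news-alias.example": "c1.metrics-vendor.example",
    "img.news.example": "img.cdn-host.example",           # third party, not a tracker
}

def matches_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (label-aligned)."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def resolve_chain(name, records, max_depth=8):
    """Follow CNAMEs from name; stop at a non-alias, a loop, or max_depth hops."""
    chain, seen = [], {name}
    while name in records and len(chain) < max_depth:
        name = records[name].rstrip(".").lower()
        if name in seen:
            break
        seen.add(name)
        chain.append(name)
    return chain

def find_cloaked(records, trackers):
    """Map each non-tracker host whose CNAME chain reaches a tracker to that tracker."""
    cloaked = {}
    for host in records:
        if any(matches_domain(host, t) for t in trackers):
            continue  # already a tracker name: plain domain blocking catches it
        for target in resolve_chain(host, records):
            hit = next((t for t in sorted(trackers) if matches_domain(target, t)), None)
            if hit:
                cloaked[host] = hit
                break
    return cloaked

def to_hosts(hostnames):
    """Render hostnames as sorted hosts-file lines pointing at 0.0.0.0."""
    return [f"0.0.0.0 {h}" for h in sorted(hostnames)]

if __name__ == "__main__":
    print("\n".join(to_hosts(find_cloaked(CNAME_RECORDS, TRACKER_DOMAINS))))
```

The intermediate alias `edge.news-alias.example` is flagged too, since its own chain ends at a tracker; blocking it covers any other site that points at the same alias.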

Fantastic show!

I think it would’ve helped to include a conversation about PiHole and PFSense and similar products that we can utilize across the network, i.e. through apps which don’t let us install uBlock.

1 Like