Safari in Arms Race Against Trackers - Criteo Feels the Heat
Criteo is an ad company. You may not have heard of them, but they do retargeting, the type of ads that pursue users across the web, beseeching them to purchase a product they once viewed or have already bought. To identify users across websites, Criteo relies on cross-site tracking, using cookies and other methods to follow users as they browse. This has led them to try to circumvent the privacy features in Apple's Safari browser, which protects its users from such tracking.
All popular browsers give users control over who gets to set cookies, but Safari is the only one that blocks third-party cookies (those set by a domain other than the site you are visiting) by default. (Safari's choice is important because only 5-10% of users ever change default settings in software.) Criteo relies on third-party cookies. Since users have little reason to visit Criteo's own website, the company gets its cookies onto users’ machines through its integration on many online retail websites. Safari’s cookie blocking is a major problem for Criteo, especially given the large and lucrative nature of iPhone's user base. Rather than accept this, Criteo has repeatedly implemented ways to defeat Safari's privacy protections.
It appears that Criteo’s response was to abandon cookies for Safari users and to generate a persistent identifier by piggybacking on a key user safety technology called HSTS. When a browser connects to a site via HTTPS (i.e. a site that supports encryption), the site can respond with an HTTP Strict Transport Security (HSTS) policy, instructing the browser to only contact it using HTTPS from then on. Without an HSTS policy, your browser might try to connect to the site over regular old unencrypted HTTP in the future—and thus be vulnerable to a downgrade attack. Criteo used HSTS to sneak data into the browser cache to produce an identifier it could use to recognize the individual's browser and profile them. This approach relied on the fact that it is difficult to clear HSTS data in Safari, requiring the user to purge the cache entirely to delete the identifier. For EFF, it is especially worrisome that Criteo used a technique that pits privacy protection against user security interests by targeting HSTS. Use of this mechanism was documented by Gotham City Research, an investment firm which has bet against Criteo’s stock.
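The paragraph above describes HSTS only in outline. The following added example (not code from the original post, EFF, Apple, or Criteo) shows what a legitimate Strict-Transport-Security header looks like when parsed, and a defender-side heuristic for spotting the abuse pattern: a third-party domain whose many distinct subdomains each hand the browser an HSTS policy while embedded as subresources on someone else's page. The log format, host names (`shop.example`, `tracker.example`, `other.example`) and the threshold are constructed for the example; real tooling would use the Public Suffix List rather than the naive registrable-domain helper used here.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): "<page host> <resource host> <STS header or ->"
SAMPLE_LOG = """\
shop.example retail-cdn.example max-age=31536000; includeSubDomains
shop.example www.shop.example max-age=63072000
shop.example t0.tracker.example max-age=31536000
shop.example t1.tracker.example max-age=31536000
shop.example t2.tracker.example max-age=0
shop.example t3.tracker.example max-age=31536000
shop.example t4.tracker.example max-age=31536000
shop.example ads.other.example max-age=31536000
shop.example img.other.example -
shop.example t5.tracker.example not-a-policy
"""


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age, include_subdomains and preload, or None when the
    header carries no valid max-age (RFC 6797 requires one).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def registrable_domain(host):
    """Naive eTLD+1: last two labels. Assumption for the example; use the PSL in practice."""
    return ".".join(host.split(".")[-2:])


def flag_hsts_fanout(log_text, threshold=4):
    """Return third-party registrable domains that set HSTS from at least
    `threshold` distinct subdomains while loaded inside another site's page.

    A single CDN or tracker host setting HSTS is normal; a fan-out of sibling
    hosts each returning a policy is the shape of an HSTS-based identifier.
    """
    hosts_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        page_host, host, header = line.split(maxsplit=2)
        if header == "-":
            continue  # no HSTS header on this response
        if registrable_domain(host) == registrable_domain(page_host):
            continue  # first-party HSTS is expected and benign
        if parse_hsts(header) is None:
            continue  # malformed header; browsers ignore it
        hosts_by_domain[registrable_domain(host)].add(host)
    return sorted(d for d, hosts in hosts_by_domain.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
    print(flag_hsts_fanout(SAMPLE_LOG))
```

Run on the constructed log, `tracker.example` is flagged (five valid policies from `t0` through `t4`; the malformed `t5` line is ignored), while `retail-cdn.example` and `other.example` are not. The heuristic is coarse: it only sees hosts that actually returned a header, so it belongs in a proxy or browser-extension log pipeline that records response headers per subresource, and the threshold should be tuned against your own traffic before acting on it.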
In early December, Apple released an update to iOS and Safari which disabled Criteo’s ability to exploit HSTS. This led to Criteo revising down their revenue forecasts and a sharp fall in their share price.