93 lines
5.1 KiB
Markdown
93 lines
5.1 KiB
Markdown
# Geoffrey Frogeye's block list of first-party trackers
|
|
|
|
## What's a first-party tracker?
|
|
|
|
A tracker is a script put on many websites to gather informations about the visitor.
|
|
They can be used for multiple reasons: statistics, risk management, marketing, ads serving…
|
|
In any case, they are a threat to Internet users' privacy and many may want to block them.
|
|
|
|
Traditionnaly, trackers are served from a third-party.
|
|
For example, `website1.com` and `website2.com` both load their tracking script from `https://trackercompany.com/trackerscript.js`.
|
|
In order to block those, one can simply block the hostname `trackercompany.com`, which is what most ad blockers do.
|
|
|
|
However, to circumvent this block, tracker companies made the websites using them load trackers from `somestring.website1.com`.
|
|
The latter is a DNS redirection to `website1.trackercompany.com`, directly to an IP address belonging to the tracking company.
|
|
|
|
Those are called first-party trackers.
|
|
On top of aforementionned privacy issues, they also cause some security issue, as websites are usually configured to trust first-party scripts.
|
|
For more information, learn about [Cross-Origin Resource Sharing](https://enable-cors.org/).
|
|
|
|
In order to block those trackers, ad blockers would need to block every subdomain pointing to anything under `trackercompany.com` or to their network.
|
|
Unfortunately, most don't support those blocking methods as they are not DNS-aware, e.g. they only see `somestring.website1.com`.
|
|
|
|
This list is an inventory of every `somestring.website1.com` found to allow non DNS-aware ad blocker to still block first-party trackers.
|
|
|
|
### Learn more
|
|
|
|
- [CNAME Cloaking, the dangerous disguise of third-party trackers](https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a)
|
|
- [Trackers first-party](https://blog.imirhil.fr/2019/11/13/first-party-tracker.html) (french)
|
|
- [uBlock Origin issue](https://github.com/uBlockOrigin/uBlock-issues/issues/780)
|
|
|
|
## List variants
|
|
|
|
### First-party trackers (recommended)
|
|
|
|
- Hosts file: <https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt>
|
|
- Raw list: <https://hostfiles.frogeye.fr/firstparty-trackers.txt>
|
|
|
|
This list contains every hostname redirecting to [a hand-picked list of first-party trackers](https://git.frogeye.fr/geoffrey/eulaurarien/src/branch/master/rules/first-party.list).
|
|
It should be safe from false-positives.
|
|
Don't be afraid of the size of the list, as this is due to the nature of first-party trackers: a single tracker generates at least one hostname per client (typically two).
|
|
|
|
### First-party only trackers
|
|
|
|
- Hosts file: <https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt>
|
|
- Raw list: <https://hostfiles.frogeye.fr/firstparty-only-trackers.txt>
|
|
|
|
This is the same list as above, albeit not containing the hostnames under the tracking company domains (e.g. `website1.trackercompany.com`).
|
|
While those are technically third-party trackers, they cannot be blocked at once by some ad blockers (e.g. Pi-hole).
|
|
Use only with ad blocker able to import regular expressions and in conjuction with other block lists.
|
|
|
|
### Multi-party trackers
|
|
|
|
- Hosts file: <https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt>
|
|
- Raw list: <https://hostfiles.frogeye.fr/multiparty-trackers.txt>
|
|
|
|
As first-party trackers usually evolve from third-party trackers, this list contains every hostname redirecting to trackers found in existing lists of third-party trackers (see next section).
|
|
Since the latter were not designed with first-party trackers in mind, they are likely to contain false-positives.
|
|
In the other hand, they might protect against first-party tracker that we're not aware of / have not yet confirmed.
|
|
|
|
#### Source of third-party trackers
|
|
|
|
- [EasyPrivacy](https://easylist.to/easylist/easyprivacy.txt)
|
|
|
|
(yes there's only one for now. A lot of existing ones cause a lot of false positives)
|
|
|
|
### Multi-party only trackers
|
|
|
|
- Hosts file: <https://hostfiles.frogeye.fr/multiparty-only-trackers-hosts.txt>
|
|
- Raw list: <https://hostfiles.frogeye.fr/multiparty-only-trackers.txt>
|
|
|
|
This is the same list as above, albeit not containing the hostnames under the tracking company domains (e.g. `website1.trackercompany.com`).
|
|
While those are technically third-party trackers, they cannot be blocked at once by some ad blockers (e.g. Pi-hole).
|
|
Use only with ad blocker able to import regular expressions and in conjuction with other block lists, especially the ones in the previous section.
|
|
|
|
## Meta
|
|
|
|
In case of false positives/negatives, or any other question contact me the way you like: <https://geoffrey.frogeye.fr>
|
|
|
|
The software used to generate this list is available here: <https://git.frogeye.fr/geoffrey/eulaurarien>
|
|
|
|
## Acknowledgements
|
|
|
|
Some of the first-party tracker included in this list have been found by:
|
|
|
|
- [Aeris](https://imirhil.fr/)
|
|
- NextDNS and [their blocklist](https://github.com/nextdns/cname-cloaking-blocklist)'s contributors
|
|
|
|
The list was generated using data from
|
|
|
|
- [Rapid7 OpenData](https://opendata.rapid7.com/sonar.fdns_v2/), who kindly provided a free account
|
|
- [Cisco Umbrella Popularity List](http://s3-us-west-1.amazonaws.com/umbrella-static/index.html)
|
|
- [Public DNS Server List](https://public-dns.info/)
|