Subdomain Alias Potential Privacy Invasion Report

So you are concerned about your privacy. You disable 3rd party cookies. You use the most awesome privacy protection tool NoScript to protect yourself. You even use the most excellent ABE component of NoScript to Deny or Anonymize 3rd party requests. Think that is enough? Think again. We have discovered a practice that sites are using that gets around what concerned users like us are doing to protect ourselves. Worse, some of the sites doing this are leading banks, brokers, and financial institutions.

This page lists some sites that use what we call a Subdomain Alias. A Subdomain Alias on this page means that a subdomain of a site is actually hosted on a 3rd party site. This is done with a CNAME record on the site's DNS server, which makes the subdomain's name resolve to the IP address of the third party's host. One reason this MAY be done would be to bypass a user's browser security settings (NoScript, ABE, RequestPolicy, whatever) that block or anonymize requests to 3rd party sites. Worse, all cookies from the main site are now sent to the 3rd party site (even if you block 3rd party cookies), since the browser thinks it is simply a subdomain of the main site, not a 3rd party.

To be fair, when a subdomain alias is used, only cookies stored under the main domain or the aliased subdomain are sent to the aliased site, not cookies saved under other subdomain aliases, or saved for the target site directly. In other words, if mysub.mysite.com redirects to eviltracker.com, eviltracker.com cookies are not sent to eviltracker.com, just mysite.com cookies and mysub.mysite.com cookies. Maybe this will be the excuse that sites use for this subdomain alias practice.

If you are concerned about your privacy, this should concern you a great deal! Threat level is ONLY our opinion on the seriousness of the alias. An alias to Google, Adobe, or another third party tracking site would be High. An alias to a site that appears to be simply providing a service would be MediumLow. But remember to check which cookies are being passed - for example, Scottrade keeps its cookies under the trading.scottrade.com subdomain, so they would NOT be sent to research.scottrade.com (which is really wallst.com), but if cookies are kept under the main domain only, they would be sent to the Subdomain Alias site.
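As an added illustration (not part of the original report), the Python below follows a CNAME chain to flag a subdomain alias and applies the browser's cookie domain-matching rule to show which cookies would be attached to such a host; the DNS records and cookie jar are constructed samples modelled on the table further down, and the registrable-domain check is a simplification.

```python
# Added example (not from the page): flag "subdomain aliases" (CNAMEs ending
# outside the site's own registrable domain) and show which cookies a browser
# still attaches to such a host. Records and cookies are constructed samples.

# Constructed CNAME records modelled on the page's table (name -> target).
CNAME_RECORDS = {
    "research.scottrade.com": "research.scottrade.wallst.com",
    "sstats.tdameritrade.com": "tdameritrade.com.102.112.2o7.net",
    "trading.scottrade.com": None,  # plain A record, no alias
}

def registrable_domain(host):
    """Last two labels; simplification, real code should use the Public Suffix List."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def resolve_cname_chain(host, records, max_hops=10):
    """Follow CNAMEs until a name with no CNAME record; returns the chain."""
    chain = [host.rstrip(".").lower()]
    while len(chain) <= max_hops:
        target = records.get(chain[-1])
        if not target:
            return chain
        chain.append(target.rstrip(".").lower())
    raise ValueError("CNAME chain too long (loop?): %s" % chain)

def is_subdomain_alias(host, records):
    """True when the chain ends in a different registrable domain."""
    chain = resolve_cname_chain(host, records)
    return registrable_domain(chain[-1]) != registrable_domain(chain[0])

def domain_matches(request_host, cookie_domain, host_only):
    """RFC 6265 domain-match: host-only cookies need the exact host;
    Domain= cookies also match every subdomain of that domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return not host_only and request_host.endswith("." + cookie_domain)

def cookies_sent_to(request_host, cookie_jar):
    """Names of jar cookies (name, domain, host_only) sent to request_host.
    The browser matches on the name it requested, not the CNAME target."""
    return sorted(name for name, dom, host_only in cookie_jar
                  if domain_matches(request_host, dom, host_only))

# Constructed cookie jar for the Scottrade case discussed in the text.
COOKIE_JAR = [
    ("session", "trading.scottrade.com", True),  # host-only cookie
    ("sitewide", "scottrade.com", False),        # Domain=scottrade.com
    ("tracker", "wallst.com", False),            # set by the 3rd party itself
]
```

Running cookies_sent_to on research.scottrade.com returns only the Domain=scottrade.com cookie, which is exactly what the aliased wallst.com host receives.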

Note: This list only contains sites we know of that use a Subdomain Alias. There are most likely hundreds of others.

Business        | Subdomain                  | Subdomain Alias redirects to:                    | 3rd Party           | Threat     | Date added
FNBO Direct     | sanalytics.fnbodirect.com  | fnbodirect.com.102.112.2o7.net                   | Adobe (Omniture)    | High       | 2015/05/04
Ameritrade      | research.ameritrade.com    | research.ameritrade.wallst.com                   |                     | MediumLow  | 2015/05/04
Ameritrade      | valubond.ameritrade.com    | ameritrade.valubond.com                          |                     | MediumLow  | 2015/05/05
Ameritrade      | morningstar.ameritrade.com | morningstar.ameritrade.com.3.web.morningstar.com |                     | MediumLow  | 2015/05/05
Ameritrade      | sstats.tdameritrade.com    | tdameritrade.com.102.112.2o7.net                 | Adobe (Omniture)    | High       | 2015/05/05
Scottrade       | research.scottrade.com     | research.scottrade.wallst.com                    |                     | MediumLow  | 2015/05/05
e*Trade         | cdn.etrade.net             | e5375.b.akamaiedge.net                           | Akamai Technologies | MediumHigh | 2015/05/08
Fidelity        | personal.fidelity.com      | a445.b.akamai.net                                | Akamai Technologies | MediumHigh | 2015/05/08
Fidelity        | www.fidelity.com           | e11365.b.akamaiedge.net                          | Akamai Technologies | MediumHigh | 2015/05/08
Fidelity        | www.fid-inv.com            | e10141.b.akamaiedge.net                          | Akamai Technologies | MediumHigh | 2015/05/08
SciFi Book Club | link.sfbc.com              | link-nj1.sailthru.com.                           | Sailthru            | Unknown    | 2016/02/04

So what can you do?
1) Complain to the site using the subdomain alias
2) Quit using the site that uses the subdomain alias
3) Assuming the site won't change things, and you absolutely need to keep using it, we recommend using NoScript's ABE to Anonymize any requests to the Subdomain Alias that you require to allow the main site to run the functions you need. Deny the rest.
4) Of course, this means you must use NoScript's ABE to Deny or Anonymize any domain or subdomain that you have not approved yet. You can no longer just allow a domain and assume its subdomains are actually part of that site. We use a catch-all Anonymize rule in ABE, and use full addresses in NoScript, which requires scripts to be allowed for domains and subdomains independently. When we use something new, we write a new ABE rule that meets our needs.

Good luck!
Copyright © 2014-2016 Reality Matrix. All Rights Reserved.