Facebook Is Now Encrypting Links to Prevent URL Stripping

Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.

Facebook has responded by encrypting the entire URL into a single ciphertext blob.

Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
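As an added illustration (not part of the original post and not any browser's code), the JavaScript sketch below shows parameter-based stripping and why it has nothing to remove once the identifier is folded into the path. The parameter list, function names and entropy thresholds are assumptions made for the example; the `pfbid` URL is the one a commenter quotes further down the page.

```javascript
// Added example. The parameter list is an illustrative subset chosen for this
// sketch, not the actual strip list of Firefox or Brave.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "mc_eid"]);
const TRACKING_PREFIXES = ["utm_"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// Parameter-based stripping: drop known tracking keys, keep everything else.
function stripTracking(input) {
  const url = new URL(input);
  const removed = [...new Set([...url.searchParams.keys()].filter(isTrackingParam))];
  for (const name of removed) url.searchParams.delete(name);
  return { url: url.toString(), removed };
}

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Heuristic with assumed thresholds: a long, high-entropy path segment is
// reported as opaque. It can only be flagged, not cleaned, because the
// stripper cannot tell which part of it (if any) is tracking data.
function opaqueSegments(input, minLen = 32, minBits = 4.5) {
  return new URL(input).pathname
    .split("/")
    .filter((seg) => seg.length >= minLen && shannonEntropy(seg) >= minBits);
}

function analyze(input) {
  const { url, removed } = stripTracking(input);
  return { url, removed, opaque: opaqueSegments(url) };
}

// Constructed old-style link: tracking data sits in separable parameters.
const OLD_STYLE =
  "https://www.example.com/page/posts/12345?fbclid=CONSTRUCTED_VALUE&utm_source=feed&id=7";
// New-style link as quoted in the comments on this page: one opaque path token.
const PFBID_STYLE =
  "https://www.facebook.com/MyUserName/posts/pfbid02XxPugPbMfpm6Dw7hT7YvHNVFMqJdZCr1QzNjLe3n2SAQgLYRbTMRuq58t7ufnDB3l";
// Constructed readable slug: long, but low entropy, so it is not flagged.
const PLAIN_SLUG =
  "https://www.example.com/how-to-configure-url-stripping-in-firefox";

for (const link of [OLD_STYLE, PFBID_STYLE, PLAIN_SLUG]) {
  console.log(analyze(link));
}
```

The stripper returns the `pfbid` link unchanged with an empty `removed` list, which is the situation the article describes: the only remaining signal is that the path carries an opaque token.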

Posted on July 18, 2022 at 9:49 AM • 43 Comments

Comments

Dio Gratia July 18, 2022 10:08 AM

Well, you could always refuse to play and not use Facebook. Sooper sekret handshakes to allow them to spy on you for profit seems a bit extreme.

kiwano July 18, 2022 11:28 AM

Maybe nothing technical to be done about it, but if we move to the realm of policy instead, this seems like it’d make pretty decent evidence in an antitrust suit. (I say this as someone who’s already quit facebook, but who still struggles to get my friends to move various group chats to signal.)

Who? July 18, 2022 12:05 PM

I agree with other people here—we can either do URL stripping or Facebook stripping. I would do the latter.

The only social network we should care is the one in real life.

lurker July 18, 2022 12:33 PM

Users who don’t sign into Facebook and clear cookies and site data regularly, may avoid most of the company’s tracking. [my bold added]

Not much consolation to those of us who find it’s no longer possible to avoid the pages with the sneaky blue f.

And on a related subject, what’s with the sites that offer a popup to manage cookies, with a button
[Save My Preferences]
but next time you visit the site the whole procedure must be repeated?

Clive Robinson July 18, 2022 1:05 PM

Is this “really true” though,

Facebook has responded by encrypting the entire URL into a single ciphertext blob.

Facebook has a history of doing things on the less than technically sound, as have many other Web Sites.

Whilst it is almost certain it is a reversible transform for obfuscating data,

1, Is it what we would call “encryption”?
2, Is it really a “single blob”?

I have a feeling that for various financial and resource reasons it’s more “show” than cryptographic “strength”. Also that what might be called the “key” may either be included in the blob or used as more of a “salt” with a weak system key.

I guess we are going to have to wait a little while, but Facebook may have just set what is currently,

“The World’s Greatest Bragging Rights Challenge”

And a lot of keen minds will as with games consoles and similar, want to have their name associated with cracking this puppy wide open.

Ted July 18, 2022 1:06 PM

Yet another reason never to use or link to Facebook

Unfortunately it doesn’t necessarily matter if you have a Facebook account. Facebook is still getting people’s data.

A class action lawsuit was filed against Meta last month for using Meta Pixel on hospital websites. In one example, when a user clicked the “Schedule Online Now” button, the Meta Pixel sent the user’s IP address, the doctor’s name, and the condition that was selected from a dropdown menu.

lurker July 18, 2022 1:41 PM

@Ted

…when a user clicked the “Schedule Online Now” button, the Meta Pixel sent the user’s IP address, the doctor’s name, and the condition…

Isn’t there a law against that in some countries? Oh, wait, it’s FB . . .

EvilKiru July 18, 2022 3:30 PM

Why bother with stripping out only some parameters? Just strip EVERYTHING from the ? onwards.

RapidGeek July 18, 2022 3:45 PM

I can see this as a way to have political problems. “See the problems with encryption” says the clueless politicians. Only the government should have access to encryption. It is a slippery slope to ask politicians to “help” with anything encryption related. Please use the voice of the people with discretion and valor.

Frank B. July 18, 2022 4:39 PM

It’s almost like the internet should have been regulated as a commodity years ago.

Oh well, onward towards fascism and big brother we go.

Clive Robinson July 18, 2022 5:32 PM

@ RapidGeek, ALL,

It is a slippery slope to ask politicians to “help” with anything encryption related.

Encryption is just one of very many surface symptoms, of an underlying problem.

The real problem is those with a mental deficiency, who believe themselves to be better in some way thus more entitled than others.

That “entitlement” comes through as a series of steps of

1, Harming (sadism)
2, Status (narcissism)
3, Money (sociopathy)
4, Power (psychopathy)
5, Control (Machiavellism)

You see these in all “hierarchies” the first two are often clearly visible in “Guard Labour” that protect those at the higher levels.

The thing is to have “control” you need not just “information” but “knowledge” to put it the correct context.

For instance if you have the information I have bought 100kg of sugar, am I making preserves such as jam/jelly, or unauthorised whisky/moonshine, or am I going to do something “revolutionary” such as add it to people’s vehicle fuel tanks, or use it with some kind of oxidizing agent as a propellant or more rapid energy release and gas expansion.

To know this you need not just the information but also the “knowledge” of what sugar can be used for. Then further information and knowledge to home in on my intentions.

Ideally you need to sit in my personal interaction or private space. To see what I see, hear what I hear, hear what I say and see what I do. To do this needs considerable resources which makes it prohibitive in the traditional sense of things. Which acted as a limit on how much power and control etc were possible.

However forcing people to use technology channels where the ability to monitor is easy, automated, and effectively low cost, gives both information and knowledge. Realistically this use of technology to surveille started with the earliest of publicly available communications back two or three centuries ago, but came to the fore in the Victorian era, which caused the rapid rise of cryptography in non military or diplomatic uses.

Because these “official” channels were not just limited, but controlled at the “end points”, surveillance on everyone who uses the channels in either an open way (plaintext), or even a closed way (ciphertext monitored by traffic analysis) was possible. Thus “official public” channels have always been subject to surveillance by those who in effect control them.

For your “ciphertext” to be private / secure you need to be able to deny anyone but the intended recipients of your communications.

What this boils down to is for privacy in communications, you need as a minimum,

1, A “root of trust”/”shared secret”.
2, An already existing private/secure channel (to communicate 1).

If a third party gets access or control of either then you have no privacy / security.

Thus nearly all attacks on individuals’ privacy by the self entitled and their agents has involved maintaining access in some way to the “Root of Trust” / “Shared secret”.

Which is why the attacks on the use of “End to End Encryption”(E2EE) has been so intense.

Politicians, Corporates and civil servants will grudgingly let citizens have privacy from other citizens because that helps limit criminality. But they will fight tooth and nail to stop you having privacy from them as they need access to maintain status, money, power and control.

The obvious answer to the problem is to stop the “entitled” having any kind of access to hierarchical structures. But the only way to do that is unacceptable to most, for obvious reasons (not moral or ethical). So failing that the ordinary citizen needs communications free from “official control” and all the surveillance that comes with it. At the moment high quality and robust E2EE is a necessary minimum for citizens to have privacy.

vas pup July 18, 2022 5:38 PM

New documents reveal ‘huge’ scale of US government’s cell phone location data tracking
https://news.yahoo.com/documents-reveal-huge-scale-us-141255083.html

“The bulk of the data that CBP obtained came from its contract with Venntel, a location data broker that aggregates and sells information quietly siphoned from smartphone apps. By purchasing this data from data brokers, officials are sidestepping the legal process government officials would typically need to go through in order to access cell phone data.

Documents also detail the government agencies’ efforts to rationalize their actions. For example, cell phone location data is characterized as containing no personally identifying information (PII) in the records obtained by ACLU, despite enabling officials to track specific individuals or everyone in a particular area. Similarly, the records also claim that this data is “100 percent opt-in” and that cell phone users “voluntarily” share the location information. But many don’t realize that apps installed on their phones are collecting GPS information, let alone share that data with the government.

The ACLU says these documents are further proof that Congress needs to pass the bipartisan Fourth Amendment Is Not For Sale Act, proposed by Senators Ron Wyden (D-OR) and Rand Paul (R-KY), which would require the government to secure a court order before obtaining Americans’ data, such as location information from our smartphones, from data brokers.”

ASB July 18, 2022 6:20 PM

>Why bother with stripping out only some parameters? Just strip EVERYTHING from the ? onwards.

@EvilKiru — except that now, there is no ?

The entire post identifier is one big blob, rather than a destination + ?

For instance, I just posted this blog entry on my Facebook page, and here’s what that destination link looks like:

https://www.facebook.com/MyUserName/posts/pfbid02XxPugPbMfpm6Dw7hT7YvHNVFMqJdZCr1QzNjLe3n2SAQgLYRbTMRuq58t7ufnDB3l

There are no visible parameters to filter out, in part or in whole.

SpaceLifeForm July 18, 2022 6:33 PM

@ EvilKiru

Just strip EVERYTHING from the ? onwards.

I believe that is the entire reason FB is doing this, so that you can not strip those parameters, because they are no longer required for tracking purposes.

lurker July 18, 2022 7:04 PM

@vas pup

…many don’t realize that apps installed on their phones are collecting GPS information…

I’ve checked some of the links in that story, and there’s no confirmation that it is GPS data being collected. Cell tower ID could be extracted from the radio; some apps scan for BT beacons. I have GPS off mostly because it’s a battery hog.

When I was in China I left GPS on to verify my location on a map app. The authorities knew where I was from their cameras and humint agents.

I also have that NYC Subway map: every time it loads it asks for location, and every time I say No. If I click yes, and then it never asks again, is that Opt-in? Would they know or care a NYC Subway map user is located in the South Pacific Ocean?

Ted July 18, 2022 7:59 PM

@lurker

Isn’t there a law against that in some countries? Oh, wait, it’s FB . . .

There are 7 causes of action in the medical privacy lawsuit, including Breach of Contract, Negligent Misrepresentation, Constitutional Invasion of Privacy (CA), and so on.

https://regmedia.co.uk/2022/06/20/meta_class_action_propsoed_suit.pdf

From the lawsuit:

In reality, Facebook does not actually verify publishers have obtained adequate consent per the contract…Facebook’s contract with medical providers for use of the Facebook Pixel does not mention HIPAA at all. Facebook does not take any action to discourage medical providers from using the Facebook Pixel. Facebook actively encourages medical providers to use the Facebook Pixel for their marketing campaigns. (edited to remove line numbers)

SpaceLifeForm July 18, 2022 10:13 PM

@ ASB

In your example, yes there are no ? parameters.

But in the ghack article (first link), they specifically show an example that still has ? parameters. But, if you were to strip that off, then functionality is lost.

Noting the URL here for clarity:

‘https://www.ghacks.net/2022/07/17/facebook-has-started-to-encrypt-links-to-counter-privacy-improving-url-stripping/

The main issue here is that there it is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address. Removing the entire construct after the ? would open the main Facebook page of Ghacks Technology News, but it won’t open the linked post.

Deon July 18, 2022 11:44 PM

Bing recently started doing this too. I guess now I know why. Sometimes the full URL is displayed but not linked; other times it’s abbreviated with “…”, in which case the only way to access it is via the tracking link. The tracking link leads to a page that appears blank; disabling stylesheets reveals the invisible text “Please click here if the page does not redirect automatically …”, with yet another encrypted-looking link that actually works.

Jurgen July 19, 2022 4:46 AM

… So, when one has security-enhancing controls in place (and obviously, no clear, active opt-in consent given), Facebook disables them for their commercial benefit? Sounds like hacking for monetary gain, which would make said company a criminal organization?

Erick July 19, 2022 8:19 AM

Apropos Facebook, I just read they have agreed to pay $90 million to resolve claims alleging unlawful user tracking on non-Facebook websites.

The settlement benefits people who were Facebook users between April 22, 2010, and Sept. 26, 2011, inclusive, and visited non-Facebook websites that displayed the Facebook “Like” button.
[…]
Facebook does not admit to wrongdoing and denies that it violated any law but has agreed to pay $90 million to settle the litigation to avoid the costs and risks associated with continuing the case.

hxxp://topclassactions.com/lawsuit-settlements/open-lawsuit-settlements/facebook-external-site-user-tracking-90-class-action-settlement/

Erick July 19, 2022 8:23 AM

@Fiberduck
Maybe use the facebook onion site? Can they tamper with that url?

A Facebook site for privacy conscious onion users sounds extra fishy.

Erick July 19, 2022 8:32 AM

@TheUnderdog
Sue them for GDPR violations given it is pre-emptive tracking without consent.

There could be something to that. It better be under GDPR because otherwise there is a risk that the only winner is the litigating law firm. As with the “like” button issue where they collected data, paid to settle the law suit, and afterwards may have continued in the same manner.

JonKnowsNothing July 19, 2022 11:31 AM

@Deon, @All

re: reveals the invisible text “Please click here if the page does not redirect automatically …”,

It’s not just on page jumps, the same hidden directives are added to “email validation messages”.

If your email is set to HTML with all the doodads active, and you get the “we are sending you a validation email: click the link to validate your account”, you see a jump link active and in theory, that link takes you to a hidden webpage that allows you to validate your account and login.

If your mail is set to Plain Text and no doodads, you see the message but no link and in some cases View Source will truncate the jump link so you cannot copy paste it.

Recently, I ran into one of these hidden validation jump links and couldn’t collect the jump link until I’d done a fair bit of hunt n pecking. You are at the mercy not only of the code in the link but also by the text display method in use.

Anonymous July 19, 2022 12:56 PM

@Leon Theremin

Anyone can do simple experiments to confirm this.

I can attest that ad blockers, ghostery uBlock origin etc do keep you largely free of ads in the browser.

Not having Twitter or Facebook helps too and I do not watch YouTube much. When I watch YouTube, my tastes and history seem to make me not eligible for ads, as I see them rarely.

Winter July 19, 2022 12:56 PM

@Leon Theremin

Anyone can do simple experiments to confirm this.

I can attest that ad blockers, ghostery uBlock origin etc do keep you largely free of ads in the browser.

Not having Twitter or Facebook helps too and I do not watch YouTube much. When I watch YouTube, my tastes and history seem to make me not eligible for ads, as I see them rarely.

EvilKiru July 19, 2022 2:00 PM

@SpaceLifeForm: I did attempt to follow the first ghacks example link after stripping off the ? and everything after, but abandoned the attempt when facebook asked me to log in.

SpaceLifeForm July 19, 2022 3:24 PM

@ EvilKiru

Thank you for testing. I was not going to test it myself as I have never been to the cesspool that FB is and will not go there.

Note that ghacks had different results because ghacks WAS logged in.

And, it was still broken for them, the creator of the post.

lurker July 19, 2022 4:19 PM

@Apokrif
I looked at Stallman’s page and followed a couple of links. There seems to be an insistence that FB is collecting “GPS” location data. I must be on the wrong planet, but I cannot understand why people in modern urban environments would need GPS always on.

If they cannot walk a kilometre and return to their start point – ah, they cannot walk. Driving around in a motorcar, or worse in the back seat of a taxi, obscures the ability to make a mental trail and note landmarks. And those who cannot read a paper map shouldn’t be allowed on the streets alone.

JonKnowsNothing July 19, 2022 5:22 PM

@lurker, @All

re: “GPS” location data always on

There are 2 reasons (at least 2) for GPS to always be ON. The first you identified: built in lack of knowledge.

It was historically, and even in recent years, that some maps or even having a map, was considered a high level military secret and if you were not authorized to have one, you were labeled a spy and executed.

By reducing the area of knowledge for a particular spot, it reduces or is supposed to reduce military threat. I know how to navigate to my market but I don’t know how to navigate to yours. The less I know about your place, the lower the threat level.

Even the ability to read a paper map can be considered a Military Secret. Some countries never teach anyone how to read a compass or a map. Navigation games like Dead Reckoning or Orienteering are not appreciated in those locations. Folks tend to wander into serious bother with or without knowing the accuracy of their position and if someone else doesn’t like where you are standing, end of life bother can happen too.

It is similar to the effect of a major disaster or hurricane, where all the landmarks are blown down or destroyed. Locals navigate by visual land cues and if those are destroyed it causes difficulties (see missile strikes that don’t make sense).

The other reason for it to be On All the time is the USA+Google+3Ls GPS global mapping program designed to map every identifiable object in any image at any time of day or season.

This Google+NSA project scrapes all images from the internet with or without GPS markers and builds a ginormous cross reference to every identifiable object in the picture (stones, stairs, trees, coastline, mountain range). With this cross reference system they can take any image that has had the GPS stripped from it and if there is any identifiable object at all, they can stamp a GPS on it.

A recent MSM story about this cross GPS mapping was about a USA big game hunter taking a trophy animal in Alaska. Nice picture of hunter + dead animal + fabulous landscape. The Canadians were not convinced that this animal was in Alaska but was instead in Canada. Using the above techniques, they matched the skyline, trees, rocks and surrounding brush lands, hiked in, took a confirmation image with GPS tag showing, that the animal was inside Canadian borders. The hunter confessed that he shot it across the boundary (1).

So 2 parts:

1, to make average people ignorant
2, to make it impossible to be anywhere on the planet where you cannot be found.

===

1) A corollary to the cross the border shot. The US Courts have ruled that US Border Patrol and other LEAs may shoot and kill people on the other side of the border and face no penalties. It is not illegal to kill citizens of another country (Mexico/Canada) while they are standing inside their own country by US LEAs standing on the USA side of the border.

lurker July 19, 2022 6:54 PM

@JonKnowsNothing, “USA+Google+3Ls GPS global mapping”

I still have the liberty to believe that’s them, not us.

Tom S July 21, 2022 12:10 AM

The only social media that I use, in a highly restricted manner, is linkedIn. I figure that using any other social media could impair the ability to obtain/maintain a clearance.

Savita July 24, 2022 7:37 PM

Tom S

You may wish to look up the history and practices of Linked In. I’m sure this site will be a good place to start. Assuredly at least as bad as any social media site

So, typically, we get the usual voices from 60+ year old experts in computer security with highly specialised knowledge unavailable to the majority, who scoff and say, oh well, doesn’t matter, not me, I’m too elite and too good for facebook.

What about everyone else?
What about those who dislike it just as much as you but certain responsibilities such as being a single parent, force them to participate for access to certain services

Privacy and security belong to everyone

Agreed, the world would be better off with facebook. It would be better if people didn’t use it.
But a very small percentage of the whole that is FB, also provides a service, for some people and some groups. And that small percentage is extremely necessary until a replacement arrives.

( And until it gets broken up and nationalised, which is inevitable if we wait long enough)

harden the browser
use u block origin in your browser
don’t use facebook on the phone
close the browser immediately after using FB
and run bleach bit

that will all go a long way

Filoberto August 15, 2022 3:14 AM

Maybe FB and others should be considered as external political entities. What if other nations collect this data? What would be your and your country reaction?

Tim August 15, 2022 10:16 AM

For most of my Internet browsing, I use Brave.

If I have to go to FB, I use Chrome. When I am done with my FB session and sign out of FB, I delete the history and cookies in Chrome before exiting Chrome (and I do this after I close the tab that I used for FB). And while using FB, I do not open any other tabs in Chrome and go to non-FB sites.

Also, my FB account is locked down (meaning no one can find me, no one I do not know can message me, etc.).

In this scenario, how much info is FB getting from me?

Paul Kosinski August 15, 2022 1:34 PM

I have recently started worrying that the move to encrypting the Web (i.e., HTTPS) can decrease security and privacy as well as increase them. My particular concern is that it is now difficult to detect Javascript malware or spyware, or dangerous links, since simple tools like HAVP no longer can examine content delivered via HTTPS.

In the past I was leery of short, indirect URLs, but I had not thought of encrypted link targets. Given Facebook’s long history of shady practices (such as one reported by John Dvorak over 20 years ago), this new one shouldn’t surprise me though,

Clive Robinson August 15, 2022 6:34 PM

@ Paul Kosinski, ALL,

Re : Who and where do they attack.

You note that as with many things in life “security has a perversity” in this case with traffic,

“I have recently started worrying that the move to encrypting the Web (i.e., HTTPS) can decrease security and privacy as well as increase them.”

The old communications security model was that the first party in the communications “Alice” had a level of trust in the second party “Bob” and the untrusted third party “Eve” was trying to “eavesdrop” on the communications between Alice and Bob.

If you ignore meta-data and traffic analysis, then the simple solution to protect a message was to use end to end encryption past the endpoints of the communications “Shannon Channel”. Logic then indicates that as long as the innermost Shannon communications channel remains encrypted / secure, it matters not how many Shannon Channels, secure or otherwise you send the message down the message contents remain private to Alice and Bob.

However Eve has meta-data to fall back on, She can see

1, Where the TX occurs (Position).
2, When the TX occurs (Time).
3, The TX length (max message Size).
4, The pattern of TXs (Tempo).
5, TX party behaviour (Actions).

Eve might also be able to see,

6, Where the RX occurs (Position).
7, Which TX’s are RX’d (Relevance).
8, RX party behaviour (Actions).

From this meta-data a surprising amount can be learnt in near real time without any need to break the encryption, key schedule or OpSec errors.

Importantly it becomes easier to collect the TX meta-data and more meaningful in a traditional network environment the Internet is, as opposed to a broadcast environment, where nothing may be known about the RX party if there even is one (look up Number Stations and Traffic padding).

That was the old communications security model.

However today the Alice to Bob parties no longer trust each other, and it’s not message security that is so much the concern as first party privacy from the second party.

That is within the traditional innermost Shannon Channel, there are now more Shannon channels the purpose of which is to obtain Private Information from the first party Alice, that she does not want to disclose in particular or in general.

Without going into long tedious explanations it is clear that Alice is going to have Private Information disclosed and can not avoid so doing. Because the second party content suppliers such as Google and the like,

1, Control servers at the plaintext level.
2, Control the content providers.
3, Control the Web Client developers
4, Control the Web Standards organisations.
5, Control the network services Standards organisations.
6, Increasingly control Open Source development.
7, Increasingly control Operating System development.

That is they can,

1, Create Shannon channels the first party is unaware of.
2, Download code to run on the first parties computer they are unaware of.
3, Ensure “sand boxes” are ineffective.

And a whole lot more.

Oh and in the case of Google and Android OS,

4, Make security products to limit these activities “unavailable” through their “walled gardens”.

So yes you have good reason to be concerned, and in many cases there is little or nothing a user can do, because there is no effective “trust relationship” and appalling legislation and non existent regulation to stop them.

To stop such behaviour requires an inline gateway that stops JavaScript and similar, as well as the vast egregious nonsense in HTML 5.

To do this means breaking the traditional end to end security model and for obvious reasons becomes very quickly problematical.

The only ways to stop this nonsense are,

1, Break hold on standards
2, Break hold on OS
3, Break hold on App development

And a few other things. However the big problem is the US Government amongst others sees advantages to commercial organisations collecting Private Information on users for them. Thus have put in place legislation that not just allows but positively encourages as much Private Information as possible.

Obviously legislation needs to be “cleaned up” but that is not going to happen any time soon…
