Privacy issues with FF (and forks) (automatic connections) #365
Comments
Why not Palemoon? By looking at ff-tcpdump-1 log from the first link, I see: Other connections come from updates checks, either by addons/webextensions or other services. Are you checking for updates automatically? akamai - amazon - cloudflare are CDN used by mozilla, microsoft, apple and more. |
I have tested also Palemoon, Chromium, Konqueror, Midory, Brave, lynx. Palemoon (after some tuning of preferences) shows zero packets (= private) even without using your user.js. However Palemoon doesn't support WebExtensions and I am looking for a browser in which I can use the latest versions of uMatrix and uBO because I find those 2 extensions essential for additional browsing privacy and security. Re. the rest of your comment: With home page set to blank and with all updates turned off there is still background chattering (unless all URLs are deleted from the about:config variables). |
|
Hi. Thanks for bringing this up.
Just to clarify... these tests didn't include our user.js, but just the hand picked settings tweaked?
Interesting approach. I prefer the more traditional method of:
One method to have more visibility into these connections is to:
This project indeed also aims to disable most of the privacy invading automatic connections. With few exceptions:
I'll look into this.
Also #344 (comment) |
The exact steps are described in the referenced bug reports. Perhaps some of the settings match your user.js. Additionally (apart from those 2 bug reports) I have made a separate test using your user.js and applying: Preferences
Further in I also zeroed all Testing with these settings applied on top of the downloaded user.js shows indeed zero communication with any host. But as soon as you open the Preferences page - some packet start to fly in the background.
I have done this but Firefox is the worst browser of all which I tested, i.e. - the least private one. I have already spent so much time with it that at certain point I simply decided to see if it is possible at all to put it in a state with zero packet communication. That's why I acted brute forcefully. But of course a more methodical approach would be more meaningfull. Unfortunately not all about:config settings are documented and Mozilla is uncooperative as you can see. So this is how I ended up here. I am not planning to use Firefox because I simply don't trust Mozilla with all their privacy direspecting "safety" features. But at least it may be useful to learn what proper settings to use with some of the forks (e.g. IceCat).
That is too much trouble and unnecessary imo. If the browser doesn't do what I say but connects to Amazon, Akamai or whoever without even asking me - that is enough to know that the user IP address is already sent to Amazon and Amazon knows who has started their browser. I don't know if you have looked at the datareporting archives but they look like a complete fingerprint of the system - there is info about the CPU parameters, about the hard drive capacity, even the model of the video card. And that is obviously sent to company X, Y, Z... by default. So far the only browsers which I have tested which can be fairly easily set to zero packet communication are: Chromium (with the exception that it sends a single packet to translate.google.com on opening of preferences but that can be easily blocked through /etc/hosts) FWIW I also tested Thunderbird - it chatters like Firefox. No idea about the Android version of FF but probably there are even uglier things there. Have you tested?
I see it mentions ghacks. I was planning to look at ghacks later but that is such a huge amount of info. Ideally one would like the best of your and their user.js. Any docs how to do that? |
|
A lot of the automatic connections are documented here: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections |
This is old stuff. The linked bug reports comment this. |
Never use the search bar in your browser, it's insta-tracking. I personally don't use any protective service from within the browser. I turned both these services off. You can block malware sites with blacklists in uBo or with a tool running at system level as a local proxy. Long time ignored, don't bother sending any DNT header. I don't know what are those, but I turned off any single service provided, as sync.
Here you have a possible culprit, as this thing checks for updates at browser start. |
I don't know what you mean by that. The last known non-WebExtension version of uMatrix is 1.1.4 from 17.Nov.2017: https://github.com/gorhill/uMatrix/releases/tag/1.1.4 Today there is already uM 1.3.2 but it is a WebExtension. Additionally for uBO legacy gorhill writes:
https://github.com/gorhill/uBlock/wiki/Firefox-WebExtensions which (if I read it correctly) means one could not expect everything to be up to date with the non-WebExt versions. Considering all that: In case you know a way to use latest uBO and uM with Palemoon that would be very interesting for me.
How come? Thanks for the additional tips. I just explained the steps used in the test when I made it (which was earlier than writing here).
I don't know either. And I believe that setting that to ON actually turns the service off?
I will test without it. |
|
Basilisk devs don't seem concerned about privacy at all: https://github.com/MoonchildProductions/moebius/issues/326 I will check K-Meleon, thanks. |
|
Regarding your point of having a browser that doesn't connect at startup: I can confirm that both k-meleon and Palemoon can achieve it. On windows, with TCPView by sysinternals I see that both connect only to the local proxy (set in their respective options). Same with Firefox 52.0 and Seamonkey 2.49.02 (pre-webext versions). |
|
The point is much wider than not connecting on startup. As I explained earlier - I could achieve no startup communication with FF but as soon as Preferences are opened - packets start flying. So the actual purpose of the tests is to check if browsers are privacy respecting or create connections with 3rd party hosts (on startup or at any time later) without explicit request from the user. If a program tells Amazon or Akamai what you do, that is a privacy issue, however clever arguments the vendors may provide to defend their "features". |
|
Some connections happen when you click on tools > addons menu as the page is populated. |
|
Can you please provide the full set of user.js entries which ensure full privacy (no 3rd party packets)? |
|
It might be worthy FYI, to mention this bug on bugzilla: |
|
Thanks @Atavic, I will look at that. |
|
Ok, I have done some testing and I think I have found the zero packet privacy with a fairly good Panopticlick result (9.71). Here are the settings: I am still trying to figure how to set default search engine to DuckDuckGo and remove all others through about:config. Is that possible? What's left is to research further as per #367. |
|
Note: The above settings need to be added to the end of the |
|
OCSP is of questionable value, especially if hard fail is not enforced (is it?). Google have disabled OCSP in Chrome because of its reduced effectiveness. An attacker can exploit even stapled OCSP (or a CRLSet update). So I am not quite sure whether the reduced privacy gives any actual additional security. https://en.wikipedia.org/wiki/Ocsp#Privacy_concerns |
|
I agree. We had some discussions in this repo about it. Hard-Fail isn't enforced but it's set with: privacy... security: https is overused IMHO. I use this ninfty addon: |
ghost
mentioned this issue
|
I use HTTPS Everywhere by EFF. |
|
Just want to say I like what you're doing Anchev, keep up the great work! |
Tried these?: lockPref( 'browser.search.defaultenginename', 'DuckDuckGo' )
lockPref( 'browser.search.order.1', 'DuckDuckGo' )
lockPref( 'browser.search.order.2', 'DuckDuckGo' )
lockPref( 'browser.search.order.3', 'DuckDuckGo' )
clearPref( 'browser.search.defaultenginename.US' )
clearPref( 'browser.search.order.US.1' )
clearPref( 'browser.search.order.US.2' )
clearPref( 'browser.search.order.US.3' )
defaultPref( 'browser.search.defaultenginename.US', 'data:text/plain,browser.search.defaultenginename.US=DuckDuckGo' )
defaultPref( 'browser.search.order.US.1', 'data:text/plain,browser.search.order.US.1=DuckDuckGo' )
defaultPref( 'browser.search.order.US.2', 'data:text/plain,browser.search.order.US.2=DuckDuckGo' )
defaultPref( 'browser.search.order.US.3', 'data:text/plain,browser.search.order.US.3=DuckDuckGo' ) |
|
@TriMoon - this doesn't seem to change anything. Ideally I am looking to have the non-JS version of DDG (duckduckgo.com/html/) as the one and only search engine. |
|
You can add the search engine on that page, or download it (link was inside the html of that page)
What exactly did you expect to change and didn't? Note, those settings won't work in a regular |
I applied the settings you suggested in I will check the other links you shared. Thanks. |
|
I followed the instructions and now DDG is the default search engine. Thanks! Any idea how to delete all the other search engines through prefs? |
|
You're welcome, |
|
Mozilla doesn't care much, even about fixing support docs, as you can see in the shared bug reports. |
|
That's a bit harsh if you consider the fact that "Mozilla" in your context is not a single person but a whole planet of volunteers like you and me 😉 |
|
Mozilla Corporation is a multi-million dollar company partnering with Google. |
|
Old issue: #20 |
ghost
mentioned this issue
|
There's a bugzilla discussion about privacy labels for addons/webextensions: |
pyllyukko
changed the title
Hi,
In the last month I have tested many browsers. Here I think it is worth to mention only Firefox, WaterFox, IceCat, Basilisk. All of them make background connections even with this user.js applied and even with additional tightening of privacy settings.
I thought I should bring to your attention that Mozilla seems not to respect privacy at all and the attempts to report actual observable privacy issues. I have published the full testing procedure and results in these bug reports (second one being more recent):
https://bugzilla.mozilla.org/show_bug.cgi?id=1424781
https://bugzilla.mozilla.org/show_bug.cgi?id=1432248
Another thing which I found (during testing Basilisk). In about:config I did some brute force cleaning: I zeroed all variables which contained URLs. There were 2-3 for which it wasn't possible, I don't know why. Final result:
All this makes me think that such brute force cleanup in about:config may be possible for other Firefox clones. However as I haven't read what each setting does (and there isn't even documentation about everything), this may have some other (probably negative) effects feature-wise. Perhaps you could dig deeper and share if it is at all possible to receive the desired zero-packet background communication. As a whole after all the lengthy tests and the replies of Mozilla: I am questioning whether one should use even a fork of Firefox. It seems the whole browser framework is made in such a way that it really imprisons the user forcing him to sacrifice privacy for security which is a bad design as a whole.
The text was updated successfully, but these errors were encountered: