Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't stop Firefox background connections #509

Open
emanruse opened this issue Feb 28, 2021 · 24 comments
Open

Can't stop Firefox background connections #509

emanruse opened this issue Feb 28, 2021 · 24 comments

Comments

@emanruse
Copy link

Using tcpdump I notice that Firefox continues to make background connections regardless of the fact that I use this user.js. I even tried the additional privacy settings suggested at https://wiki.archlinux.org/index.php/Firefox/Privacy (except those for omni.ja) but still, the moment I start Firefox (which shows nothing but about:blank tab) tcpdump shows:

...
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 31
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 24
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 513
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
...

Why is this happening? (even without extensions)

I don't want to announce to Amazon (or anyone else) "Hey, I have just started my browser, here is my IP address (personal data as per GDPR) for your purposes". I want to connect only to the websites I explicitly type in the URL bar.

@pyllyukko
Copy link
Owner

pyllyukko commented Mar 9, 2021

Have you manually disabled tracking protection? Even after that Firefox seems to make some automatic connections to places like detectportal.firefox.com. Are you sure those are from Firefox as tcpdump shows all connections from your host?

You can check the DNS queries made before those connections for more clues what are those particular connections.

@emanruse
Copy link
Author

emanruse commented Mar 10, 2021 via email

@emanruse
Copy link
Author

emanruse commented Apr 23, 2021 via email

@pyllyukko
Copy link
Owner

Can you provide the DNS requests happening before these connections so we can narrow down the culprits?

@emanruse
Copy link
Author

emanruse commented Apr 28, 2021 via email

@Atavic
Copy link

Atavic commented May 25, 2021

Hi, I can't see browser.selfsupport.url in current user.js
According to mozilla support that entry is responsible for startup persistent connections.

BTW for a non-backgorund connections setup, check about:networking while disconnected; then remove URLs via about:config

@emanruse
Copy link
Author

emanruse commented May 27, 2021 via email

@pyllyukko
Copy link
Owner

Could you explain how to do this?

tcpdump -i any -n 'port 53' or using Wireshark.

@emanruse
Copy link
Author

emanruse commented May 30, 2021 via email

@Atavic
Copy link

Atavic commented Jun 8, 2021

[https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2021-06-11-15-04-32.chain](The URI) lists 3 certificates:

remote-settings.content-signature.mozilla.org
Content Signing Intermediate/emailAddress=[email protected]
root-ca-production-amo

You can view source and check CRT with these services:
www.view-page-source.com/
www.sslshopper.com/certificate-decoder.html

You may get errors in the future when the Certificates expire.

@Atavic
Copy link

Atavic commented Jun 8, 2021

2nd CRT appears in autograph and everything is hosted by amazon

Reddit linked to this

@emanruse
Copy link
Author

emanruse commented Jun 13, 2021 via email

@Atavic
Copy link

Atavic commented Jun 16, 2021

Totally.
You can:

  • reduce the trustwothiness of the many certificates present by default. Same goes with systems as a whole, see here
  • The best source I have found about this is @ScottHelme , who says that revocation-checking-is-pointless
  • Lastly, obfuscasting the User Agent String has lost interst for most people, but it's still useful in limited cases. Check Eclipsed Moon addon for Palemoon/Mypal in Smart mode if interested.

@emanruse
Copy link
Author

emanruse commented Jul 17, 2021 via email

@Atavic
Copy link

Atavic commented Jul 28, 2021

Short answer: you can use firewall rules or modify hosts file, See:
https://github.com/arkenfox/user.js/issues/917#issuecomment-609007023

You may also look at athe aliases with the nslookup command:
uBlockOrigin/uBlock-issues#1641 (comment)

@Atavic
Copy link

Atavic commented Jul 28, 2021

@nodiscc
Copy link
Contributor

nodiscc commented Jul 28, 2021

you can use firewall rules or modify hosts file

DNS/hosts file level filtering is indeed the simplest way to prevent these connections. Firewall/IP-based level filtering is extremely hard to enforce unless you know in advance to which IP these names will resolve (frequently changing IP addresses/CDN)

How do I do this on Linux?

https://wiki.archlinux.org/title/Transport_Layer_Security#Certificate_authorities

I don't think Firefox uses the OS certificate store though? Trusted certificate authorities are hardcoded in https://github.com/mozilla/gecko-dev/blob/master/security/nss/lib/ckfw/builtins/certdata.txt

@Atavic
Copy link

Atavic commented Jul 31, 2021

How do I do this on Linux?

I was referring to the OS, incidentally Arch uses CA certificates from Mozilla CA Certificate Store as a default

On topic, these connections are security related as insure that the Mozilla services delivered to the browser are indeed legitimate and there's no man-in-the-middle. It's called Autograph

I personally have no use of any service within the broswer, so I'd like to stop all of this.
In Firefox Zero there's an entry related to this:

user_pref("services.settings.server", ""); // Disable contacting settings server

Sorry, but it's an old user.js applied on a non-updated firefox. Also, this entry is widely available with a search like this that focuses on kinto, the server used for global synchronization.

Devs insert a dummyServerURL instead. The orginal URL to a chain of certificates that link to a trusted root is called x5u

@nodiscc
Copy link
Contributor

nodiscc commented Aug 1, 2021

services.settings.server

This pref is still present for me (Firefox ESR 78.12.0esr-1~deb10u1, Debian 10), it is set to the default value https://firefox.settings.services.mozilla.com/v1/

It seems there is some related documentation at https://remote-settings.readthedocs.io/en/latest/ and https://docs.kinto-storage.org/en/latest/tutorials/synchronisation.html#polling-for-remote-changes

@emanruse does changing this pref to a dummy URL such as https://localhost change anything to the connections you are seeing in tcpdump/wireshark?

To make your research easier I suggest enabling logging of DNS queries. If you are using a Linux distribution with network-manager you can create /etc/NetworkManager/conf.d/localdns.conf:

[main]
dns=dnsmasq

(make NetworkManager use a local, caching DNS server, maybe it is already setup this way on your distribution, check with grep -r dns= /etc/NetworkManager)

Then setup dnsmasq to log queries in /etc/NetworkManager/dnsmasq.d/options:

log-queries

@travankor
Copy link

Is there a reason why there is no about:config setting for this? Is there an upstream bug for this, or was it rejected for some reason?

@emanruse
Copy link
Author

emanruse commented Sep 19, 2021 via email

@adrelanos
Copy link

As per:

Do you agree that pursuing the Radio Silence feature (no phone home, no background connections by default) is a laudable goal for a browser dedicated to enhancing user privacy?

In other words, can this ticket still being open be interpret as this being a good development goal, yet not done because it is difficult to implement?

@emanruse
Copy link
Author

emanruse commented Feb 16, 2024 via email

@nodiscc
Copy link
Contributor

nodiscc commented Apr 14, 2024

this may need source code patching, which seems beyond this project's scope.

definitely out of scope in my opinion

can this ticket still being open be interpret as this being a good development goal, yet not done because it is difficult to implement?

I think yes. It is likely we will need an automated test environment setup for this (e.g. start tcpdump and firefox with the latest user.js in parallel, investigate packet captures, improve user.js, rinse and repeat until there are no more unwanted outgoing connections in the capture)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants
@pyllyukko @adrelanos @nodiscc @Atavic @travankor @emanruse and others