Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Privacy issues with FF (and forks) (automatic connections) #365

Open
ghost opened this issue Jan 26, 2018 · 36 comments
Open

Privacy issues with FF (and forks) (automatic connections) #365

ghost opened this issue Jan 26, 2018 · 36 comments
Labels

Comments

@ghost
Copy link

ghost commented Jan 26, 2018

Hi,

In the last month I have tested many browsers. Here I think it is worth to mention only Firefox, WaterFox, IceCat, Basilisk. All of them make background connections even with this user.js applied and even with additional tightening of privacy settings.

I thought I should bring to your attention that Mozilla seems not to respect privacy at all and the attempts to report actual observable privacy issues. I have published the full testing procedure and results in these bug reports (second one being more recent):

https://bugzilla.mozilla.org/show_bug.cgi?id=1424781
https://bugzilla.mozilla.org/show_bug.cgi?id=1432248

Another thing which I found (during testing Basilisk). In about:config I did some brute force cleaning: I zeroed all variables which contained URLs. There were 2-3 for which it wasn't possible, I don't know why. Final result:

All this makes me think that such brute force cleanup in about:config may be possible for other Firefox clones. However as I haven't read what each setting does (and there isn't even documentation about everything), this may have some other (probably negative) effects feature-wise. Perhaps you could dig deeper and share if it is at all possible to receive the desired zero-packet background communication. As a whole after all the lengthy tests and the replies of Mozilla: I am questioning whether one should use even a fork of Firefox. It seems the whole browser framework is made in such a way that it really imprisons the user forcing him to sacrifice privacy for security which is a bad design as a whole.

@Atavic
Copy link

Atavic commented Jan 26, 2018

Here I think it is worth to mention only Firefox, WaterFox, IceCat, Basilisk.

Why not Palemoon?

By looking at ff-tcpdump-1 log from the first link, I see: tiles.r53-2.services.mozilla.com
and that means you haven't changed your homepage to: about:blank which won't start any connection whatsoever.

Other connections come from updates checks, either by addons/webextensions or other services. Are you checking for updates automatically?

akamai - amazon - cloudflare are CDN used by mozilla, microsoft, apple and more.

@ghost
Copy link
Author

ghost commented Jan 26, 2018

Why not Palemoon?

I have tested also Palemoon, Chromium, Konqueror, Midory, Brave, lynx. Palemoon (after some tuning of preferences) shows zero packets (= private) even without using your user.js. However Palemoon doesn't support WebExtensions and I am looking for a browser in which I can use the latest versions of uMatrix and uBO because I find those 2 extensions essential for additional browsing privacy and security.

Re. the rest of your comment: With home page set to blank and with all updates turned off there is still background chattering (unless all URLs are deleted from the about:config variables).

@pyllyukko
Copy link
Owner

pyllyukko commented Jan 26, 2018

Hi.

Thanks for bringing this up.

https://bugzilla.mozilla.org/show_bug.cgi?id=1424781
https://bugzilla.mozilla.org/show_bug.cgi?id=1432248

Just to clarify... these tests didn't include our user.js, but just the hand picked settings tweaked?

All this makes me think that such brute force cleanup in about:config may be possible for other Firefox clones. However as I haven't read what each setting does (and there isn't even documentation about everything), this may have some other (probably negative) effects feature-wise. Perhaps you could dig deeper and share if it is at all possible to receive the desired zero-packet background communication.

Interesting approach. I prefer the more traditional method of:

  • Observe a connection
  • Hunt down the setting
  • Rinse and repeat

One method to have more visibility into these connections is to:

  • Run Burp Suite
  • Install the Burp CA into Firefox (for TLS MITM)
  • Configure Firefox to use that proxy for all connections
  • Inspect the HTTP requests come and go

This project indeed also aims to disable most of the privacy invading automatic connections. With few exceptions:

  • Firefox update
  • Safe browsing

I'll look into this.

By looking at ff-tcpdump-1 log

Also #344 (comment)

@ghost
Copy link
Author

ghost commented Jan 26, 2018

Just to clarify... these tests didn't include our user.js, but just the hand picked settings tweaked?

The exact steps are described in the referenced bug reports. Perhaps some of the settings match your user.js. Additionally (apart from those 2 bug reports) I have made a separate test using your user.js and applying:

Preferences

  • When Firefox starts: show blank page
  • Check spelling as you type: OFF (I don't know if that includes any connections but just in case)
  • Allow Firefox to automatically install updates (recommended): OFF
  • Default search engine: DDG
  • Always use private browsing mode: OFF
  • Accept cookies from websites: OFF
  • Tracking protection block list: Disconnect.me 'strict'
  • Send "Do Not Track": always
  • Prevent accessibility services from accessing your browser: ON
  • Block dangerous and deceptive content: OFF
  • Query OCSP responder services: OFF

Further in about:config I have set:

browser.ping-centre.telemetry;false
toolkit.telemetry.archive.enabled;false
toolkit.telemetry.bhrPing.enabled;false
toolkit.telemetry.debugSlowSql;false
toolkit.telemetry.firstShutdownPing.enabled;false
toolkit.telemetry.newProfilePing.enabled;false
toolkit.telemetry.shutdownPingSender.enabled;false
toolkit.telemetry.updatePing.enabled;false

I also zeroed all safebrowsing related variables and left only browser.safebrowsing.allowOverride;true.

Testing with these settings applied on top of the downloaded user.js shows indeed zero communication with any host. But as soon as you open the Preferences page - some packet start to fly in the background.

I prefer the more traditional method of

I have done this but Firefox is the worst browser of all which I tested, i.e. - the least private one. I have already spent so much time with it that at certain point I simply decided to see if it is possible at all to put it in a state with zero packet communication. That's why I acted brute forcefully. But of course a more methodical approach would be more meaningfull. Unfortunately not all about:config settings are documented and Mozilla is uncooperative as you can see. So this is how I ended up here. I am not planning to use Firefox because I simply don't trust Mozilla with all their privacy direspecting "safety" features. But at least it may be useful to learn what proper settings to use with some of the forks (e.g. IceCat).

One method to have more visibility into these connections is to

That is too much trouble and unnecessary imo. If the browser doesn't do what I say but connects to Amazon, Akamai or whoever without even asking me - that is enough to know that the user IP address is already sent to Amazon and Amazon knows who has started their browser. I don't know if you have looked at the datareporting archives but they look like a complete fingerprint of the system - there is info about the CPU parameters, about the hard drive capacity, even the model of the video card. And that is obviously sent to company X, Y, Z... by default.

So far the only browsers which I have tested which can be fairly easily set to zero packet communication are:

Chromium (with the exception that it sends a single packet to translate.google.com on opening of preferences but that can be easily blocked through /etc/hosts)
Midori
Konqueror
Palemoon
lynx

FWIW I also tested Thunderbird - it chatters like Firefox. No idea about the Android version of FF but probably there are even uglier things there. Have you tested?

Also #344 (comment)

I see it mentions ghacks. I was planning to look at ghacks later but that is such a huge amount of info. Ideally one would like the best of your and their user.js. Any docs how to do that?

@fmarier
Copy link
Contributor

fmarier commented Jan 26, 2018

A lot of the automatic connections are documented here: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

@ghost
Copy link
Author

ghost commented Jan 26, 2018

A lot of the automatic connections are documented here: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

This is old stuff. The linked bug reports comment this.

@Atavic
Copy link

Atavic commented Jan 26, 2018

Palemoon doesn't support WebExtensions

Palemoon site lists the available addons:

the latest versions of uMatrix and uBO

Here uBo is listed 👍 as NoScript and Decentraleyes. Regarding uM, even Gorhill has it installed, see here

@Atavic
Copy link

Atavic commented Jan 26, 2018

@AnChEv

Default search engine: DDG

Never use the search bar in your browser, it's insta-tracking.

Tracking protection block list: Disconnect.me 'strict'

I personally don't use any protective service from within the browser. I turned both these services off. You can block malware sites with blacklists in uBo or with a tool running at system level as a local proxy.

Send "Do Not Track": always

Long time ignored, don't bother sending any DNT header.

Prevent accessibility services from accessing your browser: ON

I don't know what are those, but I turned off any single service provided, as sync.

Disconnect.me

Here you have a possible culprit, as this thing checks for updates at browser start.

@ghost
Copy link
Author

ghost commented Jan 27, 2018

Regarding uM, even Gorhill has it installed

I don't know what you mean by that. The last known non-WebExtension version of uMatrix is 1.1.4 from 17.Nov.2017:

https://github.com/gorhill/uMatrix/releases/tag/1.1.4

Today there is already uM 1.3.2 but it is a WebExtension. Additionally for uBO legacy gorhill writes:

I do expect users of legacy versions of Firefox to test and report any issues with uBO -- I can't afford the time needed to test all those versions.

https://github.com/gorhill/uBlock/wiki/Firefox-WebExtensions

which (if I read it correctly) means one could not expect everything to be up to date with the non-WebExt versions.

Considering all that: In case you know a way to use latest uBO and uM with Palemoon that would be very interesting for me.

Never use the search bar in your browser, it's insta-tracking.

How come?

Thanks for the additional tips. I just explained the steps used in the test when I made it (which was earlier than writing here).

I don't know what are those, but I turned off any single service provided, as sync.

I don't know either. And I believe that setting that to ON actually turns the service off?

Here you have a possible culprit, as this thing checks for updates at browser start.

I will test without it.

@Atavic
Copy link

Atavic commented Jan 27, 2018

Moonchild - Palemoon dev - has Basilisk browser that supports WebExtensions (Experimental).
There's also K-Meleon for a user friendly browser.

@ghost
Copy link
Author

ghost commented Jan 27, 2018

Basilisk devs don't seem concerned about privacy at all:

https://github.com/MoonchildProductions/moebius/issues/326

I will check K-Meleon, thanks.

@Atavic
Copy link

Atavic commented Jan 27, 2018

Regarding your point of having a browser that doesn't connect at startup: I can confirm that both k-meleon and Palemoon can achieve it. On windows, with TCPView by sysinternals I see that both connect only to the local proxy (set in their respective options). Same with Firefox 52.0 and Seamonkey 2.49.02 (pre-webext versions).

@ghost
Copy link
Author

ghost commented Jan 27, 2018

The point is much wider than not connecting on startup. As I explained earlier - I could achieve no startup communication with FF but as soon as Preferences are opened - packets start flying.

So the actual purpose of the tests is to check if browsers are privacy respecting or create connections with 3rd party hosts (on startup or at any time later) without explicit request from the user. If a program tells Amazon or Akamai what you do, that is a privacy issue, however clever arguments the vendors may provide to defend their "features".

@Atavic
Copy link

Atavic commented Jan 27, 2018

Some connections happen when you click on tools > addons menu as the page is populated.
Disable any addon update and manage the addons directly from their own icons to avoid starting those connections.

@ghost
Copy link
Author

ghost commented Jan 28, 2018

Can you please provide the full set of user.js entries which ensure full privacy (no 3rd party packets)?

@TriMoon
Copy link

TriMoon commented Jan 28, 2018

It might be worthy FYI, to mention this bug on bugzilla:

@Atavic
Copy link

Atavic commented Jan 28, 2018

@AnChEv I got some old ones here

@ghost
Copy link
Author

ghost commented Jan 28, 2018

Thanks @Atavic, I will look at that.

@ghost
Copy link
Author

ghost commented Jan 28, 2018

Ok, I have done some testing and I think I have found the zero packet privacy with a fairly good Panopticlick result (9.71). Here are the settings:

// convenience
user_pref("browser.startup.page", 0);
user_pref("general.warnOnAboutConfig", false);
user_pref("javascript.enabled", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.cache.memory.max_entry_size", 512000);
user_pref("browser.uitour.enabled", false);

// overrides:
user_pref("services.blocklist.update_enabled", false);
user_pref("app.update.enabled", false);
user_pref("privacy.trackingprotection.enabled", false);
user_pref("privacy.trackingprotection.pbmode.enabled", false);
user_pref("security.OCSP.enabled", 0);
user_pref("security.csp.experimentalEnabled", false);

// additional privacy tightening:
user_pref("toolkit.telemetry.updatePing.enabled", false);
user_pref("toolkit.telemetry.shutdownPingSender.enabled", false);
user_pref("toolkit.telemetry.newProfilePing.enabled", false);
user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
user_pref("toolkit.telemetry.bhrPing.enabled", false);
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("devtools.onboarding.telemetry.logged", false);
user_pref("browser.ping-centre.telemetry", false);

// Testing more settings:
user_pref("privacy.firstparty.isolate", true);
user_pref("datareporting.policy.firstRunURL", "");

// Disable safebrowsing:

// overrides of existing pyllyukko user.js:
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);

// additional privacy tightening:
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
user_pref("browser.safebrowsing.provider.google.advisoryURL", "");
user_pref("browser.safebrowsing.provider.google.gethashURL", "");
user_pref("browser.safebrowsing.provider.google.lists", "");
user_pref("browser.safebrowsing.provider.google.pver", "");
user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.provider.google.updateURL", "");
user_pref("browser.safebrowsing.provider.google4.advisoryName", "");
user_pref("browser.safebrowsing.provider.google4.advisoryURL", "");
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "");
user_pref("browser.safebrowsing.provider.google4.lists", "");
user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "");
user_pref("browser.safebrowsing.provider.google4.pver", "");
user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");
user_pref("browser.safebrowsing.provider.google4.updateURL", "");
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
user_pref("browser.safebrowsing.provider.mozilla.lists", "");
user_pref("browser.safebrowsing.provider.mozilla.pver", "");
user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");

// Panopticlick optimizations
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0");
user_pref("intl.accept_languages", "en-US, en");
user_pref("general.useragent.vendor", "");
user_pref("general.useragent.vendorSub", "");
user_pref("privacy.donottrackheader.enabled", true);

I am still trying to figure how to set default search engine to DuckDuckGo and remove all others through about:config. Is that possible?

What's left is to research further as per #367.

@ghost
Copy link
Author

ghost commented Jan 28, 2018

Note: The above settings need to be added to the end of the user.js from commit 456a2b7

@Atavic
Copy link

Atavic commented Jan 29, 2018

About:

// overrides:
user_pref("security.OCSP.enabled", 0);

both pyllyukko and pants have it set as 1

An explanation is here.

@ghost
Copy link
Author

ghost commented Jan 29, 2018

OCSP is of questionable value, especially if hard fail is not enforced (is it?). Google have disabled OCSP in Chrome because of its reduced effectiveness. An attacker can exploit even stapled OCSP (or a CRLSet update). So I am not quite sure whether the reduced privacy gives any actual additional security.

https://en.wikipedia.org/wiki/Ocsp#Privacy_concerns
https://en.wikipedia.org/wiki/Ocsp#Criticisms
http://www.zdnet.com/article/chrome-does-certificate-revocation-better/

@Atavic
Copy link

Atavic commented Jan 29, 2018

I agree. We had some discussions in this repo about it. Hard-Fail isn't enforced but it's set with:
user_pref("security.OCSP.require", true);

privacy... security: https is overused IMHO. I use this ninfty addon:
https://github.com/sanspace/add-https

@ghost ghost mentioned this issue Jan 29, 2018
@ghost
Copy link
Author

ghost commented Jan 29, 2018

I use HTTPS Everywhere by EFF.

@bitpixl
Copy link

bitpixl commented Jan 30, 2018

Just want to say I like what you're doing Anchev, keep up the great work!
I'm adding the extra lines to my custom user.js and hopefully pyllyukko will add any missing lines into the main user.js.

@TriMoon
Copy link

TriMoon commented Jan 31, 2018

@AnChEv
I am still trying to figure how to set default search engine to DuckDuckGo and remove all others through about:config. Is that possible?

Tried these?:

lockPref(	'browser.search.defaultenginename',	'DuckDuckGo'	)
lockPref(	'browser.search.order.1',		'DuckDuckGo'	)
lockPref(	'browser.search.order.2',		'DuckDuckGo'	)
lockPref(	'browser.search.order.3',		'DuckDuckGo'	)
clearPref(	'browser.search.defaultenginename.US'	)
clearPref(	'browser.search.order.US.1'	)
clearPref(	'browser.search.order.US.2'	)
clearPref(	'browser.search.order.US.3'	)
defaultPref(	'browser.search.defaultenginename.US',	'data:text/plain,browser.search.defaultenginename.US=DuckDuckGo'	)
defaultPref(	'browser.search.order.US.1',		'data:text/plain,browser.search.order.US.1=DuckDuckGo'	)
defaultPref(	'browser.search.order.US.2',		'data:text/plain,browser.search.order.US.2=DuckDuckGo'	)
defaultPref(	'browser.search.order.US.3',		'data:text/plain,browser.search.order.US.3=DuckDuckGo'	)

@ghost
Copy link
Author

ghost commented Jan 31, 2018

@TriMoon - this doesn't seem to change anything.

Ideally I am looking to have the non-JS version of DDG (duckduckgo.com/html/) as the one and only search engine.

@TriMoon
Copy link

TriMoon commented Jan 31, 2018

You can add the search engine on that page, or download it (link was inside the html of that page)

this doesn't seem to change anything.

What exactly did you expect to change and didn't?
Because the above settings seemed to work for me...

Note, those settings won't work in a regular user.js file, they need to be in an admin-cfg file as explained here: https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment#Configuration

@ghost
Copy link
Author

ghost commented Jan 31, 2018

What exactly did you expect to change and didn't?

I applied the settings you suggested in user.js and after starting the browser the default search engine (Google) and the others were there in preferences, i.e. no change.

I will check the other links you shared. Thanks.

@ghost
Copy link
Author

ghost commented Jan 31, 2018

I followed the instructions and now DDG is the default search engine. Thanks!

Any idea how to delete all the other search engines through prefs?

@TriMoon
Copy link

TriMoon commented Feb 1, 2018

You're welcome,
If the above didn't do it, you can try asking at https://support.mozilla.org/ 😉

@ghost
Copy link
Author

ghost commented Feb 1, 2018

Mozilla doesn't care much, even about fixing support docs, as you can see in the shared bug reports.

@TriMoon
Copy link

TriMoon commented Feb 1, 2018

That's a bit harsh if you consider the fact that "Mozilla" in your context is not a single person but a whole planet of volunteers like you and me 😉

@ghost
Copy link
Author

ghost commented Feb 1, 2018

Mozilla Corporation is a multi-million dollar company partnering with Google.
Actually I am quite mild compared to others: https://www.youtube.com/watch?v=qMALm1VthGY

@Atavic
Copy link

Atavic commented Feb 21, 2018

Old issue: #20

@Atavic
Copy link

Atavic commented Jun 13, 2018

There's a bugzilla discussion about privacy labels for addons/webextensions:
https://github.com/privacytoolsIO/privacytools.io/issues/485#issuecomment-397011893

@pyllyukko pyllyukko added the FYI label Jun 16, 2018
@pyllyukko pyllyukko changed the title Privacy issues with FF (and forks) Privacy issues with FF (and forks) (automatic connections) Jul 29, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants