How to Quash Firefox's Silent Requests
An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API. Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).
Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
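The fix named in the summary is a single preference, and commenters further down ask whether it stays set after updates. The following is an added example (not part of the submission and not Mozilla code) that audits a profile's `prefs.js` and `user.js` for `network.http.speculative-parallel-limit` and can pin it to 0 in `user.js`; the status labels, function names and the sample profile are this example's own, and the sample profile is constructed.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

PREF = "network.http.speculative-parallel-limit"
# One user_pref("name", value); line, the syntax shared by prefs.js and user.js.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_prefs(path):
    """Return {name: raw value text} for every user_pref() line in one file."""
    prefs = {}
    if path.is_file():
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            match = PREF_LINE.match(line)
            if match:
                prefs[match.group(1)] = match.group(2)
    return prefs


def audit(profile_dir):
    """Classify one profile as DISABLED, ENABLED or DEFAULT (pref not set)."""
    profile = Path(profile_dir)
    merged = read_prefs(profile / "prefs.js")
    # user.js is re-applied at every startup, so its value overrides prefs.js.
    merged.update(read_prefs(profile / "user.js"))
    value = merged.get(PREF)
    if value is None:
        return "DEFAULT"  # built-in default applies; commenters here report 6
    return "DISABLED" if value == "0" else "ENABLED"


def pin_to_zero(profile_dir):
    """Rewrite user.js so the pref is forced to 0 on every browser start."""
    user_js = Path(profile_dir) / "user.js"
    kept = []
    if user_js.is_file():
        for line in user_js.read_text(encoding="utf-8", errors="replace").splitlines():
            match = PREF_LINE.match(line)
            if not (match and match.group(1) == PREF):
                kept.append(line)  # keep every unrelated line untouched
    kept.append('user_pref("%s", 0);' % PREF)
    user_js.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return audit(profile_dir)


def default_profile_dirs():
    """Firefox profile folders in the usual Linux, macOS and Windows locations."""
    home = Path.home()
    roots = [home / ".mozilla" / "firefox",
             home / "Library" / "Application Support" / "Firefox" / "Profiles"]
    if os.environ.get("APPDATA"):
        roots.append(Path(os.environ["APPDATA"]) / "Mozilla" / "Firefox" / "Profiles")
    return sorted(p.parent for root in roots if root.is_dir()
                  for p in root.glob("*/prefs.js"))


def demo():
    """Constructed profile: about:config was set to 0, but a stale user.js
    puts 6 back at every start. Returns the status before and after pinning."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "prefs.js").write_text(
            '// constructed sample\nuser_pref("%s", 0);\n' % PREF, encoding="utf-8")
        (Path(d) / "user.js").write_text(
            '// constructed sample\nuser_pref("%s", 6);\n' % PREF, encoding="utf-8")
        before = audit(d)
        after = pin_to_zero(d)
        return before, after


if __name__ == "__main__":
    # Audit the profile folders given on the command line, or the usual ones.
    for directory in sys.argv[1:] or default_profile_dirs():
        print("%-8s %s" % (audit(directory), directory))
```

Run it after a browser update to see whether any profile has dropped back to ENABLED or DEFAULT; changes written to `user.js` take effect at the next browser start.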
Thanks for the info! (And for putting it in the summary)
Help build the anti-software-patent wiki
Now you don't even have to click a link to get on A List!
Tired of keeping track of how to disable firefox new 'features'...
*Another* setting I have to alter.
I can't trust FF any more. A little while back I looked around for a replacement, but no luck.
Chrome is obviously so far beyond the pale it's keeping New Horizons in good company. MS have jumped the shark on privacy, IE is out. Firefox you can't trust, every update makes changes I dislike and it's huge, fat, slow and bloated.
"Web accelerators" have been doing this for over a decade. It's why developers should really, really stick to GET = idempotent so that someone loading a page with "delete" links doesn't suddenly discover that everything has been deleted.
If I have been able to see further than others, it is because I bought a pair of binoculars.
The way the summary meandered around, repeated the same thing over and over, I was expecting it to go on and on and be about how Firefox were making a mistake with their API, and here's all the examples about other companies that made this mistake, and finally an oddball suggestion that was certain to fix the problem while also maintaining the functionality.
If so, that would explain why Chrome Jr., errr, Firefox won't be changed.
There is a security flaw in email where spammers can validate you're an active email if you have images turned on. I guess if you accidentally hover their link that they can see you're an active email too! I set my network.http.speculative-parallel-limit to 0 in the url: about:config.
God spoke to me
Upgrade to Windows 10 and use Microsoft Edge.
Firefox disappoints sometimes, but only because we have high expectations of it.
I disagree with a few things they've done in the last two or three years but it's still light years ahead of the rest in terms of respecting your privacy, not trying to lock you in, being free software, supporting open standards (and not just as part 1 of a bait-and-switch, which I suspect all other browsers of), and a few other metrics.
I've no idea how it compares for speed - I wouldn't even give the other browsers a test run.
Help build the anti-software-patent wiki
Looking at the bug request that was linked in the summary, it appears that "more recent versions" of Firefox means "all versions since 2012".
So... If you open a spam email via some webmail client, and hover over a link to see if it leads to where you expect (common thing to do if you're unsure if the email is legit or not)....
Then, Firefox will connect to that link??????
There are often unique hashes which identify exactly which email recipient the spam got to! It's not much different than actually clicking a link, and validates the email!
That's about the most evil scenario I can think of and I don't like it one bit.
I could see a nightmare scenario with poorly implemented "click to buy" or voting websites. Some nations, in the cases of stuff like CP, make it illegal to access websites containing banned material. Now mousing over links can look identical to accessing, according to log files. What a mess.
By default FF doesn't respect privacy. Having the option is nice but would be nicer if the default was to respect privacy.
+100 Freaking Hilarious!
Who is still using Firefox anyway.. ?
You mean downgrade to Windows 10 if you don't care about privacy
Thank you.
"If any question why we died, Tell them because our fathers lied."
The last version of Firefox that I used unmodified out-of-the-box was version 2. Worked fine. Ever since it's been a game of whack-a-mole. Cannot think of a single must-have feature that had been added; instead, it's been a down-hill slide of trying to undo all the stupid new "features" that ruin an otherwise fine product. An endless treadmill of installing add-on extensions and tweaking about:config. Please, STOP IT!
Fire fox
Gcc
Net beans
I like it won't fix.
What's up with that?
By default FF doesn't respect privacy. Having the option is nice but would be nicer if the default was to respect privacy.
What are the other things it does that are bad for privacy?
Does anyone have a link to a page with ways to configure Firefox to respect privacy better? I'm talking about during everyday browsing, not "private mode".
(In any case, I'm sticking with Firefox (or a derivative). It might have some spots on it but the alternatives are rotten to the core.)
Help build the anti-software-patent wiki
Seriously, every browser does these kinds of prefetching requests, especially for DNS. Firefox is actually behind the times in this regard, and it's one of the key reasons that people feel that other browsers feel "faster". It's alarming to think that people who care about this sort of thing aren't even aware of it. What other "deficiencies" in Firefox (from the perspective of casual users) are you going to be surprised by when they grudgingly finish implementing them in Firefox? Pre-rendering? A multi-process model? Support for modern HTML5 DRM?
"Speculative pre-fetching" sounds like a nice feature for a web app to implement, since it knows what activating a link within its own domain does. But it is a pretty bad idea for a browser to do it willy-nilly.
What idiot decided to do this?
I don't want to load a link just by hovering on it. I don't want to tell every damned link in a webpage that I've looked at it. If I click on it I'll click on it, but don't just load random shit you think I might fucking want to load.
I swear, Firefox is making some really stupid decisions of late. For a browser which used to be concerned with privacy they seem to have decided to do everything possible to reverse that.
It's like they're either suddenly staffed by morons.
Disappointing. Very disappointing.
Lost at C:>. Found at C.
This also covers Pale Moon.
All my Firefox and Pale Moon installs had it set to 6.
"Speculative pre-fetching" sounds like a nice feature for a web app to implement, since it knows what activating a link within its own domain does. But it is a pretty bad idea for a browser to do it willy-nilly.
Yes, it would be a bad idea, which is why it doesn't. It only acts on the new tab page and search bar.
It should not, indeed it must not matter that Firefox loads data from a dodgy website. It has to be safe to read it, render it and run the Javascript.
Because if it isn't then the browser is doomed to be cracked and exploited anyway. Attackers can break into "safe" websites and put their scripts there. Or buy advertisements to their malware.
So all the worry over loading links from untrusted sites is foolish because you cannot trust ANY site on the Internet. Not really.
There's a better argument to be made over the privacy implications.
The only other major thing I can think of is that it (like other browsers) doesn't ask you for permissions for websites to use WebRTC, which means that sites can sniff your local IP addresses if they're clever. This is a spec issue, but unless you're in the know as to what debates are going on about this misfeature, it's easy to assume that Mozilla are dropping the ball on this (and people love to conveniently blame Mozilla when they aren't stopping bad things, but never thank them for the good they do).
another reason for not using Firefox.
Chromium is nice enough.
I don't know what this person is talking about but it is pretty false. I opened up wireshark, browsed to an aggregator site and then moused over a bunch of the links. Not a single "silent request" was sent. And then actually reading the bugs that are linked to show that it is about the search bar or the new tab. And it isn't actual data but the beginning of a TCP request. This is just FUD.
Chrome caused an uproar years ago when it implemented something similar called "predict network actions". At least it was easy and intuitive to disable.
The OP mentions iftop & resource monitor. I wonder if they're seeing the results of DNS Prefetching? That's something Firefox and Chrome have been doing forever. It doesn't hit the webserver, just resolves the domain name to an IP address in case you hit a link.
Or are they only looking at the new tab page? According to the docs they linked to, the speculative connect API is only used in a few spots in the Firefox UI, not on random webpages.
FF has gone down hill fast ever since they fired the president of mozilla for giving money to political causes that some people didn't like. Who wants to work in an "open" environment like that? I don't defend his views, I just defend his right to political speech unencumbered by punishment. Employees with half a brain and the ability to think outside the box probably started making plans to leave and that seems to have left a lot of weak people who can't think for themselves. Diversity must have limits!
Who's the idiot(s) who came up with this? I'd like to kick him in the balls.
On the bright side at least FF will feel right at home in Windows 10 with this behaviour.
Jumpstart the tartan drive.
I don't understand the concern, at least if I'm reading the documentation for the speculative connect API correctly (first link in blurb).
All this seems to do is make the TCP connection (whether SSL or not) in anticipation of a link being clicked. The speculative connect API does not send any data in the TCP pipe it is creating. By opening the TCP link early, once the link is clicked, the TCP connection is probably ready to go, cutting down a bit on setup delay (which can sometimes be substantial if DNS is slow to resolve or the connection is using SSL), thus making the click seem more responsive to the user.
But nowhere in the docs is any mention of actual requests made to the server or any data downloaded from the server... until you click the link. Thus, the only information leaked by hovering over a link but not clicking on it is your externally-known IP address, which may show up in the error logs of the webserver as a dropped connection. There seems to be no danger of accidentally downloading a virus simply by hovering over a click.
If I'm missing something, please let me know.
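Whether a hover only opens a connection or also sends a request is the point commenters disagree on, and it can be measured on a loopback listener. The following is an added example (not part of any comment and not Mozilla code); the port, labels and function names are assumptions of the example and the sample payloads are constructed. It classifies the first bytes a client sends after connecting.

```python
import socket

# Request-line prefixes that mark a plain-text HTTP request.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data):
    """Return (kind, detail) for the first bytes received on a connection."""
    if not data:
        # TCP handshake completed but nothing was sent: the server learns the
        # client's IP address and the port it connected to, and nothing else.
        return ("connect-only", "")
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record of type 22 (handshake), i.e. a ClientHello is starting.
        return ("tls-handshake", "")
    if data.startswith(HTTP_METHODS):
        # A real request: the path, with any per-recipient token, is disclosed.
        request_line = data.split(b"\r\n", 1)[0].decode("latin-1")
        return ("http-request", request_line)
    return ("other-data", "")


def observe(conn, wait=2.0):
    """Wait up to `wait` seconds for the peer's first bytes, then classify."""
    conn.settimeout(wait)
    try:
        data = conn.recv(4096)
    except (socket.timeout, ConnectionResetError):
        data = b""  # peer stayed silent or dropped the connection
    return classify_first_bytes(data)


def serve(host="127.0.0.1", port=8099, wait=2.0):
    """Log one line per incoming connection on a loopback port (assumed 8099)."""
    with socket.create_server((host, port)) as server:
        while True:
            conn, peer = server.accept()
            with conn:
                kind, detail = observe(conn, wait)
                print("%s:%d %s %s" % (peer[0], peer[1], kind, detail))


def demo():
    """Feed three constructed payloads through observe() over socket pairs."""
    samples = {
        "no bytes": b"",
        "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]),
        "http": b"GET /unsubscribe?id=CONSTRUCTED HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
    }
    results = {}
    for label, payload in samples.items():
        client, server = socket.socketpair()
        with client, server:
            if payload:
                client.sendall(payload)
            results[label] = observe(server, wait=0.2)
    return results


if __name__ == "__main__":
    serve()
```

With the listener running, open a local test page that links to `http://127.0.0.1:8099/` and hover without clicking: a `connect-only` line means only a TCP connection was opened, while `http-request` shows the request line the server would have logged.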
Now just a Hover-by will do....
I'll just use Chrome. One just sucks less than the other.
I consider this to be rather extreme, and people are putting up with this? I certainly hope not! If computer science is to become a part of primary education, network sniffing better be the first and most important thing to burn into the kid's mushy brain.
“He’s not deformed, he’s just drunk!”
What are the other things it does that are bad for privacy?
Phoning home every damn time you start it up to "check for updates" to plugins.
Having a mozilla website be the default home page, so you automatically visit mozilla.com before you can get to the point where you can set your home page to be about:blank.
Having a default where it shows you (and anyone who happens to be in eyeshot) thumbnails of sites you've visited.
I haven't found a way around the second issue, but the first can be stopped. Set plugins.update.url to "" using about:config.
Quoting from one of the linked articles.
---
netwerk/base/public/nsISpeculativeConnect.idl (Scriptable)
Lets non-networking code provide hints to the networking layer that an HTTP connection attempt to a particular site is likely to happen soon; this lets the networking layer begin setting up TCP and, if appropriate, SSL handshakes to save time when the connection is actually opened later.
Introduced: Gecko 15.0
Inherits from: nsISupports. Last changed in Gecko 15.0 (Firefox 15.0 / Thunderbird 15.0 / SeaMonkey 2.12)
---
No, it does seem to be telling the network layer it might want to do a full on TCP connection and doing SSL handshakes as appropriate.
I'm not an expert on browser coding but I think this does mean it might not actually send an HTTP request. If so, then some of the nightmare scenarios are not possible.
It's still bad, though.
Simply hovering --
Now my system will connect to things I would elect to not connect to.
It is clear that network connections and data in a cache are no
longer valid in a court of law.
With such a feature there is no reasonable expectation that anyone
looked at or was in fact interested in anything.
The good news is web sites that count will see their hit count
jump for joy... Ponder an email with
https://www.hillaryclinton.com...
https://23.235.47.75/
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Just checked ver 40 and as soon as you hover over a link, Firefox does a DNS and then an HTTP or HTTPS request with full TLS handshake and negotiation. I'd file this in the "What could possibly go wrong?" bin.
Gmail caches any images in an email, and serves them through their own servers, in order to prevent tracking bugs from having any effect.
The greater concern for me is what happens when you hover over a link that causes action by virtue of the URL being hit? I assume they must have done some filtering-out GET URLs, but...what about URLs that are prettified? Jesus, this is such a bad idea all around.
Please help metamoderate.
It's crap like this from FF/Chrome/MS that has me sticking with FF10 ESL. There is only One (1x) bug in it that is plugged by installing NoScript and they hadn't fixed it as late as FF:25 (last I'd checked). I don't need HTML 5 crap, WebGL, Canvas and alternate codecs in my fucking browser. It's a browser for fucks sake not a god damn competitor to Windows.
It was the changes forced down everyone's throat in regards to bookmarks and such from FF 4 that pissed me off enough that I decided to look at how to get the Extended support version and stick with it. Sorry Mozilla but you'll have to pry the code from my dead machine before I'll give it up.
As long as he isn't using his position at work to lend credence to his political/etc views. Clear demarcation required.
I just checked in Pale Moon, the value was set to '6'. Not anymore!
Guess we need to check after updates to see if it gets changed back?
(And I'd like to echo my thanks for this alert as well. Cheers!)
See: http://dilbert.com/search_resu...
Maybe. But, that's nothing compared to some of the Komrades at Mozilla having inkorrekt thoughts. That had to be end...
In Soviet Washington the swamp drains you.
In some sites I know all links are safe (e.g. my work homepage).
In other places, it's vital that the link is not fetched on mouseover (e.g. spam links -- that's the way they know you exist so they can pester you even more).
IOW there should be a whitelist.
Cleaned-up Firefox builds: Iceweasel and Palemoon
Having a default where it shows you (and anyone who happens to be in eyeshot) thumbnails of sites you've visited.
I haven't found a way around the second issue, but the first can be stopped. Set plugins.update.url to "" using about:config.
about:config
browser.newtabpage.enabled FALSE
Firefox disappoints sometimes, but only because we have high expectations of it.
Since when is not expecting your browser to issue GET requests until you actually request a resource a "high expectation." This is basic shit, and Mozilla has been getting it wrong for a long time. They're paying for it with market share. I've watched Netscape sink themselves before, and for the same reasons. Never, ever, ever, let marketing have ANY say in product features. I don't mean mostly never, I mean never like the way you never allow your kids to stick metallic objects into electrical outlets. Just like last time they're too stupid and/or stubborn to listen to anyone begging them to stop being idiots.
The scenarios are entirely possible.
An SSL handshake bug ... which we've seen before is still entirely possible. You don't need to send a HTTP protocol request for an SSL bug to fuck you over.
It's also trivial to continue to leak information by setting up the connect to a particular host without sending the full request based on how the host link is configured.
Simply configure your spam email/site to point to individual IPs and port combos for every email you send, then when viewed in a browser, this presetting up of conditions can still be used for confirmation of email delivery as well as potentially exploiting bugs in the browser, which is a safe bet to exist based on the ignorance of this feature.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
No it's not basic shit.
GET requests are an implementation detail, not a goal. Goals are things like privacy, speed, standards compliance, transparency, convenience, and stability.
In some circumstances I want my browser to make GET requests without me clicking. In others, I don't. In this particular instance, it seems they traded off some privacy for some speed. And in this particular instance it sounds like they made a bad trade-off. But they got a thousand other trade-offs right.
Phoning home every damn time you start it up to "check for updates" to plugins.
If the only data it's sending is "I'm version 39.0.1 (GNU/Linux i686)", I wouldn't call that "phoning home". Most people probably want this behaviour.
Having a mozilla website be the default home page, so you automatically visit mozilla.com before you can get to the point where you can set your home page to be about:blank.
Again, if all they know is that someone on your IP address has opened a browser while connected to the internet, it's barely a privacy issue.
Having a default where it shows you (and anyone who happens to be in eyeshot) thumbnails of sites you've visited.
I think most users want that behaviour. It's more useful than a blank page. It's no different to your file browser showing thumbnails and filenames of whatever's in the current working directory when it starts.
If there are pages you don't want showing up there, you can click the (x) on the thumbnail.
I do complain when I see a real issue, but I also have to say that Firefox gets it right 99.9% of the time.
Help build the anti-software-patent wiki
response when I click on the Bookmarks tab, I would be grateful, since it takes about 10 seconds to open.
So slow I removed FireFox and re-installed Opera - ahhhh, speed restored.
The Home page can be changed in the preferences window. For the tab thumbnails,
In about:config, create these Boolean settings, (right click on page)
name: browser.pagethumbnails.capturing_disabled with value: true
name: pageThumbs.enabled with value: false
Delete the thumbnails directory in your profile.
Alternatively, use SeaMonkey or one of the Firefox forks.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Still saves the thumbnails.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
I can't trust FF any more.
Gads that's the truth. I want the aliens running the project X-Com'd so we get that open browser back. When did they start deciding what was best for the user? Back in version 26 or so I think?
And then they have the gall to complain about Windows 10. Just ... awesome.
Windows Ten Wallpaper
Just checked this copy of Pale Moon I'm using. The value is (was) set to '6'. Something the Pale Moon fork needs to change in future releases, methinks.
Use Palemoon. Looks like classic Firefox including the plugins but without the recent bloat and anti-user behaviour. And without Australis too.
I'll add: there's also the
browser.pageThumbs.enabled
... boolean; I see references to both on the internet. /shrug
It is Putin's fault.
Why not use Opera 12 PRESTO
Or Apple Windows Safari
"browser.pageThumbs.enabled" just stops the tab preview from appearing, which is what many actually want. The other totally disables producing the page, which others are looking for.
As usual it comes down to individual preference and all we can do is give choices.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
What makes you think Iceweasel "cleans" things up? Most, if not all, of the Firefox behaviors are left as is in Iceweasel, with the exception of auto-updating being the major exception, as far as I can tell.
The prefetch setting in Iceweasel is exactly as described in the OP. I have just changed mine.
Sent from my ASR33 using ASCII
Huh? Just click on the machine wheel on the new tab screen and switch off the thumbnail speed dial page?
Switch the default page for new tabs to about:blank and you are good to go.
If you get your connection by tethering on a limited data plan, then this setting effectively constitutes theft.
Sent from my ASR33 using ASCII
Yeah, quite a pity.
I wouldn't mind an alternative Firefox, but the ugly old non-australis, hell no! From the first mockups of Australis I couldn't wait for it. Seriously.
Compared to all other browsers I've seen, Australis is the nicest theme overall (especially to fugly Chrome, which everyone claims looks exactly like Australis; it doesn't at all).
>One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc.
One should never fucking expect that.
Phoning home without permission is shady, and "Firefox doesn't phone home like Chrome does" is the #1 reason people tell me I shouldn't use Chrome - so the fact that people still think you "can expect Firefox to phone home" just tells me that there's still no reason to switch back to Firefox.
Use Fifth. Lean and privacy-focused.
http://fifth-browser.sf.net/
You know it doesn't actually issue a GET request on hover? It just sets up the TCP connection to the host.
Honestly, for the last four years or so, the only news I see about Firefox here on Slashdot is the "bad news". The foundation keeps introducing new features nobody asked for and keeps changing the familiar user interface. About the only time I thought something good is coming out of the Firefox is when they announced that Firefox will block third-party cookies by default, thus ending one of the biggest routes to privacy violation on the web.. then nothing happened. Firefox has already sold itself to commercial interests, but somehow we continue using it by default as if there were no alternatives.
"Lynx" is quite good for detangling bad websites, and for reviewing privacy negligent or security suspicious websites: it's a purely text-only browser and does not run Javascript at all.
When Mozilla - the new browser - was becoming muddled with senseless features and cumbersome crap, someone forked it and created project Phoenix. It was lean, simple, fast and reliable. People loved it and switched to it en masse.
Due to trademark problems, Phoenix was renamed to Firebird, and later to Firefox.
Mozilla team mostly abandoned Mozilla, leaving only a slowly dying "Seamonkey" branch, and moved to Firefox. And they immediately began shitting it up just like they did with original Mozilla. Currently the shit-up is reaching its apogee.
Someone needs to fork it again and start a new Phoenix. And don't let the current team touch it!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Give me Nautipolis or Orthodox any day.
Il n'y a pas de Planet B.
In the same sense that selling a less efficient car (than what? dunno) is theft of your fuel?
Vivaldi, maybe? It's a technical preview at the moment, but they're on the 4th release now since early in the year, so it's progressing steadily.
FF is open-source, is it not? Get the source, chop out all the stuff you don't like/want, and compile your own personal fork of it.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
How does one disable the warning about the old Sync service being shutdown?
It appears in every new window, and I don't want to setup my private server now, which should still work by downgrading to an old version and then upgrading.
What is the use-case for this sort of action? Was a link between hovering and going to a site established? What makes this a 'feature'?
"Consensus" in science is _always_ a political construct.
I changed to Pale Moon some time ago and it seems good. At least better than FF (it is a fork).
So they felt left-out and added this option to decrease security significantly _and_ make it hard for users to prevent that....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The option in "about:config" in Palemoon also has
network.http.speculative-parallel-limit
set to 6
should be changed to 0
Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).
Well, duh. It's not a bug if there is a solution. There's nothing to fix. Hence, WONTFIX.
Dude take your meds. That's some far-fetched stuff you're dreaming up just so some vigara spammer can track you.
A good many ISPs - especially cellular ISPs - have edge firewalls sensitive to concurrent transport sessions. This silliness is not going to help.
And on that topic, to all those who say 'so what?', cellular users are paying per-KB for all those zombie TCP sessions.
To make the connection, you have to make a dns lookup. That goes through your ISP and can be logged if they're interested.
The link doesn't even have to be the one that the link goes to, since one can do .onclick() to change it.
If you never run Firefox, you've got no problems
Pale Moon is no longer a Firefox build, having diverged and fully forked the codebase well before Australis hit. It's now its own thing. Pretty much the only way to avoid the endless stream of crap going into the Firefox codebase these days.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Try Palemoon [palemoon.org]
It's old school Firefox if that's what you like. All my plugins work great in it. I loves it.
I never found the time to share and explain my firefox configuration, but this thread had the incentives to do it. Now you can check http://www.trek.eu.org/text/fi... with a downloadable user.js tuned just for security and privacy in mind.
You know that the site admins of the link you just hovered over know that you hovered over one of their links.
You prat.
Firefox disappoints sometimes, but only because we have high expectations of it.
The expectations we have of Firefox are no different from what they were actively achieving and delivering without issue many years ago.
They seem to be actively going out of their way to not meet expectations. I wouldn't consider that we have set the bar very high when all that needs to be done is not introduce some shitty new feature.
What about Pale Moon? Someone suggested it on /. a few months ago, I tried it, and was convinced...
will end up in court and say "I only hovered over the link your honor!" lol
Where can I donate?
Speed does not disappoint too much. But the trust is broken again and again. If you do not configure A LOT, they send much data to different entities, before you even use it. For example generating a unique key and sending it to google to receive encrypted phishing-blacklists. Sending telemetry to mozilla. Requesting advertisement tiles. And so on.
somebody should take gecko and some of the code and make a minimal browser. With addons. Like Phoenix.
I don't see a problem with a status of WONTFIX.
This is the correct solution, as there already is a setting to disable speculative requests.
NOW you would open another ticket referencing this bug with the feature-request to add a button that toggles the setting on/off.
If the only data it's sending is "I'm version 39.0.1 (GNU/Linux i686)", I wouldn't call that "phoning home". Most people probably want this behaviour.
Yes, most people prefer convenience over privacy and will give up the latter for the former. Tell someone they'll get points or discounts for using the Safeway club card and they'll happily let a large corporation track everything they buy. Or Costco, where you MUST have the "loyalty card" (membership) to buy anything. It doesn't strike home how pervasive their monitoring is until a Costco employee walks up to you with a list of everything you've bought in the last year and tells you that you could save $16 if you paid $50 for the next higher level of membership.
To check for updates to plugins, it has to ask about the plugins you have, so you are telling someone what plugins you have installed.
Again, if all they know is that someone on your IP address has opened a browser while connected to the internet, it's barely a privacy issue.
It's not just that someone has opened a browser, even though that is technically a privacy violation (why should Mozilla get notices when that happens?), it's that the browser has been installed on another computer and whatever information is sent in the headers to help identify it (along with IP address).
I think most users want that behaviour.
You're confusing "most people want" with "privacy violation".
It's more useful than a blank page.
So? Now you don't understand the difference between "useful" and "privacy".
If there are pages you don't want showing up there, you can click the (x) on the thumbnail.
Great. Solution after the fact.
The Home page can be changed in the preferences window.
Of course. I know that. But how do you get to the preferences window before you've started the browser for the first time and it runs off to report to Mozilla that there's another installation?
The issue isn't just that it HAS a start page set to that, it is that the DEFAULT start page is set to that and you can't change it until you've already been to the start page. As far as I know, there isn't even a profile before you run it the first time, so you can't edit a profile file to change the behaviour.
The default home page could be set to a file:// that has a link that says "if you want Mozilla to be your home page, click here", for example.
And yes, I know how to turn off the thumbnails, but the fact that it is on by default is another example of Firefox getting privacy WRONG. They get it wrong but you can jump through hoops to fix it. They should get it right by default.
You're confusing "most people want" with "privacy violation".
You're making an "all-or-nothing" mistake, repeatedly.
Privacy can never be all-or-nothing. Leaving one's curtains drawn or leaving one's house increases the risk of being photographed, but I still recommend doing both. The trick is to get risks and violations down to acceptably low levels.
How low can you go? Depends on how much inconvenience/effort/cost you're willing to accept. In general, there's a law of diminishing returns, so it's best to make some effort to reduce risks somewhat in all aspects of life rather than putting a lot of effort into getting a small few problems down to zero.
If there are [Firefox tiles] you don't want showing up there [in new tabs], you can click the (x) on the thumbnail.
Great. Solution after the fact.
No. Wrong, wrong, wrong. It's a solution to all but the first occurrence of the problem. If you open a browser a thousand times, but you click (x) the first time, then I've reduced the problem by 99.9%. If you can't see this then you don't understand privacy.
99.9% is acceptably low for most things. Do it, and move on to the next problem. Don't dwell on the 0.1% - this is time wasted that could be spent on reducing something else by 50, 90, or 99.9%.
Help build the anti-software-patent wiki
Perhaps just launch it pointed at a safe URL on first launch (untested without a profile), firefox http://127.0.0.1./ Other than that you will have to jump through hoops, even omni.ja is hard to unzip and rezip after manually editing the default preferences.
I do agree that Firefox gets much wrong which is why I don't usually run it, preferring the suite as it is actually lighter now, not as privacy invading and has a consistent interface.
https://en.wikipedia.org/wiki/Inverted_totalitarianism