Slashdot Mirror


How to Quash Firefox's Silent Requests

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API. Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
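
As an added example (not part of the original submission and not Mozilla's code), the following Python audit checks every Firefox profile under a directory for the network.http.speculative-parallel-limit setting discussed above. It assumes the usual `user_pref("name", value);` line format of prefs.js and user.js; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

PREF = "network.http.speculative-parallel-limit"
# Matches lines such as: user_pref("some.pref.name", 0);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_pref(path, name=PREF):
    """Return the last value assigned to `name` in a prefs file, or None."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # a later line overrides an earlier one
    return value


def audit_profile(profile_dir):
    """Report where the pref is set for one profile and whether it is 0."""
    profile_dir = Path(profile_dir)
    # user.js is applied at every start, so it takes precedence over prefs.js.
    for fname in ("user.js", "prefs.js"):
        value = read_pref(profile_dir / fname)
        if value is not None:
            status = "disabled" if value == "0" else "enabled"
            return {"profile": profile_dir.name, "source": fname,
                    "value": value, "status": status}
    # Not set in either file: the browser's built-in default applies.
    return {"profile": profile_dir.name, "source": None,
            "value": None, "status": "default"}


def audit_all(root):
    """Audit each sub-directory of `root` that looks like a profile."""
    dirs = sorted(d for d in Path(root).iterdir() if d.is_dir())
    return [audit_profile(d) for d in dirs
            if (d / "prefs.js").exists() or (d / "user.js").exists()]


if __name__ == "__main__":
    # Assumed usage: pass the profiles directory, e.g. ~/.mozilla/firefox
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for row in audit_all(root):
        print("{profile}: {status} (value={value}, from {source})".format(**row))
```

Profiles reported as "default" or "enabled" still allow speculative connections; commented-out `user_pref` lines are ignored.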

14 of 294 comments

  1. Thanks anonymous reader! by ciaran2014 · · Score: 5, Insightful

    Thanks for the info! (And for putting it in the summary)

    --
    Help build the anti-software-patent wiki
    1. Re:Thanks anonymous reader! by ciaran2014 · · Score: 3, Insightful

      RMS was right.

      Hmmm, a nugget of sense in your second load of nonsense. Or is it just a case of a stopped clock being right twice a day...

      --
      Help build the anti-software-patent wiki
  2. Tired... by Anonymous Coward · · Score: 5, Insightful

    Tired of keeping track of how to disable firefox new 'features'...

  3. Need a new browser. Not Chrome, not IE, Not FF. by Anonymous Coward · · Score: 5, Insightful

    *Another* setting I have to alter.

    I can't trust FF any more. A little while back I looked around for a replacement, but no luck.

    Chrome is obviously so far beyond the pale it's keeping New Horizons in good company. MS have jumped the shark on privacy, IE is out. Firefox you can't trust, every update makes changes I dislike and it's huge, fat, slow and bloated.

  4. Thank you by GoodNewsJimDotCom · · Score: 4, Insightful

    There is a security flaw in email where spammers can validate you're an active email if you have images turned on. I guess if you accidentally hover their link that they can see you're an active email too! I set my network.http.speculative-parallel-limit to 0 in the url: about:config.

  5. Re:Need a new browser. Not Chrome, not IE, Not FF. by ciaran2014 · · Score: 4, Insightful

    Firefox disappoints sometimes, but only because we have high expectations of it.

    I disagree with a few things they've done in the last two or three years but it's still light years ahead of the rest in terms of respecting your privacy, not trying to lock you in, being free software, supporting open standards (and not just as part 1 of a bait-and-switch, which I suspect all other browsers of), and a few other metrics.

    I've no idea how it compares for speed - I wouldn't even give the other browsers a test run.

    --
    Help build the anti-software-patent wiki
  6. Webmail obvious security issue by Anonymous Coward · · Score: 5, Insightful

    So... If you open a spam email via some webmail client, and hover over a link to see if it leads to where you expect (common thing to do if you're unsure if the email is legit or not)....
    Then, Firefox will connect to that link??????
    There are often unique hashes which identify exactly which email recipient the spam got to! It's not much different than actually clicking a link, and validates the email!

    That's about the most evil scenario I can think of and I don't like it one bit.

  7. Bugs? by Stoutlimb · · Score: 5, Insightful

    I could see a nightmare scenario with poorly implemented "click to buy" or voting websites. Some nations, in the cases of stuff like CP, make it illegal to access websites containing banned material. Now mousing over links can look identical to accessing, according to log files. What a mess.

  8. Firefox fad by kernel_user · · Score: 1, Insightful

    Who is still using Firefox anyway.. ?

  9. Holy crap ... by gstoddart · · Score: 3, Insightful

    What idiot decided to do this?

    I don't want to load a link just by hovering on it. I don't want to tell every damned link in a webpage that I've looked at it. If I click on it I'll click on it, but don't just load random shit you think I might fucking want to load.

    I swear, Firefox is making some really stupid decisions of late. For a browser which used to be concerned with privacy they seem to have decided to do everything possible to reverse that.

    It's like they're either suddenly staffed by morons.

    Disappointing. Very disappointing.

    --
    Lost at C:>. Found at C.
    1. Re:Holy crap ... by fustakrakich · · Score: 3, Insightful

      It doesn't send anything besides the basic TCP headers.

      Does anybody here understand the implications of *simply making the connection*? What the hell is the matter with you? Unless I click, I don't want to send anything at all. Is there something here that is difficult to comprehend about this?

      --
      “He’s not deformed, he’s just drunk!”
  10. Re:Ancient news by gstoddart · · Score: 4, Insightful

    I've always thought web accelerator was a dumb naming ... we'll waste your bandwidth by downloading a bunch of shit you haven't clicked on so that if you do want it, then it is cached.

    It would load quicker if they weren't pre-fetching the entire fucking internet on the notion that I might want it at some point.

    Sorry, Mozilla, but you're simply not getting the point here.

    --
    Lost at C:>. Found at C.
  11. This was predicted some time ago by chrism238 · · Score: 3, Insightful
  12. Re:What's the problem? by BitZtream · · Score: 4, Insightful

    So right off the top of my head, two examples of things you're missing:

    An SSL handshake bug ... which we've seen before is still entirely possible. You don't need to send an HTTP protocol request for an SSL bug to fuck you over. Unless of course you think Firefox is flawless and bug free ... which we are 100% certain will never be the case.

    It's also trivial to continue to leak information by setting up the connection to a particular host without sending the full request based on how the host link is configured.

    Simply configure your spam email/site to point to individual IPs and port combos for every email you send, then when viewed in a browser, this presetting up of conditions can still be used for confirmation of email delivery as well as potentially exploiting bugs in the browser, which is a safe bet to exist based on the ignorance of this feature.

    And this is why just because YOU don't understand why security works the way it does, doesn't mean you've thought of all the actual scenarios.

    Let's see what else: TCP connects cost bandwidth, not much, but some, this is just another example of speculative wastefulness typical with modern programmers who have no consideration about what the costs are of the operation they are performing because it happens so fast in their dev environment they don't notice the cost. On the other hand, a very popular website will now notice many more idle connections, which are not free, maybe not even cheap, because Firefox is being retarded and forgetting Internet Security 101.

    Throw in using a custom DNS hostname for every URL thrown into an email or web page, and now you can easily track hovered over links of the user without them clicking a thing.

    You don't go connecting to random machines on the Internet without specific instruction to do so, #InternetSecurity101

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager