Slashdot Mirror
How to Quash Firefox's Silent Requests
An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API . Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).
Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
Thanks for the info! (And for putting it in the summary)
Help build the anti-software-patent wiki
Tired of keeping track of how to disable firefox new 'features'...
Now you don't even have to even click a link to get on A List!
Doesn't matter. The NSA considers all Firefox users to be extremists anyway.
*Another* setting I have to alter.
I can't trust FF any more. A little while back I looked around for a replacement, but no luck.
Chrome is obviously so far beyond the pale it's keeping New Horizons in good company. MS have jumped the shark on privacy, IE is out. Firefox you can't trust, every update makes changes I dislike and it's huge, fat, slow and bloated.
There is a security flaw in email where spammers can validate you're an active email if you have images turned on. I guess if you accidentally hover their link that they can see you're an active email too! I set my network.http.speculative-parallel-limi to 0 in the url: about:config.
God spoke to me
Upgrade to Windows 10 and use Microsoft Edge.
Firefox disappoints sometimes, but only because we have high expectations of it.
I disagree with a few things they've done in the last two or three years but it's still light years ahead of the rest in terms of respecting your privacy, not trying to lock you in, being free software, supporting open standards (and not just as part 1 of a bait-and-switch, which I suspect all other browsers of), and a few other metrics.
I've no idea how it compares for speed - I wouldn't even give the other browsers a test run.
Help build the anti-software-patent wiki
Looking at the bug request that was linked in the summary, it appears that "more recent versions" of Firefox means "all versions since 2012".
So... If you open a spam email via some webmail client, and hover over a link to see if it leads to where you expect (common thing to do if you're unsure if the email is legit or not)....
Then, Firefox will connect to that link??????
Their often unique hashes which identify exactly which email recipient the spam got to! It's not much different than actually clicking a link, and validates the email!
That's about the most evil scenario I can think of and I don't like it one bit.
I could see a nightmare scenario with poorly implemented "click to buy" or voting websites. Some nations, in the cases of stuff like CP, make it illegal to access websites containing banned material. Now mousing over links can look identical to accessing, according to log files. What a mess.
By default FF doesn't respect privacy. Having the option is nice but would be nicer if the default was to respect privacy.
Who is still using Firefox anyway.. ?
You mean downgrade to Windows 10 if you don't care about privacy
Thank you.
"If any question why we died, Tell them because our fathers lied."
The last version of Firefox that I used unmodified out-of-the-box was version 2. Worked fine. Ever since it's been a game of whack-a-mole. Cannot think of a single must-have feature that had been added; instead, it's been a down-hill slide of trying to undo all the stupid new "features" that ruin an otherwise fine product. An endless treadmill of installing add-on extensions and tweaking about:config. Please, STOP IT!
By default FF doesn't respect privacy. Having the option is nice but would be nicer if the default was to respect privacy.
What are the other things it does that are bad for privacy?
Does anyone have a link to a page with ways to configure Firefox to respect privacy better? I'm talking about during everyday browsing, not "private mode".
(In any case, I'm sticking with Firefox (or a derivative). It might have some spots on it but the alternatives are rotten to the core.)
Help build the anti-software-patent wiki
What idiot decided to do this?
I don't want to load a link just by hovering on it. I don't want to tell every damned link in a webpage that I've looked at it. If I click on it I'll click on it, but don't just load random shit you think I might fucking want to load.
I swear, Firefox is making some really stupid decisions of late. For a browser which used to be concerned with privacy they seem to have decided to do everything possible to reverse that.
It's like they're either suddenly staffed by morons.
Disappointing. Very disappointing.
Lost at C:>. Found at C.
I've always thought web accelerator was a dumb naming ... we'll waste your bandwidth by downloading a bunch of shit you haven't clicked on so that if you do want it, the it is cached.
It would load quicker if they weren't pre-fetching the entire fucking internet on the notion that I might want it at some point.
Sorry, Mozilla, but you're simply not getting the point here.
Lost at C:>. Found at C.
It should not, indeed it must not matter that Firefox loads data from a dodgy website. It has to be safe to read it, render it and run the Javascript.
Because if it isn't then the browser is doomed to be cracked and exploited anyway. Attackers can break into "safe" websites and put their scripts there. Or buy advertisements to their malware.
So all the worry over loading links from untrusted sites is foolish because you cannot trust ANY site on the Internet. Not really.
There's a better argument to be made over the privacy implications.
The only other major thing I can think of is that it (like other browsers) doesn't ask you for permissions for websites to use WebRTC, which means that sites can sniff your local IP addresses if they're clever. This is a spec issue, but unless you're in the know as to what debates are going on about this misfeature, it's easy to assume that Mozilla are dropping the ball on this (and people love to conveniently blame Mozilla when they aren't stopping bad things, but never thank them for the good they do).
I agree. I develop mostly intranet type web based applications and always recommend firefox to my clients. I code to standards, so any modern browser that respects those standards can use the application as expected.
When creating Delete controls (or any control that modifies something), I typically use a javascript based modal window to display a confirmation box that will POST to the target. If the user doesn't have javascript installed, it will load the target via GET request where I can then display the confirmation, requiring the POST to the target before actually processing the request.
Depending on the application, I use tags styled like tags. I set the href to the target page, and in the onclick trigger I reference this.href as the target that I pass to the modal to POST to. This makes failover simple when javascript is disabled. There is also a simple server-side validation method I use to ensure there are no easy ways to inject dangerous POST requests.
This should be standard practice, but some developers are lazy.
Slashdot at part of that post. See below for clarification:
Depending on the application, I use <a> tags styled like <button> tags. I set the href to the target page, and in the onclick trigger I reference this.href as the target that I pass to the modal to POST to. This makes failover simple when javascript is disabled. There is also a simple server-side validation method I use to ensure there are no easy ways to inject dangerous POST requests.
I miss Lynx!
Karma: Bad
The OP mentions iftop & resource monitor. I wonder if they're seeing the results of DNS Prefetching? That's something Firefox and Chrome have been doing forever. It doesn't hit the webserver, just resolves the domain name to an IP address in case you hit a link.
Or are they only looking at the new tab page? According to the docs they linked to, the speculative connect API is only used in a few spots in the Firefox UI, not on random webpages.
FF has gone down hill fast ever since they fired the president of mozilla for giving money to political causes that some people didn't like. Who wants to work in an "open" environment like that? I don't defend his views, I just defend his right to political speech unencumbered by punishment. Employees with half a brain and the ability to think outside the box probably started making plans to leave and that seems to have left a lot of weak people who can't think for themselves. Diversity must have limits!
I miss Lynx!
corrected link
Karma: Bad
X loads sites faster so I'll use that (even if they are prefetching everything).
Reminds me of the late 90s, everything wanted to be loaded at system startup so their bloated whatever appears to start as soon as you clicked their icon, instead of causing your computer to thrash about as it started loading everybodies preload libraries.
I don't understand the concern, at least if I'm reading the documentation for the speculative connect API correctly (first link in blurb).
All this seems to do is make the TCP connection (whether SSL or not) in anticipation of a link being clicked. The speculative connect API does not send any data in the TCP pipe it is creating. By opening the TCP link early, once the link is clicked, the TCP connection is probably ready to go, cutting down a bit on setup delay (which can sometimes be substantial if DNS is slow to resolve or the connection is using SSL), thus making the click seem more responsive to the user.
But nowhere in the docs is any mention of actual requests made to the server or any data downloaded from the server... until you click the link. Thus, the only information leaked by hovering over a link but not clicking on it is your externally-known IP address, which may show up in the error logs of the webserver as a dropped connection. There seems to be no danger of accidentally downloading a virus simply by hovering over a click.
If I'm missing something, please let me know.
Now just a Hover-by will do....
I consider this to be rather extreme, and people are putting up with this? I certainly hope not! If computer science is to become a part of primary education, network sniffing better be the first and most important thing to burn into the kid's mushy brain.
“He’s not deformed, he’s just drunk!”
What are the other things it does that are bad for privacy?
Phoning home every damn time you start it up to "check for updates" to plugins.
Having a mozilla website be the default home page, so you automatically visit mozilla.com before you can get to the point where you can set your home page to be about:blank.
Having a default where it shows you (and anyone who happens to be in eyeshot) thumbnails of sites you've visited.
I haven't found a way around the second issue, but the first can be stopped. Set plugins.update.url to "" using about:config.
Simply hovering --
Now my system will connect to things I would elect to not connect to.
It is clear that network connections and data in a cache are no
longer valid in a court of law.
With such a feature there is no reasonable expectation that anyone
looked at or was in fact interested in anything.
The good news is web sites that count will see their hit count
jump for joy... Ponder an email with
https://www.hillaryclinton.com...
https://23.235.47.75/
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
I don't. "yum install lynx" was all it took to put it on my system.
Gmail caches any images in an email, and serves them through their own servers, in order to prevent tracking bugs from having any effect.
The greater concern for me is what happens when you hover over a link that causes action by virtue of the URL being hit? I assume they must have done some filtering-out GET URLs, but...what about URLs that are prettified? Jesus, this is such a bad idea all around.
Please help metamoderate.
See: http://dilbert.com/search_resu...
Maybe. But, that's nothing compared to some of the Komrades at Mozilla having inkorrekt thoughts. That had to be end...
In Soviet Washington the swamp drains you.
In some sites I know all links are safe (e.g. my work homepage).
In other places, it's vital that the link is not fetched on mouseover (e.g. spam links -- that's the way they know you exist so they can pester you even more).
IOW there should be a whitelist.
Cleaned-up Firefox builds: Iceweasel and Palemoon
I hate to break it to you, but Chromium has done this for years.
Required reading for internet skeptics
The scenarios are entirely possible.
An SSL handshake bug ... which we've seen before is still entirely possible. You don't need to send a HTTP protocol request for an SSL bug to fuck you over.
Its also trivial to continue to leak information by setting up the connect to a particular host without sending the full request based on how the host link is configured.
Simply configure your spam email/site to point to individual IPs and port combos for every email you send, then when viewed in a browser, this presetting up of conditions can still be used for confirmation of email delievery as well as potentially exploiting bugs in the browser, which is a safe bet to exist based on the ignorance of this feature.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Phoning home every damn time you start it up to "check for updates" to plugins.
If the only data it's sending is "I'm version 39.0.1 (GNU/Linux i686)", I wouldn't call that "phoning home". Most people probably want this behaviour.
Having a mozilla website be the default home page, so you automatically visit mozilla.com before you can get to the point where you can set your home page to be about:blank.
Again, if all they know is that someone on your IP address has opened a browser while connected to the internet, it's barely a privacy issue.
Having a default where it shows you (and anyone who happens to be in eyeshot) thumbnails of sites you've visited.
I think most users want that behaviour. It's more useful than a blank page. It's no different to your file browser showing thumbnails and filenames of whatever's in the current working directory when it starts.
If there are pages you don't want showing up there, you can click the (x) on the thumbnail.
I do complain when I see a real issue, but I also have to say that Firefox gets it right 99.9% of the time.
Help build the anti-software-patent wiki
The Home page can be changed in the preferences window. For the tab thumbnails,
In about:config, create these Boolean settings, (right click on page)
name: browser.pagethumbnails.capturing_disabled with value: true
name: pageThumbs.enabled with value: false
Delete the thumbnails directory in your profile.
Alternatively, use SeaMonkey or one of the Firefox forks.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Still saves the thumbnails.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Use Palemoon. Looks ike classic Firefox including the plugins but without the recent bloat and anti-user behaviour. And without Australis too.
I'll add: there's also the
browser.pageThumbs.enabled
... boolean; I see references to both on the internet. /shrug
"browser.pageThumbs.enabled" just stops the tab preview from appearing, which is what many actually want. The other totally disables producing the page, which others are looking for.
As usual it comes down to individual preference and all we can do is give choices.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
What makes you think Iceweasel "cleans" things up? Most, if not all, of the Firefox behaviors are left as is in Iceweasel, with the exception of auto-updating being the major exception, as far as I can tell.
The prefetch setting in Iceweasel is exactly as described in the OP. I have just changed mine.
Sent from my ASR33 using ASCII
If you get your connection by tethering on a limited data plan, then this setting effectively constitutes theft.
Sent from my ASR33 using ASCII
Honestly, for the last four years or so, the only news I see about Firefox here on Slashdot is the "bad news". The foundation keeps introducing new features nobody asked for and keeps changing the familiar user interface. About the only time I thought something good is coming out of the Firefox is when they announced that Firefox will block third-party cookies by default, thus ending one of the biggest routes to privacy violation on the web.. then nothing happened. Firefox has already sold itself to commercial interests, but some how we continue using it by default as if there were no alternatives.
"Lynx" is quite good for detangling bad websites, and for reviewing privacy negligent or security suspicious websites: it's a purely text-only browser and does not run Javascript at all.
When Mozilla - the new browser - was becoming muddled with senseless features and cumbersome crap, someone forked it and created project Phoenix. It was lean, simple, fast and reliable. People loved it and switched to it en masse.
Due to trademark problems, Phoenix was renamed to Firebird, and later to Firefox.
Mozilla team mostly abandonned Mozilla, leaving only a slowly dying "Seamonkey" branch, and moved to Firefox. And they immediately began shitting it up just like they did with original Mozilla. Currently the shit-up is reaching its apogeum.
Someone needs to fork it again and start a new Phoenix. And don't let the current team touch it!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Give me Nautipolis or Orthodox any day.
Il n'y a pas de Planet B.
In the same sense that selling a less efficient car (than what? dunno) is theft of your fuel?
Vivaldi, maybe? It's a technical preview at the moment, but they're on the 4th release now since early in the year, so it's progressing steadily.
FF is open-source, is it not? Get the source, chop out all the stuff you don't like/want, and compile your own personal fork of it.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
What is the use-case for this sort of action? Was a link between hovering and going to a site established? What makes this a 'feature'?
"Consensus" in science is _always_ a political construct.
I changed to Pale Moon some time ago and it seems good. At least better than FF (it is a fork).
So they felt left-out and added this option to decrease security significantly _and_ make it hard for users to prevent that....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Now you don't even have to even click a link to get on A List!
Doesn't matter. The NSA considers all Firefox users to be extremists anyway.
Given how unsecure firefox is I'd have thought the NSA would prefer everyone use it...
In the free world the media isn't government run; the government is media run.
Pale Moon is no longer a Firefox build, having diverged and fully forked the codebase well before Australis hit. It's now its own thing. Pretty much the only way to avoid the endless stream of crap going into the Firefox codebase these days.
== Jez ==
Do you miss Firefox? Try Pale Moon.
I never found the time to share and explain my firefox configuration, but this thread had the incentives to do it. Now you can check http://www.trek.eu.org/text/fi... with a downloadable user.js tuned just for security and privacy in mind.
Firefox disappoints sometimes, but only because we have high expectations of it.
The expectations we have of Firefox is no different from what they were actively achieving and delivering without issue many years ago.
They seem to be actively going out of their way to not meet expectations. I wouldn't consider that we have set the bar very high when all that needs to be done is not introduce some shitty new feature.
What about Pale Moon? /. a few months ago, I tried it, and was convinced...
Someone suggested it on
What do you mean, you miss it? Lynx is still actively developed.
Where can I donate?
speed does not disappoint to much. But the trust is broken again and again. If you do not configure A LOT, they send much data to different entities, before you even use it. For example generating an unique key and sending it to google to receive encrypted phishing-blacklists. sending telemetry to mozilla. Requesting advertisment tiles. and so on.
somebody should take gecko and some of the code and make a minimal browser. With addons. Like Phoenix.
The idea is, to predict what you will click on and use the time where you are idle (i.e. reading) and have a lot of unused bandwidth to have prefetched something when your bandwidth is used by loading other stuff of the site. So it's not too stupid, if you know it and if you want it and if it works in a reasonable way.
If the only data it's sending is "I'm version 39.0.1 (GNU/Linux i686)", I wouldn't call that "phoning home". Most people probably want this behaviour.
Yes, most people prefer convenience over privacy and will give up the latter for the former. Tell someone they'll get points or discounts for using the Safeway club card and they'll happily let a large corporation track everything they buy. Or Costco, where you MUST have the "loyalty card" (membership) to buy anything. It doesn't strike home how pervasive their monitoring is until a Costco employee walks up to you with a list of everything you've bought in the last year and tells you that you could save $16 if you paid $50 for the next higher level of membership.
To check for updates to plugins, it has to ask about the plugins you have, so you are telling someone what plugins you have installed.
Again, if all they know is that someone on your IP address has opened a browser while connected to the internet, it's barely a privacy issue.
It's not just that someone has opened a browser, even though that it technically a privacy violation (why should Mozilla get notices when that happens?), it's that the browser has been installed on another computer and whatever information is sent in the headers to help identify it (along with IP address).
I think most users want that behaviour.
You're confusing "most people want" with "privacy violation".
It's more useful than a blank page.
So? Now you don't understand the difference between "useful" and "privacy".
If there are pages you don't want showing up there, you can click the (x) on the thumbnail.
Great. Solution after the fact.
The Home page can be changed in the preferences window.
Of course. I know that. But how do you get to the preferences window before you've started the browser for the first time and it runs off to report to Mozilla that there's another installation?
The issue isn't just that it HAS a start page set to that, it is that the DEFAULT start page is set to that and you can't change it until you've already been to the start page. As far as I know, there isn't even a profile before you run it the first time, so you can't edit a profile file to change the behaviour.
The default home page could be set to a file:// that has a link that says "if you want Mozilla to be your home page, click here", for example.
And yes, I know how to turn off the thumbnails, but the fact that it is on by default is another example of Firefox getting privacy WRONG. They get it wrong but you can jump through hoops to fix it. They should get it right by default.
You're confusing "most people want" with "privacy violation".
You're making an "all-or-nothing" mistake, repeatedly.
Privacy can never be all-or-nothing. Leaving one's curtains drawn or leaving one's house increases the risk of being photographed, but I still recommend doing both. The trick is to get risks and violations down to acceptably low levels.
How low can you go? Depends on how much inconvenience/effort/cost you're willing to accept. In general, there's a law of diminishing returns, so it's best to make some effort to reduce risks somewhat in all aspects of life rather than putting a lot of effort into getting a small few problems down to zero.
If there are [Firefox tiles] you don't want showing up there [in new tabs], you can click the (x) on the thumbnail.
Great. Solution after the fact.
No. Wrong, wrong, wrong. It's a solution to all but the first occurence of the problem. If you open a browser a thousand times, but you click (x) the first time, then I've reduced the problem by 99.9%. If you can't see this then you don't understand privacy.
99.9% is acceptably low for most things. Do it, and move on to the next problem. Don't dwell on the 0.1% - this is time wasted that could be spent on reducing something else by 50, 90, or 99.9%.
Help build the anti-software-patent wiki
Perhaps just launch it pointed at a safe URL on first launch (untested without a profile), firefox http://127.0.0.1./ Other then that you will have to jump through hoops, even omni.ja is hard to unzip and rezip after manually editing the default preferences.
I do agree that Firefox gets much wrong which is why I don't usually run it, preferring the suite as it is actually lighter now, not as privacy invading and has a consistent interface.
https://en.wikipedia.org/wiki/Inverted_totalitarianism