Slashdot Mirror


How to Quash Firefox's Silent Requests

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API. Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.


  1. Thanks anonymous reader! by ciaran2014 · · Score: 5, Insightful

    Thanks for the info! (And for putting it in the summary)

    --
    Help build the anti-software-patent wiki
    1. Re:Thanks anonymous reader! by ciaran2014 · · Score: 5, Informative

      And for anyone new to Firefox, to set that variable:

      1. Type "about:config" into the address bar (and you'll see a list of variables)
      2. Copy'n'paste "network.http.speculative-parallel-limit" into the search bar at the top of that page and hit Return
      3. You'll now just have that one line on the page. Double-click it (or right click on it and select "Modify")
      4. A box pops up, you change the value to 0, and hit OK.

      Done.

      (The first time you look at "about:config", Firefox might ask you "Are you sure you know what you're doing?" Obviously you say yes to this.)

      (Yes I know I've explained it as if talking to a ten year old, but protecting your privacy is important so it's important that absolutely everyone can do it.)

      --
      Help build the anti-software-patent wiki
    2. Re:Thanks anonymous reader! by drinkypoo · · Score: 5, Informative

      You think this'll change back when Firefox updates?

      I've always had good luck with explicitly set variables being carried forward successfully.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Thanks anonymous reader! by Zero__Kelvin · · Score: 3, Interesting

      "And I'll be a monkey's buttplug if I can make sense of the FireFox build process."

      So you are saying that you can make sense of the FireFox build process. Good for you!

      "Make sure you've read and understood the whole comment before replying."

      I've been writing code for more than 30 years, and I can assure you that no even moderately competent software professional would claim that "It's a hell of a lot easier to make changes in binaries at this point in time." Claiming #ifdefs are a problem just cuts to the core of how completely incompetent you are.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Thanks anonymous reader! by ciaran2014 · · Score: 3, Insightful

      RMS was right.

      Hmmm, a nugget of sense in your second load of nonsense. Or is it just a case of a stopped clock being right twice a day...

      --
      Help build the anti-software-patent wiki
    5. Re:Thanks anonymous reader! by Anonymous Coward · · Score: 3, Informative

      Most likely not. But you can create a file called user.js in your Firefox profile folder with the line

      user_pref("network.http.speculative-parallel-limit", 0); // no connections on link hover

      IMO keeping your GUI-less settings in this file is the easiest way to manage them and remember what you've changed. Be aware though that support for it might be removed one day: https://bugzilla.mozilla.org/show_bug.cgi?id=672630
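
To check whether the setting described in the comments above is actually in force for a profile, and to pin it in user.js if it is not, something like the following can be used. This is an added example, not code from the thread or from Mozilla; the function names are hypothetical, the profile directory is passed in by the caller, and the demo profile with its value of 6 is constructed.

```python
import re
import tempfile
from pathlib import Path

PREF = "network.http.speculative-parallel-limit"
LINE = f'user_pref("{PREF}", 0); // no connections on link hover'
# Matches the user_pref("name", value); lines used by prefs.js and user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_prefs(path):
    """Return {name: raw value} for each user_pref() line; a later line wins."""
    prefs = {}
    if path.is_file():
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            m = PREF_RE.match(line)
            if m:
                prefs[m.group(1)] = m.group(2)
    return prefs


def audit_profile(profile_dir):
    """Return (state, source) for the speculative-connect pref in one profile.

    user.js is applied at every startup, so it is checked before prefs.js,
    which holds the values changed through about:config.
    """
    profile = Path(profile_dir)
    for name in ("user.js", "prefs.js"):
        value = read_prefs(profile / name).get(PREF)
        if value is not None:
            return ("disabled" if value == "0" else "enabled", name)
    # Not overridden anywhere: the shipped default applies, which the page
    # describes as speculative connections being on.
    return ("enabled", "default")


def enforce(profile_dir):
    """Append the pref to user.js unless user.js already sets it to 0."""
    profile = Path(profile_dir)
    if audit_profile(profile) == ("disabled", "user.js"):
        return False
    with open(profile / "user.js", "a", encoding="utf-8") as fh:
        fh.write("\n" + LINE + "\n")
    return True


if __name__ == "__main__":
    # Constructed profile directory standing in for a real Firefox profile.
    demo = Path(tempfile.mkdtemp())
    (demo / "prefs.js").write_text(f'user_pref("{PREF}", 6);\n', encoding="utf-8")
    print("before:", audit_profile(demo))
    print("changed:", enforce(demo))
    print("after:", audit_profile(demo))
```

Firefox has to be restarted before a new user.js line takes effect.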

    6. Re:Thanks anonymous reader! by Zontar+The+Mindless · · Score: 3, Funny

      (No, we're just mightily surprised that you'd admit to trying to follow the link.)

      --
      Il n'y a pas de Planet B.
    7. Re:Thanks anonymous reader! by Rockoon · · Score: 2

      maybe he just hovered over the link and his firefox failed to connect

      --
      "His name was James Damore."
    8. Re:Thanks anonymous reader! by TheRaven64 · · Score: 2

      Unless Firefox is using a different API to other browsers that use this service, they do *not* send the URL to Google, they send a hash. If there is a match with the blacklist, then Google returns the URL. This means that Google is only aware of the URL that you're accessing if they are in the blacklist. I turn it off too, because it's a bit more information leaking than I'm comfortable with, but it's not the same as sending every URL to Google.

      --
      I am TheRaven on Soylent News
    9. Re:Thanks anonymous reader! by ciaran2014 · · Score: 3, Interesting

      AFAIK, it's actually better still: only a *portion* of the hash is sent. Google then sends you its matching hashes and their corresponding classification (malware, not malware), and your computer compares the full hash to the list received.

      So Google doesn't even know if you accessed a blacklisted URL.

      --
      Help build the anti-software-patent wiki
  2. Tired... by Anonymous Coward · · Score: 5, Insightful

    Tired of keeping track of how to disable firefox new 'features'...

    1. Re: Tired... by Desler · · Score: 2

      My current pieve

      You have a rural church from the Middle Ages?

    2. Re: Tired... by Anonymous Coward · · Score: 2, Informative

      Yeah that's a pain, fix it by flipping "browser.urlbar.formatting.enabled" to false.

    3. Re:Tired... by Alsee · · Score: 2

      In the next release or two, Firefox is going to start blocking you from loading any extension that hasn't been approved and signed by them. People have been SCREAMING on their message boards for a way to disable/override this, but they flat out refuse. The only way to get around it is to install a non-standard browser executable.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  3. Need a new browser. Not Chome, not IE, Not FF. by Anonymous Coward · · Score: 5, Insightful

    *Another* setting I have to alter.

    I can't trust FF any more. A little while back I looked around for a replacement, but no luck.

    Chrome is obviously so far beyond the pale it's keeping New Horizons in good company. MS have jumped the shark on privacy, IE is out. Firefox you can't trust, every update makes changes I dislike and it's huge, fat, slow and bloated.

  4. Thank you by GoodNewsJimDotCom · · Score: 4, Insightful

    There is a security flaw in email where spammers can validate you're an active email if you have images turned on. I guess if you accidentally hover their link that they can see you're an active email too! I set my network.http.speculative-parallel-limit to 0 in the url: about:config.

  5. Re:Need a new browser. Not Chome, not IE, Not FF. by Anonymous Coward · · Score: 5, Funny

    Upgrade to Windows 10 and use Microsoft Edge.

  6. Re:Need a new browser. Not Chome, not IE, Not FF. by ciaran2014 · · Score: 4, Insightful

    Firefox disappoints sometimes, but only because we have high expectations of it.

    I disagree with a few things they've done in the last two or three years but it's still light years ahead of the rest in terms of respecting your privacy, not trying to lock you in, being free software, supporting open standards (and not just as part 1 of a bait-and-switch, which I suspect all other browsers of), and a few other metrics.

    I've no idea how it compares for speed - I wouldn't even give the other browsers a test run.

    --
    Help build the anti-software-patent wiki
  7. "more recent" means since 2012... by Anonymous Coward · · Score: 4, Informative

    Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link.

    Looking at the bug request that was linked in the summary, it appears that "more recent versions" of Firefox means "all versions since 2012".

  8. Webmail obvious security issue by Anonymous Coward · · Score: 5, Insightful

    So... If you open a spam email via some webmail client, and hover over a link to see if it leads to where you expect (common thing to do if you're unsure if the email is legit or not)....
    Then, Firefox will connect to that link??????
    There are often unique hashes which identify exactly which email recipient the spam got to! It's not much different than actually clicking a link, and validates the email!

    That's about the most evil scenario I can think of and I don't like it one bit.

  9. Bugs? by Stoutlimb · · Score: 5, Insightful

    I could see a nightmare scenario with poorly implemented "click to buy" or voting websites. Some nations, in the cases of stuff like CP, make it illegal to access websites containing banned material. Now mousing over links can look identical to accessing, according to log files. What a mess.

    1. Re:Bugs? by Kelson · · Score: 5, Informative

      According to the docs, this doesn't fire on just any random website's links, only in specific parts of the Firefox UI:

      To improve the loading speed, Firefox will open predictive connections to sites when the user hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar, or in the search field on the Home or the New Tab Page. In case the user follows through with the action, the page can begin loading faster since some of the work was already started in advance.

      That's fortunate, because firing it on any website's hover link would reach that nightmare scenario pretty quickly.

      Link prefetching on websites only happens if the site explicitly marks the link for prefetch. (Example use case: prefetch page 2 of an article from page 1.) Firefox & Chrome have done this for years.

    2. Re:Bugs? by Kelson · · Score: 5, Informative

      And looking closer at the API description, speculative connect isn't supposed to actually make the HTTP request, just set up the TCP connection. No headers, no URL, just an IP address at the network layer.

      Still technically a connection, but hardly any information is sent, and it's not mistakable for an actual click.

  10. Re: Need a new browser. Not Chome, not IE, Not FF. by ciaran2014 · · Score: 3

    By default FF doesn't respect privacy. Having the option is nice but would be nicer if the default was to respect privacy.

    What are the other things it does that are bad for privacy?

    Does anyone have a link to a page with ways to configure Firefox to respect privacy better? I'm talking about during everyday browsing, not "private mode".

    (In any case, I'm sticking with Firefox (or a derivative). It might have some spots on it but the alternatives are rotten to the core.)

    --
    Help build the anti-software-patent wiki
  11. Holy crap ... by gstoddart · · Score: 3, Insightful

    What idiot decided to do this?

    I don't want to load a link just by hovering on it. I don't want to tell every damned link in a webpage that I've looked at it. If I click on it I'll click on it, but don't just load random shit you think I might fucking want to load.

    I swear, Firefox is making some really stupid decisions of late. For a browser which used to be concerned with privacy they seem to have decided to do everything possible to reverse that.

    It's like they're either suddenly staffed by morons.

    Disappointing. Very disappointing.

    --
    Lost at C:>. Found at C.
    1. Re:Holy crap ... by TeknoHog · · Score: 2

      For a browser which used to be concerned with privacy they seem to have decided to do everything possible to reverse that.

      They should separate the actual browser part from the current behemoth, in good Unix style. I suggest the name 'Phoenix'.

      --
      Escher was the first MC and Giger invented the HR department.
    2. Re:Holy crap ... by fustakrakich · · Score: 3, Insightful

      It doesn't send anything besides the basic TCP headers.

      Does anybody here understand the implications of *simply making the connection*? What the hell is the matter with you? Unless I click, I don't want to send anything at all. Is there something here that is difficult to comprehend about this?

      --
      “He’s not deformed, he’s just drunk!”
  12. Re:Ancient news by gstoddart · · Score: 4, Insightful

    I've always thought web accelerator was a dumb naming ... we'll waste your bandwidth by downloading a bunch of shit you haven't clicked on so that if you do want it, then it is cached.

    It would load quicker if they weren't pre-fetching the entire fucking internet on the notion that I might want it at some point.

    Sorry, Mozilla, but you're simply not getting the point here.

    --
    Lost at C:>. Found at C.
  13. Re: Need a new browser. Not Chome, not IE, Not FF. by Anonymous Coward · · Score: 2, Interesting

    The only other major thing I can think of is that it (like other browsers) doesn't ask you for permissions for websites to use WebRTC, which means that sites can sniff your local IP addresses if they're clever. This is a spec issue, but unless you're in the know as to what debates are going on about this misfeature, it's easy to assume that Mozilla are dropping the ball on this (and people love to conveniently blame Mozilla when they aren't stopping bad things, but never thank them for the good they do).

  14. What's the problem? by today · · Score: 5, Informative

    I don't understand the concern, at least if I'm reading the documentation for the speculative connect API correctly (first link in blurb).

    All this seems to do is make the TCP connection (whether SSL or not) in anticipation of a link being clicked. The speculative connect API does not send any data in the TCP pipe it is creating. By opening the TCP link early, once the link is clicked, the TCP connection is probably ready to go, cutting down a bit on setup delay (which can sometimes be substantial if DNS is slow to resolve or the connection is using SSL), thus making the click seem more responsive to the user.

    But nowhere in the docs is any mention of actual requests made to the server or any data downloaded from the server... until you click the link. Thus, the only information leaked by hovering over a link but not clicking on it is your externally-known IP address, which may show up in the error logs of the webserver as a dropped connection. There seems to be no danger of accidentally downloading a virus simply by hovering over a click.

    If I'm missing something, please let me know.
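
The difference the comment above draws between a bare TCP connection and an actual request can be seen from the server side on loopback. This is an added example, not code from the thread or from Firefox; the function names and the sample request are constructed, and it covers plain TCP only, not a TLS handshake.

```python
import socket
import threading

# Constructed request standing in for what a real click would send.
SAMPLE_REQUEST = b"GET /article?id=EXAMPLE HTTP/1.1\r\nHost: localhost\r\n\r\n"


def observe_one(listener, seen):
    """Accept one connection and record what the server side learns from it."""
    conn, peer = listener.accept()
    data = b""
    with conn:
        conn.settimeout(2.0)
        try:
            while chunk := conn.recv(4096):   # b"" means the client closed
                data += chunk
        except socket.timeout:
            pass
    first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    seen.append({"peer_ip": peer[0], "bytes": len(data),
                 "request_line": first_line})


def connect(port, payload=None):
    """Client side: open a TCP connection, optionally send a request, close."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        if payload:
            s.sendall(payload)


def run_demo():
    """Return the server's view of a handshake-only connection, then a request."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))       # any free loopback port
        listener.listen(2)
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        for payload in (None, SAMPLE_REQUEST):
            t = threading.Thread(target=observe_one, args=(listener, seen))
            t.start()
            connect(port, payload)
            t.join()
    return seen


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

The first record carries only the peer address and zero payload bytes; the path and query string appear only in the second, once a request is actually sent.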

    1. Re:What's the problem? by BitZtream · · Score: 4, Insightful

      So right off the top of my head, two examples of things you're missing:

      An SSL handshake bug ... which we've seen before is still entirely possible. You don't need to send a HTTP protocol request for an SSL bug to fuck you over. Unless of course you think Firefox is flawless and bug free ... which we are 100% certain will never be the case.

      It's also trivial to continue to leak information by setting up the connection to a particular host without sending the full request based on how the host link is configured.

      Simply configure your spam email/site to point to individual IPs and port combos for every email you send, then when viewed in a browser, this presetting up of conditions can still be used for confirmation of email delivery as well as potentially exploiting bugs in the browser, which is a safe bet to exist based on the ignorance of this feature.

      And this is why just because YOU don't understand why security works the way it does, doesn't mean you've thought of all the actual scenarios.

      Let's see what else: TCP connects cost bandwidth, not much, but some, this is just another example of speculative wastefulness typical with modern programmers who have no consideration about what the costs are of the operation they are performing because it happens so fast in their dev environment they don't notice the cost. On the other hand, a very popular website will now notice many more idle connections, which are not free, maybe not even cheap, because Firefox is being retarded and forgetting Internet Security 101.

      Throw in using a custom DNS hostname for every URL thrown into an email or web page, and now you can easily track hovered over links of the user without them clicking a thing.

      You don't go connecting to random machines on the Internet without specific instruction to do so, #InternetSecurity101

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  15. Nice... which TLA wanted this... by niftymitch · · Score: 2

    Simply hovering --
    Now my system will connect to things I would elect to not connect to.
    It is clear that network connections and data in a cache are no
    longer valid in a court of law.

    With such a feature there is no reasonable expectation that anyone
    looked at or was in fact interested in anything.
    The good news is web sites that count will see their hit count
    jump for joy... Ponder an email with
        https://www.hillaryclinton.com...
        https://23.235.47.75/

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  16. Re:Welcome to 2008, grandpa! by Obfuscant · · Score: 2

    I don't. "yum install lynx" was all it took to put it on my system.

  17. Not in Gmail; images are cached by SuperBanana · · Score: 3, Interesting

    Gmail caches any images in an email, and serves them through their own servers, in order to prevent tracking bugs from having any effect.

    The greater concern for me is what happens when you hover over a link that causes action by virtue of the URL being hit? I assume they must have done some filtering-out GET URLs, but...what about URLs that are prettified? Jesus, this is such a bad idea all around.

  18. This was predicted some time ago by chrism238 · · Score: 3, Insightful
  19. Mozilla and Korrekt Thoughts by mi · · Score: 2

    There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.'

    Maybe. But, that's nothing compared to some of the Komrades at Mozilla having inkorrekt thoughts. That had to be end...

    --
    In Soviet Washington the swamp drains you.
  20. Re:Are they actually seeing HTTP requests or just by BitZtream · · Score: 2

    The scenarios are entirely possible.

    An SSL handshake bug ... which we've seen before is still entirely possible. You don't need to send a HTTP protocol request for an SSL bug to fuck you over.

    It's also trivial to continue to leak information by setting up the connect to a particular host without sending the full request based on how the host link is configured.

    Simply configure your spam email/site to point to individual IPs and port combos for every email you send, then when viewed in a browser, this presetting up of conditions can still be used for confirmation of email delivery as well as potentially exploiting bugs in the browser, which is a safe bet to exist based on the ignorance of this feature.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  21. Re: Need a new browser. Not Chome, not IE, Not FF. by dryeo · · Score: 2

    The Home page can be changed in the preferences window. For the tab thumbnails,
    In about:config, create these Boolean settings, (right click on page)
    name: browser.pagethumbnails.capturing_disabled with value: true
    name: pageThumbs.enabled with value: false
    Delete the thumbnails directory in your profile.
    Alternatively, use SeaMonkey or one of the Firefox forks.

    --
    https://en.wikipedia.org/wiki/Inverted_totalitarianism
  22. Re: Need a new browser. Not Chome, not IE, Not FF. by dryeo · · Score: 2

    "browser.pageThumbs.enabled" just stops the tab preview from appearing, which is what many actually want. The other totally disables producing the page, which others are looking for.
    As usual it comes down to individual preference and all we can do is give choices.

    --
    https://en.wikipedia.org/wiki/Inverted_totalitarianism
  23. Re:Need a new browser. Not Chome, not IE, Not FF. by Anne+Thwacks · · Score: 2

    The prefetch setting in Iceweasel is exactly as described in the OP. I have just changed mine.

    --
    Sent from my ASR33 using ASCII
  24. Why hasn't anybody forked Firefox already? by guacamole · · Score: 2

    Honestly, for the last four years or so, the only news I see about Firefox here on Slashdot is the "bad news". The foundation keeps introducing new features nobody asked for and keeps changing the familiar user interface. About the only time I thought something good is coming out of the Firefox is when they announced that Firefox will block third-party cookies by default, thus ending one of the biggest routes to privacy violation on the web... then nothing happened. Firefox has already sold itself to commercial interests, but somehow we continue using it by default as if there were no alternatives.

    1. Re:Why hasn't anybody forked Firefox already? by Alsee · · Score: 2

      I haven't used it much yet, but Pale Moon may be what you're looking for. It's a fork of Firefox. The development design choices favor privacy, user-control, and improving speed&stability by dumping rarely-wanted code. Examples: They removed the Parental Controls code, they're excluding the new Firefox DRM support, they dumped support code for obsolete CPUs, they dumped some of the code for handicap-accessibility, and they are currently removing phone-home code for crash reports and other potentially privacy-violating telemetry.

      I haven't seen specific mention of it, but I'm certain there's no way in hell they will implement Mozilla's new policy of *prohibiting* you from loading any extension that hasn't been reviewed&approved&signed by Mozilla.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  25. We need a new Phoenix. by SharpFang · · Score: 2

    When Mozilla - the new browser - was becoming muddled with senseless features and cumbersome crap, someone forked it and created project Phoenix. It was lean, simple, fast and reliable. People loved it and switched to it en masse.

    Due to trademark problems, Phoenix was renamed to Firebird, and later to Firefox.

    Mozilla team mostly abandoned Mozilla, leaving only a slowly dying "Seamonkey" branch, and moved to Firefox. And they immediately began shitting it up just like they did with original Mozilla. Currently the shit-up is reaching its apogee.

    Someone needs to fork it again and start a new Phoenix. And don't let the current team touch it!

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  26. Re:Need a new browser. Not Chome, not IE, Not FF. by jez9999 · · Score: 2

    Pale Moon is no longer a Firefox build, having diverged and fully forked the codebase well before Australis hit. It's now its own thing. Pretty much the only way to avoid the endless stream of crap going into the Firefox codebase these days.