Slashdot Mirror

← Back to Stories (view on slashdot.org)

How to Quash Firefox's Silent Requests

Posted by timothy on from the ping-ping-ping-bzzzzt dept.

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API . Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.

11 of 294 comments (clear)

  1. Thanks anonymous reader! by ciaran2014 · · Score: 5, Insightful

    Thanks for the info! (And for putting it in the summary)

    --
    Help build the anti-software-patent wiki
    1. Re:Thanks anonymous reader! by ciaran2014 · · Score: 5, Informative

      And for anyone new to Firefox, to set that variable:

      1. Type "about:config" into the address bar (and you'll see a list of variables)
      2. Copy'n'paste "network.http.speculative-parallel-limit" into the search bar at the top of that page and hit Return
      3. You'll now just have that one line on the page. Double-click it (or right click on it and select "Modify")
      4. A box pops up, you change the value to 0, and hit OK.

      Done.

      (The first time you look at "about:config", Firefox might ask you "Are you sure you know what you're doing?" Obviously you say yes to this.)

      (Yes I know I've explained it as if talking to a ten year old, but protecting your privacy is important so it's important that absolutely everyone can do it.)

      --
      Help build the anti-software-patent wiki
    2. Re:Thanks anonymous reader! by drinkypoo · · Score: 5, Informative

      You think this'll change back when Firefox updates?

      I've always had good luck with explicitly set variables being carried forward successfully.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Tired... by Anonymous Coward · · Score: 5, Insightful

    Tired of keeping track of how to disable firefox new 'features'...

  3. Need a new browser. Not Chome, not IE, Not FF. by Anonymous Coward · · Score: 5, Insightful

    *Another* setting I have to alter.

    I can't trust FF any more. A little while back I looked around for a replacement, but no luck.

    Chrome is obviously so far beyond the pale it's keeping New Horizons in good company. MS have jumped the shark on privacy, IE is out. Firefox you can't trust, every update makes changes I dislike and it's huge, fat, slow and bloated.

  4. Re:Need a new browser. Not Chome, not IE, Not FF. by Anonymous Coward · · Score: 5, Funny

    Upgrade to Windows 10 and use Microsoft Edge.

  5. Webmail obvious security issue by Anonymous Coward · · Score: 5, Insightful

    So... If you open a spam email via some webmail client, and hover over a link to see if it leads to where you expect (common thing to do if you're unsure if the email is legit or not)....
    Then, Firefox will connect to that link??????
    Their often unique hashes which identify exactly which email recipient the spam got to! It's not much different than actually clicking a link, and validates the email!

    That's about the most evil scenario I can think of and I don't like it one bit.

  6. Bugs? by Stoutlimb · · Score: 5, Insightful

    I could see a nightmare scenario with poorly implemented "click to buy" or voting websites. Some nations, in the cases of stuff like CP, make it illegal to access websites containing banned material. Now mousing over links can look identical to accessing, according to log files. What a mess.

    1. Re:Bugs? by Kelson · · Score: 5, Informative

      According to the docs, this doesn't fire on just any random website's links, only in specific parts of the Firefox UI:

      To improve the loading speed, Firefox will open predictive connections to sites when the user hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar, or in the search field on the Home or the New Tab Page. In case the user follows through with the action, the page can begin loading faster since some of the work was already started in advance.

      That's fortunate, because firing it on any website's hover link would reach that nightmare scenario pretty quickly.

      Link prefetcing on websites only happens if the site explicitly marks the link for prefetch. (Example use case: prefetch page 2 of an article from page 1.) Firefox & Chrome have done this for years.

    2. Re:Bugs? by Kelson · · Score: 5, Informative

      And looking closer at the API description, speculative connect isn't supposed to actually make the HTTP request, just set up the TCP connection. No headers, no URL, just an IP address at the network layer.

      Still technically a connection, but hardly any information is sent, and it's not mistakable for an actual click.

  7. What's the problem? by today · · Score: 5, Informative

    I don't understand the concern, at least if I'm reading the documentation for the speculative connect API correctly (first link in blurb).

    All this seems to do is make the TCP connection (whether SSL or not) in anticipation of a link being clicked. The speculative connect API does not send any data in the TCP pipe it is creating. By opening the TCP link early, once the link is clicked, the TCP connection is probably ready to go, cutting down a bit on setup delay (which can sometimes be substantial if DNS is slow to resolve or the connection is using SSL), thus making the click seem more responsive to the user.

    But nowhere in the docs is any mention of actual requests made to the server or any data downloaded from the server... until you click the link. Thus, the only information leaked by hovering over a link but not clicking on it is your externally-known IP address, which may show up in the error logs of the webserver as a dropped connection. There seems to be no danger of accidentally downloading a virus simply by hovering over a click.

    If I'm missing something, please let me know.