user.js: Can't stop Firefox background connections

Using tcpdump I notice that Firefox continues to make background connections regardless of the fact that I use this user.js. I even tried the additional privacy settings suggested at https://wiki.archlinux.org/index.php/Firefox/Privacy (except those for omni.ja) but still, the moment I start Firefox (which shows nothing but about:blank tab) tcpdump shows:

...
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 31
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 24
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 513
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
...

Why is this happening? (even without extensions)

I don’t want to announce to Amazon (or anyone else) “Hey, I have just started my browser, here is my IP address (personal data as per GDPR) for your purposes”. I want to connect only to the websites I explicitly type in the URL bar.

About this issue

  • State: open
  • Created 3 years ago
  • Comments: 24 (6 by maintainers)

Most upvoted comments

Thanks for the links. The main issue remains though:

I don’t want to tell Amazon (or anyone else) each and every time I run my browser “Hey, I am online, here is my IP address and the exact time I connected for your needs”. That’s personal data and as per GDPR I have the legal right NOT to give it to Amazon without that affecting the way I use my browser to connect to non-Amazon hosts. A browser like Ungoogled Chromium (or lynx) does not connect to anything in order to function without any errors due to expiry of a certificate. Why should the “privacy respecting” (and additionally fine tuned by this user.js) Firefox made by the “non-profit” Mozilla Foundation do the opposite? There must be a way to avoid that without privacy or security compromises. Would you agree?

Short answer: you can use firewall rules or modify the hosts file, see: https://github.com/arkenfox/user.js/issues/917#issuecomment-609007023

You may also look at the aliases with the nslookup command: https://github.com/uBlockOrigin/uBlock-issues/issues/1641#issuecomment-865151876

This may need source code patching, which seems beyond this project’s scope.

definitely out of scope in my opinion

Can this ticket still being open be interpreted as this being a good development goal, yet not done because it is difficult to implement?

I think yes. It is likely we will need an automated test environment setup for this (e.g. start tcpdump and firefox with the latest user.js in parallel, investigate packet captures, improve user.js, rinse and repeat until there are no more unwanted outgoing connections in the capture)

you can use firewall rules or modify hosts file

DNS/hosts file level filtering is indeed the simplest way to prevent these connections. Firewall/IP-based level filtering is extremely hard to enforce unless you know in advance to which IP these names will resolve (frequently changing IP addresses/CDN)
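To make the "capture, inspect, block by name" loop described above concrete, here is an added example (not code from the user.js project or from anyone in this thread): it parses tcpdump summary lines in the format shown in the issue, aggregates traffic per destination, lists destinations outside the hosts the user deliberately visited, and emits hosts(5) sink entries for a given list of DNS names. The sample lines, the `example.org` allowlist and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format tcpdump prints in this thread
# (host.port > host.port: tcp payload-bytes); not a real capture.
SAMPLE = """\
IP mycomputer.53304 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 31
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 24
IP mycomputer.53302 > server-143-204-209-52.fra53.r.cloudfront.net.https: tcp 0
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 513
IP mycomputer.38710 > server-52-85-121-65.bud50.r.cloudfront.net.https: tcp 0
IP mycomputer.40002 > example.org.https: tcp 517
"""

# Greedy \S+ backtracks so the last ".port" is split off the host name.
LINE = re.compile(
    r"^IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): tcp (?P<len>\d+)$"
)

def summarize(capture):
    """Aggregate tcpdump summary lines per destination host."""
    stats = defaultdict(lambda: {"flows": set(), "packets": 0, "bytes": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip "..." and anything that is not a tcp summary line
        d = stats[m["dst"]]
        d["flows"].add((m["src"], m["sport"]))  # one flow per source port
        d["packets"] += 1
        d["bytes"] += int(m["len"])
    return {h: {"flows": len(v["flows"]), "packets": v["packets"], "bytes": v["bytes"]}
            for h, v in stats.items()}

def unexpected(summary, allowed_suffixes):
    """Destinations not under any host the user explicitly typed in the URL bar."""
    return sorted(h for h in summary
                  if not any(h == s or h.endswith("." + s) for s in allowed_suffixes))

def hosts_entries(names):
    """hosts(5) lines that sink the given DNS names (0.0.0.0: nothing listens there).
    Feed this the names the browser resolved (from a DNS log, not the reverse-DNS
    CDN names tcpdump prints), since the CDN addresses change and serve many sites."""
    return "\n".join(f"0.0.0.0 {n}" for n in names)
```

Run with `tcpdump -n -l ... | python3 -c 'import sys; from thisfile import *; print(unexpected(summarize(sys.stdin.read()), ["example.org"]))'` style piping to see what a fresh start contacts before deciding what to sink.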

How do I do this on Linux?

https://wiki.archlinux.org/title/Transport_Layer_Security#Certificate_authorities

I don’t think Firefox uses the OS certificate store though? Trusted certificate authorities are hardcoded in https://github.com/mozilla/gecko-dev/blob/master/security/nss/lib/ckfw/builtins/certdata.txt

2nd CRT appears in autograph and everything is hosted by amazon

Reddit linked to this