Abrowser - What dangers in removing all HTTPS web addresses from "about:config"

28 replies [Last post]
mr.r
Offline
Joined: 07/16/2018

Hello,
What would be the dangers of removing all (except for dns resolvers, certificate verifications?) http(s) web addresses in Abrowser's "about:config"?

Will the web browser still function?

Because I would like to weigh the risk of not being protected from unknown bad actors, versus the submission to having every action I take when using the browser being subjected to the various more benevolent actors' HTTPS.... sights viewed in "about:config".
When I see those addresses, I naturally assume data collection. And when I see data collection, I assume that bad actors could be lurking to abuse access to that collected data.
(Between EFF and that Stallman, that seems reasonable. They seem knowledgeable.)

Please point out the obvious that I am bound to be missing and misunderstanding.

andyprough
Offline
Joined: 02/12/2015

> What would be the dangers of removing all (except for dns resolvers, certificate verifications?) http(s) web addresses in Abrowser's "about:config"?

Can you give us an example? I don't see web addresses in about:config in abrowser.

mr.r
Offline
Joined: 07/16/2018

Hello andyprough,
Thanks.
Yes, there are also www(s) in my abrowser's about:config, so I await this opportunity to learn more about something I misunderstand, based upon your question to my query. I guess regarding the (mis-)characterization of the www(s) versus the other addresses.

Here are some example addresses that resolve when entered into the abrowser address bar.
https://nightly.mozilla.org ;
https://safebrowsing.google.com/safebrowsing/diagnostic?site= ;
https://monitor.firefox.com/user/breach-stats?includeResolved=true ;

There are so many, so I apologize for just trying a few randomly.

I do not know how those that do not resolve from the address bar are processed by the servers, as that is hidden to me. That were part of the concern and purpose of query as well.
However, if you can tell me how my sense is not common that those addresses are not just there to look important, but for purposes of use, I would much appreciate the relief.

Also, I can't expect to be able to catch up with the members' vast knowledge on these subjects, I find it difficult. So if there is any way you could explain it to me that I as a novice (who barely understands how you turn electricity into an instruction and mechanical actuator) might understand, I would much appreciate that as well.

andyprough
Offline
Joined: 02/12/2015

OK, I see. I studied this last April and found an answer to how to handle the situation.

A group of researchers from Ireland studied the web addresses that Firefox communicates with and gave a list of them in this research article: "Web Browser Privacy: What Do Browsers Say When They Phone Home?" Douglas J. Leith, School of Computer Science & Statistics, Trinity College Dublin, Ireland 24th Feb 2020

They listed 17 URL's that Firefox tries to contact. You cannot force Firefox to not contact them by changing your settings, but you can put them in your /etc/hosts file and send them to localhost, which basically means that any communication Firefox (or abrowser) tries to make with these URLs will be thrown in the trash.

So you would want to edit /etc/hosts with your favorite editor, and add the following lines to it:

# Block Mozilla telemetry
127.0.0.1 incoming.telemetry.mozilla.org
127.0.0.1 push.services.mozilla.com
127.0.0.1 location.services.mozilla.com
127.0.0.1 accounts.firefox.com
127.0.0.1 safebrowsing.googleapis.com
127.0.0.1 accounts.firefox.com
127.0.0.1 snippets.cdn.mozilla.net
127.0.0.1 content-signature-2.cdn.mozilla.net
127.0.0.1 shavar.services.mozilla.com
127.0.0.1 mozilla.org
127.0.0.1 www.mozilla.org
127.0.0.1 firefox.settings.services.mozilla.com
127.0.0.1 search.services.mozilla.com
127.0.0.1 detectportal.firefox.com
127.0.0.1 blocklists.settings.services.mozilla.org
127.0.0.1 services.addons.mozilla.org
127.0.0.1 aus5.mozilla.org

Save the /etc/hosts file, and that's it. abrowser won't be able to communicate with those sites.

This may cause you some trouble with proper functioning of abrowser. In my testing, I did not have any serious difficulty with it. See if it works OK for you. If you find additional sites that abrowser is trying to communicate with, add them to the bottom of that list in /etc/hosts and send them to 127.0.0.1 (the localhost address, or the "trash bin").

mr.r
Offline
Joined: 07/16/2018

Hello andyprough,
Thanks.
I'll have to read the paper. I think I found some copy.

One thing I didn't get. If I were to go into about:config and either removing those addresses, or altering them in a way that made them unresolvable, would that not work?
Or, are some of those abrowser files in /.mozilla, /etc and elsewhere also initiating contacting those servers as you listed above?
It is interesting that there is the hosts.deny file and that that won't do the denying.

Not having read the article yet, that list you've highlighted suggests there is a valid question to be asked about why the contacting is in force in the first place. This especially with the well observed widespread discussions on 'opting in' rather than having to opt out.

And more, who would suspect that this condition exists when privacy (and security) is being touted as a feature?

mr.r
Offline
Joined: 07/16/2018

Hello andyprough,

I have read the research study document, "Web Browser Privacy: What Do Browsers Say When They Phone Home?" Douglas J. Leith, School of Computer Science & Statistics, Trinity College Dublin, Ireland 24th Feb 2020, that you referenced.

It would seem that yes, Mozilla (Firefox, etc.) is collecting data on its users' behaviors, and that even typing in the address bar results in transmission.
That relates to another thread topic regarding my attempt to block the Abrowser from searching from the address bar, as well.

I go out on a limb and speculate that the list of servers' and sites' addresses that you referenced from the paper cited could change (via developers, version and other updates, etc.), and that a non-expert would not be readily able to detect the additional server(s) being connected to, nor the nature and purpose of the connections.

Aside: Open Source originally instilled confidence that all code was checked by a community and thereby safety in usage was secured. That questionable assumption could cause un-safe behavior by users experiencing a false sense of assuredness that someone else has done the work which they themselves for reason(s) have not done. There is too much to check and it is constantly changing, not to mention varying levels of competence of the individual checkers themselves.

The authors of the paper suggest, and I support the suggestion, that autocomplete ought to either be turned off by default, or ought to be an opt-in immediately after first launch of the new instance of a browser. I would add that a brief explanation regarding the loss of privacy should be attached to the option.

Further, safe-browsing and other 'safety' devices open the door for user behavior data accumulation. Is that paradoxical or oxymoronic?

I don't feel as 'free' as I did before I read the paper.

andyprough
Offline
Joined: 02/12/2015

> autocomplete ought to either be turned off by default, or ought to be an opt-in immediately after first launch of the new instance of a browser. I would add that a brief explanation regarding the loss of privacy should be attached to the option.

> Further, safe-browsing and other 'safety' devices open the door for user behavior data accumulation.

Agreed. I turn off all auto-complete, spell checking, "top sites", browser password managers, safe-browsing checks (which simply send all your browsing to Google), telemetry, etc.

One good thing about Trisquel's abrowser web browser is that many of those things are turned off already and/or are not compiled into the package. If you want greater privacy, I would recommend that you use abrowser and tweak the settings for greater privacy, rather than using firefox which has some privacy violating practices compiled directly into the package.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Safe Browsing does not "send all your browsing to Google".

That feature aims to warn a user who is about to access a page that is known for phishing or about to download known malware. Let us agree it is a useful feature.

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ explains how it works in Firefox. And anybody can check whether it is true, thanks to freedom 1. In the case of phishing:

  1. Every 30 minutes, Firefox downloads, from a Safe Browsing server, a list of 4-byte hashes of URLs, which were deemed unsafe since the last update;
  2. Whenever the user is about to visit a page, the hash of its URL (excluding what is following a possible "?" in the URL) is compared with those in the local lists (no outgoing connection here);
  3. If it is not found, the page is displayed; otherwise the 4-byte hash is sent to a Safe Browsing server which returns all unsafe URLs matching the hash (there may be several: hashes suffer from collisions) and Firefox locally checks whether one of them is the URL to be accessed (if so, the warning is displayed; otherwise the page);
  4. To enhance privacy, Firefox requests, from time to time, the URLs of random hashes taken in the list.

So, through Safe Browsing, Google only knows:

  1. every 30 minutes, that an IP address has a Web browser opened;
  2. that the user may (or not: because Firefox adds noise) have visited a URL whose hash was sent: it may be one of the unsafe pages having this hash or a safe page with the same hash.

Not the privacy nightmare a naive implementation would yield. Safe Browsing's protection against malware is more intrusive. To block malware, even if it comes from unlisted pages, metadata about all binaries Firefox is about to download are sent to a Safe Browsing server. The risk of installing malware for GNU/Linux is probably not worth the privacy loss.

andyprough
Offline
Joined: 02/12/2015

Good points. The Dublin University researchers did find that Firefox's random hash's were not foolproof.

lutes
Offline
Joined: 09/04/2020

Nobody would want to be dependent on a monopolistic company for any sort of protection anyway.

"Yo do not want anything bad to happen to your family, do yo?"

EDIT: my point is not about being tracked, but about being dependent on a centralized, monopolistic service and thus giving the operator of that service far too much power.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Where did you read that in https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf ? (Pseudo)randomly drawing integers (the positions in the list of the hashes to randomly pick) in a uniform way is not hard.

EDIT: Well, proper pseudorandomness may be hard to achieve but Firefox's certainly relies on an existing library such as sys/random.h so that drawing the integer must be a couple of lines in Firefox's code.

The section IV.A on Safe Browsing reports an investigation on whether the so-called "state value" encoded in the "req" parameter, sent when fetching the hashes of URLs that were deemed unsafe since the last update, may allow to identify the device (in addition to the IP address). Again: that has nothing to to with visited pages. The result of the investigation is that "multiple clients share the same state value, including clients with the same IP address", that "the same state value is shared by multiple clients with different IP addresses" (as a consequence, a device cannot be tracked in space, when it moves from one WiFi network to another one, for instance) and that "presumably this approach is used to facilitate server load balancing". The authors add that they "saw no examples of cookies being set by safebrowsing.googleapis.com (and the API documents make no mention on them)". Their conclusion on Safe Browsing is: "Use of the Safe Browsing API therefore appears to raise few privacy concerns".

mr.r
Offline
Joined: 07/16/2018

Hello andyprough,
Thanks.

In another thread (Abrowser - Address Bar - Preference to use as search: Button unchecked, but still insists on search), I expressed concern that Abrowser's address bar was contacting the 'default' search engine when any thing was typed into the address box.
The Abrowser exhibited dropping down a search engine choice box as the letters were being typed, while indicating the default choice, which is mandatory to choose in settings.

Although I made some changes as you had suggested, and that the DuckDuckGo logo now disappears after continuing to type more letters into the address bar, after reading the above cited study paper, I do believe Abrowser is still regularly 'phoning' home to some server(s).

" ...Trisquel's abrowser web browser is that many of those things are turned off already..."

Unfortunately, I can't know which ones are turned off or are turned on.

That again was brought into question by the abrowser's address box behavior, which is constistent with the cited study showing that Firefox (Mozilla) is watching and listening for activity and collecting data and modelling behavior patterns, and etc.

As the study showed, many server contacting behaviors built in to the browser are very difficult to change if even possible, and others are completely hidden with no obvious way to change. This is by the experts, which I am not.
Further, the study tells that they only tested for cetain 'problems'. There are many more potential liabilities that require separate study techniques to test and reveal personal information and data theft.

This entire discussion goes directly to the question of avoiding bad actors such as a government, because there is no guarantee that a server or a company is not working with any given government. Big tech does not seem to have a problem doing the bidding of even certain big governments' censoring and tracking. Otherwise, how could they be permitted to operate at all in those countries? It begs, where does big government end and big tech begin, or?

And, there is no reason to believe that any country's defense departments would not want to use all technology at hand to secure their own existences.

It would be easier for me if I were knowledgeable enough to know the answers to my many questions.

andyprough
Offline
Joined: 02/12/2015

Tor Browser is also a viable option. I've been having much better browsing experiences with Tor Browser this year than ever before. The browser and the Tor network both seem to have matured enough that the browsing is now relatively fast, and even video works quite well. Most of the concerns you have with privacy and phoning home have already been stripped out of Tor Browser.

SwissScientist
Offline
Joined: 10/29/2020

Here is a guide to disable safebrowsing and more tracking features on FireFox:

https://privacytools.io/browsers/#about_config

Jorah Dawson
Offline
Joined: 12/13/2020

The best way to "clean" unsolicited hosts is by using a user.js that clears all automatic connections.

A couple of examples:
https://pastebin.com/raw/d6PDPK8v
(https://old.reddit.com/r/privacy/comments/d3obxq/firefox_privacy_guide/)

https://git.nixnet.services/Narsil/desktop_user.js/raw/branch/master/user.js
(https://git.nixnet.services/Narsil/desktop_user.js)

Other users.js are not recommended (like arkenfox) due to they maintain several connections with Mozilla and Google.

So if you write about:networking you'd see this way:

Abrowser.png
mr.r
Offline
Joined: 07/16/2018

Hello,
In fairness to the authors of the cited study, here are a few quoted statements from the introduction and conclusion sections.

"Chrome, Firefox and Safari all share details of web pages visited with backend servers."

"In addition, Firefox includes identifiers in its telemetry transmissions that can potentially be used to link these over time."

"Firefox also maintains an open websocket for push notifications that is linked to a unique identifier and so potentially can also be used for tracking and which cannot be easily disabled."

"Chrome, Firefox and Safari all tag requests with identifiers that are linked to the browser instance (i.e. which persist across browser restarts but are reset upon a fresh browser install). All three share details of web pages visited with backend servers."

This is one study on some potential hazards, not an exhaustive study on all potential hazards built in to the browsers, and then there are the extensions and other apps associated, not to mention Are there potential consequences?

"An important dimension to privacy that we do not consider here is the issue of giving and revoking consent for data use. Our measurements do raise questions..... However we leave this to future work."

"In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex."

This is interesting in that Brave seems to acknowledges by their business model (via their web site) that they need to profit to function and have chosen to allow the user to determine the extent of participation (or contribution). It is the only one in this study to be put in the top group. There are only three groups by this study's design, so being in the top group is better than being in the middle group of only three (for those that don't have time to read it).

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

I believe Abrowser (Trisquel's default Web browser) would be in "the first (most private) group" too.

andyprough
Offline
Joined: 02/12/2015

Agreed. abrowser is compiled and packaged in such a way to not do many of the problematic things that are pointed out in the study.

Jorah Dawson
Offline
Joined: 12/13/2020

If you write about:networking you'll only see detectportal and shavar.

mr.r
Offline
Joined: 07/16/2018

Hello andyprough,
Thanks again. Your and others' assistance is highly accommodating. That allows me to stick with Trisquel and Abrowser.

"Agreed. I turn off all auto-complete, spell checking, "top sites", browser password managers, safe-browsing checks (which simply send all your browsing to Google), telemetry, etc."

I ask, should you really have to?

"One good thing about Trisquel's abrowser web browser is that many of those things are turned off already..."

Again, I can not know what those many things are and whether or not they are on by default or not.

Nothing that spies on or reports on or profiles me should be turned on by default. That would be freedom.

mr.r
Offline
Joined: 07/16/2018

Hello,
Thanks.

I can not speak for the authors of the study so here is what they found.

"Chrome, Firefox and Safari all share details of web pages visited with backend servers. For all three this happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed."

Which behavior Abrowser (derived from mozilla firefox?) it appears exhibits out of the box by default. That ought to be changed and not ignored. (Stallman is back, maybe I can ask him)
Apparently, if you accidentally type (paste) your password, bank account, credit card number, or other in that address (search) box, it is already revealed. That ought to be changed and not ignored.

"Firefox includes identifiers in its telemetry transmissions that can potentially be used to link these over time. Telemetry can be disabled, but again is silently enabled by default."

Is this turned off by default in Abrowser?

"Firefox also maintains an open websocket for push notifications that is linked to a unique identifier and so potentially can also be used for tracking and which cannot be easily disabled."

Is this turned off by default in Abrowser?

Is Abrowser better than other browsers in a hundred different ways? I have heard that. That does not negate remaining security concerns.
So even though I give some thumbs up, and I obviously like it, I am still appropriately concerned.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

I let andyprough replies: he knows better and, because of tweaks, extensions, ..., I am not sure what are the defaults anymore. Anyway, https://gitlab.trisquel.org/trisquel/package-helpers/-/blob/etiona/helpers/make-firefox strongly suggests that telemetry is disabled by default. As for the autocomplete features, are you sure you are not simply seeing completions based on local data? Your history, your bookmarks, the previous searches you typed, etc.

lutes
Offline
Joined: 09/04/2020

Safe Browsing was definitely turned on by default on my Trisquel 9 Abrowser version.

I learned about it thanks to your posts here and andy's replies to them.

Google is slowly finishing eating us. The only remaining question is which stage of digestion we are exactly in.

On a more positive note: I agree about Tor Browser and Brave. They might allow users to somehow hop from the reticulum back to the rumen.

EDIT: my mistake, I got lost in config. In Abrowser, resetting safe browsing related options to defaults appears to turn it OFF. There is still hope in Abrowser - to the extent that the rumen can be considered a nice place to dwell of course.

andyprough
Offline
Joined: 02/12/2015

Yes, I'm pretty sure that telemetry is turned off by default in abrowser. I haven't installed a new version in a few weeks, so I don't recall for certain what the defaults were, but I don't recall needing to turn off telemetry.

On the open websocket for push notification, I don't know what that is, that would take a bit of exploring. I see a bunch of settings in about:config - it would be worth trying to turn these off to see if it causes any problem:
dom.push.connection.enabled - toggle to "False"
network.http.spdy.allow-push - toggle to "False"
dom.push.serverURL - delete the 'wss://push.services.mozilla.com/' server URL

It would be worth trying those changes and see if any problems result from it. I don't know what Firefox is using push for - maybe for webmail notification?

mr.r
Offline
Joined: 07/16/2018

Hello,
It remains unclear to me as to the security and privacy considerations discussed as they pertain to Abrowser.

While I would like to see vulnerabilities resolved, I certainly would not be justified in demanding it be done.

However, if security and privacy issues exist in Abrowser, and of those that are known or suspected, I believe Abrowser (and Trisquel) should then come with appropriate specific warnings.

It is also even more imperative to do so where it has been suggested or advertised that certain security and privacy measures have been implemented, but while others not mentioned have not. Because, a false sense of security could arise from bad assumptions, e.g. dangerous things have been taken care of.
Thanks.

andyprough
Offline
Joined: 02/12/2015

> I would like to see vulnerabilities resolved

You have not shown us any actual security vulnerabilities.

> However, if security and privacy issues exist in Abrowser, and of those that are known or suspected, I believe Abrowser (and Trisquel) should then come with appropriate specific warnings.

That would be true if actual security vulnerabilities were truly suspected. But we have access to all the actual security CVE's for firefox, and I see no reason to believe that abrowser is doing anything to make users more vulnerable to them.

You and I might like for some of the default privacy protecting settings to be tightened down more where possible, but those are not actual security vulnerabilities. And ultimately, securing your privacy is not something that someone else can do for you. You have to educate yourself and take steps for yourself.

.............................................

By the way, I turned off everything related to "push" in about:config, and have not noticed any bad effects for abrowser:
dom.push.connection.enabled - toggle to "False"
network.http.spdy.allow-push - toggle to "False"
dom.push.serverURL - delete the 'wss://push.services.mozilla.com/' server URL

There is also a setting in Preferences to turn off the ability for websites to ask to place notifications. Preferences-Privaty & Security-Settings Notification Permissions- check the box that says "Block new requests asking to allow notifications".

mr.r
Offline
Joined: 07/16/2018

Hello andyprough,
Thanks.

> "You have not shown us any actual security vulnerabilities. "

Are you saying that the Study has not shown any actual security vulnerabilities? Or are you saying that you disagree with the study?

I thought I was plain in that I do not have the expertise to prove out these things one way or the other. To reassert, I do not.

> "...I see no reason to believe that abrowser is doing anything to make users more vulnerable to them."

Do you suggest that Firefox is not vulnerable and coincidentally that Abrowser is equally not vulnerable? Or, is Firefox vulnerable and Abrowser equally as vulnerable?

> "You and I might like for some of the default privacy protecting settings to be tightened down more where possible, but those are not actual security vulnerabilities. And ultimately, securing your privacy is not something that someone else can do for you. You have to educate yourself and take steps for yourself. "
and
> "Preferences-Privaty & Security-Settings..."

I have no reason to consider Privacy and Security as separate issues. Compromising vulnerabilities in eithers' catagorizations opens the windows to the other's. Would you dispute that potential?

> "...securing your privacy is not something that someone else can do for you."

I disagree wholeheartedly. e.g. I would not like to hear that from the engineers and builders of airplanes or automobiles. Neither would I like to find out that the engineers or builders took a popularity vote to see which way things ought be done. I prefer it to be done the best way and in a way that makes things work perfectly. This for obvious reasons.

mr.r
Offline
Joined: 07/16/2018

Hello,

After changes in Abrowser's about:config attempting to disallow various servers being contacted without notice, at least one web site,

Amazon.com now demands completion of a "captcha" in order to proceed to its main page.

Amazon.com claims the verification is needed to prove Abrowser is not a bot. (Bots aid Amazon and others to increase web presence, so I don't 'buy it'.)

This indicates to me that Abrowser was previously communicating information about my system that Amazon.com, for one, at least, feels it has an absolute right to.
Abrowser is doing this without notification to the user.
And I thought I was already blocking Amazon and others from knowing anything about me other than my ISP location, and of course the current series of searches and clicks.

I have not run into this demand for proof of life while using another of the mozilla browsers also having removal of server addresses from about:config. That is, not while merely perusing a site, as opposed to sending to the site or receiving guarded information.

Abrowser, with its birth in the 'free' software movement, illuminates the need to answer the question: Can there be "libre" without privacy?

Thanks.

andyprough
Offline
Joined: 02/12/2015

> After changes in Abrowser's about:config attempting to disallow various servers being contacted without notice, at least one web site,

> Amazon.com now demands completion of a "captcha" in order to proceed to its main page.

Could easily be a coincidence - websites like amazon demand captchas for all kinds of reasons, such as "adblocker detected" or "it's Tuesday".

> This indicates to me that Abrowser was previously communicating information about my system that Amazon.com, for one, at least, feels it has an absolute right to.

That does not sound accurate to me. What is probably happening is that amazon is having a hard time fingerprinting you because of some heightened privacy measures you've taken, and they've decided you are acting "suspicious" and they need to "punish" you.

If you want to trace all the network connections to and from your machine, get the wireshark program.