Sat Jul 26 16:20:27 CEST 2008

deactivating firefox3 behind-the-curtain requests

I don't know about you or the general FF3 userbase, but I myself want my browser to _not_ do any requests without my knowledge and consent - at best I want my browser only to perform those requests that I tell it to do and *nothing* more.
This paradigm might not be what FF3 developers have in mind, thus I won't blame them for making all those annoying default settings. Still, to modify FF3's behavior so that I can live with it, quite a number of changes turn out to be required.

Note: following these settings might not really improve your security or performance; it just leads to fewer requests behind the curtain. As a matter of fact, it might even impose a higher risk on users unaware of the consequences of those changes!

Luckily, most of the FF3 annoyances can be changed in the usual FF way - about:config to the rescue!

Now, among other annoyances, there are a number of features which perform background requests to Mozilla or Google servers:

  • Safebrowsing

    Google has implemented the so-called safebrowsing feature in Firefox. It checks every domain you visit against an offline blacklist (n.b. this list can of course never be complete and, even worse, it might very well contain false positives). If Firefox finds the domain in its blacklist, the safebrowsing feature then sends a request including the to-be-visited URL to http://safebrowsing.clients.google.com to check whether the page is still marked as bad or not. In case it's still flagged as bad, Firefox will display a huge warning page instead of the target webpage.
    The offline blacklist is updated on a daily basis; the last update timestamp is always saved in urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey
    You can either use the Preferences/Security panel to deactivate the checks or simply change both

    browser.safebrowsing.enabled
    browser.safebrowsing.malware.enabled
    
    to false to deactivate the daily d/l of the blocklist as well as the off- and online blacklist checks.

  • Extension-blocklist

    This is another blacklist, this time for known bad extensions. The list is downloaded daily from Mozilla's servers.
    Deactivating the update of this list therefore carries a risk to your browser, as you will no longer know which extensions are officially not safe to install.
    Sadly there seems to be no option to trigger the download of the extension blocklist manually (you can of course leech it and drop it into the Firefox profile folder), so the only option to avoid background requests is to deactivate the whole thing by setting

    extensions.blocklist.enabled

    to false.

  • Prefetching

    Prefetching preloads links in a page, but only those links which are set via the not so widely used link tag (<link rel='prefetch|next' ..>). It's not very common, although e.g. Google sometimes uses it, but it might become more widely used since it attracted so much attention in the last couple of months.
    Of course, most benefits for malware could just as well be achieved by an iframe etc. Alarming users about this feature is extremely overhyped; it's by far not as terrible as many make it out to be. Still, it's kind of annoying behavior and it's without a doubt fine to deactivate it, since I don't want any requests without my explicit knowledge.

    network.prefetch-next 
    
    will therefore be set to false.

  • Referrers

    Referers (btw, since the RFC spelled referrer wrong, almost everywhere you go it is - and often has to be - spelled that way) send the URL of the current page along with the request for the new one when you click on a link or when an image, iframe etc. is loaded.
    They are a minor inconvenience for some; for website owners they are always a very interesting piece of information, and some stupid folks actually rely on them as a phony security measure.
    Therefore, by deactivating them you can break some functionality, but only on very lame sites, and you can blame their developers later on.

    network.http.sendRefererHeader
    
    will have to be set to 0.

  • Pings

    Somewhat like referrers, pings are a way to track user click behavior. This is a rather seldom used feature which sends an HTTP POST request when a user clicks on an anchor with a ping="URI" attribute.
    Thankfully, this is still deactivated by default in FF3. One might want to confirm this setting after future updates, though.
    Thus, ensure that

    browser.send_pings
    
    is set to false, and you might also want to set

    browser.send_pings.require_same_host
    
    to true, just in case.

  • Update-checks

    Now lots of people will disagree, but I want to deactivate auto-update checks, for several reasons: One, I want to start them by hand and not have Firefox perform requests in the background which I have not started, which is the whole purpose of all these changes anyway. Two, I use the package system of my distribution, so upgrading Firefox by itself won't happen anyway. Still, deactivating auto-updates can of course be a security risk. To deactivate automatic update checking for extensions, automatic update checking for search plugins, and automatic update checking and update retrieval for the browser itself,

    extensions.update.enabled 
    browser.search.update 
    app.update.enabled
    
    all have to be set to false.

  • Suggestions

    This feature is without a doubt a major convenience improvement. But since every keypress sends a request to Google even if I know in advance what words I am going to type, this shall be deactivated:

    browser.search.suggest.enabled
    
    will have to be set to false

  • Keywords

    Keywords are much the same as Suggestions, but IMHO even worse, as they are in the location bar: while I can opt not to use the search bar, I can't really avoid using the location bar.
    Keywords mean that when Firefox can't figure out a valid URL from the word(s) you typed, it will ask Google what it finds for that word - before you hit enter - to display it as a suggestion.

    keyword.enabled
    
    set to false

  • Breakpad

    Breakpad is another feature in FF3 developed by Google. It is the crash-report agent used by modern Mozilla products. It sends crash reports automatically to Mozilla. Deactivating it obviously does not help ensure product quality; still, I do not want it to send out reports on its own.
    Deactivating it is not trivial, but there are several options:
    you can either set the environment variable (csh/tcsh syntax)

    setenv MOZ_CRASHREPORTER_DISABLE 1
    
    or, which should be easier for most users, modify the file application.ini (it is usually in /usr/lib/firefox-3.0/), look for the line

    [Crash Reporter]
    
    and make sure it is disabled by appending or changing the Enabled line to

    [Crash Reporter]
    Enabled=0
    
    You could of course also try to just set breakpad.reportURL to something like file:///dev/null, but I have not tested if that really works as one would anticipate.

  • Certificate Annoyance

    Last but not least, this new FF3 certificate behavior is a huge pain. Self-signed certificates are rendered quite unusable in FF3 - and I do not see why having a self-signed SSL certificate should lead to so many more warning dialogs than having no encryption at all.
    And don't even get me started about those stupid 'Extended Validation' certificates, which are the only remaining type leading to an obvious location-bar behavior change. As if it were not bad enough to support this at all, they moreover removed the yellow background of the location bar for all certificates completely - years of user accommodation to 'yellow background means encrypted, white background means unencrypted' have gone down the drain; instead users might start to believe all connections are no longer encrypted.. And to top that, a yellow icon now means 'unsafe'..
    Thing is, I found no easy way to actually avoid this stupid and annoying ssl-certificate-warning for self-signed certificates. You can whitelist sites, but not deactivate it in general.
    The only slight modification via about:config seems to be to activate automatic retrieval of the certificate (which is bogus anyway - the browser has already loaded the certificate to check for validity, why stop and ask for another required explicit retrieval after that..?)
    To make life a bit less ugly, change

    browser.ssl_override_behavior
    
    and set it to 2.

Having changed all these settings should lead to no more network activity of the browser without explicit request to do so. This list might very well not be complete yet, though..

Update: someone pointed me to a description of all unrequested connections from Firefox at the mozilla-support forums. Nice page!
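
To re-check these values after a browser update (as suggested above for the ping setting), here is an added example that is not part of the original post: it parses the text of a profile's prefs.js or user.js and reports each preference from the list above as ok, differs or unset. Assumptions: preference names are written in Firefox's case-sensitive spelling, and the sample input is constructed.

```python
import re

# Target values from the list above; names in Firefox's case-sensitive spelling.
WANTED = {name: False for name in (
    "browser.safebrowsing.enabled", "browser.safebrowsing.malware.enabled",
    "extensions.blocklist.enabled", "network.prefetch-next", "browser.send_pings",
    "extensions.update.enabled", "browser.search.update", "app.update.enabled",
    "browser.search.suggest.enabled", "keyword.enabled")}
WANTED.update({"network.http.sendRefererHeader": 0,
               "browser.send_pings.require_same_host": True,
               "browser.ssl_override_behavior": 2})

# One user_pref("name", value); statement per line, as Firefox writes prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: bool | int | str}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, wanted=WANTED):
    """Return {name: (status, found)}; 'unset' = not in the file, so the
    built-in default applies and must be checked in about:config."""
    have, report = parse_prefs(text), {}
    for name, want in wanted.items():
        found = have.get(name)
        # Compare the type as well: in Python False == 0 would otherwise pass.
        same = type(found) is type(want) and found == want
        status = "unset" if name not in have else "ok" if same else "differs"
        report[name] = (status, found)
    return report

# Constructed sample input, not taken from a real profile.
SAMPLE = ('user_pref("browser.safebrowsing.enabled", false);\n'
          'user_pref("network.http.sendRefererHeader", 2);\n'
          'user_pref("browser.send_pings", true);\n'
          'user_pref("browser.startup.homepage", "about:blank");\n')
```

Since prefs.js only records values that differ from the built-in defaults, an "unset" result is not a failure by itself; writing the wanted values into user.js makes Firefox reapply them at every start.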