I don't know about you or the general FF3 userbase, but I myself want my browser to _not_ do any
requests without my knowledge and consent - at best I want my browser only to perform those
requests that I tell it to do and *nothing* more.
This paradigm might not be what FF3 developers have in mind, thus I won't blame
them for making all those annoying default settings. Still, to modify FF3 behavior
in a way that I can live with, it turns out there are quite a number of changes required.
Note: following these settings might not really improve your security or performance, it just leads to fewer requests behind the curtain. As a matter of fact, it might even impose a higher risk to users unaware of the consequences of those changes!
Luckily, most of the FF3 annoyances can be changed in the usual FF way - about:config to the rescue!
Now, among other annoyances, there are a number of features which perform background requests to Mozilla or Google servers:
Google has implemented the so called safebrowsing feature in Firefox. It compares every
domain you visit offline with a blacklist (n.b. this list can of course never be complete
and, even worse, it might very well contain false positives). If Firefox now finds the domain in
its blacklist, the safebrowsing feature will then send a request including the to-be-visited
URL to http://safebrowsing.clients.google.com and check whether the page is still marked as
bad or not. In case it's still flagged as bad, Firefox will display a huge warning page
instead of the target webpage.
The offline blacklist is updated on a daily basis, the last update timestamp is
always saved in urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey
You can either use the Preferences/Security panel to deactivate the checks or simply change both
browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled to
false to deactivate the daily d/l of the blocklist as well as the off- and online blacklist checks.
This is another blacklist, this time it's for known bad extensions. This list is
downloaded daily from Mozilla's servers.
Deactivating updates of this list might therefore pose a risk to your browser
as you will no longer know which extensions are officially not safe to install.
Sadly there seems to be no option to trigger the download of the extension-blocklist
manually (you can of course leech it and drop it to the firefox-profile folder), so
the only option to avoid background requests is to deactivate the whole thing by
setting
extensions.blocklist.enabled to
false.
Prefetching preloads links in a page, but only those links which are set via the not so
widely used link-Tag (<link rel='prefetch|next'..>). It's not very common
although f.e. Google sometimes uses this, but it might become more widely used since it attracted
so much attention in the last couple of months.
Of course, most benefits for malware could just as well be achieved by an iframe etc. Alarming users of this feature is extremely
overhyped, it's by far not as terrible as many make it to be, but still, it's kind of an annoying
behavior and it's without a doubt fine to deactivate it, since I don't want
any requests without my explicit knowledge,
network.prefetch-next will therefore be set to
false.
Referers (btw, since the RFC spelled referrer wrong, almost everywhere you go it is - and often has to be - spelled
in that way) send the URL of the current page within the request to the new one when you
click on a link or when an image, iframe etc are loaded.
They are a minor inconvenience for some, for website owners they are always
a very interesting piece of information and some stupid folks actually rely on it as a phony security
measure.
Therefore by deactivating it you can break some functionality, but only on very
lame sites and you can blame their developers later on.
network.http.sendRefererHeader will have to be set to
0.
Somewhat like referrers, Pings are a way to track user-click-behavior. This is a rather
seldom used feature which sends an HTTP POST request when a user clicks on an anchor
with a ping="URI" attribute.
Thankfully, this still is deactivated by default in FF3. One might want to
confirm this setting after future updates, though.
Thus, ensure that
browser.send_pings is set to
false and you probably might want to set
browser.send_pings.require_same_host to
true, just in case.
Now lots of people will disagree, but I want to deactivate auto-update checks. For several reasons, that is: One, I want to start them by hand and not have Firefox perform requests in the background which I have not started, which is the whole purpose of all these changes anyway. Two, I use the package system of my distribution, so upgrading Firefox by itself won't happen anyway. Still, deactivating auto-updates can of course be a security risk. To deactivate automatic update-checking for extensions, automatic update-checking for search plugins and automatic update-checking and update-retrieval for the browser itself,
extensions.update.enabled, browser.search.update and app.update.enabled all have to be set to
false.
This feature is without a doubt a major convenience improvement. But since every keypress sends a request to Google even if I know in advance what words I am going to type, this shall be deactivated:
browser.search.suggest.enabled will have to be set to
false.
Keywords are much the same as Suggestions, but IMHO even worse as they are in the location-bar
and while I can opt to not use the search bar, I can't really avoid using the location bar.
Keywords mean that when Firefox can't figure out a valid url from the word(s) you typed, it will
ask Google what it finds for that word - before you hit enter - to display it as a suggestion.
keyword.enabled set to
false.
Breakpad is another feature in FF3 developed by Google. It is the crash-report-agent used
by modern Mozilla products. It sends crash reports automatically to Mozilla. Deactivating
it does obviously not really ensure product quality, still I do not want it to send out
reports on its own.
Deactivating is not trivial, but there are several options:
you can either
setenv MOZ_CRASHREPORTER_DISABLE 1
or, which should be easier for most users: modify the file application.ini (it is usually in /usr/lib/firefox-3.0/), look for the lines
[Crash Reporter]
and make sure it is disabled by appending or changing the Enabled-line to
[Crash Reporter]
Enabled=0
You could of course also try to just set
breakpad.reportURL to something like file:///dev/null, but
I have not tested if that really works as one would anticipate.
Last but not least, this new FF3 certificate behavior is a huge pain. Self-signed certificates are rendered
quite unusable in FF3 - and I do not see why having a self-signed SSL certificate should lead to so many more warning
dialogs than having no encryption at all.
And don't even get me started about those stupid 'Extended Validation' certificates
which are the only remaining type leading to an obvious location-bar behavior change. As if it were not bad enough to support this at all, moreover they removed the yellow background of the location bar for all certificates completely - years of user-accommodation to 'yellow background means encrypted, white
background means unencrypted' are gone down the drain, instead users might start to believe all connections are no longer encrypted. And to top that, yellow icon now means 'unsafe'.
Thing is, I found no easy way to actually avoid this stupid and annoying ssl-certificate-warning for self-signed certificates. You can
whitelist sites, but not deactivate it in general.
The only slight modification via about:config seems to be to activate automatic retrieval of the certificate (which is bogus
anyway - the browser has already loaded the certificate to check for validity, why stop and ask for another required explicit retrieval after
that..?)
To make life a bit less ugly, change
browser.ssl_override_behavior and set it to
2.
Having changed all these settings should lead to no more network activity of the browser without explicit request to do so. This list might very well not be complete yet, though.
Update: someone pointed me to a description of all unrequested connections from Firefox at the mozilla-support forums. Nice page!
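The post suggests confirming these settings again after updates. The following sketch is an added example, not part of the original post: it checks the text of a profile's prefs.js (or user.js) against the values listed above. The sample input is constructed, and a preference missing from the file is reported as "unset" because Firefox then uses its built-in default.

```python
import re

# Wanted values, taken from the article's list of about:config changes.
WANTED = {name: False for name in (
    "browser.safebrowsing.enabled", "browser.safebrowsing.malware.enabled",
    "extensions.blocklist.enabled", "network.prefetch-next",
    "browser.send_pings", "extensions.update.enabled",
    "browser.search.update", "app.update.enabled",
    "browser.search.suggest.enabled", "keyword.enabled")}
WANTED.update({"network.http.sendRefererHeader": 0,
               "browser.send_pings.require_same_host": True,
               "browser.ssl_override_behavior": 2})
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)

def parse_prefs(text):
    """Parse user_pref("name", value); lines into {name: bool|int|str}."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return {pref: "ok" | "differs" | "unset"} for every wanted pref."""
    prefs, report = parse_prefs(text), {}
    for name, wanted in WANTED.items():
        if name not in prefs:
            report[name] = "unset"  # absent: Firefox falls back to its default
        elif type(prefs[name]) is type(wanted) and prefs[name] == wanted:
            report[name] = "ok"
        else:
            report[name] = "differs"  # the type check keeps false from matching 0
    return report

# Constructed sample input, not a real profile.
SAMPLE = '''# Mozilla User Preferences
user_pref("browser.safebrowsing.enabled", false);
user_pref("network.http.sendRefererHeader", 2);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:8} {name}")
```

Entries reported as "unset" still need a look in about:config, since the file only records values that differ from the defaults.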