I don't know about you or the general FF3 userbase, but I myself want my browser to _not_ do any
requests without my knowledge and consent - at best I want my browser only to perform those
requests that I tell it to do and *nothing* more.
This paradigm might not be what FF3 developers have in mind, thus I won't blame them for making all those annoying default settings. Still, to modify FF3 behavior in a way that I can live with, it turns out there are quite a number of changes required.
Note: following these settings might not really improve your security or performance, it just leads to fewer requests behind the curtain. As a matter of fact, it might even impose a higher risk on users unaware of the consequences of those changes!
Luckily, most of the FF3 annoyances can be changed in the usual FF way - about:config to the rescue!
Now, among other annoyances, there are a number of features which perform background requests to Mozilla or Google servers:
Google has implemented the so called safebrowsing feature in Firefox. It compares every
domain you visit offline with a blacklist (n.b. this list can of course never be complete
and, even worse, it might very well contain false positives). If Firefox now finds the domain in
its blacklist, the safebrowsing feature will then send a request including the to-be-visited
URL to http://safebrowsing.clients.google.com and check whether the page is still marked as
bad or not. In case it's still flagged as bad, Firefox will display a huge warning page
instead of the target webpage.
The offline blacklist is updated on a daily basis, the last update timestamp is always saved in
You can either use the Preferences/Security panel to deactivate the checks or simply change both
false to deactivate the daily download of the blocklist as well as the off- and online blacklist checks.
This is another blacklist, this time it's for known bad extensions. This list is
downloaded daily from Mozilla's servers.
Deactivating updates of this list might therefore pose a risk to your browser, as you will no longer know which extensions are officially not safe to install.
Sadly there seems to be no option to trigger the download of the extension blocklist manually (you can of course leech it and drop it into the Firefox profile folder), so the only option to avoid background requests is to deactivate the whole thing by setting
Prefetching preloads links in a page, but only those links which are set via the not so
widely used link tag (<link rel='prefetch|next'..>). It's not very common,
although e.g. Google sometimes uses this, but it might become more widely used since it attracted
so much attention in the last couple of months.
Of course, most benefits for malware could just as well be achieved by an iframe etc. Alarming users of this feature is extremely overhyped, it's by far not as terrible as many make it to be, but still, it's kind of an annoying behavior and it's without a doubt fine to deactivate it, since I don't want any requests without my explicit knowledge,
network.prefetch-next will therefore be set to
Referers (btw, since the RFC spelled referrer wrong, almost everywhere you go it is - and often has to be - spelled
in that way) send the URL of the current page within the request to the new one when you
click on a link or when an image, iframe etc. is loaded.
They are a minor inconvenience for some; for website owners they are always a very interesting piece of information, and some stupid folks actually rely on them as a phony security measure.
Therefore by deactivating it you can break some functionality, but only on very lame sites and you can blame their developers later on.
network.http.sendRefererHeader will have to be set to
Somewhat like referrers, pings are a way to track user click behavior. This is a rather
seldom used feature which sends an HTTP POST request when a user clicks on an anchor
with a ping="URI" attribute.
Thankfully, this is still deactivated by default in FF3. One might want to confirm this setting after future updates, though.
Thus, ensure that
browser.send_pings is set to
false and you probably might want to set
true, just in case.
Now lots of people will disagree, but I want to deactivate auto-update checks. For several reasons, that is: One, I want to start them by hand and not have Firefox perform requests in the background which I have not started, which is the whole purpose of all these changes anyway. Two, I use the package system of my distribution, so upgrading Firefox by itself won't happen anyway. Still, deactivating auto-updates can of course be a security risk. To deactivate automatic update-checking for extensions, automatic update-checking for search plugins and automatic update-checking and update-retrieval for the browser itself,
extensions.update.enabled, browser.search.update and app.update.enabled all have to be set to
This feature is without a doubt a major convenience improvement. But since every keypress sends a request to Google even if I know in advance what words I am going to type, this shall be deactivated:
browser.search.suggest.enabled will have to be set to
Keywords are much the same as Suggestions, but IMHO even worse as they are in the location-bar
and while I can opt to not use the search bar, I can't really avoid using the location bar.
Keywords mean that when Firefox can't figure out a valid url from the word(s) you typed, it will ask Google what it finds for that word - before you hit enter - to display it as a suggestion.
Breakpad is another feature in FF3 developed by Google. It is the crash-report agent used
by modern Mozilla products. It sends crash reports automatically to Mozilla. Deactivating
it does obviously not really ensure product quality, still I do not want it to send out
reports on its own.
Deactivating is not trivial, but there are several options:
you can either
setenv MOZ_CRASHREPORTER_DISABLE=1
or, which should be easier for most users: modify the file application.ini (it is usually in /usr/lib/firefox-3.0/), look for the lines
[Crash Reporter]
and make sure it is disabled by appending or changing the Enabled-line to
[Crash Reporter]
Enabled=0
You could of course also try to just set
breakpad.reportURL
to something like
file:///dev/null, but I have not tested if that really works as one would anticipate.
Last but not least, this new FF3 certificate behavior is a huge pain. Self-signed certificates are rendered
quite unusable in FF3 - and I do not see why having a self-signed SSL certificate should lead to so many more warning
dialogs than having no encryption at all.
And don't even get me started about those stupid 'Extended Validation' certificates which are the only remaining type leading to an obvious location-bar behavior change. As if it were not bad enough to support this at all, moreover they removed the yellow background of the location bar for all certificates completely - years of user accommodation to 'yellow background means encrypted, white background means unencrypted' have gone down the drain, instead users might start to believe all connections are no longer encrypted.. And to top that, yellow icon now means 'unsafe'..
Thing is, I found no easy way to actually avoid this stupid and annoying ssl-certificate-warning for self-signed certificates. You can whitelist sites, but not deactivate it in general.
The only slight modification via about:config seems to be to activate automatic retrieval of the certificate (which is bogus anyway - the browser has already loaded the certificate to check for validity, why stop and ask for another required explicit retrieval after that..?)
To make life a bit less ugly, change
browser.ssl_override_behavior and set it to
Having changed all these settings should lead to no more network activity of the browser without explicit request to do so. This list might very well not be complete yet, though..
Update: someone pointed me to a description of all unrequested connections from Firefox at the mozilla-support forums. Nice page!
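
A check for the settings discussed in this post, as an added example that is not part of the original post: it parses a profile's prefs.js or user.js and reports every listed preference that is missing or not set to the disabling value, which is useful for confirming the settings after a browser update. The expected values and the sample file contents are assumptions of this example.

```python
import re

# Preferences named in the post, with the value that switches each feature off.
# The values are assumptions of this example; the page does not show all of them.
EXPECTED = {
    "network.prefetch-next": False,
    "network.http.sendRefererHeader": 0,
    "browser.send_pings": False,
    "extensions.update.enabled": False,
    "browser.search.update": False,
    "app.update.enabled": False,
    "browser.search.suggest.enabled": False,
}

# Constructed sample of a profile's prefs.js (not taken from a real profile).
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("network.prefetch-next", false);
user_pref("network.http.sendRefererHeader", 2);
user_pref("browser.send_pings", false);
user_pref("extensions.update.enabled", false);
user_pref("browser.search.update", false);
user_pref("browser.search.suggest.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""

# One user_pref("name", value); entry per line; other lines are ignored.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')

def parse_prefs(text):
    matches = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in matches if m}

def audit(text, expected=EXPECTED):
    """Return {pref: (found, wanted)}; found is None when the file does not set it."""
    prefs = parse_prefs(text)
    # Compare the type too: Python treats False == 0 as equal, but prefs are typed.
    return {name: (prefs.get(name), want) for name, want in expected.items()
            if type(prefs.get(name)) is not type(want) or prefs.get(name) != want}

if __name__ == "__main__":
    for name, (found, want) in audit(SAMPLE_PREFS).items():
        print(f"{name}: found {found!r}, wanted {want!r}")
```

A preference reported with found None is not set in the file at all, so the browser's built-in default applies to it.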