In recent years, the issue of privacy online has become an increasingly important concern for internet users. With data breaches and surveillance becoming more prevalent, many individuals are questioning privacy-focused browsers to protect their personal information. One such browser that stands out is Firefox.
Privacy Reputation
Firefox has long been known for its stated commitment to user privacy. Unlike some other browsers, Firefox does not rely on targeted advertising as its primary revenue source. This means that it has less incentive to collect and sell user data. This is important because choosing the organization which appears to steal the least personal data is a common strategy for consumers seeking privacy.
One of the key features of Firefox that sets it apart from other large market browsers is its strict anti-tracking measures. Firefox blocks a wide range of tracking technologies used by advertisers, such as cookies and fingerprinting. This seems to mean that many websites are unable to track users across multiple sites and create detailed profiles of their online behavior. However, with other techniques, tracking is alive and well. (See this browser privacy test.) Nevertheless, anti-tracking features alone make Firefox a popular choice for those who prioritize privacy.
Privacy Loopholes: Doxing Mandatory for Use?
In practice, Mozilla wants to know all they can about you, at least it can sure seem that way when you peek under the hood. In fact, starting Firefox requires secretly going to several web sites in the background first, in order for Firefox to go to ANY web site. If you block these web sites, Firefox will just stay blank! That’s right, at least that was our experience. It refused to connect to any web sites when we blocked a few mozilla.com sites. Firefox must ID you first, it seemed, before you use the web. Sites Firefox secretly visits in the background that we found include, but are not limited to:
- detect.portal.firefox.com (Cool it if on a portal to not annoy Starbucks, etc?)
- incoming.telemetry.mozilla.org ("Telemetry" translates to real-time spying)
- location.services.mozilla.com (They know where you live, eventually)
- push.services.mozilla.com (For putting stuff on your computer)
- shavar.services.mozilla.com (Checks every url you visit for your "protection")
- firefox.settings.services.mozilla.com (Monitors your online accounts, bank, etc!)
- aus5.mozilla.org (Checks for updates, verifies version settings are unchanged)
- www.google-analytics.com (Your secret life diary kept by Google)
- safebrowsing.googleapis.com (Financial safety for GooGle is in tracking you)
- digicert.com / ocsp.digicert.com (Verifying web sites are legit/signed)
- tracking-protection.cdn.mozilla.net (Tracking you for their profit protection)
- content-signature-2.cdn.mozilla.net (Knowing what content you view?)
- normandy.cdn.mozilla.net (Reference to a famous WWII mass invasion?)
Shavar (the “mighty”) was originally an anti-phishing system that also monitored every web site you visited, but now it has been rebranded as tracking protection. The way it works is this: They track you to protect you from being tracked?
The big tracking sites very likely will identify your location, your computer, your identity, photo id, age, gender, ethnicity, economic status, health status, religion, sexual orientation, shoe size, and perhaps what you had for breakfast. Many websites include embedded content or scripts from third-party sources, which can track users’ activities across different sites. Luckily, Firefox automatically blocks these third-party trackers, preventing them from monitoring your online activities and collecting information about you without your consent. This means Mozilla can do that more exclusively, to sell your data to only the higher bidders.
One hint about this is the hidden Add-Ons that can be seen. Why are there add-ons for Amazon, Wikipedia, Twitter, “Screenshots”, and DuckDuckGo, in Firefox which are not visible to users?
System add-ons are similar to add-ons that you install. The main difference is that they are not installed by the user but ship with Firefox or are pushed to Firefox when the need arises.
System add-ons are a method for shipping extensions to Firefox that:
- are hidden from the about:addons UI
- cannot be user disabled
- can be updated restartlessly based on criteria Mozilla sets
(See this)
This means Mozilla can change what the Firefox browser does at any time by adding new code to it, as long as you keep letting it talk to push.services.mozilla.com and the rest, which you must do to run the browser. They can add new code to Firefox, then later take that code away. That allows sneaky moves like gathering data from your computer when operating system zero-day exploits become known.
This article does not claim these things are all happening, but the fact that they technically could should be sobering. What might Mozilla want on your computer? Well, one easy target, if they don’t already have it from tracking protection, would be your database of visited web sites.
Stopping Background Connections
Mozilla does, to their credit, tell you how to turn this background checking off in Firefox. They write: “Some people are concerned about the connections Firefox makes to the Internet, especially when those connections are made for no apparent reason (see Mozilla’s Firefox Browser Privacy Notice – Effective July 27, 2023 – for additional information). This article explains various reasons why Firefox may make a connection to the Internet and how you can stop it from doing so, if you wish.” (See this Article for details)
Does it work? Let’s try it! They have a typo on the page, or something changed, because “Reset All Add-ons to Update Automatically.” should be “Reset All Add-ons to Update Manually.” at step 2 of Auto-update checking.
Note:
Firefox Monitor warns you if your online accounts were involved in a known data breach. For more information, see Firefox Password Manager – Alerts for breached websites.
To get the latest login breach information and more, Firefox connects to
firefox.settings.services.mozilla.com
You can’t turn this off, it seems. Wait, yes you can, the instructions are just on a different page. Follow the link and the instructions.
To see if your email address was part of a breach, sign up for Firefox Monitor. Note: Firefox never sends your logins or passwords to third-party services or servers. It keeps all data regarding logins and breaches anonymous. (See this)
Right, so if you like to be monitored, never block monitor.firefox.com, say with a personal firewall or something, because then Mozilla couldn’t tell you if you were hacked. Uhhhh.
Here’s something else interesting:
Speculative pre-connections
To improve the loading speed, Firefox will open predictive connections to sites when the user hovers their mouse over thumbnails on the New Tab page or the user starts to search in the Search Bar, or in the search field on the Home or the New Tab page. In case the user follows through with the action, the page can begin loading faster since some of the work was already started in advance.
If you think about it, many people move their mouse over different links they might be considering clicking, so this is quite an insidious kind of data that could be mined. “We think you might like this, but you have some hesitations about it. Let us sell it to you.” Yeah, you can turn off “Speculative pre-connections” if you don’t like sites popping up little previews all the time. Some like that.
Addons Web Site Only If You Open Addon Manager
Firefox going to addons.mozilla.org cannot be turned off, but supposedly it only happens if you open the add-ons manager.
Add-on list prefetching
Each time the Add-ons manager is opened, Firefox prefetches a list of add-ons to improve responsiveness of the panel. This connection is not made if the add-ons manager is not opened.
Let’s test that. We clicked the three lines and went to settings, but did not click the Add-ons Manager. Firefox did not connect within a few minutes to addons.mozilla.org, but yes, clicking Extensions and Themes caused Firefox to connect to services.addons.mozilla.org.
At this time, we restarted Firefox and … it is hosed. It will not open any web sites at all. Is that the truth of Firefox now (October 2023), that we must allow spying, or it will NOT work at all? Well, after going to the Help menu, then entering troubleshoot mode, Firefox again worked, and after exiting troubleshoot mode, it still worked, until it was quit, and then it was broken again.
NS_ERROR_FAILURE
This turned out to be a firewall issue with a lower level local firewall suddenly blocking this new version of Firefox, for some unknown reason. Perhaps it misbehaved when I started turning off the parts that phone home?
Did it work?
I mean, except for addons.mozilla.org? Nope. Starting Firefox still goes right away to:
push.services.mozilla.com
content-signature-2.mozilla.com
detectportal.firefox.com
Rechecking about:config for network.captive-portal-service.enabled, it was set to true.
Stopping visits to push.services.mozilla.com
Disclaimer: Remember, this is all just an exercise for privacy, but if you do these things, you will end up with outdated software and more vulnerabilities. So only do this if you have safeguards in place: backups, offsite backups, out of country backups, and if you can afford it, off-world backups.
Continuing… Changing network.captive-portal-service.enabled to false gives me only the mandatory visit to push.services.mozilla.com left each time I start Firefox. Remember, each web site visit is a timestamp of where you were and when. So, for privacy, how do I turn off Firefox connection attempts to push.services.mozilla.com?
In about:config I next set dom.push.serverURL to (blank) and with that field empty, I quit the browser. On restarting it, bingo, finally! It only goes to my default web site. Good. Now …
How do I set my default Firefox web site to be a blank page? I’ve tried several times.
Answer: Under about:preferences#home enter about:blank in Homepage and new windows and in New tabs then, when you restart Firefox, what happens?
Damn it, it opens firefox.settings.services.mozilla.com again. Mozilla, you snooping snakes, can you just stop? Must you know every time I open a web browser, even if I don’t go to a web site? Well, what seems to have been going on, after quitting and restarting several other times, is that they just make note of your last browser configuration changes. Which is, why, because I do not have Sync service on and I don’t want them to monitor every setting change I make on software on my own computer, but anyway, I finally have what I want, what we all deserve to have: A web browser that goes ONLY to the sites we put in the bar or click on!
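To confirm that the two about:config changes above were actually written to the profile, the sketch below parses the text of a profile's prefs.js and reports each setting. It is an added example, not code from Mozilla or from the original article; the function names and the sample text are hypothetical, and it assumes one `user_pref("name", value);` entry per line.

```python
import json
import re

# Target values taken from the about:config changes described in the article.
TARGETS = {
    "network.captive-portal-service.enabled": False,
    "dom.push.serverURL": "",
}
# One pref per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything unrecognised
        try:
            prefs[json.loads(m.group(1))] = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # value is not a plain bool, number or string
    return prefs


def audit(text, targets=TARGETS):
    """Map each target pref to 'ok', 'unset' or 'differs'."""
    prefs = parse_prefs(text)
    report = {}
    for name, wanted in targets.items():
        if name not in prefs:
            report[name] = "unset"  # no override stored; built-in default applies
        elif type(prefs[name]) is type(wanted) and prefs[name] == wanted:
            report[name] = "ok"
        else:
            report[name] = "differs"
    return report


# Constructed sample text, not taken from a real profile.
SAMPLE = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.captive-portal-service.enabled", true);
user_pref("dom.push.serverURL", "");
user_pref("network.captive-portal-service.enabled", false);
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An "unset" result means the profile holds no override for that preference, so Firefox is still using its built-in default.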
Okay, what about web history?
Local Web Site History Database
Every web site you visit is also, by default, stored in a database known as “places.sqlite” in your User profile. This is the location of your Firefox web browser history, which can tell much more about consumers than most realize. Good thing your history can be cleared. Of course, if you do, it’s a lot harder to get around the web from day to day. Browsing your own history is super convenient.
Can Mozilla read your places.sqlite data? Well you can. Here’s how on MacOS if you are familiar with the command line. Start up sqlite3 to open the places.sqlite database, then look at the url field in the table moz_places. Below you can see the actual fields in the table from Firefox 115.3.1esr (64-bit).
$ sqlite3 /<path to profile>/places.sqlite
sqlite> -- list every stored URL
sqlite> SELECT url FROM moz_places;
sqlite> -- list the table's fields (this produces the result below)
sqlite> PRAGMA table_info(moz_places);
Result:
0|id|INTEGER|0||1
1|url|LONGVARCHAR|0||0
2|title|LONGVARCHAR|0||0
3|rev_host|LONGVARCHAR|0||0
4|visit_count|INTEGER|0|0|0
5|hidden|INTEGER|1|0|0
6|typed|INTEGER|1|0|0
7|frecency|INTEGER|1|-1|0
8|last_visit_date|INTEGER|0||0
9|guid|TEXT|0||0
10|foreign_count|INTEGER|1|0|0
11|url_hash|INTEGER|1|0|0
12|description|TEXT|0||0
13|preview_image_url|TEXT|0||0
14|site_name|TEXT|0||0
15|origin_id|INTEGER|0||0
16|recalc_frecency|INTEGER|1|0|0
17|alt_frecency|INTEGER|0||0
18|recalc_alt_frecency|INTEGER|1|0|0
Did you know the frequency, the number of times you visit a web site was recorded? Notice that they purposefully misspelled the word frequency as frecency. You can actually see this in your history, but it is normally hidden (See this). It is an amazing gem of anti-privacy if Mozilla were able to exfiltrate this data, that is, steal it from your computer during routine updates. Combine web site visit history with the last_visit_date and you could do some interesting tricks of apparent mind reading, for the purpose of selling to advertisers, and consumers would probably never know.
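To see what the rev_host, visit_count and last_visit_date columns add up to when you audit your own profile, the following sketch summarizes visits per host. It is an added example, not part of the original article: it runs against a constructed in-memory table holding a subset of the moz_places columns rather than a real places.sqlite, and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_db():
    """In-memory stand-in for places.sqlite with a subset of moz_places columns."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "rev_host LONGVARCHAR, visit_count INTEGER, last_visit_date INTEGER)"
    )
    # Constructed rows. last_visit_date is microseconds since the Unix epoch;
    # rev_host is the host name reversed, with a trailing dot.
    rows = [
        (1, "https://example.org/a", "gro.elpmaxe.", 12, 1696500000000000),
        (2, "https://example.org/b", "gro.elpmaxe.", 3, 1696586400000000),
        (3, "https://news.example.com/", "moc.elpmaxe.swen.", 40, 1696590000000000),
        (4, "https://never.example.net/", "ten.elpmaxe.reven.", 0, None),
    ]
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", rows)
    return db


def host_from_rev(rev_host):
    """'gro.elpmaxe.' -> 'example.org'"""
    return rev_host[::-1].lstrip(".")


def summarize(db):
    """Per host: total visits and most recent visit as an ISO 8601 UTC string."""
    cur = db.execute(
        "SELECT rev_host, SUM(visit_count), MAX(last_visit_date) "
        "FROM moz_places WHERE visit_count > 0 "
        "GROUP BY rev_host ORDER BY SUM(visit_count) DESC"
    )
    out = []
    for rev_host, visits, last_us in cur:
        last = datetime.fromtimestamp(last_us / 1_000_000, tz=timezone.utc)
        out.append((host_from_rev(rev_host), visits, last.isoformat()))
    return out


if __name__ == "__main__":
    for host, visits, last in summarize(build_sample_db()):
        print(f"{visits:4d}  {last}  {host}")
```

To run it against your own history, point `sqlite3.connect` at a copy of places.sqlite made while Firefox is closed.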
Opening in a Private Window
Firefox offers users the ability to use its Private Browsing mode, also known as the “Firefox Private Window.” When using this mode, Firefox does not store any browsing history, cookies, or site data (in the normal places.) It also prevents some websites from tracking users and it blocks potentially harmful content. This feature is particularly useful for users who want to believe that their online activity is kept private.
Mozilla, the organization behind Firefox, also actively advocates for internet privacy rights. They have been vocal supporters of stronger privacy legislation and have taken steps to ensure that the browsing experience in Firefox remains secure and private. Firefox regularly releases updates to address known vulnerabilities and implement additional privacy features, making it a browser you can trust. You can now likely understand why this is so important for Mozilla.
The disclaimer they have is this: “No browser can provide complete privacy. While Firefox takes strong measures to protect user privacy, it is still essential for users to be cautious and mindful of their online activities. Users should be careful about the websites they visit, use strong and unique passwords, and consider using additional privacy tools such as VPNs for added security.”
Fingerprinting
Even if you think you’ve plugged most of the leaks in your browser, you can still be identified from your browser’s unique fingerprint. One site found the following information from a browser to generate a rather unique fingerprint, which may have surprised the security consultant using the system:
- 0.01% of observed browsers run (OS_VERSION), as yours.
- 62.95% of observed browsers have set en as their primary language, as yours.
- 3.46% of observed browsers have UTC -07:00 as their timezone, as yours.
Lesson: If you are going to fake an operating system by tweaking your settings, make it something very generic. But is that possible? No.
“the task of preventing the general type of operating system from being known is currently impossible, even on Tor Browser. A list of whitelisted fonts is provided in order to prevent font rendering exploitation or font fingerprinting, but the whitelist is different for Linux, OSX, and Windows due to needing to use system fonts. There is currently no way around this. Until you find a way to provide system fonts without revealing what type of operating system you are using, you’ll have no [luck].”
Nevertheless, with a plugin to toggle “Resist Fingerprinting” enabled, upon re-running the check above, it gave me some different random values for timezone, and OS version. Not bad. Perhaps as good as it can get for now.
- 42.35% of observed browsers are Firefox, as yours.
- of observed browsers are Firefox 115, as yours.
- 13.24% of observed browsers run Mac, as yours.
- 0.00% of observed browsers run Mac 10.15, as yours.
- 62.95% of observed browsers have set “en” as their primary language, as yours.
- 0.00% of observed browsers have UTC-00:00 as their timezone, as yours.
In conclusion, Firefox stands out as a strong advocate for privacy in the browser market. Its commitment to user privacy, anti-tracking measures, and regular updates make it an attractive choice for those who value their online privacy. By using Firefox, users can enjoy a browsing experience that is more secure and less visibly invasive than other invasive web browsers. Mozilla has with Firefox, except for mandatory visits to their settings (addons) web site when you look at your add-ons manager, given us a browser that can be, with considerable effort, tuned for much better privacy.
We hope you found this article informative and useful in your own privacy efforts.