Closed Bug 1432248 Opened 7 years ago Closed 7 years ago

Firefox privacy settings don't give actual privacy

Categories

(support.mozilla.org :: Knowledge Base Content, task)

Product:
support.mozilla.org
Component:
Knowledge Base Content
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: u596779, Unassigned)

References

Details

Attachments

(1 file)

tcpdump-logs.zip
978 bytes, application/zip
Details
Attached file tcpdump-logs.zip
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36 Steps to reproduce: 1. Download Linux 64-bit version of Firefox from https://www.mozilla.org 2. Run as root (to avoid parasite packets in log): # systemctl disable ntpd.service && systemctl stop ntpd.service 3. Reboot the system 4. Login to KDE Plasma 5. Run in as root in console: # tcpdump -i eth1 ip src host pc and dst host not router and dst host not pc -ltq > /tmp/tcpdump.log & tail -f /tmp/tcpdump.log 6. [~]: rm -rf ~/.mozilla/ 7. [~]: ~/---browsers/firefox/firefox --ProfileManager --no-remote 8. Check "Work offline" 9. Click "Create Profile..." > Next 10. Enter new profile name: test 11. Click "Choose Folder..." and create a folder ~/.mozilla/firefox/test.default While typing the name of the new folder in console many such messages appeared (perhaps another bug): (firefox:8179): Gtk-CRITICAL **: gtk_render_frame_gap: assertion 'xy1_gap <= width' failed 12. Having selected the newly created folder click "Open" 13. Click "Finish" in the "Create Profile Wizard" 14. Back in the "Choose User Profile" dialog ("Work offline" is still checked) - click "Start Firefox" 15. Firefox opens in "Offline mode". Till this moment: Nothing shows in tcpdump (as expected) 16. Close Firefox EXPECTED: No packets shown by tcpdump ACTUAL: Lots of packets sent to akamaitechnologies.com and amazonaws.com. See file 1-tcpdump.log 17. Stop tcpdump in root console, run 'rcnetwork restart' and repeat step 5 18. Start firefox: Repeat 7, 8, then directly 14 19. Uncheck "Always perform this check when starting Firefox" and click "Not now" 20. View > enable "Menu Bar"" and "Bookmarks Toolbar" 21. Delete all bookmarks from "Bookmarks Toolbar" and "Bookmarks Menu" 22. Add about:config and about:preferences in "Bookmarks Toolbar" So far: nothing in tcpdump output 23. Follow the steps from https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections ---------------------- Remarks ---------------------- The document says: - Add-on list prefetching Each time the Add-ons manager is opened, Firefox prefetches a list of add-ons to improve responsiveness of the Get Add-ons pane. This connection is not made if the add-ons manager is not opened. (There seems to be no setting for this) EXPECTED: No connection should be made unless the user initiates one. One may want to look at installed extensions only and that does not require connections to addons.mozilla.org ---------------------- The following settings don't seem to exist in about:config in FF 57.0.4: browser.selfsupport.url media.gmp-gmpopenh264.enabled browser.casting.enabled I am adding them manually with values specified in the documentation. ---------------------- 24. Close Firefox EXPECTED = ACTUAL: No packets sent 25. Start firefox as in 7 26. This time do _not_ check "Work offline" and click "Start Firefox" EXPECTED: No packets shown by tcpdump ACTUAL: Lots of packets sent although nothing but a blank page shows. 27. Close Firefox EXPECTED: No packets shown by tcpdump ACTUAL: Even more packets sent. For steps 26-27 see file 2-tcpdump.log Additional info: Similar background chattering is also noticed in Mozilla Thunderbird. However I can't find any guide or setting about how to disable it. -------------------------------- Final words: If Firefox is supposed to be truly privacy respecting upon first run it must: A. Start in offline mode B. Show a blank page with choices B1: "I want maximum privacy settings" (= No packets sent whatsoever) B2: "I want less private settings with more features" (with relevant policies shown prominently) C. Go online but _NOT_ open any site (especially company site such as that of Google or Mozilla or any) D. Then the user can type the URL he wants to visit On next runs steps A and B will not be needed and C will be based on preferences. Even if it is possible to fine tune settings through about:config (which even after all this travail doesn't seem to be the case) it should not be done this way. So please provide B1. As commented in a previous ticket I was able to reach state B1 by experimenting in Basilisk (Firefox clone) where I had to zero out all string values in about:config containing URLs. As all Firefox forks seem to have these issues I assume it is a common thing, so it should be possible in Firefox itself too. But that was a brute force test, just to see if it is possible. So please provide a more relevant set of settings (which don't break other functionality). Ideally - please attach a user.js file in this ticket so we can test. This will also help to report the issue to the other browsers. Please also provide the same for Android version of Firefox. (hopefully for Thunderbird too) Actual results: - Background communication exists without being explicitly initiated by the user. - There is no easy setting to provide that too - Documentation must be accurate (read the STR for details) Expected results: - There must be no background communication without the user having approved that - An easy, single-click setting for ensuring maximum privacy - Accurate documentation (read the STR for details)
To keep the scope a little more directed to support.mozilla.org, please allow me to rephrase: After following the instructions in kb https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections there were more connections being automatically made. This is a request to update the documentation with steps to disable the other services that automatic connections are being made to. The tcp dumps in the attachments are lists of outbound connections made by Firefox after following the kb's instructions, at various times during the STR.
Component: Untriaged → Knowledge Base Content
Product: Firefox → support.mozilla.org
Version: Trunk → unspecified
Summary: Firefox privacy settings don't give actual privacy → "How to stop Firefox making Automatic Connections" kb article is incomplete
You have edited the bug report in an incorrect way. It is not simply a request to fix documentation but an actual showcase that: - Firefox does not respect user privacy - by default. It starts and connects immediately with enabled telemetry and what not. - it does not even provide a convenient setting for one to receive privacy - practically this makes it very unlikely that anyone will even look for such setting - it seems impossible even for and advanced user to reach the desired level of actual privacy without breaking anything - as a whole: (forgive me but) this whole thing looks like "Let's make it so complicated that nobody would even care to look" Well, somebody did look. And somebody did spend quite some time to provide absolutely clear description of the issue (twice in another report and once here). So kindly, don't bury this and don't turn it into something else but pay the necessary attention to it. Users need safe privacy respecting programs. If the program starts by default with all kinds of background data leaking, telemetry, and what not - that is clearly not privacy respectful. In the other bug report you wrote: > You're right to expect us to treat your privacy carefully and keep user choice paramount. I never chose to connect to Amazon, Akamai and to have telemetry by default, to connect to web sites on first run without me asking for that explicitly. These are features serving Mozilla, not the user. Many would agree it reminds of the popular Ubuntu case. You also wrote: > No user should ever have to go into about:config to do anything as important as preserve their privacy. We take user control and user privacy too seriously to hide it away. But when a bug report like this asks for that - you turn it exactly into a documentation issue which describes how to fight for privacy through about:config and preferences. You also wrote: > In my opinion "reliable software which respects user privacy" describes Firefox exactly. Facts prove the opposite. And this report is meant to ask for change of those facts.
"Firefox does not respect user privacy - by default. [...] If Firefox is supposed to be truly privacy respecting upon first run it must:" This is false, and misunderstands a great deal of what is expected of - and the real-world threats you're being protected from by - modern web browsers. The connections you're observing provide our users with more protection, and better privacy, not less. Automatically verifying that your browser and Safe Browsing malware-protection blocklists are up to date, performing captive-portal detection, all of these and more are critical to providing our users with effective security and privacy protection, and they need to be done routinely to be effective. The anonymized telemetry data we collect informs our decisions to where to spend our engineering efforts to further improve the security and reliability of our product. We haven't deployed any of these processes or services lightly, or without long consideration and careful risk analysis, and disabling any of these services makes you less safe and exposes you to more privacy and security risks, not the other way around. If you believe need something more than what stock, up-to-date Firefox provides, you're welcome to talk to our friends at TOR. They do great work that we're proud to support. But what you're proposing here is will be ineffective, and - particularly when you operate the scale that we do - potentially far more harmful than you realize if we accepted this behavior as the default.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
While Mozilla has no obligation to change is policies at the behest of its users, broken documentation is a matter neither of policy nor opinion. I can confirm that the information on the page in question is inaccurate and/or incomplete, having just tested it with a fresh install of Firefox 58. As George reported, three about:config values referred to do not appear in my about:config, specifically browser.selfsupport.url media.gmp-gmpopenh264.enabled browser.casting.enabled Perhaps these values were present in older versions of Firefox. After completing all of the other instructions on this page, I attempted to replicate George's tcpdump test. Upon starting the browser I see connections including detectportal.firefox.com getpocket.cdn.mozilla.net r.cloudfront.net.https safebrowsing.googleapis.com I understand Mozilla has a security rationale for Firefox making some automatic connections, but that does not change the fact that a documentation page called "How to stop Firefox from making automatic connections" does not contain enough information to prevent Firefox from making automatic connections, and that some of the information (the missing about:config values) are inaccurate or out-of-date. I suggest that this documentation bug be reopened until the documentation page in question has been updated.
I agree with Mason (previous comment). Only yesterday I had to browse the international forum to discover the reason of the connection to detectportal.firefox.com.
Dear Mozilla, By repeatedly closing privacy related tickets which show actual observable and irrevocable facts about privacy issues and trying to justify that negligence with "real-world threats" you are not doing a favor to yourself. You have designed the software which locks the user within your network for "features" and telemetry stuff, your documentation is wrong and you deny the possibility for community feedback and control of a (supposedly) "privacy respecting" FOSS. This is not going to work. We are not stupid. This bug report has several important parts supported with actual STR and logs: - "Work offline" does not work offline (sends packets on exiting) - The documentation is wrong - There is no easy way to get the privacy (can be considered a feature request) First you renamed it in attempt to limit it only to the second part, then you closed it with "RESOLVED WORKSFORME" because of "real-world threats". I would like to remind you again that it was one of you who asked me to open this ticket. This is not only disrespectful but also lacks basic logic.
I've opened this bug to resolve the documentation sortcomings: https://bugzilla.mozilla.org/show_bug.cgi?id=1433494 and this one to add some transparency to the portal detection site: https://bugzilla.mozilla.org/show_bug.cgi?id=1433500 I've also reset this bug to its original title. The resolution can remain as is.
Summary: "How to stop Firefox making Automatic Connections" kb article is incomplete → Firefox privacy settings don't give actual privacy
And about "Work offline"?
That one will require some investigation and clarification. "Work offline" is, to the best of my knowledge, not intended to be a security or privacy feature at all - it's an extremely-legacy web developer's local-testing tool. That said, I'm not 100% confident in my understanding of the history or intent there, so I'll look into it.
See Also: → 1433494
Thanks for your attention to this Mike. I've done a little more testing re the documentation issue, but I'll keep that to the new bug report. Is "Work offline" no longer intended to be used? If so will it be removed in future versions of Firefox? If the feature is included in Firefox and does not work properly then perhaps that should be its own bug report, even if it is not related to privacy or security? I appreciate your looking into this.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: