
Firefox built-in spyware that cannot be disabled

60 points| gamertime | 2 years ago

Looking at about:networking I can see connections to pocket (despite me disabling pocket in about:config) as well as connections to "firefox.settings.services.mozilla.com".

And after research, it appears some of these are hard-coded into the source code on purpose for "security reasons" which is ridiculous.

Mind you, my browser is hardened to its best.. just felt like sharing this for anyone unaware that even if you harden Firefox, even if you go the extra 10 miles and edit about:config, it will still spy on you!

40 comments


k8svet|2 years ago

I swear there must be one person at Mozilla with power and a massive sunk cost complex surrounding their pocket acquisition. if they actually cared, it wouldn't be built-in and so offensively un-disableable.

wkat4242|2 years ago

Yeah pocket is such a useless tool.

I love a lot of their stuff like the containers and local translation but pocket is just spam.

logicprog|2 years ago

This is why I use LibreWolf, which is a patched version of Firefox that removes pocket and stuff like this entirely, instead of regular Mozilla Firefox with something like arkenfox to harden it. There's only so much a config, no matter how extensive, can really do for you against what's been hard-coded into a program itself, and configs need personal maintenance, whereas a patch version of a piece of software can pull things out at the root, and will generally be maintained by people other than me. Yes, since it's a patched version there is some delay in receiving updates from upstream, but it's very small and they're extremely consistent about keeping up with new Firefox versions, since I believe most of their system is automated and it's basically the same set of patches every time. So it's no more of a risk than using a distro packaged version of Firefox instead of a Flatpak version, since distro packages add the same sort of patching by a third party delay. And most people are fine with distro packages for browsers, so there's no reason to balk here either.

countWSS|2 years ago

I use librewolf and it spends a few minutes at startup connecting to some mozilla server on AWS. Then all webpages start loading. I tried removing every single setting related to telemetry, replacing servers and it still doesn't work, perhaps it's indeed hardcoded somewhere deep.

CTOSian|2 years ago

I am on Firefox 122, binary from Mozilla, not from my distro's repos (Debian) and I don't see any connection to pocket - at least some domain that has the name 'pocket' in it.

Bender|2 years ago

I noticed this as well and blocked it in my local DNS. I also disable DoH.

    grep firefox /etc/unbound/override/combined.conf
    local-zone: "firefox-settings-attachments.cdn.mozilla.net" always_nxdomain
    local-zone: "firefox.settings.services.mozilla.com" always_nxdomain
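As an added example (not part of the comment above, and not unbound's own code), the following Python script parses `local-zone` lines like the two quoted and reports which hostnames the override would answer with NXDOMAIN. It assumes unbound's zone semantics, where a `local-zone` covers the zone name and everything below it on a label boundary, and it models only the `always_nxdomain` type; the list of hostnames it checks is constructed for the demonstration.

```python
"""Check which hostnames an unbound local-zone override would block.

Constructed example: the two override lines are the ones quoted in the
comment; the hostnames below are made up to show the matching rules.
"""
import re

# The two lines from the comment, embedded so the script runs offline.
UNBOUND_OVERRIDE = '''
local-zone: "firefox-settings-attachments.cdn.mozilla.net" always_nxdomain
local-zone: "firefox.settings.services.mozilla.com" always_nxdomain
'''

# local-zone: <name> <type>   (name may or may not be quoted)
LOCAL_ZONE_RE = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s+(\S+)\s*$')


def parse_local_zones(text):
    """Return {zone_name: zone_type} for every local-zone line in text.

    Names are lower-cased and stripped of a trailing dot so lookups are
    case-insensitive and 'example.com.' equals 'example.com'.
    """
    zones = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]  # drop unbound-style comments
        m = LOCAL_ZONE_RE.match(line)
        if m:
            zones[m.group(1).lower().rstrip('.')] = m.group(2)
    return zones


def matching_zone(name, zones):
    """Return the most specific zone that name equals or is a subdomain of.

    Matching is on label boundaries: 'x.mozilla.com' is under 'mozilla.com',
    but 'xmozilla.com' is not. Returns None when no zone applies.
    """
    name = name.lower().rstrip('.')
    best = None
    for zone in zones:
        if name == zone or name.endswith('.' + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve_action(name, zones):
    """'NXDOMAIN' if name falls in an always_nxdomain zone, else 'FORWARD'.

    Other local-zone types (static, refuse, redirect, ...) are not modelled
    here and are treated as not blocking.
    """
    zone = matching_zone(name, zones)
    if zone is not None and zones[zone] == 'always_nxdomain':
        return 'NXDOMAIN'
    return 'FORWARD'


def audit(names, override_text):
    """Map each hostname to the action the override would produce."""
    zones = parse_local_zones(override_text)
    return {n: resolve_action(n, zones) for n in names}


if __name__ == '__main__':
    # Constructed hostnames: two from the override, one child of a blocked
    # zone, one look-alike that shares a suffix but not a label boundary,
    # and the bare parent domain.
    observed = [
        'firefox.settings.services.mozilla.com',
        'firefox-settings-attachments.cdn.mozilla.net',
        'cdn.firefox.settings.services.mozilla.com',
        'xfirefox.settings.services.mozilla.com',
        'mozilla.com',
    ]
    for host, action in audit(observed, UNBOUND_OVERRIDE).items():
        print(f'{action:9} {host}')
```

The look-alike and parent-domain cases are the ones worth checking before trusting a block list: a zone entry blocks its subtree, not arbitrary suffix matches, and it does nothing for the parent domain. These rules also only take effect when the browser sends its queries to the local resolver; with DNS over HTTPS enabled, Firefox sends lookups to its DoH provider and a local unbound override is bypassed, which is why the comment pairs the override with disabling DoH.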

josephcsible|2 years ago

> I also disable DoH

Why? DoH is good for privacy.

jruohonen|2 years ago

Or even good old hosts or whatever.

punkybr3wster|2 years ago

Is pocket actually spyware / telemetry or is this just conjecture?

jacquesm|2 years ago

Either way you wouldn't know. Anything that phones home could be spyware, the difference is on the far side. So it could start out as not spyware and then become spyware. Or it may sometimes be spyware and at other times it is not.

Browsers should only do what their users tell them to do. In fact: that goes for computers as a whole.

ilikenwf|2 years ago

Here's your solution

https://librewolf.net/

Keeps version parity but removes all the nastiness with a lot of other beneficial config changes...and the ability to further customize in persistent js files.

Cachy Browser in CachyOS/Archlinux is more or less Librewolf with some other tweaks to make it faster.

hayst4ck|2 years ago

That does sound appealing, but I don't see any information on who owns or maintains it.

You click "@ohfp" and it leads you to an incredibly empty github-ish thing with 7 total followers? That is not a good sign at all.

"About us" is completely missing, and that is extremely important to me.

I would need a bit more trust, maybe even something like EFFs blessing, to use this.

If you were being skeptical, would you trust them? Why?

FractalHQ|2 years ago

I wonder how much hidden telemetry is in Brave browser, if any. Has anyone with wireshark chops looked into it?

rasz|2 years ago

Mozilla CEO needs this for that sweet Google payout. This is how you prove to advertisers number of active installs.

wkat4242|2 years ago

Hmm I wonder if it's possible to generate fake callbacks to this to mess up the data >:-] A bit like ad nauseam that tries to mess up advertisers' by taking a click on each ad without actually showing it to the user.

thisislife2|2 years ago

This is the right answer. (The Vivaldi browser company, too, says the same thing in their forums when asked why "phoning home" cannot be completely disabled.) It's also a bit frightening because this means Firefox collects enough data to fingerprint and uniquely identify every browser / user.

hknmtt|2 years ago

yes, ff does a ton of background connections. use wireshark to see what it is doing. i tried to block all that crap once but after a while i just gave up.

it is still my primary browser because it is now the only alternative to google's monopoly(even though mozilla is de facto living off of google's money).

gamertime|2 years ago

They're not only living off google money, they also fired all their engineers, and google is required by court of law to supply money and engineers to help maintain Firefox, ridiculous!

yuhong|2 years ago

[deleted]