PRIVACY: The Big Lie
You will tell me why Mozilla Firefox, a browser that claim to protect our privacy, is PERMANENTLY connected to Amazon servers.
Even If I try to block the connections with a Firewall, it's useless, because the next time I start it, it still connects to Amazon using diffferent IP address, even if the starting page is totally blank.
It is not about keeping firefox up-to-date, because when I manually start the search for an update, Firefox establish a new connection: Mozilla REALLY want my browser to SEND datas to Amazon, which is one of the worst company when we talk about collecting personnal informations, just like Google, which Firefox also use, but it's less dramatic since I can decide to not use that feature.
So, like I wrote, I try to block Amazon IP addresses: The result is that I can't access extensions store, but that's still not the use of these servers, since even If It's blocked, Amazon still appears in Established connections, and it's not about Search: Indeed, Amazon appears in a list of engines we can use ( if we want it ), but it's un-checked, and I use a different search engine, so what's left now, since there's apparently no reason at all for these connections to happen.
Here's my theory: Mozilla need money to survive, so it sell informations about its users to Amazon, and that's why it's so important to keep these connections alive.
The fact that we're forced to connect to Amazon servers shows that it's not necessary and that whatever the reason you ive me (update, protection...), it's probably (obviously) not the truth.
Waiting for a real answer !
I
الحل المُختار
You could try globally disabling push notifications (background/service worker communications) and see whether that makes any difference. I haven't tested this in recent years, so I don't know whether this is still a master preference:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
More info on about:config: Configuration Editor for Firefox. The moderators would like us to remind you that changes made through this back door aren't fully supported and aren't guaranteed to continue working in the future.
(2) In the search box in the page, type or paste push and pause while the list is filtered
Firefox should list numerous preferences starting with dom.push
(3) Double-click the dom.push.enabled preference to switch the value from true to false
Read this answer in context 👍 1All Replies (10)
I'm not really a geek, learning as I go so I'm not sure that I'd be able to do that, but I will try this tomorrow, if no one found the solution.
Thanks for the tip.
if this exact situation can be seen elsewhere, that would eliminate the malware possibility.
If Firefox is programmed to establish these connections, is there a way to see a kind of list of the connections Firefox is supose to make ? In the code, or in about:config, or elsewhere, Windows registry ?
Is there a way to edit this hypothetic list so firefox would be able to establish these connections without external software ?
In case a hacker wants to create this link between my browser and it's malicious server, how would he do that ?
Modified
SmilieX said
if this exact situation can be seen elsewhere, that would eliminate the malware possibility.
Do you mean if it happens for other Firefox users?
If Firefox is programmed to establish these connections, is there a way to see a kind of list of the connections Firefox is supose to make ? In the code, or in about:config, or elsewhere, Windows registry ?
The previously referenced support article is the most comprehensive list, but it's probably not 100% complete. The code should have all the relevant addresses, but I think they would be difficult to track down (i.e., I don't think they are stored together but instead would be in different files based on function).
Is there a way to edit this hypothetic list so firefox would be able to establish these connections without external software ?
I'm not sure what you mean by external software. The connections are between Firefox and servers on the web. The problem is that whatever software you are using to gather your list of connections can't tell what website is running on that server, which is really critical to know.
In case a hacker wants to create this link between my browser and it's malicious server, how would he do that ?
Connections need to be initiated from the browser by the browser, or by you, or by one of your add-ons. Your firewall prevents external people from initiating connections to programs running on your computer.
Yes, if this connections happens to other users: That would be easy to confirm, I don't understand how I got no answer about this yet
By external software, I mean virus / trojan or anything bad that could force firefox to create these connections.
A trojan been detected on my computer on July, it been there for a couple months before a full scan with Windows Defender, runned manually after noticed that computer went into sleep mode without any reason, but I deleted that trojan, and re-installed Windows many times, but weird things still happens: This morning I had to reset my router (I turned computer off before sleeping, which is rare) so maybe someone, or in that case a group of person, still have access to my computer in a way I don't know.
Maybe it's not linked with these connections, but maybe it is, and if it is, then retro-ingenerie would be the only way to find how to block them, so that's why I was asking if there is a way to edit this hypothetical list of connections that firefox is supose to make: That would certainly not fix the whole problem, but at least a part of it.
So, for sure I been infected, but if someone could confirm that these connections are legit, I'd know if there's two or only one problem.
Also, I forgot to mention that I use Windows Firewall to block the other legit connections happening in Firefox, like Akamai Technologies, etc.. so at the end, there's only that weird Amazon one.
All this story also pointed an other weird thing, but about Windows SearchApp.exe, that is connected 24h / 24h to MANY servers, maybe you will notice if you track connections with PowerShell... This has nothing to do with Mozilla, but it's scary, especially when you don't use this app and that its service is disabled, it can be blocked with Firewall tho.
The way Microsoft keeps control on what you can delete or disable and what they can do without your permission is also scary, but most of the users do not take care or do not investigate so deeply.
At least, now I know why the update to the newer version was free ;)
Modified
You should be able to see more detail about established connections on the about:networking page (HTTP and DNS).
If you are curious about r3.o.lencr.org, that appears to be an OCSP server used by Let’s Encrypt (letsencrypt.org) although a Google search links to a lot of malware reports.
Quote:
I haven’t examined this situation in particular, but I’ve seen before where security researchers examining malware mistakenly identified simple OCSP as being a botnet command-and-control vector. Basically, while the researcher is examining the actions of a piece of malware, the researcher is likely to scrutinize the list of all the hosts the malware connects to. If the malware for any reason validates OCSP for a Let’s Encrypt-issued certificate, the researcher would observe it connecting to lencr.org. Since OCSP is often done without transport encryption, it’s usually pretty straightforward to see it’s legitimate certificate validation, but certainly everyone makes mistakes, and as of yet lencr.org is not as well-known as letsencrypt.org.
After looking into about:networking, I been able to link what I see in PowerShell with an URL in that page, which is:
The use of this connection is still unknown to me:
Web Push is an optional feature that allows websites to send you messages even when the site is not loaded. Sites can use this feature to provide you with notifications or update data in the background.
That's cool, but updates are not published everyday, so in case this connection is about updating Firefox, which seems to be the most simple answer, it's absolutely NOT necessary to keep the browser permanently connected to this server.
Also, when I start a manual search for an update, Firefox seems to create a new connection, so why would it need to establish a new one if there's already one very special connection for that task.
So, I don't think this is linked with any malware, but I keep in mind that one of the prefered methods of hackers is about hiding their stuffs in contents users are familiar with.
Microsoft Windows ( 10 ) also got a Push service, but I can terminate that one with a simple click in Task Manager, so I don't understand why it's so hard to do the same with Mozilla's push service when it claims to give us control on our browsing experience.
In less than 2 minutes, what Mozilla named a push service already sent more data than it received, as seen in about:networking, and I was on a blank page.
If this is what I think it is, privacy, online, probably doesn't exist anymore, so I'll hope it's not.
If it is, tho, then it's possible that only a small amount of persons in this world still knows how to stay Anonymous.
Millions people thinks Firefox can protect a part of the small amount of privacy they still have when they use a connected device, but the big question is:
Is it true ?
Or are we just Google's, Facebook's, Microsoft's, Apple's and Amazon's puppets ?
Modified
الحل المُختار
You could try globally disabling push notifications (background/service worker communications) and see whether that makes any difference. I haven't tested this in recent years, so I don't know whether this is still a master preference:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
More info on about:config: Configuration Editor for Firefox. The moderators would like us to remind you that changes made through this back door aren't fully supported and aren't guaranteed to continue working in the future.
(2) In the search box in the page, type or paste push and pause while the list is filtered
Firefox should list numerous preferences starting with dom.push
(3) Double-click the dom.push.enabled preference to switch the value from true to false
Yes!
Haha xD I think I went too deep into conspiracy but that's exactly what I figured out, and it seems like it fixed the problem .
I have no explanation on why a push service is transmitting more than receiving, but since I can disable that feature, all good now.
Thanks to everyone who helped me with this.
We should add it to the article.
Solved.
Modified