Consider fixing the Mitigation guide for Firefox #58

Open
opened 9 months ago by Rupert · 14 comments
Rupert commented 9 months ago

First of all, sorry if this topic sounds harsh.

Unfortunately, arkenfox user.js maintains a lot of automatic connections, geolocation, safebrowsing and so on.
Your old guide was by far better than this.

Nowadays, Mozilla is bloating its browser and it's almost impossible to mitigate it.

After trying dozens of user.js this is the best I found (from a forked arkenfox one)
https://git.nixnet.services/Narsil/desktop_user.js
However, we still have to add firefox.settings.services.mozilla.com to our host file.

This way, it seems there are no unsolicited connections, but what will be the next step? Will we have to continue adding more and more in the future in order to control Firefox?

To sum up I think you would consider even deleting that guide.

Thanks for your time.

Owner

I'm unsure what being a bloated browser has to do with disabling spyware. If you feel as though using a user.js doesn't help, I'm not sure why you'd be using Firefox to begin with.

Using ghacks with a few tweaks helps a lot of people who are stuck on Firefox. Unless there's a better way to mitigate Firefox, I prefer to leave the guide be.

I'll retest Firefox later on and show specific options to disable that aren't covered by ghacks.

I'll leave this up to @anonymous for the final decision.

baobab added the wontfix label 9 months ago
baobab removed the wontfix label 9 months ago
anonymous was assigned by baobab 9 months ago
Poster

Sorry for the pessimistic message.

Anyway, it would be nice if you add those specific options.

People come here looking for the connections of their browsers and how to mitigate them. However, arkenfox (new name for ghacks) isn't the best way.

On the other hand, Mozilla telling us we have to add some of them to the host file is a nefarious behaviour.

BTW, on mobile the same connection appears.

Greetings.

Owner

The guide needs to be updated.

> https://git.nixnet.services/Narsil/desktop_user.js

Page doesn't seem to load, even with JS turned on?

And thank you for bringing the issue to our attention.

Poster

That Git instance seems to be quite erratic.

Reload the page once or even several times.

Owner

Possibly worth investigation or adding into "further reading":
https://old.reddit.com/r/privacy/comments/d3obxq/firefox_privacy_guide/

Owner

Also, you are correct about

> Will we have to continue adding more and more in the future in order to control Firefox?

Firefox continues to add more bloat and botnet, and switching to a different browser should be done by any user (I'm currently working on a page for this).

But at least for now we will provide the guide so long as it is doable.
Especially since there is a user.js out there that seems to get ~95% of the unwarranted connections to stop (not that that is enough, if indeed it is only 95%).


@anonymous
"switching to a different browser should be done by any user"
I agree but the only obstacle that I see are distributions not having these browsers in their repos or them having Firefox as the default. (with the default user.js for some reason..) I do not see flatpak or equivalents as a good way to package anything, in fact they should not be a thing.

@Rupert
You're using something that Mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. *Probably* and *maybe* opening up an issue (to Mozilla) will grant a good explanation of what is being sent to that address.

Poster

> @Rupert
> You're using something that mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. *probably* and *maybe* opening up an issue (to mozilla) will grant a good explanation of what is being sent to that address.

According to https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

*Login breach information*

Firefox Monitor warns you if your online accounts were involved in a known data breach.
For more information, see Firefox Lockwise - Alerts for breached websites.

To get the latest login breach information and more, Firefox connects to **firefox.settings.services.mozilla.com**

Poster

This is madness...
And now, we have to add aus5.mozilla.org to the host file.

Owner

Yeah, I just tested the ghacks last night. Their user.js is horrible. I'm not sure why in my right mind I decided to use it in the guide. If I remember correctly, they didn't use to be like that. I'll put a deprecated warning in the guide tomorrow and maybe next week I'll update it with a better user.js.

I'm changing the title from "Consider deleting Mitigation guide for Firefox" to "Consider fixing the Mitigation guide for Firefox" for better accuracy of this issue.

baobab changed title from Consider deleting Mitigation guide for Firefox to Consider fixing the Mitigation guide for Firefox 9 months ago
baobab added the bug label 9 months ago
baobab self-assigned this 9 months ago

@baobab

I've never seen the profile manager being mentioned. Have a profile that disables telemetry, zaps fingerprinting and gets rid of other anti-features at its fullest and simply have another one that is less strict. Problem solved and no need to leave stuff in because of (x) not working properly.

baobab referenced this issue from a commit 9 months ago

@baobab
@RoloRolow
@Rupert
@anonymous
Are you sure it's gone?
In Firefox Current there's a file "omni.ja" inside its installation folder (which can be opened by WinRAR),
and inside I found a file "greprefs.js" "omni\modules\services-settings\Utils.jsm" and it had the setting firefox.settings.services.mozilla.com

https://wiki.archlinux.org/title/Firefox/Privacy
Editing the contents of omni.ja

This Mozilla-optimized zip file contains most of the default configuration settings used by Firefox. As an example, starting from Firefox 73, network calls to firefox.settings.services.mozilla.com and/or content-signature-2.cdn.mozilla.net cannot be blocked by extensions or by setting preference URLs to "");. Aside from using a DNS sinkhole or firewalling resolved IP blocks, one solution is to grep(1) through the extracted contents of omni.ja before removing all references to firefox.settings.services.mozilla.com and/or cdn.mozilla.net. Extraneous modules such as unused dictionaries and hyphenation files can also be removed in order to reduce the size of omni.ja for both security and performance reasons.

To repack/rezip, use the command zip -0DXqr omni.ja * and make sure that your working directory is the root directory of the files from the omni.ja file (eg. (...) -0DXqr omni.ja path/to/omni/* will not work) as stated at the Mozilla page.
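
A check on the result of the repack step quoted above, as an added example that is not part of the thread or of the Arch wiki text: it opens a repacked omni.ja and reports members that still mention the two hostnames, plus entries showing that the `-0` (store only) or `-D` (no directory entries) flags were not applied. The function names and the sample archive are constructed; it assumes the archive was written by the `zip` command shown, since Python's `zipfile` may not open Mozilla's original optimized layout.

```python
import io
import zipfile

# The two hostnames named in the thread.
HOSTS = (b"firefox.settings.services.mozilla.com",
         b"content-signature-2.cdn.mozilla.net")


def audit_repacked(archive, hosts=HOSTS):
    """Audit a repacked omni.ja (path or file-like object).

    Returns (problems, references):
      problems   -- [(member, reason)] for compressed members or directory entries
      references -- {member: [(line number, host), ...]} for leftover hostnames
    """
    problems, references = [], {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                problems.append((info.filename, "directory entry (-D not applied)"))
                continue
            if info.compress_type != zipfile.ZIP_STORED:
                problems.append((info.filename, "compressed (-0 not applied)"))
            # Search the raw bytes line by line so binary members do not break decoding.
            for lineno, line in enumerate(zf.read(info).splitlines(), 1):
                for host in hosts:
                    if host in line:
                        references.setdefault(info.filename, []).append(
                            (lineno, host.decode()))
    return problems, references


def build_sample():
    """Constructed stand-in archive; member contents are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("greprefs.js",
                    'pref("example.constructed.a", "x");\n'
                    'pref("example.constructed.b", '
                    '"https://firefox.settings.services.mozilla.com/v1");\n')
        zf.writestr("modules/clean.jsm", "// no hostnames here\n")
        zf.writestr("chrome/", "")  # directory entry that -D would have omitted
        zf.writestr("modules/packed.jsm", "x" * 200,
                    compress_type=zipfile.ZIP_DEFLATED)  # -0 would have stored it
    buf.seek(0)
    return buf


if __name__ == "__main__":
    problems, references = audit_repacked(build_sample())
    print("problems:", problems)
    print("references:", references)
```

To audit a real repack, pass the path of the new omni.ja to `audit_repacked` instead of the sample buffer.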

Owner

> @anonymous
> "switching to a different browser should be done by any user"
> I agree but the only obstacle that i see are distributions not having these browsers in their repos or them having Firefox as the default. (with the default user.js for some reason..) I do not see flatpak or equivalents as a good way to package anything, in fact they should not be a thing.

Artix has repos that have most of everything. Also makes a case for setting up a distro yourself (be it for you or your normie friend who is done with macOS or Windows).

Also I wrote a thing about browsers:
http://abrx6wcpzkfpwxb5eb2wsra2wnkrv2macdtkpnrepswodz5jxd4schyd.onion/browsers.xhtml

Since I have found out about a few other browsers too, so it could always use updates but whatever.


> > @anonymous
> > "switching to a different browser should be done by any user"
> > I agree but the only obstacle that i see are distributions not having these browsers in their repos or them having Firefox as the default. (with the default user.js for some reason..) I do not see flatpak or equivalents as a good way to package anything, in fact they should not be a thing.
>
> Artix has repos that have most of everything. Also makes a case for setting up a distro yourself (be it for you or your normie friend who is done with macOS or Windows).
>
> Also I wrote a thing about browsers:
> http://abrx6wcpzkfpwxb5eb2wsra2wnkrv2macdtkpnrepswodz5jxd4schyd.onion/browsers.xhtml
>
> Since I have found out about a few other browsers too, so it could always use updates but whatever.

Two connections could not be blocked anymore:
firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net

Are you sure it's gone?
In Firefox Current there's a file "omni.ja" inside its installation folder (which can be opened by WinRAR),
and inside I found two files "greprefs.js" "omni\modules\services-settings\Utils.jsm" and it had the setting firefox.settings.services.mozilla.com
