Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Firefox Mozilla Software Technology

How to Quash Firefox's Silent Requests 294

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API . Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
This discussion has been archived. No new comments can be posted.

How to Quash Firefox's Silent Requests

Comments Filter:
  • by ciaran2014 ( 3815793 ) on Friday August 14, 2015 @06:43PM (#50319827) Homepage

    Thanks for the info! (And for putting it in the summary)

    • by ciaran2014 ( 3815793 ) on Friday August 14, 2015 @06:51PM (#50319857) Homepage

      And for anyone new to Firefox, to set that variable:

      1. Type "about:config" into the address bar (and you'll see a list of variables)
      2. Copy'n'paste "network.http.speculative-parallel-limit" into the search bar at the top of that page and hit Return
      3. You'll now just have that one line on the page. Double-click it (or right click on it and select "Modify")
      4. A box pops up, you change the value to 0, and hit OK.

      Done.

      (The first time you look at "about:config", Firefox might ask you "Are you sure you know what you're doing?" Obviously you say yes to this.)

      (Yes I know I've explained it as if talking to a ten year old, but protecting your privacy is important so it's important that absolutely everyone can do it.)

      • You think this'll change back when Firefox updates?

        • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday August 14, 2015 @07:18PM (#50319971) Homepage Journal

          You think this'll change back when Firefox updates?

          I've always had good luck with explicitly set variables being carried forward successfully.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          Most likely not. But you can create a file called user.js in your Firefox profile folder with the line

          user_pref("network.http.speculative-parallel-limit", 0); // no connections on link hover

          IMO keeping your GUI-less settings in this file is the easiest way to manage them and remember what you've changed. Be aware though that support for it might be removed one day: https://bugzilla.mozilla.org/show_bug.cgi?id=672630

      • Privacy is important, indeed, but I wonder if this will also break functionality on some websites. What if the final "Buy Now" function in one of your apps is a link rather than a button? You hover over it, thinking about it; but little do you know, your browser has already made the decision for you. When you realize your bank account doesn't have enough money for the purchase, you decide not to place the order, but then you check your email and have an order confirmation ID from the vendor.

        Ouch.

    • by Lennie ( 16154 )

      To bad that it's misleading.

      It doesn't send any requests. It just opens a connection.

      Which means it will do a DNS-lookup, open a TCP-connections and maybe set up a SSL/TLS-connection.

      There are no HTTP-requests being send.

      • Nothing misleading. The story says "requests", and DNS lookups are called "requests" in a lot of documentation. TCP connections are opened by sending "requests". SSL/TLS too probably.

        Even if you personally think "requests" should only be used for HTTP requests (which the story didn't claim), Firefox is sending something to a third-party server, so the substance of the story is accurate. (The substance of the story is that third party servers get notified when you hover over a link.)

  • Tired... (Score:5, Insightful)

    by Anonymous Coward on Friday August 14, 2015 @06:47PM (#50319843)

    Tired of keeping track of how to disable firefox new 'features'...

    • Then again these 'features' aren't limited to FF. My current pieve is later 'fad' of 'simplified URLs' in the address bar that strip the protocol and other useful information.

      • by Desler ( 1608317 )

        My current pieve

        You have a rural church from the Middle Ages?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Yeah that's a pain, fix it by flipping "browser.urlbar.formatting.enabled" to false.

        • Tack så mycket! Danke schön! Xiexie ni! Gracias!

          That has irritated the holy hell out of me for ages.

          Sorry I don't have mod points today, but you have my gratitude. THANK YOU.

  • by Anonymous Coward on Friday August 14, 2015 @06:49PM (#50319849)

    *Another* setting I have to alter.

    I can't trust FF any more. A little while back I looked around for a replacement, but no luck.

    Chrome is obviously so far beyond the pale it's keeping New Horizons in good company. MS have jumped the shark on privacy, IE is out. Firefox you can't trust, every update makes changes I dislike and it's huge, fat, slow and bloated.

    • by Anonymous Coward on Friday August 14, 2015 @06:56PM (#50319875)

      Upgrade to Windows 10 and use Microsoft Edge.

    • by ciaran2014 ( 3815793 ) on Friday August 14, 2015 @06:56PM (#50319877) Homepage

      Firefox disappoints sometimes, but only because we have high expectations of it.

      I disagree with a few things they've done in the last two or three years but it's still light years ahead of the rest in terms of respecting your privacy, not trying to lock you in, being free software, supporting open standards (and not just as part 1 of a bait-and-switch, which I suspect all other browsers of), and a few other metrics.

      I've no idea how it compares for speed - I wouldn't even give the other browsers a test run.

      • by Burz ( 138833 )

        Cleaned-up Firefox builds: Iceweasel and Palemoon

        • by Raenex ( 947668 )

          What makes you think Iceweasel "cleans" things up? Most, if not all, of the Firefox behaviors are left as is in Iceweasel, with the exception of auto-updating being the major exception, as far as I can tell.

        • by jez9999 ( 618189 )

          Pale Moon is no longer a Firefox build, having diverged and fully forked the codebase well before Australis hit. It's now its own thing. Pretty much the only way to avoid the endless stream of crap going into the Firefox codebase these days.

    • by johanw ( 1001493 )

      Use Palemoon. Looks ike classic Firefox including the plugins but without the recent bloat and anti-user behaviour. And without Australis too.

    • FF is open-source, is it not? Get the source, chop out all the stuff you don't like/want, and compile your own personal fork of it.
    • I changed to Pale Moon [palemoon.org] some time ago and it seems good. At least better than FF (it is a fork).
  • Thank you (Score:5, Insightful)

    by GoodNewsJimDotCom ( 2244874 ) on Friday August 14, 2015 @06:54PM (#50319867)
    There is a security flaw in email where spammers can validate you're an active email if you have images turned on. I guess if you accidentally hover their link that they can see you're an active email too! I set my network.http.speculative-parallel-limi to 0 in the url: about:config.
    • I guess if you accidentally hover their link that they can see you're an active email too!

      If you use a web browser as an email client, yes. That's one of the many good reasons not to overload web browers with unnecessary functions. Another is that you don't clutter the net with HTML-ized email without knowing it, and don't create unreadable email for people who use real email clients.

      • I've used webmail for about 15 years, and most people do the same. Configure the webmail to not show images, biggest issue is gone.
        I tried a mail client recently but I would rather leave the 8000 useless unread mails and other crap out of my PC than bog it down with it, lest bother with it on other PC or computers I can possibly use to check or write mail.

    • I thought that Gmail actually circumvented this with an image caching service, but when I (just) researched it, it doesn't (it only does proxying):
      "Also, no caching is performed server-side, every time I downloaded that URL, a request showed up on my server." ( https://filippo.io/how-the-new... [filippo.io] )

      "In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message

  • by Anonymous Coward on Friday August 14, 2015 @06:57PM (#50319879)

    Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link.

    Looking at the bug request [mozilla.org] that was linked in the summary, it appears that "more recent versions" of Firefox means "all versions since 2012".

  • by Anonymous Coward on Friday August 14, 2015 @06:59PM (#50319887)

    So... If you open a spam email via some webmail client, and hover over a link to see if it leads to where you expect (common thing to do if you're unsure if the email is legit or not)....
    Then, Firefox will connect to that link??????
    Their often unique hashes which identify exactly which email recipient the spam got to! It's not much different than actually clicking a link, and validates the email!

    That's about the most evil scenario I can think of and I don't like it one bit.

    • by SuperBanana ( 662181 ) on Friday August 14, 2015 @08:53PM (#50320315)

      Gmail caches any images in an email, and serves them through their own servers, in order to prevent tracking bugs from having any effect.

      The greater concern for me is what happens when you hover over a link that causes action by virtue of the URL being hit? I assume they must have done some filtering-out GET URLs, but...what about URLs that are prettified? Jesus, this is such a bad idea all around.

    • Expand that scenario ...

      What about the one where a Firefox bug is exploited because you just moved your mouse and during the process it hovered over a malicious link, which then Firefox tried to fetch and then was exploited in the process ...

      Oh thats right, Mozilla completely and utterly forgot about the nature of writing a secure browser.

      Firefox: Netscape Navigator 50.0 - Same crappy devs, same crappy management, same ignorant development that ran them out of business the first time ... new browser name.

    • That's much like the old "webbug" problem, which relied on one pixel sized, transparent images downloaded from the desired upsteam advertiging and usage This sort of behavior was well described by the Electronic Frontier Foundation at https://w2.eff.org/Privacy/Mar... [eff.org]. That problem still exists.

      The failure to reject such default optimization on the purely privacy basis is a troubling one. It means that, for example, I can track the location of people who read my email sent through anonymizing services, sim

  • Bugs? (Score:5, Insightful)

    by Stoutlimb ( 143245 ) on Friday August 14, 2015 @07:00PM (#50319891)

    I could see a nightmare scenario with poorly implemented "click to buy" or voting websites. Some nations, in the cases of stuff like CP, make it illegal to access websites containing banned material. Now mousing over links can look identical to accessing, according to log files. What a mess.

    • Re:Bugs? (Score:5, Informative)

      by Kelson ( 129150 ) on Friday August 14, 2015 @07:24PM (#50319995) Homepage Journal

      According to the docs [mozilla.org], this doesn't fire on just any random website's links, only in specific parts of the Firefox UI:

      To improve the loading speed, Firefox will open predictive connections to sites when the user hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar, or in the search field on the Home or the New Tab Page. In case the user follows through with the action, the page can begin loading faster since some of the work was already started in advance.

      That's fortunate, because firing it on any website's hover link would reach that nightmare scenario pretty quickly.

      Link prefetcing on websites only happens if the site explicitly marks the link for prefetch. (Example use case: prefetch page 2 of an article from page 1.) Firefox & Chrome have done this for years.

      • Re:Bugs? (Score:5, Informative)

        by Kelson ( 129150 ) on Friday August 14, 2015 @08:08PM (#50320145) Homepage Journal

        And looking closer at the API description [mozilla.org], speculative connect isn't supposed to actually make the HTTP request, just set up the TCP connection. No headers, no URL, just an IP address at the network layer.

        Still technically a connection, but hardly any information is sent, and it's not mistakable for an actual click.

    • OTOH it could be an out: "I just passed the mouse cursor over the link, your Worship; I didn't actually access the page. Firefox's default behaviour just makes it look like I did and the Crown cannot prove otherwise."
  • by sk999 ( 846068 )

    The last version of Firefox that I used unmodified out-of-the-box was version 2. Worked fine. Ever since it's been a game of whack-a-mole. Cannot think of a single must-have feature that had been added; instead, it's been a down-hill slide of trying to undo all the stupid new "features" that ruin an otherwise fine product. An endless treadmill of installing add-on extensions and tweaking about:config. Please, STOP IT!

  • Holy crap ... (Score:4, Insightful)

    by gstoddart ( 321705 ) on Friday August 14, 2015 @07:19PM (#50319973) Homepage

    What idiot decided to do this?

    I don't want to load a link just by hovering on it. I don't want to tell every damned link in a webpage that I've looked at it. If I click on it I'll click on it, but don't just load random shit you think I might fucking want to load.

    I swear, Firefox is making some really stupid decisions of late. For a browser which used to be concerned with privacy they seem to have decided to do everything possible to reverse that.

    It's like they're either suddenly staffed by morons.

    Disappointing. Very disappointing.

    • For a browser which used to be concerned with privacy they seem to have decided to do everything possible to reverse that.

      They should separate the actual browser part from the current behemoth, in good Unix style. I suggest the name 'Phoenix'.

    • by narcc ( 412956 )

      Wow, you should really read the posts above yours.

      How this got marked insightful is beyond me.

  • It should not, indeed it must not matter that Firefox loads data from a dodgy website. It has to be safe to read it, render it and run the Javascript.

    Because if it isn't then the browser is doomed to be cracked and exploited anyway. Attackers can break into "safe" websites and put their scripts there. Or buy advertisements to their malware.

    So all the worry over loading links from untrusted sites is foolish because you cannot trust ANY site on the Internet. Not really.

    There's a better argument to be made ove

  • The OP mentions iftop & resource monitor. I wonder if they're seeing the results of DNS Prefetching [blogspot.co.at]? That's something Firefox and Chrome have been doing forever. It doesn't hit the webserver, just resolves the domain name to an IP address in case you hit a link.

    Or are they only looking at the new tab page? According to the docs they linked to, the speculative connect API is only used in a few spots in the Firefox UI, not on random webpages.

  • What's the problem? (Score:5, Informative)

    by today ( 27810 ) on Friday August 14, 2015 @07:54PM (#50320111) Homepage

    I don't understand the concern, at least if I'm reading the documentation for the speculative connect API correctly (first link in blurb).

    All this seems to do is make the TCP connection (whether SSL or not) in anticipation of a link being clicked. The speculative connect API does not send any data in the TCP pipe it is creating. By opening the TCP link early, once the link is clicked, the TCP connection is probably ready to go, cutting down a bit on setup delay (which can sometimes be substantial if DNS is slow to resolve or the connection is using SSL), thus making the click seem more responsive to the user.

    But nowhere in the docs is any mention of actual requests made to the server or any data downloaded from the server... until you click the link. Thus, the only information leaked by hovering over a link but not clicking on it is your externally-known IP address, which may show up in the error logs of the webserver as a dropped connection. There seems to be no danger of accidentally downloading a virus simply by hovering over a click.

    If I'm missing something, please let me know.

    • by Arkh89 ( 2870391 )

      It's more of a tracking problem, I think. Anyone monitoring your access will see that you connected to some site even though (a) you did not transfer data and (b) you do not want to actually browse the destination.
      For instance, you could see a link without knowing it to be NSFW, or potentially harmful. You would, as usual, hover to check the actual address and decide not to browse it. Yet your browser has already opened a channel which was recorded by your corporate IT department proxy/firewall, your ISP, e

    • by BitZtream ( 692029 ) on Friday August 14, 2015 @11:43PM (#50320811)

      So right off the top of my head, two examples of things you're missing:

      An SSL handshake bug ... which we've seen before is still entirely possible. You don't need to send a HTTP protocol request for an SSL bug to fuck you over. Unless of course you think Firefox is flawless and bug free ... which we are 100% certain will never be the case.

      Its also trivial to continue to leak information by setting up the connection to a particular host without sending the full request based on how the host link is configured.

      Simply configure your spam email/site to point to individual IPs and port combos for every email you send, then when viewed in a browser, this presetting up of conditions can still be used for confirmation of email delievery as well as potentially exploiting bugs in the browser, which is a safe bet to exist based on the ignorance of this feature.

      And this is why just because YOU don't understand why security works the way it does, doesn't mean you've thought of all the actual scenarios.

      Lets see what else: TCP connects cost bandwidth, not much, but some, this is just another example of speculative wastefulness typical with modern programmers who have no consideration about what the costs are of the operation they are performing because it happens so fast in their dev environment they don't notice the cost. On the other hand, a very popular website will now notice a many more idle connections, which are not free, maybe not even cheap, because Firefox is being retarded and forgetting Internet Security 101.

      Throw in using a custom DNS hostname for every URL thrown into an email or web page, and now you can easily track hovered over links of the user without them clicking a thing.

      You don't go connecting to random machines on the Internet without specific instruction to do so, #InternetSecurity101

  • by niftymitch ( 1625721 ) on Friday August 14, 2015 @08:37PM (#50320267)

    Simply hovering --
    Now my system will connect to things I would elect to not connect to.
    It is clear that network connections and data in a cache are no
    longer valid in a court of law.

    With such a feature there is no reasonable expectation that anyone
    looked at or was in fact interested in anything.
    The good news is web sites that count will see their hit count
    jump for joy... Ponder an email with
        https://www.hillaryclinton.com... [hillaryclinton.com]
        https://23.235.47.75/ [23.235.47.75]

  • by chrism238 ( 657741 ) on Friday August 14, 2015 @09:25PM (#50320403)
  • There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.'

    Maybe. But, that's nothing compared to some of the Komrades at Mozilla having inkorrekt thoughts. That had to be end [slate.com]...

  • by guacamole ( 24270 ) on Saturday August 15, 2015 @04:46AM (#50321299)

    Honestly, for the last four years or so, the only news I see about Firefox here on Slashdot is the "bad news". The foundation keeps introducing new features nobody asked for and keeps changing the familiar user interface. About the only time I thought something good is coming out of the Firefox is when they announced that Firefox will block third-party cookies by default, thus ending one of the biggest routes to privacy violation on the web.. then nothing happened. Firefox has already sold itself to commercial interests, but some how we continue using it by default as if there were no alternatives.

    • Pale Moon.

    • by Alsee ( 515537 )

      I haven't used it much yet, but Pale Moon [palemoon.org] may be what you're looking for. It's a fork of Firefox. The development design choices favor privacy, user-control, and improving speed&stability by dumping rarely-wanted code. Examples: They removed the Parental Controls code, they're excluding the new Firefox DRM support, they dumped support code for obsolete CPUs, they dumped some of the code for handicap-accessibility, and they currently removing phone-home code for crash reports and other potentially privac

  • by SharpFang ( 651121 ) on Saturday August 15, 2015 @06:12AM (#50321473) Homepage Journal

    When Mozilla - the new browser - was becoming muddled with senseless features and cumbersome crap, someone forked it and created project Phoenix. It was lean, simple, fast and reliable. People loved it and switched to it en masse.

    Due to trademark problems, Phoenix was renamed to Firebird, and later to Firefox.

    Mozilla team mostly abandonned Mozilla, leaving only a slowly dying "Seamonkey" branch, and moved to Firefox. And they immediately began shitting it up just like they did with original Mozilla. Currently the shit-up is reaching its apogeum.

    Someone needs to fork it again and start a new Phoenix. And don't let the current team touch it!

  • What is the use-case for this sort of action? Was a link between hovering and going to a site established? What makes this a 'feature'?

  • So they felt left-out and added this option to decrease security significantly _and_ make it hard for users to prevent that....

Hackers are just a migratory lifeform with a tropism for computers.

Working...