Tor Browser phoning home to "firefox.settings.services.mozilla.com"

Hi.

I did a little research and found out that Tor Browser is sometimes phoning home to “firefox.settings.services.mozilla.com”. Moreover, I backported the “Icecat” browser patch to fix this, but it didn’t help. The patch fully works on Icecat 91.13.0 and Firefox 91.13.0 ESR, but does not work on Tor Browser 11.5.2, although the code and files are the same. I do not understand what the problem is and why the developers have not yet fixed these connections.

This is the patch to disable phoning home to “firefox.settings.services.mozilla.com” for Icecat and Firefox.

https://git.savannah.gnu.org/cgit/gnuzilla.git/commit/?id=1435cb8dca37307979ed9cb17b8c33e589580128

Is there any way to tell what data it’s handing over? Mozilla are becoming less trustworthy by the second.

1 Like

A lot of data. They even take measurements of how many seconds behind/fast your system clock is. Who knows what else they’re taking. You may look in about:config at all prefs with “clock” in the name. When the browser has never connected to firefox.settings.services.mozilla.com, there are only 3 prefs. The fourth (with data in seconds) is created after the first remote connection to their service. Sorry, I lost the site URL with the full list.


OK. A little more research. The patch works fine if you clean the startupCache directory after applying it. Or just delete this directory and create an empty file with the name “startupCache”. Nothing changes in how Tor Browser works.
Developers should definitely implement it.

Hello, and thanks!

Would you consider upstreaming it to Mozilla, too?

Also, notice that 102 contains Nimbus for experiments, and we’ll need to audit and remove all its stuff.
If you are managing a fork, you will probably need to do the same.

2 Likes

So should TBB usage be kept to non important activities until the 102 change and audit has finished? I imagine that would be a few months perhaps?
@PieroV

So should TBB usage be kept to non important activities until the 102 change and audit has finished?

We’ll try to fix this for the next 11.5.x (Moz will not release any more updates for 91.x, but we’re going to cherry-pick CVE fixes at every Firefox release).

I imagine that would be a few months perhaps?

102 is scheduled in November

1 Like

Thank you, if possible try maybe fixing the http/https/onion icon thing because it’s starting to scare people away: Http only on tor browser android still no onion icon - #4 by Sefty40

Is there any way of voluntarily directing personal donations specifically to the TBB developers? And more importantly, if they had more money would it improve the software or would it ensure sustainability of further future development? Thanks

Is there any way of voluntarily directing personal donations specifically to the TBB developers

Tor Project donations can unfortunately not be directed to a specific cause.

And more importantly, if they had more money would it improve the software or would it ensure sustainability of further future development

With enough money they can of course hire more developers.

And otherwise, ensuring that the Tor Project’s funding is diverse allows it to continue with less disruption if something were to happen to one source. In the past, if the grants/government money stopped being given, the Tor Project would lose nearly 100% of their funding. It’s much better today with only 55% coming from “governmental agencies” in 2019-2020 (2020 Audit, page 16). And only ~43% coming from governments (~38% being the U.S. Gov) in 2020-2021 (2021 Annual report, page 13).
It also allows the Tor Project to use more money on what they want to use it on; grants are generally earmarked for specific things and can therefore only be spent on that. General maintenance and bug-fixing is one thing where donations are important.

https://donate.torproject.org

2 Likes

It’s one of the top priority issues for Android, at the moment.
Android is a difficult beast to deal with: we are working to update it on 102, which seems to work. But we’d like to solve some problems with our local dev builds, as they make new developments much easier. So stay tuned :smile: .

Thank you for thinking of donating, currently any donation to Tor Project would help the TBB team and the whole project :heart:. You can pick how you would like to donate and how much on donate.torproject.org.

The TBB team right now has resources from grants and donations like that. We just added 3 new members to the team so we have more capacity now than we had 6 months-1 year ago. Donations help us not only keep up with the team but possibly consider growing it over time. If you would like to have more information, feel free to reach out at isabela@torproject.org.

2 Likes

They will never go for it.

v.102 is the latest alpha? Nimbus is a Normandy replacement? OK.
In your place, I would pay attention to the fact that they removed the possibility of disabling Intersection Observer API. They did it for a reason. It worried me the most.

So would that mean its privacy is still questionable even once 102 is done? The fact alone that it connects to Mozilla servers is worrying enough, would Mozilla get to see which hidden services people are using?

Not the nicest workflow, but in cases of software trying to make network connections through the clearnet, the Tails devs have already done the work of enforcing tor. It’s worth borrowing their configs now and again.

Tails - Tor enforcement also covers enforcing secure DNS

Their actual ferm conf (used to generate iptables confs) is available here: config/chroot_local-includes/etc/ferm/ferm.conf · master · tails / tails · GitLab

If you don’t want persistent enforcement, simply save your current iptables config, then load the tor-enforcing config, and finally when you’re done using tor simply restore your normal iptables.

2 Likes
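The save / load / restore sequence described in the post above, as an added example that is not part of the original thread. It assumes the Tor-enforcing ruleset has already been rendered into iptables-restore format at a hypothetical path (`TOR_RULES`); the backup path and the function names are likewise illustrative, and by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Paths below are hypothetical.
# TOR_RULES: Tor-enforcing ruleset already rendered in iptables-save format.
# BACKUP:    where the current ruleset is kept while the session runs.
TOR_RULES="${TOR_RULES:-/etc/iptables/tor-enforce.rules}"
BACKUP="${BACKUP:-/var/tmp/iptables.pre-tor.rules}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the plan; 0 = execute (needs root)

run() {
    # Print the command line; execute it only when DRY_RUN=0.
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || sh -c "$*"
}

save_rules() {
    # IPv4 only; ip6tables-save/ip6tables-restore need the same treatment.
    run "iptables-save > '$BACKUP'"
}

load_tor_rules() {
    # --test parses the file without committing, so a broken ruleset
    # is rejected before the live firewall is touched.
    run "iptables-restore --test < '$TOR_RULES'" &&
        run "iptables-restore < '$TOR_RULES'"
}

restore_rules() {
    run "iptables-restore < '$BACKUP'"
}

tor_session() {
    # Usage: tor_session COMMAND [ARGS...]
    save_rules || return 1
    status=0
    if load_tor_rules; then
        run "$*" || status=$?
    else
        status=1
    fi
    # Always put the saved rules back, even if loading or the command failed.
    restore_rules || return 1
    return "$status"
}
```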

about:networking shows a list of automatic connections made by the browser, both on desktop and on mobile

1 Like

I’ve done some random testing and it looks to have a set behaviour which is repeatable (or at least for me).

Install TBA
Open it
Go to about:networking and you will see this


Close TBA
Go back to about:networking
No entries

Is it this way for just me?

FYI, this issue is being tracked on Gitlab here:

2 Likes

Does this issue cause actual problems privacy-wise or is it just about aesthetics (as to not have any unsolicited connections at all)?

Does this issue cause actual problems privacy-wise or is it just about aesthetics

My understanding is each remote call needs to be addressed on its own merits/threat. Mostly these calls are simply not required in Tor Browser (such as updated password rules, anything on Activity Stream such as pocket news, sponsored + search suggestions, push notification checks, search engines on region change, etc - just examples, IDK if those actually happen), etc. Some stay because they are required for security reasons, and some can even be nixed in favor of just updating it once per release. Anything that reduces outgoing is always welcome, because it removes any possible threat/bug and IDK, saves on the tor network. So if it can go they probably stop it.

Everything Mozilla has added for their remote calls is not really a privacy concern: e.g. suggestions, sponsored, pocket etc are all just regional cohorts stuff, nothing PII and everyone gets the same, or large chunks of people do. Push notifications are E2E and IDs are reset.

Everyone screaming “but wah wah wah sob … unsolicited connections” (not saying anyone here is doing that) needs to calm down and simply investigate exactly why a remote call is made and assess it. 99/100 it’s harmless for Firefox users, and 3/4 times TB doesn’t need or want it and less potential issues are always good (e.g. upcoming weather suggestions: does not make sense for a TB user whose location is obscured). Sometimes ripping it out is easier than diagnosing it. Percentages off the top of my head.