vissha Posted August 15, 2015 Share Posted August 15, 2015 How to Disable Silent Pre-Connections in FirefoxPrevent the browser from starting connections on mouse hoverThe Mozilla Speculative Connect API is a new feature that was added to Firefox's many many versions ago, allowing the browser to set up HTTP connections in advance for links it deems the user "is about" to navigate to.Basically, the API comes into play whenever a user hovers the mouse over a link, the browser interpreting this action as an intent to navigate to it.Firefox will start issuing HTTP requests to that URL, setting up TCP and SSL handshakes in advance, in the case the user actually clicks and navigates to that particular page.As you can imagine, this is great for improving page load times. What you did not know is that this type of behavior can be used by malicious actors to track users, even if they don't navigate to their sites.As Yuri Khan points out on the Mozilla bug tracker, the current version of the Speculative Connect API, implemented without a GUI to let users disable this feature, is a hole in Firefox's privacy shield.An attacker that wants to verify a list of email addresses could easily take a list of IPv6 addresses, associate them with an email, create a basic HTML page and host it on that address.An attacker could log your IP even without you navigating to his siteSending a message to that email, specially crafted to show a big link that covers as much space inside the email as possible, would help the attacker verify which email address is still in use thanks to the Speculative Connect API.Because simply hovering a link in Firefox will initiate a connection to that server, the attacker could easily verify if the email is still in use, and even log the user's IP without him ever landing on his site.While for many years users were instructed by security experts to hover a link before they navigate to it, this works to the advantage of malicious actors now.Obviously, you cannot perform serious attacks on a user hovering a link, this being a privacy-related issue and not a security vulnerability.Since this feature is turned on by default for all users, until the Firefox team decides to implement a checkbox somewhere in the browser's settings to let the user decide if to use this feature or not, there's only one way to disable silent link pre-connections. It includes the steps described below.Step 1: In a new tab type "about:config"Step 2: Type in "network.http.speculative-parallel-limit"Step 3: Double-click the setting and enter "0" in the popup that appears.Source-1Source-2The default value for the setting is "6". If you'd like to reset the setting after modification, right-click on the setting and click on "Reset". Link to comment Share on other sites More sharing options...
Batu69 Posted August 15, 2015 Share Posted August 15, 2015 Pre-fetching or caching of web pages is a technique used by many web browsers to improve perceived performance -- it's nothing new. But Firefox takes a slightly sinister and stealthy approach. Simply hover your mouse over a link and the browser fires off requests to the associated website in the background.While this sounds potentially helpful, it is also something of a privacy and security concern -- not to mention a waste of bandwidth. You might hover over a link simply to check out the destination in the status bar; if there is a link to a malicious or unsavory website, you probably don’t want these stealthy connections being made in the background. If you're worried about your security or privacy, or just want to be back in control of your web connection, there are steps you can take. As pointed out in a discussion thread on Slashdot, this is not a feature of individual websites controlled by JavaScript or CSS, it's controlled entirely by Firefox. If you disable JavaScript and CSS, these requests are still fired by simply hovering over a link -- there are various tools that can be used to monitor what is happening with your web traffic. The preloading is a feature of an API called nsISpeculativeConnect, and Mozilla says that it:Lets non-networking code provide hints to the networking layer that an HTTP connection attempt to a particular site is likely to happen soon; this lets the networking layer begin setting up TCP and, if appropriate, SSL handshakes to save time when the connection is actually opened later.There have been concerns about the privacy implications of the feature for some time, with some people submitting bug reports about it. Calls for a global setting to be introduced that makes it easy to control whether these pre-connections are enabled or not have been denied -- the issue has a RESOLVED WONTFIX fix label slapped on it indicating that there are no plans to change the way things works.But you can fight back if you want.Mozilla has anticipated that what Firefox is doing will not be to everyone's liking and has set up a page on its support site entitled "How to stop Firefox from making automatic connections". The introduction reads:Some people are concerned about the connections Firefox makes to the Internet, especially when those connections are made for no apparent reason (see Mozilla's Firefox Browser Privacy Notice for additional information). This article explains various reasons why Firefox may make a connection to the Internet and how you can stop it from doing so, if you wish.To disable the speculative pre-connections feature, take the following steps:Type about:config in the address bar and hit Enter.Click I'll be careful, I promise!Perform a search for the text network.http.speculative-parallel-limit.Change the value of this item to 0.That's it!As one commenter says on Slashdot:One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.Source Link to comment Share on other sites More sharing options...
coromonadalix Posted August 15, 2015 Share Posted August 15, 2015 F..... annoying behaviour, and they dont want to add a setting for it. Bye Bye Firefox ... Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.