Since Artix offers firefox and firefox-esr (https://forum.artixlinux.org/index.php/topic,1625.0.html), I have a question regarding some of the issues I noticed regarding firefox(esr) v78 and up:
1) firefox/firefox-esr 78 (different distros/OSes) makes auto connections at start with blank page and without installed addons:
netstat -pantul
tcp 0 0 xxx.xxx.xxx.xxx:41328 159.69.198.101:443 ESTABLISHED 2523/firefox
tcp 0 126 xxx.xxx.xxx.xxx:39364 13.227.223.117:443 ESTABLISHED 2523/firefox
these connections are made to amazon servers.
similar connections are also made by Artix firefox (not tested Artix firefox-esr)
On the other hand firefox 68.11-esr stays quiet after modifying user.js
In the case of firefox 78/79 I am not able to stop these connections and I suspect that these are hard coded.
In the past I was compiling my own firefox but nowadays firefox is too big and compiling would take too much time.
The second problem is with weak ciphers that I don't know how to block:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
tested here:
https://browserleaks.com/ssl
and
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
I can block any other weak cipher but not these two.
Currently I can block outgoing firefox auto connections at iptables. I can't do anything about the weak ciphers though.
It seems that I am not the only one who noticed this issue.
Of course I don't know why these weak ciphers were added or why suddenly firefox 7x must make these connections. Just until now I was able to control firefox pretty well.
So what I am asking is whether it is possible to correct these issues?
Of course this is a firefox issue, not Artix, so if this problem is not correctable I understand it.
thank you
The only browser I know that makes 0 connections after some basic configuration is ungoogled-chromium.
But here in arch you have to download the source (~800mb) and compile it, so it's a big no-go for me. I never cared about the cipher, I use the latest firefox+ghacksuser.js+stevenblackhost+windscribevpn+umatrix and lesspass for passwords.
it seems that you can manually add it:
user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false);
user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false);
it worked for me according to the testpage.
------
edit: I just visited the link you posted (https://forum.artixlinux.org/index.php/topic,1625.0.html). In it, @Dudemanguy mentions that you can get ungoogled-chromium from a repository called "universe" which is not activated by default.
Which is very good news, firefox is too overkill for me.
The only disadvantage of ungoogled-chromium is that you have to install the extensions manually. A script can give you the url just by entering the id of the extension. Check the faq (https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq) for the different methods of installing an extension.
Pale Moon doesn't seem to make any connections on start up (although it does on the unconfigured first run startup) and you can enable and disable various ciphers in about:config.
It looks like the weaker ciphers are there as a fallback and the stronger ones are used in preference, so presumably the default set up provides a good browsing experience, but for high security purposes I guess no connection is better than a weak one.
thank you both for responding.
fixed ciphers issue. These were hidden so that is why I was not able to disable them. Now it works.
I have firefox 68.11-esr (antiX) that does not make any auto connections after customization (about:config)
Only since 78/79 firefox started to make auto connections that I am not able to block. So I will use iptables for this.
I was using Pale Moon long time ago but it had a lot of issues then.
Never tried ungoogled-chromium. Maybe I will give it a shot.
you have to build firefox with --disable-safe-browsing if you want to cut off all connections at startup, along with disabling any updates via about:config and all other url-based options there. some people don't consider this 'safe' but i'm fine with it
I have disabled safebrowsing and whatever updates in about:config. As I mentioned before, my customization worked in the case of firefox 68.11-esr, so I doubt that these connections are related to safebrowsing. I suspect that this is related to services similar to normandy (telling firefox devs how I use browser). Whether this is hidden or hard coded I don't know.
I recommend LibreWolf instead of default Firefox
Works on Artix without pulseaudio
https://librewolf-community.gitlab.io/
Amazon and others provide CDN (Content Delivery Network) services to Mozilla. So that's the reason why Mozilla connects to amazon, google, edgecast, etc.
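
Added example, not part of the thread or of any poster's setup: a small Python check for the two hidden cipher prefs quoted above, reporting whether each RSA suite is still enabled once user.js is applied over prefs.js. The helper names and the sample file contents are constructed for illustration, and an unset pref is assumed to mean the suite is enabled, as the original poster observed.

```python
import re

# The two RSA key-exchange suites named in the thread, by about:config pref name.
RSA_PREFS = (
    "security.ssl3.rsa_aes_128_gcm_sha256",
    "security.ssl3.rsa_aes_256_gcm_sha384",
)

# One active line: user_pref("name", true|false|integer|"string");
_PREF = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

def parse_prefs(text):
    """Return {name: raw value} for active user_pref() lines; a later line wins."""
    prefs, in_comment = {}, False
    for line in text.splitlines():
        s = line.strip()
        if in_comment or s.startswith("/*"):
            in_comment = "*/" not in s   # block comment ends on the line holding */
            continue
        m = _PREF.match(s)               # "// user_pref(...)" does not match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def audit(prefs_js, user_js):
    """Map each RSA pref to True if the suite is still enabled.

    user.js is applied at startup, so its values override prefs.js.
    Assumption: an unset pref means enabled, as observed in the thread.
    """
    effective = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    return {p: effective.get(p, "true") != "false" for p in RSA_PREFS}

# Constructed sample profile files (not taken from a real profile).
SAMPLE_PREFS_JS = '''\
user_pref("example.constructed.pref", "text/html,*/*;q=0.8");
user_pref("security.ssl3.rsa_aes_128_gcm_sha256", true);
'''
SAMPLE_USER_JS = '''\
/* commented-out block: the line below must not count
user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false);
*/
// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false);
user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false);  // overrides prefs.js
'''

if __name__ == "__main__":
    for pref, enabled in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(("STILL ENABLED" if enabled else "disabled     "), pref)
```

In the sample, the 256-bit suite is reported as still enabled because its only `false` entries sit inside comments, the kind of mistake that leaves a cipher showing up on the test pages after an edit.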