Skip to main content
Topic: firefox and firefox-esr (Read 1966 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

firefox and firefox-esr

Since Artix offers firefox and firefox-esr https://forum.artixlinux.org/index.php/topic,1625.0.html I have question regarding some of the issues I noticed regarding firefox(esr) v78 and up:
1) firefox/firefox-esr 78 (different distros/OSes) makes auto connections at start with blank page and without installed addons:
netstat -pantul
tcp        0      0 xxx.xxx.xxx.xxx:41328     159.69.198.101:443      ESTABLISHED 2523/firefox
tcp        0    126 xxx.xxx.xxx.xxx:39364     13.227.223.117:443      ESTABLISHED 2523/firefox

these connections are made to amazon servers.

similar connections are also made by Artix firefox (not tested Artix firefox-esr)
On the other hand firefox 68.11-esr stays quiet after modifying user.js
In the case of firefox 78/79 I am not able to stop these connections and I suspect that these are hard coded.

In past I was compiling my own firefox but nowadays firefox is too big and compiling would take too much time.

second problem is with weak ciphers that I don't know how to block:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

tested here:
https://browserleaks.com/ssl
and
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

I can block any other weak cipher but not these two.

Currently I can block outgoing firefox auto connections at iptables. I can't do anything about weak cipher though.

It seems that I am not the only who noticed this issue.

Of course I don't know why these weak cipher were added or why suddenly firefox 7x must make these connections. Just until now I was able to control firefox pretty well.

So what I am asking if it is possible to correct these issues?
Of course this is firefox issue, not Artix so if this problem is not correctable I understand it.

thank you

Re: firefox and firefox-esr

Reply #1
The only browser I know that makes 0 connections after some basic configuration is ungoogled-chromium. But here in arch you have to download the source (~800mb) and compile it, so it's a big no-go for me.

I never cared about the cypher, I use the latest firefox+ghacksuser.js+stevenblackhost+windscribevpn+umatrix and lesspass for passwords.

it seems that you can manually add it:
Code: [Select]
user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false);
user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false);
it worked for me according to the testpage.


------
edit: I just visited the link you posted. (https://forum.artixlinux.org/index.php/topic,1625.0.html) . In it, @Dudemanguy mentions that you can get ungoogled-chromium from a repository called "universe" which is not activated by default.
Which is very good news, firefox is too overkill for me.
The only disadvantage of ungoogled-chromium is that you have to install the extensions manually. A script can give you the url just by entering the id of the extension. Check the faq for the different methods of installing an extension.


Re: firefox and firefox-esr

Reply #2
Pale Moon doesn't seem to make any connections on start up (although it does on the unconfigured first run startup) and you can enable and disable various ciphers in about:config.
It looks like the weaker ciphers are there as a fallback and the stronger ones are used in preference, so presumably the default set up provides a good browsing experience, but for high security purposes I guess no connection is better than a weak one.

Re: firefox and firefox-esr

Reply #3
thank you both for responding.

Quote
user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false);
user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false);

fixed ciphers issue. These were hidden so that is why I was not able to disable them. Now it works.

I have firefox 68.11-esr (antiX) that does not make any auto connections after customization (about:config)

Only since 78/79 firefox started to make auto connections that I am not able to block. So I will use iptables for this.

I was using Pale Moon long time ago but it had a lot of issues then.

Never tried ungoogled-chromium. Maybe I will give a shot.

 

Re: firefox and firefox-esr

Reply #4
you have to build firefox with --disable-safe-browsing if you want to cut off all connections at startup, along with disabling any updates via about:config and all other url-based options there.  some people dont consider this 'safe' but i'm fine with it

Re: firefox and firefox-esr

Reply #5
you have to build firefox with --disable-safe-browsing if you want to cut off all connections at startup, along with disabling any updates via about:config and all other url-based options there.  some people dont consider this 'safe' but i'm fine with it

I have disabled safebrowsing and whatever updates in about:config. As I mentioned before, my customization worked in the case of firefox 68.11-esr, so I doubt that these connections are related fo safebrowsing. I suspect that this is related to services similar to normandy (telling firefox devs how I use browser). Whether this is hidden or hard coded I don't know.


Re: firefox and firefox-esr

Reply #7
Amazon and others provide CDN (Content Delivery Network) services to Mozilla. So that's reason why mozilla connect to amazon, google, edgecast, etc.