Differences

This shows you the differences between two versions of the page.

--- project:spyzilla [2019/02/01 21:24] – [about:config] mrkva
+++ project:spyzilla [2021/08/07 04:35] – [Thunderbird] update source code line jenda
@@ Line 16: / Line 16: @@
-  * Run with parameter -P. Select "Start offline"
+  * Run with parameter -P. Select "Start offline". Please note that Firefox at least since version 67 ignore offline parameter for captive portal requests anyway, and perform HTTP requests against detectportal.firefox.com.
   * Visit Preferences. In "Security", turn off "Block reported attack sites" and "Block reported web forgeries"
   * Uncheck Advanced → Updates
@@ Line 77: / Line 77: @@
   * https://www.ghacks.net/2017/07/13/privacy-blunder-firefox-getaddons-page-google-analytics/
-===== Firefox (v. 64 basic setup) Work in Progress =====
+===== Firefox (v. 64+ basic setup) Work in Progress =====
 After these changes, firefox should not open any outgoing connections (if autoupdate was disabled by company policy / Linux distribution maintainers) when starting with a blank page, except for checking updates of installed extensions.
+XXX TODO: How to get rid of:
+  - POST https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=...&pver=2.2
+  - GET https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins?_expected=148.....
+      (once a day? with a bunch of similar requests)
+  - GET https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2020-07-06-00-19-31.chain
 ==== Edit -> Preferences ====
@@ Line 146: / Line 155: @@
 media.navigator.enabled = false
+# Disable captive portal
 network.captive-portal-service.enabled = false
+# The key above seems to be ignored in some versions, so remove the captive portal address
+captivedetect.canonicalURL = ""
 browser.ping-centre.production.endpoint = ""
@@ Line 155: / Line 168: @@
 privacy.firstparty.isolate = true
 privacy.resistFingerprinting = true
+# extension blocklists
+extensions.blocklist.enabled = false
+# extensions automatic update
+extensions.systemAddon.update.enabled = false
+# disable requests to search.services.mozilla.com/...
+browser.search.geoSpecific.Defaults = false
+# https://firefox.settings.services.mozilla.com/v1/buckets settings fetching?
+services.settings.server = ""
+# some websocket telemetry
+dom.push.enabled = false
+# ?
+app.normandy.enabled = false
+# ? investigate GET https://services.addons.mozilla.org/api/v3/addons/search/?guid=defau...
+#
+extensions.systemAddon.update.enabled = false
+services.sync.engineStatusChanged.addons = false
 </code>
@@ Line 164: / Line 200: @@
 New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline.
+When you uncheck "Allow Thunderbird to send technical and interaction data to Mozilla", it sends the following request to Mozilla:
+<code>
+POST /submit/telemetry/4e0009de-f8dc-4aad-8b07-30011f7622de/deletion-request\
+/Thunderbird/78.7.1/default/20210203182138?v=4 HTTP/1.1
+Host: incoming-telemetry.thunderbird.net
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
+{
+  "type": "deletion-request",
+  "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
+  "creationDate": "2021-02-10T18:55:32.926Z",
+  "version": 4,
+  "application": {
+    "architecture": "x86-64",
+    "buildId": "20210203182138",
+    "name": "Thunderbird",
+    "version": "78.7.1",
+    "displayVersion": "78.7.1",
+    "vendor": "",
+    "platformVersion": "78.7.0",
+    "xpcomAbi": "x86_64-gcc3",
+    "channel": "default"
+  },
+  "payload": {
+    "scalars": {}
+  },
+  "clientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
+}
+</code>
+When you open an attachment (tested with PDF), the following request is sent, leaking username, profile name, attachment filename and attachment SHA-256 hash (as raw binary data in the middle):
+<code>
+POST /safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY% HTTP/1.1
+Host: sb-ssl.google.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
+00000000  4e 6d 61 69 6c 62 6f 78  3a 2f 2f 2f 68 6f 6d 65  |Nmailbox:///home|
+00000010  2f 6a 65 6e 64 61 2f 2e  74 68 75 6e 64 65 72 62  |/jenda/.thunderb|
+00000020  69 72 64 2f XX XX XX XX  XX XX XX XX 2e 64 65 66  |ird/XXXXXXXX.def|
+00000030  61 75 6c 74 2f 4d 61 69  6c 2f 4c 6f 63 61 6c 25  |ault/Mail/Local%|
+00000040  32 30 46 6f 6c 64 65 72  73 2f 49 6e 62 6f 78 12  |20Folders/Inbox.|
+00000050  22 0a 20 ac a6 20 97 00  fa aa c6 15 80 ed b0 be  |". .. ..........|
+00000060  5d 60 dd 49 64 4d b8 0c  9a e4 af 46 5b b6 ca b4  |]`.IdM.....F[...|
+00000070  5b 09 e3 18 ff f4 0d 22  52 0a 4e 6d 61 69 6c 62  |[......"R.Nmailb|
+00000080  6f 78 3a 2f 2f 2f 68 6f  6d 65 2f 6a 65 6e 64 61  |ox:///home/jenda|
+00000090  2f 2e 74 68 75 6e 64 65  72 62 69 72 64 2f XX XX  |/.thunderbird/XX|
+a0  XX XX XX XX XX XX 2e 64  65 66 61 75 6c 74 2f 4d  |XXXXXX.default/M|
+b0  61 69 6c 2f 4c 6f 63 61  6c 25 32 30 46 6f 6c 64  |ail/Local%20Fold|
+c0  65 72 73 2f 49 6e 62 6f  78 10 00 30 01 4a 25 50  |ers/Inbox..0.J%P|
+d0  6f 74 76 72 7a 65 6e c3  ad 20 6f 62 6a 65 64 6e  |otvrzen.. objedn|
+e0  c3 a1 76 6b 79 20 31 35  31 30 37 35 36 34 2d 31  |..vky 15107564-1|
+f0  2e 70 64 66 50 00 5a 05  65 6e 2d 55 53           |.pdfP.Z.en-US|
+</code>
+To disable this, remove browser.safebrowsing.downloads.remote.url in about:config. [[https://searchfox.org/mozilla-central/source/toolkit/components/reputationservice/ApplicationReputation.cpp#1564|Link to source where this happens.]]
 ===== Firefox for Android =====