Firefox keeps wanting to stay connected to a Cloudfront server

John Corliss

Apr 20, 2017, 6:29:43 AM
to mozilla-sup...@lists.mozilla.org
I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
telemetry, blocked updating of all my extensions, blocked automatic
updating of the browser itself, actually gone into about:config and
removed many URLs. I've blocked the program from checking for
certificates. My home page is about:blank. New tabs open to about:blank.

Yet, every time I start Firefox it establishes a connection to an Amazon
server at 52.84.50.138.

If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
it reconnects to that same server.

I've used Wireshark to examine the packets, but am unable to see
anything useful because they're encrypted for the most part.

And all of this is without me even going to a website.

Does anybody have any idea what's going on here?

--
John Corliss

John Corliss

Apr 20, 2017, 7:12:09 AM
to mozilla-sup...@lists.mozilla.org
John Corliss wrote:
> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
> telemetry, blocked updating of all my extensions, blocked automatic
> updating of the browser itself, actually gone into about:config and
> removed many URLs. I've blocked the program from checking for
> certificates. My home page is about:blank. New tabs open to about:blank.
>
> Yet, every time I start Firefox it establishes a connection to an Amazon
> server at 52.84.50.138.

Actually, that should have been 52.84.50.* because the IP address varies
at the end.

> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
> it reconnects to that same server.
>
> I've used Wireshark to examine the packets, but am unable to see
> anything useful because they're encrypted for the most part.
>
> And all of this is without me even going to a website.
>
> Does anybody any idea what's going on here?

I don't want Firefox to automatically connect to anything at all, much
less insist upon remaining connected to a server the whole time I'm
surfing. If this isn't due to malware, it's a complete betrayal of my
trust by Mozilla.

--
John Corliss

TCW

Apr 20, 2017, 9:56:54 AM
to mozilla-sup...@lists.mozilla.org
Have you checked your hosts file? Done a Malware scan? Tried Safe Mode?

Wolf K.

Apr 20, 2017, 10:27:46 AM
to mozilla-sup...@lists.mozilla.org
I think it likely that Amazon has installed a monitor applet that starts
at boot, and ensures you are always connected. Use a utility that shows
what starts at boot, if the Amazon applet is shown, disable or remove
it. If it's not there, it may be references in the registry, run
regedit, search for "amazon". Delete all amazon-related lines that you find.

FWIW, Amazon has installed a link on my system, which I can see when I
activate the Links toolbar, but I'm too lazy to find it and delete it.

--
Wolf K.
https://kirkwood40.blogspot.com
"What good is it having lower taxes when you can't drink the water?"

WaltS48

Apr 20, 2017, 10:33:02 AM
to mozilla-sup...@lists.mozilla.org
Not sure if this is the correct answer.

You do know that Mozilla uses Amazon Web Services to host its files. I
think most of its infrastructure has been moved there.

Probably needs to connect there to download blocklists, hotfixes, system
add-ons and updates.

--
Go Bucs and Pens!
Coexist <https://www.coexist.org/>
National Popular Vote <http://www.nationalpopularvote.com/>
Ubuntu 16.04LTS

John Corliss

Apr 20, 2017, 11:05:44 AM
to mozilla-sup...@lists.mozilla.org
WaltS48 wrote:
> On 4/20/17 6:28 AM, John Corliss wrote:
>> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
>> telemetry, blocked updating of all my extensions, blocked automatic
>> updating of the browser itself, actually gone into about:config and
>> removed many URLs. I've blocked the program from checking for
>> certificates. My home page is about:blank. New tabs open to about:blank.
>>
>> Yet, every time I start Firefox it establishes a connection to an Amazon
>> server at 52.84.50.138.
>>
>> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
>> it reconnects to that same server.
>>
>> I've used Wireshark to examine the packets, but am unable to see
>> anything useful because they're encrypted for the most part.
>>
>> And all of this is without me even going to a website.
>>
>> Does anybody any idea what's going on here?
>>
> Not sure if this is the correct answer.
>
> You do know that Mozilla uses Amazon Web Services to host it's files. I
> think most of its infrastructure has been moved there.

Yes, I do know that. Thanks anyway though.

> Probably needs to connect there to download blocklists, hotfixes, system
> add-ons and updates.

I have all of that blocked and turned off.

--
John Corliss

John Corliss

Apr 20, 2017, 11:09:30 AM
to mozilla-sup...@lists.mozilla.org
Wolf K. wrote:
> John Corliss wrote:
>> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
>> telemetry, blocked updating of all my extensions, blocked automatic
>> updating of the browser itself, actually gone into about:config and
>> removed many URLs. I've blocked the program from checking for
>> certificates. My home page is about:blank. New tabs open to about:blank.
>>
>> Yet, every time I start Firefox it establishes a connection to an Amazon
>> server at 52.84.50.138.
>>
>> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
>> it reconnects to that same server.
>>
>> I've used Wireshark to examine the packets, but am unable to see
>> anything useful because they're encrypted for the most part.
>>
>> And all of this is without me even going to a website.
>>
>> Does anybody any idea what's going on here?
>
> I think it likely that Amazon has installed a monitor applet

?? In Windows XP? On a desktop computer?

> that starts
> at boot, and ensures you are always connected. Use a utility that shows
> what starts at boot, if the Amazon applet is shown, disable or remove
> it. If it's not there, it may be references in the registry, run
> regedit, search for "amazon". Delete all amazon-related lines that you find.

No mention of Amazon in my registry, unless it's in one of those >256
character entries (which are hidden.)

> FWIW, Amazon has installed a link on my system, which I can see when I
> activate the Links toolbar, but I'm too lazy to find it and delete it.

Links toolbar? Are you talking about Firefox? I have a Bookmarks
toolbar, is that what you mean? There's nothing in my Bookmarks that
doesn't belong there.

Thanks for replying though.

--
John Corliss

John Corliss

Apr 20, 2017, 11:11:25 AM
to mozilla-sup...@lists.mozilla.org
Hosts file is clean, malware scan shows no malware, I have another
profile which has no mods or extensions. It does the same thing.

--
John Corliss

David E. Ross

Apr 20, 2017, 12:11:04 PM
to mozilla-sup...@lists.mozilla.org
How did you turn off the updates to the blocklist.xml file? This is
updated from <https://www.mozilla.com/%LOCALE%/blocklist/>, where
%LOCALE% indicates the localization of the browser.

--
David E. Ross
<http://www.rossde.com>

Consider:
* Most states mandate that drivers have liability insurance.
* Employers are mandated to have worker's compensation insurance.
* If you live in a flood zone, flood insurance is mandatory.
* If your home has a mortgage, fire insurance is mandatory.

Why then is mandatory health insurance so bad??

Wolf K.

Apr 20, 2017, 12:30:02 PM
to mozilla-sup...@lists.mozilla.org
On 2017-04-20 11:08, John Corliss wrote:
> Wolf K. wrote:
>> John Corliss wrote:
>>> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
>>> telemetry, blocked updating of all my extensions, blocked automatic
>>> updating of the browser itself, actually gone into about:config and
>>> removed many URLs. I've blocked the program from checking for
>>> certificates. My home page is about:blank. New tabs open to about:blank.
>>>
>>> Yet, every time I start Firefox it establishes a connection to an Amazon
>>> server at 52.84.50.138.
>>>
>>> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
>>> it reconnects to that same server.
>>>
>>> I've used Wireshark to examine the packets, but am unable to see
>>> anything useful because they're encrypted for the most part.
>>>
>>> And all of this is without me even going to a website.
>>>
>>> Does anybody any idea what's going on here?
>>
>> I think it likely that Amazon has installed a monitor applet
>
> ?? In Windows XP? On a desktop computer?

Sure. It's just a bit of code that executes at boot. Like the Update
Monitors that many programs install. The applet would sniff the system
at regular intervals, and trigger Firefox to connect. Keep in mind that
anything you run has the same permission levels (privileges) as you.
On XP, the default is Administrator level. If you want to reduce
installation of unwanted stuff, create a 2nd user with limited
privileges, and use it for browsing.


>> that starts
>> at boot, and ensures you are always connected. Use a utility that shows
>> what starts at boot, if the Amazon applet is shown, disable or remove
>> it. If it's not there, it may be references in the registry, run
>> regedit, search for "amazon". Delete all amazon-related lines that you find.
>
> No mention of Amazon in my registry, unless it's in one of those >256
> character entries (which are hidden.)
>
>> FWIW, Amazon has installed a link on my system, which I can see when I
>> activate the Links toolbar, but I'm too lazy to find it and delete it.
>
> Links toolbar? Are you talking about Firefox?

It's optional on the Windows Taskbar at the bottom of the screen, Win8,
can't recall what's on the XP taskbar.
Click on "Links", and a menu pane pops up showing all installed links.

> I have a Bookmarks
> toolbar, is that what you mean? There's nothing in my Bookmarks that
> doesn't belong there.
>
> Thanks for replying though.

Well, it was a long shot.

John Corliss

Apr 20, 2017, 1:49:49 PM
to mozilla-sup...@lists.mozilla.org
Wolf K. wrote:
> On 2017-04-20 11:08, John Corliss wrote:
>> Wolf K. wrote:
>>> John Corliss wrote:
>>>> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
>>>> telemetry, blocked updating of all my extensions, blocked automatic
>>>> updating of the browser itself, actually gone into about:config and
>>>> removed many URLs. I've blocked the program from checking for
>>>> certificates. My home page is about:blank. New tabs open to about:blank.
>>>>
>>>> Yet, every time I start Firefox it establishes a connection to an Amazon
>>>> server at 52.84.50.138.
>>>>
>>>> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
>>>> it reconnects to that same server.
>>>>
>>>> I've used Wireshark to examine the packets, but am unable to see
>>>> anything useful because they're encrypted for the most part.
>>>>
>>>> And all of this is without me even going to a website.
>>>>
>>>> Does anybody any idea what's going on here?
>>>
>>> I think it likely that Amazon has installed a monitor applet
>>
>> ?? In Windows XP? On a desktop computer?
>
> Sure. It's just a bit of code that executes at boot. Like the Update
> Monitors that many programs install. The applet would sniff the system
> at regular intervals, and trigger Firefox to connect.

Absolutely nothing like that is happening on my computer.

> Keep in mind that
> anything you run has the same permission levels (privileges) as as you.
> On XP, the default us Administrator level. If you want to reduce
> installation of unwanted stuff, create a 2nd user with limited
> privileges, and use it for browsing.

No, I don't think Amazon is going to be installing anything on any
system I own without my permission.

>>> that starts at boot, and ensures you are always connected. Use a utility
>>> that shows what starts at boot, if the Amazon applet is shown, disable
>>> or remove it. If it's not there, it may be references in the registry, run
>>> regedit, search for "amazon". Delete all amazon-related lines that you find.
>>
>> No mention of Amazon in my registry, unless it's in one of those >256
>> character entries (which are hidden.)
>>
>>> FWIW, Amazon has installed a link on my system, which I can see when I
>>> activate the Links toolbar, but I'm too lazy to find it and delete it.
>>
>> Links toolbar? Are you talking about Firefox?
>
> It's optional on the Windows Taskbar at the bottom of the screen, Win8,
> can't recall what's on the XP taskbar.
> Click on "Links, and a menu pane pops up showing all installed links.

I now know what you're talking about, but I've never used that toolbar.
Besides, it only shows IE Favorites, not Firefox Bookmarks.

>> I have a Bookmarks toolbar, is that what you mean? There's nothing in
>> my Bookmarks that doesn't belong there.
>>
>> Thanks for replying though.
>
> Well, it was a long shot.



--
John Corliss

Christian Riechers

Apr 20, 2017, 1:51:48 PM
to mozilla-sup...@lists.mozilla.org
On 04/20/2017 12:28 PM, John Corliss wrote:
> I've blocked the program from checking for
> certificates.

Not exactly sure what that means, but it sounds like a silly idea.

John Corliss

Apr 20, 2017, 1:53:43 PM
to mozilla-sup...@lists.mozilla.org
http://kb.mozillazine.org/Blocklist.xml

Turning it off is covered there.

Besides, I don't think that's what it is. The connection keeps
reconnecting and stays active during the first several minutes I surf.
Then it reconnects at random times as long as I have Firefox running.

NSA spyware maybe?

--
John Corliss

John Corliss

Apr 20, 2017, 1:57:47 PM
to mozilla-sup...@lists.mozilla.org
Christian Riechers wrote:
> John Corliss wrote:
>> I've blocked the program from checking for
>> certificates.
>
> Not exactly sure what that means, but it sounds like a silly idea.

Tools/Options/Advanced/Certificates/(uncheck)Query OCSP responder
servers to confirm the current validity of certificates

Don't be so quick to judge. I only turned it off long enough to rule it
out as the cause of the phantom connection.

--
John Corliss

TCW

Apr 20, 2017, 2:47:38 PM
to mozilla-sup...@lists.mozilla.org
Google "Portable Firefox" and go get it, extract it to Desktop and run
it from within the folder. If Portable Firefox also does the same thing,
then there is either something on your machine doing this or maybe your
modem/router is acting up. No DDNS stuff running anywhere? CurrPorts is
pretty good but also try TCPView to see if there's a culprit behind the
connection. It should show the app or service trying to make the
connection. Are you also by chance using Amazon Prime with Firestick or
something?

Mayayana

Apr 20, 2017, 3:23:48 PM
to mozilla-sup...@lists.mozilla.org
"John Corliss" <r9j...@yahoo.com> wrote

|
| Yet, every time I start Firefox it establishes a connection to an Amazon
| server at 52.84.50.138.
|

No info, but I decided to test mine. It tries to look
for a Roku on every startup, despite that I have the SSDP
service disabled. And at first startup it tried to go to
port 119 at 216.166.97.169, YHC Corp in Texas. Weird
stuff.

Is the call on port 80? I block all ports but
53/80/81/443 using a firewall. (Also XP, using
Online Armor.) There's no defensible reason
to be going out to other ports.



Ron K.

Apr 20, 2017, 3:44:44 PM
to mozilla-sup...@lists.mozilla.org
Port 119 is odd for a browser since that is a NNTP port. I wonder if that
is a homograph scam. The fix for that is to toggle the punycode pref to
true (default is false).

--
Ron K.
Thunderbird user since May, 2003

Mayayana

Apr 20, 2017, 5:43:44 PM
to mozilla-sup...@lists.mozilla.org
"Ron K." <ronki...@gmail.com> wrote

| Port 119 is odd for a browser since that is a NNTP port.

Yes, and Smart Sniffer recorded a 503 error response.
Timed out.

| I wonder if that is a homograph scam.

There was no link. I just started Firefox. And the IP
address resolves to a US company. I looked up that
company and they also seem to offer a speed test.
It's possible something in an extension is calling them.
But I don't have many extensions.


Andy Burns

Apr 20, 2017, 5:48:32 PM
to mozilla-sup...@lists.mozilla.org
John Corliss wrote:

> I've used Wireshark to examine the packets, but am unable to see
> anything useful because they're encrypted for the most part.

Any use?

<https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/>

WaltS48

Apr 20, 2017, 6:10:05 PM
to mozilla-sup...@lists.mozilla.org
Could it be one of these connecting to Mozilla. Maybe Pocket.

Application Update Service Helper
Multi-process staged rollout
Web Compat
Pocket

All are system add-ons installed by Mozilla.

Or just connects to deliver content from web sites faster.

<https://aws.amazon.com/cloudfront/>

Mayayana

Apr 20, 2017, 7:00:42 PM
to mozilla-sup...@lists.mozilla.org
"WaltS48" <thali...@REMOVEaol.com> wrote

| Could it be one of these connecting to Mozilla. Maybe Pocket.
|
| Application Update Service Helper
| Multi-process staged rolllout
| Web Compat
| Pocket
|
| All are system add-ons installed by Mozilla.

I don't understand what you're describing.
System add-ons? There are no services installed
that I'm aware of. And there's certainly no reason
to connect to some company in Austin, Texas on
port 119. Like John Corliss, I disable just about
everything, including Firefox auto updates, and
I clear strings in about:config. So Firefox itself
shouldn't even know where it might call out to.



WaltS48

Apr 20, 2017, 7:17:10 PM
to mozilla-sup...@lists.mozilla.org
<http://gecko.readthedocs.io/en/latest/toolkit/mozapps/extensions/addon-manager/SystemAddons.html>

I'm getting lost. The Cloudfront server is on Port 119?

<https://aws.amazon.com/cloudfront/>

Anyway, I'll stop here and let you guys have fun breaking your Firefox
installations.

Mayayana

Apr 20, 2017, 10:04:00 PM
to mozilla-sup...@lists.mozilla.org
"WaltS48" <thali...@REMOVEaol.com> wrote

|
<http://gecko.readthedocs.io/en/latest/toolkit/mozapps/extensions/addon-manager/SystemAddons.html>
|

Weird. Thanks. I didn't know about all that. The
value for the update URL is in my prefs:
pref("media.gmp-manager.url")

But I've cleared the URL. Thankfully, it looks like my
current version (FF 36) predates all of this IoT and
cross-device hoopla. I have no features folder and
don't seem to have prefs for system add-ons.


| I'm getting lost. The Cloudfront server is on Port 119?
|
| <https://aws.amazon.com/cloudfront/>
|
| Anyway, I'll stop here and let you guys have fun breaking your Firefox
| installations.
|
:) Amazon was where John Corliss's Firefox is
going. Mine was going to port 119 at a place
called YHC corporation.


John Corliss

Apr 21, 2017, 12:36:08 AM
to mozilla-sup...@lists.mozilla.org
TCW wrote:
> John Corliss wrote:
>> TCW wrote:
>>> John Corliss wrote:
>>>> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
>>>> telemetry, blocked updating of all my extensions, blocked automatic
>>>> updating of the browser itself, actually gone into about:config and
>>>> removed many URLs. I've blocked the program from checking for
>>>> certificates. My home page is about:blank. New tabs open to about:blank.
>>>>
>>>> Yet, every time I start Firefox it establishes a connection to an Amazon
>>>> server at 52.84.50.138.
>>>>
>>>> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
>>>> it reconnects to that same server.
>>>>
>>>> I've used Wireshark to examine the packets, but am unable to see
>>>> anything useful because they're encrypted for the most part.
>>>>
>>>> And all of this is without me even going to a website.
>>>>
>>>> Does anybody any idea what's going on here?
>>>
>>> Have you checked your hosts file? Done a Malware scan? Tried Safe Mode?
>>
>> Hosts file is clean, malware scan shows no malware, I have another
>> profile which has no mods or extensions. It does the same thing.

Just ran FF in Safe Mode to be sure. The connection was still made,
still kept renewing itself if I killed it in CurrPorts.

> Google "Portable Firefox" and go get it, extract it to Desktop and run
> it from within the folder. If Portable Firefox also does the same thing,
> then there is either something on your machine doing this or maybe your
> modem/router is acting up. No DDNS stuff running anywhere?
None.

> CurrPorts is pretty good but also try TCPView

"Client: Windows Vista and higher.
Server: Windows Server 2008 and higher."

So I downloaded version 3.05. It doesn't show IP addresses, only names.
Other than that, no more info than CurrPorts. Shows Firefox as opening
the connection.

> to see if there's a culprit behind the
> connection. It should show the app or service trying to make the
> connection. Are you also by chance using Amazon Prime with Firestick or
> something?

No Amazon Prime or anything else like it.

This almost looks like some kind of botnet infection.

--
John Corliss

John Corliss

Apr 21, 2017, 12:40:38 AM
to mozilla-sup...@lists.mozilla.org
Mayayana wrote:
> John Corliss wrote:
>>
>> Yet, every time I start Firefox it establishes a connection to an Amazon
>> server at 52.84.50.138.
>
> No info, but I decided to test mine. It tries to look
> for a Roku on every startup, despite that I have the SSDP
> service disabled. And at first startup it tried to go to
> port 119 at 216.166.97.169, YHC Corp in Texas. Weird
> stuff.
>
> Is the call on port 80?

Yes, it's port 80.

> I block all ports but
> 53/80/81/443 using a firewall. (Also XP, using
> Online Armor.) There's no defensible reason
> to be going out to other ports.

1029 and 1030 are required for normal running of FF, 1033 and 1034 for
Thunderbird.

--
John Corliss

John Corliss

Apr 21, 2017, 12:42:52 AM
to mozilla-sup...@lists.mozilla.org
WaltS48 wrote:
> On 4/20/17 6:59 PM, Mayayana wrote:
>> "WaltS48" <thali...@REMOVEaol.com> wrote
>>
>> | Could it be one of these connecting to Mozilla. Maybe Pocket.
>> |
>> | Application Update Service Helper
>> | Multi-process staged rolllout
>> | Web Compat
>> | Pocket
>> |
>> | All are system add-ons installed by Mozilla.
>>
>> I don't understand what you're describing.
>> System add-ons? There are no services installed
>> that I'm aware of. And there's certainly no reason
>> to connect to some company in Austin, Texas on
>> port 119. Like John Corliss, I disable just about
>> everything, including Firefox auto updates, and
>> I clear strings in about:config. So Firefix itself
>> shouldn't even know where it might call out to.
>
> <http://gecko.readthedocs.io/en/latest/toolkit/mozapps/extensions/addon-manager/SystemAddons.html>
>
> I'm getting lost. The Cloudfront server is on Port 119?
>
> <https://aws.amazon.com/cloudfront/>
>
> Anyway, I'll stop here and let you guys have fun breaking your Firefox
> installations.

Walt, running FF in Safe Mode made no difference. The connection was
still made the same.

--
John Corliss

John Corliss

Apr 21, 2017, 12:52:48 AM
to mozilla-sup...@lists.mozilla.org
I looked at that same page earlier today. Just made all the setting
changes necessary to do it. Will see if that works and get back to you.

--
John Corliss

John Corliss

Apr 21, 2017, 1:29:14 AM
to mozilla-sup...@lists.mozilla.org
It works, but the packets I thought were encrypted apparently were not.
Sure looks that way though.

--
John Corliss

horst

Apr 21, 2017, 5:38:26 AM
to mozilla-sup...@lists.mozilla.org
On 20.04.2017 12:28, John Corliss wrote:
> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
> telemetry, blocked updating of all my extensions, blocked automatic
> updating of the browser itself, actually gone into about:config and
> removed many URLs. I've blocked the program from checking for
> certificates. My home page is about:blank. New tabs open to about:blank.
>
> Yet, every time I start Firefox it establishes a connection to an Amazon
> server at 52.84.50.138.
>
> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
> it reconnects to that same server.
>
> I've used Wireshark to examine the packets, but am unable to see
> anything useful because they're encrypted for the most part.
>
> And all of this is without me even going to a website.
>
> Does anybody any idea what's going on here?
>
Check with Autoruns if there are some suspicious apps running at login.
https://technet.microsoft.com/it-it/sysinternals/bb963902

Richmond

Apr 21, 2017, 6:04:14 AM
to mozilla-sup...@lists.mozilla.org
John Corliss <r9j...@yahoo.com> writes:

> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
> telemetry, blocked updating of all my extensions, blocked automatic
> updating of the browser itself, actually gone into about:config and
> removed many URLs. I've blocked the program from checking for
> certificates. My home page is about:blank. New tabs open to about:blank.
>
> Yet, every time I start Firefox it establishes a connection to an Amazon
> server at 52.84.50.138.
>
> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
> it reconnects to that same server.
>
> I've used Wireshark to examine the packets, but am unable to see
> anything useful because they're encrypted for the most part.
>
> And all of this is without me even going to a website.
>
> Does anybody any idea what's going on here?

I checked my own firefox running on linux, and what do you know? there
is a connection to cloudfront, even though it was still sitting on the
profile manager dialog.

One thing that springs to mind, in the spirit of brainstorming, is that
the new tab page contains various thumbnails of websites, even in safe
mode. Maybe it is preloading these? You can change it somewhere in the
settings. I haven't tried that yet.

Any site could be using cloudfront in theory.

Richmond

Apr 21, 2017, 6:11:43 AM
to mozilla-sup...@lists.mozilla.org
Try setting this:

browser.newtab.preload

to false.

John Corliss

Apr 21, 2017, 9:06:35 AM
to mozilla-sup...@lists.mozilla.org
Thanks, but I did that (and with several different programs which list
startups), but saw nothing which raised a flag.

--
John Corliss

John Corliss

Apr 21, 2017, 9:08:48 AM
to mozilla-sup...@lists.mozilla.org
Done. I'll let you know if this works. Hard to tell sometimes because
the connection is persistent during the first few minutes of running FF,
then reverts to being sporadic.

--
John Corliss

Mayayana

Apr 21, 2017, 9:30:54 AM
to mozilla-sup...@lists.mozilla.org
"John Corliss" <r9j...@yahoo.com> wrote

| > I block all ports but
| > 53/80/81/443 using a firewall. (Also XP, using
| > Online Armor.) There's no defensible reason
| > to be going out to other ports.
|
| 1029 and 1030 are required for normal running of FF, 1033 and 1034 for
| Thunderbird.

?? I can't imagine why. It doesn't cause
any conflicts for me. With TCPView open
now, using Pale Moon, I see connections
to 1049 and 1050, but only to "localhost".
(Loopback? I don't know.) I have all ports
blocked at the firewall except 53 UDP,
80,81,443 TCP. Either the firewall is not
working or PM/FF don't need to go out on
other ports.


John Corliss

Apr 21, 2017, 9:59:35 AM
to mozilla-sup...@lists.mozilla.org
Mayayana wrote:
> John Corliss wrote
The ports I listed are to localhost.

--
John Corliss

John Corliss

Apr 21, 2017, 10:01:30 AM
to mozilla-sup...@lists.mozilla.org
(Later) Didn't work. I just checked and 52.84.50.190:80 is connected
(the address varies.)

--
John Corliss

Richmond

Apr 21, 2017, 10:29:59 AM
to mozilla-sup...@lists.mozilla.org
I am seeing it too. I see

server-52-85-63-140.lhr50.r.cloudfront.net:www-http ESTABLISHED 3391/firefox

I set home page to blank and new tab page to blank.

With Seamonkey I see connections to amazonaws.

One idea: put these addresses into the hosts file to block them, and see
what breaks, if anything. Many websites will break I guess.

Another idea: Search the source code for ip addresses or cloudfront.

John Corliss

Apr 22, 2017, 3:17:46 AM
to mozilla-sup...@lists.mozilla.org
John Corliss wrote:
> John Corliss wrote:
>> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
>> telemetry, blocked updating of all my extensions, blocked automatic
>> updating of the browser itself, actually gone into about:config and
>> removed many URLs. I've blocked the program from checking for
>> certificates. My home page is about:blank. New tabs open to about:blank.
>>
>> Yet, every time I start Firefox it establishes a connection to an Amazon
>> server at 52.84.50.138.
>
> Actually, that should have been 52.84.50.* because the IP address varies
> at the end.
>
>> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
>> it reconnects to that same server.
>>
>> I've used Wireshark to examine the packets, but am unable to see
>> anything useful because they're encrypted for the most part.
>>
>> And all of this is without me even going to a website.
>>
>> Does anybody any idea what's going on here?
>
> I don't want Firefox to automatically connect to anything at all, much
> less insist upon remaining connected to a server the whole time I'm
> surfing. If this isn't due to malware, it's a complete betrayal of my
> trust by Mozilla.

CurrPorts lists C:\Program Files\Mozilla Firefox\nss3.dll as being the
responsible module.

--
John Corliss

John Corliss

Apr 22, 2017, 3:20:32 AM
to mozilla-sup...@lists.mozilla.org
Richmond wrote:
Well, I hope I don't have to go that far. But I'm pretty sure this
started happening when I updated Firefox to 52.0.2 (32-bit, ESR) last week.

--
John Corliss

John Corliss

Apr 22, 2017, 3:26:48 AM
to mozilla-sup...@lists.mozilla.org
Richmond wrote:
> John Corliss writes:
>> John Corliss wrote:
>>> Richmond wrote:
>>>> Try setting this:
>>>>
>>>> browser.newtab.preload
>>>>
>>>> to false.
>>>
>>> Done. I'll let you know if this works. Hard to tell sometimes because
>>> the connection is persistent during the first few minutes of running FF,
>>> then reverts to being spordadic.
>>
>> (Later) Didn't work. I just checked and 52.84.50.190:80 is connected
>> (the address varies.)
>
> I am seeing it too. I see
>
> server-52-85-63-140.lhr50.r.cloudfront.net:www-http ESTABLISHED 3391/firefox
>
> I set home page to blank and new tab page to blank.

I've had those settings for years now (about:blank).

> With Seamonkey I see connections to amazonaws.
>
> One idea: put these addresses into the hosts file to block them, and see
> what breaks, if anything. Many websites will break I guess.
>
> Another idea: Search the source code for ip addresses or cloudfront.

Just updated to 52.1.0 (32-bit, ESR) and the problem remains.

--
John Corliss

WaltS48

Apr 22, 2017, 8:40:32 AM
to mozilla-sup...@lists.mozilla.org

I knew it was something important.

Network Security Service

<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FAQ>

There were some upgrades to NSS earlier this month.

You should see version 3.24.8 for ESR52 and 3.29.4 for Firefox 53 in the Library Versions section of about:support.

Richmond

Apr 22, 2017, 8:52:24 AM
to mozilla-sup...@lists.mozilla.org
I found this that might be of interest:

https://support.mozilla.org/nl/questions/1076594

Some of mozilla's pages have gone missing. I expect you found the same.

Richmond

Apr 22, 2017, 9:03:11 AM
to mozilla-sup...@lists.mozilla.org
My jsconsole shows:

GET
XHR
http://detectportal.firefox.com/success.txt [HTTP/1.1 200 OK 17ms]
GET
https://self-repair.mozilla.org/en-GB/repair [HTTP/1.1 200 OK 578ms]
POST
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 33ms]
POST
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 17ms]
GET
https://normandy-cloudfront.cdn.mozilla.net/static/bundles/selfrepair.8d056d434484b1d6ae51.js [HTTP/1.1 200 OK 0ms]
A promise chain failed to handle a rejection. Did you forget to '.catch', or did you forget to 'return'?
See https://developer.mozilla.org/Mozilla/JavaScript_code_modules/Promise.jsm/Promise

Date: Sat Apr 22 2017 13:57:44 GMT+0100 (BST)
Full Message: 2147942487
Full Stack: JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: PendingErrors.register :: line 194
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: this.PromiseWalker.completePromise :: line 715
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: Handler.prototype.process :: line 968
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: this.PromiseWalker.walkerLoop :: line 813
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: this.PromiseWalker.scheduleWalkerLoop/< :: line 747 (unknown)
GET
XHR
https://self-repair.mozilla.org/api/v1/recipe/ [HTTP/1.1 200 OK 190ms]
GET
XHR
https://self-repair.mozilla.org/api/v1/classify_client/ [HTTP/1.1 200 OK 190ms]
GET
XHR
https://self-repair.mozilla.org/api/v1/action/console-log/ [HTTP/1.1 200 OK 189ms]
GET
https://normandy-cloudfront.cdn.mozilla.net/api/v1/action/console-log/implementation/1c8908951c5076f4c5666ba79ee2292b7bb4be1d/ [HTTP/1.1 200 OK 0ms]
SHIELD active selfrepair.8d056d434484b1d6ae51.js:9:8032
GET
XHR
http://detectportal.firefox.com/success.txt [HTTP/1.1 200 OK 18ms]
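
The connection reported earlier in the thread was on port 80, so one way to narrow down a console capture like the one above is to group its requests by host and keep only the cleartext ones. This is an added example, not code from any poster; `SAMPLE_LOG` is constructed from URLs quoted in the post and the function names are hypothetical.

```javascript
// Added example: triage Browser Console network lines by destination host and port.
// SAMPLE_LOG is constructed from the URLs quoted in the post above.
const SAMPLE_LOG = `GET
XHR
http://detectportal.firefox.com/success.txt [HTTP/1.1 200 OK 17ms]
GET
https://self-repair.mozilla.org/en-GB/repair [HTTP/1.1 200 OK 578ms]
POST
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 33ms]
POST
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 17ms]
GET
https://normandy-cloudfront.cdn.mozilla.net/static/bundles/selfrepair.8d056d434484b1d6ae51.js [HTTP/1.1 200 OK 0ms]
A promise chain failed to handle a rejection. Did you forget to '.catch', or did you forget to 'return'?
GET
XHR
https://self-repair.mozilla.org/api/v1/recipe/ [HTTP/1.1 200 OK 190ms]
GET
XHR
http://detectportal.firefox.com/success.txt [HTTP/1.1 200 OK 18ms]`;

const METHODS = new Set(["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"]);
const REQUEST_LINE = /^(https?:\/\/\S+)\s+\[HTTP\/[\d.]+\s+(\d{3})\b[^\]]*\]$/;

// Each console entry is a method line, an optional "XHR" line, then "URL [HTTP/x status ...]".
function parseConsoleLog(text) {
  const requests = [];
  let method = null;
  let xhr = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (METHODS.has(line)) { method = line; xhr = false; continue; }
    if (line === "XHR" && method) { xhr = true; continue; }
    const m = REQUEST_LINE.exec(line);
    if (m && method) {
      const url = new URL(m[1]);
      const port = url.port ? Number(url.port) : (url.protocol === "https:" ? 443 : 80);
      requests.push({ method, xhr, host: url.hostname, port, path: url.pathname, status: Number(m[2]) });
    }
    method = null; // any other line (errors, stack frames) ends the current entry
    xhr = false;
  }
  return requests;
}

// One row per host:port, busiest first, with the methods and paths seen.
function summarizeByHost(requests) {
  const hosts = new Map();
  for (const r of requests) {
    const key = `${r.host}:${r.port}`;
    const entry = hosts.get(key) ||
      { host: r.host, port: r.port, count: 0, methods: new Set(), paths: new Set() };
    entry.count += 1;
    entry.methods.add(r.method);
    entry.paths.add(r.path);
    hosts.set(key, entry);
  }
  return [...hosts.values()].sort((a, b) => b.count - a.count || a.host.localeCompare(b.host));
}

// Hosts contacted on a given port, e.g. 80 to match a netstat or CurrPorts entry.
function hostsOnPort(requests, port) {
  return summarizeByHost(requests.filter((r) => r.port === port)).map((e) => e.host);
}

console.log(hostsOnPort(parseConsoleLog(SAMPLE_LOG), 80));
```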

Mayayana

Apr 22, 2017, 10:51:33 AM
to mozilla-sup...@lists.mozilla.org
"Richmond" <dnom...@gmx.com> wrote

| I found this that might be of interest:
|
| https://support.mozilla.org/nl/questions/1076594
|
| Some of mozilla's pages have gone missing. I expect you found the same.

Interesting stuff. I found the following, which
was gone from Mozilla and also not at archive.org:

http://webcache.googleusercontent.com/search?q=cache:T60gJmnEWGcJ:https://support.mozilla.org/t5/Firefox/Why-is-Firefox-making-a-connection-to-cloudfront-net-after/td-p/1100728%2Bfirefox+connecting+to+cloudfront&lr&hl=en&as_qdr=all&gbv=1&ct=clnk

From that page I found this, similar to the URLs you posted:

https://self-repair.mozilla.org/de/repair/

Going there, it turned out to be a page with nothing
but a script link:

https://normandy-cloudfront.cdn.mozilla.net/static/bundles/selfrepair.8d056d434484b1d6ae51.js

Retrieving the script and running it through a
de-obfuscator, I see numerous mentions of
heartbeat but it also seems to be a module for
the UITour API, which is another obscure,
spyware-ish function set with a misleading name,
that seems to be connected with heartbeat:

http://bedrock.readthedocs.io/en/latest/uitour.html

I find uitour settings in my FF but not the
heartbeat "selfsupport" pref. Apparently that
functionality is only set up in a subset of
installs.

This seems to provide several new reasons to
not allow any kind of updating directly from
Mozilla's servers and to carefully clear most or all
URL strings in about:config.



John Corliss

Apr 22, 2017, 5:17:04 PM
to mozilla-sup...@lists.mozilla.org
> I knew it was something *important*.
>
> Network Security Service
>
> <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FAQ>
>
> There were some upgrades to NSS earlier this month.

Well, whatever those changes were perhaps they make FF continue to
connect to an Amazon server. Almost looks like a Cloudfront.net adware
infection, but I've verified that this isn't the case.

> You should see version 3.24.8 for ESR52 and 3.29.4 for Firefox 53 in the
> Library Versions section of about:support.

As I mentioned in another post, I'm running FF 52.1.0 (32-bit, ESR)
___________________________________________________________________________
Library Versions
            Expected minimum version    Version in use
NSPR        4.13.1                      4.13.1
NSS         3.28.4                      3.28.4
NSSSMIME    3.28.4                      3.28.4
NSSSSL      3.28.4                      3.28.4
NSSUTIL     3.28.4                      3.28.4
___________________________________________________________________________

--
John Corliss

John Corliss

Apr 22, 2017, 5:20:59 PM
to mozilla-sup...@lists.mozilla.org
Damn, I thought that might have been it. However, when I checked in
about:config for browser.selfsupport.url, I see that I've already set
that preference to a null value.

I wish one of the developers would enter this thread and perhaps explain
this callout.

--
John Corliss

John Corliss

Apr 22, 2017, 5:34:35 PM
to mozilla-sup...@lists.mozilla.org
Some of those URL strings can't be deleted. Kind of Microsoftish if you
ask me.

--
John Corliss

Richmond

Apr 22, 2017, 6:10:11 PM
to mozilla-sup...@lists.mozilla.org
I found a reference in the source:

Found in ./mozilla/netwerk/dns/effective_tld_names.dat
-> // Amazon CloudFront : https://aws.amazon.com/cloudfront/

Found in ./mozilla/netwerk/dns/effective_tld_names.dat
-> cloudfront.net

I don't know the meaning of these.

There were lots of references in the source for android firefox.

Mayayana

Apr 22, 2017, 6:39:40 PM
to mozilla-sup...@lists.mozilla.org
"John Corliss" <r9j...@yahoo.com> wrote

| Damn, I thought that might have been it. However, when I checked in
| about:config for browser.selfsupport.url, I see that I've already set
| that preference to a null value.
|
The fact it exists at all implies you've
been picked for the survey and may have
somehow agreed to it.

You might also try checking:

browser.uitour.enabled
browser.uitour.url

As for not being able to delete values, I've
never seen that. I can't imagine what you're
talking about. I have none at all in my prefs,
except the "chrome:" ones.
If they're somehow coming back you might
check other .js files. Unfortunately, the master
list, greprefs.js, is in at least one copy of
omni.ja, a jar file. I'm not sure whether that's
editable.

Another option: Save your prefs and any other
critical items, delete all else, and re-install from
a standard installer download.


Mayayana

Apr 22, 2017, 6:41:25 PM
to mozilla-sup...@lists.mozilla.org
"John Corliss" <r9j...@yahoo.com> wrote

| > Network Security Service
| >
| > <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FAQ>
| >
| > There were some upgrades to NSS earlier this month.
|
| Well, whatever those changes were perhaps they make FF continue to
| connect to an Amazon server. Almost looks like a Cloudfront.net adware
| infection, but I've verified that this isn't the case.

I expect that's a red herring. It's just an OSS
encryption library, probably being used in the
call to Cloudfront, but not involved in the call.



WaltS48

Apr 22, 2017, 7:28:51 PM
to mozilla-sup...@lists.mozilla.org
Oops, typo.

You should see 3.28.4.

<https://bugzilla.mozilla.org/show_bug.cgi?id=1344368>

John Corliss

Apr 23, 2017, 3:43:21 AM
to mozilla-sup...@lists.mozilla.org
Richmond wrote:
I'll bet the source for the version I'm using (52.1.0, 32-bit, ESR) has
different references. Also, I'd be curious to see if any of them are
tied in with references to nss3.dll.

I never had the continual connection problem until I updated to this
current version (above) of FF that I'm using. I'm seriously considering
going back to an older version of Firefox and staying with it at this point.

--
John Corliss

John Corliss

Apr 23, 2017, 4:31:57 AM
to mozilla-sup...@lists.mozilla.org
Mayayana wrote:
> John Corliss wrote:
>
>> Damn, I thought that might have been it. However, when I checked in
>> about:config for browser.selfsupport.url, I see that I've already set
>> that preference to a null value.
>>
> The fact it exists at all implies you've been picked for the survey
> and may have somehow agreed to it.

No... that's completely unlikely. I've been at this for too long, nobody
is going to fool me into agreeing to anything. Remember: I set that
preference to a null value at some point.

> You might also try checking:
>
> browser.uitour.enabled
> browser.uitour.url

I changed the first to "False" and the second to a null value. No
effect, FF still calls out.

> As for not being able to delete values, I've never seen that. I can't
> imagine what you're talking about. I have none at all in my prefs,
> except the "chrome:" ones.
> If they're somehow coming back you might check other .js files.
> Unfortunately, the master list, greprefs.js, is in at least one copy of
> omni.ja, a jar file. I'm not sure whether that's editable.

They don't come back, what happens is that I delete the URL then click
on the "OK" button, and it doesn't take effect. I can't remember which
URLs they were, but there are several of them.

> Another option: Save your prefs and any other critical items, delete
> all else, and re-install from a standard installer download.

Yes, I'm aware of that option but it's a last resort that I'm trying to
avoid.

--
John Corliss

John Corliss

Apr 23, 2017, 5:11:05 AM
to mozilla-sup...@lists.mozilla.org
I'm convinced at this point that it's a malware infection. See:

https://www.netskope.com/blog/category/cloud-malware/

and search for NSS3.DLL on that page.

*Sigh* If I had a big red button in front of me that would kill all the
assholes in this world who create that kind of stuff, I wouldn't
hesitate a second to slam my fist down on it.

God damn all malware authors to hell. And I seriously mean it. God damn
them all.

--
John Corliss

Mayayana

Apr 23, 2017, 10:21:48 AM
to mozilla-sup...@lists.mozilla.org
"John Corliss" <r9j...@yahoo.com> wrote

| > The fact it exists at all implies you've been picked for the survey
| > and may have somehow agreed to it.
|
| No... that's completely unlikely.

It may be that you never agreed to it. I was
only going by what I've read. They say that only
some people get the "heartbeat" spyware and
they seemed to say that one is asked to
participate. On the other hand, one of the links
someone posted is explaining to people how to
disable the "selfsupport" pref. So that seems
to contradict the idea that they were asked to
allow it.
That pref doesn't exist at all normally and is
not in the greprefs.js file for FF 52. So the fact
that it exists in your prefs seems to indicate you're
a heartbeat victim. Presumably it's some kind of
add-on that gets installed to normal FF, but I
haven't come across anything to indicate those
details.



Mayayana

Apr 23, 2017, 10:40:35 AM
to mozilla-sup...@lists.mozilla.org
"John Corliss" <r9j...@yahoo.com> wrote

| I'm convinced at this point that it's a malware infection. See:
|
| https://www.netskope.com/blog/category/cloud-malware/
|
| and search for NSS3.DLL on that page.

There's no reason to assume malware, and it seems to
be going to the cloudfront URL used for heartbeat. You
might be able to tell something by what's being transferred.
(Though heartbeat and malware might very well transfer
a similar record of your online activities. :)

nss3.dll is just an encryption library. An OSS alternative
to OpenSSL for cryptographic functionality.

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Overview

From your link:

"It [the malware] hooks NSS3.DLL and NSPR4.DLL to monitor
Mozilla Firefox; WS2_32.DLL, CHROME.DLL to monitor Google
Chrome; and WININET.DLL to monitor Internet Explorer."

Ws2_32.dll is a Windows sockets DLL. It's used for
various functions to call servers, ask for files,
etc. It's basically the Internet connection library.
Wininet.dll is the IE wrapper library. It's part of the
IE install and contains higher level functions, like
UrlDownloadToFile, which calls to a server without
needing to manage winsock oneself.

Hooking, as you may know, means setting up
as a kind of man-in-the-middle at OS level. In
other words, the malware is monitoring what gets
passed in and out. The fact that nss3.dll is involved
means no more than the fact that Windows sockets
may be involved. Presumably the malware is monitoring
the input into nss3, in order to get it before it's
encrypted.

What you're proposing is not farfetched in theory,
but it would imply that Cloudfront is the malware
home base. Wouldn't it be likely that malware
would be calling to E. Europe or China, rather than
to an Amazon server in Seattle?



Richmond

Apr 23, 2017, 12:40:01 PM
to mozilla-sup...@lists.mozilla.org
I have noticed similar connections with Seamonkey.

I am wondering if it has something to do with the DNS cache that firefox
employs. Maybe it has been copied to SM too. I posted in the SM support
group about it.

Mayayana

Apr 23, 2017, 1:54:54 PM
to mozilla-sup...@lists.mozilla.org
"Richmond" <dnom...@gmx.com> wrote

| I am wondering if it has something to do with the DNS cache that firefox
| employs.

?? DNS cache involves storing IP addresses
to avoid repeated DNS calls.

DNS is on port 53. He's recording calls
out on port 80.

It's very unlikely he has Amazon/Cloudfront
as his DNS server. The IP is owned by Amazon
but a hostname resolution on 52.84.50.138 comes
back as:
server-52-84-50-138.sea32.r.cloudfront.net


It's easy enough to check what he's set as a
DNS server, but he seems to be very tuned into
privacy issues, so I'm guessing he's set his
own DNS setting to something like opendns.

Also, if it were DNS calls the response would
be very small.

So why would you think it's connected to DNS
caching?


Richmond

Apr 23, 2017, 5:48:02 PM
to mozilla-sup...@lists.mozilla.org
"Mayayana" <maya...@invalid.nospam> writes:

>
> So why would you think it's connected to DNS
> caching?

Because of these references found.

Mayayana

Apr 23, 2017, 9:05:07 PM
to mozilla-sup...@lists.mozilla.org
"Richmond" <dnom...@gmx.com> wrote

| > So why would you think it's connected to DNS
| > caching?
|
| Because of these references found.
|
| Found in ./mozilla/netwerk/dns/effective_tld_names.dat
| -> // Amazon CloudFront : https://aws.amazon.com/cloudfront/
|
| Found in ./mozilla/netwerk/dns/effective_tld_names.dat
| -> cloudfront.net
|

That was in the Firefox source code? There's
no similar path in the program install. It seems to
be maybe a list of top level domains. But so what?
That might be a clue about heartbeat or some other
reason for connecting to cloudfront. That wouldn't
be surprising, since it *is* calling cloudfront
clandestinely. It might indicate that Firefox is set
up to call cloudfront and the IP could even be
embedded to avoid needing DNS resolution. But it
doesn't indicate that Firefox calls cloudfront for the
purpose of DNS resolution.

Firefox will call the DNS server you have set.
On Windows, without a DNS proxy, that will be
what shows in the network settings for the
connection. It will only call on port 53, and only
when it needs to resolve a URL. None of that fits
with the described symptoms: Calling to cloudfront
at startup, on port 80, and then repeatedly every
few minutes.

The caching is just an option to store retrieved
IP addresses for a period of time to save on DNS calls.


Mayayana

Apr 23, 2017, 9:13:00 PM
to mozilla-sup...@lists.mozilla.org
"Richmond" <dnom...@gmx.com> wrote

| > So why would you think it's connected to DNS
| > caching?
|
| Because of these references found.
|

There are actually a couple of prefs worth knowing
about in connection with this:

network.dns.disablePrefetch
network.dns.disablePrefetchFromHTTPS

Setting those to true should stop the bizarre
and potentially privacy-infringing behavior of
making DNS calls on links found in pages even
though you haven't clicked the links.

The idea seems to be that making calls in
advance saves time, like network.prefetch-next
which will actually load linked pages in advance.
But with typical network speeds those settings
make no sense and risk both security and privacy.


Richmond

Apr 24, 2017, 4:11:10 AM
to mozilla-sup...@lists.mozilla.org
"Mayayana" <maya...@invalid.nospam> writes:


> That was in the Firefox source code? There's
> no similar path in the program install.

So what?

> It seems to
> be maybe a list of top level domains. But so what?
> That might be a clue about heartbeat or some other
> reason for connecting to cloudfront. That wouldn't
> be surprising, since it *is* calling cloudfront
> clandestinely. It might indicate that Firefox is set
> up to call cloudfront and the IP could even be
> embedded to avoid needing DNS resolution. But it
> doesn't indicate that Firefox calls cloudfront for the
> purpose of DNS resolution.

Well I didn't say that anyway.

>
> Firefox will call the DNS server you have set.
> On Windows, without a DNS proxy, that will be
> what shows in the network settings for the
> connection. It will only call on port 53, and only
> when it needs to resolve a URL. None of that fits
> with the described symptoms: Calling to cloudfront
> at startup, on port 80, and then repeatedly every
> few minutes.

Yes I know how DNS works.

>
> The caching is just an option to store retrieved
> IP addresses for a period of time to save on DNS calls.

Maybe it preloads the cache by downloading a file from somewhere? It
wouldn't need to do that on port 53.

It was just an idea anyway. I'll keep posting ideas.

Richmond

Apr 24, 2017, 4:58:55 AM
to mozilla-sup...@lists.mozilla.org
John Corliss <r9j...@yahoo.com> writes:

> I'm convinced at this point that it's a malware infection. See:
>
> https://www.netskope.com/blog/category/cloud-malware/
>
> and search for NSS3.DLL on that page.
>
> *Sigh* If I had a big red button in front of me that would kill all the
> assholes in this world who create that kind of stuff, I wouldn't
> hesitate a second to slam my fist down on it.
>
> God damn all malware authors to hell. And I seriously mean it. God damn
> them all.

I seem to have cured the problem in one firefox profile on my system. I
went through settings removing anything with an url. Mostly I disabled
safe browsing. And I removed the reference to self-repair. Now there are
no connections on startup. I am not sure if I would actually want to run
firefox like this, but my curiosity got the better of me.

I have to go and reset them all 1 by 1 to find out the exact culprit.

John Corliss

Apr 28, 2017, 3:20:38 AM
to mozilla-sup...@lists.mozilla.org
Richmond wrote:
Sorry it took so long to get back to you. After my meltdown and cursing,
I was too embarrassed to read this group until now.

Yes, I've done pretty much what you've done, but there are some URLs in
about:config which Firefox protects. I'm able to delete the URL in the
preference, but when I click on the "OK" button it just comes back. At
the moment though, I can't recall offhand which URLs they were.

The best way to search for URLs in about:config seems to be to search
for "http".

--
John Corliss

John Corliss

Apr 28, 2017, 4:21:28 AM
to mozilla-sup...@lists.mozilla.org
Mayayana wrote:
> John Corliss wrote:
>>
>> I'm convinced at this point that it's a malware infection. See:
>>
>> https://www.netskope.com/blog/category/cloud-malware/
>>
>> and search for NSS3.DLL on that page.
>
> There's no reason to assume malware,

Yes, but I have to at least include it in the list of possibilities
along with some kind of "normal" but unwanted Firefox behavior.
From the link I provided above:

"We are observing a growing trend in the use of such PDF decoys that use
Cloud Storage services to carry out not only phishing attacks but also
infect user devices with malware such as Remote Administration Tools
(RATs). _These latest threats are taking advantage of many companies’
“default allow” policy for Cloud Storage services..."_

What gets me about the connection is that it happens every single time I
restart Firefox and that it's _so persistent_. Then if I close it (using
Nirsoft's CurrPorts), after 60 seconds it reopens.

However, I haven't gotten an attachment on an email in many, many years.
And I never in this world would ever open one, regardless of who it's
from. My ISP provides me with SpamAssassin filtering at the server, and
I have the settings turned on to where if you're not on my whitelist,
you can't email me. I'm talking about my main email address here, not my
Yahoo and GMail addresses, but I've never gotten an attachment to an
email in either of the latter two either, except one from a friend who I
trust and it was just a text file.

I attempted to get support by going here:

https://support.mozilla.org/en-US/users/auth

but my attempts to log in failed because Mozilla is making people change
their passwords. When I attempt to get a new password, I can't get a
confirmation email from them despite several attempts.

Either Mozilla is blowing it badly or else other forces are at play here.

--
John Corliss

John Corliss

Apr 28, 2017, 6:36:53 AM
to mozilla-sup...@lists.mozilla.org
John Corliss wrote:
> I'm running Firefox 52.0.2 (32-bit) on XP MCE SP3. I've blocked all
> telemetry, blocked updating of all my extensions, blocked automatic
> updating of the browser itself, actually gone into about:config and
> removed many URLs. I've blocked the program from checking for
> certificates. My home page is about:blank. New tabs open to about:blank.
>
> Yet, every time I start Firefox it establishes a connection to an Amazon
> server at 52.84.50.138.
>
> If I use Nirsoft's CurrPorts to close that connection, after 60 seconds
> it reconnects to that same server.
>
> I've used Wireshark to examine the packets, but am unable to see
> anything useful because they're encrypted for the most part.
>
> And all of this is without me even going to a website.
>
> Does anybody have any idea what's going on here?

Wow. Well, that took a while but I finally figured out what it was (I
sincerely hope I did). After using Wireshark to see a reference to
"success.txt" in some of the packets for the connection it was making, I
determined that it was Firefox attempting to detect a captive portal.

What's a "captive portal"?

"A captive portal is a Web page that the user of a public-access network
is obliged to view and interact with before access is granted. Captive
portals are typically used by business centers, airports, hotel lobbies,
coffee shops, and other venues that offer free Wi-Fi hot spots for
Internet users."

I'm not on a public-access network, so that this setting somehow changed
when I updated to 52.1.0 (32-bit) ESR was the fault of Mozilla
developers I'm guessing. A bug in other words, because that's when this
crap started happening.

I went into about:config and searched for "captive", then:

1. I set captivedetect.canonicalURL to a null value.
2. I set network.captive-portal-service.enabled to "false".

I suppose I could also have set captivedetect.maxRetryCount to 0, but oh
well.

And also I noticed the network.captive-portal-service.minInterval which
was causing the 60 retry interval.

So far, the connection has not returned. I sincerely hope that this is
the end of this problem.

--
John Corliss
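
The two captive-portal settings from the post above, together with the other preferences suggested earlier in the thread, can be checked in one pass over a profile's prefs.js. This is an added example, not code from any poster or from Mozilla; `SAMPLE_PREFS`, the `example.constructed.endpoint` pref and the function names are constructed. A pref reported as "unset" is not recorded in prefs.js, so Firefox's built-in default applies to it.

```javascript
// Added example: audit a Firefox prefs.js against the settings named in this thread.
// SAMPLE_PREFS is constructed; a real prefs.js uses the same user_pref() syntax.
const SAMPLE_PREFS = `
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.newtab.preload", false);
user_pref("browser.selfsupport.url", "");
user_pref("browser.uitour.enabled", false);
user_pref("browser.uitour.url", "https://example.invalid/tour");
user_pref("captivedetect.canonicalURL", "");
user_pref("network.dns.disablePrefetch", true);
user_pref("example.constructed.endpoint", "http://example.invalid/ping");
`;

const PREF_LINE =
  /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/;

// Returns Map(name -> boolean | number | string) for every user_pref() line.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue; // comments, blank lines, anything that is not a user_pref call
    const token = m[2];
    let value;
    if (token === "true" || token === "false") {
      value = token === "true";
    } else if (token.startsWith('"')) {
      try { value = JSON.parse(token); } catch (e) { value = token.slice(1, -1); }
    } else {
      value = Number(token);
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// Pref names and target values as given by the posters in this thread.
const THREAD_SETTINGS = [
  ["network.captive-portal-service.enabled", false],
  ["captivedetect.canonicalURL", ""],
  ["browser.selfsupport.url", ""],
  ["browser.uitour.enabled", false],
  ["browser.uitour.url", ""],
  ["browser.newtab.preload", false],
  ["network.dns.disablePrefetch", true],
  ["network.dns.disablePrefetchFromHTTPS", true],
];

function auditPrefs(prefs) {
  const report = THREAD_SETTINGS.map(([name, wanted]) => {
    if (!prefs.has(name)) return { name, status: "unset", wanted }; // built-in default applies
    const actual = prefs.get(name);
    return { name, status: actual === wanted ? "ok" : "differs", wanted, actual };
  });
  // Any other pref still holding a URL: the "search for http" check from the thread.
  const known = new Set(THREAD_SETTINGS.map(([name]) => name));
  const otherUrls = [...prefs]
    .filter(([name, v]) => !known.has(name) && typeof v === "string" && /^https?:\/\//i.test(v))
    .map(([name, v]) => ({ name, url: v }));
  return { report, otherUrls };
}

console.log(JSON.stringify(auditPrefs(parsePrefs(SAMPLE_PREFS)), null, 2));
```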