Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Which of 50 Mozilla Firefox 44.0.2 hosts should we NOT block?

732 views
Skip to first unread message

JamieJones

unread,
Feb 17, 2016, 2:06:32 AM2/17/16
to mozilla-sup...@lists.mozilla.org
Which of the 50 Mozilla Firefox 44.0.2 default hosts should we NOT block?

Following are the 50 default hosts in Mozilla Firefox 44.0.2 in the order
found, where only the first occurrance of each unique host is commented.

For privacy purposes, which of the following 50 default hosts should we
NOT block by putting them in our hosts files?

127.0.0.1 detectportal.firefox.com # captivedetect.canonicalURL;http://detectportal.firefox.com/success.txt
127.0.0.1 www.mozilla.org # firefox spying https://www.mozilla.org/en-US/firefox/44.0.2/firstrun/
127.0.0.1 input.mozilla.org # app.feedback.baseURL;https://input.mozilla.org/%LOCALE%/feedback/%APP%/%VERSION%/
127.0.0.1 support.mozilla.org # app.support.baseURL;https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
127.0.0.1 aus5.mozilla.org # app.update.url;https://aus5.mozilla.org/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
127.0.0.1 www.mozilla.org # app.update.url.details;https://www.mozilla.org/%LOCALE%/firefox/notes
127.0.0.1 crash-stats.mozilla.org # breakpad.reportURL;https://crash-stats.mozilla.com/report/index/
127.0.0.1 snippets.cdn.mozilla.net # browser.aboutHomeSnippets.updateUrl;https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/
127.0.0.1 marketplace.firefox.com # browser.apps.URL;https://marketplace.firefox.com/discovery/
127.0.0.1 add.my.yahoo.com # browser.contentHandlers.types.0.uri;https://add.my.yahoo.com/rss?url=%s
127.0.0.1 addons.mozilla.org # browser.dictionaries.download.url;https://addons.mozilla.org/%LOCALE%/firefox/dictionaries/
127.0.0.1 tiles.services.mozilla.com # browser.newtabpage.directory.ping;https://tiles.services.mozilla.com/v3/links/
127.0.0.1 sb-ssl.google.com # browser.safebrowsing.appRepURL;https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%
127.0.0.1 safebrowsing.google.com # browser.safebrowsing.provider.google.gethashURL;https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2
127.0.0.1 shavar.services.mozilla.com # browser.safebrowsing.provider.mozilla.gethashURL;https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2
127.0.0.1 search.services.mozilla.com # browser.search.geoSpecificDefaults.url;https://search.services.mozilla.com/1/%APP%/%VERSION%/%CHANNEL%/%LOCALE%/%REGION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%
127.0.0.1 location.services.mozilla.com # browser.search.geoip.url;https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
127.0.0.1 self-repair.mozilla.org # browser.selfsupport.url;https://self-repair.mozilla.org/%LOCALE%/repair
127.0.0.1 fhr.cdn.mozilla.net # datareporting.healthreport.about.reportUrl;https://fhr.cdn.mozilla.net/%LOCALE%/v4/
127.0.0.1 fhr.data.mozilla.net # datareporting.healthreport.documentServerURI;https://fhr.data.mozilla.com/
127.0.0.1 code.cdn.mozilla.net # devtools.devices.url;https://code.cdn.mozilla.net/devices/devices.json
127.0.0.1 api.imgur.com # devtools.gcli.imgurUploadURL;https://api.imgur.com/3/image
127.0.0.1 ajax.googleapis.com # devtools.gcli.jquerySrc;https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js
127.0.0.1 cdnjs.cloudflare.com # devtools.gcli.lodashSrc;https://cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.min.js
127.0.0.1 ftp.mozilla.org # devtools.webide.adaptersAddonURL;https://ftp.mozilla.org/pub/mozilla.org/labs/valence/#OS#/valence-#OS#-latest.xpi
127.0.0.1 telemetry-experiment.cdn.mozilla.net # experiments.manifest.uri;https://telemetry-experiment.cdn.mozilla.net/manifest/v1/firefox/%VERSION%/%CHANNEL%
127.0.0.1 blocklist.addons.mozilla.org # extensions.blocklist.itemURL;https://blocklist.addons.mozilla.org/%LOCALE%/%APP%/blocked/%blockID%
127.0.0.1 services.addons.mozilla.org # extensions.webservice.discoverURL;https://services.addons.mozilla.org/%LOCALE%/firefox/discovery/pane/%VERSION%/%OS%/%COMPATIBILITY_MODE%
127.0.0.1 www.mibbit.com # gecko.handlerService.schemes.irc.0.uriTemplate;https://www.mibbit.com/?url=%s
127.0.0.1 compose.mail.yahoo.com # gecko.handlerService.schemes.mailto.0.uriTemplate;https://compose.mail.yahoo.com/?To=%s
127.0.0.1 mail.google.com # gecko.handlerService.schemes.mailto.1.uriTemplate;https://mail.google.com/mail/?extsrc=mailto&url=%s
127.0.0.1 30boxes.com # gecko.handlerService.schemes.webcal.0.uriTemplate;https://30boxes.com/external/widget?refer=ff&url=%s
127.0.0.1 www.googleapis.com # geo.wifi.uri;https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%
127.0.0.1 api.accounts.firefox.com # identity.fxaccounts.auth.uri;https://api.accounts.firefox.com/v1
127.0.0.1 accounts.firefox.com # identity.fxaccounts.remote.force_auth.uri;https://accounts.firefox.com/force_auth?service=sync&context=fx_desktop_v1
127.0.0.1 oauth.accounts.firefox.com # identity.fxaccounts.remote.oauth.uri;https://oauth.accounts.firefox.com/v1
127.0.0.1 profile.accounts.firefox.com # identity.fxaccounts.remote.profile.uri;https://profile.accounts.firefox.com/v1
127.0.0.1 token.services.mozilla.com # identity.sync.tokenserver.uri;https://token.services.mozilla.com/1.0/sync/1.5
127.0.0.1 www.firefox.com # loop.learnMoreUrl;https://www.firefox.com/hello/
127.0.0.1 hello.firefox.com # loop.linkClicker.url;https://hello.firefox.com/
127.0.0.1 www.google.com # loop.oauth.google.scope;https://www.google.com/m8/feeds
127.0.0.1 loop.services.mozilla.com # loop.server;https://loop.services.mozilla.com/v0
127.0.0.1 data.mozilla.com # security.ssl.errorReporting.url;https://data.mozilla.com/submit/sslreports
127.0.0.1 setup.services.mozilla.com # services.sync.jpake.serverURL;https://setup.services.mozilla.com/
127.0.0.1 services.mozilla.com # services.sync.privacyURL;https://services.mozilla.com/privacy-policy/
127.0.0.1 auth.services.mozilla.com # services.sync.serverURL;https://auth.services.mozilla.com/
127.0.0.1 activations.cdn.mozilla.net # social.directories;https://activations.cdn.mozilla.net
127.0.0.1 mozsocial.cliqz.com # social.whitelist;https://mozsocial.cliqz.com
127.0.0.1 incoming.telemetry.mozilla.org # toolkit.telemetry.server;https://incoming.telemetry.mozilla.org
127.0.0.1 wiki.mozilla.org # xpinstall.signatures.devInfoURL;https://wiki.mozilla.org/Addons/Extension_Signing

For privacy purposes, which of the above 50 default hosts should we
NOT block by putting them in our hosts files?

WaltS48

unread,
Feb 17, 2016, 7:20:34 AM2/17/16
to mozilla-sup...@lists.mozilla.org
All of them.

Andy Ho

unread,
Feb 17, 2016, 12:01:53 PM2/17/16
to mozilla-sup...@lists.mozilla.org
JamieJones suggested:

> For privacy purposes, which of the following 50 default hosts should we
> NOT block by putting them in our hosts files?

Most people just put all those web sites into their user.js file owned by
the user instead of in a hosts file owned by root.

user_pref("loop.oauth.google.scope", "https://127.0.0.1.www.google.com/m8/feeds");//loop.oauth.google.scope
user_pref("gecko.handlerService.schemes.mailto.1.uriTemplate", "https://127.0.0.1.mail.google.com/mail/?extsrc=mailto&url=%s");//mail.google.com
user_pref("geo.wifi.uri", "https://127.0.0.1.www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%");//www.googlepis.com

etc.

EE

unread,
Feb 17, 2016, 1:38:34 PM2/17/16
to mozilla-sup...@lists.mozilla.org
If you do not want to be geolocated you do not need that, so you could
block that. Why does the telemetry stuff need to be sent? If you do
not want to tell Mozilla whatever your browser is doing, you could block
that. If you do not use the social stuff like Facebook and Twitter,
then block the social activation.
What good is marketplace.firefox.com? The last time I looked at it, it
had nothing useful there, and it was impossible to download anything
from there anyway.


WaltS48

unread,
Feb 17, 2016, 3:17:08 PM2/17/16
to mozilla-sup...@lists.mozilla.org
Back to Candyland is very useful, I waste hours a week playing it :) and
never had a problem downloading from Marketplace. I am saddened that
they are removing WebRT, and the game will no longer play on my desktop
when that is removed from the browser. The Marketplace icon has already
been removed from the about:home page and Customize widget and the text
link removed from the Tools menu. So you can't get to
marketplace.firefox.com unless you have it bookmarked. I expect
Marketplace to go away altogether.

By all means turn off Telemetry, but don't complain when they remove a
feature like Tab Groups/Panorama because Telemetry indicates no one is
using it.

Andy Ho

unread,
Feb 18, 2016, 3:28:04 PM2/18/16
to mozilla-sup...@lists.mozilla.org
Andy Ho suggested:

> Most people just put all those web sites into their user.js file owned by
> the user instead of in a hosts file owned by root.

Or you can just make a *simpler* hosts file.
To make the question easier to understand, here are the 50 unique
web sites which a typical Firefox 44 browser phones home daily.

Are all 50 necessary for proper operation of the browser?
Surely some must be merely privacy leaks.

But which of the following 50 default URLs inside of Firefox are useful?
And which are potential privacy leaks?

127.0.0.1 30boxes.com
127.0.0.1 accounts.firefox.com
127.0.0.1 activations.cdn.mozilla.net
127.0.0.1 add.my.yahoo.com
127.0.0.1 ajax.googleapis.com
127.0.0.1 api.accounts.firefox.com
127.0.0.1 api.imgur.com
127.0.0.1 aus5.mozilla.org
127.0.0.1 auth.services.mozilla.com
127.0.0.1 blocklist.addons.mozilla.org
127.0.0.1 cdnjs.cloudflare.com
127.0.0.1 code.cdn.mozilla.net
127.0.0.1 compose.mail.yahoo.com
127.0.0.1 crash-stats.mozilla.org
127.0.0.1 data.mozilla.com
127.0.0.1 detectportal.firefox.com
127.0.0.1 fhr.cdn.mozilla.net
127.0.0.1 fhr.data.mozilla.net
127.0.0.1 ftp.mozilla.org
127.0.0.1 hello.firefox.com
127.0.0.1 incoming.telemetry.mozilla.org
127.0.0.1 input.mozilla.org
127.0.0.1 location.services.mozilla.com
127.0.0.1 loop.services.mozilla.com
127.0.0.1 marketplace.firefox.com
127.0.0.1 mozsocial.cliqz.com
127.0.0.1 oauth.accounts.firefox.com
127.0.0.1 profile.accounts.firefox.com
127.0.0.1 safebrowsing.google.com
127.0.0.1 sb-ssl.google.com
127.0.0.1 search.services.mozilla.com
127.0.0.1 self-repair.mozilla.org
127.0.0.1 services.mozilla.com
127.0.0.1 setup.services.mozilla.com
127.0.0.1 shavar.services.mozilla.com
127.0.0.1 snippets.cdn.mozilla.net
127.0.0.1 support.mozilla.org
127.0.0.1 telemetry-experiment.cdn.mozilla.net
127.0.0.1 tiles.services.mozilla.com
127.0.0.1 token.services.mozilla.com
127.0.0.1 wiki.mozilla.org
127.0.0.1 www.firefox.com
127.0.0.1 www.googleapis.com
127.0.0.1 www.mibbit.com
127.0.0.1 www.mozilla.org

JamieJones

unread,
Feb 18, 2016, 5:13:25 PM2/18/16
to mozilla-sup...@lists.mozilla.org
EE wrote:

> If you do not want to be geolocated you do not need that, so you could
> block that.

Thanks for the advice.

The geolocation block seems like a no brainer to me, although I confess I
don't really know *why* there is *any* built-in URL for geolocation of your
browser in Firefox 44.
> Why does the telemetry stuff need to be sent?

Blocking whatever "telemetry" is also seems to be a no brainer, alghough,
again, I have no idea why Firefox 44 wants to 'telemetry' anything!
> If you do not use the social stuff like Facebook and Twitter,
> then block the social activation.

I didn't see Facebook or Twitter in the URLs but use neither and would
block both if I did see them. Where do you see them?
Are they inherent in this?
127.0.0.1 mozsocial.cliqz.com # social.whitelist;https://mozsocial.cliqz.com

> What good is marketplace.firefox.com? The last time I looked at it, it
> had nothing useful there, and it was impossible to download anything
> from there anyway.

I never download *anything* other than the half dozen security and privacy
extensions (noscript, ghostery, https everywhere, canvas blocker, user agent
switcher, etc.). So there's no need to allowing a marketplace to spy on us.
That still leaves a ton of unique built-in spying URLs though, e.g.,
how did this url get into Firefox that was downloaded by me?
And, who wants a "yahoo" URl spying on us every single day?
127.0.0.1 add.my.yahoo.com # browser.contentHandlers.types.0.uri;https://add.my.yahoo.com/rss?url=%s

And, what is imgur doing spying on every single browser session?
127.0.0.1 api.imgur.com # devtools.gcli.imgurUploadURL;https://api.imgur.com/3/image


Anyone know *why* there are 50 unique URLs spying on us by default?

JamieJones

unread,
Feb 18, 2016, 5:13:33 PM2/18/16
to mozilla-sup...@lists.mozilla.org
WaltS48 wrote:

> By all means turn off Telemetry, but don't complain when they remove a
> feature like Tab Groups/Panorama because Telemetry indicates no one is
> using it.

What *is* telemetry doing there anyway?

JamieJones

unread,
Feb 18, 2016, 5:13:54 PM2/18/16
to mozilla-sup...@lists.mozilla.org
WaltS48 wrote:

> By all means turn off Telemetry, but don't complain when they remove a
> feature like Tab Groups/Panorama because Telemetry indicates no one is
> using it.

The question is whether *any* of the 50 unique web sites visited regularly
by Firefox under the covers is actually beneficial to the user?

»Q«

unread,
Feb 18, 2016, 5:44:03 PM2/18/16
to mozilla-sup...@lists.mozilla.org
In <news:mailman.897.145583360...@lists.mozilla.org>,
JamieJones <jjo...@aol.com> wrote:

> I don't really know *why* there is *any* built-in URL for geolocation
> of your browser in Firefox 44.

<https://www.mozilla.org/firefox/geolocation/>

> I have no idea why Firefox 44 wants to 'telemetry' anything!

<https://wiki.mozilla.org/Telemetry/FAQ>

JamieJones

unread,
Feb 18, 2016, 6:32:35 PM2/18/16
to mozilla-sup...@lists.mozilla.org
Johnny wrote ... on Thu, 18 Feb 2016 16:41:08 -0600 ...

> You will have to decide which ones you want to keep. I don't use
> Google, and have it blocked with NoScript, so I'm going to delete all
> the addresses about safe browsing. The same with Yahoo.

I appreciate the input because these 50 sites are in EVERYONE's Firefox!

So it behooves us to work together so we're all informed properly of
the browser phoning home.

> You could probably delete Geo Location, Telemetry, Updates, and a few
> others.

The telemetry ones seem particularly invasive!
toolkit.telemetry.server;https://incoming.telemetry.mozilla.org
experiments.manifest.uri;https://telemetry-experiment.cdn.mozilla.net/manifest/v1/firefox/%VERSION%/%CHANNEL%

So do the geolocation ones:
geo.wifi.uri;https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%
browser.search.geoip.url;https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%

The update ones are confusing what they actually update:
browser.aboutHomeSnippets.updateUrl;https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/
app.update.url;https://aus5.mozilla.org/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml

> Try starting Firefox to a blank page, and then run netstat -N and look
> at the established connections. These are connections I'm concerned
> about.

I get a lot of these types of connections with "netstat -N".
unix 3 [ ] STREAM CONNECTED 17154 /tmp/akonadi-jamie.ygrNUJ/akonadiserver.socket
unix 3 [ ] STREAM CONNECTED 17737 /tmp/akonadi-jamie.yqrNUJ/mysql.socket

Do you think that's due to Firefox phoning home?

> When I start Firefox and use netstat -N to check the established
> connections, these two always connect, and stay connected as long as
> I'm using Firefox:
>
> 69.195.158.198:https Joe's Datacenter
> 54.230.205.241:https Amazon AWS Network Operations

I don't see any IP addresses like you do, when I run netstat -N.

> I would like to start Firefox without any established connections,
> until I visit a website.

That makes total sense to me.
I was shocked that I had downloaded a linux Firefox and yet, it still
phoned home about canonical, for example.

captivedetect.canonicalURL;http://detectportal.firefox.com/success.txt

> I wonder if it's a way for Mozilla to make money? I know Google used
> to pay them 300 million a year to have Google search included with
> Firefox.

Each of the 50 unique URLs probably pays them money.

But they should be more upfront about it and tell us that they make
money off of spying on us.

That would at least be reasonable.

WaltS48

unread,
Feb 18, 2016, 6:42:04 PM2/18/16
to mozilla-sup...@lists.mozilla.org
On 02/18/2016 06:32 PM, JamieJones wrote:
But they should be more upfront about it and tell us that they make
money off of spying on us.

Maybe you should read the Privacy Policy and the End-User Rights both available from Help > About Firefox.

--
Linux Mint 17.3 | KDE 4.14.2 | Thunderbird 45.0b1(Beta)
Go Bucs! Go Steelers! Go Pitt! Go Pens! Go Sabres! cateye
Visit Pittsburgh
Coexist · Understanding Across Divides

Philip Chee

unread,
Feb 23, 2016, 11:33:34 PM2/23/16
to mozilla-sup...@lists.mozilla.org
On 19/02/2016 07:32, JamieJones wrote:
> That makes total sense to me.
> I was shocked that I had downloaded a linux Firefox and yet, it still
> phoned home about canonical, for example.
>
> captivedetect.canonicalURL;http://detectportal.firefox.com/success.txt

What makes you think firefox.com is run by Canonical? Hint the word
"canonical" existed long before the Canonical company was founded.

Phil

--
Philip Chee <phi...@aleytys.pc.my>, <phili...@gmail.com>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.

Wolf K.

unread,
Feb 24, 2016, 9:12:13 AM2/24/16
to mozilla-sup...@lists.mozilla.org
On 2016-02-23 23:32, Philip Chee wrote:
> On 19/02/2016 07:32, JamieJones wrote:
>> That makes total sense to me.
>> I was shocked that I had downloaded a linux Firefox and yet, it still
>> phoned home about canonical, for example.
>>
>> captivedetect.canonicalURL;http://detectportal.firefox.com/success.txt
>
> What makes you think firefox.com is run by Canonical? Hint the word
> "canonical" existed long before the Canonical company was founded.
>

AFAIK, in Mozilla context, "canonical" merely means "according to the
established rules and conventions", the ones followed by the devs.

--
Best,
Wolf K.
kirkwood40.blogspot.ca
0 new messages