Firefox automatic callouts at startup

[John Corliss]

For a couple of weeks now, I've been compiling a list of the remote IP
addresses which Firefox connects to automatically at program startup. My
goal is to completely stop FF from doing this or at least to understand
why it's calling out to these addresses. I realize that some of these
callouts may be due to the extensions I use, also realize that there are
various IP ranges which FF connects to so that this list is going to be
incomplete. Regardless here is the list:

Note that 443 is a secure port.

52.10.12.100:443 (Amazon Technologies Inc.)
52.24.25.164:443 (Amazon Technologies Inc.)
52.24.92.179:? (Amazon Technologies Inc.)
52.25.204.59:443 (Amazon Technologies Inc.)
52.26.33.175:443 (Amazon Technologies Inc.)
54.186.142.204:443 (Amazon AWS Network Operation)
54.192.117.36:443 (Amazon Technologies Inc.)
54.192.140.73:443 (Amazon Technologies Inc.)
54.192.140.83:443 (Amazon Technologies Inc.)
54.230.71.193:443 (Amazon Web Services, Elastic Compute Cloud, EC2)
54.230.142.234:443 (Amazon Web Services, Elastic Compute Cloud, EC2)
54.240.188.126:443 (Amazon Technologies Inc.) <--------------------
54.240.188.251:443 (Amazon Technologies Inc.)
63.245.217.114.443 (Mozilla Corporation)
72.21.91.29:80 (EdgeCast Networks, Inc., *presumably looking for
newsfeeds, but I have no live bookmarks!*)
74.125.227.161:443 (Google Inc.)
93.184.215.191: 443 (Edgecast Networks)
173.194.33.168:443 (Google)
173.194.33.174:443 (Google)
216.58.216.142:80 (Google)
216.58.216.142:443 (Google)

Towards the end of quieting down Firefox, I've noticed this discussion
in the Wilders Security Forums:

http://www.wilderssecurity.com/threads/firefox-quiet.375074/

Comments?

TIA.
--
John Corliss

[EE]

If you are using the protection against malware sites and phishing
sites, the browser would make contact with Google to update the
blocklists. If you have no feeds, I cannot think why you would be
connecting with Amazon or EdgeCast.

[Paul in Houston, TX]

Do you keep cookies?
My FF 27 and SM 2.26 do not call out upon startup.

[John Corliss]

Thanks for replying!

No, although I have:

"Query OCSP responder servers to confirm the current validity of
certificates" checkmarked

that shouldn't cause any calling out at startup because I have my home
page set to about:blank.

In addition, I also have:

-Both "Block reported attack site" and "Block reported web forgeries"
unchecked in Options
-"Never check for updates(not recommended, security risk)" checked
-Search Engines Automatically Update unchecked
-No Sync account
-All Data Choices (Telemetry and Crash Reporter) unchecked
-As I've already mentioned, I'm not subscribed to any Live Feeds as far
as I know. However, I don't know of any way to find out for sure if this
is the case other than to manually go through each of my almost 1000
bookmarks. Still, I have no recollection of ever subscribing to any.

As far as extensions, I use the following which update certain
components (eg. AdBlock Plus filter subscriptions) separately from
Firefox update:

AdBlock Plus ("Automatic Updates" set to "Off", "Count Filter Hits"
unchecked, "Sync Adblock Plus Setting" unchecked
Copy Link Text ("Automatic Updates" set to "Off")
Download Panel Tweaks ("Automatic Updates" set to "Off")
Ghostery (but I have Ghostrank and "tracker library auto-updating" both
unticked)
Link Visitor ("Automatic Updates" set to "Off")
Video DownloadHelper ("Automatic Updates" set to "Off")

Shockwave Flash plugin is set to not check for updates.

I've gone into about:config, filtered on "url" and removed some of the
website address values from various preferences.

In short, I've literally spent hours trying to block firefox from
calling out at startup and my efforts have failed.

The problem I see here is that there's no reference website which
explains why various IP addresses and IP address ranges are called by
Firefox and that Mozilla doesn't require extension authors to provide
information about which IP addresses and IP address ranges (if any)
their extensions will want to be contacting.

Without that information, it's impossible in many cases to make informed
choices about whether or not you want such connections to be made by
Firefox and any extensions you use. Also, determining whether or not
malware is making such connections is made far more difficult.

In addition to all this, I want to stop Firefox from starting
wmiprvse.exe at startup (I'm still using XP MCE SP3 for my OS.) But
that's a topic for another thread.

--
John Corliss

[John Corliss]

I keep a few select cookies, but AFAIK, cookies aren't responsible for
Firefox calling out at startup.

--
John Corliss

[J. P. Gilliver (John)]

In message
<mailman.940.1435397895...@lists.mozilla.org>, John

Corliss <jcor...@fake.invalid> writes:
>EE wrote:
>> John Corliss wrote:
>>> For a couple of weeks now, I've been compiling a list of the remote IP
>>> addresses which Firefox connects to automatically at program startup. My
>>> goal is to completely stop FF from doing this or at least to understand
>>> why it's calling out to these addresses. I realize that some of these
>>> callouts may be due to the extensions I use, also realize that there are
>>> various IP ranges which FF connects to so that this list is going to be
>>> incomplete. Regardless here is the list:

{I was wondering if you were just telling us this as a public service
(which is good too!), or if you are actually wanting help with
something. But from below I deduce you _do_ want help with something.}
[list snipped]
[]

>In short, I've literally spent hours trying to block firefox from
>calling out at startup and my efforts have failed.
>
>The problem I see here is that there's no reference website which
>explains why various IP addresses and IP address ranges are called by
>Firefox and that Mozilla doesn't require extension authors to provide
>information about which IP addresses and IP address ranges (if any)
>their extensions will want to be contacting.
>
>Without that information, it's impossible in many cases to make informed
>choices about whether or not you want such connections to be made by
>Firefox and any extensions you use. Also, determining whether or not
>malware is making such connections is made far more difficult.

I agree with your frustration that such information isn't available.
However, a brute force method would be to block them anyway, and just
see if anything (Firefox and the add-ons you have) breaks. I use the
ancient Kerio as a firewall, and that allows me to block accesses by
what application is calling them, by address, by port, by direction, and
by protocol (in other words I can block Firefox, in and/or out, TCP
and/or UCP, to an address or address range, any or specific ports). I
_presume_ more modern firewalls can be configured to do similar.

>
>In addition to all this, I want to stop Firefox from starting
>wmiprvse.exe at startup (I'm still using XP MCE SP3 for my OS.) But
>that's a topic for another thread.
>

Not knowing what that does, and/or whether when you _do_ want to start
it you do it from within something else that has it hard-coded or
whether you start it by command line or shortcut that could be modified,
my immediate reaction of changing its name may or may not be valid.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Illinc fui et illud feci, habe tunicam?

[Richard]

> Date: Saturday, June 27, 2015 12:19:20 PM +0100
> From: "J. P. Gilliver (John)" <G6...@soft255.demon.co.uk>

>
> In message
> <mailman.940.1435397895...@lists.mozilla.org>,
> John Corliss <jcor...@fake.invalid> writes:

>> EE wrote:
>>> John Corliss wrote:
>>>> For a couple of weeks now, I've been compiling a list of the
>>>> remote IP addresses which Firefox connects to automatically at
>>>> program startup. My goal is to completely stop FF from doing
>>>> this or at least to understand why it's calling out to these
>>>> addresses. I realize that some of these callouts may be due to
>>>> the extensions I use, also realize that there are various IP
>>>> ranges which FF connects to so that this list is going to be
>>>> incomplete. Regardless here is the list:
>

> {I was wondering if you were just telling us this as a public
> service (which is good too!), or if you are actually wanting help
> with something. But from below I deduce you _do_ want help with
> something.}
> [list snipped]
> []

>> In short, I've literally spent hours trying to block firefox from
>> calling out at startup and my efforts have failed.
>>
>> The problem I see here is that there's no reference website which
>> explains why various IP addresses and IP address ranges are
>> called by Firefox and that Mozilla doesn't require extension
>> authors to provide information about which IP addresses and IP
>> address ranges (if any) their extensions will want to be
>> contacting.
>>
>> Without that information, it's impossible in many cases to make
>> informed choices about whether or not you want such connections
>> to be made by Firefox and any extensions you use. Also,
>> determining whether or not malware is making such connections is
>> made far more difficult.
>

> I agree with your frustration that such information isn't
> available. However, a brute force method would be to block them
> anyway, and just see if anything (Firefox and the add-ons you
> have) breaks. I use the ancient Kerio as a firewall, and that
> allows me to block accesses by what application is calling them,
> by address, by port, by direction, and by protocol (in other words
> I can block Firefox, in and/or out, TCP and/or UCP, to an address
> or address range, any or specific ports). I _presume_ more modern
> firewalls can be configured to do similar.
>>

>> In addition to all this, I want to stop Firefox from starting
>> wmiprvse.exe at startup (I'm still using XP MCE SP3 for my OS.)
>> But that's a topic for another thread.
>>

> Not knowing what that does, and/or whether when you _do_ want to
> start it you do it from within something else that has it
> hard-coded or whether you start it by command line or shortcut
> that could be modified, my immediate reaction of changing its name
> may or may not be valid.

Looking into this on a linux machine, the only calls that I get in
the start up of a fairly clean FF install, with only a few plugins
and no extensions are:

count IPnumber hostname

2 54.192.144.224 -- self-repair.mozilla.org
4 72.21.91.29 -- ocsp.digicert.com
2 173.194.121.4 -- safebrowsing.google.com / clients1.google.com
1 173.194.121.7 -- safebrowsing.google.com / clients1.google.com
2 173.194.121.9 -- safebrowsing.google.com / clients1.google.com

[both the google and mozilla names resolve to multiple ipnumbers so
what you trap (off a router) will vary based on their DNS A-record
shuffle.]

If I turn off the "block reported attack sites" and "block reported
forgeries" options under preferences/security I don't get the calls
to google on startup.

So, I would conclude that most of what the OP is seeing is from
extensions. If you're concerned by their "calls", turn them off.

Not trying to be too snarky here, but if you're running in a MS
environment, FF and related calls are probably the least of your
worries. The blast of DNS queries on my network from MS machines on
startup (and ongoing) -- looking for MS and OEM sites -- is never
ending.

[if you want something to be concerned about ... look at the
continuous spew of outbound connections from all your mobile
device's apps! [but that's not a discussion for this list.]]

[John Corliss]

Yes, I should fire up Wireshark before starting Firefox and see what I get.

> [both the google and mozilla names resolve to multiple ipnumbers so
> what you trap (off a router) will vary based on their DNS A-record
> shuffle.]
>
> If I turn off the "block reported attack sites" and "block reported
> forgeries" options under preferences/security I don't get the calls
> to google on startup.

To be fair, I've also stopped getting callouts to Google since I did
likewise.

> So, I would conclude that most of what the OP is seeing is from
> extensions. If you're concerned by their "calls", turn them off.
>
> Not trying to be too snarky here, but if you're running in a MS
> environment, FF and related calls are probably the least of your
> worries. The blast of DNS queries on my network from MS machines on
> startup (and ongoing) -- looking for MS and OEM sites -- is never
> ending.

I believe it. However as I said, I'm using XP and I don't believe that
it does this as much as newer versions of Windows.

> [if you want something to be concerned about ... look at the
> continuous spew of outbound connections from all your mobile
> device's apps! [but that's not a discussion for this list.]]

I don't use any mobile devices. Don't even have a cell phone, never have
and never will.

--
John Corliss

[John Corliss]

J. P. Gilliver (John) wrote:

I also use Kerio (2.1.5). I thought about blocking the IP addresses, but
am sure that wouldn't do any good since it would most likely simply
switch to another one within a range. And since I don't know what those
ranges are, I would be unable to set up rules blocking ranges (Kerio
2.1.5 will do this.)

>> In addition to all this, I want to stop Firefox from starting
>> wmiprvse.exe at startup (I'm still using XP MCE SP3 for my OS.) But
>> that's a topic for another thread.
>>
> Not knowing what that does, and/or whether when you _do_ want to start
> it you do it from within something else that has it hard-coded or
> whether you start it by command line or shortcut that could be modified,
> my immediate reaction of changing its name may or may not be valid.

It's unique to XP. Moz developers want to run wmiprvse.exe for
diagnostic info. Since I've turned off both Health Report and Crash
Reporter, there's no reason for wmiprvse.exe to be run. I know I could
probably remove the code which is responsible and recompile FF, but the
code would reappear with the next update.

--
John Corliss

[John R. Sowden]

I have seen a lot of text re: this call out issue. A main reason that I
use open source software is the perception of honesty on the part of the
software creation organization. I feel that I can trust them. I don't
question upgrades like I did with Microsoft. Now we seem to have an
issue of possible deception and underhandedness (must be a word-it
passed spell check). We need an official response from Mozilla. In the
spirit of open source, we should have the clear option of turning it
off. I believe that the ONLY time that a browser (a receiving program,
not a sending program) should send anything out is for diagnostic
reasons, which I turn on (see "trust" above).

John

On 06/27/2015 11:36 AM, John Corliss wrote:
> J. P. Gilliver (John) wrote:
>> John Corliss wrote:

> I also use Kerio (2.1.5). I thought about blocking the IP addresses, but
> am sure that wouldn't do any good since it would most likely simply
> switch to another one within a range. And since I don't know what those
> ranges are, I would be unable to set up rules blocking ranges (Kerio
> 2.1.5 will do this.)
>

>>> In addition to all this, I want to stop Firefox from starting
>>> wmiprvse.exe at startup (I'm still using XP MCE SP3 for my OS.) But
>>> that's a topic for another thread.
>>>
>> Not knowing what that does, and/or whether when you _do_ want to start
>> it you do it from within something else that has it hard-coded or
>> whether you start it by command line or shortcut that could be modified,
>> my immediate reaction of changing its name may or may not be valid.

[Richard]

> Date: Saturday, June 27, 2015 12:39:23 PM -0700
> From: "John R. Sowden" <jso...@americansentry.net>

>
> I have seen a lot of text re: this call out issue. A main reason
> that I use open source software is the perception of honesty on
> the part of the software creation organization. I feel that I can
> trust them. I don't question upgrades like I did with Microsoft.
> Now we seem to have an issue of possible deception and
> underhandedness (must be a word-it passed spell check). We need
> an official response from Mozilla. In the spirit of open source,
> we should have the clear option of turning it off. I believe that
> the ONLY time that a browser (a receiving program, not a sending
> program) should send anything out is for diagnostic reasons, which
> I turn on (see "trust" above).
>
> John

As I indicated in an earlier message, the "callouts" that the OP is
seeing seem to be from extensions that he has (optionally)
installed. They do not appear to be from FF core.

Analyzing my router and DNS server traffic, all I get from my
(linux) FF are:

count IPnumber hostname

2 54.192.144.224 -- self-repair.mozilla.org
4 72.21.91.29 -- ocsp.digicert.com
2 173.194.121.4 -- safebrowsing.google.com / clients1.google.com
1 173.194.121.7 -- safebrowsing.google.com / clients1.google.com
2 173.194.121.9 -- safebrowsing.google.com / clients1.google.com

The google "calls" go away if you turn off the "forgery" and "attack
site" selections under preferences/security. I didn't muck with my
certificate settings to see if the digicert.com ones would go away.

Anyone who is bothered by the two "calls" to self-repair.mozilla.org
can look at the source:

<ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest-beta/source/>

[John R. Sowden]

Are you officially connected to Mozilla? Is this an official comment by
Mozilla? If so, you should ID yourself as such.

Additionally, an official comment like "Firefox, with no "extensions" or
modifications, does not send any data from your computer anywhere except
for diagnostic data that we clearly describe, and give a clear
opportunity to block." would be a good response to this dialog.

John

> _______________________________________________
> support-firefox mailing list
> support...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/support-firefox
> To unsubscribe, send an email to support-fir...@lists.mozilla.org?subject=unsubscribe
>

[Richard]

> Date: Saturday, June 27, 2015 01:29:36 PM -0700

> Are you officially connected to Mozilla? Is this an official
> comment by Mozilla? If so, you should ID yourself as such.
>
> Additionally, an official comment like "Firefox, with no
> "extensions" or modifications, does not send any data from your
> computer anywhere except for diagnostic data that we clearly
> describe, and give a clear opportunity to block." would be a good
> response to this dialog.
>
> John
>

I am not associated with mozilla, and did not in any way indicate
that I was. As I thought was fairly clear, I simply did analysis in
my linux environment, and really don't see any "call out" issues
with my extension-free install. You can do your own analysis,
including packet inspection and source code review, and come to your
own conclusions.

[please keep the posting order consistent so that the thread remains
readable.]

[EE]

John R. Sowden wrote:
> I have seen a lot of text re: this call out issue. A main reason that I
> use open source software is the perception of honesty on the part of the
> software creation organization. I feel that I can trust them. I don't
> question upgrades like I did with Microsoft. Now we seem to have an
> issue of possible deception and underhandedness (must be a word-it
> passed spell check). We need an official response from Mozilla. In the
> spirit of open source, we should have the clear option of turning it
> off. I believe that the ONLY time that a browser (a receiving program,
> not a sending program) should send anything out is for diagnostic
> reasons, which I turn on (see "trust" above).
>

You can turn off that stuff. You can disable telemetry, health report,
geolocation, you can disable automatic updates, the protection against
fake sites and malware sites, and not subscribe to feeds. If you
dislike the idea of peer connections turning on your microphone or your
webcam, you can disable that. You can also use about:blank as your home
page.
If the settings will not stay put, you can copy them into a user.js file
to force the issue.

[csf...@gmail.com]

Hi John, as you, I have been monitoring firefox instance from a blank startup page. And i got interesting reports.

First i've to say that i'm not a developer, so probably i miss a lot of things.

Well, in a first try, disabling all checks for updates, all blocking web sites list and health report and those staff, i detected mainly two ip address , Amazon, Edgecast. after a few seconds firefox started with a blank page.

Inspecting packets was my following step so i discover was certificates /OCSP related, so i decided to turnoff OCSP validation.

I think automatic callouts will dissapear with this, but still there to the same ip addresses.

I inspected again packets involved on these conversation and saw the "repair.mozilla.org" entry in th packet, so i searched in about:config tab in firefox and deleted th address, restarted firefox and now no automatics callouts from firefox.

PD.I think OCSP is recommended to enable again.
Bye.