OT. Firefox FYI

[Old Boozer]

I may not be the brightest bulb in the box. After two days of packet logging
Firefox 1.03, I found two TCP connects for EVERY page I went to.

HEADER:

45 00 02 85 9B E2 40 00 32 06 AA 84 CF 7E 6F D8 [email protected]....~o.

C0 A8 00 0D 00 50 04 D9 C3 0D F8 69 DA 3B E8 D5 .....P.....i.;..

50 18 19 20 3F 71 00 00 P.. ?q..

DATA:

HTTP/1.1 302 Found

Date: Sat, 07 May 2005 03:34:04 GMT

Server: Apache/2.0.46 (Red Hat)

Location:
http://news.bbc.co.uk/rss/newsonline_world_edition/front_page/rss091.xml

Content-Length: 344

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>302 Found</title>

</head><body>

<h1>Found</h1>

<p>The document has moved <a
href="http://news.bbc.co.uk/rss/newsonline_world_edition/front_page/rss091.x
ml">here</a>.</p>

<hr />

<address>Apache/2.0.46 (Red Hat) Server at fxfeeds.mozilla.org Port
80</address>

</body></html>



Firefox as far as I can tell always keeps in contact with TCP
207.126.111.216 port 80 (surf.mozzilla.org) no matter what other URL I"m
connected to.



OB.

 

[Cool Guy]

I may not be the brightest bulb in the box. After two days of packet logging
Firefox 1.03, I found two TCP connects for EVERY page I went to.

Sounds odd. I'd recommend that you ask for help on the Firefox support
forum:

http://forums.mozillazine.org/viewforum.php?f=38

 

[elaich]

Firefox as far as I can tell always keeps in contact with TCP
207.126.111.216 port 80 (surf.mozzilla.org) no matter what other
URL I"m connected to.

Uncheck "periodically check for updates" in Tools>Advanced, and see if it
still does it. Report the result here. I'm interested.

 

[Jsp]

After two days of packet logging Firefox 1.03,
I found two TCP connects for EVERY page I went to.

Location:
http://news.bbc.co.uk/rss/newsonline_world_edition/front_page/rss091.xml

Firefox as far as I can tell always keeps in contact with TCP
207.126.111.216 port 80 (surf.mozzilla.org) no matter what other URL I"m
connected to.

It seems like the first one is an rss-feed, which in Firefox can be set
as "live bookmarks". You will find it as a bookmark folder with a little
square orange icon. Firefox automatically updates this bookmarks, so has
to connect in order to do that. When installing FF, the rss-feed from
the BBC news is automatically placed in the bookmarks toolbar folder
under the name "latest headlines".
The second one I don't know. Maybe an update check for FF or extensions?

Jsp

 

[Old Boozer]

Uncheck "periodically check for updates" in Tools>Advanced, and see if it
still does it. Report the result here. I'm interested.

Yes, this was disabled when I upgraded from 1.02 to 1.03. I have used this
browser since 0.8. When my machine got a dose of ISTBAR spyware I
found that the " allow web sites to install software" was checked. This may
or may not have allowed the spyware, this I can't determine. What I did
find after doing a NETSTAT was the connection I posted. While running
a NETSTAT I noticed while jumping from site to site that the IPs would
drop off as expected but the surf.mozzilla.org did not. I don't know if an
outbound ping is involved and I don't have the time to find out. Also I am
not making a claim that this is a phone home or spyware program. The
brighter bulbs should take this to the proper groups.

OB.

 

[Old Boozer]

It seems like the first one is an rss-feed, which in Firefox can be set
as "live bookmarks". You will find it as a bookmark folder with a little
square orange icon. Firefox automatically updates this bookmarks, so has
to connect in order to do that. When installing FF, the rss-feed from
the BBC news is automatically placed in the bookmarks toolbar folder
under the name "latest headlines".
The second one I don't know. Maybe an update check for FF or extensions?

Jsp

I see. To put this in there browser by defult with no option to disable is
uncomprehensible!
I will move on to another browser and my trust in Mozzilla is gone.

OB.

 

[Paul B.]

After two days of packet logging Firefox 1.03, I found two TCP
connects for EVERY page I went to.

I just created a rule in Kerio firewall to flag me whenever FF
1.03 is in contact with 207.126.111.216, be it TCP, UDP, ICMP,
IGMP, in either direction, and gave it highest priority. Nothing
so far.

p.

 

[Mike S.]

I see. To put this in there browser by defult with no option to disable is
uncomprehensible!

Delete the bookmark!

 

[Old Boozer]

I just created a rule in Kerio firewall to flag me whenever FF
1.03 is in contact with 207.126.111.216, be it TCP, UDP, ICMP,
IGMP, in either direction, and gave it highest priority. Nothing
so far.

p.

Thank you for testing this. When I blocked that I could not get any
internet connection.

OB.

 

[=?ISO-8859-1?Q?=BBQ=AB?=]

Thank you for testing this. When I blocked that I could not get any
internet connection.

I suspect that diabling live bookmarks (deleting all[1] of them) will
change that for you. I cannot tell quite what a connection to
207.126.111.216 would be doing, but it looks like it has to do with the
live bookmark feature. <http://207.126.111.216> redirects me to
<http://www.mozilla.org/products/firefox/live-bookmarks.html>. (I have
to use the IP addy, since my DNS won't resolve surf.mozilla.org --
maybe that A record is new.) Somebody in the Firefox support group
might be able to clear things up.

[1] IIRC, the BBC one is the only one that's included in the default
bookmarks file, in the Bookmarks Toolbar Folder.

 

[Arne Anka]

I alt.comp.freeware, sa »Q« utan att tänka först:

I cannot tell quite what a connection to
207.126.111.216 would be doing, but it looks like it has to do with
the live bookmark feature. <http://207.126.111.216> redirects me to
<http://www.mozilla.org/products/firefox/live-bookmarks.html>.

It's the live bookmark. The properties for the BBC-bookmark has the
addresse <http://fxfeeds.mozillazine.org/rss20.xml> and a lookup with Sam
Spade resolves "fxfeeds.mozillazine.org" as IPs 207.126.111.216 &
207.126.111.216

05/08/05 18:45:14 dns fxfeeds.mozillazine.org
Canonical name: fxfeeds.mozilla.org
Aliases:
fxfeeds.mozillazine.org
Addresses:
207.126.111.216
207.126.111.217

--
Arne Anka

Men det värsta är inte själva baksmällan,
den verkliga pärsen börjar när gårdagens
oundvikliga sanningar börjar rullas upp för en...

<http://starcruiser.dk/arne/>

 

[elaich]

When my machine got a dose of ISTBAR spyware I
found that the " allow web sites to install software" was checked.

No, it would not allow spyware to be installed. Firefox always asks for
permission, even with that box checked.

The only real reason to check that box is to allow installation of themes
and extensions, and even then, you have to give permission before Firefox
will do it.

 

[=?ISO-8859-1?Q?=BBQ=AB?=]

I alt.comp.freeware, sa »Q« utan att tänka först:


It's the live bookmark. The properties for the BBC-bookmark has
the addresse <http://fxfeeds.mozillazine.org/rss20.xml> and a
lookup with Sam Spade resolves "fxfeeds.mozillazine.org" as IPs
207.126.111.216 & 207.126.111.216

05/08/05 18:45:14 dns fxfeeds.mozillazine.org
Canonical name: fxfeeds.mozilla.org
Aliases:
fxfeeds.mozillazine.org
Addresses:
207.126.111.216
207.126.111.217

Thanks, Arne; that pretty well clears things up. I had deleted the
BBC bookmark, so I didn't see that.

 

[Maxx Pollare]

The voice of "Old Boozer" drifted in on the cyber-winds,
from the sea of virtual chaos...

I see. To put this in there browser by defult with no option to
disable is uncomprehensible! I will move on to another browser
and my trust in Mozzilla is gone.

That's FUD for you...
The only reason for the rss-feed is as an example on how it works.
There is no "spying" intented, no matter how you spin it.

 

[Old Boozer]

That's FUD for you...

Can be taken many ways.

The only reason for the rss-feed is as an example on how it works.

Still absolutely uncomprehensible to add this always connected TCP
without the users knowledge.

There is no "spying" intented, no matter how you spin it.

Unless you have any tangible evidence, you are only stating your opinion.

Maxx Pollare, a "small god" in his own mind...

I don't doubt it.

OB.

 

[Old Boozer]

No, it would not allow spyware to be installed. Firefox always asks for
permission, even with that box checked.

The only real reason to check that box is to allow installation of themes
and extensions, and even then, you have to give permission before Firefox
will do it.

http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html



OB

 

[Old Boozer]

Thank you for testing this. When I blocked that I could not get any
internet connection.

I suspect that diabling live bookmarks (deleting all[1] of them) will
change that for you. I cannot tell quite what a connection to
207.126.111.216 would be doing, but it looks like it has to do with the
live bookmark feature. <http://207.126.111.216> redirects me to
<http://www.mozilla.org/products/firefox/live-bookmarks.html>. (I have
to use the IP addy, since my DNS won't resolve surf.mozilla.org --
maybe that A record is new.) Somebody in the Firefox support group
might be able to clear things up.

[1] IIRC, the BBC one is the only one that's included in the default
bookmarks file, in the Bookmarks Toolbar Folder.

Q this is a freeware program that I use. This is the one that showed the TCP
connect
and resolved the mozzilla site. The packet logging was from AnologX. Since I
will no
longer use Mozzilla, I will not post anything more that I logged.
Understand, I did not
like what I saw.

Tesseract is a multifunctional networking tool. The program has several
purposes. First, it displays network traffic in realtime. Sent and received
data is recorded and displayed on a per-host basis. All IP addresses seen
are asynchronously resolved into their hostnames without user interaction.
Any networking errors (such as ICMP messages) seen, are parsed and reported
to the user along with any pertinent information (such as which router/host
was failing if for example a ICMP Destination Unreachable message was
encountered). It also analyses the incoming data for potential network
intrusion and/or denial of service attempts. These are displayed with a
timestamp along with the offending host. Many common clandestine scan types
(such as syn/ack scans, often generated with nmap) are detected and
reported. In addition, whenever possible Tesseract tries to make an educated
guess about operating systems are running on the network



http://www.snapfiles.com/download/dltesseract.html



OB

 

[=?ISO-8859-1?Q?=BBQ=AB?=]

"Old Boozer" <oldboozer> wrote in

http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html

That's a separate issue, but it actually reinforces elaich's point.
There's a screenshot of the user being prompted, "Do you want to trust
the applet?" It's after the user clicks through that ("Being a curious
soul, I agreed to the install - and quickly wished I hadn't!") that the
alleged security breach happens.

 

[David]

http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html

Which is why I do not have Java enabled. I also do not allow installs
unless I have requested them from a known site.

 

[Aaron]

Can be taken many ways.


Still absolutely uncomprehensible to add this always connected TCP
without the users knowledge.

Think of it more like having several default homepages.

Unless you have any tangible evidence, you are only stating your opinion.

What would you define as tangible evidence? Use of a packet sniffer, will
easily prove that it just makes a normal connection to retreive headlines
from BBC.

Or do you think BBC is spying on you?