What various browsers call upon initial launch

Discussion in 'other software & services' started by Yuki2718, Sep 3, 2019.

  1. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    There's an interesting series of tweets from Mr Sampson who investigated each browser's communication when it was launched first time.
    https://twitter.com/jonathansampson
     
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    Links to each browser (a bit old and not comprehensive) are here.
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    17,362
    Microsoft Edge makes 130+ requests to almost 50 endpoints when first launched
    August 29, 2019
    https://www.theinquirer.net/inquire...ts-to-almost-50-endpoints-when-first-launched
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,528
    Location:
    Italy
    I'm sure Pale Moon does better than Firefox.
    I hope even better than Brave.
     
  5. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,132
    Location:
    UK
    Is this the same report that was done by the "brave" browser company employee?
     
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    949
    He did state he works for Brave when someone replied.
    But so far I haven't seen that as reason to invalidate the report.
    He posted images for his reports. And I assume other researchers should be able to replicate the test to see if it's accurate or not.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
    Yes, this truly is ridiculous. How about a browser that makes zero connections to servers that are not related to websites visited by the user? And make no mistake, all browsers do this, you will also see it with Firefox and Vivaldi.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,941
    to mention extensions. Firefox doesn't make unwanted connections which are related to websites or user action. (not sure about the recommended extension section)
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    I don't think all connections are a problem. What's informative is now we can roughly see what each browser communicates and where they do.
    I'm not sure what you mean, but Fx itself makes dozens of unwanted (at least to some users) connections until the user turns them off as mentioned in OP. It's a relatively talkative browser by default, but at least gives the user some control.
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,941
    please read again
    that's the point. as written before firefox updates its own data such as safelist, blocklists etc. also telemetry which is opt-out in total with prefs - same for safelist or blocklists (last could be dangerous because it makes firefox vulnerable)
    at least you can cut down firefox so extremely hard and bad it won't work properly or would crash for many reasons.
    anyhow - firefox has the options, chrome/chromium, edge and others don't have any option for most of this - nothing.

    as i recommended to someone before - create or compile your own piece of browser if you are able to do this. we can talk about this and that but personal issues don't belong here as they should be sent to authors. and then they should be valid, not based on personal animosity ;)
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,517
    Location:
    Canada
    Since I've been running Chrome-Edge beta for months, I have no idea about connections made at first ever launch, but after setting my firewall to log allowed connections and clearing its events, I opened edge to wilderssecurity and after 1 minute there're only a few connections made, notably to:

    Code:
    Google (ipv6 protocol)
    edge.microsoft.com
    config.edge.skype.com
    nav.smartscreen.microsoft.com
    
    That's it. I can reproduce this repeatedly. I'm using uBlockO extension and there are 15 domain blocking rules in my firewall.
     
  12. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    Okay, I see. And that is why I wrote "it gives user some control". I have to say it's unfortunate that none of Fx folks are much attractive and none of Chromium folks gives user good control. Mozilla doesn't prioritize security very much (this one will be famous, and tweets from CopperheadOS were also good read) and focusing more on performance and adding features, but anyway we have to choose from available ones.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,941
    and how does an article from early 2018 apply today?
    and one thing is completely wrong - no password is stored as plain text, never. that's why people always need 2 files to decrypt - and in case of master-pw it needs some pretty new hardware and some software to decrypt - and ofc physical access to such files. i would say that any keylogger could get it faster - on "0wn3d" machines.
    is there more proof of evidence? ofc palant writes a lot during the day, this includes also bs like any people writing a lot.
    in this case palant as developer from adblock plus owned by Eyeo is not as trustworthy as firefox, not even close. offering "acceptable ads" and maybe some more it probably undermines firefox security where people think they are safe.
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    899
    Location:
    Member state of European Union
    That's because people generally want performance and compare browsers based on that. When it comes to security of connections few years ago Firefox was handling them far more secure than Chrome. Chrome could be redirected to other domain when you typed domain prefixed by https://. Firefox would not do that - it would display error page, which is proper, secure way of handling connections when somebody typed full URL to https site including https:// and something in network redirects to other domain. I don't know about how Chrome/Chromium behaves today, but without evidence it changed I would not trust this browser to connect to my banking site.
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,941
    i would - but not chrome instead chromium which is open source while chrome is not. but that is not a general matter for me, i did banking with chromium, but firefox is my preferred browser. i wont trust opera this way round ^^
     
  16. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    I didn't bother to read the article. I remember the bug but didn't about the bug page so just posted the first-found one on search, but it seems nobody said Fx stores passwords in plaintext? What is completely wrong in the article is LastPass part: they use PBKDF2-HMAC-SHA256, not SHA256.

    You misunderstand what is the problem. Chromium doesn't have master password at all, which brought much discussion at the time, but Chromium devs clearly stated why: long story short, it's a matter of a threat model. So, though my PERSONAL stance is closer to Fx's one (i.e. master pwd is still better than nothing, tho one shouldn't keep important info in any browser), I now don't question Chromium's practice because I understand security is always relative to threat modeling. One Fx dev also stated he wanted to remove the master pwd, as he knew "removing the feature is better than having a poor implementation of it". But 6y ago he withdrew the past statement as Fx Accounts was added since then, and admitted "it is totally dumb to do just 1 round of PBKDF". Note this is not PBKDF2, but PBKDF1 which is the same as hashing with SHA1. Yet the matter had been left, tho discussion itself had kept going on. THIS is the problem. If you take sth as a security matter, fix it. If you don't, remove the poor implementation which gives false sense of security. I'm not sure if it was the only case Fx left a security matter long time (my memory is not good).

    I have no interest in discussing each problem one by one. Other than aforementioned Twitter, I recommend to read what each browser's devs have been talking & doing (in Fx case, their Bugzilla & mozilla.dev.security). There's no other way to know how they take security. Your conclusion may differ, but you'll see why I said that.
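
The post above says one round of PBKDF1 is the same as hashing with SHA1, and contrasts it with PBKDF2-HMAC-SHA256. The following is an added example, not part of the post and not any browser's or password manager's code: it implements PBKDF1 as defined in RFC 8018 section 5.1 and compares the cost of one derivation against an iterated PBKDF2. The password, salt and the 100,000 iteration count are constructed values chosen for illustration.

```python
import hashlib
import time

SALT = bytes(range(16))        # constructed sample salt
PASSWORD = b"correct horse"    # constructed sample master password


def pbkdf1_sha1(password: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF1 (RFC 8018, section 5.1) with SHA-1: T1 = H(P || S), Ti = H(Ti-1)."""
    if iterations < 1 or dklen > 20:
        raise ValueError("need iterations >= 1 and dklen <= 20 for SHA-1")
    t = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.sha1(t).digest()
    return t[:dklen]


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 with HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)


def one_round_is_plain_sha1() -> bool:
    """With an iteration count of 1, PBKDF1 is exactly one SHA-1 over password || salt."""
    return pbkdf1_sha1(PASSWORD, SALT, 1) == hashlib.sha1(PASSWORD + SALT).digest()


def seconds_per_derivation(kdf, iterations: int, trials: int) -> float:
    """Average wall-clock time for one key derivation."""
    start = time.perf_counter()
    for i in range(trials):
        kdf(b"candidate-%d" % i, SALT, iterations)
    return (time.perf_counter() - start) / trials


def cost_ratio(iterations: int = 100_000) -> float:
    """How many times more work one iterated PBKDF2 derivation costs than one-round PBKDF1."""
    weak = seconds_per_derivation(pbkdf1_sha1, 1, 2000)
    strong = seconds_per_derivation(pbkdf2_sha256, iterations, 3)
    return strong / weak


if __name__ == "__main__":
    print("1-round PBKDF1 == SHA1(password || salt):", one_round_is_plain_sha1())
    print("PBKDF2 (100k iterations) costs about %.0fx more per derivation" % cost_ratio())
```

The ratio is a timing measurement, so the exact figure varies by machine; the point is the orders of magnitude between a single hash and an iterated derivation.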
     
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    That redirect is not because Chrome wants to do it, but because the site instructs to do so by e.g. mod_rewrite. I didn't know Fx didn't respect that, but quick search seems to suggest now Fx also redirects unless auto-completion (adding www for typed domain by default) interferes. Ofc there's another factor, HSTS.
    The redirection only matters if an attacker is actively monitoring your network to capture your first connection to the site, and the only true remedy is HSTS preload list. Such sites as banking should be included in the list, tho I know that is not always the case (this is why Https Everywhere still survives).
     
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    899
    Location:
    Member state of European Union
    One day there was a party and former admin of dormitory's network thought it is good idea to redirect all traffic to local http site telling people to go to that party. I used that to test how various browsers handle that and only Firefox was not redirected when I tried to visit banking site. Again, I copy-pasted full URL including https:// prefix to browsers from my KeePass database, so it was not only domain but also https:// prefix.
    I must admit that I used Firefox previously to visit my banking site.
     
  19. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    IDK what the admin did, in particular if he utilized captive-portal or not, but in this case it appears your last sentence may be relevant. In the aforementioned search I found somebody (a web master) telling that the browser cache was culprit for a non-redirect (I think the real culprit is TLS session ticket tho).
     
  20. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    318
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,517
    Location:
    Canada
    I believe the below javascript settings in Chrome-based browsers can eliminate the need for HTTPS Everywhere?

    Screenshot.png
     
  22. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    899
    Location:
    Member state of European Union
    When I said I previously visited website of my bank I meant at least one day ago. Do TLS session tickets live that long?

    This control becomes pain in the some part of body when somebody runs multiple profiles of web browser to limit cross-website tracking.
     
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    Sorry, I confused TLS session ticket with HSTS cache but they seem to be different. Anyway, web master determines how long they should be kept. But considering HSTS state can be used as super cookie, assume generally it lasts long.
    You can use multiple user.js, tho I admit maintaining them is still a pain.
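
The HSTS behaviour discussed in posts 17 and 23 (first-visit exposure, site-chosen cache lifetime, preload list), as an added example that is not part of any post: a minimal model of a browser's HSTS state following RFC 6797. `HstsStore`, `bank.example` and `other.example` are constructed names, and treating every preload entry as covering subdomains is a simplifying assumption.

```python
import re

DAY = 86400


class HstsStore:
    """Minimal model of browser HSTS state: preload list plus entries learned from headers."""

    def __init__(self, preload=()):
        self.preload = set(preload)   # hosts shipped with the browser
        self.learned = {}             # host -> (expiry_time, include_subdomains)

    def note_header(self, host, header, now, over_tls=True):
        """Record Strict-Transport-Security; RFC 6797 says to ignore it on plain HTTP."""
        match = re.search(r'max-age\s*=\s*"?(\d+)', header, re.I)
        if not over_tls or not match:
            return
        max_age = int(match.group(1))
        if max_age == 0:              # max-age=0 tells the browser to forget the host
            self.learned.pop(host, None)
            return
        subdomains = re.search(r"includeSubDomains", header, re.I) is not None
        self.learned[host] = (now + max_age, subdomains)

    def must_use_https(self, host, now):
        """True if the browser upgrades to HTTPS before any packet leaves the machine."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:   # assumption: preload entries cover subdomains
                return True
            entry = self.learned.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def scenario():
    """Walk through the cases raised in the thread; hosts and times are constructed."""
    bank = "bank.example"
    store = HstsStore()
    out = {"first_visit": store.must_use_https(bank, now=0)}
    store.note_header(bank, "max-age=31536000; includeSubDomains", now=0)
    out["next_day"] = store.must_use_https("login." + bank, now=DAY)
    out["after_expiry"] = store.must_use_https(bank, now=366 * DAY)
    store.note_header("other.example", "max-age=31536000", now=0, over_tls=False)
    out["http_header_ignored"] = store.must_use_https("other.example", now=1)
    out["preloaded_first_visit"] = HstsStore(preload={bank}).must_use_https(bank, now=0)
    return out
```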
     
  24. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,682
    Not really, as things like mod_rewrite don't rely on javascript. There may be sites using javascript for the redirect, but I don't think that is standard.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,517
    Location:
    Canada
    I tried to read about it and gave up after the first few sentences. Too complicated for me. All I know is the javascript site permissions I have in Chrome & Edge Chrome won't allow javascript to run on non-https sites.
     