Firefox sends data to Google by default. Here's how to prevent it

Miloslav Voloskov (mvoloskov) ・4 min read

TL;DR: about:config → browser.safebrowsing → disable everything

The name “Mozilla”, and the Firefox browser in particular, is perceived as caring about your privacy. While they claim they don’t buy or sell user data directly, there is still some stuff under the hood that I consider shady.

Mozilla in their FAQ claims they don’t buy or sell your data

Look! Firefox serves their logo from an address beginning with “chrome”! Have they silently switched to Chromium, which sends your IP to Google on startup?

Firefox serves their logo from an address beginning with “chrome”

What?

Firefox using chrome:// somewhere in their browser may be suspicious, but there is something straight up alarming ahead.

According to the Mozilla forum, there is a thing called Google SafeBrowsing that “has been a part of Firefox for a very long time”. This thing is essentially a catalogue of unwanted websites and software that Mozilla is striving to protect you from.

The problem is that every website you visit is checked against Google’s service by the very nature of how the aforementioned protection mechanism works. This may be a huge problem for those who are switching to Firefox to escape Google.

Even if Google can’t acquire your IP while performing the check-up (which I doubt), with the sheer amount of data they have it’s trivial to tie your requests to your identity.

The solution

  1. Type about:config in your address bar. You’ll end up on the advanced settings page.
  2. Type browser.safebrowsing in the search bar at the top.
  3. You’ll see the URLs of Google’s services. Replace every single URL with https://127.0.0.1. Disable everything you can by switching true to false.

This is how I set things up:

Parameter Value
browser.safebrowsing.allowOverride false
browser.safebrowsing.blockedURIs.enabled false
browser.safebrowsing.debug false
browser.safebrowsing.downloads.enabled false
browser.safebrowsing.downloads.remote.block_dangerous false
browser.safebrowsing.downloads.remote.block_dangerous_host false
browser.safebrowsing.downloads.remote.block_potentially_unwanted false
browser.safebrowsing.downloads.remote.block_uncommon false
browser.safebrowsing.downloads.remote.enabled false
browser.safebrowsing.downloads.remote.timeout_ms 15000
browser.safebrowsing.downloads.remote.url https://127.0.0.1
browser.safebrowsing.id null
browser.safebrowsing.malware.enabled false
browser.safebrowsing.passwords.enabled false
browser.safebrowsing.phishing.enabled false
browser.safebrowsing.prefixset_max_array_size 524288
browser.safebrowsing.provider.google.advisoryName Google Safe Browsing
browser.safebrowsing.provider.google.advisoryURL https://127.0.0.1
browser.safebrowsing.provider.google.gethashURL https://127.0.0.1
browser.safebrowsing.provider.google.lists (empty list)
browser.safebrowsing.provider.google.pver 2.2
browser.safebrowsing.provider.google.reportMalwareMistakeURL https://127.0.0.1
browser.safebrowsing.provider.google.reportPhishMistakeURL https://127.0.0.1
browser.safebrowsing.provider.google.reportURL https://127.0.0.1
browser.safebrowsing.provider.google.updateURL https://127.0.0.1
browser.safebrowsing.provider.google4.advisoryName Google Safe Browsing
browser.safebrowsing.provider.google4.advisoryURL https://127.0.0.1
browser.safebrowsing.provider.google4.dataSharing.enabled false
browser.safebrowsing.provider.google4.dataSharingURL https://127.0.0.1
browser.safebrowsing.provider.google4.gethashURL https://127.0.0.1
browser.safebrowsing.provider.google4.lastupdatetime 1603739550029
browser.safebrowsing.provider.google4.lists (empty list)
browser.safebrowsing.provider.google4.nextupdatetime 1603741356029
browser.safebrowsing.provider.google4.pver 4
browser.safebrowsing.provider.google4.reportMalwareMistakeURL https://127.0.0.1
browser.safebrowsing.provider.google4.reportPhishMistakeURL https://127.0.0.1
browser.safebrowsing.provider.google4.reportURL https://127.0.0.1
browser.safebrowsing.provider.google4.updateURL https://127.0.0.1
browser.safebrowsing.provider.mozilla.gethashURL https://127.0.0.1
browser.safebrowsing.provider.mozilla.lastupdatetime 1603739273301
browser.safebrowsing.provider.mozilla.lists (empty list)
browser.safebrowsing.provider.mozilla.lists.base moz-std
browser.safebrowsing.provider.mozilla.lists.content moz-full
browser.safebrowsing.provider.mozilla.nextupdatetime 1603742873301
browser.safebrowsing.provider.mozilla.pver 2.2
browser.safebrowsing.provider.mozilla.updateURL https://127.0.0.1
browser.safebrowsing.reportPhishURL https://127.0.0.1
services.sync.prefs.sync.browser.safebrowsing.downloads.enabled false
services.sync.prefs.sync.browser.safebrowsing.downloads.remote.block_potentially_unwanted false
services.sync.prefs.sync.browser.safebrowsing.malware.enabled false
services.sync.prefs.sync.browser.safebrowsing.phishing.enabled false
browser.safebrowsing false
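
To check that the changes above actually stuck, the sketch below audits the text of a profile's prefs.js (or a user.js), where overridden settings are stored as user_pref("name", value); lines. It is an added example, not part of the original post; the sample input is constructed, updates.example.test is a placeholder host, and the short list of switches is an assumption taken from the table.

```python
import re
from urllib.parse import urlparse

# One line of prefs.js / user.js looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')
# Switches from the table above that should read false after the change.
MUST_BE_FALSE = [
    "browser.safebrowsing.malware.enabled",
    "browser.safebrowsing.phishing.enabled",
    "browser.safebrowsing.downloads.enabled",
    "browser.safebrowsing.downloads.remote.enabled",
    "browser.safebrowsing.blockedURIs.enabled",
]
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Constructed sample, not taken from a real profile.
SAMPLE = '''\
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", true);
user_pref("browser.safebrowsing.downloads.remote.url", "https://127.0.0.1");
user_pref("browser.safebrowsing.provider.google4.updateURL", "https://updates.example.test/v4");
user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "1603739550029");
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref line; values are bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.group(1), m.group(2).strip()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif re.fullmatch(r"-?\d+", raw):
                prefs[name] = int(raw)
            else:
                prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """List (pref, problem) pairs for Safe Browsing prefs that still allow remote calls."""
    prefs, findings = parse_prefs(text), []
    for name in MUST_BE_FALSE:
        if name not in prefs:
            # prefs.js stores only values changed from the default
            findings.append((name, "not overridden, default applies"))
        elif prefs[name] is not False:
            findings.append((name, "still enabled"))
    for name, value in sorted(prefs.items()):
        is_url = name.startswith("browser.safebrowsing.") and name.lower().endswith("url")
        if is_url and isinstance(value, str) and value and urlparse(value).hostname not in LOOPBACK:
            findings.append((name, "points to " + value))
    return findings
```

Calling audit() on the contents of your own prefs.js returns an empty list only when every listed switch is explicitly false and every Safe Browsing URL points at loopback.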

Additional steps

You can also consider disabling the following. Those are DRM options, geolocation and telemetry reports:

  • toolkit.telemetry.enabled
  • datareporting.healthreport.service.enabled
  • datareporting.healthreport.uploadEnabled
  • media.eme.enabled
  • media.gmp-eme-adobe.enabled
  • browser.pocket.enabled
  • geo.enabled

Today I learned

  • Chromium is not private at all
  • Firefox sends data to a Google service by default
  • Firefox uses chrome:// in their browser’s code just like Chromium-based browsers

Always doubt the defaults.

Discussion (4)

Valts Liepiņš

Can't comment on the safebrowsing portion, but the chrome:// URI is not related to any Google product. "Chrome" is what web browsers call the UI that is part of the browser itself, which is not the rendered website.
developer.mozilla.org/en-US/docs/M...

James Turner

Ummm, it doesn't look like the safe browsing logic is done via sending URLs to Google as you visit websites. What it looks like instead is that Google is queried for a "threat list" every 30 minutes (based on the timestamps I'm seeing in my about:config) where this list is checked directly for corresponding URLs. Only when new URLs are reported by you could Google be aware what you visited.

It does mean that Google would know your IP address and maybe User-Agent (if Firefox sends it for such a background request) but shouldn't know any specific website you visit. So Google might be able to infer general information about your system (if the User-Agent is sent) and the fact that you use Firefox (I assume the API key that it is using is a single one tied to Mozilla) - this is far less than Google being told every website you visit from a privacy point-of-view.

If you are especially concerned with privacy, I'd suggest going as far as to enable privacy.resistFingerprinting rather than disabling half the options you have.

Miloslav Voloskov Author • Edited

Thanks! But I’m still concerned that Firefox visits a Google service every 30 minutes by default and it’s not an opt-in feature. I bet if it was opt-in, its adoption would be like 2%.