[Secure-testing-team] Bug#827395: firefox-esr: Firefox-esr privacy invading defaults load beacons on 1st run
Ann Onymous
tempp2002-deb at yahoo.com
Wed Jun 15 18:00:09 UTC 2016
Package: firefox-esr
Version: 45.2.0esr-1~deb8u1
Severity: serious
Tags: security newcomer upstream
Justification: 2
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
On a fresh network install of Debian 8.5 and first run of firefox-esr,
the following hosts were contacted:
tiles.services.mozilla.com
ocsp.digicert.com
location.services.mozilla.com
tiles-cloudfront.cdn.mozilla.net
www.mozilla.org
cdn.optimizely.com
vassg142.ocsp.omniroot.com
cdn3.optimizely.com
www.googletagmanager.com
accounts.firefox.com
snippets.cdn.mozilla.net
clients1.google.com
www.google.com
shavar.services.mozilla.com
www.google-analytics.com
tracking-protection.cdn.mozilla.net
stats.g.doubleclick.net
self-repair.mozilla.org
* What exactly did you do (or not do) that was effective (or
ineffective)?
Changing the home page will stop some of this behaviour.
"Tracking protection" and "safe browsing" are also responsible for some of the traffic although I'm not suggesting that should be disabled by default.
Not all of the features responsible can be disabled from the application's prefences, users should be able to make a choice rather than maybe later discovering their privacy is broken by an obscure setting in about:config
* What was the outcome of this action?
Despair, Debian is the only OS I use which doesn't need modification to stop it making connections to the internet without an obvious user action. firefox-esr breaks this massively.
* What outcome did you expect instead?
A default browser which in default settings doesn't start tracking activities with Google or anyone else before I've even loaded a page.
-- Package-specific info:
-- Extensions information
Name: Default theme
Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled
Name: Firefox Hello Beta
Location: ${PROFILE_EXTENSIONS}/loop at mozilla.org.xpi
Status: enabled
-- Plugins information
-- Addons package information
ii firefox-esr 45.2.0esr-1~ amd64 Mozilla Firefox web browser - Ext
-- System Information:
Debian Release: 8.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages firefox-esr depends on:
ii debianutils 4.4+b1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18+deb8u4
ii libcairo2 1.14.0-2.1+deb8u1
ii libdbus-1-3 1.8.20-0+deb8u1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-3+deb8u1
ii libgcc1 1:4.9.2-10
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u5
ii libglib2.0-0 2.42.1-1+b1
ii libgtk2.0-0 2.24.25-3+deb8u1
ii libhunspell-1.3-0 1.3.3-3
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.7.1-1+deb8u1
ii libstartup-notification0 0.12-4
ii libstdc++6 4.9.2-10
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages firefox-esr recommends:
ii gstreamer1.0-libav 1.4.4-2
ii gstreamer1.0-plugins-good 1.4.4-2
Versions of packages firefox-esr suggests:
pn fonts-lmodern <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
pn libgnomeui-0 <none>
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u2
pn mozplugger <none>
-- no debconf information
More information about the Secure-testing-team
mailing list