Odd Firefox phoning home (Linux) SOLVED

[Grumpus]

What is observed:
Opening Firefox it sends a signal to an IP number identified as Amazon.
Blocking outbound to the one IP only causes another to take it's place. (Blocking in both directions with outbound first)
I figured this is something to do with Tracking and played with different settings to see if it could be stopped,no change.
The varying IPs are definitely called by Firefox first and occurs with each page change.
If in a location for a short period the signal goes out again without a page change.
Usually there are a half dozen or more hits varying in size and eating a half KB to more.
It would not be so much of an issue except it is unidentified and seems to occur with every page change and does not appear to be phishing protection.
this is typical: 54.192.19.56:80 = <---both directions 5 <----hits 776 - <----Bytes

Concern is this appears to be a form of tracking regardless of tracking on or off?

[DanRaisch]

There are a good number of explanations other than tracking. https://support.mozilla.org/t5/Protect- ... /ta-p/1748

[Grumpus]

Thanks Dan, most of the things on the Mozilla list had already been dealt with but I did add a couple with no change.
A restart after changes did nothing to stop the out call, also getting some different than normal IP numbers for some bookmarks.
This may be something else altogether, going to continue to block the IPs as they show up.

[Reflective]

Nothing to be concerned about. It could be due to your AV checking for updates such as when the company you got it from uses Amazonaws server storage.

The IP address you posted resolves to server-54-192-19-56.iad12.r.cloudfront.net Cloudfront is an Amazon company.

Install Decentraleyes to help you maintain your privacy.

[mightyglydd]

What is observed:
Opening Firefox it sends a signal to an IP number identified as Amazon.

See here..
http://forums.mozillazine.org/viewtopic ... #p14717527

[Grumpus]

@Reflective, Thanks, Linux doesn't use any AV products except for mail, usually just multiple layers of various security measures.
Blocking both cloudfront and amazonaws IPs apparently doesn't work as it's something embedded in Firefox which is calling home.
Doesn't happen in SeaMonkey or Midori and just started with this latest Firefox 52 adjustment update.
Same issue with Ubuntu Firefox install so it has to be something embedded.
Both were supposed to be updates for security fix and this might be it but it seems odd.
If it was up to me I'd shut down AWS until they got their ship in order, there's something wrong with this bunch.

[Reflective]

Maybe this will help: https://support.mozilla.org/t5/Protect- ... /ta-p/1748

[Grumpus]

@Reflective - Unfortunately that page only goes to Firefox 51 (suggested by Dan) and I've now covered everything listed and a lot more.
I went through the entire about:config and pref.js to see if I could find it. Still makes the call to an AWS ip.
I reiterate this did not occur before the second 52 update and did not occur with 51.
This new outcall is from a second update of Firefox 52 for Linux, both Ubuntu and Linux Mint are making the calls.
This latest update was supposed to be a security fix.
It wouldn't be so bad if it was once a session but it appears too frequently at two different quantity levels.
It's too much like a tracker or info grab like telemetry or something else which should be able to be blocked in the GUI.
Good or bad is not the issue it's just pinpointing what it is and what it's purpose is.
Mozilla is not paying for my bandwidth and my calculations, though it may seem minimal to some is over several Mb of decrease in my monthly allotment each online session.
Some of us do not have unlimited data plans. Makes it a little hard for testing, updates and constant browser updates.
Trying to deal with Fedora I killed two months worth of data and time because some genius didn't allow for a switch to turn off update info downloads.

[Mrere]

captivedetect.canonicalURL may be the culprit.

[Grumpus]

That's the critter.
Lookup put "detectportal.firefox.com." squarely on the AWS IP.
Now I have to figure out if it's blockable or if it should be.
Thank You very much. Mrere

Edit after changes, Closed Firefox and logged system offline. Still hit with AWS ips but different.
Changes made:
captivedetect.maxRetryCount;0
captivedetect.canonicalURL; (made blank)
captivedetect.canonicalContent; (made blank)
captivedetect.maxWaitingTime;(made blank)
captivedetect.pollingTime;0
network.captive-portal-service.enabled;false
network.captive-portal-service.backoffFactor;
network.captive-portal-service.maxInterval;0
network.captive-portal-service.minInterval;0

Consideration seems to lean towards not necessary for my form of access as there is no visible preliminary page for connection.
Dedicated setup.

[therube]

Wikipedia: Captive portal

[Andr4s]

Hello,

Do you have a conclusion, what causes the connections to the Amazon servers?
We use a proxy server and I see a lot of denied messages to the IPs listed above on our firewall. At least FF should connect via the proxy... At start-up the browser hangs for seconds and I suppose this is one of the cause.

Andras

[Grumpus]

Some of this is cloud based for legitimate reasons.
Data reporting, telemetry, Firefox Health report, updating, certificates, and in some cases various interested parties as in tracking.
Advertising, hacks and any number of other detritus, each AWS or Azure related IP in the cloud could be involved.
In my opinion claims the cloud is secure seems to be a load when you consider cloud providers haven't been too concerned with the clients activities unless someone who they might listen too takes them to task for it.
There was a lot of discussion in the early stages of the cloud implementation and there was a much negative as there was positive.
Exchanges of scientific and medical information into a cloud database can be a good thing as long as the cloud isn't compromised and the data re-edited to do harm.
As it is in all things, the interpretation and the literal can be modified to suit purpose.

[MZnube]

Some of this is cloud based for legitimate reasons.
Data reporting, telemetry, Firefox Health report, updating, certificates, and in some cases various interested parties as in tracking.
Advertising, hacks and any number of other detritus, each AWS or Azure related IP in the cloud could be involved.
In my opinion claims the cloud is secure seems to be a load when you consider cloud providers haven't been too concerned with the clients activities unless someone who they might listen too takes them to task for it.
There was a lot of discussion in the early stages of the cloud implementation and there was a much negative as there was positive.
Exchanges of scientific and medical information into a cloud database can be a good thing as long as the cloud isn't compromised and the data re-edited to do harm.
As it is in all things, the interpretation and the literal can be modified to suit purpose.

FWIW, I just searched about:config for "https:" and set all the strings to a blank string. Then I don't get any mysterious connections as far as I can tell.
This is on FF 55 on Windows.

[Grumpus]

@MZnube - there are a number of important strings in about:config for various malware spoofing and other security reasons. To just blank all the strings without any knowledge or consideration for what they may be for will not benefit your operation of Firefox. There are some strings which may be an issue and if some services are not used these also.
However you might want to review each of the https strings you blanked and if security or protection right click on the item and hit reset.
If the items and strings were bold they might also be related to extensions or changes made so be careful.
I hope you took notes.