Privacy made in Mozilla


The hunted

Mozilla, the well-known foundation publishing, among other things, Firefox, claims to be quite concerned about your privacy. Today I will question this noble intention, as the facts sometimes show a different reality. This matter was first shown to me by Aeris on Twitter, and after discussing this problem one more time, I decided a blog post would be useful. This post is an adaptation of a first post I made in French (I clarified some elements and added a few more). Some screenshots remain in French, but it should not be a big deal :)

The problem is present in both Firefox and Thunderbird. What makes these programs popular is, among other things, the possibility given to users to install add-ons that add new functionality to what is already present. To do so in Firefox, one has to go to the about:addons URL (or the Add-ons menu in Thunderbird). This menu, especially the Get Add-ons page, is in fact a web page downloaded from addons.mozilla.org. It can be seen here on a fresh Firefox account:



The issue is that this website uses the Google Analytics tracker. The latter will be downloaded through one of the menus of your software. To make it worse, popular ad-blocking and privacy-oriented add-ons like uMatrix and uBlock are disabled by default on any URI using the about: scheme! Privacy Badger does not seem to block it by default on this page either. I was able to configure it to block Google Analytics on one of my machines but was unable to reproduce it (if you find a way, please let me know). So here's fresh and juicy data for Google. We can see here the request to download the tracker script in Firefox's developer tools:

By default, it is not blocked by uBlock

Same with uMatrix.



To block it easily, use uBlock or uMatrix: go to the about:addons page and activate the add-on you prefer (in uMatrix, click on the On/Off button and save your changes by clicking on the padlock).

What about Thunderbird? The menu works the same way. The problem can be seen by looking at the DNS requests made by the software while launching and opening the menu:

		Jul  7 22:22:45 ShaftTesting-VM unbound: [1169:3] info: 127.0.0.1 services.addons.mozilla.org. A IN
		Jul  7 22:22:45 ShaftTesting-VM unbound: [1169:1] info: 127.0.0.1 services.addons.mozilla.org. AAAA IN
		Jul  7 22:22:47 ShaftTesting-VM unbound: [1169:3] info: 127.0.0.1 ocsp.digicert.com. A IN
		Jul  7 22:22:47 ShaftTesting-VM unbound: [1169:2] info: 127.0.0.1 ocsp.digicert.com. AAAA IN
		Jul  7 22:22:52 ShaftTesting-VM unbound: [1169:2] info: 127.0.0.1 live.mozillamessaging.com. A IN
		Jul  7 22:22:52 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 live.mozillamessaging.com. AAAA IN
		Jul  7 22:22:52 ShaftTesting-VM unbound: [1169:2] info: 127.0.0.1 addons.cdn.mozilla.net. A IN
		Jul  7 22:22:52 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 addons.cdn.mozilla.net. AAAA IN
		Jul  7 22:22:53 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 ocsp.usertrust.com. A IN
		Jul  7 22:22:53 ShaftTesting-VM unbound: [1169:1] info: 127.0.0.1 ocsp.usertrust.com. AAAA IN
		Jul  7 22:23:08 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 ssl.google-analytics.com. A IN
		Jul  7 22:23:08 ShaftTesting-VM unbound: [1169:1] info: 127.0.0.1 ssl.google-analytics.com. AAAA IN

No comment. To avoid it in Thunderbird, uBlock Origin is available: download it, then go to the options, click Show Dashboard, then open the Whitelist pane. Remove the about-scheme line and save.
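The same check can be automated over a resolver query log. The script below is an added example, not part of the original post: it parses unbound log lines in the format shown above, flags lookups that fall under a tracker domain, and prints a matching unbound `local-zone` rule. The blocklist and the function names are assumptions made for this example; the sample lines are copied from the log above.

```python
import re
from collections import OrderedDict

# Assumption for this example: domain suffixes we treat as trackers.
TRACKER_SUFFIXES = ("google-analytics.com",)

# unbound query-log line: "<date> <host> unbound: [pid:thread] info: <client> <qname> <qtype> <qclass>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+unbound: \[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)\s*$"
)

# Sample input: four of the lines from the Thunderbird log in the post.
SAMPLE_LOG = """\
Jul  7 22:22:45 ShaftTesting-VM unbound: [1169:3] info: 127.0.0.1 services.addons.mozilla.org. A IN
Jul  7 22:22:52 ShaftTesting-VM unbound: [1169:2] info: 127.0.0.1 addons.cdn.mozilla.net. A IN
Jul  7 22:23:08 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 ssl.google-analytics.com. A IN
Jul  7 22:23:08 ShaftTesting-VM unbound: [1169:1] info: 127.0.0.1 ssl.google-analytics.com. AAAA IN
"""

def is_tracker(qname, suffixes=TRACKER_SUFFIXES):
    """True if qname is a listed domain or a subdomain of one (label-aligned match)."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def find_tracker_queries(log_text):
    """Return {qname: {"first_seen", "client", "qtypes"}} for tracker lookups, in log order."""
    hits = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_tracker(m["qname"]):
            continue  # unparsable line or a non-tracker name
        entry = hits.setdefault(
            m["qname"].rstrip(".").lower(),
            {"first_seen": m["ts"], "client": m["client"], "qtypes": []},
        )
        if m["qtype"] not in entry["qtypes"]:
            entry["qtypes"].append(m["qtype"])
    return hits

def unbound_block_rules(suffixes=TRACKER_SUFFIXES):
    """unbound.conf server-clause lines answering NXDOMAIN for each domain and its subdomains."""
    return [f'local-zone: "{s}." always_nxdomain' for s in suffixes]

if __name__ == "__main__":
    for name, info in find_tracker_queries(SAMPLE_LOG).items():
        print(f'{info["first_seen"]} {info["client"]} -> {name} ({"/".join(info["qtypes"])})')
    print("\n".join(unbound_block_rules()))
```
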



The presence of this tracker in the software seems purely intentional on Mozilla's part. Since the page is downloaded from one of its websites, that website's privacy policy seems to apply. The use of Google Analytics is clearly mentioned. The fact that this tracker is opted in and placed in this particular menu (where users typically go right after installation, with no add-ons installed) makes the matter worse. I'm not a specialist on legal matters, but my guess is that, for European users, Mozilla will have to opt this tracker out in 2018 in accordance with the GDPR. I asked the uBlock dev to stop whitelisting about-scheme pages. He declined for now (it needs a lot of testing to make sure it won't break anything). Mozilla also gives a link to a Google add-on to deactivate Analytics. One of the best ways to get rid of those annoyances remains an entry in a hosts file or a lying DNS resolver (or a policy-implementing resolver, according to the DNS terminology). Last but not least, let's call this irony: