Privacy made in Mozilla
Mozilla, the well-known foundation publishing - among other things - Firefox, pretends to be quite concerned about your privacy. Today I will question this noble intention as facts sometimes show a different reality. This matter was first shown to me by Aeris on Twitter and after discussing this problem one more time, I decided a blog post shoud be useful. This post is an adaptation from a first post I made in French (I clarified some elements and add a few more). Some screenshots remain in French, but it should not be a big deal :)
So the problem is present in both Firefox and Thunderbird. What makes these softwares popular is, among other things, the possibility given to users to install add-ons to add new functionnalities to the ones already present. To do so in Firefox, one have to go on the
about:addons URL (or the
Add-ons menu in Thunderbird). This menu, especially the
Get Add-ons page, is in fact a Web page downloaded from
addons.mozilla.org. It can be seen here on a fresh Firefox account :
The issue is that this web site uses the Google Analytics tracker. The latter will be downloaded through one the menu of your software. To make it worse, popular adblocker/privacy caring add-ons like uMatrix and uBlock are disabled by default on any URI using the
about: scheme ! Privacy Badger does not seem to block it either by default on this page. I was able to configure it to block Google Analytics on one my machine but was enable to reproduce it (if you find a way, please let me know). So here's fresh and juicy data for Google. We can see here the request to download the tracker script in Firefox's developer tools :
By default, it is not blocked by uBlock
Same with uMatrix.
To block it easily, use uBlock or uMatrix, go to the
about:addons page and activate the add-ons you prefer (on uMatrix, click on the On/Off button and save your changes by clicking on the padlock).
What about Thunderbird ? The menu works the same way. The problem can be seen by looking at the DNS requests made by the software while launching and opening the menu :
Jul 7 22:22:45 ShaftTesting-VM unbound: [1169:3] info: 127.0.0.1 services.addons.mozilla.org. A IN Jul 7 22:22:45 ShaftTesting-VM unbound: [1169:1] info: 127.0.0.1 services.addons.mozilla.org. AAAA IN Jul 7 22:22:47 ShaftTesting-VM unbound: [1169:3] info: 127.0.0.1 ocsp.digicert.com. A IN Jul 7 22:22:47 ShaftTesting-VM unbound: [1169:2] info: 127.0.0.1 ocsp.digicert.com. AAAA IN Jul 7 22:22:52 ShaftTesting-VM unbound: [1169:2] info: 127.0.0.1 live.mozillamessaging.com. A IN Jul 7 22:22:52 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 live.mozillamessaging.com. AAAA IN Jul 7 22:22:52 ShaftTesting-VM unbound: [1169:2] info: 127.0.0.1 addons.cdn.mozilla.net. A IN Jul 7 22:22:52 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 addons.cdn.mozilla.net. AAAA IN Jul 7 22:22:53 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 ocsp.usertrust.com. A IN Jul 7 22:22:53 ShaftTesting-VM unbound: [1169:1] info: 127.0.0.1 ocsp.usertrust.com. AAAA IN Jul 7 22:23:08 ShaftTesting-VM unbound: [1169:0] info: 127.0.0.1 ssl.google-analytics.com. A IN Jul 7 22:23:08 ShaftTesting-VM unbound: [1169:1] info: 127.0.0.1 ssl.google-analytics.com. AAAA IN
No comments. To avoid it in Thunderbird, uBlock Origin is available : download it then go in the options, click
Show Dashboard then on the Whitelist pane. Remove the
about-scheme line and save.