What various browsers call upon initial launch

There's an interesting series of tweets from Mr Sampson who investigated each browser's communication when it was launched first time.
https://twitter.com/jonathansampson

 

Links to each browser (a bit old and not comprehensive) are here.

 

Microsoft Edge makes 130+ requests to almost 50 endpoints when first launched
August 29, 2019
https://www.theinquirer.net/inquire...ts-to-almost-50-endpoints-when-first-launched

 

I'm sure Pale Moon does better than Firefox.
I hope even better than Brave.

 

Is this the same report that was done by the "brave" browser company employee?

 

He did stated he works for Brave when someone replied.
But so far I haven't seen that as reason to invalidate the report.
He posted images for his reports. And I assume other researchers should be able replicate the test to see if it's accurate or not.

 

Yes, this truly is riduculous. How about a browser that makes zero connections to servers that are not related to websites visited by the user? And make no mistake, all browsers do this, you will also see it with Firefox and Vivaldi.

 

to mention extensions.Firefox dont make unwanted connections which are related to websites or user action. (not sure about the recommended extension section)

 

I don't think all connections are problem. What's informative is now we can roughly see what each browser communicate and where they do.

I'm not sure what you mean, but Fx itself makes dozens of unwanted (at least to some users) connections until user turn them off as mentioned in OP. It's a relatively talkative browser by default, but at least gives user some control.

 

please read again

thats the point. as written before firefox updates its own data such as safelist, blocklists etc. also telemetrie which is opt-out in total with prefs - same for safelist or blocklists (last could be dangerous because it makes firefox vulnerable)
at least you can cut down firefox so extremly hard and bad it wont work proper or would crash in many reasons.
anyhow - firefox has the options, chrome/chromium, edge and others dont have any option for most of this - nothing.

as i recommended some1 before - create or compile your own piece of browser if you are able to do this. we can talk about this and that but personal issues dont belong to here as they should be send to authors. and then they should be valid, not based on personal animosity

 

Since I've been running Chrome-Edge beta for months, I have no idea about connections made at first ever launch, but after setting my firewall to log allowed connections and clearing its events, I opened edge to wilderssecurity and after 1 minute there're only a few connections made, notably to:

Code:

Google (ipv6 protocol)
edge.microsoft.com
config.edge.skype.com
nav.smartscreen.microsoft.com

That's it. I can reproduce this repeatedly. I'm using uBlockO extension and there are 15 domain blocking rules in my firewall.

 

Okay, I see. And that is why I wrote "it gives user some control". I have to say it's unfortunate that none of Fx folks are much attractive and none of Chromium folks gives user good control. Mozilla doesn't prioritize security very much (this one will be famous, and tweets from CopperheadOS were also good read) and focusing more on performance and adding features, but anyway we have to choose from available ones.

 

and how does an article from early 2018 apply today?
and one thing is complete wrong - no password is stored as plain text, never. thats why people need always 2 files to decrypt - and in case of master-pw it needs some pretty new hardware and some software to decrypt - and ofc physical access to such files. i would say that any keylogger could get it faster - on "0wn3d" machines.

are the more proof of evidence? ofc palant write a lot during the day, this includes also bs liek any people writing a lot.
in this case palant as developer from adblock plus owned by Eyeo ist not that trustworthy as firefox, not even close. offering "acceptable ads" and maybe some more it probably undermines firefox security where people think they are save.

 

That's because people generally want performance and compare browsers based on that. When it comes to security of connections few years ago Firefox was handling them far more secure than Chrome. Chrome could be redirected to other domain when you typed domain prefixed by https://. Firefox would not do that - it would display error page, which is proper, secure way of handling connections when somebody typed full URL to https site including https:// and something in network redirects to other domain. I don't know about how Chrome/Chromium behaves today, but without evidence it changed I would not trust this browser to connect to my banking site.

 

i would - but not chrome instead chromium which is open source while chrome is not. but that is not a general matter for me, i did banking with chromium, but firefox is my preferred browser. i wont trust opera this way round ^^

 

I didn't bother to read the article. I remember the bug but didn't about the bug page so just posted the first-found one on search, but it seems nobody said Fx stores passwords in plaintext? What is completely wrong in the article is LastPass part: they use PBKDF2-HMAC-SHA256, not SHA256.

You misunderstand what is the problem. Chromium doesn't have master password at all, which brought much discussion at the time, but Chromium devs clearly stated why: long story short, it's a matter of a threat model. So, though my PERSONAL stance is closer to Fx's one (i.e. master pwd is still better than nothing, tho one shouldn't keep important info in any browser), I now don't question Chromium's practice because I understand security is always relative to threat modeling. One Fx dev also stated he wanted to remove the master pwd, as he knew "removing the feature is better than having a poor implementation of it". But 6y ago he withdrew the past statement as Fx Accounts was added since then, and admitted "it is totally dumb to do just 1 round of PBKDF". Note this is not PBKDF2, but PBKDF1 which is the same as hashing with SHA1. Yet the matter had been left, tho discussion itself had kept going on. THIS is the problem. If you take sth as a security matter, fix it. If you don't, remove the poor implementation which gives false sense of security. I'm not sure if it was the only case Fx left a security matter long time (my memory is not good).

I have no interest in discussing each problem one by one. Other than aforementioned Twitter, I recommend to read what each browser's devs have been talking & doing (in Fx case, their Bugzilla & mozilla.dev.security). There's no other way to know how they take security. Your conclusion may differ, but you'll see why I said that.

 

That redirect is not because Chrome want to do, but because the site instructs to do so by e.g. mod_rewrite. I didn't know Fx didn't respect that, but quick search seems to suggest now Fx also redirects unless auto-completion (adding www for typed domain by default) interferes. Ofc there's another factor, HSTS.
The redirection only matters if an attacker is actively monitoring your network to capture your first connection to the site, and the only true remedy is HSTS preload list. Such sites as banking should be included in the list, tho I know that is not always the case (this is why Https Everywhere still survives).

 

One day there were a party and former admin of dormitory's network thought it is good idea to redirect all traffic to local http site telling people to go to that party. I used that to test how various browsers handle that and only Firefox was not redirected when I tried to visit banking site. Again, I copy-pasted full URL including https:// prefix to browsers from my KeePass database, so it was not only domain but also https:// prefix.
I must admin that I used Firefox previously to visit my banking site.

 

IDK what the admin did, in particular if he utilized captive-portal or not, but in this case it appears your last sentence may be relevant. In the aforementioned search I found somebody (a web master) telling that the browser cache was culprit for a non-redirect (I think the real culprit is TLS session ticket tho).

 

I use a firewall called xSOS Firewall https://www.xsossoftware.com/en/product-overview/ and the required IP database, with it I can run a trace to see what a browser connects to at start up among other things. I ran two traces one for Brave and only one extension LastPass so some of the connections will be due to it, and for a fresh install of Firefox with no extensions, here are the results:

https://i.postimg.cc/8PhPP7xX/Trace.jpg

https://i.postimg.cc/cHkbBBz4/Firefox.jpg

 

I believe the below javascript settings in Chrome-based browsers can eliminate the need for HTTPS Everywere?

 

When I said I previously visited website of my bank I meant at least one day ago. Does TLS session tickets live that long?

This control becomes pain in the some part of body when somebody runs multiple profiles of web browser to limit cross-website tracking.

 

Sorry, I confused TLS session ticket with HSTS cache but they seems to be different. Anyway, web master determines how long they should be kept. But considering HSTS state can be used as super cookie, assume generally it lasts long.

You can use multiple user.js, tho I admit maintaining them is still a pain.

 

Not really, as things like mod_rewrite don't rely on javascript. There may be sites using javascript for the redirect, but I don't think that is standard.

 

I tried to read about it and gave up after the first few sentences. Too complicated for me. All I know is the javascript site permissions I have in Chrome & Edge Chrome won't allow javascript to run on non-https sites.