What happens when you launch a fresh install of Firefox? I was curious, so I did so with version 68.0.2, and monitored my network activity.

Here's what I learned…
Note, this doesn't involve any interaction beyond opening the browser and waiting a few minutes.

What I found were dozens of requests, which loaded nearly 16 MB in data. Lets break down what I saw.
Let's first look at which endpoints were hit, and how often. Firefox launched with a mozilla.org tab opened in a blurred tab. Resources loaded from there would explain the 26 calls. Some of these other hosts should be familiar, if you've read my other browser threads.
The first 5 requests were for detectportal.firefox.com over the HTTP protocol. These are meant to detect public networks, like that available at the coffee shop. If the response does not contain 'success', it's a good indicator you're on a portal.
Next up were 2 identical requests for ocsp.digicert.com. OCSP is the Online Certificate Status Protocol, and is used to check for revocation of bad certs. I assume FF is testing its own certificate, since the browser opens with a Mozilla tab. No clue why it checked twice.
A call to snippets.cdn.mozilla.net is next. The path carries information about the device I am using: OS, 32 or 64 bit, lang, etc. The call redirects to 12 KB of JSON. Snippets are small messages displayed on the New Tab.
Two Remote Settings calls are made to the tiles.services.mozilla.com host. They are nearly identical bits of JSON. One is for the cfr provider, and the other is for cfr-fxa, per the github.com/mozilla/gecko/… resource. I have no remote settings, which explains ASR_RS_NO_MESSAGES.
A third "tiles.services.moz" call is made, with a different body. It contains a client_id. Along with it were a few other bits of data:

event=AS_ENABLED
locale=en-US
profile_creation_date=18134
region=UNSET
release_channel=release
topic=main
value=0
version=68.0.2
The mozilla.org tab discussing the importance of Privacy loads in the background, bringing along with it the Google Tag Manager and Google Analytics. Hello, Google.
It looks like we aren't done talking with Google either. Firefox makes its next move in downloading Safe Browsing bits from Google APIs. This is common among browsers today (Exception: @brave proxies the call through brave.com, keeping users out of Google's hands).
Next up, normandy.cdn.mozilla.net. Mozilla says it "…is a feature that allows Mozilla to change the default value of a preference for a targeted set of users, without deploying an update to FF." It returns a JSON file with a handful of URLs. Firefox will use these URLs at times.
In fact, part of the Normandy response included a URL for the classify-client action. Firefox makes a call for that next. The server returns a bit of JSON that specifies the users country, and a request time:

{"country":"US","request_time":"2019-08-26T02:41:45.823283Z"}
The Normandy work doesn't stop there. Next we see calls to firefox.settings.services.mozilla.com. Each with a different path. The first request carries the bits that make up the path for the second request. And the third looks like the Snippets file from earlier.
The last normandy response above then instructs Firefox to download numerous certificates from content-signature-2.cdn.mozilla.net.

At this point, Firefox takes a break and checks for available updates. It doesn't find any, so we get an XML response with an empty <updates> object.
Another Normandy call to retrieve settings is made. This one results in a large list of buckets or records; I'm not sure of the nomenclature here. Either way, we see numerous calls for more data made as a result. For instance, "Have I Been Pwned" data is retrieved.
After a few more normandy calls, we now see a request to the aus5 sub on mozilla.org. This also passes device information, resulting in an XML response containing addons to download/install. The OpenH264 addon is requested over HTTP. I hope they do integrity checking!
Also, it looks like these identical files are being downloaded twice. Is it a coincidence that Firefox opens with 2 tabs, and makes 2 identical calls?

The 2nd addon is WideVine. This is requested directly from Google's gvt1.com domain. Hello again, Google.
Firefox has been open for a few minutes, and Mozilla would like to know about me, my machine, and how I have Firefox configured. 37,097 bytes of information are sent to incoming.telemetry.mozilla.org.
Of all browsers I've reviewed recently, Firefox is one of the most active upon installation. I think it may be the only one to immediately collect telemetry data too.

I would like to see them proxy calls to Google endpoints, and avoid the initial mozilla.org tab.
That pretty much covers what Firefox does when you first run the browser after installation.

If you enjoyed this thread, see the others I did on Opera, Vivaldi, Brave, Dissenter, and Chrome.

Take care!

I also reviewed Google Chrome, for those interested:

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sampson

Sampson Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jonathansampson

27 Aug 19
Curious what happens when Safari launches with a new profile? Me too, so I fired up a proxy, and watched.

Here is what I found…
To kick this thread off, lets take a close look at that initial loading screen. For setup, I temporarily set aside the Library/Safari folder, thus giving myself a fresh profile on the subsequent launch. Check out those icons. Where do you think they're hosted/stored?
Safari launches with default 'favorites', each represented by a favicon. I assumed these would be local resources—I was wrong. Here's a look at the structure of requests produced by the proxy application. You'll notice overlaps between hosts and earlier favicons.
Read 14 tweets
27 Aug 19
What happens when you install the Edge (Chromium) Beta build and run it for the first time? I was curious.

On first-run, Edge fired off 130+ requests to nearly 50 endpoints. Here they are, sorted by total calls.

Time to take a closer look.
Here are all of the sessions for the 4 minutes or so I let the browser run. I see numerous connections to MSFT properties, but connections to non-MSFT properties too: Google APIs, Google, Double Click, Google Ad Services, Facebook, Twitter Ads, and more.
I should note, right from the start, that Edge knows more about me than any other browser can during the first-run experience. It gets this insight from Windows. As such, I'll pay closer attention to what it shares, and with whom.
Read 25 tweets
25 Aug 19
What happens when you launch Google Chrome for the first time on a Windows 10 machine?

When I launched Google Chrome for the first time (and let it sit for a minute), 32 requests were made, and 7.26 MB of data downloaded.
The first call Chrome makes is to the googleapis domain. It passes my OS type, browser channel (Stable), and version (v76) along. The response is 32KB of flags, features, and more. Not clear what they all do (as many can't be found in Chromium source) but some are fairly clear.
The next call appears to try and communicate with the Google accounts server (already trying to pair me with a profile?). This call is to accounts.google.com, for the /ListAccounts path. The endpoint responds with ["gaia.l.a.r",[]], meaning no account was found (AFAIK).
Read 16 tweets
24 Aug 19
The next browser I'd like to inspect is @brave. During the initial run, we can see about 23 calls; all of which go to the brave.com domain.

Below is an image of these sessions, sorted by descending response size. I'll break down these calls in the next Tweet.
The first call is for the integrated Tor client. Second is Brave's internal bits for content-blocking. The third call to brave-core-ext.s3.brave.com is for the HTTPS Everywhere integration. Lastly, a couple lines down, is the updater for local Tracking Protection files.
Two calls are made to static.brave.com near the top; these proxy the request for Safe Browsing bits. This is one thing you'll notice with Brave; it proxies requests when possible so as to mask user details. We see this with the static1 calls further down (updating plugins)
Read 8 tweets
24 Aug 19
Next up, the Dissenter browser. This browser is a recent fork of @brave; their first-run is nearly identical to what you'd see in slightly older builds of Brave. What sets them apart is their built-in Dissenter extension. As such, I'm going to check its network activity too.
As I stated in the previous Tweet, Dissenter is a fork of Brave. As such, their first-run experience consists largely of internal resources. Most of the initial network activity comes when you open their extension UI.

Calls to brave, YouTube, Twitter, FontAwesome, Google & more.
The call to crxdownload.brave.com is for the PDF.js extension, IIRC. Initial call to safebrowsing.brave.com gets them the Safe Browsing list (via the Brave proxy to mask end users).
Read 8 tweets
24 Aug 19
Curious what happens when you fire up a web browser for the first time? Me too. I often do this for @brave to make sure things are staying neat and tidy.

Today I would like to do it for a few other web browsers. First, let's take a look at Opera.
Launching Opera (and leaving it in its default state for a few minutes) resulted in the following calls being made.

Calls to opera and operacdn made sense. But 19 calls to yandex.ru was a surprise. Note also Amazon, FB, Walmart, Kayak, Ebay, Ali Express, and more.
Some of these are fairly heavy calls too; here's a subset ordered by their response size (descending). Overstock sets a dozen cookies. Amazon, Kayak, Ali Express, and more set me up with novel session IDs as well. Google is there too. Ready to monitor my movement across the Web.
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!