Firefox and Thunderbird phone home daily

[franzon]

http://blogs.zdnet.com/hardware/?p=2143

Several of you have emailed me to let me know of a Firefox and Thunderbird feature that you might not be aware of - both applications phone home on a daily basis.

Here?s the info as posted on Reddit:

I found this out a few days after I decided to start using Thunderbird and created strict firewall rules as a precaution.

I noticed that Thunderbird would, for no reason at all, sometimes try to contact a server over SSL. I looked up the ip address 63.245.213.32 and found it belonged to Mozilla.

On researching the problem further I found that the cause of the connection is a feature that cannot be disabled from any menu, only the about:config configuration page.

Look up extensions.blocklist.enabled for more information. It?s present in Firefox also and is enabled even if all the options are disabled through the menus.

What this tells Mozilla each day:

- IP address

- What time you were using the product

- What exact version number you were using

- If you are using any of the plugins or addons sent in the disabled list

- Total number of active users of their software

Firefox = Spyware:D :D

[DaveLegg Developer]

So... how else exactly is firefox/thunderbird supposed to check for updates without 'phoning home'??

[exotoxic]

i predict lots of "does it really matter" type replies... but if it was a microsoft app it would be like "omgz uninstall teh spywarez and sue micro$$$oft!1!111!!"

[+John Teacake MVC]

Seriously please stop using the internet if you are worried. It probably "Phones Home" as the term is given to check for updates. Also to verify the sites you browse in the Phishing filter. The information given is actually a given. Please tell me a site that doesn't know your IP address when you visit it. As for the rest of the information it sends its hardly anything personal is it. But then again Firefox will be branded as spyware as some idiots out there *sighs*

[Hurmoth]

So... how else exactly is firefox/thunderbird supposed to check for updates without 'phoning home'??

Agreed. What are people doing that they're so afraid of this information being reported back to Mozilla?

[zeroday]

Most of this is explained in their KB:

- IP address: Pretty obvious why this is sent along

- What time you were using the product: Not sure about this one, but seems harmless.

- What exact version number you were using: http://support.mozilla.com/fr/kb/Firefox+m...update_checking

- If you are using any of the plugins or addons sent in the disabled list: http://support.mozilla.com/fr/kb/Firefox+m...cklist_updating

- Total number of active users of their software: Not sure why they would need this, although it does seem harmless.

[dmd3x]

http://blogs.zdnet.com/hardware/?p=2143

Firefox = Spyware ? :D

This is stupid.

Tell that blogger to disable automatic updating. Any automatic updating will do that. And the reason it's SSL'd so that it doesn't download a fake update.

n00b

;)

[GEIST]

And the Captain Obvious of the Day Award goes to...

People who don't know the how their web bound software works and why it's necessary for some of them to phone home, and are concerned by that, should just get and stay offline. One would think that it's bloody obvious that checking for updates, be it manually or automatically, will involve phoning home.

[tsupersonic]

Another moronic article from zdnet. These people know absolutely nothing about technology.

[zhangm Supervisor]

Everyone is a hacker. :shifty:

STOPSURVINGTEHINTARNETSURRRGIVINGWEBSITESURIPADDRESSUZZZZ!

[callummr]

Better block Firefox from accessing the internet then.

:rolleyes:

[CelticWhisper]

i predict lots of "does it really matter" type replies... but if it was a microsoft app it would be like "omgz uninstall teh spywarez and sue micro$$$oft!1!111!!"

The reason for that is that Firefox is open-source whereas Microsoft programs are not. When one can look at the source code and find out exactly what information is being transmitted, it's easier to accept the behaviour because nothing is kept secret and, if it comes down to it, you can always just hack that part out of the source code and recompile. Compare this to the "black box" paradigm of Microsoft (and Adobe and Macromedia and Autodesk and Apple and Intuit and...) software and you need, at the minimum, a packet sniffer to figure out what's being sent, and sometimes cryptanalysis tools on top of that.

It's a matter of openness and transparency. Firefox has it. Microsoft products do not.

[Rappy Veteran]

Oh noes someone is watching what I do!1!1!1!

[arrrgh]

I just found out that when I click "find an update" or have similar feature set to check for updates automatically, virtually every software phones home. This is outrageous. I'm going to sue the internet.

[primexx]

the "exact time you used the software" is a bit excessive, the others I could see why.

[PL_ Veteran]

Firefox is open source anyway. If they are that concerned somebody could surely make a branch that removes the whole IP sending etc...

[DreadBoat89]

with so many people scared about software phoning home, especially when they don't know what's being sent, i could make good money selling tin foil hats

[rpgfan]

Firefox is open source anyway. If they are that concerned somebody could surely make a branch that removes the whole IP sending etc...

There are things like GhostFox, TorPark, etc.

I also am wondering about things like Debian Iceweasel or GNU IceCat that run on Linux and are based on Firefox. Oh, right... Those are updated via a package manager, a convenience that Windows doesn't have... They don't need to "phone home". :p

[revvo]

Since it's open source, just recompile it after removing the code that sends info to Mozilla. Problem solved.

Open Source Software maintainers have nothing to hide unlike a company like Microsoft.

[zerologic]

Funny how the person who posted this has an Internet Explorer 7 avatar. :laugh:

Actually doesn't Windows phone home to enable Windows Update to work? Is Windows Spyware? Ubuntu also 'phones home' to get updates, is it spyware.

Load of rubbish.

[redvamp128]

My guess is that they need to know the time of use of the product is probably to see the time from when the request was given for the updates and the time the either No Updates Available or that their is an update available. Possibly the addons in use is for the updates for them... not to mention if they have updates.

[Death Blade]

the "exact time you used the software" is a bit excessive, the others I could see why.

they need to know the time u use the software so that they can distribute the load for updates evenly.

[ViperAFK]

This article is fail.

[tiagosilva29]

So... how else exactly is Firefox/Thunderbird supposed to check for updates without 'phoning home'??

Agreed. What are people doing that they're so afraid of this information being reported back to Mozilla?

They don't. And that's kind of the point (read: bitch) of some people?* If you had read the quote on the blog entry it says: It's present in Firefox also and is enabled even if all the options are disabled through the menus.

The user does not want to automatically check for updates for $app, $addon, $searchengine. The application respects that (unless there's some restriction on either side or something...).

If your application is dealing with updates and statistics (total number of active users? lolwut), then it should prompt a dialog during the installation and inform the user of its intentions and the information that will be sent to the company and how it will be sent, and then the users chooses whether or not to allow it.

The entry is hardly moronic. The author is just blogging about a situation that is actually happening (doubts?) on which people emailed (read: bitched) him about; quotes what they are saying; provides information on how to probably solve the situation and doesn't really give a crap about the whole deal and asks for your comment. Hardly controversy bait.

The OP forgot to quote the last part of the blog entry: Personally, I’m not too fussed about this feature, but I can understand why some folks are getting hot under the collar*. Thoughts?

Funny how the person who posted this has an Internet Explorer 7 avatar. :laugh:

Actually doesn't Windows phone home to enable Windows Update to work? Is Windows Spyware? Ubuntu also 'phones home' to get updates, is it spyware.

You have to blame Ballmer on this, obviously. :p

And if I'm not mistaken, doesn't Windows and Ubuntu only "phone home" with the permission of the user? Ubuntu probably has setup as default to perform daily checks on (recommended/security) updates and only notifies. I think that the statistical part (used in the popularity section of the Add/Remove Application)is by default turned off? Correct me if I'm wrong.

There's a good post about it in the original fire, it seems:

I see your point and I wholeheartedly agree. However, there is a difference, even if it's only an ethical one, between willingly sending non-confidential data for a necessary service (over HTTP or any remote service) and having a software sending without notifying you or letting you know in any way the same data to the mother land.

All that being said, this is absolutely not a good reason to dust off your tinfoil hats people.

[The_Decryptor Veteran]

- IP address

- What time you were using the product

- What exact version number you were using

- If you are using any of the plugins or addons sent in the disabled list

- Total number of active users of their software

Firefox downloads the list, then blocks them client side, it's easier than on the server than a back and forth "Is this ok?" "yes" "Is this ok?" "no" "Is this ok?" "yes"

Even if it does report back you're using a disabled extension, the only ones disabled at the moment are plugins that cause crashes, extensions that cause crashes, and that 3rd party language pack that had remnants of ads in it.