Firefox and Thunderbird phone home daily



I do not see what the fuss is over the fact that Mozilla products report back to the company in this regard. If it weren't for software "phoning home", there would be no such thing as "update checks" or "automatic updates". If you have a problem with this behavior, stop using the software or block the outbound traffic on your firewall/router/tinfoil hat and call it a day.

I am sure if Microsoft did this, people would be following random guides on disabling this feature. Because it is firefox, no one really cares... double standard.

in the end.. who cares. It checks for updates, and that is good enough.

I've actually dealt with this "feature" on OS X. In order to comply with some absurd legal requirements for public-accessible kiosks, I've had to route all browser traffic through a proxy which requires Kerberos authentication. After disabling automatic updates to Firefox, addons, and extensions, Kerberos prompts continued to spawn. I went into about:config and replaced all instances of external addresses with http://127.0.0.1/, which seemed to fix it.
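A way to check that kind of lockdown from outside the browser, as an added example that is not part of the original post: the script parses `user_pref(...)` lines in the format Firefox writes to a profile's `prefs.js` or `user.js` and reports every override whose value is still an http(s) URL on a non-loopback host. The sample profile text and its `example.invalid` URLs are constructed, and because `prefs.js` only stores prefs changed from their defaults, this verifies overrides and does not discover built-in default endpoints.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One user_pref("name", value); statement per line, as in prefs.js / user.js.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$'
)


def parse_prefs(text):
    """Return {pref_name: value} for string, boolean and integer prefs."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # comment lines ("//", "#") never match
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                continue  # unrecognised literal, skip it
        prefs[name] = value
    return prefs


def is_loopback(host):
    """True for 'localhost' and for literal loopback IPs (127.0.0.0/8, ::1)."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name other than localhost


def external_url_prefs(text):
    """List (pref_name, host) for URL-valued prefs that leave the machine."""
    findings = []
    for name, value in parse_prefs(text).items():
        if not isinstance(value, str):
            continue
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and not is_loopback(parts.hostname):
            findings.append((name, parts.hostname))
    return sorted(findings)


# Constructed sample of a partly locked-down kiosk profile (not real data).
SAMPLE = """\
// Mozilla User Preferences (constructed sample)
user_pref("app.update.enabled", false);
user_pref("app.update.url", "http://127.0.0.1/");
user_pref("extensions.update.url", "http://localhost/");
user_pref("extensions.blocklist.url", "https://blocklist.example.invalid/3/%APP_ID%/%APP_VERSION%/");
user_pref("browser.startup.homepage", "https://kiosk.example.invalid/start");
user_pref("network.proxy.http_port", 3128);
// user_pref("commented.out.url", "https://ignored.example.invalid/");
"""

if __name__ == "__main__":
    for pref, host in external_url_prefs(SAMPLE):
        print(f"{pref} still points at {host}")
```
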

And the Captain Obvious of the Day Award goes to...

People who don't know how their web bound software works and why it's necessary for some of them to phone home, and are concerned by that, should just get and stay offline. One would think that it's bloody obvious that checking for updates, be it manually or automatically, will involve phoning home.

Off-topic: Your display pic is dancing in perfect time to my music, it really freaked me out lol.

On-topic: Countless apps do this for updates, this isn't news

The reason for that is that Firefox is open-source whereas Microsoft programs are not. When one can look at the source code and find out exactly what information is being transmitted, it's easier to accept the behaviour because nothing is kept secret and, if it comes down to it, you can always just hack that part out of the source code and recompile. Compare this to the "black box" paradigm of Microsoft (and Adobe and Macromedia and Autodesk and Apple and Intuit and...) software and you need, at the minimum, a packet sniffer to figure out what's being sent, and sometimes cryptanalysis tools on top of that.

It's a matter of openness and transparency. Firefox has it. Microsoft products do not.

You are right. But admit it, hundreds of users who would never have thought about what you just said would blame Microsoft all day long for this, just for the lulz of being inconvenient.

How do people think software will check for updates without hitting a server (the easiest way)? Would you rather run a small p2p so you phone an ANONYMOUS person for updates?

Software isn't really magic, just because you don't see them those bits don't appear on your computer out of nowhere :) and being a Microsoft platform developer, I absolutely LOVE firefox. It has its own small problems, but it's a brilliant piece of software.

So... how else exactly is firefox/thunderbird supposed to check for updates without 'phoning home'??

I think people should actually try to read through that article before posting comments like this.

that guy explicitly said "the cause of the connection is a feature that cannot be disabled from any menu, only the about:config configuration page."

and automatic updates can be disabled from the menu.

So it sounds like completely different things to me.

People who don't know how their web bound software works and why it's necessary for some of them to phone home, and are concerned by that, should just get and stay offline. One would think that it's bloody obvious that checking for updates, be it manually or automatically, will involve phoning home.

And the user of a web bound software should be able to easily config the said software to access the web only when he/she wants it to. It's bloody obvious that when the automatic update is disabled, and when the user is not manually checking for updates, and when all apparent options that'll "phone home" get disabled, then it should not phone home.

The reason for that is that Firefox is open-source whereas Microsoft programs are not. When one can look at the source code and find out exactly what information is being transmitted, it's easier to accept the behaviour because nothing is kept secret and, if it comes down to it, you can always just hack that part out of the source code and recompile.

Out of the 26+ million people who have downloaded Firefox 3 up to now, I bet there are less than 1000 who are even remotely capable of hacking the source code. Heck I do programming everyday to make a living for more than half a decade already, and even I'd think twice before trying to go through that overwhelming bloat mess called Mozilla/Gecko.

The add-on blocklist update is there for the security and integrity of the browser and it's not something you want to make a menu entry for and risk that a novice user or even grandma will disable it. That person might then end up downloading a bad extension which ruins his/her experience with Firefox, ends up blaming Mozilla, and never uses Firefox again.

Considering this isn't really something that would be smart to disable, I think Mozilla made the right choice and made it an about:config option that hopefully only advanced users with a reason to do so would change.

IP Address - Required

The time and date - Required for SSL

Version Number - Required

Checking if any of your extensions match the blocklist - Required

Total number of active users of their software - I assume this means it checks for multiple profiles so it can run all of them against the blocklist. Probably Required.

I don't see Mozilla doing anything in there that would be considered farming data.

The add-on blocklist update is there for the security and integrity of the browser and it's not something you want to make a menu entry for and risk that a novice user or even grandma will disable it. That person might then end up downloading a bad extension which ruins his/her experience with Firefox, ends up blaming Mozilla, and never uses Firefox again.

Considering this isn't really something that would be smart to disable, I think Mozilla made the right choice and made it an about:config option that hopefully only advanced users with a reason to do so would change.

IP Address - Required

The time and date - Required for SSL

Version Number - Required

Checking if any of your extensions match the blocklist - Required

Total number of active users of their software - I assume this means it checks for multiple profiles so it can run all of them against the blocklist. Probably Required.

I don't see Mozilla doing anything in there that would be considered farming data.

oh I didn't realise time/date was needed for ssl, I stand corrected (from my previous post) then.

Even if the time and date wasn't required for SSL, they could get the time and date just from when the packet is being sent out, and the # of active users could just be derived from how many different IP addresses ask for updates. That leaves only two things it's actually sending: the version number and your extensions... which is pretty much required if you are asking to see if there are any updates to the software.

The add-on blocklist update is there for the security and integrity of the browser and it's not something you want to make a menu entry for and risk that a novice user or even grandma will disable it. That person might then end up downloading a bad extension which ruins his/her experience with Firefox, ends up blaming Mozilla, and never uses Firefox again.

Funny that Firefox 3 has easily accessible options to disable Anti-Malware and Anti-Phishing features, which are arguably more dangerous than disabling the add-on blocklist (since the novice user or grandma is more likely to stumble upon bad sites than install add-ons themselves, if the grandma even knows what "add-ons" are about).

And that's why there are settings under tabs called "Security" and "Advanced". When there's a menu entry to disable automatic update of the browser itself, which is arguably far more important to the browser's security and integrity, the excuse of "no option for disabling add-on blocklist update because it's too risky" is simply ridiculous.

Edited by wellofsouls

I have no reason to defend Firefox and Thunderbird, but I'm going to anyway.

Even before I knew this, I kind of assumed that's what the programs did anyway. There's nothing personal enough for me to care about in that little bit of information, and it helps the team make their programs better. If it were anything I had to pay for I'd be a little miffed because most of the time, pay-for programs only "phone home" to make sure you aren't pirating their software. I guess I just hate being thought of as a criminal before I've done anything wrong.

And not only does this little bit of information help the team, but it is also probably used in helping Firefox figure out if it needs an update or not.

I guess a little disclaimer box telling you the information it will be sending would be nice (sort of like what Winamp and a lot of other programs use), but this is something so trivial I really don't care.

Funny that Firefox 3 has easily accessible options to disable Anti-Malware and Anti-Phishing features, which are arguably more dangerous than disabling the add-on blocklist (since the novice user or grandma is more likely to stumble upon bad sites than install add-ons themselves, if the grandma even knows what "add-ons" are about).

And that's why there are settings under tabs called "Security" and "Advanced". When there's a menu entry to disable automatic update of the browser itself, which is arguably far more important to the browser's security and integrity, the excuse of "no option for disabling add-on blocklist update because it's too risky" is simply ridiculous.

Add-ons integrate into the browser itself and affect its core functionality. A user made add-on messing up their application is something any company should be worried about. The add-on blocklist gives them some limited control over their browser being contaminated with bad extensions. As I'll say again, only an advanced user should have a reason to disable this. What is so hard about going into about:config and changing an entry anyway? I would consider that easily accessible for an advanced user.

Anything that is website related should have an easily accessible option to disable. Why should Mozilla care if you want to give away your personal information to a phishing website or download malware to your computer? The browser is doing what it is designed to do. You can't say as much for add-ons.

Add-ons integrate into the browser itself and affect its core functionality. A user made add-on messing up their application is something any company should be worried about. The add-on blocklist gives them some limited control over their browser being contaminated with bad extensions. As I'll say again, only an advanced user should have a reason to disable this. What is so hard about going into about:config and changing an entry anyway? I would consider that easily accessible for an advanced user.

and the browser itself is integrated into the... well, browser itself. By your logic, disabling automatic updates should be worried much more than disabling add-on blocklist. There's nothing hard about going into about:config, but any excuse trying to rationalize not having an option for disabling add-on blocklist update out of fear for some supposed "risk", while there are "Advanced" options for disabling the whole browser update, is simply ridiculous.

only an advanced user should have a reason to disable this.

And why there's an option tab named "Advanced"? um, I guess it means exactly for "Advanced" users.

Anything that is website related should have an easily accessible option to disable. Why should Mozilla care if you want to give away your personal information to a phishing website or download malware to your computer? The browser is doing what it is designed to do. You can't say as much for add-ons.

oh, and the add-on blocklist is related to the addons.mozilla.org website. And Firefox browser is designed to be extensible with add-ons, so if the users choose to install add-ons that have security risks, they should have the same freedom as going to some phishing sites, and the Firefox browser is just doing what it's designed for. At least for Firefox, I can surely say as much for installing add-ons as for browsing websites.

and the browser itself is integrated into the... well, browser itself. By your logic, disabling automatic updates should be worried much more than disabling add-on blocklist. There's nothing hard about going into about:config, but any excuse trying to rationalize not having an option for disabling add-on blocklist update out of fear for some supposed "risk", while there are "Advanced" options for disabling the whole browser update, is simply ridiculous.

You shouldn't force people to automatically upgrade their software. Unlike you, I see nothing wrong with keeping a blocklist of bad extensions up to date which should be completely invisible to the user.

oh, and the add-on blocklist is related to the addons.mozilla.org website. And Firefox browser is designed to be extensible with add-ons, so if the users choose to install add-ons that have security risks, they should have the same freedom as going to some phishing sites, and the Firefox browser is just doing what it's designed for. At least for Firefox, I can surely say as much for installing add-ons as for browsing websites.

They do have the same freedom, it's just made harder on purpose. I wasn't really arguing about security risks as much as the integrity of the browser. Websites might be blocked on accident or the user might have other protections in place to protect them from phishing schemes or malware and don't like being bothered. Are they a bit similar, sure, but I make a distinct separation between accessing websites and software integrity.

And why there's an option tab named "Advanced"? um, I guess it means exactly for "Advanced" users.

There isn't much "Advanced" about the "Advanced" option tab. If I say "Only expert users..." would that make you happy? Or is there an "Expert" option tab somewhere I'm missing as well. :rolleyes:

The reason there isn't an option is because none of the developers must have thought there was a good enough reason to add such an option to the gui and to keep it as uncluttered as possible. As you seem to care so much about it, why don't you file a bug on Bugzilla (and get a bunch of people to support you so the change is made) or write an extension to add this option you care so much about to the options dialog. If they decided to add the option to the GUI, I wouldn't have a problem with it but personally I don't think it's really needed.

Let's just agree to disagree. :yes: We each have our own opinions and neither is more right than the other. I can see where you're coming from about not liking your information being sent without permission and why someone with your point of view would want an easily accessible option to disable. If you are unable to see why Mozilla would do what it did with no malicious intent in mind then I have no reason to debate with you over this any longer.

Edited by cyberbeing

IE does this; it's called Windows Updates. :)

It comes down to risk and trust, or maybe just caring. Any program that informs you of updates has to check the internet. As someone said, the nice thing about open source is you, or someone knowledgeable if you don't know, can tell what is being sent by looking at the code. This means you can't really have open source spyware.

I use Ubuntu Linux and let it call the repo every day to check for updates to my software. I can set it for once a week or turn it off entirely if I want though. This is sort of like Windows update but for all the software on the system at once. I trust Ubuntu when they say they keep these records anonymous. If you trust Microsoft, then that is fine too.

Ubuntu also has the following option (disabled is the default):

[Image: ubqmb.png]

I used to use Firefox but now use Opera as the new version is so cool but I know I am giving up the chance of knowing exactly what is going on behind the scene with my web browser because Opera is closed source. It is a risk I'll take in this case. :)

You shouldn't force people to automatically upgrade their software. Unlike you, I see nothing wrong with keeping a blocklist of bad extensions up to date which should be completely invisible to the user.

If you shouldn't force people to automatically update their software, then you shouldn't force people to automatically update add-on blocklist inside the software, which is a "software update" itself.

Unlike me what? I never said whether it's wrong or not, or maybe you are seeing things that I myself have not seen from my own posts? :rolleyes: I just said that what the article has described is actually not about the automatic software update option in the menu.

They do have the same freedom, it's just made harder on purpose. I wasn't really arguing about security risks as much as the integrity of the browser. Websites might be blocked on accident or the user might have other protections in place to protect them from phishing schemes or malware and don't like being bothered. Are they a bit similar, sure, but I make a distinct separation between accessing websites and software integrity.

And software updates is what software integrity is about. Again, like what I have said multiple times already, when there's option to turn off software updates, saying not having an option to turn off add-on blocklist updates at the same place is because of some "software integrity" concerns is completely ridiculous.

There isn't much "Advanced" about the "Advanced" option tab. If I say "Only expert users..." would that make you happy? Or is there an "Expert" option tab somewhere I'm missing as well. :rolleyes:

Nope, whether it's "Expert" or "Advanced" is completely irrelevant here, my point is that, there are options that shouldn't be casually turned off in the "Security" and "Advanced" tabs, just like the add-on blocklist option. So not having the options to turn off the add-on blocklist update at those places have absolutely nothing to do with whatever supposed "software integrity" risk involved :rolleyes: If you think there isn't much "Advanced" about the "Advanced" tab, then you should tell that to Mozilla, not me :laugh:

The reason there isn't an option is because none of the developers must have thought there was a good enough reason to add such an option to the gui and to keep it as uncluttered as possible.

Now we are getting to something, yes that's a good reason I can agree with, instead of some illogical nonsense about it having something to do with "security", "software integrity", or whatever :yes:

As you seem to care so much about it, why don't you file a bug on Bugzilla (and get a bunch of people to support you so the change is made) or write an extension to add this option you care so much about to the options dialog. If they decided to add the option to the GUI, I wouldn't have a problem with it but personally I don't think it's really needed.

Now you shouldn't put words in other's mouth. I have never said anything about adding it to the GUI. And I personally have no problem with Firefox "phone home" at all.

Let's just agree to disagree. :yes: We each have our own opinions and neither is more right than the other. I can see where you're coming from about not liking your information being sent without permission and why someone with your point of view would want an easily accessible option to disable. If you are unable to see why Mozilla would do what it did with no malicious intent in mind then I have no reason to debate with you over this any longer.

I think you should try to read my posts before replying, or are you only seeing things you wish to see? Nope, I have nothing against firefox sending some data back home to get updates. My point of view regarding this "phone home" stuff is I don't care.

My posts here are just replying to some other posts in this thread regarding the following issues :

1. The article is NOT talking about the automatic software update options that can be disabled in the options menu, which is what a lot of people here seem to think without properly reading through the article itself.

2. The article is talking about Firefox "phone home" after disabling all apparent menu options.

3. The excuse of "Firefox is open-source so you can hack its code yourself" is not applicable to most of its users.

4. The excuse of "Firefox hides the option for disabling add-on blocklist updates because of concerns with security/software integrity/whatever risk" is completely ridiculous and illogical when it has easily accessible options to turn off its anti-phishing/anti-malware/auto-update feature.

and now,

5. I can agree that firefox may have hidden such an option in the about:config in order to avoid GUI cluttering, or, I may even say, maybe they just think this option isn't important enough to warrant a place in the options menu.

So you'd better first understand what my posts are saying before deciding what to "agree to disagree". I have nothing against Firefox phone home for some automatic updates, I just don't agree with some people seeing only what they want to see and ignoring what the article here is really about. Or pulling out some ridiculous excuses to rationalize certain Mozilla decisions in some strange illogical ways :shifty:

This topic is now closed to further replies.