Privacy blunder? Firefox's Get Add-ons page uses Google Analytics
The Firefox web browser ships with an add-on management interface that users may load directly by typing about:addons in the browser's address bar, or by using menus of the browser the page is linked from.
The management interface comes with several pages that separate extensions from themes, plugins, services, scripts and other "add-ons" that users may add to Firefox in one way or another.
There is also a Get Add-ons page that lists add-on suggestions to users. It is making the rounds right now connects to Google Analytics when users access it.
Nicolas Petton posted a message on Twitter on July 11, 2017 that Mozilla was using Google Analytics on the about:addons page. The message was picked up on social news sites such as Reddit and Hacker News shortly thereafter.
Some users voiced concerned about the integration of Google Analytics in Firefox (on this one page), stating that a browser that advertises with being privacy-focused should not do that.
Mozilla employees provided detailed information on the implementation on various sites, including on GitHub where a issue was raised by a concerned user.
According to Mozilla employee Matthew Riley MacPherson, known as tofumatt on GitHub, about:addons loads an iFrame with content hosted on a Mozilla website which contains the Google Analytics script.
Mozilla has a special agreement with Google which means that the data is aggregated and anonymised. Another Mozilla employee, who goes by the handle potch, added on Hacker News that Mozilla negotiated a special deal with Google that only a "subset of data" is collected, and that the "data is only used for statistical purposes".
When asked why Mozilla was not using self-hosted analytics scripts like Piwik, Matthew replied that hosting their own analytics product -- Piwik in particular -- was more work for "a worse product".
Matthew suggested to disable the tracking for users who have opted out of Telemetry tracking in the Firefox browser. This has not been implemented yet, and it is unclear whether this is going to happen.
Ultimately, this seems to be Mozilla's stance on the issue right now according to Matthew:
We won't be discontinuing our usage of analytics for our web properties, but I do think it would be nice to consider easy opt-outs for users like yourself who clearly do not want to participate in analytics sharing.
The maker of uBlock Origin posted an interesting observation in the thread as well. The legacy version of uBlock Origin can block the requests on internal Firefox pages, while the WebExtension version cannot.
Legacy uBlock Origin can block the network request to GA.
However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.
What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.
The Tor browser developers, a browser that is a modified version of Firefox for added security and privacy, have voiced concerns as well.
Disallow 'about:addons' unless the extensions directory is volatile, because regardless of what Mozilla PR says about respecting privacy, loading Google Analytics in a page that gets loaded as an IFRAME as part of an 'about:' internal page, is anything but.
Tip: Firefox users who don't use Get Add-ons can disable the functionality in the following way:
- Load about:config?filter=extensions.webservice.discoverURL
- Double-click on the preference, and remove all characters so that the value is blank.
- Restart Firefox.
See how to block automatic connections that Firefox makes for additional information, or the list of Firefox security and privacy preferences.
It is clear that there are multiple points of view on the issue at hand:
- Some users think that Firefox should never connect to third-parties without explicit user consent.
- Others think that the issue is blown out of proportion, as it is limited to a single page in the browser.
- Mozilla acknowledges that tracking is taking place, confirms that it has a special deal in place with Google, and that it considers opting users out that have opted out of Telemetry tracking.
My personal stance on the matter is that I think it is unwise to integrate anything that connects back to Google in the Firefox browser. Unwise because it torpedos Mozilla's stance on privacy in the eyes of some Firefox users.
Now You: What's your take on this?
Mozilla are shooting themselves in the foot by using GA, this can allow Google to better TARGET Firefox users by having their IP.
Tor Browser developers are going to disable GetAddons pane on about:addons, which is a nice solution: set `extensions.getAddons.showPane` set to `false`.
Funny thing is, it doesn’t exist in Firefox and I don’t have that pane. And, it is set to true in Pale Moon and I don’t have that pane. I changed it to false in PM. No surprise. There was no change.
What’s the original URL in Firefox? In Pale Moon, it’s “hxxp://addons.palemoon.org/integration/addon-manager/internal/discover/”
It is https://discovery.addons.mozilla.org/%LOCALE%/firefox/discovery/pane/%VERSION%/%OS%/%COMPATIBILITY_MODE%
Onboarding also uses GA – see https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf (thanks earthling)
“Onboarding also uses GA – see https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf (thanks earthling)”
Apart from blocking GoogleAnalytics in the Hosts file or at the router level, is there any other way to prevent this? I’m assuming that NoScript or uBlock won’t help here because this occurs at browser startup.
Not 100% sure about the whole onboarding process, as I plan to kill it. Its a system addon, and there is also a pref for it `browser.onboarding.enabled`
Yes, use umatrix
I had that address already removed, but only because I don’t need that addon discover feature, I find it useless. As for the fact that it acts as a tracker, bad. Very bad. And it’s not like Mozilla is in the brightest light atm.
Well it’s not technically within Firefox. It’s a page loaded from the web like any other page, except it’s in a special context. So of course it contains analytics crap like all pages even on AMO. It’s not at all the same as say, Hello or Safebrowsing or Telemetry. It’s a regular web page. My stance is the same as Tor developers, the problem is the context in which the page is loaded.
That means the fix has to either be to run it in a normal context, or load a no-analytics page when Telemetry is disabled.
Most privacy conscious users disabled the GetAddons page years ago for this reason, it’s not exactly new news. It doesn’t invalidate studies on Firefox’s privacy level because it’s not a sudden discovery that we missed when evaluating Firefox. I wonder what made people suddenly remember though.
Quote regarding this web page’s analytics:
(Source: https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14 )
> AFAIK (again) we do have a special contract with GA that doesn’t allow them
> to re-use / sell our data, so I guess the same argument from the Privacy
> team applies here too and this time we implemented it following this
Mozilla went through a year long legal discussion with GA before we would ever implement it on our websites. GA had to provide how and what they stored and we would only sign a contract with them if they allowed Mozilla to opt-out of Google using the data for mining and 3rd parties.
We now have two check boxes in our GA premium account that allows us to opt-out of additional usage of our data. Because Mozilla pushed Google so hard, those two check boxes are available to every other GA user in the world regardless if they have a premium account like we do. GA also doesn’t track IPs or store PII within the tool.
I will attached a screenshot of the two check boxes in GA.
Mozilla has apparently decided to disable GA when the user has Do-not-track enabled. (They could do it for people with only telemetry disabled too)
4 year old ticket?
https://bugzilla.mozilla.org/show_bug.cgi?id=1380448 – this is the TP regression ticket (to enable DNT to be honored on about pages re web content). THIS is not the overall solution, but a regression bug.
Controlling GA/trackers/telemetry via the DNT option is a crock of shit, and wrong. By default you have to opt-in to DNT (a requirement in the framework when it was set up by EFF & advertisers), which then makes it mandatory for the end-user to opt-out of this tracking. Opt-out is shitty and not privacy friendly.
I hope an overall solution is that it is covered by the Telemetry checkbox, and that Mozilla clearly state somewhere that 3rd parties are being used for telemetry (because right now that is NOT made clear, even if we knew about it for a long time).
Personally, I do not give a sh*t, as the discover addons URL has been blanked since day 1 of the ghacks user.js. Additonally uBo and uMatrix block this (and NS is deny-all JS), and I can block at an OS or network level – but I am pissed off that web-content in about pages cannot be controlled by Web Extensions. And the addon discovery page is NOT the only one that sends info to THIRD PARTIES (WTF mozilla!)
I talked about two different topics :)
Last line is about DNT indeed.
Everything else is about when and how they set up the analytics. Four years ago, that’s how new this news is, and you’ve known it ever since, so why are you pissed now, it was the same yesterday and a year ago and three years ago, yet you (and I too) vouched for Firefox’s privacy. I took that into account when evaluating the product, which means that there is no sudden event and no need to reevaluate the rating which is unquestionably the highest among all browsers that are not Tor.
And now it is time to improve privacy on this part too. Like you I think it should be tied to the Telemetry preference, and most importantly the community should pressure so that WebExt become able to filter about:* requests. Or these request are removes altogether.
Uh no, it’s not 4 years ago that it occurred. I thought this was oddly recent. The bug is 4 years old and is indeed DNT related (that might have confused you) but the comment I linked to is about Mozilla using GA for their web pages, which is way older than 4 years.
As I said the *ticket* is 4 years old (as is the comment) :)
I should clarify something here. DNT can be used globally (in normal + private browsing (PB) mode), but it is opt-in. Tracking Protecting (TP) uses DNT regardless of your DNT setting `privacy.donottrackheader.enabled`. TP is off by default in normal windows, but on by default in PB Mode. This distinction is made clearer in the new preferences UI currently in Nightly (see the pretty pic in https://github.com/ghacksuserjs/ghacks-user.js/issues/163#issuecomment-313210730). When opening a PB mode window you get a bunch of PB mode info (thus you have been informed)
Either way you look at it, when users decide to open PB mode, or start in PB mode, or enable TP in all windows, they are OPTING in.
In other words, if the “tracking” (let’s face it, it is telemetry for mozilla) on the AMO web page loaded in about:config is to rely on TP or DNT – then it is a crock of shit, because by default, you are f*cked and have to explicitly make a settings change.
As Tom Hawack points out below “Firefox > Options > Advanced > Data Choices > Enable Firefox Health Report > Share additional data (i.e., telemetry)” – this does not say anything about 3rd parties, and in fact says NOT to share with Mozilla. The fact the discover addons about page uses web content and not Mozilla’s normal telemetry delivery mechanism, is besides the point. I OPTED OUT of telemetry, they should honor that, and not try and hide behind some other pref(s)
Sounds like we’re not playing the same tune :D
Me quoting the comment was not about DNT, it was an anecdote regarding how GA came to be used, how Mozilla pestered Google for a whole year to get more privacy for everyone, etc, it’s interesting but it’s a digression.
Then I brought up DNT as a one-liner topic completely separate from that bug or comment because DNT is what they are going to use to let the page be loaded without GA. I too would prefer the presence of a GA-positive GetAddons page being linked to the telemetry preference. Seeing how you developed your comment around DNT, I’m guessing the only thing that pisses you off is DNT being used as a solution, and you’re aware that the introduction of GA is very old news, way older than 4 years, and never prevented Firefox from being so highly rated with regards to privacy.
I don’t know the entirety of what is going to be decided beyond DNT (I don’t know if they decided everything yet), something might happen regarding about: pages loading shit as IFrames in a world where add-ons can’t filter about: requests.
I’ve known about it for almost a year now because NoScript blocks it from loading when I clean install. I allow Google Analytics as I know how useful it is for web developers and helping keep their sites running, so I’m not fussed.
The webRequest API (the primary way WebExtensions observe and block traffic) is designed to “hide/protect” some things from WebExtensions. The documentation at https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest says this: “The webRequest API does not give you access to some security sensitive requests such as update checks and OCSP checks”. If you look at related bugs, such as:
You’ll see they are worried about addons disrupting important core browser functionality. Which is a legitimate concern. The limitation makes sense, as a default. Unfortunately, they are refusing to allow the user to control this (example: give one extension the permission to access “special traffic” too). I don’t think they are familiar with, or care about, those contexts where monitoring and controlling all traffic is crucial to security ;-(
To be fair, even on my profile uBlock Origin is set not to filter about:* URLs. In spite of this I have 0 leak, though only because I flipped a couple prefs. So it’s not as bad as it looks because vanilla browser configuration can deal with everything, but it’s still bad because trust requires a counter-power in the form of an add-on.
Only webRequest needs access to about:* pages, that’s the sole API really needed as opposed to all WebExt APIs.
IMO all network requests should be accessible to webRequest, including Safebrowsing, including OCSP, including updates, because that’s a guarantee of trust: Should Mozilla suddenly relax their policy with regards to such requests, or should vanilla browser configuration become insufficiently thorough in some areas, I know a trusty add-on can keep Firefox in check. Though again, even if my add-ons currently have this capability, they are not set to use it, not even NoScript and uBlock, not even on my most locked down profile.
The capability must still be there either way though. Putting this it behind a scary permission is perfectly acceptable.
There is a bug to allow intercepting of “privileged” sites with explicit permission:
I’m waiting for Vivaldi to get more polished so I can dump Chrome and use it. Firefox is already dead and Mozilla can only hope not to gain more, but keep what people they have left.
^ TL;DR: I am a Chrome user waiting to switch to Vivaldi, hello Firefox users
I honestly think we probably need to fork Firefox again ala IceWeasel. The first time was over branding, but this one would be to eliminate the tracking and telemetry as well as keep the old extension system going for a while until WebExtenstions are powerful enough to handle nearly everything the old ones could do.
Dumb decision by Mozilla, even if it does only affect the “Get Addons” page. If they are using third party services to collect information it should be easily tell, and disable (This was a surprise to me).
I’ve disabled sharing telemetry for now until Mozilla do something to gain my respect back.
> The maker of uBlock Origin posted an interesting observation in the thread as well. The legacy version of uBlock Origin can block the requests on internal Firefox pages, while the WebExtension version cannot.
Well this was expected, as their stupid policy does not allow for addons running on them. Another reason not to use FF57.
good thing I have blocked Google Analytics at my router many years ago…
ABP block this (rule: ||google-analytics.com^ )
“Some users think that Firefox should never connect to third-parties without explicit user consent.” : count me in.
Firefox > Options > Advanced > Data Choices > Enable Firefox Health Report > Share additional data (i.e., telemetry) :
If “Share additional data” is unchecked this choice must include NO exceptions, not one, WHATEVER the context.
Be it reminded that whatever the browser, the application, having a system-wide protection is recommended : Google Analytics (it’s one of those basically basic items…) is blocked easily with several tools of which Windows’ HOSTS file.
Concerning the fact that uBlockO as well as Ghostery are severely handicapped in their WebExtension format is a strong argument in favor of legacy add-ons and IMO gives the flavor of what will become of add-ons once limited to the fantastic joke called Webextensions : an ersatz.
I’m disappointed by Mozilla, to put it mildly. Even more when one of it’s employers has the nerve to declare that in his opinion nothing is to be done about GA’s intrusion in one of Firefox’s page and that nothing will be done. I notice that the problematic is know to wonder if something will be done once the user has unchecked : Share additional data. What more does Mozilla need? Begging? Don’t count on me, Moz : either you start being serious about privacy, either you start being about avoiding to advocate a half-private browser, either you accept to see more and more users get off from Firefox. Who the heck do you think you are? A privileged organization legitimate to practice a few privacy dispensations on the ground of your holiness? Think twice. Many users are starting to get fed up with your policies.
Context information from Mozilla employee Callahad: https://www.reddit.com/r/firefox/comments/6mt8i4/security_fuckup_aboutaddons_uses_google_analytics/dk51wm0/
I agree it must still be fixed properly now, the way you described in your second line.
I feel with you, Tom. However – unlike you – I never trusted Mozilla when it comes to privacy. They were always an entity financed by Google, which is almost a 100% guarantee for them never technically being a threat to their tracking. The WebExtensions being unable to block this is further confirming my worst fears. Extensions being unlimited in the browser is not only bad, rather, only this way you can stop such privacy desasters. Google limited their extensions on purpose, and so does Mozilla now. They aren’t the good guys, probably never were. Yet with their browser alone one at least had the option to limit such privacy evasions, even when they come from the vendor itself. I hope this is opening your eyes for what Mozilla has become, a state of things I’ve talked about for years here. Remember, we are not only talking about a mere browser here. We are talking about data of millions and millions of people being mined without their explicit consent(!). Shame on you, Mozilla! Luckily I always had a distrust against these data-selling traitors! Apropos: Where did this “Ding Ding Dong” from this thread: https://www.ghacks.net/2017/06/23/mozilla-should-hide-legacy-add-ons-on-firefox-amo/ go? This guy really argued in favor of Firefox being the most private browser ever, despite being provided with conclusive evidence against his statement. I hope this fool reads this now and realizes just how deep his denial is. Remember how he crawled back to you, hoping you would come to another result than me. I guess he was wrong, because I always based my statements on actual facts, and so do you.
PS I: I guess now we know what they meant to say with this: https://www.google.de/search?q=mozilla+big+browser+is+watching+you&prmd=inv&source=lnms&tbm=isch&sa=X&ved=0ahUKEwifx9z-nojVAhVCKVAKHYNZBAMQ_AUICSgB&biw=320&bih=445&dpr=2#imgrc=klsm7CKQrNY78M:
PS II: “Ersatz” in German (starts with a capital letter) means “replacement”, without negative or positive connotation. What you meant to say was “ein Witz” (a joke) or “eine Peinlichkeit” (an embarrassment), right?
It’s another piece in the puzzle of losing control over ones privacy. And that’s all it is about. Your and my privacy for sale. According to my profile I am a 19 year old female physician with 2 children and 4 grandchildren, divorced twice, owner of seven goats and on top of that I am a lesbian who likes to visit home improvement stores. As long as my profile is accurate as this I can live with it and will continue taking cruises to the Sahara desert.
To rebound on user profiles in general, how would I know if what appears in a profile corresponds to what is truly known by the profiler? I could even imagine that less a profile is accurate more it is likely to be fake. In the scenario “Hey, dear user, here’s what we know about you” is “all we know” implicit? Is a profile stating the truth, all the truth, nothing but the truth, “truth” being what the profiler actually knows? Files, profiles, cases … what a pain. Don’t trust any company, especially on the Web, no company loves you, no company respects you, when they say they do, like Mozilla, it’s baloney, it’s only intended to get in the user’s privacy bed. Trust your friends, have a good and honest approach with people but, on the Web, it’s business, only business, so trust no advertiser, no service, software company, they’re all the same, craps in their ethics even if their applications my be close to excellency.
I would say if it is only specific to the “Get Add-ons” page, I can live with it. I never visit that page anyway.
Firefox needs to have some metrics about its users. If everyone switched their user-agent over to Chrome, it would be hard to determine the accurate install numbers for Firefox.
Well… one more example of why it’s a good idea to use a HOSTS file as a second line of defense! Not that I needed to but I verified with the dev tools that my hosts file was blocking google.analytics, I did have to disable uBO Legacy to verify my hosts file worked. Tried the uBO WebExtension briefly in Nightly not long ago and decided what with it causing longer browser startup times (half second, the horror), I also suspected (rightly so) that some network requests would get through because of the api.
I rarely have even opened the Get Add-ons page much less used it, I use a bookmark for AMO. I wanted to ask what’s all the hubbub about but I guess people actually use the Get Add-ons page. lol
Firefox ain’t what it used to be. One day it will be just another fork of Google Chrome.
We’re all slowly becoming forks of Google.
+1 literary style
Special arrangements with google… collect only a subset… anonymized. Yes, because on-demand, as needed, “they” can re-establish your full fingerprint.
Reported to TorProject 3yrs ago
The above was also reported to PaleMoon forum (not by me). The report was poo-pooh’ed by MoonBaby & the reporter was lambasted(?) ridiculed.
The details of the torproject ticket are inexact. Each time firefox is launched, the ONLY detail harvested and retained in memory throughout the firefox session is the email address associated with user’s O/S login account. HOWEVER, note that the mechanism is in place to retrieve additional details. With each launch, MaintenanceService has opportunity to retrieve “updates” ~~ a temporarily installed (removed after use) component would be free to utilize the in-place mechanism to harvest and exfiltrate details of O/S login account (given name/surname, organization, department).
Set aside the example of nsUserInfo. Numerous other fingerprinting mechanisms are inbuilt within the ff core codebase. If you delve into the code, note how “SpecialPowers” (actual name, within the code) can be granted to “services/components” blessed by “mozco, and partners”. On-demand, injected via MaintenanceService, a component can for instance invoke the mechanism whose prima faciae purpose is to support EME, thereby harvesting and exfiltrating details including the SERIAL NUMBER of the device’s motherboard. Mozco would never “partner with” a TLA and facilitate such exfiltration, right?
Welcome to your new firefox installation. The installtime datestamp will be your GUID, serving as part of your fingerprint in case you “get clever” and thwart one of the other, redundant, fingerprinting menchanisms. Without this GUID, your install will be unable to: retrieve CA revocations lists (and other mozilla-provided lists)…
We should _NOT_ be entrusting/allowing a sole party, the browser distributor, to ALSO supply the cryptographically-signed Certificate Authority datastore, yet that’s the status quo.
PLEASE WAKE UP ~~ if you don’t code, can’t read code, pass this on and ask someone knowledgable to examine the firefox code. It’s supposed to be OPEN SOURCE, but it’s huge and convoluted, and no one seems interested in bothering/caring.
This doesn’t affect me as i don’t use that page anyway. When i open about:addons it always goes to extensions so i’m good. i might just disable it for the hell of it. Firefox is still remaining my main browser and i have NO plans of changing it. Scroogle.
Since we’re talking about Firefox communicating with Google: it’s an eye-opener the 1st time you look in about:config and type “google.” By default, Firefox is communicating with WAY too many google urls. Even one is too many for my taste!
Also, thank you so much for this article. Your work is truly appreciated.
Oh my Gode, Mozilla is still working with the devil,