Backdoor in FireFox in Kali and Parrot OSes (and others)

Read up on “reverse dns” it’s a thing that’s been around a long time.

2 Likes

That’s not reverse DNS that I know of, DNS is where you have a domain name and look up the IPv4 address. Reverse DNS is where you have the IP address and want the domain name.
Isn’t it? All the docs I can find say it is . . .

1 Like

netstat by default is showing you the results of a reverse DNS lookup of the IP address rather than the actual IP address. netstat -n should show the IP address only.

The server in this case contains the reverse of it’s IPv4 address in it’s DNS name. A common trend today when coming up with unique indentifiers is to reverse the domain name, you’ll quite often see “com.apple.blah.blah…”, “com.google.blah.blah…” etc,. in file names, package names config settings etc,. What you are seeing is the reverse DNS of the IP which is a machine name that contains the IP in reverse notation, which is probably some scheme being used to make listing, sorting and identifing machines a little easier on their end.

These connections you are seeing are accessing/using Firefox services that are hosted on rented servers from google. It used to be the case that if you set the Firefox home page preference to “Blank” that was enough to stop any connections, I have no idea if that’s still the case tho.

5 Likes

Didnt I see a link here on Purism forums that pointed to an article indicating that 80-90% of all Firefox revenue comes from “a single company” in return for “setting the default search engine” which basically means Firefox is admitting to being a Google-sponsored browser?

So, I do also get the feeling that we live in a world where the controls are gradually getting tighter so that only Chromium and Firefox sucessfully function on websites people need, and both are sponsored by Google even if they sometimes claim independence.

The more you know, the more paranoid we become. It’s a problem with my Librem 5 that I haven’t quite figured out how to solve yet. Even doing host duckduckgo.com and then doing a whois on the IP address returned shows that it’s actually Microsoft. A lot of the things that we think are in opposition to the system might actually only be sponsored opposition, for all I can tell.

Edit: All this being said, I still want my Librem 5 to be my only phone as a matter of principle to believe I was trying even if I don’t succeed. The convergence and other natures of the device are more enjoyable to me than Android, even if I assume that I will never be safe from world governments because to be honest they have more money and power than I do and they always will.

3 Likes

Yes, duckduckgo is not truly independent, it just hopefully strips away personal information before passing on the search queries to Big Tech search engines.

For something more independent that actually has its own index and its own crawler and so on, have a look at Mojeek:

4 Likes

After DuckDuckGo, I used Gigablast for quite a while, but it looks like it was recently shutdown without any announcement or notice. After using several search engines, including Startpage, SearX(NG) and LibreX, I started using Mojeek for the last few months, but very recently decided to go back to Startpage for now. It is one of the few ties I have with Google, even though the relationship is indirect.

2 Likes

re. reverse DNS. Yes, @Loki and @OpojOJirYAlG , looks like the devil’s in the detail as usual, that wikipedia article I quoted goes on to say the same thing essentially.
Thanks.

1 Like

Or perhaps it’s being hosted on Azure…

1 Like

That’s probably exactly what is happening. And if I were the Azure cloud, why wouldn’t I harvest data from all the client applications in my cloud? Data is money! :stuck_out_tongue:

1 Like

According to a thread on codeberg.org, it’s Mozilla’s push notification service. That service is hosted on Google, hence that Google IP address.

They were able to get rid of that connection by changing the dom.push.connection.enabled setting to false.

9 Likes

Fascinating thread, I had a good read through it and have a more informed perspective on the LibreWolf team. Thank you for sharing.

2 Likes

Is it rude to ask for a summary of what you learned, for those of us in a hurry?

1 Like

One aspect not brought up in the codeberg thread, unless I missed it: hosting on Google helps to perpetuate Google’s power and to increase their revenue. But I’m not sure if, say, millions of end-users disabled the connection that it would have an impact on Google, as Mozilla has already paid for the hosting.

3 Likes

No, but my perspective of them is still primarily limited to just this one Codeberg and the associated GitLab thread, so it may not necessarily reflect them as a whole.

Basically, the main point is that in order to use push notifications in Firefox, it is required to serve them from a server hosted by Google and operated by Mozilla. Here is the relevant article about the feature itself.

The most important quote is this one.

So assuming you want to know my perspective on the LibreWolf team’s stance on keeping this feature enabled, I think it is fine when viewed in the context of their mission to reduce browser fingerprinting. Their argument is that if you do not want your IP address to be stored by Mozilla for 90 days, you should use a VPN.

But, going back to this thread, the issue is that during initialization of Firefox for the first time, it connects to these Google-hosted Mozilla services without the user being informed of them. That should at least be changed so that such a feature is only opt-in, specifically when Web Push is enabled and actually utilized by the user during normal operation.

4 Likes

I am more worried about Google’s server being involved.

Thinking about the following scenario: someone is using Firefox to connect to something, take this Purism forum as an example. The user logs in on that forum and posts some messages there. That user then reasonably thinks that there is a connection between Firefox on the local computer, and Purism’s server where the forum is hosted. However, the push notification service that is apparently on by default, means that each time someone replies to that user a message is sent via Google’s server. So if Google wants to know the IP address of that user, Google could post some replies on the forum triggering such notifications and they could monitor that on their server, identifying the timing to find out which notifications go to that specific user. Google can do that, in spite of the user having chosen to use Firefox and Purism, the user has at no point chosen to involve Google.

Anyway, I agree that the push notofication feature should be off by default, it is very inappropriate for Firefox to connect to a Google-hosted server by default like that.

5 Likes

Well everyone’s threat model is different, so if yours involve auditing every (sub)domain and blacklisting specific hosting solutions, that is not a responsibility a privacy-focused browser can reasonably take without affecting other users. You control what you browse, even if that means you will encounter many unexpected third-parties along the way. This line of thinking is similar to what operating system you decide to install and use on your Librem devices.

I do not necessarily know if Discourse works as you have described, as my Firefox ESR configuration on both of my devices is specifically hardened against any calls to action. However, I will state that Google already has plenty of resources and tools to identify users automatically without needing to resort to manual intervention using Discourse accounts. The way I see it at the moment, they may as well be a digital continent.

1 Like

Are they? So, as far as I know, I’m nobody. There are no 3 letter agencies after me, and I am not engaged in any illegal activities as far as I know. I am just an internet user who has fun with technology.

With all of that in mind, years ago I used to believe that some of this internet privacy and security stuff was less applicable to me and I should just use whatever technology worked well, because I didn’t need to worry. Even if the government builds an infrastructure to record all messages like Snowden said, why is that a problem if I do nothing wrong?

But after some years of approaching the problem that way, I began to find myself in situations where I saw myself being used to worsen the lives of people around me, or as an agent of change where the change wasn’t good and I wasn’t informed of what was happening unless I spent a lot of time self-analyzing. And for me, the end result conclusion, is that whatever government entities created those surveillance systems to try to keep people save failed abhorrently at their jobs. Because they allowed the same corporations who were probably contracted to build their stuff, to then go and use similar principles to build similar data collection tools for the purpose of increasing profits and powering machine learning on the people, we now live in this horrible world spiraling towards a future where nobody can agree on anything and we are all crazy about this or that, even though none of it is what really matters. And after society falls apart because of all that, the circle will be complete, indicating that whoever originally started doing data collection under the guise of national security actually led to the end of the nation, because of the limits of their intuition.

And that’s just my country, who knows if it’s the same in other parts of the world. But as a result, don’t we all have the same threat model? Even someone who is no one should probably still try to be as offline or as anonymous or as private as the worst criminal, because we don’t want to become AI-used instruments of destruction for our society and our family and our friends!

So, isn’t the difference just what people know? Let’s say you are doing some things that keep you more secure than what I am doing. That doesn’t happen because your threats are different, does it? I would imagine it happens because you know more about how to secure your well-being and the integrity of your mind.

And, when it comes to using people as instruments/weapons against their loved ones, one of the primary companies with sufficient AI tech to use people like that for the last few years, as far as I could tell, was Google itself. It seems like if Microsoft can get enough money to get enough development to become the next Google in that way, they probably will, so obviously Google is not the only offender of this kind. But they are certainly one of the biggest.

And as such, isn’t the simple idea that “Firefox opens a connection to XYZ when its process starts and closes the connection when it ends, and keeps the connection live for the entire duration of the use of Firefox,” as an idea, something ludicrously important that anyone using Firefox would want to know? Why talk about hosting solutions and whether Google is bad, or talk about whether or which user IP address is leaked, instead of this simple reality that Firefox is giving someone online the timestamp-able metadata for a log of the entire duration of its use? The fact that it is Google is bad, but if it was not Google, it would still be bad. If link “the standards” and say that “the standards” say it should be like this, and therefore it shall, what about if the standards are dumb?

If somebody told me that “the standards” say that mobile handsets should not allow the user to have root access, nor to install applications other than from Google Play, and that therefore PureOS Phosh should not be allowed to exist because it didn’t follow “the standards,” then we would just know that “the standards” were obviously compromised. I would still want to use my Librem 5 in such a case.

Likewise, there is a gap in my understanding regarding the implementation of these push notifications. Obviously, per the LibreWolf thread(s) that were linked above, one option to kill this constant connection to the push service from Firefox is to go into the browser settings and turn off the push connection setting. However, I actually have a use case for getting Firefox notifications on my Librem 5. So on a high level I can understand why users might want the functionality of a push notifications feature. But what I do not understand yet – and again, this might be ignorance speaking – is why a push notification would use a separate server at all. Suppose I was writing a browser: why wouldn’t I make a JavaScript function such as displayNotification("You got pinged"); such that whenever the JavaScript code executing in the browser called this function, the browser then would submit this text string (along with browser name/process name/icon) to the local window manager tech stack to display a “notification.” At no point, when I imagine how I would construct this feature, would I feel the need to connect to a third party independent of the communication between the local browser and the specific site that was visited that is itself providing the notifications. Now that I said this, I suppose the complexity arises from a browser policy that JavaScript is not allowed to run while a site’s visual page is not in the foreground, but I still think that introducing a third-party (Mozilla?) server into the equation seems like a contrived solution rather than an ideal solution.

Maybe this is a call to action that someone should build or invent an ideal solution? As an example, if I want to use my Librem 5 as a libre solution to as much as I can control, but then connect to slack.com for my job, it’s useful for me to enable the Notifications feature from Slack so that when my work pings me, my phone buzzes. But why does this interaction need to involve a third party server that isn’t me, and isn’t slack?

So, getting back to my original point, I don’t really feel like this is a “threat model” thing. It seems like we should all want our devices to leak as little additional information to third parties as possible, unilaterally, and there is an information leak to a third party here that as of yet I do not understand the rationale for. And I would think this would apply to all users.

3 Likes

I cannot answer all of your questions and concerns without spending an hour or two breaking each of them down, so I will only focus on what I perceive as important.


First off, threat modelling is about determining what assets you want to protect, what adversaries are interested in them, and what resources and skills they have to dedicate to acquiring it. Distilled to its rawest form, it is about time, and the more time you want to buy yourself, generally, the more expensive it becomes to protect your assets.

So depending on your threat model, you may end up using different tools even though our adversaries may share similar skillsets. For example, most people are comfortable trusting government-regulated financial institutions with their money, while others may prefer to carry cash, use cryptocurrencies such as Monero, install a floor safe in their basement, and/or build a (modular) vault. The degree of time and resources required to defeat these security mechanisms vary, which is why threat models are different for everyone.


Building on this argument while also addressing the push notification server as previously mentioned, only some users have an issue with the LibreWolf team keeping Web Push enabled. Those who want a solution can access about:config and change the value of dom.push.connection.enabled to false, or use a VPN.

You accept it or make your own “smart” standards.

If you want to read more about how Web Push messages are encrypted, I highly suggest reading the RFC it is based upon.

Read the Introduction.

What is considered ideal is different for everyone, no different from threat models. That is why many proposed “solutions” exist. If they are not suitable for your needs, you either wait for someone to invent it or you build it yourself.

4 Likes

Thanks! This was really helpful. They explained their rationale that Push Notifications on a browser should be sent through a third party to consolidate them and save processing.

With that in mind, I looked up the Mozilla autopush code on GitHub and created my own autopush endpoint using their docker image, on my own server, and modified the Firefox setting dom.push.serverURL from the default push.services.mozilla.com to instead point to some custom URL where my test server was located.

At this point, I encountered something strange. The automatic connection to 34.117.65.55 push notification services was gone, and during startup netstat clearly showed that my Librem 5 handset with the Firefox application running was connecting to my custom server instead of 34.117.65.55 on startup. But, my custom server didn’t do the wss security on top of the ws WebSocket technology correctly [I didn’t bother getting a certificate to do https/wss instead of ws], because I was just senselessly running the Mozilla docker image, so rather than sticking around as an open connection like what we see to 34.117.65.55 from Firefox on default settings, the connection to my server quickly was gone, probably due to some failure although I wasn’t sure where to look for Firefox logs regarding the cause of the error. Again, I’m pretty sure the cause was probably just some configuration on my part.

But then, I had the weirdest thing happen. I tried doing an activity that would give me a Firefox notification for the use case where I need notifications, and I still got the notification anyway despite netstat showing no sign of communicating with the default US Intelligence Air Force Mozilla version of the push noifications, nor any sign of communication with my botched attempt at running the docker image for autopush.

Is that a known thing, that if these systems are not available then notifications still work anyway? I’m just… a little confused about the point of it all. Maybe I’m misunderstanding.

1 Like

Use the Mozilla Autopush documentation, specifically this page.