I was playing around with Wireshark when I noticed something very suspicious: every time I open Firefox (official build from Ubuntu repos), it immediately connects to a server with an apparently random name like d2ddoduugvun08.cloudfront.net and sends some encrypted data.
I couldn't find anything specific on this domain, but it pops up on some malware sites.
At first I thought it was some Firefox telemetry server but it is disabled and the server is not a Mozilla server.
I deleted my ~/.mozilla folder, in case my profile was the problem, but the connection was still there every time.
At this point I thought my installation of Firefox was compromised, so I purged it and redownloaded it from the repos. The connection was still there.
I moved to another machine with Windows, and it doesn't make this connection; when I booted into an Ubuntu live USB, it does.
I decided to build Firefox from source and it does not make this connection.
I tried to use mitmproxy to intercept it but it ignores my system proxy settings.
So my question is: is this a legit thing added by Canonical? Is the Firefox package on Ubuntu compromised by some malware?
Thanks
Best Answer
It appears to be Firefox heartbeat telemetry. It could be disabled in about:config settings (that particular one can probably be disabled with app.normandy.enabled=false in about:config).

If you do not like Firefox phoning home (and elsewhere), there are also a few other settings you may want to change
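
Changes made in about:config are stored per profile, so a deleted or freshly created profile goes back to the build default. The following is an added example, not part of the original answer, that reports what each profile has stored for app.normandy.enabled. It assumes profiles live under ~/.mozilla/firefox and that settings are kept as user_pref(...) lines in prefs.js, with user.js applied over them at startup; the function names are hypothetical.

```python
import re
from pathlib import Path

# Matches lines such as: user_pref("app.normandy.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Parse user_pref() lines into a dict of name -> bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and anything that is not a pref line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def effective_pref(profile_dir, name):
    """Return the value stored in this profile, or None when it is unset
    (in which case the build's own default applies)."""
    merged = {}
    for fname in ("prefs.js", "user.js"):  # user.js overrides prefs.js
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            merged.update(parse_prefs(text))
    return merged.get(name)

def audit(firefox_root, name="app.normandy.enabled"):
    """Map each profile directory under firefox_root to its stored value."""
    result = {}
    for d in sorted(p for p in Path(firefox_root).iterdir() if p.is_dir()):
        if (d / "prefs.js").exists() or (d / "user.js").exists():
            result[d.name] = effective_pref(d, name)
    return result

if __name__ == "__main__":
    root = Path.home() / ".mozilla" / "firefox"  # assumed profile location
    if root.is_dir():
        for profile, value in audit(root).items():
            print(f"{profile}: app.normandy.enabled = {value}")
```

A result of None means the profile has never overridden the setting, which is the state of any profile recreated after ~/.mozilla was deleted.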