-
July 25th, 2007, 01:45 PM
#1
FireFox calling home?
I just happened to be running Wireshark doing some other stuff and noticed a very short SSL exchange happen. I had Firefox open, but only on a couple of regular http pages. Any ideas? I didn't think Mozilla was into this kind of secret phoning home, it seems more of an M$ trick. Here's some excerpts from the reassembled convo (with human readable extracts and snips) -- but it's just mostly the SSL cert and encryption setup stuff, nothing to indicate what it's really doing...
Anyone know what's going on?
IP dest was 63.245.209.49 (Mozilla.org)
...+.........aus2.mozilla.org.
........................F..F.?..S.....0....`..bk] .../..L.X G."..6.`...
C..F.[...u..#.F...|..............0...0.........
j
5......:0
..*.H..
.....0..1.0...U....US1.0...U....Texas1.0...U....San Antonio1.0...U....GS CA1$0"..U.
..XRamp Security Services Inc1&0$..U....XRamp Security Services GS CA0..
050105052436Z.
080105054019Z0..1.0...U....US1.0...U...
California1.0...U...
Mountain View1.0...U.
..Mozilla Foundation1.0...U...
*.mozilla.org1.0...U...
*.mozilla.org1%0#..*.H..
.....hostmaster@mozilla.org0..0
http://crl.xrampsecurity.com/XRampGSCA.crl0U..U. .N0L0J..`.H...E....0;09..+........-http://www.xrampsecurity.com/legal/issuer.asp0
-
July 25th, 2007, 02:19 PM
#2
Hi Mykol,
Obviously I don't know what all that means other than that FF was establishing a secure link with the mothership.
As far as I am aware XRamp Security Services Inc. are reputable suppliers of secure communications technology and are accepted by the likes of Visa, Amex and so on.
If you let it, FF will do one or most of these:
1. Check for updates to FF
2. Check for updates to plugins to FF
3. Warn you that an update is available
4. Automatically update
I would suggest that you look at <Tools> <Options> <Updates> and see what your settings are.
If that happened this morning (GMT) then FF did do an update on my machine.
-
July 25th, 2007, 02:28 PM
#3
CRL? Certificate Revocation List? It looks like an SSL certificate..
FF update check seems the most logical explanation.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 25th, 2007, 03:45 PM
#4
yep
...that's what I was leading to -- an update, or a certificate update. Just wondering if anyone had any insight on anything *else* that may be going on. If it were Internet Exploder, I'd immediately think malicious, with Mozilla, I'm thinking practical (and giving the benefit of the doubt)...
cheers!
-
July 25th, 2007, 09:19 PM
#5
nihil is right. FF checks for updates rather regularly. Several times a day (Don't know the actual number) but when it does that it checks for updates for anything else like plugins etc. If you have ThunderBird, you will probably notice the same thing going on to pretty much the same internet addresses.
I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey
-
July 29th, 2007, 06:00 PM
#6
weird how it uses an SSL connection to do it though........transmitting private information maybe??? Could be worthwhile setting an SSL proxy up to see what is being sent...
//edit: although on second thoughts it is going to need to validate the identity of the remote host that it receives updates from.
-
July 29th, 2007, 07:42 PM
#7
first of all, wow. we're getting paranoid about open source code?
It's using a cert to verify the update. otherwise you can't verify its integrity. Windows update does the same thing. Or, didn't you know?
-
July 29th, 2007, 08:10 PM
#8
first of all, wow. we're getting paranoid about open source code?
Shame, shame and triple shame on you d34dl0k1 !!!. You actually only got a half of it there
Open source, closed source............... it really doesn't matter.......... both are equally crap.
What I didn't bother to mention was "what are the motives of FF to do such a thing............err like what benefits would they gain?"
To get a reasonable chance of a conviction you have to demonstrate:
1. Ability to commit the crime
2. Presence (or at least lack of alibi)
3. Motive to commit said crime
It is on #3 that the case fails miserably?
Incidentally, don't get seduced by open source............... I could provide many open sources....... and you wouldn't even know what language they were in? They are not "audited" by jealous "wannabees", unlike closed source applications....... mainly because such information is of no commercial value.
-
July 30th, 2007, 04:48 AM
#9
Ha! We agree both are equally crap. However, I find even the slightest accusation against Firefox to be somewhat ignorant when the benefit of THE SOURCE is available!
Seduced by open source... that's the first time I've been accused of THAT! ha.
-
July 30th, 2007, 08:17 AM
#10
Hi, d34dl0k1,
I get the feeling that there is something of a generation gap (or three!) between us?
I come from a generation when you actually got the source (if you wanted it) of COTS products. So, these packages would be "closed source" in today's nomenclature because they are proprietary COTS?
I am referring to stuff like IBM's "MAAPICS" and the like, and I am talking about applications, NOT operating systems.
Now, you needed the source for systems integration and interfacing your own grown applications (typically, reporting and statistics).
What you did not do, is mess with the source (that made your application unsupportable under the terms of your EULA)............hence my use of the expression "seduce". Because there is a temptation to make amendments to the sources of today's "open source" applications. In fact you are encouraged to do so?
I take your point that the "vanilla" version of an open source application is unlikely to contain anything underhand, because it can be examined, and will have been subjected to an independent peer review.
My approach was that the provider (Mozilla) has no motivation to do such a thing anyway. My advice would be that people should just be sure to get their open source applications from the developers' or other trusted website.
Mainstream open source code will be scrutinised, but the compiled executable on http:/narstyhakzncrakz.biz will not have been. And the source could well have been amended to produce that compilation.