What is being sent to/received from "safebrowsing.google.com" when I open Firefox?

9

3

When I first open Firefox, I always get this notification from my firewall within about 30 seconds-ish. It does not matter if I'm yet browsing the web, I could just have a blank page up, or I could be using a local network website; I always get a message saying that Firefox is attempting to connect to safebrowsing.google.com.

Firewall Prompt

As you can see in the firewall prompt picture, this connection is started by my computer, more specifically Firefox.

Firewall Packet Log

As you can see in the picture of my firewall's packet log, there are repeated inbound/outbound connections to that address with the browser just sitting open, and not doing anything.

System Details:

  • Firefox 32.0.0.5350
  • Windows 8

Firefox Details:

  • Options/Advanced/Update/Firefox updates: Never check for updates
  • Options/Advanced/Update/Automatically update: Search Engines is unchecked.
  • Options/Advanced/Data Choices/Telemetry: Telemetry is unchecked.
  • Options/Advanced/Data Choices/Firefox Health Report: Enable Firefox Health Report is unchecked.
  • Options/Advanced/Data Choices/Crash Reporter: Enable Crash Reporter is unchecked.
  • Options/General/Startup: When Firefox Starts is set to Show my home page.
  • Options/General/Startup: Home Page is set to about:newtab.
  • Manage Search Engine List: Google is set at the top of my list, and Show search suggestions is enabled.

If I manually attempt to visit safebrowsing.google.com in Firefox it just redirects to Google.ca. According to Wikipedia:

The Google Chrome, Apple Safari and Mozilla Firefox web browsers use the lists from the Google Safe Browsing service for checking pages against potential threats.

However, I don't see what Firefox could possibly be looking up when I'm not even browsing the web.

As mentioned in this answer, shouldn't it only be looking things up if I perform a search, or type a URL in the address bar?

I would like to know why this connection is occurring, and what is being sent/received over it? This will help me decide whether to leave it alone, create a custom firewall rule blocking it, or ditch Firefox for a more respectful browser; I have low tolerance for non-user-initiated internet/network use by any application, even if it is intended to be helpful.

Robin Hood

Posted 2014-10-28T05:39:20.857

Reputation: 3 192

1

It might be just updating the list of safe sites. This might be worth reading: https://support.mozilla.org/fr/questions/922449

– rink.attendant.6 – 2014-10-28T05:44:53.503

Answers

-3

Browsers that use Google's Safe Browsing will periodically download the most recent list of dangerous sites. When you visit a site the local copy of the list will be checked to make sure it's not flagged. Information about your system such as your IP, cookies that uniquely identify your computer, and your search query may sometimes be uploaded to Google (REF: http://www.google.com/intl/en_us/privacy/browsing.html ) (REF: https://www.google.com/intl/en/chrome/browser/privacy/ ) (REF: http://www.google.com/intl/en/policies/privacy/key-terms/#toc-terms-server-logs ).

So it appears that this is what my computer is sending/receiving. The reason it occurs all the time is because I have disk protection installed that erases changes upon reboot so my list is likely way out of date the first time I open Mozilla Firefox.

Unfortunately the Google Safe Browsing feature of Mozilla Firefox cannot be turned off. You can alter your settings to not use the Google Safe Browsing list. Go to Options/Security and uncheck Block reported attack sites and Block reported web forgeries (REF: https://support.mozilla.org/en-US/questions/922449 ). However this doesn't prevent Mozilla Firefox from sending/receiving data from safebrowsing.google.com, it only tells your browser not to use the list information to protect you.

Work Arounds:

  1. Create an entry in your hosts file to redirect safebrowsing.google.com to your localhost IP address. This will protect you from any program you run that uses Google Safe Browsing, because the connection attempt will be to your own computer instead of Google's server.

    • Open C:\Windows\System32\Drivers\etc\hosts in Notepad with administrative privileges.
    • At the bottom write:

      127.0.0.1 safebrowsing.google.com

    • Save, and exit Notepad.

  2. Create a firewall rule that blocks Mozilla Firefox from connecting to host name safebrowsing.google.com, the IP address 173.194.33.102, or the MAC address 00-22-75-4a-af-1d. The host name would be the ideal choice to avoid accidental blocking of other Google services that could be hosted from the same IP. Also the IP or MAC addresses could change, but the host name won't since the connection is initiated on your end to a specific host name.

Firewall Rule For Symantec Endpoint Protection

  3. Use a different web browser. Pale Moon ( http://www.palemoon.org/ ) is Firefox based, but doesn't seem to have Google's Safe Browsing feature, at least I don't see the options present, nor does my firewall log any attempts to connect to safebrowsing.google.com by Pale Moon. It's available in 32bit and 64bit for Windows. There is a third party project, Pale Moon For Linux ( http://sourceforge.net/projects/pm4linux/ ), that ports Pale Moon to Linux.

Disable Safe Browsing List Use In Mozilla Firefox vs Pale Moon Absence

Robin Hood

Posted 2014-10-28T05:39:20.857

Reputation: 3 192

Of your first 3 "REF"erences: 1 is only a redirect to 2, and they're about Google Chrome (Not Firefox). And the 3rd only talks about what every website tries to do - log IPs and read its own cookies. None of your references say if Firefox treats updating the "safe browsing list" like a regular website visit (using cookies) or if it's a stand-alone one-shot download. And your Pale Moon "screenshot" clearly shows the Firefox checkboxes to turn OFF "safe browsing" – Xen2050 – 2015-02-26T15:21:18.513

1 The MAC address is totally irrelevant for internet traffic. – Brad – 2016-02-22T19:49:33.333

9

You are getting an up to date list of blacklisted URLs that are known to contain phishing and malware. The update happens shortly after startup and once again every 30-45 minutes.

Mozilla claims the following:

"No information about you or the sites you visit is communicated during list updates... in the event that you encounter a reported phishing or malware site [b]efore blocking the site, Firefox will request a double-check to ensure that the reported site has not been removed from the list since your last update."

The accepted answer here is unfortunately completely wrong, as this feature can absolutely be disabled easily.

Despite what it says, none of the messing with the hosts file is necessary, you can just change the "Block reported attack sites" and "Block reported web forgeries" settings in Firefox's Security Preferences and this will stop both the updates and checking the lists from happening.

Firefox Security Preferences image

If you manually fiddle in the about:config settings, you must also flip this preference: "browser.safebrowsing.downloads.enabled" which disables updating of blacklisted downloads as well.

Mozilla claims that no information about search queries is ever sent, only the double-check of an encountered reported phishing or malware site, as mentioned above.

gcp

Posted 2014-10-28T05:39:20.857

Reputation: 199

4 I appreciate the good intention of editing my post to say "Mozilla claims", but I am the actual person that wrote the code. And yes, you can and should complain and file bugs if it doesn't work as stated. – gcp – 2015-03-23T09:41:51.810

So... Firefox doesn't send my IP to Google, right? I read this https://mailman.stanford.edu/pipermail/liberationtech/2015-April/015236.html and I was looking for an answer when I stumbled upon yours.

– Manuel Durando – 2015-04-27T18:22:42.673

2 If you disable the feature then no connection is made, as pointed out above and in the link you posted. Making a connection to any server (in this case to get an updated malware database) always sends your IP, because the server needs to know where to send the response. That's how TCP/IP and the internet works! The link you quoted isn't...wrong...but written in a quite deceptive manner to make it sound like sending the IP is something exceptional that's intentionally done for malicious reasons. – gcp – 2015-04-28T14:33:51.487

@gcp, since you wrote this feature, could you explain what the "browser.safebrowsing.downloads.remote.enabled" preference does? There doesn't seem to be a kb.mozillazine or developer.mozilla page on it, and googling it comes back only to this page. – sundar - Reinstate Monica – 2015-07-07T01:01:19.937

@sundar This enables remote lookups for the Application Reputation/Download Protection part of SafeBrowsing. This is only relevant when you do an actual download, not during normal browsing. We have a local blacklist of hashes of evil binaries. If something is not on the blacklist, we check a local whitelist of signer certificates. If the binary is not signed or the signature is unknown, we'll do a remote lookup to verify that it is not a known virus or malware. With the remote lookup disabled, only things on the local blacklist are blocked. – gcp – 2015-07-08T08:18:59.833

1

@sundar The feature page is here, there are links to further documentation. https://wiki.mozilla.org/Security/Features/Application_Reputation

– gcp – 2015-07-08T08:22:17.283
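
The download-check order described in the comments above (local blacklist of hashes, then local whitelist of signers, then a remote lookup only if that preference is enabled), as an added Python model that is not Firefox's code and not written by anyone in this thread. The class, field and sample names are hypothetical, the remote service is replaced by a local stand-in set so the example runs offline, and recording the digest as "what was sent" is an assumption, since the page does not describe the request contents.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class DownloadProtection:
    """Simplified model of the lookup order; every name here is hypothetical."""
    blocked_hashes: set           # local blacklist: SHA-256 hex digests of known-bad binaries
    trusted_signers: set          # local whitelist: signer certificate names
    remote_enabled: bool = True   # models browser.safebrowsing.downloads.remote.enabled
    remote_bad: set = field(default_factory=set)        # stand-in for the server's verdicts
    remote_queries: list = field(default_factory=list)  # one entry per lookup that left the machine

    def check(self, data: bytes, signer=None) -> str:
        digest = hashlib.sha256(data).hexdigest()
        # Step 1: local blacklist. No network traffic.
        if digest in self.blocked_hashes:
            return "blocked (local blacklist)"
        # Step 2: local signer whitelist. No network traffic.
        if signer is not None and signer in self.trusted_signers:
            return "allowed (trusted signer)"
        # Step 3: unsigned or unknown signer. Remote lookup only if the preference is on.
        if not self.remote_enabled:
            return "allowed (remote lookup disabled)"
        self.remote_queries.append(digest)
        if digest in self.remote_bad:
            return "blocked (remote verdict)"
        return "allowed (remote verdict)"


def demo(remote_enabled: bool):
    # Constructed sample inputs: placeholder byte strings and a made-up signer name.
    known_bad, unknown_bad, signed_ok = b"sample-A", b"sample-B", b"sample-C"
    dp = DownloadProtection(
        blocked_hashes={hashlib.sha256(known_bad).hexdigest()},
        trusted_signers={"Example Software Ltd"},
        remote_enabled=remote_enabled,
        remote_bad={hashlib.sha256(unknown_bad).hexdigest()},
    )
    verdicts = [
        dp.check(known_bad),                                 # caught locally
        dp.check(signed_ok, signer="Example Software Ltd"),  # cleared locally
        dp.check(unknown_bad),                               # depends on the remote preference
    ]
    return verdicts, len(dp.remote_queries)


if __name__ == "__main__":
    for enabled in (True, False):
        print(enabled, demo(enabled))
```

With the remote lookup off, the third sample passes and the query count stays at zero, which is the trade-off the comment describes: only things on the local blacklist are blocked.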