Finally achieved empty tcpdump starting Firefox. Had to find and clear location.services.mozilla.com and push.services.mozilla.com from show-all in about:config. Then there were the following that are hard-coded, not appearing in about:config, for which /etc/hosts needed to be invoked:
firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net
prod.remote-settings.prod.webservices.mozgcp.net
content-signature-chains.prod.autograph.services.mozaws.net
FFS do better.
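As an added example (not code from dalias's post or from Mozilla), the following POSIX shell helper generates the /etc/hosts sink block for the four hard-coded hostnames listed above and audits an existing hosts file for any of them that are still unblocked, which is the check you want before trusting a quiet tcpdump. The 0.0.0.0 and :: sink addresses and the function names are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames are the ones named in the
# post; mapping them to the 0.0.0.0 / :: sink addresses is an assumption.

FIREFOX_SERVICE_HOSTS="firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net
prod.remote-settings.prod.webservices.mozgcp.net
content-signature-chains.prod.autograph.services.mozaws.net"

# hosts_block: read hostnames on stdin, emit one IPv4 and one IPv6 sink
# line per host, ready to append to /etc/hosts.
hosts_block() {
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        printf '0.0.0.0 %s\n' "$h"
        printf ':: %s\n' "$h"
    done
}

# unblocked_hosts FILE: read hostnames on stdin and print those that FILE
# does not map to a sink address (0.0.0.0, 127.0.0.1 or ::). Comment lines
# are ignored, and a trailing "# ..." comment on a mapping line is skipped.
unblocked_hosts() {
    file=$1
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        awk -v host="$h" '
            /^[[:space:]]*#/ { next }
            ($1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::") {
                for (i = 2; i <= NF; i++) {
                    if ($i == "#") break
                    if ($i == host) { found = 1; exit }
                }
            }
            END { exit (found ? 0 : 1) }
        ' "$file" || printf '%s\n' "$h"
    done
}

# Usage: print the block to append, then audit the live hosts file if readable.
printf '%s\n' "$FIREFOX_SERVICE_HOSTS" | hosts_block
if [ -r /etc/hosts ]; then
    printf 'Still unblocked in /etc/hosts:\n'
    printf '%s\n' "$FIREFOX_SERVICE_HOSTS" | unblocked_hosts /etc/hosts
fi
```

Append the generated block to /etc/hosts as root, then rerun the audit; an empty "still unblocked" list means every listed host now resolves to a sink address on this machine (it says nothing about hosts reached by IP literal or through DoH, which bypasses /etc/hosts entirely).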
It seems the location.services.mozilla.com probe is otherwise there, even if you turned off location access for websites, so that Mozilla can impose region-specific policies on the browser based on where it thinks you are according to geoip.
This is based on finding it under browser.region.
What are the chances they're using this to disable something privacy-invasive if geoip says you're in the EU?
Well look at that.... https://prod.classify-client.prod.webservices.mozgcp.net/
Interpretation: The only thing the service returns is its guess for what country you're in (rather what country your exit IP address is in), not any more granular location. So this is NOT for providing any sort of location services. It's purely for assigning you a regulatory region.
This kind of thing is VERY DANGEROUS to be implementing, because as soon as you have any sort of support in your software for presumed-region dependent policy, totalitarian states can and will pressure you to do things like automatically trusting their MITM CA if the user is in their jurisdiction.
Then anyone who wants to MITM you can just get you to connect to a WiFi AP that goes out through a VPN to said country, tricking your browser that that's where you are.
If as a software provider you deem it absolutely necessary to support jurisdiction-dependent policy, the only even vaguely safe way to do so is to bind it at application installation time, by offering different versions of the software. You absolutely cannot make it something "detected at runtime".
With all of this comes the reminder that I'm harshly criticizing Mozilla because THEY SHOULD DO BETTER.
Doing the wrong thing because of incompetence (especially by management but also devs) is at least not as bad as doing it because you actively want to Be Evil.
@dalias Who says it's incompetence and not malice?
@dalias And yet reality shows that browsers went exactly the opposite way, e.g. https://blog.mozilla.org/en/mozilla/mozilla-takes-action-to-protect-users-in-kazakhstan/
@flod That's what happens when it's a state with no leverage.
@dalias Countries either have leverage or they do not. They don't care if your software has this kind of support.
@dalias Aren't they activating DNS over HTTPS (DoH) towards Cloudflare (and others) outside the EU? https://support.mozilla.org/en-US/kb/firefox-dns-over-https
@aslakr IIRC yep, it could be for that.