hachyderm.io is one of the many independent Mastodon servers you can use to participate in the fediverse.

Finally achieved empty tcpdump starting Firefox. Had to find and clear location.services.mozilla.com and push.services.mozilla.com from show-all in about:config. Then there were the following that are hard-coded, not appearing in about:config, for which /etc/hosts needed to be invoked:

firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net
prod.remote-settings.prod.webservices.mozgcp.net
content-signature-chains.prod.autograph.services.mozaws.net

FFS do better.

Cassandrich
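The procedure in the post above, reduced to something repeatable, as an added example that is not part of the original post: it turns the four hostnames the post found hard-coded into /etc/hosts sink entries, emits a user.js fragment for the endpoints the post cleared in about:config, and checks an existing hosts file for full coverage. The pref names (browser.region.network.url, geo.provider.network.url, dom.push.serverURL) are my assumption about which prefs carry location.services.mozilla.com and push.services.mozilla.com; the post only says they were cleared via show-all in about:config.

```shell
#!/bin/sh
# Added example, not from the original post. Generates /etc/hosts sink lines
# and a user.js fragment for the endpoints the post lists, and checks a hosts
# file for coverage. Pref names below are assumptions, not from the post.

# Endpoints the post found hard-coded (not overridable in about:config).
HARDCODED_HOSTS="firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net
prod.remote-settings.prod.webservices.mozgcp.net
content-signature-chains.prod.autograph.services.mozaws.net"

# Endpoints the post cleared in about:config, with the prefs assumed to carry
# them: location.services.mozilla.com via browser.region.network.url (region
# guess) and geo.provider.network.url (network geolocation);
# push.services.mozilla.com via dom.push.serverURL.
PREFS_TO_BLANK="browser.region.network.url geo.provider.network.url dom.push.serverURL"

# Print one /etc/hosts line per hard-coded host. 0.0.0.0 rather than
# 127.0.0.1, so a local listener on 443 cannot accidentally answer for them.
hosts_lines() {
    for h in $HARDCODED_HOSTS; do
        printf '0.0.0.0 %s\n' "$h"
    done
}

# Print user.js lines that blank each pref, leaving Firefox no URL to fetch.
userjs_lines() {
    for p in $PREFS_TO_BLANK; do
        printf 'user_pref("%s", "");\n' "$p"
    done
}

# Check that every hard-coded host is mapped to a sink address (0.0.0.0 or
# 127.0.0.1) in the hosts file given as $1. Reports each unsunk host on
# stderr; returns 1 if any is missing, 0 otherwise.
hosts_file_covers() {
    file=$1
    missing=0
    for h in $HARDCODED_HOSTS; do
        if ! awk -v host="$h" '
            /^[[:space:]]*#/ { next }                     # skip comment lines
            ($1 == "0.0.0.0" || $1 == "127.0.0.1") {      # sink address first
                for (i = 2; i <= NF; i++) if ($i == host) found = 1
            }
            END { exit found ? 0 : 1 }' "$file"; then
            printf 'not sunk: %s\n' "$h" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone run: show the generated lines and self-check a temporary hosts
# file built from them (replace with /etc/hosts on a real system).
demo() {
    tmp=$(mktemp)
    hosts_lines > "$tmp"
    hosts_file_covers "$tmp" && echo "all hard-coded hosts sunk in $tmp"
    userjs_lines
    rm -f "$tmp"
}
demo
```

Run `hosts_lines >> /etc/hosts` as root and drop `userjs_lines` output into the profile's user.js, then re-run the tcpdump from the post to confirm. One caveat: sinking the remote-settings and content-signature hosts also stops the updates Firefox pulls over that channel (certificate revocation lists among them), so this is a trade-off rather than a free win.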

It seems the location.services.mozilla.com probe is otherwise there, even if you turned off location access for websites, so that Mozilla can impose region-specific policies on the browser based on where it thinks you are according to geoip. 🤬

This is based on finding it under browser.region.

What are the chances they're using this to disable something privacy-invasive if geoip says you're in the EU? 🤪

Interpretation: The only thing the service returns is its guess for what country you're in (or rather, what country your exit IP address is in), not any more granular location. So this is NOT for providing any sort of location services. It's purely for assigning you a regulatory region.

This kind of thing is VERY DANGEROUS to be implementing, because as soon as you have any sort of support in your software for presumed-region dependent policy, totalitarian states can and will pressure you to do things like automatically trusting their MITM CA if the user is in their jurisdiction.

Then anyone who wants to MITM you can just get you to connect to a WiFi AP that goes out through a VPN to said country, tricking your browser into thinking that's where you are.

If as a software provider you deem it absolutely necessary to support jurisdiction-dependent policy, the only even vaguely safe way to do so is to bind it at application installation time, by offering different versions of the software. You absolutely cannot make it something "detected at runtime".

With all of this comes the reminder that I'm harshly criticizing Mozilla because THEY SHOULD DO BETTER.

Doing the wrong thing because of incompetence (especially by management but also devs) is at least not as bad as doing it because you actively want to Be Evil.

@dalias Which I guess EU citizens (especially ones living abroad) could sue them over, because EU privacy laws like the GDPR aren't region-locked.

@lanodan @dalias it's likely that the regulatory authority in their home country is the only one with a cause of action, but yes, EU citizens abroad could absolutely file complaints over that.

(we're not a lawyer, just familiar with this topic in general)

@dalias Who says it's incompetence and not malice?

@flod That's what happens when it's a state with no leverage.

@dalias Countries either have leverage or they do not. They don't care if your software has this kind of support.

@aslakr IIRC yep, it could be for that.