When I first open Firefox, I always get this notification from my firewall within about 30 seconds-ish. It does not matter if I'm yet browsing the web, I could just have a blank page up, or I could be using a local network website; I always get a message saying that Firefox is attempting to connect to safebrowsing.google.com.

As you can see in the firewall prompt picture, this connection is started by my computer, more specifically Firefox.

As you can see in the picture of my firewall's packet log, there are repeated inbound/outbound connections to that address with the browser just sitting open, and not doing anything.

System Details:

• Firefox 32.0.0.5350
• Windows 8

Firefox Details:

• Options/Advanced/Update/Firefox updates: Never check for updates
• Options/Advanced/Update/Automatically update: Search Engines is unchecked.
• Options/Advanced/Data Choices/Telemetry: Telemetry is unchecked.
• Options/Advanced/Data Choices/Firefox Health Report: Enable Firefox Health Report is unchecked.
• Options/Advanced/Data Choices/Crash Reporter: Enable Crash Reporter is unchecked.
• Options/General/Startup: When Firefox Starts is set to Show my home page.
• Options/General/Startup: Home Page is set to about:newtab.
• Manage Search Engine List: Google is set at the top of my list, and Show search suggestions is enabled.

If I manually attempt to visit safebrowsing.google.com in Firefox it just redirects to Google.ca. According to Wikipedia:

The Google Chrome, Apple Safari and Mozilla Firefox web browsers use the lists from the Google Safe Browsing service for checking pages against potential threats.

However, I don't see what Firefox could possibly be looking up when I'm not even browsing the web.

As mentioned in this answer, shouldn't it only be looking things up if I perform a search, or type a URL in the address bar?

I would like to know why this connection is occuring, and what is being sent/recieved over it? This will help me decide whether to leave it alone, create a custom firewall rule blocking it, or ditch Firefox for a more respectful browser; I have low tolerance for non-user-initiated internet/network use by any application, even if it is intended to be helpful.

2 Answers

You are getting an up to date list of blacklisted URLs that are known to contain phishing and malware. The update happens shortly after startup and once again every 30-45 minutes.

Mozilla claims the following:

"No information about you or the sites you visit is communicated during list updates... in the event that you encounter a reported phishing or malware site [b]efore blocking the site, Firefox will request a double-check to ensure that the reported site has not been removed from the list since your last update."

The accepted answer here is unfortunately completely wrong, as this feature can absolutely be disabled easily.

Despite what it says, none of the messing with the hosts file is necessary, you can just change the "Block reported attack sites" and "Block reported web forgeries" settings in Firefox's Security Preferences and this will stop both the updates and checking the lists from happening.

If you manually fiddle in the about:config settings, you must also flip this preference: "browser.safebrowsing.downloads.enabled" which disables updating of blacklisted downloads as well.

Mozilla claims that no information about search queries is ever sent, only the double-check of an encountered reported phishing or malware site, as mentioned above.

Browsers that use Google's Safe Browsing will periodically download the most recent list of dangerous sites. When you visit a site the local copy of the list will be checked to make sure it's not flagged. Information about your system such as your IP, cookies that uniquely identify your computer, and you search query may sometimes be uploaded to Google (REF: ) (REF: ) (REF: ).

So it appears that this is what my computer is sending/receiving. The reason it occurs all the time is because I have disk protection installed that erases changes upon reboot so my list is likely way out of data the first time I open Mozilla Firefox.

Unfortunately the Google Safe Browsing feature of Mozilla Firefox cannot be turned off. You can alter your settings to not use the Google Safe Browsing list. Go to Options/Security and uncheckBlock reported attack sites and Block reported web forgeries (REF: ) . However this doesn't prevent Mozilla Firefox from sending/recieving data from safebrowsing.google.com, it only tells your browser not to use the list information to protect you.

Work Arounds:

1. Create an entry in you hosts file to redirect safebrowsing.google.com to your localhost ip address. This will protect you from any program you run that uses Google Safe Browsing, because the connection attempt will be to your own computer instead of Google's server.

   • Open C:\Windows\System32\Drivers\etc\hosts in Notepad with administrative privilidges.
   • At the bottom write:

127.0.0.1 safebrowsing.google.com

• Save, and exit Notepad.

  2. Create a firewall rule that blocks Mozilla Firefox from connecting to host name safebrowsing.google.com, the IP address 173.194.33.102, or the MAC address 00-22-75-4a-af-1d. The host name would be the ideal choice to avoid accidental blocking of other Google services that could be hosted from the same IP. Also the IP or MAC addresses could change, but the host name won't since the connection is initiated on your end to a specific host name.

3. Use a different web browser. Pale Moon ( ) is Firefox based, but doesn't seem to have the Google's Safe Browsing feature, at least I don't see the options present, nor does my firewall log any attempts to connect tosafebrowsing.google.com by Pale Moon. It's available in 32bit and 64bit for Windows. There is third party project, Pale Moon For Linux ( ), that ports Pale Moon to Linux.