
#1 2009-10-11 02:22:26

toxygen
Member
Registered: 2008-08-22
Posts: 713

Why, google, why? [solved - kind of]

let me preface by saying this is not a discussion about google and its practices, i don't want to start some kind of argument about privacy/paranoia :)

here is my situation.  I want to be able to open firefox, go to x.y.z webpage, and not have google loading for no reason.  let me describe what happens now.
- open firefox (no homepage, no search box, no extensions).  netstat shows me no open connections.   so far so good. 
- visit archlinux, opens up "archlinux.org" (and lets say netstat shows me a connection to "archlinux.org" (I know that's not the actual server name)).  so far so good.
- a few seconds into this, i see this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    Timer
tcp        0      0 192.168.1.100:48738     iy-in-f100.google.c:www ESTABLISHED user   19146      3204/firefox-bin    off (0.00/0/0)

ok so there's an open outgoing connection to google. why?  ok, i'm assuming (big assumption here based on other similar forums) that it has something to do with ads, or the search engine, or whatever.  I add the following to /etc/hosts:

# [Google Inc]
127.0.0.1 adwords.google.com #[Gmail ads]
127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com #[Google AdWords]
127.0.0.1 adservices.google.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 www.google-analytics.com #[Google Analytics]
127.0.0.1 imageads.googleadservices.com #[TrackingCookie.Googleadservices]
127.0.0.1 imageads1.googleadservices.com
127.0.0.1 imageads2.googleadservices.com
127.0.0.1 imageads3.googleadservices.com
127.0.0.1 imageads4.googleadservices.com
127.0.0.1 imageads5.googleadservices.com
127.0.0.1 imageads6.googleadservices.com
127.0.0.1 imageads7.googleadservices.com
127.0.0.1 imageads8.googleadservices.com
127.0.0.1 imageads9.googleadservices.com
127.0.0.1 www.googleadservices.com
127.0.0.1 show.googleadsenseagent.com
127.0.0.1 www.googlecaches.com

(sorry if this seems wrong to some of you, this is my choice).  I also have noscript blocking everything it can on firefox.  close firefox, wait for all connections to close (60 seconds from what i've seen).  then run netstat again with the command

netstat -utoceewp (as root, though i don't think you need to be root)

the command above shows me the status/keep-alive timer of the connection.  well, the google connection has its timer set to off (which i take it to mean a persistent connection).  Why?

I close firefox, wait for all connections to close.  Ok, no connections again (other than ntp/smtp, not related to the discussion).

ok, let's assume that the open google connection is something to do with forum software, etc.  fine. I create a webpage on my own host, with absolutely nothing connecting to other sites.  netstat again shows the connection to my host, and closes after no activity. this is how it should be.  I close the tab and go back to a blank start page.  a few seconds later, as I check netstat (which is in continuous mode per the command above), i see a new connection open:

tcp        0      0 192.168.1.100:48738     iy-in-f100.google.c:www ESTABLISHED user   19146      3204/firefox-bin    off (0.00/0/0)

huh?? nothing is loading, no other network programs are open (again other than ntpd and mail are open, not using gmail).  sometimes i see this when i just open firefox with no webpage, after a few seconds of letting it sit there.  why, google, why??

so short of blocking google altogether, or disconnecting my network after loading each webpage I want (is there perhaps a firefox extension that does this? a "kill all connections" extension? :) ), can anyone explain what this is all about?

i've tried googling (!) but can't find anything about this (surprise surprise!).  Before you start calling me paranoid and overly worried about nothing, this is not about anything other than i want to have as much control as i can over what connections my computer opens to the world.  and i wouldn't have that much of an issue with it if there wasn't that strange connection opening when there are no webpages open and firefox is just sitting there doing nothing.

can anyone verify? or better yet, can anyone tell me how to stop this?  Thanks!

[edit] forgot to mention, I have searched for that host, and it is part of the google server farm, so it is an outgoing connection from firefox as noted in netstat, to google, for no reason that appears obvious to me.  and arch is pretty good, i was mainly using it as an example, as the google connection doesn't open from the arch servers (as far as i can tell it seems almost random unless i visit a webpage with obvious google tools/search boxes (or google itself obviously))

Last edited by toxygen (2009-10-11 17:35:18)


"I know what you're thinking, 'cause right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here:
Why oh why didn't I take the BLUE pill?"

Offline
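
Added example, not part of any post in this thread: one way to pick the unexpected connection out of `netstat -utoceewp` output instead of reading the whole table by eye. The function name, the allowlist pattern and the sample rows (modelled on the output quoted above, including the truncated host name netstat prints) are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter netstat output for ESTABLISHED TCP connections whose
# foreign host is not on an allowlist. All names and rows are constructed.

# Constructed sample in the column layout of `netstat -utoceewp`.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    Timer
tcp        0      0 192.168.1.100:48738     iy-in-f100.google.c:www ESTABLISHED user       19146      3204/firefox-bin    off (0.00/0/0)
tcp        0      0 192.168.1.100:48740     archlinux.org:www       ESTABLISHED user       19150      3204/firefox-bin    keepalive (7.10/0/0)
tcp        0      0 192.168.1.100:50907     newslb308.telhc.bbc:www TIME_WAIT   root       0          -                   timewait (32.82/0/0)
udp        0      0 192.168.1.100:ntp       0.0.0.0:*                           root       4021       1102/ntpd           off (0.00/0/0)
EOF
}

# unexpected_conns ALLOW_REGEX [PROGRAM]
# Reads netstat output on stdin and prints "program host timer-state" for
# every ESTABLISHED TCP row whose foreign host does not match ALLOW_REGEX.
# Pass '^$' as ALLOW_REGEX to allow nothing. PROGRAM limits output to one
# program name (the part after "PID/").
unexpected_conns() {
    awk -v allow="$1" -v prog="${2:-}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($9, p, "/")          # "3204/firefox-bin" -> pid, name
            name = (n >= 2) ? p[2] : "-"
            host = $5
            sub(/:[^:]*$/, "", host)       # drop the trailing ":port"
            if (prog != "" && name != prog) next
            if (host ~ allow) next
            print name, host, $(NF - 1)    # timer state precedes "(a/b/c)"
        }'
}

# Against the constructed sample: only the google row is reported.
sample_netstat | unexpected_conns '^archlinux[.]org$' firefox-bin
```

On a live system the same function can be fed from a single `netstat -utoep` run, since `-c` never terminates.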

#2 2009-10-11 02:30:10

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,396
Website

Re: Why, google, why? [solved - kind of]

I assume you have phishing detection turned off?

Offline

#3 2009-10-11 02:55:23

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: Why, google, why? [solved - kind of]

Allan wrote:

I assume you have phishing detection turned off?

I was about to have a /facepalm moment, but i do have it off :)

Last edited by toxygen (2009-10-11 02:55:34)



Offline

#4 2009-10-11 03:11:57

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Why, google, why? [solved - kind of]

Does firefox do address searching while you type?

In Chromium, the phishing detection works via a pre-downloaded list, which urls are checked against - not by sending the urls to google.

Offline

#5 2009-10-11 03:26:55

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: Why, google, why? [solved - kind of]

iphitus wrote:

Does firefox do address searching while you type?

In Chromium, the phishing detection works via a pre-downloaded list, which urls are checked against - not by sending the urls to google.

I had history search and bookmark search both on.  I disabled both, but the behavior continues to exhibit.  good idea though.



Offline

#6 2009-10-11 04:05:31

LeoSolaris
Member
From: South Carolina
Registered: 2008-03-30
Posts: 354

Re: Why, google, why? [solved - kind of]

Your search box in Firefox... is it set to Google? (Right by the address bar.) That MAY be the culprit. Maybe.

Try switching it to Wikipedia or Yahoo.

If that's not it, I have no idea. Switch to another browser? Iron is alright, if you don't mind the loss of flash and java. Or Uzbl.


I keep getting distracted from my webserver project...

huh? oooh...  shiny!

Offline

#7 2009-10-11 04:23:29

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: Why, google, why? [solved - kind of]

LeoSolaris wrote:

Your search box in Firefox... is it set to Google? (Right by the address bar.) That MAY be the culprit. Maybe.

Try switching it to Wikipedia or Yahoo.

searchbox is completely off

LeoSolaris wrote:

If that's not it, I have no idea. Switch to another browser? Iron is alright, if you don't mind the loss of flash and java. Or Uzbl.

i might try testing other browsers, but i need the functionality firefox + extensions give.  plus noscript pretty much handles what i need, except for this one weird google thing.



Offline

#8 2009-10-11 05:11:08

1LordAnubis
Member
Registered: 2008-10-10
Posts: 253
Website

Re: Why, google, why? [solved - kind of]

Edit: nevermind, it seems you already use the no script add on

I always thought the "Forbid google-analytics.com" would solve the problem

Last edited by 1LordAnubis (2009-10-11 05:13:40)


Any society that would give up a little liberty to gain a little security will deserve neither and lose both.
-Benjamin Franklin
The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.
-George Bernard Shaw

Offline

#9 2009-10-11 05:11:35

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: Why, google, why? [solved - kind of]

You could test another browser, just to be sure it's something in firefox.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#10 2009-10-11 05:14:54

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: Why, google, why? [solved - kind of]

1LordAnubis wrote:

Edit: nevermind, it seems you already use the no script add on

I always thought the "Forbid google-analytics.com" would solve the problem

as did i, and i have it blocked in both noscript and in the hosts file (see above)

ngoonee wrote:

You could test another browser, just to be sure it's something in firefox.

the only problem i see on this is that most other browsers don't support noscript, so they would load background scripts (like google-analytics) with no real way of blocking



Offline

#11 2009-10-11 05:15:46

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: Why, google, why? [solved - kind of]

by the way, am i the only one seeing this, or are any of you able to duplicate this behavior?



Offline

#12 2009-10-11 05:17:54

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: Why, google, why? [solved - kind of]

My netstat output is really long, I have all these daemons running which pretty much establish connection all the time (including IMAP downloads from gmail) so it would be too much trouble for me to test, sorry.



Offline

#13 2009-10-11 05:21:37

1LordAnubis
Member
Registered: 2008-10-10
Posts: 253
Website

Re: Why, google, why? [solved - kind of]

toxygen wrote:

by the way, am i the only one seeing this, or are any of you able to duplicate this behavior?

Eerily confirmed:

anubis@thor ~/ $ netstat | grep google
tcp        0      0 192.168.1.3:39904       yx-in-f101.google.c:www ESTABLISHED


Offline

#14 2009-10-11 05:23:11

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: Why, google, why? [solved - kind of]

Why don't you tcpdump it, and see what it's doing?

Offline

#15 2009-10-11 06:12:58

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: Why, google, why? [solved - kind of]

Google Safe Browsing? Firefox incorporates it.

Offline

#16 2009-10-11 07:01:21

rusty99
Member
Registered: 2009-03-18
Posts: 253

Re: Why, google, why? [solved - kind of]

Appears to be caused by a flash cookie,

Offline

#17 2009-10-11 07:11:05

deej
Member
Registered: 2008-02-08
Posts: 395

Re: Why, google, why? [solved - kind of]

[deej@ShaDoh ~]$ netstat | grep google
[deej@ShaDoh ~]$

I'm using Opera; no special settings aside from 'delete all cookies when exiting Opera' and
I'm using Scroogle Scraper as default search engine. NetStat was run with multiple web-pages
opened, including BBC News (!).

Deej

[EDIT]

...but with 'netstat -utoceewp', we have:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    Timer
tcp        0      0 cpc1-linc4-0-0-cu:50703 84.53.178.91:www        ESTABLISHED deej       30413      1699/opera          off (0.00/0/0)
tcp        0      0 cpc1-linc4-0-0-cu:36590 wy-in-f138.google.c:www ESTABLISHED deej       30564      1699/opera          off (0.00/0/0)

mmm...

[EDIT 2]

...after blocking 'wy-in-f138.google.com' in Opera's Preferences, we have:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    Timer
tcp        0      0 cpc1-linc4-0-0-cu:49819 84.53.178.217:www       ESTABLISHED deej       32065      3443/opera          off (0.00/0/0)
tcp        0      0 cpc1-linc4-0-0-cu:54258 sitecheck2.opera.co:www ESTABLISHED deej       32034      3443/opera          off (0.00/0/0)
tcp        0      0 cpc1-linc4-0-0-cu:50907 newslb308.telhc.bbc:www TIME_WAIT   root       0          -                   timewait (32.82/0/0)
tcp        0      1 cpc1-linc4-0-0-cu:54245 sitecheck2.opera.co:www FIN_WAIT1   root       0          -                   on (10.35/8/0)

Last edited by deej (2009-10-11 08:17:08)

Offline

#18 2009-10-11 07:45:33

zowki
Member
From: Trapped in The Matrix
Registered: 2008-11-27
Posts: 582
Website

Re: Why, google, why? [solved - kind of]

I don't have access to my linux box right now but I can verify that this is happening in google chrome (duh!), internet explorer and firefox (tested with netstat in windows xp). I'm going to install wireshark and start analyzing these packets. Will report back my finds.

Edit:
I'm no networking expert so I didn't understand anything by looking at the data of each packet and I don't think I'll post the packets here since I might give off too much information about my computer by doing that.

Last edited by zowki (2009-10-11 08:33:01)


How's my programming? Call 1-800-DEV-NULL

Offline

#19 2009-10-11 12:27:13

atordo
Member
Registered: 2007-04-21
Posts: 147

Re: Why, google, why? [solved - kind of]

Just a suggestion for further investigation: install privoxy and set a proper debug level (i.e. "debug 15361" in the config file). Set Firefox to use the proxy, run it for a while then examine the log file. If you can find some pattern you can block the offending hosts/paths.

Offline

#20 2009-10-11 12:56:22

mcover
Member
From: Germany
Registered: 2007-01-25
Posts: 134

Re: Why, google, why? [solved - kind of]

It's safebrowsing.

153    96.047363    X.X.X.X    66.102.9.100    HTTP    POST /safebrowsing/downloads?client=navclient-auto-ffox&appver=3.5.3&pver=2.2&wrkey=[...] HTTP/1.1  (text/plain)

You can disable it by going to "about:config", filter "safebrowsing" and set "browser.safebrowsing.enabled" to "false".

Offline
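
Added example, not part of any post in this thread: a way to turn a packet-capture summary like the line quoted above into a per-feature count, so a recurring background request stands out by destination, path and `client=` value. The function name and all sample rows except the one quoted in the post are constructed; the elided `wrkey=[...]` is kept as it appears there, and the query string is dropped from the report so keys are not copied into notes.

```shell
#!/bin/sh
# Added example: summarise HTTP requests from capture summary lines
# (columns: No. Time Source Destination Protocol Info). Constructed names.

# First row is the line quoted in the thread; the rest are constructed.
sample_capture() {
cat <<'EOF'
150    95.901220    192.0.2.10    66.102.9.100    TCP     48738 > http [SYN] Seq=0
153    96.047363    X.X.X.X    66.102.9.100    HTTP    POST /safebrowsing/downloads?client=navclient-auto-ffox&appver=3.5.3&pver=2.2&wrkey=[...] HTTP/1.1  (text/plain)
310    1896.112004    192.0.2.10    66.102.9.100    HTTP    POST /safebrowsing/downloads?client=navclient-auto-ffox&appver=3.5.3&pver=2.2&wrkey=[...] HTTP/1.1  (text/plain)
412    2001.530871    192.0.2.10    192.0.2.80    HTTP    GET /index.html HTTP/1.1
EOF
}

# summarize_requests
# Reads summary lines on stdin and prints
#   "count destination method path client"
# sorted by count (highest first). "client" is the value of the client=
# query parameter, or "-" when the request has none.
summarize_requests() {
    awk '
        $5 == "HTTP" && $6 ~ /^(GET|POST|HEAD)$/ {
            uri = $7
            path = uri
            sub(/\?.*/, "", path)              # report the path only
            client = "-"
            q = uri
            if (sub(/^[^?]*\?/, "", q)) {      # q is now the query string
                n = split(q, kv, "&")
                for (i = 1; i <= n; i++)
                    if (kv[i] ~ /^client=/) client = substr(kv[i], 8)
            }
            count[$4 " " $6 " " path " " client]++
        }
        END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Against the sample: the safebrowsing update request tops the list.
sample_capture | summarize_requests
```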

#21 2009-10-11 14:24:15

bernarcher
Forum Fellow
From: Germany
Registered: 2009-02-17
Posts: 2,281

Re: Why, google, why? [solved - kind of]

There are lots of safebrowsing entries here, all concerning malware and phishing detection. I'm not sure I want to switch them off.

So to say, it is a built-in firefox feature, like it or not. :/


To know or not to know ...
... the questions remain forever.

Offline

#22 2009-10-11 17:34:21

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: Why, google, why? [solved - kind of]

After further investigation, and thanks to all your suggestions, the culprit is indeed safe-browsing.  for whatever reason though, disabling both through prefs-> security and about:config, did not stop this outgoing connection.  I thought "oh well, i'll live with it" but i remembered "hey this is linux, i can change the source!" and yes, mozconfig in the firefox packages does have "--enable-safebrowsing", i disabled, rebuilt, and now i'm finally free of this outgoing connection!

thanks to everyone for your ideas.  and yes, i'm aware this makes me "unsafe", but i'll do the security myself, and not rely on google to tell me what's good and what's not :)

thanks all!



Offline

#23 2009-10-11 17:40:26

deej
Member
Registered: 2008-02-08
Posts: 395

Re: Why, google, why? [solved - kind of]

Now to find a cure for Opera users... :rolleyes:

Deej

Offline

#24 2009-10-11 18:02:42

fijam
Member
Registered: 2009-02-03
Posts: 244
Website

Re: Why, google, why? [solved - kind of]

deej wrote:

Now to find a cure for Opera users... :rolleyes:

Deej

Why don't you recompile the same way as with firefox. Oh wait...

Offline

#25 2009-10-11 19:14:34

eDio
Member
From: Ukraine, Kyiv
Registered: 2008-12-02
Posts: 422

Re: Why, google, why? [solved - kind of]

deej wrote:

Now to find a cure for Opera users...

Hmmm... I'm using opera, but now under Windows, and the only connection to google caused by miranda for GTALKing ;)

Offline
