fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Administered by:

Server stats:

11K
active users

Finally achieved empty tcpdump starting Firefox. Had to find and clear location.services.mozilla.com and push.services.mozilla.com from show-all in about:config. Then there were the following that are hard-coded, not appearing in about:config, for which /etc/hosts needed to be invoked:

firefox.settings.services.mozilla.com content-signature-2.cdn.mozilla.net prod.remote-settings.prod.webservices.mozgcp.net content-signature-chains.prod.autograph.services.mozaws.net

FFS do better.

It seems the location.services.mozilla.com probe is otherwise there, even if you turned off location access for websites, so that Mozilla can impose region-specific policies on the browser based on where it thinks you are according to geoip. 🤬

This is based on finding it under browser.region.

What are the chances they're using this to disable something privacy-invasive if geoip says you're in the EU? 🤪

Interpretation: The only thing the service returns is its guess for what country you're in (rather what country your exit IP address is in), not any more granular location. So this is NOT for providing any sort of location services. It's purely for assigning you a regulatory region.

This kind of thing is VERY DANGEROUS to be implementing, because as soon as you have any sort of support in your software for presumed-region dependent policy, totalitarian states can and will pressure you to do things like automatically trusting their MITM CA if the user is in their jurisdiction.

Then anyone who wants to MITM you can just get you to connect to a WiFi AP that goes out through a VPN to said country, tricking your browser that that's where you are.

@flod That's what happens when it's a state with no leverage.