# Can Firefox be trusted?



## fossette (Apr 25, 2016)

I have installed Firefox from the ports tree (firefox-45.0.1,1 right now). Recently, I noticed my drive going wild for a few seconds. It seems to happen every day at the same time. I find it especially strange when I just edit text using a different application. So now, I do `top` to see what is running at those times. I need to do this quickly because this behavior doesn't last very long. A few days ago, I noticed a firefox executable related to flash or something. Tonight, I saw a `find`, then an `xz` on the top processes of `top`. Now, I'm very concerned. Each time, Firefox was parked on a page I trust (because I wrote it myself). Files changed at the time of the drive scan were all located in the Firefox cache, and I wasn't even using it.

Does any of you know what might be going on in there? Btw, I disabled the Firefox Send Statistics option so that shouldn't be it (if it really does what it says). What would be a good way to monitor Firefox's activity? Should we run Firefox from a jail?

Thanks!
Dominique.


----------



## Crest (Apr 25, 2016)

Running firefox in a jail on your host X server is fairly useless because X11 doesn't provide security between clients. A nested X server could reduce this attack surface to a point where it might be worth the effort.


----------



## Juha Nurmela (Apr 25, 2016)

There are valid reasons for the daily disk churn, for example /usr/local/etc/periodic/daily/411.pkg-backup.

And malign reasons, of course.
Juha


----------



## Crest (Apr 25, 2016)

And depending on the open tabs' contents, firefox might produce lots of disk activity for harmless reasons. You can use filemon(4), auditd(8), truss(1) and/or dtrace(1) to learn more about firefox.


----------



## SirDice (Apr 25, 2016)

fossette said:


> Tonight, I saw a `find`, then an `xz` on the top processes of `top`.


That's probably periodic(8) kicking off. That usually runs around 2 or 3 AM.


----------
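Added example, not part of any post in this thread: one way to test the periodic(8) explanation is to walk the parent chain of a `find` or `xz` process and see whether it ends in cron. The function names and the sample process table below are constructed for illustration.

```shell
#!/bin/sh
# Attribute a short-lived process (find, xz, ...) to whatever started it.
# periodic(8) jobs are launched by cron(8), so their ancestry ends in cron.

# Constructed sample in "pid ppid command" form (not captured from a real host).
SAMPLE='    1     0 /sbin/init --
  812     1 /usr/sbin/cron -s
 1190   812 cron: running job (cron)
 1201  1190 /bin/sh - /usr/sbin/periodic daily
 1240  1201 /bin/sh /etc/periodic/daily/110.clean-tmps
 1251  1240 find -sx /tmp -type f -atime +3d -delete
 2100     1 /usr/local/lib/firefox/firefox
 2133  2100 /usr/local/lib/firefox/plugin-container'

# ancestry PID: read a process table on stdin and print the chain from PID
# up to the top of the tree, one "pid command" per line.
ancestry() {
    awk -v start="$1" '
        { pid = $1; parent[pid] = $2
          $1 = ""; $2 = ""; sub(/^ +/, ""); cmd[pid] = $0 }
        END {
            # stop at an unknown parent or if a pid repeats (loop guard)
            for (p = start; (p in cmd) && !(p in seen); p = parent[p]) {
                seen[p] = 1
                print p, cmd[p]
            }
        }'
}

# classify PID: "periodic" if cron or periodic appears in the chain, else "other".
classify() {
    if ancestry "$1" | grep -Eq '(^|[ /])(cron|periodic)( |$)'; then
        echo periodic
    else
        echo other
    fi
}

# watch_once: one live snapshot; log every running find/xz with its origin.
watch_once() {
    snap=$(ps -ax -o pid= -o ppid= -o command=)
    printf '%s\n' "$snap" | awk '$3 ~ /(^|\/)(find|xz)$/ { print $1 }' |
    while read -r pid; do
        echo "$(date '+%F %T') pid=$pid origin=$(printf '%s\n' "$snap" | classify "$pid")"
    done
}
# Live use: while :; do watch_once; sleep 1; done >> "$HOME/disk-churn.log"
```

Left running in a loop overnight, the log records the short burst without anyone having to catch it in `top`.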



## fossette (Apr 25, 2016)

Thanks for all the excellent suggestions!  I will study each of them.  And SirDice, that may be it because it was indeed 3am.  I guess I shouldn't stay up that late...

Sorry to Mozilla for always having doubt about Firefox.  With such a huge system and its flexible add-ons, I would prefer an option to run it completely isolated.  There is ransomware crap so nasty on the Windows side that a Firefox vulnerability on the UNIX side would be a complete disaster.

PS: Have you done your backup lately?  Always keep them on several disconnected media!

Dominique.


----------



## sidetone (May 30, 2016)

I have this same problem, a secondary harddisk goes crazy, when nothing intensive is running, until I unmount it. This seems to happen after I installed Firefox, on a newly installed system. Then again, I can't be sure it's Firefox. xz(1) is a file compression utility as you probably already know. I think I'll remove Firefox and go with something else.

This problem started when I started using FreeBSD 10.3, while it was released close to the same day this thread started, I'm not sure where the problem is. There was a mention of how there was a filesystem allocating bug on FreeBSD 10.3 before, but that doesn't explain why find(1) and xz(1) would be running (periodic managing /var/log/ can partially explain xz running). About a month later, a fresh install didn't immediately have the problem of the harddisk acting up, until I started installing ports/packages. There are no package vulnerabilities showing when running `pkg audit -F`, meaning if there's a vulnerability, it hasn't been found yet.

You can also check the `netstat` and `sockstat` commands for open internet port connections.


----------



## fossette (May 30, 2016)

Sidetone, I was using FreeBSD 10.2 at the time. SirDice's suspicions about periodic(8) seem more and more plausible as I may have experienced it once without the presence of `firefox`. I can't recall. When I have the time, I'll build myself a tool using the function library used by `ps` itself. I'll report back my findings.

Dominique.


----------



## sidetone (May 30, 2016)

I was aware that it's unlikely that you had installed FreeBSD 10.3 and had a running system on about the same day it came out. After installing 10.3, or certain packages was when similar and other problems started for me. In my case, it wasn't always around 3 am. Harddisk access times can be explained by a mentioned bug in 10.3, so this is what immediately came to mind, but after looking at the dates, I hesitated to post here, until my computer acted buggy in how the harddisk started acting more recently. This time it was after adding more packages, not the installation of 10.3, and it had another problem (possibly benign) that is for another thread. Older installations didn't have these problems, so this is why it gets my attention.

There are compressed log files in /var/log/, so xz running there periodically to back up logs makes sense, as I said it can partially (usually rather) explain that.


----------



## Deleted member 9563 (May 31, 2016)

Install NoScript and you may see a difference. It was a revelation for me. Active sites are rampant these days. You can always uninstall with a single click if you don't want to keep it.


----------



## abishai (Jun 1, 2016)

I suggest uBlock Origin + uMatrix plugins.


----------

