Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.

Browser Startup Comparison

February 29th, 2020

'pcap or it didn't happen' sticker

With the recent announcements that Firefox will start enabling DNS over HTTPS by default, I started to wonder just what kinds of outgoing lookups and connections the browser makes when it first starts up. Well, pcap or it didn't happen, and here's what I found:

The first time you start Firefox, it looks up a surprising number of names, connects to several domains, and fetches and posts data, all before you have had a chance to enter a URL. Somewhat surprised by this, I then set out to compare Firefox to some other browsers, namely Google Chrome, Microsoft Edge and Apple Safari.

After I first published this blog post, several people asked about other browsers, so on 2020-03-03, I added information about Opera and Brave; on 2020-03-13, I added information about Vivaldi. Below is the breakdown of my findings.


Setup

All browsers were installed on a macOS Catalina 10.15.3 dual-stack IPv4/IPv6 enabled system and invoked without any existing user profile (i.e., ~/Library/Application Support/<browser> does not exist). The system was connected to the internet via a residential ISP (RCN) from New York City (this is relevant since some of the default connections made or other behavior in the browser may be based on your location). IPv6 connectivity was provided via a Hurricane Electric IPv6 Tunnel.

The SSLKEYLOGFILE environment variable was set so that the TLS session keys were written to a file that Wireshark can use to decrypt the captured sessions and inspect the HTTP calls. (This works for Firefox, Chrome, and other Chromium-based browsers such as Edge, whose TLS libraries honor that variable, but not for Safari.) Most other user applications were terminated or suspended; various system daemons were also suspended, so as to minimize unrelated network traffic.

Once tcpdump(1) was running, the browser was opened. After any initial browser screens, we opened a new tab, entered www.netmeister.org in the location bar, and hit enter. After the website was loaded, the browser was closed completely and the packet capture stopped.

The resulting pcap file was pruned from unrelated network traffic (e.g., ARP, etc.) and subsequently processed using tcpdump(1) and Wireshark in combination with Little Snitch's network monitor.


Firefox

After starting Mozilla Firefox 73.0.1 for the first time, I notice that it performs a significant number of DNS queries via the default resolver. That is, this instance of the browser does not yet appear to have DoH enabled by default. It then loads a welcome page, allowing the user to "Join Firefox", while loading the Firefox Privacy Notice in a second tab:

Firefox Startup Page 1

After closing this pane, you get a second "Welcome to Firefox" display, offering you the opportunity to sign in to some of Firefox's services:

Firefox Startup Page 2

After closing that pane, you then get the default "new tab" experience, offering a Google search bar, a few "Top Sites", and a number of "Recommended Reading" tiles:

Firefox Startup Page 3

At this point, I enter www.netmeister.org in the location bar and hit return, then close the browser after the page has loaded. Upon termination of the Firefox process, a pingsender process is started, which sends telemetry to Mozilla upon browser shutdown (once you've started Firefox, you can disable this via about:config->toolkit.telemetry.shutdownPingSender.enabled):

Screenshot of Little Snitch showing 'pingsender' connections.

DNS Lookups

Firefox performed a total of 106 queries for 65 distinct names; the queries were A and AAAA lookups only, usually (but not always) both for a given name, and were sent to the locally configured stub resolver. That is, even though Mozilla began rolling out DNS over HTTPS, this host and browser were not in the bucket for which this is currently enabled. Firefox also did not look up the DoH canary domain, as that domain is only checked when DoH is being enabled by default as part of the rollout, not when the user turns it on explicitly.

The list of DNS queries performed varies from time to time, likely based on the getpocket widget in the welcome screen. It's also worth noting that not all of the names looked up are actually contacted; this is part of the DNS pre-fetching enabled in Firefox (see this link and this link for more details; in about:config, you can toggle network.dns.disablePrefetch to true to disable this behavior).

The total list of DNS lookups done on a fresh new start by Firefox was, in order:


detectportal.firefox.com.
location.services.mozilla.com.
locprod1-elb-eu-west-1.prod.mozaws.net.
mozilla.org.
www.mozilla.org.
firefox.settings.services.mozilla.com.
d2k03kvdk5cku0.cloudfront.net.
ocsp.digicert.com.
cs9.wac.phicdn.net.
incoming.telemetry.mozilla.org.
pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com.
search.services.mozilla.com.
spocs.getpocket.com.
getpocket.cdn.mozilla.net.
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com.
search.r53-2.services.mozilla.com.
ocsp.sca1b.amazontrust.com.
push.services.mozilla.com.
autopush.prod.mozaws.net.
content-signature-2.cdn.mozilla.net.
d2nxq2uap88usk.cloudfront.net.
img-getpocket.cdn.mozilla.net.
shavar.services.mozilla.com.
shavar.prod.mozaws.net.
firefox-settings-attachments.cdn.mozilla.net.
d80i88epwmv41.cloudfront.net.
tracking-protection.cdn.mozilla.net.
d1zkz3k4cclnv6.cloudfront.net.
snippets.cdn.mozilla.net.
d228z91au11ukj.cloudfront.net.
accounts.firefox.com.
getpocket.com.
slate.com.
www.nextadvisor.com.
www.gq.com.
jezebel.com.
fe2.edge.pantheon.io.
www.theguardian.com.
condenast.map.fastly.net.
dualstack.guardian.map.fastly.net.
www.youtube.com.
www.facebook.com.
www.reddit.com.
youtube-ui.l.google.com.
www.wikipedia.org.
star-mini.c10r.facebook.com.
twitter.com.
reddit.map.fastly.net.
dyna.wikimedia.org.
www.vox.com.
www.washingtonpost.com.
medium.com.
vox-chorus.map.fastly.net.
e9631.j.akamaiedge.net.
www.joinhoney.com.
landing.chirpbooks.com.
www.reviewed.com.
joinhoney.com.
secure.pageserve.co.
domains.gannett.map.fastly.net.
www.google.com.
ocsp.pki.goog.
pki-goog.l.google.com.
www.netmeister.org.
panix.netmeister.org.
incoming.telemetry.mozilla.org.

Of those, only www.netmeister.org was a name entered by the user. (You may also notice a number of names listed above, e.g., the AWS ELB hostnames, that are CNAME targets of the name queried just before them. In those cases, the response to the initial lookup already included the target's A records, but no AAAA records (many AWS endpoints are IPv4 only), so the stub resolver issued a second, explicit AAAA query for the target.)
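The numbers above were tallied by hand from the pcap. The following is an added example (not code from the original post) of doing the same tally from a tshark field export: it counts queries and distinct names in first-seen order and flags the CNAME-then-explicit-AAAA pattern just described. The tshark command in the docstring is the assumed source of the input; the sample lines are constructed for this example from names and addresses that appear in the capture above.

```python
"""Summarize the DNS queries in a browser startup capture.

Reads the tab-separated export that

    tshark -r browser.pcap -Y dns -T fields -E separator=/t \
        -e dns.flags.response -e dns.qry.name -e dns.qry.type \
        -e dns.cname -e dns.a -e dns.aaaa

prints (one line per DNS packet; multi-valued fields comma-separated).
"""

QTYPE_A, QTYPE_AAAA = 1, 28

# Constructed sample for this example, shaped like the capture in the post.
SAMPLE_EXPORT = "\n".join([
    # response  name  type  cname  a  aaaa
    "0\tdetectportal.firefox.com\t1\t\t\t",
    "0\tdetectportal.firefox.com\t28\t\t\t",
    "1\tdetectportal.firefox.com\t1\t\t172.232.19.147\t",
    "1\tdetectportal.firefox.com\t28\t\t\t2600:141b:b000::ace8:1393",
    "0\tlocation.services.mozilla.com\t1\t\t\t",
    "1\tlocation.services.mozilla.com\t1\tlocprod1-elb-eu-west-1.prod.mozaws.net\t52.17.223.107\t",
    "0\tlocprod1-elb-eu-west-1.prod.mozaws.net\t28\t\t\t",
    "1\tlocprod1-elb-eu-west-1.prod.mozaws.net\t28\t\t\t",
    "0\twww.netmeister.org\t1\t\t\t",
    "0\twww.netmeister.org\t28\t\t\t",
])


def parse_export(text):
    """Turn tshark field lines into dicts, normalizing names to lowercase."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        resp, name, qtype, cname, a, aaaa = (line.split("\t") + [""] * 6)[:6]
        records.append({
            "response": resp == "1",
            "name": name.rstrip(".").lower(),
            "qtype": int(qtype),
            "cnames": [c.rstrip(".").lower() for c in cname.split(",") if c],
            "a": [x for x in a.split(",") if x],
            "aaaa": [x for x in aaaa.split(",") if x],
        })
    return records


def query_summary(records):
    """Return (number of queries, distinct names in the order first queried)."""
    names, queries = [], 0
    for r in records:
        if r["response"]:
            continue
        queries += 1
        if r["name"] not in names:
            names.append(r["name"])
    return queries, names


def cname_followups(records):
    """Map CNAME targets that got an explicit AAAA query to the name that led there.

    Pattern: the answer for NAME carries a CNAME to TARGET plus TARGET's A
    records but no AAAA, after which a separate AAAA query for TARGET appears.
    """
    targets, followups = {}, {}
    for r in records:
        if r["response"] and r["cnames"] and r["a"] and not r["aaaa"]:
            for t in r["cnames"]:
                targets.setdefault(t, r["name"])
        elif not r["response"] and r["qtype"] == QTYPE_AAAA and r["name"] in targets:
            followups[r["name"]] = targets[r["name"]]
    return followups


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    total, distinct = query_summary(recs)
    print(f"{total} queries for {len(distinct)} distinct names")
    for target, origin in cname_followups(recs).items():
        print(f"explicit AAAA for {target} (CNAME target of {origin})")
```

Run it against a real export of the capture (redirect the tshark output to a file and pass its contents to parse_export) to reproduce the 106-queries/65-names figure and to list every name that cost an extra round trip because its CNAME target had no AAAA record.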

HTTP Traffic

When you start a browser, you might naively assume that the first HTTP traffic would only occur after you entered a URL and hit return. Instead, we see the following substantial exchanges, other than those for the requested website, take place, roughly in order (some requests to the same service have been grouped together):

Map of places Firefox talks to at startup.

detectportal.firefox.com

IP:2600:141b:b000::ace8:1393 (Akamai, AS35994)
Location:generic US
Port:80
Protocol:HTTP
Request:GET /success.txt

IP:172.232.19.147 (Akamai, AS20940)
Location:generic US
Port:80
Protocol:HTTP
Request:GET /success.txt?ipv4

IP:2600:141b:b000::ace8:1393 (Akamai, AS35994)
Location:generic US
Port:80
Protocol:HTTP
Request:GET /success.txt?ipv6

All three calls simply return the text success, which appears to be served from an Amazon S3 bucket fronted by Akamai. This is Firefox's captive portal detection: the requests deliberately go over plain HTTP, since a captive portal would intercept them and return something other than the expected body, and the ?ipv4 and ?ipv6 variants check each address family separately. It can be turned off via network.captive-portal-service.enabled in about:config.


www.mozilla.org

IP:2606:4700::6810:8fe4 (Cloudflare, AS13335)
Location:generic US
Port:443
Protocol:HTTP/2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:GET /privacy/firefox/

This yields a 301 redirect, so it then fetches:

IP:2606:4700::6810:8fe4 (Cloudflare, AS13335)
Location:generic US
Port:443
Protocol:HTTP/2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:GET /en-US/privacy/firefox/

This is the request for the privacy policy page loaded in the second, background tab, and we then see the various related requests for the page resources (JavaScript, CSS, images, etc.).

The returned page includes a bunch of the usual headers, with perhaps these two of interest:

Content-Security-Policy: frame-src www.googletagmanager.com www.google-analytics.com www.youtube-nocookie.com trackertest.org www.surveygizmo.com accounts.firefox.com accounts.firefox.com.cn www.youtube.com; child-src www.googletag
X-Clacks-Overhead: GNU Terry Pratchett

(I appreciate the X-Clacks-Overhead header, which this server also has set since 2015.)


firefox.settings.services.mozilla.com

IP:2600:9000:21ec:da00:16:eede:5e00:93a1 (Amazon, AS16509)
Location:generic US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:GET /v1/buckets/monitor/collections/changes/records?collection=fxmonitor-breaches&bucket=main
Result:
{
    "data": [
        {
            "bucket": "main",
            "collection": "fxmonitor-breaches",
            "host": "firefox.settings.services.mozilla.com",
            "id": "8ee6692e-d686-a614-6e4f-23d71b55b7f3",
            "last_modified": 1582320498428
        }
    ]
}
Request:GET /v1/buckets/main/collections/fxmonitor-breaches?_expected=1582320498428
Result:
{
    "data": {
        "attachment": {
            "enabled": false,
            "required": false
        },
        "displayFields": [
            "Name",
            "Domain",
            "BreachDate",
            "PwnCount"
        ],
        "id": "fxmonitor-breaches",
        "last_modified": 1582659696027,
        "signature": {
            "mode": "p384ecdsa",
            "public_key": "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEeeJjPprtJYzqYb5LEfvbGzTppLwOfLMfl7AbWV1h9HnaudC+FtkkB1Pbwh0gbvbTXhM2cNtftECMkdF/NdkMbj7DLzFCXip/1zTaqF/u3Vg9ZwmNvGJfeaeCZ/DG1/le",
            "ref": "1smzg6ull4lfn31j0zgd5lz70k",
            "signature": "vFUs8DDH892P_jqGth3YCv_AWQLJjOMjdZSfLuweA7pwofrtoXWBMcoT40WyxBTEV328TaeSdzCBJd96Ex45ry4gN-RCTwY6hGo9gozZTv4qAvcom3uAp8qpUk555fA_",
            "signer_id": "remote-settings",
            "type": "contentsignaturepki",
            "x5u": "https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2020-04-14-15-04-35.chain"
        },
        "sort": "-last_modified"
    },
    "permissions": {}
}
Request:GET /v1/buckets/monitor/collections/changes/records?collection=message-groups&bucket=main
Result:{"data":[]}
Request:GET /v1/buckets/main/collections/fxmonitor-breaches/records?_expected=1582320498428&_sort=-last_modified
Result:
{
    "data": [
        {
            "bucket": "main",
            "collection": "cfr-fxa",
            "host": "firefox.settings.services.mozilla.com",
            "id": "1d402bfe-4765-79b2-df44-da88d9c24c96",
            "last_modified": 1570801254189
        }
    ]
}
Request:GET /v1/buckets/monitor/collections/changes/records?collection=cfr-fxa&bucket=main
Result:
{
    "data": [
        {
            "bucket": "main",
            "collection": "cfr-fxa",
            "host": "firefox.settings.services.mozilla.com",
            "id": "1d402bfe-4765-79b2-df44-da88d9c24c96",
            "last_modified": 1570801254189
        }
    ]
}
Request:GET /v1/buckets/main/collections/cfr-fxa?_expected=1570801254189
Result:
{
    "data": {
        "id": "cfr-fxa",
        "last_modified": 1582659703930,
        "signature": {
            "mode": "p384ecdsa",
            "public_key": "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEeeJjPprtJYzqYb5LEfvbGzTppLwOfLMfl7AbWV1h9HnaudC+FtkkB1Pbwh0gbvbTXhM2cNtftECMkdF/NdkMbj7DLzFCXip/1zTaqF/u3Vg9ZwmNvGJfeaeCZ/DG1/le",
            "ref": "3smkbpfa1mawn3ddfepqkhsy7h",
            "signature": "zJma-4xrQ13do_EQGFLKc0TvyJlxut5sskWJSwRMO7kDVsonK2AwiHWKoEo-KyMJaYpze8ZhH14xyf5llxaZ2eMOIVxkFapY8vE0Xvd5kQhkWXBsN4lnMto-dZEZUNhw",
            "signer_id": "remote-settings",
            "type": "contentsignaturepki",
            "x5u": "https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2020-04-14-15-04-35.chain"
        }
    },
    "permissions": {}
}
Additional Requests:

GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US
GET /v1/
GET /v1/buckets/monitor/collections/changes/records?collection=cfr&bucket=main
GET /v1/buckets/main/collections/cfr?_expected=1582570728505
GET /v1/buckets/main/collections/cfr/records?_expected=1582570728505&_sort=-last_modified
GET /v1/buckets/monitor/collections/changes/records?collection=message-groups&bucket=main
GET /v1/buckets/monitor/collections/changes/records?collection=whats-new-panel&bucket=main
GET /v1/buckets/main/collections/whats-new-panel?_expected=1582304242703
GET /v1/buckets/main/collections/whats-new-panel/records?_expected=1582304242703&_sort=-last_modified
Result:no results

(I'm not quite clear on why the last requests were never replied to by the server. The pcap file only shows a bunch of ACKs following the various GET requests, but never an HTTP reply before the connection is terminated.)


location.services.mozilla.com

Map showing a connection made to Ireland

IP:52.17.223.107 (Amazon, AS16509)
Location:Dublin, Ireland
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:POST /v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Payload:{}
Result:{"country_code": "US", "country_name": "United States"}


spocs.getpocket.com

Map showing a connection made to Ashburn, VA

IP:52.72.164.94 (Amazon, AS14618)
Location:Ashburn, VA, USA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:POST /spocs
Payload:{"pocket_id":"{e7a8a44c-ec7a-8242-b25f-647ff8170a50}","version":1,"consumer_key":"40249-e88c401e1b1f2242d9e441c4"}
Result:a whole lot of data

This request builds the getpocket widget in the welcome interstitial.


incoming.telemetry.mozilla.org

Map showing a connection made to Boardman, Oregon, US

IP:34.215.13.10 (Amazon, AS16509)
Location:Boardman, Oregon, US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:POST /submit/messaging-system/undesired-events/1/7738a1e4-6470-884d-9466-c533abac84b7
Payload:
{
    "addon_version": "20200217142647",
    "event": "ASR_RS_NO_MESSAGES",
    "event_context": "message-groups",
    "impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
    "locale": "en-US",
    "message_id": "n/a",
    "release_channel": "release",
    "version": "73.0.1"
}
Request:POST /submit/activity-stream/spoc-fills/1/6a6cad01-ae13-c84d-955b-e9ec4e5c9b9c
Payload:a bunch of json data
Request:POST /submit/activity-stream/spoc-fills/1/a944c41c-d4e0-734e-be7a-050e66b5b17e
Payload:same as previous request
Request:POST /submit/messaging-system/undesired-events/1/a451da10-183d-d849-9dff-69ca34571d23
Payload:
{
    "addon_version": "20200217142647",
    "event": "ASR_RS_NO_MESSAGES",
    "event_context": "message-groups",
    "impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
    "locale": "en-US",
    "message_id": "n/a",
    "release_channel": "release",
    "version": "73.0.1"
}
Request:POST /submit/messaging-system/onboarding/1/6730966b-dabc-0849-aa33-a4528d382a3d
Payload:
{
    "addon_version": "20200217142647",
    "client_id": "1f5fdef9-68db-b346-9f81-71e70221b0ab",
    "event": "IMPRESSION",
    "id": "FIRST_RUN",
    "locale": "en-US",
    "message_id": "TRAILHEAD_1",
    "release_channel": "release",
    "source": "FIRST_RUN",
    "version": "73.0.1"
}
Request:POST /submit/activity-stream/events/1/32ee9fa3-7db1-2548-bdec-a4b33e3bf84d
Payload:
{
    "addon_version": "20200217142647",
    "client_id": "1f5fdef9-68db-b346-9f81-71e70221b0ab",
    "event": "SKIPPED_SIGNIN",
    "locale": "en-US",
    "page": "about:welcome",
    "release_channel": "release",
    "session_id": "{93be1f9f-52b3-d248-8c11-12b738a7b79b}",
    "user_prefs": 255,
    "value": "{\"has_flow_params\":true}",
    "version": "73.0.1"
}
Request:POST /submit/messaging-system/cfr/1/d48f55b7-b807-df41-87d3-8a1b88716751
Payload:
{
    "addon_version": "20200217142647",
    "bucket_id": "FXA_ACCOUNTS_BADGE",
    "event": "IMPRESSION",
    "impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
    "locale": "en-US",
    "message_id": "n/a",
    "release_channel": "release",
    "source": "CFR",
    "version": "73.0.1"
}
Request:POST /submit/messaging-system/onboarding/1/17dba7ee-3052-8f45-9877-bb5fd5743792
Payload:
{
    "addon_version": "20200217142647",
    "client_id": "1f5fdef9-68db-b346-9f81-71e70221b0ab",
    "event": "DISMISS",
    "id": "onboarding-cards",
    "locale": "en-US",
    "message_id": "TRAILHEAD_CARD_2,TRAILHEAD_CARD_3,TRAILHEAD_CARD_6",
    "release_channel": "release",
    "source": "onboarding-cards",
    "version": "73.0.1"
}
Request:POST /submit/activity-stream/impression-stats/1/8cebc0f1-0fa4-2c4c-a6b1-88b130a0d7d7
Payload:this json data
Request:POST /submit/activity-stream/impression-stats/1/b636069e-d8f0-4449-9104-a920b973da23
Payload:
{
    "action": "activity_stream_impression_stats",
    "addon_version": "20200217142647",
    "client_id": "n/a",
    "impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
    "locale": "en-US",
    "page": "about:welcome",
    "release_channel": "release",
    "session_id": "n/a",
    "source": "CARDGRID",
    "tiles": [
        {
            "id": 54373,
            "pos": 1
        },
        {
            "id": 54410,
            "pos": 0
        },
        {
            "id": 19143760,
            "pos": 2,
            "shim": "1,[...],Jy00HJd2IyyCiBgpUfRwvM_aDj4"
        }
    ],
    "user_prefs": 255,
    "version": "73.0.1"
}
Result:All POST requests above yield an HTTP 200, no data


firefox-settings-attachments.cdn.mozilla.net

IP:13.225.230.8 (Amazon, AS16509)
Location:Seattle, WA, US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:GET /main-workspace/ms-language-packs/d94084ad-c828-41b8-8ec9-b01d8620245d.ftl
Result:A Fluent file: ff.ftl


shavar.services.mozilla.com

IP:52.27.36.44 (Amazon, AS16509)
Location:Boardman, OR, US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:POST /downloads?client=navclient-auto-ffox&appver=73.0&pver=2.2
Result:
n:3600
i:social-tracking-protection-facebook-digest256
u:tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/73.0/1578954954
i:except-flashallow-digest256
u:tracking-protection.cdn.mozilla.net/except-flashallow-digest256/1490633678
i:allow-flashallow-digest256
u:tracking-protection.cdn.mozilla.net/allow-flashallow-digest256/1490633678
i:social-tracking-protection-linkedin-digest256
u:tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/73.0/1578954954
i:google-trackwhite-digest256
u:tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/1579741547
i:analytics-track-digest256
u:tracking-protection.cdn.mozilla.net/analytics-track-digest256/73.0/1581379643
i:except-flash-digest256
u:tracking-protection.cdn.mozilla.net/except-flash-digest256/1494877265
i:except-flashsubdoc-digest256
u:tracking-protection.cdn.mozilla.net/except-flashsubdoc-digest256/1517935265
i:mozstd-trackwhite-digest256
u:tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/73.0/1582074377
i:block-flashsubdoc-digest256
u:tracking-protection.cdn.mozilla.net/block-flashsubdoc-digest256/1512160865
i:base-fingerprinting-track-digest256
u:tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/73.0/1581379643
i:social-track-digest256
u:tracking-protection.cdn.mozilla.net/social-track-digest256/73.0/1581543360
i:social-tracking-protection-twitter-digest256
u:tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/73.0/1578954954
i:content-track-digest256
u:tracking-protection.cdn.mozilla.net/content-track-digest256/73.0/1578954954
i:block-flash-digest256
u:tracking-protection.cdn.mozilla.net/block-flash-digest256/1496263270
i:base-cryptomining-track-digest256
u:tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/73.0/1578954954
i:mozplugin-block-digest256
u:tracking-protection.cdn.mozilla.net/mozplugin-block-digest256/1471849627
i:ads-track-digest256
u:tracking-protection.cdn.mozilla.net/ads-track-digest256/73.0/1581543360

This is the Safe Browsing v2 style list format (pver=2.2 in the request) that shavar serves: n: is the number of seconds until the client should poll again, each i: line names a list, and the u: line that follows gives the scheme-less URL from which that list's data is fetched. Firefox then issues one GET per u: line, which is the batch of requests to tracking-protection.cdn.mozilla.net seen next.


tracking-protection.cdn.mozilla.net

IP:13.225.230.84 (Amazon, AS16509)
Location:Boardman, OR, US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
GET /social-tracking-protection-facebook-digest256/73.0/1578954954
GET /except-flashallow-digest256/1490633678
GET /allow-flashallow-digest256/1490633678
GET /social-tracking-protection-linkedin-digest256/73.0/1578954954
GET /analytics-track-digest256/73.0/1581379643
GET /except-flash-digest256/1494877265
GET /except-flashsubdoc-digest256/1517935265
GET /mozstd-trackwhite-digest256/73.0/1582074377
GET /block-flashsubdoc-digest256/1512160865
GET /base-fingerprinting-track-digest256/73.0/1581379643
GET /social-track-digest256/73.0/1581543360
GET /social-tracking-protection-twitter-digest256/73.0/1578954954
GET /content-track-digest256/73.0/1578954954
GET /block-flash-digest256/1496263270
GET /base-cryptomining-track-digest256/73.0/1578954954
GET /mozplugin-block-digest256/1471849627
GET /ads-track-digest256/73.0/1581543360
Result:All requests return Content-Type: application/octet-stream
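As an added example (not code from the post or from Mozilla), here is a small parser for the shavar response shown above that turns the n:/i:/u: lines into the list of GET requests the browser then makes, which is exactly the batch just listed. It assumes the scheme-less u: URLs are fetched over https (the capture shows port 443) and treats a URL with an extra path component such as /73.0/ as browser-version specific; the sample body is an excerpt of the response quoted above.

```python
"""Parse a shavar (Safe Browsing v2 style) 'downloads' response.

Line format, as seen in the capture:
    n:<seconds until next poll>
    i:<list name>
    u:<host/path to fetch that list's data from, no scheme>
"""
from urllib.parse import urlsplit

# Excerpt of the response shown in the post (four of the seventeen lists).
SAMPLE_RESPONSE = """\
n:3600
i:social-tracking-protection-facebook-digest256
u:tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/73.0/1578954954
i:except-flashallow-digest256
u:tracking-protection.cdn.mozilla.net/except-flashallow-digest256/1490633678
i:mozstd-trackwhite-digest256
u:tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/73.0/1582074377
i:ads-track-digest256
u:tracking-protection.cdn.mozilla.net/ads-track-digest256/73.0/1581543360
"""


def parse_downloads(body, scheme="https"):
    """Return (next_poll_seconds, [(list_name, url), ...]) from a downloads body.

    SCHEME is prepended to u: values that lack one (assumption: https, as the
    capture shows the fetches on port 443). A list may have several u: lines.
    """
    next_poll, lists, current = None, [], None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "n":
            next_poll = int(value)
        elif key == "i":
            current = value
        elif key == "u":
            if current is None:
                raise ValueError("u: line without a preceding i: line")
            url = value if "://" in value else f"{scheme}://{value}"
            lists.append((current, url))
        # any other keys are ignored by this example
    if next_poll is None:
        raise ValueError("missing n: line")
    return next_poll, lists


def fetch_plan(lists):
    """Group the GET paths by host, mirroring the per-host request lists above."""
    plan = {}
    for _name, url in lists:
        parts = urlsplit(url)
        plan.setdefault(parts.netloc, []).append(parts.path)
    return plan


def versioned_lists(lists, version="73.0"):
    """Names of lists whose URL embeds the browser version (e.g. '/73.0/')."""
    return [name for name, url in lists if f"/{version}/" in url]


if __name__ == "__main__":
    n, lists = parse_downloads(SAMPLE_RESPONSE)
    print(f"next poll in {n}s, {len(lists)} lists")
    for host, paths in fetch_plan(lists).items():
        for p in paths:
            print(f"GET {p}  (host {host})")
```

Feeding it the full seventeen-entry body from the capture yields one path per GET in the tracking-protection.cdn.mozilla.net block above, and the 3600 from n: explains why these fetches recur hourly once the browser is running.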


snippets.cdn.mozilla.net

IP:13.225.230.84 (Amazon, AS16509)
Location:Seattle, WA, US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:GET /6/Firefox/73.0.1/20200217142647/Darwin_x86_64-gcc3/en-US/release/Darwin%2019.3.0/default/default/
Result:302 Redirect
Request:GET /us-west/bundles-pregen/Firefox/release/en-us/default.json
Result:Brotli compressed json data.

This data makes up the Firefox Snippets; more info here. In about:config search for snippet to see options to disable this.


ocsp.digicert.com

IP:72.21.91.29 (Edgecast, AS15133)
Location:generic US
Port:80
Protocol:OCSP


ocsp.sca1b.amazontrust.com

IP:13.225.218.225 (Amazon, AS16509)
Location:generic US
Port:80
Protocol:OCSP


ocsp.pki.goog

IP:2607:f8b0:4004:810::2003 (Google, AS15169)
Location:generic US
Port:80
Protocol:OCSP

(OCSP requests are sent over plain HTTP by design, since the responses themselves are signed; the cost is that the serial number of the certificate being checked, and thus which site you are about to connect to, is revealed to the CA's responder. Firefox's OCSP behavior can be adjusted via security.OCSP.enabled in about:config.)


incoming.telemetry.mozilla.org

Finally, after closing the browser, Firefox kicks off the pingsender process to send more telemetry:

IP:34.215.13.10 (Amazon, AS16509)
Location:Boardman, Oregon, US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:POST /submit/telemetry/da2124b3-19a4-fe4a-b403-2e78a26a37fd/new-profile/Firefox/73.0.1/release/20200217142647
Payload:quite a bit of data
Request:POST /submit/telemetry/064eadfc-2fdb-4146-9819-26b04b6996c0/event/Firefox/73.0.1/release/20200217142647
Payload:quite a bit of data
Request:POST /submit/telemetry/5686191a-3030-b742-bc43-70ce998347b6/first-shutdown/Firefox/73.0.1/release/20200217142647
Payload:even more json data

Summary

During this first invocation, Firefox makes HTTP connections to 10 different IPs (not counting the OCSP requests). These IPs are in 5 different ASes operated by 3 different companies (Akamai, Amazon, Cloudflare) and serve 5 different second-level domains:

firefox.com, mozilla.com, mozilla.net, mozilla.org

Registrar:     MarkMonitor Inc.
Organization:  Mozilla Corporation
State:         CA
Country:       US

getpocket.com

Registrar:     NameCheap, Inc.
Organization:  Read It Later, Inc
State:         CA
Country:       US

The user does not appear to be given an option to prevent the sending of the telemetry data or to disable the various widgets before they are loaded. Once the browser has started, a knowledgeable user can change some of the preferences or settings to disable these features.


Chrome

After starting Google Chrome 80.0.3987.122 for the first time, it displays the welcome site:

Chrome Startup Page

DNS Lookups

Chrome performed a total of 43 queries for 19 distinct names; the queries were A and AAAA lookups only and were sent to the locally configured stub resolver.

The total list of DNS lookups done on a fresh new start by Chrome was, in order:


local.
clients2.google.com.
clientservices.googleapis.com.
accounts.google.com.
clients2.googleusercontent.com.
ff.search.yahoo.com.
www.netmeister.org.
vprmudr.cable.rcn.com.
ncortvjulifhod.cable.rcn.com.
hklhckmpbugndd.cable.rcn.com.
vprmudr.cable.rcn.com.
hklhckmpbugndd.cable.rcn.com.
vprmudr.
ncortvjulifhod.cable.rcn.com.
hklhckmpbugndd.
ncortvjulifhod.
www.gstatic.com.
redirector.gvt1.com.
r1---sn-ab5sznly.gvt1.com.
r5---sn-ab5szn7z.gvt1.com.
www.googleapis.com.
ssl.gstatic.com.

Unlike for Firefox, all domains looked up do include both A and AAAA records (directly, or via the ADDITIONAL SECTION in the CNAME result).

The list of names looked up included at least three random character sequences (vprmudr, hklhckmpbugndd, and ncortvjulifhod, each also tried with my ISP's default search domain cable.rcn.com appended) in what looks like an attempt to determine whether the local ISP performs NXDOMAIN hijacking; see this discussion for details.
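To make the probe concrete, here is an added example (not Chrome's code) of the same check: resolve a few labels that cannot exist and treat a resolver that answers them, with the same address each time, as one that rewrites NXDOMAIN into a redirect. The label lengths (7 to 15 lowercase letters, matching the 7- and 14-character names above) and the "two of three resolve to one address" rule are this example's own choices; the resolver is injectable so the decision logic can be exercised offline.

```python
"""Probe a stub resolver for NXDOMAIN hijacking with random hostnames."""
import random
import socket
import string


def random_label(rng, low=7, high=15):
    """A lowercase label that no real zone is going to contain.

    A bare label (no dots) gets the stub resolver's search list appended,
    which is why the capture shows each name retried under cable.rcn.com;
    that is the path the ISP resolver sees, so it is what we want to test.
    """
    return "".join(rng.choice(string.ascii_lowercase)
                   for _ in range(rng.randint(low, high)))


def resolve(name):
    """Return the set of addresses for NAME, or an empty set on NXDOMAIN/failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(results, quorum=2):
    """Decide from {label: set(addresses)} whether NXDOMAIN is being hijacked.

    Returns the address shared by at least QUORUM labels, or None when the
    random names behaved as they should (no answer, or unrelated answers).
    """
    seen = {}
    for addrs in results.values():
        for addr in addrs:
            seen[addr] = seen.get(addr, 0) + 1
    hits = [addr for addr, count in seen.items() if count >= quorum]
    return hits[0] if hits else None


def probe(resolver=resolve, count=3, seed=None):
    """Resolve COUNT random labels with RESOLVER; return (verdict, raw results)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    labels = [random_label(rng) for _ in range(count)]
    results = {label: resolver(label) for label in labels}
    return classify(results), results


if __name__ == "__main__":
    verdict, results = probe()
    for label, addrs in results.items():
        print(f"{label}: {sorted(addrs) or 'NXDOMAIN'}")
    print("hijack address:", verdict or "none detected")
```

Running it on a network whose resolver hijacks NXDOMAIN prints the same address for all three labels and reports it; on an honest resolver every lookup fails and the verdict is none. Note that a resolver returning the search-domain-qualified name's address is still a hit, which is the point of leaving the labels unqualified.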

HTTP Traffic

At startup, Chrome makes a number of HTTP calls, as broken down below:

Map of places Chrome talks to at startup.

clients2.google.com

IP:2607:f8b0:4006:811::200e (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:GET /service/update2/crx?os=mac&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=80.0.3987.122&lang=en-US&acceptformat=crx3&x=id%3Dfckonodhlfjlkndmedanenhgdnbopbmh%26v%3D0.0.0.0%26installedby%3Dpolicy%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dhdokiejnpimakedhajhdlcegeplioahd%26v%3D0.0.0.0%26installedby%3Dpolicy%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Daapocclcgogkmnckokdopfmhonfmgoek%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dfelcaaldnbdncclmgdcncolpebgiejap%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Daohghmighlieiainnegkcijnfilokake%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dapdfllckaahabafndbhieahigkjlhalf%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dblpcfgokakmgnkcojhhkbfbldkacnbeo%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpjkljhegncpnkpknbcohdijeoejaedia%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1
Result:a bunch of XML


clientservices.googleapis.com

IP:2607:f8b0:4006:815::2003 (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:GET /chrome-variations/seed?osname=mac&channel=stable&milestone=80
Result:a bit of gzip compressed binary data


accounts.google.com

IP:2607:f8b0:4006:81b::200d (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard (no payload)
Result:["gaia.l.a.r",[] ]


clients2.googleusercontent.com

IP:2607:f8b0:4006:81b::2001 (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP1q2vfaFufYPJ7MMPEdkxYurQqLKfsqlETBqnGAQLjVuUqXAP5kzjisGuCNTfqCtcNWXHJuTNrtTwTfHV02dRyiAMZSmuXqm5VWwl1zMmIqqfa62Kc5n3rCxg/extension_0_10_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0PBKVA-da_-T21yR2UQUNKDZNldfzJCCheccCxyc0eUdDcCzD3ksljCA37sYE2YQuixwb_lBQCF7WBqfrrMonZAMZSmuWOasTHxYEehcxrMknyH19pG5TAFg/extension_0_10_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP199BPyTfUTqlzrFainq_xpziexr6SSBQsG3al6SBOxXjhz6mtW75j-F1xkh0sFvlhqvkI3ro_fhpbYGWlt8yIvAMZSmuUbWgSmyx0vin-zLiRBVV3QIcVxrQ/extension_14_2_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP34GdSPM8CJTB4XCoKDlT3eZoUVQ66lPGkI7tJP3yA8iyZlYPMFkFE3rtpsNUquY08htcd-DWwPeCsE33hz642FAMZSmuX_x3TLW5Bs8_F8kxawtOpjwV_QwQ/extension_3_1_40_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP1q2vfaFufYPJ7MMPEdkxYurQqLKfsqlETBqnGAQLjVuUqXAP5kzjisGuCNTfqCtcNWXHJuTNrtTwTfHV02dRyiAMZSmuXqm5VWwl1zMmIqqfa62Kc5n3rCxg/extension_0_10_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0w4lDJ_bL6-4cEiO2dNd4wY6MRtrB86olYdAWJNSpbQk1Q83A9EM8DbPrtbQ_AZGp0O9Rp13bGeg_IlBP8lMjLAMZSmuXJMLTQge2ehP4yzENeXXd5OSiVew/extension_8_2_0_0.crx
GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCOlBIvoDMAma8GvG4TlJV63hrc-qX-TqF8hD5aOTImPGuQQq6BujLIzdacuWTEqILccAS18tmDS6pfwab4-elsoAMZSmuX3wxOtQqAilonYeas4_oS69Ej8Jg/extension_4_42_0_2.crx
Result:a lot of data of Content-Type: application/x-chrome-extension (presumably updates to installed extensions)


ff.search.yahoo.com

IP:2001:4998:58:204::2000 (Yahoo, AS26101)
Location:Lockport, NY, USA
Port:80
Protocol:HTTP
Request:
GET /gossip?output=fxjson&command=www.n
GET /gossip?output=fxjson&command=www.netm
GET /gossip?output=fxjson&command=www.netmeist
GET /gossip?output=fxjson&command=www.netmeiste
GET /gossip?output=fxjson&command=www.netmeister.o
Result:incremental predictive results

Here we see the search autocomplete functionality of the location bar: as you enter the URL, your partial URL is sent to the default search engine little by little to allow for the autocomplete window to provide you with guesses.

What's interesting here is that the default provider is Yahoo. I had removed all previous preferences and started from scratch, but somewhere Chrome picked up my previous default?

Secondly, the search happens over plain HTTP, not HTTPS! This is due to Chrome having the predictive search URL hardcoded as HTTP. I've opened a ticket to see whether a change request should be submitted to Chrome to switch this over to HTTPS, which ff.search.yahoo.com does support.

Once Chrome has started, you can disable the autocomplete search function via chrome://settings/syncSetup?search=autocomplete.


redirector.gvt1.com

IP:2607:f8b0:4006:81b::200e (Google, AS15169)
Location:generic US
Port:80
Protocol:HTTP 1.1
Request:
GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
Result:302 redirect to
http://r1---sn-ab5sznly.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:7c01:fc76:30b9:4ae7&mm=28&mn=sn-ab5sznly&ms=nvh&mt=1582903761&mv=m&mvi=0&pl=47&shardbypass=yes
302 redirect to
http://r5---sn-ab5szn7z.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:7c01:fc76:30b9:4ae7&mm=28&mn=sn-ab5szn7z&ms=nvh&mt=1582903761&mv=m&mvi=4&pl=47&shardbypass=yes


r5---sn-ab5szn7z.gvt1.com

IP:2607:f8b0:401e:2f::b (Google, AS15169)
Location:generic US
Port:80
Protocol:HTTP 1.1
Request:GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:7c01:fc76:30b9:4ae7&mm=28&mn=sn-ab5szn7z&ms=nvh&mt=1582903761&mv=m&mvi=4&pl=47&shardbypass=yes
Result:No HTTP response, although I see a lot of TCP packets being exchanged?

This is an odd exchange: the GET request appears not to be answered with an HTTP response, although a number of TCP packets are being sent back. Making the same request via curl(1) yields another redirect to http://r4---sn-ab5l6nzk.gvt1.com, which then returns an HTTP 200 with binary data with Content-Type: application/x-chrome-extension.

This is likely due to my system profile enforcing the installation of certain Chrome extensions, and thus perhaps not an accurate reflection of what a plain vanilla install or setup would look like.


www.googleapis.com

IP:2607:f8b0:4006:814::200a (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:POST /chromewebstore/v1.1/items/verify
Payload:{"hash":"/9vUfvdoLbvkTMovHYoGItfv0S/q/W69PBPTlJGWwCM=","ids":["aapocclcgogkmnckokdopfmhonfmgoek"],"protocol_version":1}
Result:
{
    "expiry": "2020-05-22",
    "protocol_version": 1,
    "pubkey_sha1_hash": "a2159534e3753e716819beb8aae14b326927505a",
    "signature": "FGiusqn6tdvURrEpDMuf9gy+uU0MtFWIo+aVxHr36uzjv8ORy5yfsevik+nXBjAlD+J2h/2ysZ8ws6DfuRBIT1Pq+0xkr8qTkOwc9WX7uZoz91bTD0RgSQGxhWZIDnQFukFaBk4QogMxD+lehi0jZmCyPnJPMgtBFbeLfEW+WojKzOAKMchajMQVhh8eUwLYR6NOLschjWYgE4EOJhmlHuinvHjSV9bkFdiO/Ubb0GV1Sye8i+/NjgN2b+Zd8Acql5n2fq/mLSNIbYq/PJsgMvGRplda6AjVE+wK3gIwnBc+P2tk/e9Nt/mF1U07X0hRxZEYK8/ZCXgj8LVPVK3iog=="
}


ssl.gstatic.com

IP:2607:f8b0:4006:815::2003 (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:
GET /safebrowsing/csd/client_model_v5_variation_0.pb
GET /safebrowsing/csd/client_model_v5_ext_variation_0.pb
Result:80K of Content-Type: application/octet-stream


Other Traffic

SSDP

When Chrome starts, it sends out an SSDP M-SEARCH * packet to the IPv4 site-local multicast address 239.255.255.250, port 1900. This is presumably to help in the discovery of e.g., cloud printers or other local devices.

A local system may respond with an HTTP response including a Location header, indicating a URL to fetch content from. In my case, my local Tivo helpfully replied, and Chrome then went to fetch the file http://172.16.1.6:37176/dd.xml.

(See this issue for more information. There's also this entertaining blog post relating to SSDP. Related config flag: chrome://flags/#media-router.)
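The exchange described above, as an added example that is not part of the original post: the M-SEARCH Chrome sends and a reply of the kind the Tivo returned, both constructed here, with a small parser and a check of where the reply's LOCATION header would send the browser. The SERVER and USN values are made up; the LOCATION URL is the one quoted above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of the discovery request Chrome sends to 239.255.255.250:1900.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# Constructed sample reply in the shape a local device sends back; the LOCATION
# is the URL quoted in the text, SERVER and USN are made up.
REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://172.16.1.6:37176/dd.xml\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleDevice/1.0\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)


def parse_ssdp(datagram):
    """Split one SSDP datagram into its start line and a dict of headers.

    SSDP is HTTP over UDP: a start line, 'Name: value' lines, then an empty
    line. Header names are case-insensitive and are returned lower-cased;
    lines without a colon are skipped rather than raising.
    """
    head, _, _ = datagram.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return start_line, headers


def is_discovery_request(datagram):
    """True for an M-SEARCH carrying the mandatory MAN: "ssdp:discover" header."""
    start_line, headers = parse_ssdp(datagram)
    return (
        start_line.upper().startswith("M-SEARCH")
        and headers.get("man", "").strip('"') == "ssdp:discover"
    )


def location_stays_local(datagram):
    """Report where a reply's LOCATION header would make the browser fetch from.

    Returns (location, verdict). The verdict is True only when the URL is
    http(s) and its host is a literal private or link-local address, i.e. the
    follow-up GET stays on the LAN. A hostname cannot be verified without a
    DNS lookup and is reported as False, as is any other scheme.
    """
    _, headers = parse_ssdp(datagram)
    location = headers.get("location")
    if location is None:
        return None, False
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return location, False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return location, False  # a hostname, not a literal address
    return location, bool(addr.is_private or addr.is_link_local)


if __name__ == "__main__":
    print("request is M-SEARCH:", is_discovery_request(M_SEARCH))
    print("reply LOCATION, local:", location_stays_local(REPLY))
```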

mDNS

Similarly to SSDP, Chrome also sends out an mDNS broadcast to 224.0.0.251 and ff02::fb with a query for a _googlecast._tcp.local PTR record. Local devices such as, e.g., a Google Nest Hub, respond with an IP address and additional information about the device, and Chrome may then perform an HTTP GET request, e.g., for /ssdp/device-desc.xml, which returns a product description.

(I'm also seeing at least two packets speaking the AJP13 protocol being exchanged, but can't make much sense of them; I'm not feeling particularly warm and fuzzy about that being in use on my devices, however.)


Summary

During this first invocation, Chrome makes HTTP connections to external systems on 8 different IPs, all IPv6. These IPs are in 2 different AS operated by 2 different companies (Google and Yahoo) in 6 different 2nd-level domains:

google.com, googleapis.com, googleusercontent.com, gstatic.com, gvt1.com

Registrar:     MarkMonitor Inc.
Organization:  Google LLC
State:         CA
Country:       US

yahoo.com

Registrar:     MarkMonitor Inc.
Organization:  Oath Inc.
State:         VA
Country:       US

It is worth noting that if the default search engine had not been Yahoo, but Google, then all of the traffic would have gone to Google's systems only. It is also worth noting that all of Google's systems used IPv6, TLS 1.3, and HTTP2.


Edge

Edge is now a Chrome based browser, so we expect at least some similarities with Google Chrome. Let's see if that's true or how much Microsoft changed here.

When installing Edge, the installer offers you an option to choose whether to "help microsoft improve our products by sending crash reports, info about how you use the browser, and websites you visit" to Microsoft, linking to this webpage. This is a nice touch, as it allows you to opt out of data collection even before the first start of the browser! In this example, I chose to opt out.

After starting Microsoft Edge 80.0.361.57 for the first time, it displays a startup site:

Edge Startup Page

Here, you can choose to import Chrome settings or sign into your profile or whatnot. Let's not. After opting out, you then get a generic welcome page:

Edge Welcome Page

DNS Lookups

Edge performed a total of 102 queries for 46 distinct names; the queries were A and AAAA lookups only and were sent to the locally configured stub resolver.

The total list of DNS lookups done on a fresh new start by Edge was, in order:


gsp-ssl.ls.apple.com.
gsp-ssl-dynamic.ls4-apple.com.akadns.net.
ocsp.apple.com.
world-gen.g.aaplimg.com.
nav.smartscreen.microsoft.com.
wd-prod-ss-us-northcentral-2-fe.northcentralus.cloudapp.azure.com.
www.microsoft.com.
e13678.dspb.akamaiedge.net.
ntp.msn.com.
local.
self.events.data.microsoft.com.
skypedataprdcolneu05.cloudapp.net.
config.edge.skype.com.
gsp64-ssl.ls.apple.com.
gsp64-ssl.ls-apple.com.akadns.net.
assets.msn.com.
img-s-msn-com.akamaized.net.
otf.msn.com.
sb.scorecardresearch.com.
api.msn.com.
c.bing.com.
smartscreen-prod.microsoft.com.
c.msn.com.
www.msn.com.
edge.microsoft.com.
arc.msn.com.
uxdfqnr.cable.rcn.com.
axpajkorx.cable.rcn.com.
vpajxujeblxm.cable.rcn.com.
axpajkorx.cable.rcn.com.
uxdfqnr.cable.rcn.com.
axpajkorx.
uxdfqnr.
vpajxujeblxm.cable.rcn.com.
uxdfqnr.
vpajxujeblxm.
edge.microsoft.com.
ris.api.iris.microsoft.com.
world-gen.g.aaplimg.com.
go.microsoft.com.
microsoftedgewelcome.microsoft.com.
edgewelcomecdn.microsoft.com.
az725175.vo.msecnd.net.
www.microsoft.com.
mem.gfx.ms.
img-prod-cms-rt-microsoft-com.akamaized.net.
c.s-microsoft.com.
web.vortex.data.microsoft.com.
www.bing.com.
www.ne.
www.net.
www.ne.cable.rcn.com.
www.ne.
www.ne.cable.rcn.com.
www.ne.
www.netmeister.org.
wd-prod-ss-us-northcentral-2-fe.northcentralus.cloudapp.azure.com.

As before with Google Chrome, we see a number of lookups of random character sequences to detect DNS hijacking; we also see consecutive lookups of records as we type our destination name, www.netmeister.org.

HTTP Traffic

At startup, Edge makes a number of HTTP calls, as broken down below:

Map of places Edge talks to at startup.

ntp.msn.com

IP:204.79.197.203 (Microsoft, AS8068)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:a dozen or so json requests
GET /edge/ntp?locale=en-US&fre=1&rt=1&dsp=1&sp=Bing&startpage=1
GET /content/view/v1/weathersummary/en-us/40.74,-73.9855?units=F&days=5
GET /breakingnews/v1/cms/api/amp/article/AA157JY
GET /service/msn/topics?apikey=0QfOX3Vn51YCzitbLaRkTTBadtWpgTN8NZLW0C1SEM&activityId=AADBF64E-E4FA-4BAA-8500-0FBE111C0ECC&ocid=anaheim-dhp-feeds&market=en-us&user=m-1F7801155A8F68020D0C0F6B5B0D6994&fdhead=msnallexpusers,muidflt10cf,muidflt26cf,muidflt50cf,muidflt313cf,complianceedge1cf,samrtb-n,platagyhp2cf,moneyhp1cf,compliancehp1cf,starthz1cf,samrtbflex-nc,artgly3cf,gallery2cf,jslltelemetry,msnapp4cf,1s-feed-next-v1&queryType=MyFeed&$top=1000&allTopics=true&$select=id,name,image,feedType&location=40.74|-73.9855
Result:this HTML page
this weather report
this promo json blob
some more json

That's a whole lot of requests. One curious thing here is the presence of an apiKey parameter; it's unclear what this is used for if it's baked into the application.

(It appears that ntp.msn.com has absolutely nothing to do with NTP. Browser context suggests "New Tab Page".)


config.edge.skype.com

IP:13.107.3.128 (Microsoft, AS8068)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /config/v1/Edge/80.0.361.57?agents=EdgeDomainActions%2CEdgeFirstRun%2CEdgeFirstRunConfig%2CEdgeDataConfig&enabledomainactions=1&osname=mac&channel=stable&osver=10.15.3&osarch=x86_64&uma=0&mngd=0
GET /config/v1/Edge/80.0.361.57?enabledomainactions=1&osname=mac&channel=stable&osver=10.15.3&osarch=x86_64&uma=0&mngd=0
Result:a whole bunch of json
and some more json


assets.msn.com

IP:23.59.250.114 (Akamai, AS20940)
Location:New York, NY
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_256_GCM_SHA384
Request:89 (!) .js files
Result:a whole bunch of json

That's a lot of requests! There has got to be a more efficient way than to request nearly 100 .js files here.


www.msn.com

IP:204.79.197.203 (Microsoft, AS8068)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:GET /spartan/en-us/getappanoncookie
Result:
set-cookie: _EDGE_S=F=1; path=/; httponly; domain=msn.com
set-cookie: _EDGE_V=1; path=/; httponly; expires=Thu, 25-Mar-2021 03:34:19 GMT; domain=msn.com
set-cookie: MUID=3035F9C5A0886FBE1139F7BAA1006E02; path=/; expires=Thu, 25-Mar-2021 03:34:19 GMT; domain=msn.com


img-s-msn-com.akamaized.net

IP:2600:141b:b000::1737:eb8b (Akamai, AS35994)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:GET /tenant/amp/entityid/BBYyvk2.img
Result:image


self.events.data.microsoft.com

IP:52.114.77.34 (Microsoft, AS8075)
Location:generic US
Port:443
Protocol:HTTP
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
POST /OneCollector/1.0/
APIKey: 7005b72804a64fa4b2138faab88f877b-0046e00d-6cb7-4bb8-8ac2-0128c6c05c4a-7918
Content-Type: application/bond-compact-binary
SDK-Version: EVT-MacOSX-C++-No-3.2.297.1
Result:{"acc":1}


c.msn.com

IP:20.36.253.92 (Microsoft, AS8075)
Location:Boydton, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
/c.gif?udc=true&rid=aadbf64ee4fa4baa85000fbe111c0ecc&rnd=1582933548322&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26fre%3D1%26rt%3D1%26dsp%3D1%26sp%3DBing%26startpage%3D1%26ocid%3Dmsedgdhp&scr=1440x900&anoncknm=APP_ANON&issso=0&aadState=0&di=340&lng=en-us&activityId=aadbf64ee4fa4baa85000fbe111c0ecc&d.dgk=unknown&d.imd=0&st.dpt=antp&subcvs=homepage&pg.n=default&pg.t=dhp&pg.p=anaheim
Result:302 redirect to c.bing.com


sb.scorecardresearch.com

IP:23.192.9.190 (Akamai, AS16625)
Location:generic US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
/b?c1=2&c2=3000001&cs_ucfr=1&rn=1582933548323&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26fre%3D1%26rt%3D1%26dsp%3D1%26sp%3DBing%26startpage%3D1%26ocid%3Dmsedgdhp&c8=&c9=
Result:204 No Content (scorecardresearch cookies)


otf.msn.com

IP:40.114.54.223 (Microsoft, AS8075)
Location:Washington, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:preflight OPTIONS, then
POST /c.gif?
Payload:this json


edge.microsoft.com

IP:13.107.6.158 (Microsoft, AS8068)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /autofillservice/query?q=Chc2LjEuMTcxNS4xNDQyL2VuIChHR0xMKRMZiWbV8PbQA_0jLZSQkvokIy2UkJL6JBQ=
GET /abusiveadblocking/api/v1/blocklist
Result:128k blacklist


ris.api.iris.microsoft.com

IP:13.68.92.143 (Microsoft, AS8068)
Location:Boydton, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
GET /v1/a/click?PG=IRIS000001.0000000216&UNID=88000216&CID=128000000001812729&PID=425122465&TargetID=700336220&REQASID=&ASID=0823319A7CDB414F99B3E4ABFCF120DA&REQT=20200228T234550&UIT=M&ID=00000000000000000000000000000
Result:204 no content


microsoftedgewelcome.microsoft.com

IP:104.42.128.171 (Microsoft, AS8075)
Location:San Jose, CA
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /
GET /en-us/
misc images etc.
Result:the initial welcome site


edgewelcomecdn.microsoft.com

IP:2606:2800:11f:1cb7:261b:1f9c:2074:3c (MCI Communications, AS15133)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_256_GCM_SHA384
Request:various images, fonts, CSS and js assets


img-prod-cms-rt-microsoft-com.akamaized.net

IP:2600:141b:b000::1737:eba2 (Akamai, AS35994)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:GET /cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Result:PNG image


web.vortex.data.microsoft.com

IP:65.55.44.109 (Microsoft, AS8075)
Location:Boydton, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
GET /collect/v1/t.js?ver=%272.1%27&name=%27Ms.Webi.PageView%27&time=%272020-02-28T23%3A46%3A17.109Z%27&os=%27MacOS%27&appId=%27JS%3AMsedgefre%27&-ver=%271.0%27&-impressionGuid=%27881ba457-a44e-44c4-8128-9f4a25147990%27&-pageName=%27Undefined%27&-uri=%27https%3A%2F%2Fmicrosoftedgewelcome.microsoft.com%2Fen-us%2F%27&-market=%27en-us%27&-resHeight=900&-resWidth=1440&-pageTags=%27%7B%22metaTags%22%3A%7B%7D%7D%27&-behavior=0&*baseType=%27Ms.Content.PageView%27&*cookieEnabled=true&*isJs=true&*title=%27Microsoft%20Edge%27&*isLoggedIn=false&*flashInstalled=false&ext-javascript-ver=%271.1%27&ext-javascript-libVer=%274.2.14%27&ext-javascript-domain=%27microsoftedgewelcome.microsoft.com%27&ext-javascript-userConsent=false&$mscomCookies=false

POST /collect/v1?$mscomCookies=false&ext-javascript-msfpc=%27GUID%3Db21dda85de3c47b293a5e93ee20dae56%26HASH%3Db21d%26LV%3D202002%26V%3D4%26LU%3D1582933577229%27
Payload:{"ver":"2.1","name":"Ms.Webi.ContentUpdate","time":"2020-02-28T23:46:17.339Z","os":"MacOS","appId":"JS:Msedgefre","data":{"baseData":{"ver":"1.0","impressionGuid":"881ba457-a44e-44c4-8128-9f4a25147990","pageName":"Undefined","uri":"https://microsoftedgewelcome.microsoft.com/en-us/","market":"en-us","pageTags":"{\"metaTags\":{},\"timing\":\"{\\\"first-paint\\\":1111.4650000017718,\\\"first-contentful-paint\\\":1283.4550000043237,\\\"navigationStart\\\":1582933575587,\\\"unloadEventStart\\\":0,\\\"unloadEventEnd\\\":0,\\\"redirectStart\\\":0,\\\"redirectEnd\\\":0,\\\"fetchStart\\\":1582933576226,\\\"domainLookupStart\\\":1582933576226,\\\"domainLookupEnd\\\":1582933576226,\\\"connectStart\\\":1582933576226,\\\"connectEnd\\\":1582933576226,\\\"secureConnectionStart\\\":0,\\\"requestStart\\\":1582933576229,\\\"responseStart\\\":1582933576349,\\\"responseEnd\\\":1582933576433,\\\"domLoading\\\":1582933576359,\\\"domInteractive\\\":1582933576873,\\\"domContentLoadedEventStart\\\":1582933576969,\\\"domContentLoadedEventEnd\\\":1582933576969,\\\"domComplete\\\":1582933577254,\\\"loadEventStart\\\":1582933577255,\\\"loadEventEnd\\\":1582933577255}\"}","pageHeight":3172,"vpHeight":794,"vpWidth":1440,"behavior":0,"vScrollOffset":0,"hScrollOffset":0,"contentVer":"2.0","content":"[{\"cN\":\"headerArea\",\"cT\":\"Area_coreuiArea\",\"id\":\"a1Body\",\"sN\":1,\"aN\":\"Body\"},{\"cN\":\"headerRegion\",\"cT\":\"Region_coreui-region\",\"id\":\"r1a1\",\"sN\":1,\"aN\":\"a1\"},{\"cN\":\"headerUniversalHeader\",\"cT\":\"Module_coreui-universalheader\",\"id\":\"m1r1a1\",\"sN\":1,\"aN\":\"r1a1\"},{\"cN\":\"Universal Header_cont\",\"cT\":\"Container\",\"id\":\"c3c1m1r1a1\",\"sN\":3,\"aN\":\"c1m1r1a1\"},{\"cN\":\"GlobalNav_Logo_cont\",\"cT\":\"Container\",\"id\":\"c3c3c1m1r1a1\",\"sN\":3,\"aN\":\"c3c1m1r1a1\"},{\"cN\":\"Category nav_cont\",\"cT\":\"Container\",\"id\":\"c6c3c1m1r1a1\",\"sN\":6,\"aN\":\"c3c1m1r1a1\"},{\"cN\":\"Header actions_cont\",\"cT\":\"Container\",\"id\":\"c7c3c1m1r1a1\",\"sN\":7,\"aN\":\"c3c1m1r1a1\"},{\"cN\":\"GlobalNav_cont\",\"cT\":\"Container\",\"id\":\"c1c7c3c1m1r1a1\",\"sN\":1,\"aN\":\"c7c3c1m1r1a1\"},{\"cN\":\"GlobalNav_More_nonnav\",\"id\":\"nn1c1c7c3c1m1r1a1\",\"sN\":1,\"aN\":\"c1c7c3c1m1r1a1\"},{\"cN\":\"GlobalNav_Search_cont\",\"cT\":\"Container\",\"id\":\"c3c1c7c3c1m1r1a1\",\"sN\":3,\"aN\":\"c1c7c3c1m1r1a1\"}]"},"baseType":"Ms.Content.ContentUpdate","title":"Microsoft Edge","cookieEnabled":true,"isJs":true,"isDomComplete":true,"isLoggedIn":false,"pageLoadTime":1668},"ext":{"javascript":{"ver":"1.1","libVer":"4.2.14","domain":"microsoftedgewelcome.microsoft.com","msfpc":"GUID=b21dda85de3c47b293a5e93ee20dae56&HASH=b21d&LV=202002&V=4&LU=1582933577229","userConsent":false}}}
Result:
document.cookie="MSFPC=GUID=b21dda85de3c47b293a5e93ee20dae56&HASH=b21d&LV=202002&V=4&LU=1582933577229;expires=Sat, 27 Feb 2021 23:46:17 GMT;path=/;Secure;SameSite=None";if(awa.ix){awa.ix.set({"mc1":"b21dda85de3c47b293a5e93ee20dae56"})};if(awa.firstEventDone){awa.firstEventDone()};

{"ipv":false,"pvm":null,"rej":0,"bln":0,"acc":1,"efi":[]}

Other Traffic

SSDP and mDNS

Since Edge is based on Chrome, it's no surprise we see the same SSDP and mDNS traffic as we saw above.


Summary

During this first invocation, Edge makes HTTP connections to external systems on 14 different IPs, almost all IPv4. These IPs are in 6 different AS operated by 3 different companies (Microsoft, Akamai, MCI) in 5 different 2nd-level domains:

akamaized.net

Registrar:     Akamai Technologies, Inc.
Organization:  Akamai Technologies, inc.
State:         MA
Country:       US

microsoft.com, msn.com

Registrar:     MarkMonitor Inc.
Organization:  Microsoft Corporation
State:         WA
Country:       US

scorecardresearch.com

Registrar:     MarkMonitor Inc.
Organization:  TMRG, Inc
State:         VA
Country:       US

skype.com

Registrar:     MarkMonitor Inc.
Organization:  Skype
State:         Dublin
Country:       IE


Safari

Safari is a bit of an outlier in this analysis: it is more closely integrated with the OS, starts a few other processes, and has access to a shared DNS cache via mDNSResponder.

It also is the only browser that I did not start in a factory-new configuration; instead, I started with the default of a blank page, thereby avoiding loading a heavy advertising driven homepage or anything of that sort. The reason for this is that I simply could not easily untangle Safari from whatever system settings I have as defaults to recreate or simulate a fresh install.

What's more, unlike with Firefox or Chrome based browsers, Safari does not honor the SSLKEYLOGFILE environment variable, meaning I can't decrypt the TLS traffic easily in Wireshark without setting up a proxy, a trouble through which I didn't bother going. Therefore, I can only provide the correlation of IP addresses to which Safari made a TLS connection with the SNI from the TLS handshake and the Little Snitch network map and connection information, but not provide the details of the data exchanged.

The version of Safari used here is 13.0.5 (15608.5.11).

DNS Lookups

Safari performed a total of 43 queries for 26 distinct names; the queries were A and AAAA lookups only and were sent to the locally configured stub resolver.

There were some lookups that appeared to have been made as follow ups to previously cached results. For example, no DNS query for www.bing.com was observed in the pcap file, but a query for the resolution of its CNAME (a-0001.a-afdentry.net.trafficmanager.net.) was observed. This appears to be the effect of mDNSResponder caching DNS lookups.

The total list of DNS lookups done on a fresh new start by Safari was, in order:


xp.itunes-apple.com.akadns.net.
e17437.dscb.akamaiedge.net.
api-glb-nyc.smoot.apple.com.
play.itunes.apple.com.edgesuite.net.
a1806.dscb.akamai.net.
e673.dsce9.akamaiedge.net.
www-src.linkedin.com.
www-cdn.icloud.com.akadns.net.
e6858.dsce9.akamaiedge.net.
e4478.a.akamaiedge.net.
static-exp1.licdn.com.
cs945.wpc.epsiloncdn.net.
atsv2-fp-shed.wg1.b.yahoo.com.
a-0001.a-afdentry.net.trafficmanager.net.
dual-a-0001.a-msedge.net.
edge.gycpi.b.yahoodns.net.
search.yahoo.com.
csc.beap.bc.yahoo.com.
geo.yahoo.com.
geoycpi-uno.gycpi.b.yahoodns.net.
www.google.com.
dyna.wikimedia.org.
upload.wikimedia.org.
star-mini.c10r.facebook.com.
twitter.com.
cs2-wac.apr-8315.edgecastdns.net.

HTTP Traffic

Since Safari is much more integrated into macOS than the other browsers, we see connections made not only by Safari, but also by other processes initiated by Safari.

At startup, the following HTTP calls are observed:

Map of places Safari talks to at startup.

xp.apple.com

IP:2600:141b:13:7a4::441d (Akamai, AS20940)
Location:generic US
Port:443
TLS:1.3, TLS_AES_256_GCM_SHA384

This connection is made by Apple's CommerceKit framework, a process kicked off by Safari and used to enable app, music, and book purchases.


api-glb-nyc.smoot.apple.com

IP:17.249.121.246 (Apple, AS714)
Location:generic US
Port:443
TLS:1.3, TLS_AES_256_GCM_SHA384

This connection is made by Apple's CoreParsec framework, a process kicked off by Safari and used to manage access and data for Siri suggestions.


play.itunes.apple.com

IP:2600:141b:13::17d7:8261 (Akamai, AS20940)
Location:generic US
Port:443
TLS:1.3, TLS_AES_256_GCM_SHA384

Another CommerceKit framework connection.


pd.itunes.apple.com

IP:2600:141b:13:797::2a1 (Akamai, AS20940)
Location:generic US
Port:443
TLS:1.3, TLS_AES_256_GCM_SHA384

Another CommerceKit framework connection.


www.linkedin.com

IP:2620:109:c002::6cae:a0a (LinkedIn, AS14413)
Location:generic US
Port:443
TLS:1.2, TLS_AES_256_GCM_SHA384


www.apple.com

IP:2600:141b:13:795::1aca (Akamai, AS20940)
Location:generic US
Port:443
TLS:1.3, TLS_AES_256_GCM_SHA384


www.icloud.com

IP:104.107.17.109 (Akamai, AS16625)
Location:generic US
Port:443
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


www.yahoo.com

IP:2001:4998:58:1836::10 (Yahoo, AS26101)
Location:generic US
Port:443
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


www.bing.com

IP:2620:1ec:c11::200 (Microsoft, AS8068)
Location:generic US
Port:443
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


s.yimg.com

IP:2001:4998:1c:800::1001 (Yahoo, AS14779)
Location:New York, NY
Port:443
TLS:1.3, TLS_AES_128_GCM_SHA256 (0x1301)


search.yahoo.com

IP:2001:4998:58:204::2000 (Yahoo, AS26101)
Location:New York, NY
Port:443
TLS:1.3, TLS_AES_128_GCM_SHA256


geo.yahoo.com

IP:2001:4998:58:207::6000 (Yahoo, AS26101)
Location:New York, NY
Port:443
TLS:1.3, TLS_AES_128_GCM_SHA256


video-api.yql.yahoo.com

IP:69.147.82.60 (Yahoo, AS14779)
Location:New York, NY
Port:443
TLS:1.3, TLS_AES_128_GCM_SHA256


www.google.com

IP:2607:f8b0:4006:803::2004 (Google, AS15169)
Location:generic US
Port:443
TLS:1.3, TLS_AES_128_GCM_SHA256


www.wikipedia.org

IP:2620:0:861:ed1a::1 (Wikimedia, AS14907)
Location:generic US
Port:443
TLS:1.2, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256


upload.wikimedia.org

IP:2620:0:861:ed1a::2:b (Wikimedia, AS14907)
Location:generic US
Port:443
TLS:1.2, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256


www.facebook.com

IP:2a03:2880:f112:83:face:b00c:0:25de (Facebook, AS32934)
Location:Dublin, Ireland
Port:443
TLS:1.3, TLS_AES_128_GCM_SHA256


twitter.com

IP:104.244.42.1 (Twitter, AS13414)
Location:generic US
Port:443
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


abs.twimg.com

IP:2606:2800:220:13d:2176:94a:948:148e (MCI, AS15133)
Location:generic US
Port:443
TLS:1.3, TLS_AES_128_GCM_SHA256

Other Traffic

mDNS

Safari also starts out sending mDNS probes for various SRV names like _adisk._tcp.local, _afpovertcp._tcp.local, _apple-pairable._tcp.local, _airport._tcp.local etc.


Summary

During this first invocation, Safari makes HTTP connections to external systems on 19 different IPs, mostly IPv6. These IPs are in 12 different AS operated by 10 different companies (Akamai, Apple, Facebook, Google, LinkedIn, MCI, Microsoft, Twitter, Wikimedia, Yahoo) in 12 different 2nd-level domains:

apple.com, icloud.com

Registrar:     CSC Corporate Domains, Inc.
Organization:  Apple Inc.
State:         CA
Country:       US

bing.com

Registrar:     MarkMonitor Inc.
Organization:  Microsoft Corporation
State:         WA
Country:       US

facebook.com

Registrar:     RegistrarSafe, LLC
Organization:  Facebook, Inc.
State:         CA
Country:       US

google.com

Registrar:     MarkMonitor Inc.
Organization:  Google LLC
State:         CA
Country:       US

linkedin.com

Registrar:     MarkMonitor Inc.
Organization:  LinkedIn Corporation
State:         CA
Country:       US

twimg.com, twitter.com

Registrar:     CSC Corporate Domains, Inc.
Organization:  Twitter, Inc.
State:         CA
Country:       US

wikimedia.org, wikipedia.org

Registrar:     MarkMonitor Inc.
Organization:  Wikimedia Foundation, Inc.
State:         CA
Country:       US

yahoo.com, yimg.com

Registrar:     MarkMonitor Inc.
Organization:  Oath Inc.
State:         VA
Country:       US

What's interesting about Safari is that even though it doesn't load a welcome page or display any content at startup as per my preferences, it still fetches content from the various popular domains, suggesting there is some pre-fetching of content happening in the background.


Brave

After starting Brave Version 1.4.95 (Chromium 80.0.3987.122) for the first time, it displays a welcome screen with an option to "Skip welcome tour", which we thankfully select.

Brave Startup Page

After that, we enter our destination URL, let the page load, and exit the browser.

DNS Lookups

Brave performed a total of 57 queries for 19 distinct names; the queries were A and AAAA lookups only and were sent to the locally configured stub resolver.

The total list of DNS lookups done on a fresh new start by Brave was, in order:


updates.bravesoftware.com.
f2.shared.global.fastly.net.
static1.brave.com.
no-thanks.invalid.
no-thanks.invalid.cable.rcn.com.
laptop-updates.brave.com.
no-thanks.invalid.
go-updater.brave.com.
componentupdater.brave.com.
brave-core-ext.s3.brave.com.
tor.bravesoftware.com.
crlsets.brave.com.
no-thanks.invalid.
no-thanks.invalid.cable.rcn.com.
krdjdubihfhlri.cable.rcn.com.
rhqnzult.cable.rcn.com.
ckzlqdialux.cable.rcn.com.
krdjdubihfhlri.cable.rcn.com.
krdjdubihfhlri.
rhqnzult.cable.rcn.com.
ckzlqdialux.cable.rcn.com.
rhqnzult.
ckzlqdialux.
rhqnzult.
ckzlqdialux.
no-thanks.invalid.
no-thanks.invalid.cable.rcn.com.
static.brave.com.
no-thanks.invalid.
no-thanks.invalid.cable.rcn.com.
www.netmeister.org.

As before with Google Chrome and Edge, we see a number of lookups of random character sequences to detect DNS hijacking; we also note that no-thanks.invalid was looked up 5 times in total.

HTTP Traffic

At startup, Brave makes a number of HTTP calls, as broken down below:

Map of places Brave talks to at startup.


static1.brave.com

IP:2606:4700:3033::681c:17f2 (Cloudflare, AS13335)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:
Braveservicekey: qjVKcxtUybh8WpKNoQ7EbgbkJTMu7omjDHKk=VrPApb8PwJyPE9eqchxedTsMEWg
GET /autofill/hourly/bins.json
GET /autofill/weekly/merchants.json
GET /safebrowsing/csd/client_model_v5_variation_0.pb
GET /safebrowsing/csd/client_model_v5_ext_variation_0.pb
Result:
{ "cpan_eligible_bin_wl_regex": ["^4[0-9]{15,18}$"] }

{ "cpan_eligible_merchant_wl": ["dump-truck.appspot.com"] }
2 x 80 Kb binary data

The requests here are interesting in the use of the Braveservicekey; the json data returned is Brotli compressed.


laptop-updates.brave.com

IP:199.232.37.7 (Fastly, AS54113)
Location:New York, NY
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
GET /promo/custom-headers

PUT /promo/initialize/nonua

GET /1/usage/brave-core?platform=osx-bc&channel=release&version=1.4.95&daily=true&weekly=true&monthly=true&first=true&woi=2020-03-02&ref=BRV001
Payload:
{
    "api_key": "fe033168-0ff8-4af6-9a7f-95e2cbfc9f4f",
    "platform": "osx",
    "referral_code": "BRV001"
}
Result:
[
    {
        "cookieNames": [],
        "domains": [
            "coinbase.com",
            "api.coinbase.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "coinbase"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "softonic.com",
            "softonic.cn",
            "softonic.jp",
            "softonic.pl",
            "softonic.com.br"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "softonic"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "marketwatch.com",
            "barrons.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "dowjones"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "townsquareblogs.com",
            "tasteofcountry.com",
            "ultimateclassicrock.com",
            "xxlmag.com",
            "popcrush.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "townsquare"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "cheddar.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "cheddar"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "upbit.com",
            "sg.upbit.com",
            "id.upbit.com",
            "ccx.upbit.com",
            "ccx.upbitit.com",
            "ccxsg.upbit.com",
            "cgate.upbitit.be",
            "ccxid.upbit.com",
            "cgate.upbitit.tv"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "upbit"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "eaff.com",
            "stg.eaff.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "eaff"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "sandbox.uphold.com",
            "api-sandbox.uphold.com",
            "uphold.com",
            "api.uphold.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "uphold"
        }
    }
]


{"ts":1583209242790,"status":"ok"}

Another use of an API key as well as a referral code. The returned data contains a number of domains that may have to do with Brave's ad system?


go-updater.brave.com

IP:199.232.37.7 (Fastly, AS54113)
Location:New York, NY
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
X-Goog-Update-AppId: gccbbckogglekeggclmmekihdgdpdgoe
BraveServiceKey: qjVKcxtUybh8WpKNoQ7EbgbkJTMu7omjDHKk=VrPApb8PwJyPE9eqchxedTsMEWg

POST /extensions

This is repeated 10 times with different X-Goog-Update-AppIds but identical payload.
Payload:
{
    "request": {
        "@os": "mac",
        "@updater": "",
        "acceptformat": "crx2,crx3",
        "app": [
            {
                "appid": "gccbbckogglekeggclmmekihdgdpdgoe",
                "enabled": true,
                "installsource": "ondemand",
                "ping": {
                    "r": -2
                },
                "updatecheck": {},
                "version": "0.0.0.0"
            }
        ],
        "arch": "x64",
        "dedup": "cr",
        "domainjoined": false,
        "hw": {
            "physmemory": 16
        },
        "lang": "",
        "nacl_arch": "x86-64",
        "os": {
            "arch": "x86_64",
            "platform": "Mac OS X",
            "version": "10.15.3"
        },
        "prodchannel": "stable",
        "prodversion": "80.1.4.95",
        "protocol": "3.1",
        "requestid": "{d5698802-5f71-460d-b3f0-6956886f191e}",
        "sessionid": "{92504c9b-3e1d-4d9e-80b4-59a725cc23e3}",
        "updaterchannel": "stable",
        "updaterversion": "80.1.4.95"
    }
}

Result:Most requests returned the same json as was POSTed; one request received an HTTP 307 redirect to https://componentupdater.brave.com/service/update2/json


componentupdater.brave.com

IP:199.232.37.7 (Fastly, AS54113)
Location:New York, NY
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
X-Goog-Update-AppId: hfnkpimlhhgieaddgfemjhofmfblmnib
BraveServiceKey: qjVKcxtUybh8WpKNoQ7EbgbkJTMu7omjDHKk=VrPApb8PwJyPE9eqchxedTsMEWg

POST /service/update2/json

Payload:same as in the previous request
Result:same as in the previous request


crlsets.brave.com

IP:199.232.37.7 (Fastly, AS54113)
Location:New York, NY
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
GET /edgedl/release2/chrome_component/ANaMfc39lnLzNeHAqi34CPs_5726/AgjeNiYMWjgOFctWc_IsaA

Result:21848 bytes of binary data


brave-core-ext.s3.brave.com

IP:199.232.38.217 (Fastly, AS54113)
Location:New York, NY
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:
GET /release/gccbbckogglekeggclmmekihdgdpdgoe/extension_1_0_21.crx
GET /release/cffkpbalmllkdoenhmdmpbkajipdjfam/extension_1_0_498.crx
GET /release/afalakplffnnnlkncjhbmahjfjhmlkal/extension_1_0_22.crx
GET /release/oofiananboodjbbmdelgdommihjbkfag/extension_1_0_14.crx

Result:Content-Type: application/x-chrome-extension


Summary

During this first invocation, Brave makes HTTP connections to external systems on 3 different IPs. These IPs are in 2 different AS operated by 2 different companies (Cloudflare, Fastly) with domains in a single 2nd-level domain:

brave.com

Registrar:     NameCheap, Inc.
Organization:  Brave Software
State:         CA
Country:       US


Opera

For Opera, things were split into two processes to track: the installer, and the browser invocation itself, which immediately and automatically followed the installation. Once the installer completed and opened the browser window (version 67.0.3575.53), a default startup page was loaded:

[Screenshot: Opera Startup Page]

After that, we enter our destination URL, let the page load, and exit the browser.

DNS Lookups

Opera (and its installer) performed a total of 74 queries for 29 distinct names; the queries were A and AAAA lookups as well as one PTR lookup, and all were made via the locally configured stub resolver.

The total list of DNS lookups done on a fresh new installation of Opera was, in order:


autoupdate.geo.opera.com.
lati.autoupdate.opera.com.
download.opera.com.
us-download.opera.com.
download3.operacdn.com.
e11604.g.akamaiedge.net.
autoupdate.geo.opera.com.
lati.autoupdate.opera.com.
sitecheck.opera.com.
speeddials.opera.com.
redir.opera.com.
sd-images.operacdn.com.
speeddials.opera.com.
www.opera.com.
exchange.opera.com.
recover.operacdn.com.
merchandise.opera-api.com.
discover.operacdn.com.
extension-updates.opera.com.
world-gen.g.aaplimg.com.
www.google.com.
www.ne.
www.net.
www.ne.cable.rcn.com.
18.238.202.199.in-addr.arpa.
www.ne.cable.rcn.com.
features.opera-api.com.
www.ne.
www.netmeister.org.
www.ne.
www.ne.cable.rcn.com.
desktop-dna.osp.opera.software.
download1.operacdn.com.
update.googleapis.com.
redirector.gvt1.com.
r5---sn-ab5sznle.gvt1.com.
autoupdate.geo.opera.com.
lati.autoupdate.opera.com.

Opera being another Chrome based browser, we're not surprised to again see the same DNS hijacking detection lookups, as well as the incremental lookups made as we type our destination URL www.netmeister.org.

HTTP Traffic

After installation, the browser is started and makes a number of HTTP calls, as broken down below:

[Map of places Opera talks to at startup.]

autoupdate.geo.opera.com

IP:2001:4c28:3000:622:37:228:108:132 (Opera, AS39832)
Location:Norway
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /geolocation/
POST /
POST /stats/desktop-sessions-sub/v1/binary
Payload: this XML data, then this XML data, then this XML data
1635 bytes application/x-osp data
all of this data
Result:
{ "country": "US", "timestamp": 1583286077 }

misc XML data, such as this


speeddials.opera.com

IP:107.167.110.216 (OperaSoftware, AS21837)
Location:Ashburn, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /api/v2/partner-content?product=&country=US&edition=&uuid=900cb00e-d350-4aed-a74e-d4c08ec47567
GET /api/v2/suggestions?product=&country=US&language=en-US&uuid=0d1ac479-1b16-412e-86dc-118fcdede04c&type=desktop-suggestions
GET /api/v2/suggestions?product=&country=US&language=en-US&uuid=0d1ac479-1b16-412e-86dc-118fcdede04c&type=desktop-suggestions
GET /api/v3/news?country=us&language=en&locale=en_US&category=ar,bu,en,fo,ga,he,li,lv,mo,ne,sc,sp,te,tr&timezone=-05:00
GET /api/v1/features?country=US&language=en-US&uuid=a036c8a3-4076-4918-853f-dd9650893333
GET /api/v1/thumbnails/www.netmeister.org
Result: this json data
all of this json data
another 88Kb of json data

An interesting request here is the lookup of a thumbnail for the destination address, suggesting any domain you enter is going to be sent to speeddials.opera.com.


features.opera-api.com

IP:107.167.110.216 (OperaSoftware, AS21837)
Location:Ashburn, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /api/v1/features?country=US&language=en-US&uuid=a036c8a3-4076-4918-853f-dd9650893333
Result: this json data


sitecheck.opera.com

IP:107.167.110.211 (OperaSoftware, AS21837)
Location:Ashburn, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
POST /api/v2/check
POST /api/v2/check
POST /api/v2/check
    
Payload:50 bytes of protobuf data
Result:26 bytes of protobuf data


extension-updates.opera.com

IP:107.167.110.211 (OperaSoftware, AS21837)
Location:Ashburn, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /api/omaha/update/?os=mac&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=Stable&prodversion=80.0.3987.122&lang=en-US&acceptformat=crx3&x=id%3Dcom.opera.crx.blacklist%26v%3D0%26uc
GET /api/omaha/blacklist.aa8c9c6d317f343a4c2e1b80f132be89058411264919eb57947037b57467cf9f.txt
Result:this blacklist


redir.opera.com

IP:37.228.108.143 (Opera, AS39832)
Location:Reston, VA
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /www.opera.com/firstrun/?http_referrer=&query=
Result:302 redirect to https://www.opera.com/client/welcome


sd-images.operacdn.com

IP:23.64.21.104 (Akamai, AS20940)
Location:Netherlands
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /api/v1/images/a07ea74aa0b3aae5b7dc37789a2e834b1e883060.png
[ 20 more images ]
Result:PNG images


www.opera.com

IP:3.133.238.181 (Amazon, AS16509)
Location:Seattle, WA
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /client/welcome
Result:this welcome page


exchange.opera.com

IP:185.26.182.112 (Opera, AS39832)
Location:generic Europe
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
GET /api/v1/cmc/
GET /api/v1/ecb/
GET /api/v1/nbu/
Result:misc XML and json data representing currency exchange rates


redirector.gvt1.com

IP:2607:f8b0:4006:804::200e (Google, AS15169)
Location:generic US
Port:80
Protocol:HTTP 1.1
Request:
GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvN2Q5QUFXVzIwUTZCbVBNNnZaYm4wUXdzdw/4.10.1582.2_oimompecagnajdejgnnjijobebaeigek.crx
Result:302 redirect to http://r5---sn-ab5sznle.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvN2Q5QUFXVzIwUTZCbVBNNnZaYm4wUXdzdw/4.10.1582.2_oimompecagnajdejgnnjijobebaeigek.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:1008:72fe:df23:db77&mm=28&mn=sn-ab5sznle&ms=nvh&mt=1583285867&mv=u&mvi=4&pl=47&shardbypass=yes


r5---sn-ab5sznle.gvt1.com

IP:2607:f8b0:4006:3b::b (Google, AS15169)
Location:generic US
Port:80
Protocol:HTTP 1.1
Request:
GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvN2Q5QUFXVzIwUTZCbVBNNnZaYm4wUXdzdw/4.10.1582.2_oimompecagnajdejgnnjijobebaeigek.crx
Result:~4MB Content-Type: application/x-chrome-extension


autoupdate.geo.opera.com

IP:2001:4c28:3000:622:37:228:108:132 (Opera, AS39832)
Location:Norway
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Request:
Authorization:Basic azREem0ySzBNcjRqM3hHNzE5cEZ1MGhLRU9zdVo1YlQ6\r\n
  Credentials: k4Dzm2K0Mr4j3xG719pFu0hKEOsuZ5bT:
POST /stats/desktop-sessions-sub/v1/binary
Payload:1635 bytes of application/x-osp data

Another case of some sort of authentication token baked into the client.


Summary

During this first invocation, Opera makes HTTP connections to external systems on 9 different IPs. These IPs are in 5 different AS operated by 5 different companies (Akamai, Amazon, Google, Opera (NO), and Opera (US)) with domains in four different 2nd-level domains:

gvt1.com

Registrar:     MarkMonitor Inc.
Organization:  Google LLC
State:         CA
Country:       US

opera-api.com, opera.com, operacdn.com

Registrar:     NameWeb BVBA
Organization:  Opera Software AS
Country:       NO


Vivaldi

Vivaldi 2.11.1811.47 is another Chromium-based browser that was tested based on popular demand.

The packet capture was started before opening the application for the first time after downloading it; we were prompted to confirm that we wanted to install the browser, after which it eventually displayed a welcome screen, where we could skip the tour to end up on the home screen:

[Screenshot: Vivaldi Startup Page]

In the background, Vivaldi opens a second tab with the "What's New" page:

[Screenshot: Vivaldi What's New Page]

DNS Lookups

Vivaldi performed a total of 52 queries for 24 distinct names; the queries were for A and AAAA lookups only and were via the locally configured stub resolver.

The total list of DNS lookups done on a fresh new start by Vivaldi was, in order:


local.
update.vivaldi.com.
www.gstatic.com.
clients2.google.com.
downloads.vivaldi.com.
ocsp2.globalsign.com.
ocsp.globalsign.com.
cdn.globalsigncdn.com.cdn.cloudflare.net.
ocsp.pki.goog.
pki-goog.l.google.com.
vivaldi.com.
ocsp.digicert.com.
cs9.wac.phicdn.net.
redirector.gvt1.com.
r1---sn-ab5sznly.gvt1.com.
s.w.org.
kuocktk.cable.rcn.com.
gomgxdwum.cable.rcn.com.
xwdigyrjjgxnukq.cable.rcn.com.
kuocktk.cable.rcn.com.
xwdigyrjjgxnukq.
gomgxdwum.cable.rcn.com.
kuocktk.
gomgxdwum.cable.rcn.com.
kuocktk.
gomgxdwum.
ssl.gstatic.com.
update.vivaldi.com.
www.netmeister.org.

As before with Google Chrome, we see a number of lookups of random character sequences to detect DNS hijacking.
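Both here and in the Opera section above, two kinds of lookups stand out in the raw query list: the random-looking single-label names used for hijack detection, and the partial names fired off while the destination is being typed, each of which the stub resolver also retries with the search suffix appended. The following Python is an added example of mine (not the author's tooling) that picks both out of a query list; the sample list is constructed from names that appear on this page, and the search suffix cable.rcn.com is assumed to be the DHCP-supplied search domain of the capture host. The 7 to 15 letter probe length is Chromium's; the "at least three candidates" rule is my own guard against flagging a lone short hostname.

```python
import re
from collections import Counter

# Constructed sample combining names from the Opera and Vivaldi lookup lists
# above, in capture order; it is not a live capture.
SAMPLE_QUERIES = [
    "local.", "update.vivaldi.com.", "www.gstatic.com.", "clients2.google.com.",
    "ocsp.globalsign.com.", "redirector.gvt1.com.", "r1---sn-ab5sznly.gvt1.com.",
    "kuocktk.cable.rcn.com.", "gomgxdwum.cable.rcn.com.",
    "xwdigyrjjgxnukq.cable.rcn.com.", "kuocktk.cable.rcn.com.",
    "xwdigyrjjgxnukq.", "gomgxdwum.cable.rcn.com.", "kuocktk.",
    "gomgxdwum.cable.rcn.com.", "kuocktk.", "gomgxdwum.",
    "www.ne.", "www.net.", "www.ne.cable.rcn.com.",
    "www.netmeister.org.", "ssl.gstatic.com.", "update.vivaldi.com.",
]

# Assumed: the DHCP-supplied search domain on the capture host, which the
# stub resolver appends to single-label names before retrying them.
SEARCH_SUFFIX = "cable.rcn.com"

# Chromium's hijack-detection probes are single labels of 7 to 15 random
# lowercase letters.
PROBE_LABEL = re.compile(r"^[a-z]{7,15}$")


def normalize(name, suffix=SEARCH_SUFFIX):
    """Drop the trailing dot and the search suffix, if present."""
    name = name.rstrip(".")
    if name.endswith("." + suffix):
        name = name[: -len(suffix) - 1]
    return name


def distinct_names(queries):
    """Number of distinct names queried (the '52 queries for 24 names' figure)."""
    return len({q.rstrip(".") for q in queries})


def find_hijack_probes(queries, suffix=SEARCH_SUFFIX, min_probes=3):
    """Return the random single-label names that look like hijack probes.

    Chromium issues three such names at startup; a resolver that answers
    them with an address instead of NXDOMAIN is treated as hijacking.  The
    group is reported only when at least `min_probes` candidates appear, so
    a lone short hostname (say, a local printer) is not flagged.
    """
    labels = set()
    for q in queries:
        bare = normalize(q, suffix)
        if "." not in bare and PROBE_LABEL.match(bare):
            labels.add(bare)
    return sorted(labels) if len(labels) >= min_probes else []


def typed_prefixes(queries, destination, suffix=SEARCH_SUFFIX):
    """Names that are proper prefixes of the destination typed into the URL bar.

    These are the incremental lookups the browser fires while you type; the
    resolver retries each of them with the search suffix appended.
    """
    dest = destination.rstrip(".")
    seen = []
    for q in queries:
        bare = normalize(q, suffix)
        if bare != dest and dest.startswith(bare) and bare not in seen:
            seen.append(bare)
    return seen


def suffix_expansions(queries, suffix=SEARCH_SUFFIX):
    """Count how often each bare name was re-queried with the search suffix.

    Every such retry tells the ISP's resolver what you were typing.
    """
    counts = Counter()
    for q in queries:
        if q.rstrip(".").endswith("." + suffix):
            counts[normalize(q, suffix)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("distinct names:", distinct_names(SAMPLE_QUERIES))
    print("hijack probes:", find_hijack_probes(SAMPLE_QUERIES))
    print("typed prefixes:", typed_prefixes(SAMPLE_QUERIES, "www.netmeister.org"))
    print("suffix expansions:", suffix_expansions(SAMPLE_QUERIES))
```

Feeding it the real list from a capture (tcpdump's DNS output, or a Wireshark export of the query names in order) is a one-line change to SAMPLE_QUERIES; the suffix-expansion count is the useful privacy number, since it is the part of the typing that leaves the machine twice.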

HTTP Traffic

At startup, Vivaldi makes a number of HTTP calls, as broken down below:

[Map of places Vivaldi talks to at startup.]

www.gstatic.com

IP:2607:f8b0:4006:811::2003 (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:
GET /autofill/hourly/bins.json
GET /autofill/weekly/merchants.json
Result:
{
  "cpan_eligible_merchant_wl":
["dump-truck.appspot.com"]
}

{
  "cpan_eligible_bin_wl_regex": ["^4[0-9]{15,18}$"]
}


downloads.vivaldi.com

IP:151.139.236.233 (Highwinds Network Group, AS33438)
Location:generic US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:GET /blocklist/current.json
Result:7.1 MB blocklist of > 25K naughty domains


clients2.google.com

IP:2607:f8b0:4006:811::200e (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:GET /service/update2/crx?os=mac&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=80.0.3987.136&lang=en-US&acceptformat=crx3&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1
Result:
<?xml version="1.0" encoding="UTF-8"?>
<gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod">
  <daystart elapsed_days="4820" elapsed_seconds="35325"/>
  <app appid="pkedcjkdefgpdelpbcmbmeomcjbeemfm" cohort="" cohortname="" status="ok">
    <ping status="ok"/>
    <updatecheck codebase="http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx" fp="1.9fcd7a76a4b67fe5efd45a1170a7f75bd9fe57644103eee43d5348f422c2320b" hash_sha256="9fcd7a76a4b67fe5efd45a1170a7f75bd9fe57644103eee43d5348f422c2320b" protected="0" size="859573" status="ok" version="8019.1111.0.0"/>
  </app>
</gupdate>


update.vivaldi.com

IP:82.22.130.137 (Virgin Media, AS5089)
Location:Ipswich, England
Port:443
Protocol:HTTP2
TLS:1.2, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Request:POST /rep/rep?installation_status=new_user&weekly&monthly
Payload:_cvar={"1":["cpu","x86_64"],"2":["v","2.11.1811.47"]}&action_name=FirstRun&idsite=36&rec=1&res=2880x1800&uid=90996D26C813590E&url=http://localhost/FirstRun&installation_year=2020&installation_week=11&earliest_installation_year=0&earliest_installation_week=0&ua=Mozilla/5.0+(Macintosh%3B+Intel+Mac+OS+X+10_15_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/80.0.3987.136+Safari/537.36

Of interest here is that the data posted to the server includes your screen resolution as well as a 'uid' of some sort.
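The two observations above (Opera sending the typed destination to speeddials.opera.com in a thumbnail request, and Vivaldi posting a 'uid' and the screen resolution) are the kind of thing that is easy to miss when skimming a few dozen decrypted requests. Here is an added Python example of my own (not code from either browser or from this post) that triages request lines for values that look like identifiers, fingerprints or leaked hostnames; the sample requests are copied from the Opera and Vivaldi entries on this page, and the value classifications are my own heuristics.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: (method, target, body) triples copied from the Opera
# and Vivaldi entries above and stitched together here; not a live capture.
SAMPLE_REQUESTS = [
    ("GET", "/api/v2/partner-content?product=&country=US&edition="
            "&uuid=900cb00e-d350-4aed-a74e-d4c08ec47567", ""),
    ("GET", "/api/v1/thumbnails/www.netmeister.org", ""),
    ("POST", "/rep/rep?installation_status=new_user&weekly&monthly",
     "action_name=FirstRun&idsite=36&rec=1&res=2880x1800"
     "&uid=90996D26C813590E&url=http://localhost/FirstRun"),
]

# Value shapes that act as a persistent identifier or a fingerprint, or that
# leak where you are browsing.  First matching kind wins.  These are my own
# heuristics, not anything the browsers document.
KINDS = [
    ("uuid", re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("hex-id", re.compile(r"^[0-9a-f]{16,}$", re.I)),
    ("resolution", re.compile(r"^\d{3,4}x\d{3,4}$")),
    ("hostname", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]


def classify(value):
    """Name the first KINDS pattern the value matches, or None."""
    for kind, pattern in KINDS:
        if pattern.match(value):
            return kind
    return None


def flag_request(method, target, body=""):
    """List (where, name, value, kind) for every identifier-like value found
    in the path, the query string or the form body of one request."""
    parts = urlsplit(target)
    findings = []
    # Path segments carry no parameter name, so 'name' is left empty.
    for segment in parts.path.split("/"):
        kind = classify(segment)
        if kind:
            findings.append(("path", "", segment, kind))
    # keep_blank_values so that bare flags such as '&weekly' survive parsing.
    for where, encoded in (("query", parts.query), ("body", body)):
        for name, value in parse_qsl(encoded, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings.append((where, name, value, kind))
    return findings


def flag_all(requests):
    """Map 'METHOD /path' to its findings, skipping requests with none."""
    report = {}
    for method, target, body in requests:
        found = flag_request(method, target, body)
        if found:
            report[f"{method} {urlsplit(target).path}"] = found
    return report


if __name__ == "__main__":
    for request, found in flag_all(SAMPLE_REQUESTS).items():
        print(request)
        for where, name, value, kind in found:
            print(f"    {where:5} {name or '-':8} {kind:10} {value}")
```

The hostname rule is deliberately strict (labels separated by dots, ending in an alphabetic TLD) so that version strings like 1.12.4-wp in the Vivaldi page requests are not reported; anything it does flag in a path, as with the thumbnail request, means the destination you typed left the machine in a request to someone other than the destination.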


redirector.gvt1.com

IP:2607:f8b0:4006:811::200e (Google, AS15169)
Location:generic US
Port:80
Protocol:HTTP 1.1
Request:GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
Result:Redirect to http://r1---sn-ab5sznly.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=uP&mip=2001:470:1f07:1d1:c0fc:4ab4:ec31:5694&mm=28&mn=sn-ab5sznly&ms=nvh&mt=1584117640&mv=u&mvi=0&pl=47&shardbypass=yes


r1---sn-ab5sznly.gvt1.com

IP:2607:f8b0:4006:6::6 (Google, AS15169)
Location:generic US
Port:80
Protocol:HTTP 1.1
Request:GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=uP&mip=2001:470:1f07:1d1:c0fc:4ab4:ec31:5694&mm=28&mn=sn-ab5sznly&ms=nvh&mt=1584117640&mv=u&mvi=0&pl=47&shardbypass=yes
Result:8K Content-Type: application/x-chrome-extension


vivaldi.com

IP:2606:4700:3037::6812:3719 (Cloudflare, AS13335)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:
GET /newfeatures?hl=en-US&version=2.11.1811.47&os=M
GET /browser/whats-new-in-vivaldi-2-11
GET /whats-new-in-vivaldi-2-11/
GET /wp-includes/css/dist/block-library/style.min.css?ver=5.3.2
GET /wp-content/themes/vivaldicom-theme/style.css?ver=1582721612
GET /wp-content/themes/vivaldicom-theme/fonts/font-awesome/font-awesome.min.css?ver=1539179228
GET /wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
GET /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
GET /wp-content/plugins/page-links-to/dist/new-tab.js?ver=3.2.2
GET /wp-content/themes/vivaldicom-theme/img/vivaldilogo-standard.png
GET /logme.gif
GET /wp-content/uploads/vivaldi.2.11.pip-hero_b.jpg
GET /wp-content/uploads/2.11-PiP_Screenshot_Final.png
GET /wp-content/uploads/2.11_OS-themes_Screenshot_Final.png
GET /wp-content/uploads/keyboard-shortcut-tabs_loop.gif
GET /wp-content/themes/vivaldicom-theme/img/social_twitter.png
GET /wp-content/themes/vivaldicom-theme/img/social_facebook.png
GET /wp-content/themes/vivaldicom-theme/img/social_reddit.png
GET /wp-content/themes/vivaldicom-theme/img/social_email.png
GET /wp-content/themes/vivaldicom-theme/img/icons/mail.png
GET /wp-content/themes/vivaldicom-theme/img/icons/vivaldi-red.svg
GET /wp-content/themes/vivaldicom-theme/img/android/icon-vivaldi-beta.png
GET /rep/rep?action_name=What%E2%80%99s%20New%20in%20Vivaldi%202.11%20%7C%20Vivaldi%20Browser&idsite=4&rec=1&r=463671&h=12&m=48&s=43&url=https%3A%2F%2Fvivaldi.com%2Fwhats-new-in-vivaldi-2-11%2F&_id=1657ef4941f57060&_idts=1584118123&_idvc=1&_idn=0&_refts=0&_viewts=1584118123&send_image=1&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=1440x900&gt_ms=679&pv_id=lqmvek
GET /favicon.ico
Result:Redirect to /browser/whats-new-in-vivaldi-2-11
Redirect to https://vivaldi.com/whats-new-in-vivaldi-2-11/

Startup and What's New pages


ssl.gstatic.com

IP:2607:f8b0:4006:811::2003 (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:GET /safebrowsing/csd/client_model_v5_variation_0.pb
GET /safebrowsing/csd/client_model_v5_ext_variation_0.pb
Result:80K of Content-Type: application/octet-stream

Other Traffic

SSDP and mDNS

Since Vivaldi is based on Chrome, it's no surprise we see the same SSDP and mDNS traffic as we saw above.


Summary

During the first invocation, Vivaldi makes HTTP connections to external systems on 6 different IPs in 4 different AS operated by 4 different companies (Google, Highwinds Network Group, Virgin Media, Cloudflare) in 4 different 2nd-level domains:

google.com, gstatic.com, gvt1.com

Registrar:     MarkMonitor Inc.
Organization:  Google LLC
State:         CA
Country:       US

vivaldi.com

Registrar:     GoDaddy.com, LLC
Organization:  Domains By Proxy, LLC
State:         AZ
Country:       US


Conclusion

Well, there you have it. When you start a browser and visit a single page, you're not connecting to just that page. All of the major browsers make a number of calls to their provider for updates, as well as to third parties, but they differ in how widespread those connections are:

Browser                                 # of unique names   # of services contacted                  amount of data   amount of data
                                        looked up via DNS   via HTTP                                 downloaded       uploaded
Mozilla Firefox 73.0.1                  65                  10 (in 5 different 2nd-level domains)    9.54 MB          171 kB
Google Chrome 80.0.3987.122             19                  9 (in 6 different 2nd-level domains)     7.21 MB          20.3 kB
Microsoft Edge 80.0.361.57              46                  15 (in 5 different 2nd-level domains)   10.8 MB          382 kB
Safari 13.0.5 (15608.5.11)              26                  19 (in 12 different 2nd-level domains)  560 kB           24.5 kB
Brave 1.4.95 (Chromium 80.0.3987.122)   19                  6 (in a single 2nd-level domain)         8.4 MB           38.9 kB
Opera 67.0.3575.53                      29                  12 (in 4 different 2nd-level domains)   5.05 MB          75.1 kB
Vivaldi 2.11.1811.47                    24                  8 (in 4 different 2nd-level domains)    9.84 MB          50.7 kB

A few additional things that I think stand out:

  • Firefox makes a surprising number of connections and lookups
  • Chrome has the fewest connections and keeps data within the company
  • HTTP2 and TLS 1.3 are now widely used for the main sites; IPv6 is still not ubiquitous
  • Chrome is the only browser that makes all calls via IPv6, TLS 1.3, and HTTP2 only
  • there is basically no plain HTTP; almost all observed traffic was HTTPS
  • by and large, we only use two or three different TLS ciphers (Wikimedia was the only one to deviate by offering ECDSA with ChaCha20/Poly1305; all others were RSA/GCM (for TLS 1.2) or TLS_AES_128_GCM_SHA256 (for TLS 1.3)); considering how many different ciphers most servers offer, we are arriving at a perhaps surprising monoculture of ciphers
  • Safari is hard to untangle from the OS, taking advantage of several helper apps
  • Firefox is the only browser left to make OCSP calls (about:config#ocsp); Safari appears to outsource this to trustd, while Chrome (and by extension, Edge) simply have OCSP lookups disabled
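The per-browser Summary sections above (unique IPs, ASes, companies, 2nd-level domains) and the IPv6, TLS and HTTP2 observations in this list all come from the same per-host records. As an added example, not part of the original post, the following Python parses records written in exactly the layout this post uses ("IP:", "Port:", "Protocol:", "TLS:" with no space after the colon) and computes those figures; the sample text is assembled here from the Vivaldi entries rather than taken from a capture, and the 2nd-level domain helper assumes plain .com/.org style names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the per-host layout used throughout this post.  The
# values are taken from the Vivaldi entries above, but the text itself was
# assembled for this example rather than extracted from the capture.
SAMPLE_RECORDS = """\
www.gstatic.com

IP:2607:f8b0:4006:811::2003 (Google, AS15169)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:
GET /autofill/hourly/bins.json
Result:json

downloads.vivaldi.com

IP:151.139.236.233 (Highwinds Network Group, AS33438)
Location:generic US
Port:443
Protocol:HTTP 1.1
TLS:1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Request:GET /blocklist/current.json
Result:7.1 MB blocklist

redirector.gvt1.com

IP:2607:f8b0:4006:811::200e (Google, AS15169)
Location:generic US
Port:80
Protocol:HTTP 1.1
Request:GET /edgedl/chromewebstore/example.crx
Result:Redirect

vivaldi.com

IP:2606:4700:3037::6812:3719 (Cloudflare, AS13335)
Location:generic US
Port:443
Protocol:HTTP2
TLS:1.3, TLS_AES_128_GCM_SHA256
Request:
GET /newfeatures?hl=en-US
Result:Startup page
"""

# A record starts with a bare hostname on a line of its own; field lines
# are "Name:value" with no space after the colon, so they never match.
HOST_LINE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$")
IP_LINE = re.compile(r"^IP:(\S+) \((.+), (AS\d+)\)$")


def parse_records(text):
    """Turn the host blocks into dicts: host, ip, org, asn, port, protocol, tls."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if HOST_LINE.match(line):
            cur = {"host": line, "port": None, "protocol": None, "tls": None}
            records.append(cur)
        elif cur is None:
            continue
        elif IP_LINE.match(line):
            cur["ip"], cur["org"], cur["asn"] = IP_LINE.match(line).groups()
        elif line.startswith("Port:"):
            cur["port"] = int(line[len("Port:"):])
        elif line.startswith("Protocol:"):
            cur["protocol"] = line[len("Protocol:"):].strip()
        elif line.startswith("TLS:"):
            version, cipher = line[len("TLS:"):].split(",", 1)
            cur["tls"] = (version.strip(), cipher.strip())
    return records


def second_level_domain(host):
    """Last two labels of the name.  Assumed adequate for the .com/.org hosts in
    this post; names under suffixes like .co.uk would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def summarize(records):
    """The numbers each Summary section reports, plus the TLS/IPv6/HTTP2 tallies."""
    ips = {r["ip"] for r in records}
    tls = [r["tls"] for r in records if r["tls"]]
    return {
        "hosts": len(records),
        "unique_ips": len(ips),
        "ipv6_share": round(sum(ipaddress.ip_address(ip).version == 6 for ip in ips) / len(ips), 2),
        "asns": sorted({r["asn"] for r in records}),
        "companies": sorted({r["org"] for r in records}),
        "second_level_domains": sorted({second_level_domain(r["host"]) for r in records}),
        "plain_http": sorted(r["host"] for r in records if r["tls"] is None),  # no TLS line at all
        "tls_versions": dict(Counter(v for v, _ in tls)),
        "ciphers": dict(Counter(c for _, c in tls)),
        "http2": sum(r["protocol"] == "HTTP2" for r in records),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_RECORDS)).items():
        print(f"{key}: {value}")
```

Run against the full set of records for one browser, the "ciphers" tally is what makes the monoculture point visible at a glance, and "plain_http" lists exactly the gvt1.com extension downloads that are the only non-TLS traffic in these captures.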

The other thing worth pointing out here is that from a network perspective, we're looking at significant centralization of our resources: companies use the same registrar and almost all connections were made to primarily the same handful of (CDN) networks (Akamai, Amazon, Google).

With the advent of DNS over HTTPS, I plan on revisiting the default connectivity from a DNS point of view with different configurations (default DNS, use of the canary domain (for Firefox), use of Google's DNS, ...). But of course that won't have any impact on where the browsers make their HTTP calls to, and I think that is something that's not been paid much attention to in this debate.



Additional Links:

Related blog posts:

  • DNS Security: Threat Modeling DNSSEC, DoT, and DoH
  • New Adventures in DNSSEC and DANE
  • Capturing specific SSL and TLS version packets using tcpdump(8)
  • DNS tcpdump by example
  • (Some) Browser Privacy Settings
