February 29th, 2020
With the recent announcements that Firefox will start enabling DNS over HTTPS by default, I started to wonder just what kinds of outgoing lookups and connections the browser makes when it first starts up. Well, pcap or it didn't happen, and here's what I found:
The first time you start Firefox, it looks up a surprising number of names, connects to several domains, and fetches and posts data, all before you had a chance to enter a URL. Somewhat surprised by this, I then set out to compare Firefox to some other Browsers, namely Google Chrome, Microsoft Edge and Apple Safari.
After I first published this blog post, several people asked about other browsers, so on 2020-03-03, I added information about Opera and Brave; on 2020-03-13, I added information about Vivaldi. Below is the breakdown of my findings.
Setup
All browsers were installed on a macOS Catalina 10.15.3 dual-stack IPv4/IPv6 enabled system and invoked without any existing user profile (i.e., ~/Library/Application Support/<browser> does not exist). The system was connected to the internet via a residential ISP (RCN) from New York City (this is relevant since some of the default connections made or other behavior in the browser may be based on your location). IPv6 connectivity was provided via a Hurricane Electric IPv6 Tunnel.
The SSLKEYLOGFILE environment variable was set so that the TLS session keys could be captured and used by Wireshark to decrypt the sessions and inspect the HTTP calls. (This works for Firefox, Chrome, and other Chrome-based browsers (e.g., Edge), but not for Safari.) Most other user applications were terminated or suspended; various system daemons were also suspended, so as to minimize unrelated network traffic.
Once tcpdump(1) was running, the browser was opened. After any initial browser screens, we opened a new tab, entered www.netmeister.org in the location bar, and hit enter. After the website was loaded, the browser was closed completely and the packet capture stopped.
The resulting pcap file was pruned from unrelated network traffic (e.g., ARP, etc.) and subsequently processed using tcpdump(1) and Wireshark in combination with Little Snitch's network monitor.
Firefox
After starting Mozilla Firefox 73.0.1 for the first time, I noticed that it performs a significant number of DNS queries via the default resolver. That is, this instance of the browser does not yet appear to have DoH enabled by default. It then loads a welcome page, allowing the user to "Join Firefox", while loading the Firefox Privacy Notice in a second tab:

After closing this pane, you get a second "Welcome to Firefox" display, offering you the opportunity to sign in to some of Firefox's services:

After closing that pane, you then get the default "new tab" experience, offering a Google search bar, a few "Top Sites", and a number of "Recommended Reading" tiles:

At this point, I enter www.netmeister.org in the location bar and hit return, then close the browser after the page has loaded. Upon termination of the Firefox process, a pingsender process is started, which sends telemetry to Mozilla upon browser shutdown (once you've started Firefox, you can disable this via about:config->toolkit.telemetry.shutdownPingSender.enabled):

DNS Lookups
Firefox performed a total of 106 queries for 65 distinct names; the queries were A and AAAA lookups only, usually (but not always) both for a given name, and were sent to the locally configured stub resolver. That is, even though Mozilla began rolling out DNS over HTTPS, this host and browser were not in the bucket for which this is currently enabled. Firefox also did not look up the DoH Canary Domain, as that domain is only checked when the user is opted into DoH by default.
The list of DNS queries performed varies from time to time, likely based on the getpocket widget in the welcome screen. It's also worth noting that not all of the names looked up are actually contacted; this is part of the DNS pre-fetching enabled in Firefox (see this link and this link for more details; in about:config, you can toggle network.dns.disablePrefetch to true to disable this behavior).
The total list of DNS lookups done on a fresh new start by Firefox was, in order:
detectportal.firefox.com. location.services.mozilla.com. locprod1-elb-eu-west-1.prod.mozaws.net. mozilla.org. www.mozilla.org. firefox.settings.services.mozilla.com. d2k03kvdk5cku0.cloudfront.net. ocsp.digicert.com. cs9.wac.phicdn.net. incoming.telemetry.mozilla.org. pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com. search.services.mozilla.com. spocs.getpocket.com. getpocket.cdn.mozilla.net. proxyserverecs-1736642167.us-east-1.elb.amazonaws.com. search.r53-2.services.mozilla.com. ocsp.sca1b.amazontrust.com. push.services.mozilla.com. autopush.prod.mozaws.net. content-signature-2.cdn.mozilla.net. d2nxq2uap88usk.cloudfront.net. img-getpocket.cdn.mozilla.net. shavar.services.mozilla.com. shavar.prod.mozaws.net. firefox-settings-attachments.cdn.mozilla.net. d80i88epwmv41.cloudfront.net. tracking-protection.cdn.mozilla.net. d1zkz3k4cclnv6.cloudfront.net. snippets.cdn.mozilla.net. d228z91au11ukj.cloudfront.net. accounts.firefox.com. getpocket.com. slate.com. www.nextadvisor.com. www.gq.com. jezebel.com. fe2.edge.pantheon.io. www.theguardian.com. condenast.map.fastly.net. dualstack.guardian.map.fastly.net. www.youtube.com. www.facebook.com. www.reddit.com. youtube-ui.l.google.com. www.wikipedia.org. star-mini.c10r.facebook.com. twitter.com. reddit.map.fastly.net. dyna.wikimedia.org. www.vox.com. www.washingtonpost.com. medium.com. vox-chorus.map.fastly.net. e9631.j.akamaiedge.net. www.joinhoney.com. landing.chirpbooks.com. www.reviewed.com. joinhoney.com. secure.pageserve.co. domains.gannett.map.fastly.net. www.google.com. ocsp.pki.goog. pki-goog.l.google.com. www.netmeister.org. panix.netmeister.org. incoming.telemetry.mozilla.org.
Of those, only www.netmeister.org was a domain entered by the user. (You may also notice a number of domains listed above that are, e.g., AWS systems that the original name already references via a CNAME result. In this case, the response to the initial lookup included the A records in its ADDITIONAL SECTION, but did not provide any AAAA records (because, e.g., AWS is primarily IPv4 only). As a result, a second, explicit AAAA query is made.)
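The tally above (total queries, distinct names, names asked for only one of A/AAAA) is easy to reproduce from a capture once the DNS questions are pulled out of the UDP payloads. The following is an added example, not code from the post: a small DNS question parser (handling RFC 1035 label compression) and a summary function, fed with constructed query packets that mirror the first few lookups listed above rather than with the real pcap. Feeding it the UDP payloads from a pcap (e.g. via a pcap-reading library) is left outside the block.

```python
import struct
from collections import Counter, OrderedDict

QTYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query packet. Used here only to construct sample
    input; in practice the packets come out of the pcap's UDP payloads."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def read_name(packet, offset):
    """Decode a QNAME at `offset`, following RFC 1035 compression pointers.
    Returns (dotted name with trailing dot, offset just past the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_query(packet):
    """Return (name, qtype) for the first question of a DNS packet."""
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("packet carries no question")
    name, offset = read_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return name, QTYPES.get(qtype, str(qtype))


def summarize(packets):
    """Tally queries the way the post does: total, distinct names in order of
    first appearance, per-type counts, and names asked with only one of A/AAAA
    (e.g. CNAME targets that got an explicit AAAA query after the A records
    arrived in the ADDITIONAL section)."""
    queries = [parse_query(p) for p in packets]
    order = list(OrderedDict.fromkeys(name for name, _ in queries))
    seen = {}
    for name, qtype in queries:
        seen.setdefault(name, set()).add(qtype)
    single_type = {n: next(iter(seen[n])) for n in order
                   if len(seen[n]) == 1 and seen[n] <= {"A", "AAAA"}}
    return {"total": len(queries), "distinct": len(order), "order": order,
            "types": Counter(q for _, q in queries), "single_type": single_type}


# Constructed sample mirroring the first few lookups in the post.
SAMPLE = [
    encode_query("detectportal.firefox.com.", 1),
    encode_query("detectportal.firefox.com.", 28),
    encode_query("location.services.mozilla.com.", 1),
    encode_query("location.services.mozilla.com.", 28),
    encode_query("locprod1-elb-eu-west-1.prod.mozaws.net.", 28),  # CNAME target, AAAA only
    encode_query("www.netmeister.org.", 1),
    encode_query("www.netmeister.org.", 28),
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['total']} queries for {s['distinct']} distinct names; types: {dict(s['types'])}")
    for name, qtype in s["single_type"].items():
        print(f"  {name} was only asked for {qtype}")
```

Running it on the constructed sample reports 7 queries for 4 distinct names and singles out the AWS CNAME target as the one name queried for AAAA only, which is the pattern described above.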
HTTP Traffic
When you start a browser, you may naively assume that the first HTTP traffic would be exchanged only after you entered a URL and hit return. However, we notice the following substantial exchanges, other than those for the requested website, take place, roughly in order (some requests to the same service have been grouped together):

detectportal.firefox.com
| IP: | 2600:141b:b000::ace8:1393 (Akamai, AS35994) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP |
| Request: | GET /success.txt |
| IP: | 172.232.19.147 (Akamai, AS20940) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP |
| Request: | GET /success.txt?ipv4 |
| IP: | 2600:141b:b000::ace8:1393 (Akamai, AS35994) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP |
| Request: | GET /success.txt?ipv6 |
All three calls simply return success, which appears to come from an Amazon S3 bucket fronted by Akamai.
www.mozilla.org
| IP: | 2606:4700::6810:8fe4 (Cloudflare, AS13335) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP/2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /privacy/firefox/ |
This yields a 301 redirect, so it then fetches:
| IP: | 2606:4700::6810:8fe4 (Cloudflare, AS13335) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP/2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /en-US/privacy/firefox/ |
This is the request for the privacy policy page loaded in the second, background tab, and we then see the various related requests for the page resources (JavaScript, CSS, images, etc.).
The returned page includes a bunch of the usual headers, with perhaps these two of interest:
Content-Security-Policy: frame-src www.googletagmanager.com www.google-analytics.com www.youtube-nocookie.com trackertest.org www.surveygizmo.com accounts.firefox.com accounts.firefox.com.cn www.youtube.com; child-src www.googletag
X-Clacks-Overhead: GNU Terry Pratchett
(I appreciate the X-Clacks-Overhead header, which this server also has set since 2015.)
firefox.settings.services.mozilla.com
| IP: | 2600:9000:21ec:da00:16:eede:5e00:93a1 (Amazon, AS16509) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /v1/buckets/monitor/collections/changes/records?collection=fxmonitor-breaches&bucket=main |
| Result: | {
"data": [
{
"bucket": "main",
"collection": "fxmonitor-breaches",
"host": "firefox.settings.services.mozilla.com",
"id": "8ee6692e-d686-a614-6e4f-23d71b55b7f3",
"last_modified": 1582320498428
}
]
} |
| Request: | GET /v1/buckets/main/collections/fxmonitor-breaches?_expected=1582320498428 |
| Result: | {
"data": {
"attachment": {
"enabled": false,
"required": false
},
"displayFields": [
"Name",
"Domain",
"BreachDate",
"PwnCount"
],
"id": "fxmonitor-breaches",
"last_modified": 1582659696027,
"signature": {
"mode": "p384ecdsa",
"public_key": "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEeeJjPprtJYzqYb5LEfvbGzTppLwOfLMfl7AbWV1h9HnaudC+FtkkB1Pbwh0gbvbTXhM2cNtftECMkdF/NdkMbj7DLzFCXip/1zTaqF/u3Vg9ZwmNvGJfeaeCZ/DG1/le",
"ref": "1smzg6ull4lfn31j0zgd5lz70k",
"signature": "vFUs8DDH892P_jqGth3YCv_AWQLJjOMjdZSfLuweA7pwofrtoXWBMcoT40WyxBTEV328TaeSdzCBJd96Ex45ry4gN-RCTwY6hGo9gozZTv4qAvcom3uAp8qpUk555fA_",
"signer_id": "remote-settings",
"type": "contentsignaturepki",
"x5u": "https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2020-04-14-15-04-35.chain"
},
"sort": "-last_modified"
},
"permissions": {}
} |
| Request: | GET /v1/buckets/monitor/collections/changes/records?collection=message-groups&bucket=main |
| Result: | {"data":[]} |
| Request: | GET /v1/buckets/main/collections/fxmonitor-breaches/records?_expected=1582320498428&_sort=-last_modified |
| Result: | {
"data": [
{
"bucket": "main",
"collection": "cfr-fxa",
"host": "firefox.settings.services.mozilla.com",
"id": "1d402bfe-4765-79b2-df44-da88d9c24c96",
"last_modified": 1570801254189
}
]
} |
| Request: | GET /v1/buckets/monitor/collections/changes/records?collection=cfr-fxa&bucket=main |
| Result: | {
"data": [
{
"bucket": "main",
"collection": "cfr-fxa",
"host": "firefox.settings.services.mozilla.com",
"id": "1d402bfe-4765-79b2-df44-da88d9c24c96",
"last_modified": 1570801254189
}
]
} |
| Request: | GET /v1/buckets/main/collections/cfr-fxa?_expected=1570801254189 |
| Result: | {
"data": {
"id": "cfr-fxa",
"last_modified": 1582659703930,
"signature": {
"mode": "p384ecdsa",
"public_key": "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEeeJjPprtJYzqYb5LEfvbGzTppLwOfLMfl7AbWV1h9HnaudC+FtkkB1Pbwh0gbvbTXhM2cNtftECMkdF/NdkMbj7DLzFCXip/1zTaqF/u3Vg9ZwmNvGJfeaeCZ/DG1/le",
"ref": "3smkbpfa1mawn3ddfepqkhsy7h",
"signature": "zJma-4xrQ13do_EQGFLKc0TvyJlxut5sskWJSwRMO7kDVsonK2AwiHWKoEo-KyMJaYpze8ZhH14xyf5llxaZ2eMOIVxkFapY8vE0Xvd5kQhkWXBsN4lnMto-dZEZUNhw",
"signer_id": "remote-settings",
"type": "contentsignaturepki",
"x5u": "https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2020-04-14-15-04-35.chain"
}
},
"permissions": {}
} |
| Additional Requests: | GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US
GET /v1/
GET /v1/buckets/monitor/collections/changes/records?collection=cfr&bucket=main
GET /v1/buckets/main/collections/cfr?_expected=1582570728505
GET /v1/buckets/main/collections/cfr/records?_expected=1582570728505&_sort=-last_modified
GET /v1/buckets/monitor/collections/changes/records?collection=message-groups&bucket=main
GET /v1/buckets/monitor/collections/changes/records?collection=whats-new-panel&bucket=main
GET /v1/buckets/main/collections/whats-new-panel?_expected=1582304242703
GET /v1/buckets/main/collections/whats-new-panel/records?_expected=1582304242703&_sort=-last_modified |
| Result: | no results |
(I'm not quite clear on why the last requests were never replied to by the server. The pcap file only shows a bunch of ACKs following the various GET requests, but never an HTTP reply before the connection is terminated.)
location.services.mozilla.com

| IP: | 52.17.223.107 (Amazon, AS16509) |
| Location: | Dublin, Ireland |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | POST /v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb |
| Payload: | {} |
| Result: | {"country_code": "US", "country_name": "United States"} |
spocs.getpocket.com

| IP: | 52.72.164.94 (Amazon, AS14618) |
| Location: | Ashburn, VA, USA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | POST /spocs |
| Payload: | {"pocket_id":"{e7a8a44c-ec7a-8242-b25f-647ff8170a50}","version":1,"consumer_key":"40249-e88c401e1b1f2242d9e441c4"} |
| Result: | a whole lot of data |
This request builds the getpocket widget in the welcome interstitial.
incoming.telemetry.mozilla.org

| IP: | 34.215.13.10 (Amazon, AS16509) |
| Location: | Boardman, Oregon, US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | POST /submit/messaging-system/undesired-events/1/7738a1e4-6470-884d-9466-c533abac84b7 |
| Payload: | {
"addon_version": "20200217142647",
"event": "ASR_RS_NO_MESSAGES",
"event_context": "message-groups",
"impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
"locale": "en-US",
"message_id": "n/a",
"release_channel": "release",
"version": "73.0.1"
} |
| Request: | POST /submit/activity-stream/spoc-fills/1/6a6cad01-ae13-c84d-955b-e9ec4e5c9b9c |
| Payload: | a bunch of json data |
| Request: | POST /submit/activity-stream/spoc-fills/1/a944c41c-d4e0-734e-be7a-050e66b5b17e |
| Payload: | same as previous request |
| Request: | POST /submit/messaging-system/undesired-events/1/a451da10-183d-d849-9dff-69ca34571d23 |
| Payload: | {
"addon_version": "20200217142647",
"event": "ASR_RS_NO_MESSAGES",
"event_context": "message-groups",
"impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
"locale": "en-US",
"message_id": "n/a",
"release_channel": "release",
"version": "73.0.1"
} |
| Request: | POST /submit/messaging-system/onboarding/1/6730966b-dabc-0849-aa33-a4528d382a3d |
| Payload: | {
"addon_version": "20200217142647",
"client_id": "1f5fdef9-68db-b346-9f81-71e70221b0ab",
"event": "IMPRESSION",
"id": "FIRST_RUN",
"locale": "en-US",
"message_id": "TRAILHEAD_1",
"release_channel": "release",
"source": "FIRST_RUN",
"version": "73.0.1"
} |
| Request: | POST /submit/activity-stream/events/1/32ee9fa3-7db1-2548-bdec-a4b33e3bf84d |
| Payload: | {
"addon_version": "20200217142647",
"client_id": "1f5fdef9-68db-b346-9f81-71e70221b0ab",
"event": "SKIPPED_SIGNIN",
"locale": "en-US",
"page": "about:welcome",
"release_channel": "release",
"session_id": "{93be1f9f-52b3-d248-8c11-12b738a7b79b}",
"user_prefs": 255,
"value": "{\"has_flow_params\":true}",
"version": "73.0.1"
} |
| Request: | POST /submit/messaging-system/cfr/1/d48f55b7-b807-df41-87d3-8a1b88716751 |
| Payload: | {
"addon_version": "20200217142647",
"bucket_id": "FXA_ACCOUNTS_BADGE",
"event": "IMPRESSION",
"impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
"locale": "en-US",
"message_id": "n/a",
"release_channel": "release",
"source": "CFR",
"version": "73.0.1"
} |
| Request: | POST /submit/messaging-system/onboarding/1/17dba7ee-3052-8f45-9877-bb5fd5743792 |
| Payload: | {
"addon_version": "20200217142647",
"client_id": "1f5fdef9-68db-b346-9f81-71e70221b0ab",
"event": "DISMISS",
"id": "onboarding-cards",
"locale": "en-US",
"message_id": "TRAILHEAD_CARD_2,TRAILHEAD_CARD_3,TRAILHEAD_CARD_6",
"release_channel": "release",
"source": "onboarding-cards",
"version": "73.0.1"
} |
| Request: | POST /submit/activity-stream/impression-stats/1/8cebc0f1-0fa4-2c4c-a6b1-88b130a0d7d7 |
| Payload: | this json data |
| Request: | POST /submit/activity-stream/impression-stats/1/b636069e-d8f0-4449-9104-a920b973da23 |
| Payload: | {
"action": "activity_stream_impression_stats",
"addon_version": "20200217142647",
"client_id": "n/a",
"impression_id": "{e7a8a44c-ec7a-8242-b25f-647ff8170a50}",
"locale": "en-US",
"page": "about:welcome",
"release_channel": "release",
"session_id": "n/a",
"source": "CARDGRID",
"tiles": [
{
"id": 54373,
"pos": 1
},
{
"id": 54410,
"pos": 0
},
{
"id": 19143760,
"pos": 2,
"shim": "1,...,Jy00HJd2IyyCiBgpUfRwvM_aDj4"
}
],
"user_prefs": 255,
"version": "73.0.1"
} |
| Result: | All POST requests above yield an HTTP 200, no data |
firefox-settings-attachments.cdn.mozilla.net
| IP: | 13.225.230.8 (Amazon, AS16509) |
| Location: | Seattle, WA, US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /main-workspace/ms-language-packs/d94084ad-c828-41b8-8ec9-b01d8620245d.ftl |
| Result: | A Fluent file: ff.ftl |
shavar.services.mozilla.com
| IP: | 52.27.36.44 (Amazon, AS16509) |
| Location: | Boardman, OR, US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | POST /downloads?client=navclient-auto-ffox&appver=73.0&pver=2.2 |
| Result: | n:3600
i:social-tracking-protection-facebook-digest256
u:tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/73.0/1578954954
i:except-flashallow-digest256
u:tracking-protection.cdn.mozilla.net/except-flashallow-digest256/1490633678
i:allow-flashallow-digest256
u:tracking-protection.cdn.mozilla.net/allow-flashallow-digest256/1490633678
i:social-tracking-protection-linkedin-digest256
u:tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/73.0/1578954954
i:google-trackwhite-digest256
u:tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/1579741547
i:analytics-track-digest256
u:tracking-protection.cdn.mozilla.net/analytics-track-digest256/73.0/1581379643
i:except-flash-digest256
u:tracking-protection.cdn.mozilla.net/except-flash-digest256/1494877265
i:except-flashsubdoc-digest256
u:tracking-protection.cdn.mozilla.net/except-flashsubdoc-digest256/1517935265
i:mozstd-trackwhite-digest256
u:tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/73.0/1582074377
i:block-flashsubdoc-digest256
u:tracking-protection.cdn.mozilla.net/block-flashsubdoc-digest256/1512160865
i:base-fingerprinting-track-digest256
u:tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/73.0/1581379643
i:social-track-digest256
u:tracking-protection.cdn.mozilla.net/social-track-digest256/73.0/1581543360
i:social-tracking-protection-twitter-digest256
u:tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/73.0/1578954954
i:content-track-digest256
u:tracking-protection.cdn.mozilla.net/content-track-digest256/73.0/1578954954
i:block-flash-digest256
u:tracking-protection.cdn.mozilla.net/block-flash-digest256/1496263270
i:base-cryptomining-track-digest256
u:tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/73.0/1578954954
i:mozplugin-block-digest256
u:tracking-protection.cdn.mozilla.net/mozplugin-block-digest256/1471849627
i:ads-track-digest256
u:tracking-protection.cdn.mozilla.net/ads-track-digest256/73.0/1581543360 |
tracking-protection.cdn.mozilla.net
| IP: | 13.225.230.84 (Amazon, AS16509) |
| Location: | Boardman, OR, US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /social-tracking-protection-facebook-digest256/73.0/1578954954
GET /except-flashallow-digest256/1490633678
GET /allow-flashallow-digest256/1490633678
GET /social-tracking-protection-linkedin-digest256/73.0/1578954954
GET /analytics-track-digest256/73.0/1581379643
GET /except-flash-digest256/1494877265
GET /except-flashsubdoc-digest256/1517935265
GET /mozstd-trackwhite-digest256/73.0/1582074377
GET /block-flashsubdoc-digest256/1512160865
GET /base-fingerprinting-track-digest256/73.0/1581379643
GET /social-track-digest256/73.0/1581543360
GET /social-tracking-protection-twitter-digest256/73.0/1578954954
GET /content-track-digest256/73.0/1578954954
GET /block-flash-digest256/1496263270
GET /base-cryptomining-track-digest256/73.0/1578954954
GET /mozplugin-block-digest256/1471849627
GET /ads-track-digest256/73.0/1581543360 |
| Result: | All requests return Content-Type: application/octet-stream |
snippets.cdn.mozilla.net
| IP: | 13.225.230.84 (Amazon, AS16509) |
| Location: | Seattle, WA, US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /6/Firefox/73.0.1/20200217142647/Darwin_x86_64-gcc3/en-US/release/Darwin%2019.3.0/default/default/ |
| Result: | 302 Redirect |
| Request: | GET /us-west/bundles-pregen/Firefox/release/en-us/default.json |
| Result: | Brotli compressed json data. |
This data makes up the Firefox Snippets; more info here. In about:config search for snippet to see options to disable this.
ocsp.digicert.com
| IP: | 72.21.91.29 (Edgecast, AS15133) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | OCSP |
ocsp.sca1b.amazontrust.com
| IP: | 13.225.218.225 (Amazon, AS16509) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | OCSP |
ocsp.pki.goog
| IP: | 2607:f8b0:4004:810::2003 (Google, AS15169) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | OCSP |
incoming.telemetry.mozilla.org
Finally, after closing the browser, Firefox kicks off the pingsender process to send more telemetry:
| IP: | 34.215.13.10 (Amazon, AS16509) |
| Location: | Boardman, Oregon, US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | POST /submit/telemetry/da2124b3-19a4-fe4a-b403-2e78a26a37fd/new-profile/Firefox/73.0.1/release/20200217142647 |
| Payload: | quite a bit of data |
| Request: | POST /submit/telemetry/064eadfc-2fdb-4146-9819-26b04b6996c0/event/Firefox/73.0.1/release/20200217142647 |
| Payload: | quite a bit of data |
| Request: | POST /submit/telemetry/5686191a-3030-b742-bc43-70ce998347b6/first-shutdown/Firefox/73.0.1/release/20200217142647 |
| Payload: | even more json data |
Summary
During this first invocation, Firefox makes HTTP connections to 10 different IPs. These IPs are in 5 different ASes operated by 3 different companies (Akamai, Amazon, Cloudflare) using 5 different 2nd-level domains:
firefox.com, mozilla.com, mozilla.net, mozilla.org
Registrar: MarkMonitor Inc. Organization: Mozilla Corporation State: CA Country: US
getpocket.com
Registrar: NameCheap, Inc. Organization: Read It Later, Inc State: CA Country: US
The user does not appear to be given an option to prevent the sending of the telemetry data or to opt out of the various widgets before they are loaded. Once the browser has started, a knowledgeable user may change some of the preferences or settings to disable these features.
Chrome
After starting Google Chrome 80.0.3987.122 for the first time, it displays the welcome site:

DNS Lookups
Chrome performed a total of 43 queries for 19 distinct names; the queries were A and AAAA lookups only and were sent to the locally configured stub resolver.
The total list of DNS lookups done on a fresh new start by Chrome was, in order:
local. clients2.google.com. clientservices.googleapis.com. accounts.google.com. clients2.googleusercontent.com. ff.search.yahoo.com. www.netmeister.org. vprmudr.cable.rcn.com. ncortvjulifhod.cable.rcn.com. hklhckmpbugndd.cable.rcn.com. vprmudr.cable.rcn.com. hklhckmpbugndd.cable.rcn.com. vprmudr. ncortvjulifhod.cable.rcn.com. hklhckmpbugndd. ncortvjulifhod. www.gstatic.com. redirector.gvt1.com. r1---sn-ab5sznly.gvt1.com. r5---sn-ab5szn7z.gvt1.com. www.googleapis.com. ssl.gstatic.com.
Unlike for Firefox, all domains looked up do include both A and AAAA records (directly, or via the ADDITIONAL SECTION in the CNAME result).
The list of names looked up included at least three random character sequences (vprmudr, hklhckmpbugndd, and ncortvjulifhod, each then also attempted with my ISP's default search domain cable.rcn.com) in what looks like an attempt to determine whether the local ISP performs NXDOMAIN hijacking; see this discussion for details.
(Added 2020-08-23: APNIC reports that these lookups cause up to half of all traffic to the root servers!)
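Those random-label lookups matter to anyone watching resolver logs: they look like DGA traffic to a naive detector, and they also tell you something about the resolver you are behind. The following is an added example, not from the post: a small classifier that, given resolver log lines, groups lookups into probe labels (bare, or with the search domain appended), reports whether the three-label Chrome burst was seen, and flags the case the probe exists to catch, namely every probe name resolving to one and the same address. The label heuristic (7 to 15 lowercase letters, no dots) is an assumption of this example, chosen to match the three names in the capture; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Heuristic, an assumption of this example rather than a fact from the post: the
# probe labels are random lowercase letters, 7 to 15 long, with no dots. The three
# in the capture above (vprmudr, hklhckmpbugndd, ncortvjulifhod) are 7, 14 and 14.
PROBE_LABEL = re.compile(r"^[a-z]{7,15}$")

# Constructed resolver log lines, "name qtype rcode answer" (not a real log format).
# Addresses are documentation ranges (RFC 5737), not the ones from the capture.
NORMAL_LOG = """\
clients2.google.com. A NOERROR 203.0.113.10
vprmudr.cable.rcn.com. A NXDOMAIN -
ncortvjulifhod.cable.rcn.com. A NXDOMAIN -
hklhckmpbugndd.cable.rcn.com. A NXDOMAIN -
vprmudr. A NXDOMAIN -
hklhckmpbugndd. A NXDOMAIN -
ncortvjulifhod. A NXDOMAIN -
www.netmeister.org. A NOERROR 203.0.113.20
"""

# Same probes, but a resolver that rewrites NXDOMAIN to its own search portal.
HIJACKED_LOG = """\
vprmudr.cable.rcn.com. A NOERROR 198.51.100.7
ncortvjulifhod.cable.rcn.com. A NOERROR 198.51.100.7
hklhckmpbugndd.cable.rcn.com. A NOERROR 198.51.100.7
"""


def parse_log(text):
    """Turn the constructed log into (name, qtype, rcode, answer-or-None) rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, qtype, rcode, answer = line.split()
            rows.append((name.lower(), qtype, rcode, None if answer == "-" else answer))
    return rows


def probe_label(name, search_domains):
    """Return the bare random label if `name` is a candidate probe, either bare or
    with one of the resolver's search domains appended; otherwise None."""
    name = name.rstrip(".")
    for suffix in (d.rstrip(".") for d in search_domains):
        if name.endswith("." + suffix):
            name = name[:-len(suffix) - 1]
            break
    if "." in name or not PROBE_LABEL.match(name):
        return None
    return name


def analyze(rows, search_domains):
    """Group lookups by probe label. Three distinct labels in one burst is the
    Chrome signature; if every probe name resolved, all to the same address,
    the resolver is synthesizing answers for names that do not exist."""
    answers = defaultdict(set)
    for name, _qtype, _rcode, answer in rows:
        label = probe_label(name, search_domains)
        if label is not None:
            answers[label].add(answer)  # None records an NXDOMAIN response
    labels = sorted(answers)
    all_resolved = bool(labels) and all(None not in s for s in answers.values())
    resolved_to = {a for s in answers.values() for a in s if a is not None}
    return {
        "probe_labels": labels,
        "is_chrome_probe": len(labels) == 3,
        "hijack_suspected": len(labels) == 3 and all_resolved and len(resolved_to) == 1,
    }


if __name__ == "__main__":
    for title, log in (("normal", NORMAL_LOG), ("hijacked", HIJACKED_LOG)):
        print(title, analyze(parse_log(log), ["cable.rcn.com"]))
```

Requiring three distinct labels before calling it a Chrome probe is deliberate: a single short bare hostname such as "printer" also matches the label pattern, and on its own is just an ordinary unqualified lookup.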
HTTP Traffic
At startup, Chrome makes a number of HTTP calls, as broken down below:

clients2.google.com
| IP: | 2607:f8b0:4006:811::200e (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /service/update2/crx?os=mac&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=80.0.3987.122&lang=en-US&acceptformat=crx3&x=id%3Dfckonodhlfjlkndmedanenhgdnbopbmh%26v%3D0.0.0.0%26installedby%3Dpolicy%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dhdokiejnpimakedhajhdlcegeplioahd%26v%3D0.0.0.0%26installedby%3Dpolicy%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Daapocclcgogkmnckokdopfmhonfmgoek%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dfelcaaldnbdncclmgdcncolpebgiejap%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Daohghmighlieiainnegkcijnfilokake%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dapdfllckaahabafndbhieahigkjlhalf%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dblpcfgokakmgnkcojhhkbfbldkacnbeo%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpjkljhegncpnkpknbcohdijeoejaedia%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEA%26ping%3Dr%253D-1%2526e%253D1 |
| Result: | a bunch of XML |
clientservices.googleapis.com
| IP: | 2607:f8b0:4006:815::2003 (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /chrome-variations/seed?osname=mac&channel=stable&milestone=80 |
| Result: | a bit of gzip compressed binary data |
accounts.google.com
| IP: | 2607:f8b0:4006:81b::200d (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard (no payload) |
| Result: | ["gaia.l.a.r",[] ] |
clients2.googleusercontent.com
| IP: | 2607:f8b0:4006:81b::2001 (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP1q2vfaFufYPJ7MMPEdkxYurQqLKfsqlETBqnGAQLjVuUqXAP5kzjisGuCNTfqCtcNWXHJuTNrtTwTfHV02dRyiAMZSmuXqm5VWwl1zMmIqqfa62Kc5n3rCxg/extension_0_10_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0PBKVA-da_-T21yR2UQUNKDZNldfzJCCheccCxyc0eUdDcCzD3ksljCA37sYE2YQuixwb_lBQCF7WBqfrrMonZAMZSmuWOasTHxYEehcxrMknyH19pG5TAFg/extension_0_10_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP199BPyTfUTqlzrFainq_xpziexr6SSBQsG3al6SBOxXjhz6mtW75j-F1xkh0sFvlhqvkI3ro_fhpbYGWlt8yIvAMZSmuUbWgSmyx0vin-zLiRBVV3QIcVxrQ/extension_14_2_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP34GdSPM8CJTB4XCoKDlT3eZoUVQ66lPGkI7tJP3yA8iyZlYPMFkFE3rtpsNUquY08htcd-DWwPeCsE33hz642FAMZSmuX_x3TLW5Bs8_F8kxawtOpjwV_QwQ/extension_3_1_40_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP1q2vfaFufYPJ7MMPEdkxYurQqLKfsqlETBqnGAQLjVuUqXAP5kzjisGuCNTfqCtcNWXHJuTNrtTwTfHV02dRyiAMZSmuXqm5VWwl1zMmIqqfa62Kc5n3rCxg/extension_0_10_0_0.crx
GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0w4lDJ_bL6-4cEiO2dNd4wY6MRtrB86olYdAWJNSpbQk1Q83A9EM8DbPrtbQ_AZGp0O9Rp13bGeg_IlBP8lMjLAMZSmuXJMLTQge2ehP4yzENeXXd5OSiVew/extension_8_2_0_0.crx
GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCOlBIvoDMAma8GvG4TlJV63hrc-qX-TqF8hD5aOTImPGuQQq6BujLIzdacuWTEqILccAS18tmDS6pfwab4-elsoAMZSmuX3wxOtQqAilonYeas4_oS69Ej8Jg/extension_4_42_0_2.crx |
| Result: | a lot of data of Content-Type: application/x-chrome-extension (presumably updates to installed extensions) |
ff.search.yahoo.com
| IP: | 2001:4998:58:204::2000 (Yahoo, AS26101) |
| Location: | Lockport, NY, USA |
| Port: | 80 |
| Protocol: | HTTP |
| Request: | GET /gossip?output=fxjson&command=www.n
GET /gossip?output=fxjson&command=www.netm
GET /gossip?output=fxjson&command=www.netmeist
GET /gossip?output=fxjson&command=www.netmeiste
GET /gossip?output=fxjson&command=www.netmeister.o |
| Result: | incremental predictive results |
Here we see the search autocomplete functionality of the location bar: as you enter the URL, your partial URL is sent to the default search engine little by little to allow for the autocomplete window to provide you with guesses.
What's interesting here is that the default provider is Yahoo. I had removed all previous preferences and started from scratch, but somewhere Chrome picked up my previous default?
Secondly, the search happens over plain HTTP, not HTTPS! This is due to Chrome having the predictive search URL hardcoded as HTTP. I've opened a ticket to see whether a change request should be submitted to Chrome to switch this over to HTTPS, which ff.search.yahoo.com does support.
Once Chrome has started, you can disable the autocomplete search function via chrome://settings/syncSetup?search=autocomplete.
redirector.gvt1.com
| IP: | 2607:f8b0:4006:81b::200e (Google, AS15169) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP 1.1 |
| Request: | GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx |
| Result: | 302 redirect to http://r1---sn-ab5sznly.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:7c01:fc76:30b9:4ae7&mm=28&mn=sn-ab5sznly&ms=nvh&mt=1582903761&mv=m&mvi=0&pl=47&shardbypass=yes
302 redirect to http://r5---sn-ab5szn7z.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:7c01:fc76:30b9:4ae7&mm=28&mn=sn-ab5szn7z&ms=nvh&mt=1582903761&mv=m&mvi=4&pl=47&shardbypass=yes |
r5---sn-ab5szn7z.gvt1.com
| IP: | 2607:f8b0:401e:2f::b (Google, AS15169) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP 1.1 |
| Request: | GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:7c01:fc76:30b9:4ae7&mm=28&mn=sn-ab5szn7z&ms=nvh&mt=1582903761&mv=m&mvi=4&pl=47&shardbypass=yes |
| Result: | No HTTP response, although I see a lot of TCP packets being exchanged? |
This is an odd exchange: the GET request appears not to be answered with an HTTP response, although a number of TCP packets are being sent back. Making the same request via curl(1) yields another redirect to http://r4---sn-ab5l6nzk.gvt1.com, which then returns an HTTP 200 with binary data with Content-Type: application/x-chrome-extension.
This is likely due to my system profile enforcing the installation of certain Chrome extensions, and thus perhaps not an accurate reflection of what a plain vanilla install or setup would look like.
www.googleapis.com
| IP: | 2607:f8b0:4006:814::200a (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | POST /chromewebstore/v1.1/items/verify |
| Payload: | {"hash":"/9vUfvdoLbvkTMovHYoGItfv0S/q/W69PBPTlJGWwCM=","ids":["aapocclcgogkmnckokdopfmhonfmgoek"],"protocol_version":1} |
| Result: | {
"expiry": "2020-05-22",
"protocol_version": 1,
"pubkey_sha1_hash": "a2159534e3753e716819beb8aae14b326927505a",
"signature": "FGiusqn6tdvURrEpDMuf9gy+uU0MtFWIo+aVxHr36uzjv8ORy5yfsevik+nXBjAlD+J2h/2ysZ8ws6DfuRBIT1Pq+0xkr8qTkOwc9WX7uZoz91bTD0RgSQGxhWZIDnQFukFaBk4QogMxD+lehi0jZmCyPnJPMgtBFbeLfEW+WojKzOAKMchajMQVhh8eUwLYR6NOLschjWYgE4EOJhmlHuinvHjSV9bkFdiO/Ubb0GV1Sye8i+/NjgN2b+Zd8Acql5n2fq/mLSNIbYq/PJsgMvGRplda6AjVE+wK3gIwnBc+P2tk/e9Nt/mF1U07X0hRxZEYK8/ZCXgj8LVPVK3iog=="
} |
ssl.gstatic.com
| IP: | 2607:f8b0:4006:815::2003 (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /safebrowsing/csd/client_model_v5_variation_0.pb GET /safebrowsing/csd/client_model_v5_ext_variation_0.pb |
| Result: | 80K of Content-Type: application/octet-stream |
Other Traffic
SSDP
When Chrome starts, it sends out an SSDP M-SEARCH * packet to the IPv4 site-local multicast address 239.255.255.250, port 1900. This is presumably to help in the discovery of, e.g., cloud printers or other local devices.
A local system may respond with an HTTP response including a Location header, indicating a URL to fetch content from. In my case, my local Tivo helpfully replied, and Chrome then went to fetch the file http://172.16.1.6:37176/dd.xml.
(See this issue for more information. There's also this entertaining blog post relating to SSDP. Related config flag: chrome://flags/#media-router.)
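As an added example (not code from the original post), here is a small SSDP parser together with the check a network monitor would want to apply to replies: a device answer whose Location does not point back at the responding host steers the browser to fetch a URL chosen by whoever answered the multicast. The M-SEARCH and the reply below are constructed; the ST value and the USN are placeholders, while the Location is the one the Tivo returned above.

```python
"""Parse SSDP (HTTP-over-UDP) datagrams and sanity-check a reply's Location.

Added example, not code from the original post. Both datagrams are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed probe of the kind described above, sent to 239.255.255.250:1900.
# The ST value is a placeholder; the post does not record what Chrome asked for.
M_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 1\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)

# Constructed reply in the shape of the local device answer seen above.
# The USN is a placeholder; the LOCATION is the URL the Tivo advertised.
DEVICE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: ssdp:all\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://172.16.1.6:37176/dd.xml\r\n"
    b"\r\n"
)


def parse_ssdp(datagram):
    """Return {'start': str, 'headers': {NAME: value}} or None if malformed.

    Header names are upper-cased because devices are inconsistent about case.
    """
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return None  # no end-of-headers marker: not a complete SSDP message
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().upper()] = value.strip()
    return {"start": lines[0], "headers": headers}


def is_search(msg):
    """True for an M-SEARCH probe such as the one Chrome sends at startup."""
    return msg is not None and msg["start"].startswith("M-SEARCH ")


def location_matches_responder(location, responder_ip):
    """True only if the Location URL points back at the host that sent the reply.

    Anything else (another LAN host, a public address, a hostname) means the
    browser would fetch a URL picked by whoever answered the multicast.
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        return ipaddress.ip_address(parts.hostname) == ipaddress.ip_address(responder_ip)
    except ValueError:
        return False  # hostname rather than a literal address: cannot be verified here


def triage_reply(datagram, responder_ip):
    """Classify a reply as 'ok', 'suspicious-location' or 'malformed'."""
    msg = parse_ssdp(datagram)
    if msg is None or "LOCATION" not in msg["headers"]:
        return "malformed"
    if location_matches_responder(msg["headers"]["LOCATION"], responder_ip):
        return "ok"
    return "suspicious-location"
```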
mDNS
Similarly to SSDP, Chrome also sends out an mDNS broadcast to 224.0.0.251 and ff02::fb with a query for a _googlecast._tcp.local PTR record. Local devices such as, e.g., a Google Nest Hub, respond with an IP address and additional information about the device, and Chrome may then perform an HTTP GET request, e.g., for /ssdp/device-desc.xml, which returns a product description.
(I'm also seeing at least two packets speaking the AJP13 protocol being exchanged, but can't make much sense of them; I'm not feeling particularly warm and fuzzy about that being in use on my devices, however.)
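The mDNS side of this, as an added example that is not part of the original post: the wire-format PTR query for _googlecast._tcp.local that goes to 224.0.0.251 / ff02::fb on port 5353, and a decoder for the answer a device multicasts back, including DNS name compression. The instance name and TTL in the constructed reply are made up.

```python
"""Encode the mDNS PTR query described above and decode a device's answer.

Added example, not code from the original post. The reply is constructed.
"""
import struct

MDNS_GROUP_V4, MDNS_GROUP_V6, MDNS_PORT = "224.0.0.251", "ff02::fb", 5353
TYPE_PTR, CLASS_IN = 12, 1


def encode_name(name):
    """Turn 'a.b.c' into length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_ptr_query(service="_googlecast._tcp.local"):
    """mDNS query: id 0, no flags, one question, QU bit clear (multicast reply)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_ptr_answers(packet):
    """Return [(owner, ttl, target)] for every PTR record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not (flags & 0x8000):
        return []  # a query, not a response
    offset = 12
    for _ in range(qd):  # skip echoed questions, if any
        _, offset = decode_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            target, _ = decode_name(packet, offset)
            answers.append((owner, ttl, target))
        offset += rdlen
    return answers


def constructed_reply():
    """A reply shaped like a Cast device's: a PTR naming its service instance.

    The instance label is followed by a pointer back to the owner name at
    offset 12, the way real responders compress it. Name and TTL are made up.
    """
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    owner = encode_name("_googlecast._tcp.local")  # starts at offset 12
    instance = b"\x14Example-Nest-Hub-abc" + struct.pack("!H", 0xC000 | 12)
    rr = struct.pack("!HHIH", TYPE_PTR, 0x8001, 120, len(instance)) + instance
    return header + owner + rr
```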
Summary
During this first invocation, Chrome makes HTTP connections to external systems on 8 different IPs, all IPv6. These IPs are in 2 different AS operated by 2 different companies (Google and Yahoo) in 6 different 2nd-level domains:
google.com, googleapis.com, googleusercontent.com, gstatic.com, gvt1.com
Registrar: MarkMonitor Inc. Organization: Google LLC State: CA Country: US
yahoo.com
Registrar: MarkMonitor Inc. Organization: Oath Inc. State: VA Country: US
It is worth noting that if the default search engine had not been Yahoo, but Google, then all of the traffic would have gone to Google's systems only. It is also worth noting that all of Google's systems used IPv6, TLS 1.3, and HTTP2.
Edge
Edge is now a Chrome based browser, so we expect at least some similarities with Google Chrome. Let's see if that's true or how much Microsoft changed here.
When installing Edge, the installer offers you an option to choose whether to "help microsoft improve our products by sending crash reports, info about how you use the browser, and websites you visit" to Microsoft, linking to this webpage. This is a nice touch, as it allows you to opt out of data collection even before the first start of the browser! In this example, I chose to opt out.
After starting Microsoft Edge 80.0.361.57 for the first time, it displays a startup site:

Here, you can choose to import Chrome settings or sign into your profile or whatnot. Let's not. After opting out, you then get a generic welcome page:

DNS Lookups
Edge performed a total of 102 queries for 46 distinct names; the queries were A and AAAA lookups only and were made via the locally configured stub resolver.
The total list of DNS lookups done on a fresh new start by Edge was, in order:
gsp-ssl.ls.apple.com. gsp-ssl-dynamic.ls4-apple.com.akadns.net. ocsp.apple.com. world-gen.g.aaplimg.com. nav.smartscreen.microsoft.com. wd-prod-ss-us-northcentral-2-fe.northcentralus.cloudapp.azure.com. www.microsoft.com. e13678.dspb.akamaiedge.net. ntp.msn.com. local. self.events.data.microsoft.com. skypedataprdcolneu05.cloudapp.net. config.edge.skype.com. gsp64-ssl.ls.apple.com. gsp64-ssl.ls-apple.com.akadns.net. assets.msn.com. img-s-msn-com.akamaized.net. otf.msn.com. sb.scorecardresearch.com. api.msn.com. c.bing.com. smartscreen-prod.microsoft.com. c.msn.com. www.msn.com. edge.microsoft.com. arc.msn.com. uxdfqnr.cable.rcn.com. axpajkorx.cable.rcn.com. vpajxujeblxm.cable.rcn.com. axpajkorx.cable.rcn.com. uxdfqnr.cable.rcn.com. axpajkorx. uxdfqnr. vpajxujeblxm.cable.rcn.com. uxdfqnr. vpajxujeblxm. edge.microsoft.com. ris.api.iris.microsoft.com. world-gen.g.aaplimg.com. go.microsoft.com. microsoftedgewelcome.microsoft.com. edgewelcomecdn.microsoft.com. az725175.vo.msecnd.net. www.microsoft.com. mem.gfx.ms. img-prod-cms-rt-microsoft-com.akamaized.net. c.s-microsoft.com. web.vortex.data.microsoft.com. www.bing.com. www.ne. www.net. www.ne.cable.rcn.com. www.ne. www.ne.cable.rcn.com. www.ne. www.netmeister.org. wd-prod-ss-us-northcentral-2-fe.northcentralus.cloudapp.azure.com.
As before with Google Chrome, we see a number of lookups of random character sequences to detect DNS hijacking; we also see consecutive lookups of records as we type our destination name, www.netmeister.org.
HTTP Traffic
At startup, Edge makes a number of HTTP calls, as broken down below:

ntp.msn.com
| IP: | 204.79.197.203 (Microsoft, AS8068) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | a dozen or so json requests: GET /edge/ntp?locale=en-US&fre=1&rt=1&dsp=1&sp=Bing&startpage=1 GET /content/view/v1/weathersummary/en-us/40.74,-73.9855?units=F&days=5 GET /breakingnews/v1/cms/api/amp/article/AA157JY GET /service/msn/topics?apikey=0QfOX3Vn51YCzitbLaRkTTBadtWpgTN8NZLW0C1SEM&activityId=AADBF64E-E4FA-4BAA-8500-0FBE111C0ECC&ocid=anaheim-dhp-feeds&market=en-us&user=m-1F7801155A8F68020D0C0F6B5B0D6994&fdhead=msnallexpusers,muidflt10cf,muidflt26cf,muidflt50cf,muidflt313cf,complianceedge1cf,samrtb-n,platagyhp2cf,moneyhp1cf,compliancehp1cf,starthz1cf,samrtbflex-nc,artgly3cf,gallery2cf,jslltelemetry,msnapp4cf,1s-feed-next-v1&queryType=MyFeed&$top=1000&allTopics=true&$select=id,name,image,feedType&location=40.74|-73.9855 |
| Result: | this HTML page, this weather report, this promo json blob, some more json |
That's a whole lot of requests. One curious thing here is the presence of an apiKey parameter; it's unclear what this is used for if it's baked into the application.
(It appears that ntp.msn.com has absolutely nothing to do with NTP. Browser context suggests "New Tab Page".)
config.edge.skype.com
| IP: | 13.107.3.128 (Microsoft, AS8068) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /config/v1/Edge/80.0.361.57?agents=EdgeDomainActions%2CEdgeFirstRun%2CEdgeFirstRunConfig%2CEdgeDataConfig&enabledomainactions=1&osname=mac&channel=stable&osver=10.15.3&osarch=x86_64&uma=0&mngd=0 GET /config/v1/Edge/80.0.361.57?enabledomainactions=1&osname=mac&channel=stable&osver=10.15.3&osarch=x86_64&uma=0&mngd=0 |
| Result: | a whole bunch of json and some more json |
assets.msn.com
| IP: | 23.59.250.114 (Akamai, AS20940) |
| Location: | New York, NY |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_256_GCM_SHA384 |
| Request: | 89 (!) .js files |
| Result: | a whole bunch of json |
That's a lot of requests! There has got to be a more efficient way than requesting nearly 100 .js files here.
www.msn.com
| IP: | 204.79.197.203 (Microsoft, AS8068) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /spartan/en-us/getappanoncookie |
| Result: | set-cookie: _EDGE_S=F=1; path=/; httponly; domain=msn.com set-cookie: _EDGE_V=1; path=/; httponly; expires=Thu, 25-Mar-2021 03:34:19 GMT; domain=msn.com set-cookie: MUID=3035F9C5A0886FBE1139F7BAA1006E02; path=/; expires=Thu, 25-Mar-2021 03:34:19 GMT; domain=msn.com |
img-s-msn-com.akamaized.net
| IP: | 2600:141b:b000::1737:eb8b (Akamai, AS35994) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /tenant/amp/entityid/BBYyvk2.img |
| Result: | image |
self.events.data.microsoft.com
| IP: | 52.114.77.34 (Microsoft, AS8075) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | POST /OneCollector/1.0/ APIKey: 7005b72804a64fa4b2138faab88f877b-0046e00d-6cb7-4bb8-8ac2-0128c6c05c4a-7918 Content-Type: application/bond-compact-binary SDK-Version: EVT-MacOSX-C++-No-3.2.297.1 |
| Result: | {"acc":1} |
c.msn.com
| IP: | 20.36.253.92 (Microsoft, AS8075) |
| Location: | Boydton, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | /c.gif?udc=true&rid=aadbf64ee4fa4baa85000fbe111c0ecc&rnd=1582933548322&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26fre%3D1%26rt%3D1%26dsp%3D1%26sp%3DBing%26startpage%3D1%26ocid%3Dmsedgdhp&scr=1440x900&anoncknm=APP_ANON&issso=0&aadState=0&di=340&lng=en-us&activityId=aadbf64ee4fa4baa85000fbe111c0ecc&d.dgk=unknown&d.imd=0&st.dpt=antp&subcvs=homepage&pg.n=default&pg.t=dhp&pg.p=anaheim |
| Result: | 302 redirect to c.bing.com |
sb.scorecardresearch.com
| IP: | 23.192.9.190 (Akamai, AS16625) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | /b?c1=2&c2=3000001&cs_ucfr=1&rn=1582933548323&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26fre%3D1%26rt%3D1%26dsp%3D1%26sp%3DBing%26startpage%3D1%26ocid%3Dmsedgdhp&c8=&c9= |
| Result: | 204 No Content (scorecardresearch cookies) |
otf.msn.com
| IP: | 40.114.54.223 (Microsoft, AS8075) |
| Location: | Washington, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | preflight OPTIONS, then POST /c.gif? |
| Payload: | this json |
edge.microsoft.com
| IP: | 13.107.6.158 (Microsoft, AS8068) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /autofillservice/query?q=Chc2LjEuMTcxNS4xNDQyL2VuIChHR0xMKRMZiWbV8PbQA_0jLZSQkvokIy2UkJL6JBQ= GET /abusiveadblocking/api/v1/blocklist |
| Result: | 128k blacklist |
ris.api.iris.microsoft.com
| IP: | 13.68.92.143 (Microsoft, AS8068) |
| Location: | Boydton, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /v1/a/click?PG=IRIS000001.0000000216&UNID=88000216&CID=128000000001812729&PID=425122465&TargetID=700336220&REQASID=&ASID=0823319A7CDB414F99B3E4ABFCF120DA&REQT=20200228T234550&UIT=M&ID=00000000000000000000000000000 |
| Result: | 204 no content |
microsoftedgewelcome.microsoft.com
| IP: | 104.42.128.171 (Microsoft, AS8075) |
| Location: | San Jose, CA |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET / GET /en-us/ misc images etc. |
| Result: | the initial welcome site |
edgewelcomecdn.microsoft.com
| IP: | 2606:2800:11f:1cb7:261b:1f9c:2074:3c (MCI Communications, AS15133) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_256_GCM_SHA384 |
| Request: | various images, fonts, CSS and js assets |
img-prod-cms-rt-microsoft-com.akamaized.net
| IP: | 2600:141b:b000::1737:eba2 (Akamai, AS35994) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /cms/api/am/imageFileData/RE1Mu3b?ver=5c31 |
| Result: | PNG image |
web.vortex.data.microsoft.com
| IP: | 65.55.44.109 (Microsoft, AS8075) |
| Location: | Boydton, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /collect/v1/t.js?ver=%272.1%27&name=%27Ms.Webi.PageView%27&time=%272020-02-28T23%3A46%3A17.109Z%27&os=%27MacOS%27&appId=%27JS%3AMsedgefre%27&-ver=%271.0%27&-impressionGuid=%27881ba457-a44e-44c4-8128-9f4a25147990%27&-pageName=%27Undefined%27&-uri=%27https%3A%2F%2Fmicrosoftedgewelcome.microsoft.com%2Fen-us%2F%27&-market=%27en-us%27&-resHeight=900&-resWidth=1440&-pageTags=%27%7B%22metaTags%22%3A%7B%7D%7D%27&-behavior=0&*baseType=%27Ms.Content.PageView%27&*cookieEnabled=true&*isJs=true&*title=%27Microsoft%20Edge%27&*isLoggedIn=false&*flashInstalled=false&ext-javascript-ver=%271.1%27&ext-javascript-libVer=%274.2.14%27&ext-javascript-domain=%27microsoftedgewelcome.microsoft.com%27&ext-javascript-userConsent=false&$mscomCookies=false POST /collect/v1?$mscomCookies=false&ext-javascript-msfpc=%27GUID%3Db21dda85de3c47b293a5e93ee20dae56%26HASH%3Db21d%26LV%3D202002%26V%3D4%26LU%3D1582933577229%27 |
| Payload: | {"ver":"2.1","name":"Ms.Webi.ContentUpdate","time":"2020-02-28T23:46:17.339Z","os":"MacOS","appId":"JS:Msedgefre","data":{"baseData":{"ver":"1.0","impressionGuid":"881ba457-a44e-44c4-8128-9f4a25147990","pageName":"Undefined","uri":"https://microsoftedgewelcome.microsoft.com/en-us/","market":"en-us","pageTags":"{\"metaTags\":{},\"timing\":\"{\\\"first-paint\\\":1111.4650000017718,\\\"first-contentful-paint\\\":1283.4550000043237,\\\"navigationStart\\\":1582933575587,\\\"unloadEventStart\\\":0,\\\"unloadEventEnd\\\":0,\\\"redirectStart\\\":0,\\\"redirectEnd\\\":0,\\\"fetchStart\\\":1582933576226,\\\"domainLookupStart\\\":1582933576226,\\\"domainLookupEnd\\\":1582933576226,\\\"connectStart\\\":1582933576226,\\\"connectEnd\\\":1582933576226,\\\"secureConnectionStart\\\":0,\\\"requestStart\\\":1582933576229,\\\"responseStart\\\":1582933576349,\\\"responseEnd\\\":1582933576433,\\\"domLoading\\\":1582933576359,\\\"domInteractive\\\":1582933576873,\\\"domContentLoadedEventStart\\\":1582933576969,\\\"domContentLoadedEventEnd\\\":1582933576969,\\\"domComplete\\\":1582933577254,\\\"loadEventStart\\\":1582933577255,\\\"loadEventEnd\\\":1582933577255}\"}","pageHeight":3172,"vpHeight":794,"vpWidth":1440,"behavior":0,"vScrollOffset":0,"hScrollOffset":0,"contentVer":"2.0","content":"[{\"cN\":\"headerArea\",\"cT\":\"Area_coreuiArea\",\"id\":\"a1Body\",\"sN\":1,\"aN\":\"Body\"},{\"cN\":\"headerRegion\",\"cT\":\"Region_coreui-region\",\"id\":\"r1a1\",\"sN\":1,\"aN\":\"a1\"},{\"cN\":\"headerUniversalHeader\",\"cT\":\"Module_coreui-universalheader\",\"id\":\"m1r1a1\",\"sN\":1,\"aN\":\"r1a1\"},{\"cN\":\"Universal Header_cont\",\"cT\":\"Container\",\"id\":\"c3c1m1r1a1\",\"sN\":3,\"aN\":\"c1m1r1a1\"},{\"cN\":\"GlobalNav_Logo_cont\",\"cT\":\"Container\",\"id\":\"c3c3c1m1r1a1\",\"sN\":3,\"aN\":\"c3c1m1r1a1\"},{\"cN\":\"Category nav_cont\",\"cT\":\"Container\",\"id\":\"c6c3c1m1r1a1\",\"sN\":6,\"aN\":\"c3c1m1r1a1\"},{\"cN\":\"Header 
actions_cont\",\"cT\":\"Container\",\"id\":\"c7c3c1m1r1a1\",\"sN\":7,\"aN\":\"c3c1m1r1a1\"},{\"cN\":\"GlobalNav_cont\",\"cT\":\"Container\",\"id\":\"c1c7c3c1m1r1a1\",\"sN\":1,\"aN\":\"c7c3c1m1r1a1\"},{\"cN\":\"GlobalNav_More_nonnav\",\"id\":\"nn1c1c7c3c1m1r1a1\",\"sN\":1,\"aN\":\"c1c7c3c1m1r1a1\"},{\"cN\":\"GlobalNav_Search_cont\",\"cT\":\"Container\",\"id\":\"c3c1c7c3c1m1r1a1\",\"sN\":3,\"aN\":\"c1c7c3c1m1r1a1\"}]"},"baseType":"Ms.Content.ContentUpdate","title":"Microsoft Edge","cookieEnabled":true,"isJs":true,"isDomComplete":true,"isLoggedIn":false,"pageLoadTime":1668},"ext":{"javascript":{"ver":"1.1","libVer":"4.2.14","domain":"microsoftedgewelcome.microsoft.com","msfpc":"GUID=b21dda85de3c47b293a5e93ee20dae56&HASH=b21d&LV=202002&V=4&LU=1582933577229","userConsent":false}}} |
| Result: | document.cookie="MSFPC=GUID=b21dda85de3c47b293a5e93ee20dae56&HASH=b21d&LV=202002&V=4&LU=1582933577229;expires=Sat, 27 Feb 2021 23:46:17 GMT;path=/;Secure;SameSite=None";if(awa.ix){awa.ix.set({"mc1":"b21dda85de3c47b293a5e93ee20dae56"})};if(awa.firstEventDone){awa.firstEventDone()};
{"ipv":false,"pvm":null,"rej":0,"bln":0,"acc":1,"efi":[]} |
Other Traffic
SSDP and mDNS
Since Edge is based on Chrome, it's no surprise we see the same SSDP and mDNS traffic as we saw above.
Summary
During this first invocation, Edge makes HTTP connections to external systems on 14 different IPs, almost all IPv4. These IPs are in 6 different AS operated by 3 different companies (Microsoft, Akamai, MCI) in 5 different 2nd-level domains:
akamaized.net
Registrar: Akamai Technologies, Inc. Organization: Akamai Technologies, inc. State: MA Country: US
microsoft.com, msn.com
Registrar: MarkMonitor Inc. Organization: Microsoft Corporation State: WA Country: US
scorecardresearch.com
Registrar: MarkMonitor Inc. Organization: TMRG, Inc State: VA Country: US
skype.com
Registrar: MarkMonitor Inc. Organization: Skype State: Dublin Country: IE
Safari
Safari is a bit of an outlier in this analysis: it is more closely integrated with the OS, starts a few other processes, and has access to a shared DNS cache via mDNSResponder.
It also is the only browser that I did not start in a factory-new configuration; instead, I started with the default of a blank page, thereby avoiding loading a heavy advertising driven homepage or anything of that sort. The reason for this is that I simply could not easily untangle Safari from whatever system settings I have as defaults to recreate or simulate a fresh install.
What's more, unlike Firefox or the Chrome based browsers, Safari does not honor the SSLKEYLOGFILE environment variable, meaning I can't easily decrypt the TLS traffic in Wireshark without setting up a proxy, which I didn't bother doing. Therefore, I can only correlate the IP addresses to which Safari made a TLS connection with the SNI from the TLS handshake and with Little Snitch's network map and connection information, but not provide the details of the data exchanged.
The version of Safari used here is 13.0.5 (15608.5.11).
DNS Lookups
Safari performed a total of 43 queries for 26 distinct names; the queries were A and AAAA lookups only and were made via the locally configured stub resolver.
There were some lookups that appeared to have been made as follow ups to previously cached results. For example, no DNS query for www.bing.com was observed in the pcap file, but a query for the resolution of its CNAME (a-0001.a-afdentry.net.trafficmanager.net.) was observed. This appears to be the effect of mDNSResponder caching DNS lookups.
The total list of DNS lookups done on a fresh new start by Safari was, in order:
xp.itunes-apple.com.akadns.net. e17437.dscb.akamaiedge.net. api-glb-nyc.smoot.apple.com. play.itunes.apple.com.edgesuite.net. a1806.dscb.akamai.net. e673.dsce9.akamaiedge.net. www-src.linkedin.com. www-cdn.icloud.com.akadns.net. e6858.dsce9.akamaiedge.net. e4478.a.akamaiedge.net. static-exp1.licdn.com. cs945.wpc.epsiloncdn.net. atsv2-fp-shed.wg1.b.yahoo.com. a-0001.a-afdentry.net.trafficmanager.net. dual-a-0001.a-msedge.net. edge.gycpi.b.yahoodns.net. search.yahoo.com. csc.beap.bc.yahoo.com. geo.yahoo.com. geoycpi-uno.gycpi.b.yahoodns.net. www.google.com. dyna.wikimedia.org. upload.wikimedia.org. star-mini.c10r.facebook.com. twitter.com. cs2-wac.apr-8315.edgecastdns.net.
HTTP Traffic
Since Safari is much more integrated into macOS than the other browsers, we see connections made not only by Safari, but also by other processes initiated by Safari.
At startup, the following HTTP calls are observed:

xp.apple.com
| IP: | 2600:141b:13:7a4::441d (Akamai, AS20940) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_256_GCM_SHA384 |
This connection is made by Apple's CommerceKit framework, a process kicked off by Safari and used to enable app, music, and book purchases.
api-glb-nyc.smoot.apple.com
| IP: | 17.249.121.246 (Apple, AS714) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_256_GCM_SHA384 |
This connection is made by Apple's CoreParsec framework, a process kicked off by Safari and used to manage access and data for Siri suggestions.
play.itunes.apple.com
| IP: | 2600:141b:13::17d7:8261 (Akamai, AS20940) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_256_GCM_SHA384 |
Another CommerceKit framework connection.
pd.itunes.apple.com
| IP: | 2600:141b:13:797::2a1 (Akamai, AS20940) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_256_GCM_SHA384 |
Another CommerceKit framework connection.
www.linkedin.com
| IP: | 2620:109:c002::6cae:a0a (LinkedIn, AS14413) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.2, TLS_AES_256_GCM_SHA384 |
www.apple.com
| IP: | 2600:141b:13:795::1aca (Akamai, AS20940) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_256_GCM_SHA384 |
www.icloud.com
| IP: | 104.107.17.109 (Akamai, AS16625) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
www.yahoo.com
| IP: | 2001:4998:58:1836::10 (Yahoo, AS26101) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
www.bing.com
| IP: | 2620:1ec:c11::200 (Microsoft, AS8068) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
s.yimg.com
| IP: | 2001:4998:1c:800::1001 (Yahoo, AS14779) |
| Location: | New York, NY |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 (0x1301) |
search.yahoo.com
| IP: | 2001:4998:58:204::2000 (Yahoo, AS26101) |
| Location: | New York, NY |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
geo.yahoo.com
| IP: | 2001:4998:58:207::6000 (Yahoo, AS26101) |
| Location: | New York, NY |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
video-api.yql.yahoo.com
| IP: | 69.147.82.60 (Yahoo, AS14779) |
| Location: | New York, NY |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
www.google.com
| IP: | 2607:f8b0:4006:803::2004 (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
www.wikipedia.org
| IP: | 2620:0:861:ed1a::1 (Wikimedia, AS14907) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.2, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
upload.wikimedia.org
| IP: | 2620:0:861:ed1a::2:b (Wikimedia, AS14907) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.2, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
www.facebook.com
| IP: | 2a03:2880:f112:83:face:b00c:0:25de (Facebook, AS32934) |
| Location: | Dublin, Ireland |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
twitter.com
| IP: | 104.244.42.1 (Twitter, AS13414) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
abs.twimg.com
| IP: | 2606:2800:220:13d:2176:94a:948:148e (MCI, AS15133) |
| Location: | generic US |
| Port: | 443 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
Other Traffic
mDNS
Safari also starts out by sending mDNS probes for various SRV names like _adisk._tcp.local, _afpovertcp._tcp.local, _apple-pairable._tcp.local, _airport._tcp.local, etc.
Summary
During this first invocation, Safari makes HTTP connections to external systems on 19 different IPs, mostly IPv6. These IPs are in 12 different AS operated by 10 different companies (Akamai, Apple, Facebook, Google, LinkedIn, MCI, Microsoft, Twitter, Wikimedia, Yahoo) in 12 different 2nd-level domains:
apple.com, icloud.com
Registrar: CSC Corporate Domains, Inc. Organization: Apple Inc. State: CA Country: US
bing.com
Registrar: MarkMonitor Inc. Organization: Microsoft Corporation State: WA Country: US
facebook.com
Registrar: RegistrarSafe, LLC Organization: Facebook, Inc. State: CA Country: US
google.com
Registrar: MarkMonitor Inc. Organization: Google LLC State: CA Country: US
linkedin.com
Registrar: MarkMonitor Inc. Organization: LinkedIn Corporation State: CA Country: US
twimg.com, twitter.com
Registrar: CSC Corporate Domains, Inc. Organization: Twitter, Inc. State: CA Country: US
wikimedia.org, wikipedia.org
Registrar: MarkMonitor Inc. Organization: Wikimedia Foundation, Inc. State: CA Country: US
yahoo.com, yimg.com
Registrar: MarkMonitor Inc. Organization: Oath Inc. State: VA Country: US
What's interesting about Safari is that even though it doesn't load a welcome page or display any content at startup as per my preferences, it still fetches content from the various popular domains, suggesting there is some pre-fetching of content happening in the background.
Brave
After starting Brave Version 1.4.95 (Chromium 80.0.3987.122) for the first time, it displays a welcome screen with an option to "Skip welcome tour", which we thankfully select.

After that, we enter our destination URL, let the page load, and exit the browser.
DNS Lookups
Brave performed a total of 57 queries for 19 distinct names; the queries were A and AAAA lookups only and were made via the locally configured stub resolver.
The total list of DNS lookups done on a fresh new start by Brave was, in order:
updates.bravesoftware.com. f2.shared.global.fastly.net. static1.brave.com. no-thanks.invalid. no-thanks.invalid.cable.rcn.com. laptop-updates.brave.com. no-thanks.invalid. go-updater.brave.com. componentupdater.brave.com. brave-core-ext.s3.brave.com. tor.bravesoftware.com. crlsets.brave.com. no-thanks.invalid. no-thanks.invalid.cable.rcn.com. krdjdubihfhlri.cable.rcn.com. rhqnzult.cable.rcn.com. ckzlqdialux.cable.rcn.com. krdjdubihfhlri.cable.rcn.com. krdjdubihfhlri. rhqnzult.cable.rcn.com. ckzlqdialux.cable.rcn.com. rhqnzult. ckzlqdialux. rhqnzult. ckzlqdialux. no-thanks.invalid. no-thanks.invalid.cable.rcn.com. static.brave.com. no-thanks.invalid. no-thanks.invalid.cable.rcn.com. www.netmeister.org.
As before with Google Chrome and Edge, we see a number of lookups of random character sequences to detect DNS hijacking; we also note that no-thanks.invalid was looked up 5 times in total.
HTTP Traffic
At startup, Brave makes a number of HTTP calls, as broken down below:

static1.brave.com
| IP: | 2606:4700:3033::681c:17f2 (Cloudflare, AS13335) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | Braveservicekey: qjVKcxtUybh8WpKNoQ7EbgbkJTMu7omjDHKk=VrPApb8PwJyPE9eqchxedTsMEWg GET /autofill/hourly/bins.json GET /autofill/weekly/merchants.json GET /safebrowsing/csd/client_model_v5_variation_0.pb GET /safebrowsing/csd/client_model_v5_ext_variation_0.pb |
| Result: | { "cpan_eligible_bin_wl_regex": ["^4[0-9]{15,18}$"] }
{ "cpan_eligible_merchant_wl": ["dump-truck.appspot.com"] }
2 x 80 Kb binary data
|
The requests here are interesting in the use of the Braveservicekey; the json data returned is Brotli compressed.
laptop-updates.brave.com
| IP: | 199.232.37.7 (Fastly, AS54113) |
| Location: | New York, NY |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /promo/custom-headers PUT /promo/initialize/nonua GET /1/usage/brave-core?platform=osx-bc&channel=release&version=1.4.95&daily=true&weekly=true&monthly=true&first=true&woi=2020-03-02&ref=BRV001 |
| Payload: | {
"api_key": "fe033168-0ff8-4af6-9a7f-95e2cbfc9f4f",
"platform": "osx",
"referral_code": "BRV001"
} |
| Result: | [
{
"cookieNames": [],
"domains": [
"coinbase.com",
"api.coinbase.com"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "coinbase"
}
},
{
"cookieNames": [],
"domains": [
"softonic.com",
"softonic.cn",
"softonic.jp",
"softonic.pl",
"softonic.com.br"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "softonic"
}
},
{
"cookieNames": [],
"domains": [
"marketwatch.com",
"barrons.com"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "dowjones"
}
},
{
"cookieNames": [],
"domains": [
"townsquareblogs.com",
"tasteofcountry.com",
"ultimateclassicrock.com",
"xxlmag.com",
"popcrush.com"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "townsquare"
}
},
{
"cookieNames": [],
"domains": [
"cheddar.com"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "cheddar"
}
},
{
"cookieNames": [],
"domains": [
"upbit.com",
"sg.upbit.com",
"id.upbit.com",
"ccx.upbit.com",
"ccx.upbitit.com",
"ccxsg.upbit.com",
"cgate.upbitit.be",
"ccxid.upbit.com",
"cgate.upbitit.tv"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "upbit"
}
},
{
"cookieNames": [],
"domains": [
"eaff.com",
"stg.eaff.com"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "eaff"
}
},
{
"cookieNames": [],
"domains": [
"sandbox.uphold.com",
"api-sandbox.uphold.com",
"uphold.com",
"api.uphold.com"
],
"expiration": 31536000000,
"headers": {
"X-Brave-Partner": "uphold"
}
}
]
{"ts":1583209242790,"status":"ok"}
|
Another use of an API key as well as a referral code. The returned data contains a number of domains that may have to do with Brave's ad system?
go-updater.brave.com
| IP: | 199.232.37.7 (Fastly, AS54113) |
| Location: | New York, NY |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | X-Goog-Update-AppId: gccbbckogglekeggclmmekihdgdpdgoe BraveServiceKey: qjVKcxtUybh8WpKNoQ7EbgbkJTMu7omjDHKk=VrPApb8PwJyPE9eqchxedTsMEWg POST /extensions This is repeated 10 times with different X-Goog-Update-AppIds but identical payload. |
| Payload: | {
"request": {
"@os": "mac",
"@updater": "",
"acceptformat": "crx2,crx3",
"app": [
{
"appid": "gccbbckogglekeggclmmekihdgdpdgoe",
"enabled": true,
"installsource": "ondemand",
"ping": {
"r": -2
},
"updatecheck": {},
"version": "0.0.0.0"
}
],
"arch": "x64",
"dedup": "cr",
"domainjoined": false,
"hw": {
"physmemory": 16
},
"lang": "",
"nacl_arch": "x86-64",
"os": {
"arch": "x86_64",
"platform": "Mac OS X",
"version": "10.15.3"
},
"prodchannel": "stable",
"prodversion": "80.1.4.95",
"protocol": "3.1",
"requestid": "{d5698802-5f71-460d-b3f0-6956886f191e}",
"sessionid": "{92504c9b-3e1d-4d9e-80b4-59a725cc23e3}",
"updaterchannel": "stable",
"updaterversion": "80.1.4.95"
}
}
|
| Result: | Most requests returned the same json as was POSTed; one request received an HTTP 307 redirect to https://componentupdater.brave.com/service/update2/json |
componentupdater.brave.com
| IP: | 199.232.37.7 (Fastly, AS54113) |
| Location: | New York, NY |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | X-Goog-Update-AppId: hfnkpimlhhgieaddgfemjhofmfblmnib BraveServiceKey: qjVKcxtUybh8WpKNoQ7EbgbkJTMu7omjDHKk=VrPApb8PwJyPE9eqchxedTsMEWg POST /service/update2/json |
| Payload: | same as in the previous request |
| Result: | same as in the previous request |
crlsets.brave.com
| IP: | 199.232.37.7 (Fastly, AS54113) |
| Location: | New York, NY |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /edgedl/release2/chrome_component/ANaMfc39lnLzNeHAqi34CPs_5726/AgjeNiYMWjgOFctWc_IsaA |
| Result: | 21848 bytes of binary data |
brave-core-ext.s3.brave.com
| IP: | 199.232.38.217 (Fastly, AS54113) |
| Location: | New York, NY |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /release/gccbbckogglekeggclmmekihdgdpdgoe/extension_1_0_21.crx GET /release/cffkpbalmllkdoenhmdmpbkajipdjfam/extension_1_0_498.crx GET /release/afalakplffnnnlkncjhbmahjfjhmlkal/extension_1_0_22.crx GET /release/oofiananboodjbbmdelgdommihjbkfag/extension_1_0_14.crx |
| Result: | Content-Type: application/x-chrome-extension |
Summary
During this first invocation, Brave makes HTTP connections to external systems on 3 different IPs. These IPs are in 2 different AS operated by 2 different companies (Cloudflare, Fastly) with domains in a single 2nd-level domain:
brave.com
Registrar: NameCheap, Inc. Organization: Brave Software State: CA Country: US
Opera
For Opera, things were split into two processes to track: the installer, and the browser invocation itself, which immediately and automatically followed the installation. Once the installer completed and opened the browser window (version 67.0.3575.53), a default startup page was loaded:

After that, we enter our destination URL, let the page load, and exit the browser.
DNS Lookups
Opera (and its installer) performed a total of 74 queries for 29 distinct names; the queries were A and AAAA lookups as well as one PTR lookup, and all were sent to the locally configured stub resolver.
The total list of DNS lookups done on a fresh new installation of Opera was, in order:
autoupdate.geo.opera.com. lati.autoupdate.opera.com. download.opera.com. us-download.opera.com. download3.operacdn.com. e11604.g.akamaiedge.net. autoupdate.geo.opera.com. lati.autoupdate.opera.com. sitecheck.opera.com. speeddials.opera.com. redir.opera.com. sd-images.operacdn.com. speeddials.opera.com. www.opera.com. exchange.opera.com. recover.operacdn.com. merchandise.opera-api.com. discover.operacdn.com. extension-updates.opera.com. world-gen.g.aaplimg.com. www.google.com. www.ne. www.net. www.ne.cable.rcn.com. 18.238.202.199.in-addr.arpa. www.ne.cable.rcn.com. features.opera-api.com. www.ne. www.netmeister.org. www.ne. www.ne.cable.rcn.com. desktop-dna.osp.opera.software. download1.operacdn.com. update.googleapis.com. redirector.gvt1.com. r5---sn-ab5sznle.gvt1.com. autoupdate.geo.opera.com. lati.autoupdate.opera.com.
As with the other Chromium-based browsers, it's no surprise to again see the DNS hijacking detection lookups as well as the incremental lookups fired as we type our destination URL www.netmeister.org (www.ne, www.net, each also tried with the resolver's search domain cable.rcn.com appended).
HTTP Traffic
After installation, the browser is started and makes a number of HTTP calls, as broken down below:

autoupdate.geo.opera.com
| IP: | 2001:4c28:3000:622:37:228:108:132 (Opera, AS39832) |
| Location: | Norway |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /geolocation/ POST / POST /stats/desktop-sessions-sub/v1/binary |
| Payload: | three XML documents, then 1635 bytes of application/x-osp data |
| Result: | { "country": "US", "timestamp": 1583286077 } for the geolocation call, and misc XML data |
speeddials.opera.com
| IP: | 107.167.110.216 (OperaSoftware, AS21837) |
| Location: | Ashburn, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /api/v2/partner-content?product=&country=US&edition=&uuid=900cb00e-d350-4aed-a74e-d4c08ec47567 GET /api/v2/suggestions?product=&country=US&language=en-US&uuid=0d1ac479-1b16-412e-86dc-118fcdede04c&type=desktop-suggestions GET /api/v2/suggestions?product=&country=US&language=en-US&uuid=0d1ac479-1b16-412e-86dc-118fcdede04c&type=desktop-suggestions GET /api/v3/news?country=us&language=en&locale=en_US&category=ar,bu,en,fo,ga,he,li,lv,mo,ne,sc,sp,te,tr&timezone=-05:00 GET /api/v1/features?country=US&language=en-US&uuid=a036c8a3-4076-4918-853f-dd9650893333 GET /api/v1/thumbnails/www.netmeister.org |
| Result: | json data; one of the responses alone is another 88 kB of json |
An interesting request here is the lookup of a thumbnail for the destination address, suggesting that any domain you enter in the location bar is sent to speeddials.opera.com. Note also the uuid= parameters, which are sent before the user has done anything and look like stable per-installation identifiers.
features.opera-api.com
| IP: | 107.167.110.216 (OperaSoftware, AS21837) |
| Location: | Ashburn, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /api/v1/features?country=US&language=en-US&uuid=a036c8a3-4076-4918-853f-dd9650893333 |
| Result: | json data |
sitecheck.opera.com
| IP: | 107.167.110.211 (OperaSoftware, AS21837) |
| Location: | Ashburn, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | POST /api/v2/check (three requests) |
| Payload: | 50 bytes of protobuf data |
| Result: | 26 bytes of protobuf data |
extension-updates.opera.com
| IP: | 107.167.110.211 (OperaSoftware, AS21837) |
| Location: | Ashburn, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /api/omaha/update/?os=mac&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=Stable&prodversion=80.0.3987.122&lang=en-US&acceptformat=crx3&x=id%3Dcom.opera.crx.blacklist%26v%3D0%26uc GET /api/omaha/blacklist.aa8c9c6d317f343a4c2e1b80f132be89058411264919eb57947037b57467cf9f.txt |
| Result: | this blacklist |
redir.opera.com
| IP: | 37.228.108.143 (Opera, AS39832) |
| Location: | Reston, VA |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /www.opera.com/firstrun/?http_referrer=&query= |
| Result: | 302 redirect to https://www.opera.com/client/welcome |
sd-images.operacdn.com
| IP: | 23.64.21.104 (Akamai, AS20940) |
| Location: | Netherlands |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /api/v1/images/a07ea74aa0b3aae5b7dc37789a2e834b1e883060.png [ 20 more images ] |
| Result: | PNG images |
www.opera.com
| IP: | 3.133.238.181 (Amazon, AS16509) |
| Location: | Seattle, WA |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /client/welcome |
| Result: | this welcome page |
exchange.opera.com
| IP: | 185.26.182.112 (Opera, AS39832) |
| Location: | generic Europe |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | GET /api/v1/cmc/ GET /api/v1/ecb/ GET /api/v1/nbu/ |
| Result: | misc XML and json data representing currency exchange rates |
redirector.gvt1.com
| IP: | 2607:f8b0:4006:804::200e (Google, AS15169) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP 1.1 |
| Request: | GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvN2Q5QUFXVzIwUTZCbVBNNnZaYm4wUXdzdw/4.10.1582.2_oimompecagnajdejgnnjijobebaeigek.crx |
| Result: | 302 redirect to http://r5---sn-ab5sznle.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvN2Q5QUFXVzIwUTZCbVBNNnZaYm4wUXdzdw/4.10.1582.2_oimompecagnajdejgnnjijobebaeigek.crx?cms_redirect=yes&mip=2001:470:1f07:1d1:1008:72fe:df23:db77&mm=28&mn=sn-ab5sznle&ms=nvh&mt=1583285867&mv=u&mvi=4&pl=47&shardbypass=yes |
r5---sn-ab5sznle.gvt1.com
| IP: | 2607:f8b0:4006:3b::b (Google, AS15169) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP 1.1 |
| Request: | GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvN2Q5QUFXVzIwUTZCbVBNNnZaYm4wUXdzdw/4.10.1582.2_oimompecagnajdejgnnjijobebaeigek.crx |
| Result: | ~4MB Content-Type: application/x-chrome-extension |
autoupdate.geo.opera.com
| IP: | 2001:4c28:3000:622:37:228:108:132 (Opera, AS39832) |
| Location: | Norway |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Request: | POST /stats/desktop-sessions-sub/v1/binary with the header Authorization: Basic azREem0ySzBNcjRqM3hHNzE5cEZ1MGhLRU9zdVo1YlQ6 |
| Payload: | 1635 bytes of application/x-osp data |
Another case of a credential baked into the client: the Basic auth value decodes to k4Dzm2K0Mr4j3xG719pFu0hKEOsuZ5bT: (a 32-character username with an empty password), a static token that a fresh installation presents before the user has done anything.
Summary
During this first invocation, Opera makes HTTP connections to external systems on 9 different IPs. These IPs are in 5 different ASes, operated by Akamai, Amazon, Google, and Opera (which uses both AS39832 in Norway and AS21837 in the US), with domains in four different 2nd-level domains:
gvt1.com
Registrar: MarkMonitor Inc. Organization: Google LLC State: CA Country: US
opera-api.com, opera.com, operacdn.com
Registrar: NameWeb BVBA Organization: Opera Software AS Country: NO
Vivaldi
Vivaldi 2.11.1811.47 is another Chromium based browser that was tested based on popular demand.
The packet capture was started before opening the application for the first time after downloading it. We are prompted to confirm that we want to install the browser, and are eventually shown a welcome screen, from which we can skip the tour to end up on the home screen:

In the background, Vivaldi opens a second tab with the "What's New" page:

DNS Lookups
Vivaldi performed a total of 52 queries for 24 distinct names; the queries were for A and AAAA lookups only and were via the locally configured stub resolver.
The total list of DNS lookups done on a fresh new start by Vivaldi was, in order:
local. update.vivaldi.com. www.gstatic.com. clients2.google.com. downloads.vivaldi.com. ocsp2.globalsign.com. ocsp.globalsign.com. cdn.globalsigncdn.com.cdn.cloudflare.net. ocsp.pki.goog. pki-goog.l.google.com. vivaldi.com. ocsp.digicert.com. cs9.wac.phicdn.net. redirector.gvt1.com. r1---sn-ab5sznly.gvt1.com. s.w.org. kuocktk.cable.rcn.com. gomgxdwum.cable.rcn.com. xwdigyrjjgxnukq.cable.rcn.com. kuocktk.cable.rcn.com. xwdigyrjjgxnukq. gomgxdwum.cable.rcn.com. kuocktk. gomgxdwum.cable.rcn.com. kuocktk. gomgxdwum. ssl.gstatic.com. update.vivaldi.com. www.netmeister.org.
As before with Google Chrome, we see a number of lookups of random character sequences to detect DNS hijacking.
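Turning lookup sequences like the Opera and Vivaldi lists above into the numbers reported here (total queries, distinct names, names per 2nd-level domain) is a small scripting job, and the two kinds of noise, the hijack-detection probes and the incremental lookups fired while typing, can be recognised mechanically. The Python below is an added example, not code from this post or from any browser vendor. It takes Vivaldi's list above as constructed input, assumes that Chromium's probes are bare hostnames of 7 to 15 lowercase letters (the shape of kuocktk, gomgxdwum and xwdigyrjjgxnukq), infers the stub resolver's search domain from the suffixed copies of those probes, and uses the same naive last-two-labels notion of "2nd-level domain" that the summaries in this post use.

```python
import re
from collections import Counter

# Constructed input: Vivaldi's lookup sequence as listed in the post above, one
# entry per name queried (each entry stands for the A/AAAA pair the browser sent).
VIVALDI_LOOKUPS = (
    "local. update.vivaldi.com. www.gstatic.com. clients2.google.com. "
    "downloads.vivaldi.com. ocsp2.globalsign.com. ocsp.globalsign.com. "
    "cdn.globalsigncdn.com.cdn.cloudflare.net. ocsp.pki.goog. pki-goog.l.google.com. "
    "vivaldi.com. ocsp.digicert.com. cs9.wac.phicdn.net. redirector.gvt1.com. "
    "r1---sn-ab5sznly.gvt1.com. s.w.org. kuocktk.cable.rcn.com. gomgxdwum.cable.rcn.com. "
    "xwdigyrjjgxnukq.cable.rcn.com. kuocktk.cable.rcn.com. xwdigyrjjgxnukq. "
    "gomgxdwum.cable.rcn.com. kuocktk. gomgxdwum.cable.rcn.com. kuocktk. gomgxdwum. "
    "ssl.gstatic.com. update.vivaldi.com. www.netmeister.org."
).split()

# Assumption: Chromium's intranet redirect detector resolves a few random bare
# hostnames of 7 to 15 lowercase letters; a resolver that answers them is
# rewriting NXDOMAIN. The captures above show exactly that shape.
PROBE_LABEL = re.compile(r"^[a-z]{7,15}$")


def normalize(name):
    return name.rstrip(".").lower()


def second_level(name):
    """Naive registrable domain: the last two labels. Fine for the .com/.net/.org/.goog
    names seen here; a real tool would use the Public Suffix List (co.uk, ...)."""
    labels = name.split(".")
    return ".".join(labels[-2:])


def classify_lookups(raw_names, destination, search_domain=None):
    """Split an ordered list of queried names into hijack probes, incremental
    typing lookups, and the names the browser actually meant to reach (by 2LD)."""
    names = [normalize(n) for n in raw_names]
    destination = normalize(destination)

    # 1. Bare single-label names of probe shape are the hijack-detection lookups.
    #    (A bare 'localhost' would match too; sanity-check against the capture.)
    probes = {n for n in names if "." not in n and PROBE_LABEL.match(n)}

    # 2. The stub resolver also tries each probe with its search domain appended,
    #    which reveals that search domain (cable.rcn.com in the captures above).
    suffixes = Counter(n.partition(".")[2] for n in names
                       if n.partition(".")[0] in probes and "." in n)
    if search_domain is None and suffixes:
        search_domain = suffixes.most_common(1)[0][0]
    probe_queries = {n for n in names if n.partition(".")[0] in probes}

    # 3. Lookups fired while the URL is typed are proper prefixes of the
    #    destination, again either bare or with the search domain appended.
    typed = set()
    for n in names:
        bare = n
        if search_domain and n.endswith("." + search_domain):
            bare = n[: -len(search_domain) - 1]
        if bare != destination and destination.startswith(bare):
            typed.add(n)

    # 4. Whatever is left is what the browser meant to reach.
    by_2ld, other = Counter(), set()
    for n in set(names) - probe_queries - typed:
        if "." not in n or n.endswith(".arpa"):
            other.add(n)  # mDNS 'local', PTR lookups, ...
        else:
            by_2ld[second_level(n)] += 1

    return {
        "total": len(names),
        "distinct": len(set(names)),
        "probes": probes,
        "search_domain": search_domain,
        "typed_prefixes": typed,
        "by_2ld": by_2ld,
        "other": sorted(other),
    }


if __name__ == "__main__":
    r = classify_lookups(VIVALDI_LOOKUPS, "www.netmeister.org")
    print(f"{r['total']} queries, {r['distinct']} distinct names, "
          f"search domain {r['search_domain']}")
    print("hijack probes:", sorted(r["probes"]))
    for sld, count in r["by_2ld"].most_common():
        print(f"  {count:2d}  {sld}")
```

Run as is, it reports the 24 distinct names from the Vivaldi list, the three probe labels and the cable.rcn.com search domain; for the Opera list, where the probes do not appear in the sequence as printed, pass search_domain explicitly and the www.ne / www.net / www.ne.cable.rcn.com lookups come out as typing prefixes. The search-domain detail is worth a second look: the stub resolver appends whatever domain the ISP handed out via DHCP, so every one of these stray lookups also tells the authoritative servers being queried which ISP you are on.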
HTTP Traffic
At startup, Vivaldi makes a number of HTTP calls, as broken down below:

www.gstatic.com
| IP: | 2607:f8b0:4006:811::2003 (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /autofill/hourly/bins.json GET /autofill/weekly/merchants.json |
| Result: | { "cpan_eligible_merchant_wl": ["dump-truck.appspot.com"] } and { "cpan_eligible_bin_wl_regex": ["^4[0-9]{15,18}$"] } |
downloads.vivaldi.com
| IP: | 151.139.236.233 (Highwinds Network Group, AS33438) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP 1.1 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| Request: | GET /blocklist/current.json |
| Result: | 7.1 MB blocklist of > 25K naughty domains |
clients2.google.com
| IP: | 2607:f8b0:4006:811::200e (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /service/update2/crx?os=mac&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=80.0.3987.136&lang=en-US&acceptformat=crx3&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 |
| Result: | <?xml version="1.0" encoding="UTF-8"?> <gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"> <daystart elapsed_days="4820" elapsed_seconds="35325"/> <app appid="pkedcjkdefgpdelpbcmbmeomcjbeemfm" cohort="" cohortname="" status="ok"> <ping status="ok"/> <updatecheck codebase="http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx" fp="1.9fcd7a76a4b67fe5efd45a1170a7f75bd9fe57644103eee43d5348f422c2320b" hash_sha256="9fcd7a76a4b67fe5efd45a1170a7f75bd9fe57644103eee43d5348f422c2320b" protected="0" size="859573" status="ok" version="8019.1111.0.0"/> </app> </gupdate> |
Note that the codebase URL handed out here is plain http://, but the manifest itself arrived over HTTPS and carries the package's SHA-256 (hash_sha256), so the cleartext download that follows can still be verified before it is installed.
update.vivaldi.com
| IP: | 82.22.130.137 (Virgin Media, AS5089) |
| Location: | Ipswich, England |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.2, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| Request: | POST /rep/rep?installation_status=new_user&weekly&monthly |
| Payload: | _cvar={"1":["cpu","x86_64"],"2":["v","2.11.1811.47"]}&action_name=FirstRun&idsite=36&rec=1&res=2880x1800&uid=90996D26C813590E&url=http://localhost/FirstRun&installation_year=2020&installation_week=11&earliest_installation_year=0&earliest_installation_week=0&ua=Mozilla/5.0+(Macintosh%3B+Intel+Mac+OS+X+10_15_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/80.0.3987.136+Safari/537.36 |
Of interest here is that the data posted to the server includes your screen resolution (res=2880x1800) as well as a 'uid' of some sort (90996D26C813590E, a 64-bit value that presumably identifies this installation in later reports). The parameter names (idsite, rec, action_name, _cvar, res, url) are those of the Matomo (formerly Piwik) tracking API, so this is a first-run analytics beacon, explicitly tagged installation_status=new_user.
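Three things worth checking in every captured request are static credentials (the Basic auth header Opera sends to autoupdate.geo.opera.com above), stable per-installation identifiers (Opera's uuid= parameters, Vivaldi's uid= here), and the client's own address echoed back into a URL (the mip= parameter in the gvt1.com redirects both Opera and Vivaldi follow). The Python below is an added example, not code from this post or from any of the vendors. Its inputs are constructed from the requests shown in this post (the gvt1 path is shortened, the query strings are as captured), and it classifies parameters by the shape of their values (IP literal, UUID, long hex string, WxH resolution) rather than by name, so a parameter that is simply renamed is still caught.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed samples, copied from the requests shown in this post (the gvt1
# path is shortened; everything after the '?' is as captured).
OPERA_AUTH = "Basic azREem0ySzBNcjRqM3hHNzE5cEZ1MGhLRU9zdVo1YlQ6"
SPEEDDIALS_URL = ("https://speeddials.opera.com/api/v2/partner-content"
                  "?product=&country=US&edition=&uuid=900cb00e-d350-4aed-a74e-d4c08ec47567")
GVT1_REDIRECT = ("http://r5---sn-ab5sznle.gvt1.com/edgedl/chromewebstore/x.crx"
                 "?cms_redirect=yes&mip=2001:470:1f07:1d1:1008:72fe:df23:db77&mm=28"
                 "&mn=sn-ab5sznle&ms=nvh&mt=1583285867&mv=u&mvi=4&pl=47&shardbypass=yes")
VIVALDI_BODY = ('_cvar={"1":["cpu","x86_64"],"2":["v","2.11.1811.47"]}&action_name=FirstRun'
                "&idsite=36&rec=1&res=2880x1800&uid=90996D26C813590E"
                "&url=http://localhost/FirstRun&installation_year=2020&installation_week=11")

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_ID_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)  # 64+ bits of hex: an installation id
SCREEN_RE = re.compile(r"^\d{3,5}x\d{3,5}$")       # WxH, a fingerprinting datum
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def decode_basic_auth(header_value):
    """Turn 'Basic <base64>' into (user, password). Returns None for any other
    scheme or for a token that is not valid base64; a decoded value without a
    colon is returned as (token, None) so a bare API key is still visible."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else (decoded, None)


def classify_value(value):
    """Classify a parameter value by shape alone, independent of its name."""
    try:
        ipaddress.ip_address(value)  # a v4 or v6 literal: the client's own address
        return "client-ip"
    except ValueError:
        pass
    if UUID_RE.match(value):
        return "uuid"
    if HEX_ID_RE.match(value):
        return "hex-id"
    if SCREEN_RE.match(value):
        return "screen-resolution"
    return None


def find_identifiers(url_or_form):
    """Return {parameter: kind} for every query-string or form-body parameter
    whose value looks like an identifier, an IP address or a screen size.
    Accepts a full URL (only its query is inspected) or a raw form body."""
    query = urlsplit(url_or_form).query if URL_RE.match(url_or_form) else url_or_form
    found = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_value(value)
        if kind:
            found[name] = kind
    return found


if __name__ == "__main__":
    print("Opera Basic auth decodes to:", decode_basic_auth(OPERA_AUTH))
    for label, sample in (("speeddials", SPEEDDIALS_URL),
                          ("gvt1 redirect", GVT1_REDIRECT),
                          ("Vivaldi first-run POST", VIVALDI_BODY)):
        print(f"{label}: {find_identifiers(sample)}")
```

The mip= hit is the one to pause on: the value is the client's own IPv6 address (the 2001:470: prefix is the Hurricane Electric tunnel described in the setup), placed into a URL that is then fetched over plain HTTP, so it is visible to anyone on the path twice over.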
redirector.gvt1.com
| IP: | 2607:f8b0:4006:811::200e (Google, AS15169) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP 1.1 |
| Request: | GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx |
| Result: | Redirect to http://r1---sn-ab5sznly.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=uP&mip=2001:470:1f07:1d1:c0fc:4ab4:ec31:5694&mm=28&mn=sn-ab5sznly&ms=nvh&mt=1584117640&mv=u&mvi=0&pl=47&shardbypass=yes |
r1---sn-ab5sznly.gvt1.com
| IP: | 2607:f8b0:4006:6::6 (Google, AS15169) |
| Location: | generic US |
| Port: | 80 |
| Protocol: | HTTP 1.1 |
| Request: | GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjk4QUFXWHV4aEtlX19peUJMaUFXd3dUZw/8019.1111.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=uP&mip=2001:470:1f07:1d1:c0fc:4ab4:ec31:5694&mm=28&mn=sn-ab5sznly&ms=nvh&mt=1584117640&mv=u&mvi=0&pl=47&shardbypass=yes |
| Result: | 8K Content-Type: application/x-chrome-extension |
vivaldi.com
| IP: | 2606:4700:3037::6812:3719 (Cloudflare, AS13335) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /newfeatures?hl=en-US&version=2.11.1811.47&os=M GET /browser/whats-new-in-vivaldi-2-11 GET /whats-new-in-vivaldi-2-11/ GET /wp-includes/css/dist/block-library/style.min.css?ver=5.3.2 GET /wp-content/themes/vivaldicom-theme/style.css?ver=1582721612 GET /wp-content/themes/vivaldicom-theme/fonts/font-awesome/font-awesome.min.css?ver=1539179228 GET /wp-includes/js/jquery/jquery.js?ver=1.12.4-wp GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 GET /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js GET /wp-content/plugins/page-links-to/dist/new-tab.js?ver=3.2.2 GET /wp-content/themes/vivaldicom-theme/img/vivaldilogo-standard.png GET /logme.gif GET /wp-content/uploads/vivaldi.2.11.pip-hero_b.jpg GET /wp-content/uploads/2.11-PiP_Screenshot_Final.png GET /wp-content/uploads/2.11_OS-themes_Screenshot_Final.png GET /wp-content/uploads/keyboard-shortcut-tabs_loop.gif GET /wp-content/themes/vivaldicom-theme/img/social_twitter.png GET /wp-content/themes/vivaldicom-theme/img/social_facebook.png GET /wp-content/themes/vivaldicom-theme/img/social_reddit.png GET /wp-content/themes/vivaldicom-theme/img/social_email.png GET /wp-content/themes/vivaldicom-theme/img/icons/mail.png GET /wp-content/themes/vivaldicom-theme/img/icons/vivaldi-red.svg GET /wp-content/themes/vivaldicom-theme/img/android/icon-vivaldi-beta.png GET /rep/rep?action_name=What%E2%80%99s%20New%20in%20Vivaldi%202.11%20%7C%20Vivaldi%20Browser&idsite=4&rec=1&r=463671&h=12&m=48&s=43&url=https%3A%2F%2Fvivaldi.com%2Fwhats-new-in-vivaldi-2-11%2F&_id=1657ef4941f57060&_idts=1584118123&_idvc=1&_idn=0&_refts=0&_viewts=1584118123&send_image=1&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=1440x900&gt_ms=679&pv_id=lqmvek GET /favicon.ico |
| Result: | Redirect to /browser/whats-new-in-vivaldi-2-11 Redirect to https://vivaldi.com/whats-new-in-vivaldi-2-11/ Startup and What's New pages |
ssl.gstatic.com
| IP: | 2607:f8b0:4006:811::2003 (Google, AS15169) |
| Location: | generic US |
| Port: | 443 |
| Protocol: | HTTP2 |
| TLS: | 1.3, TLS_AES_128_GCM_SHA256 |
| Request: | GET /safebrowsing/csd/client_model_v5_variation_0.pb GET /safebrowsing/csd/client_model_v5_ext_variation_0.pb |
| Result: | 80K of Content-Type: application/octet-stream |
Other Traffic
SSDP and mDNS
Since Vivaldi is based on Chromium, it's no surprise we see the same SSDP and mDNS traffic as we saw above.
Summary
During the first invocation, Vivaldi makes HTTP connections to external systems on 6 different IPs in 4 different AS operated by 4 different companies (Google, Highwinds Network Group, Virgin Media, Cloudflare) in 4 different 2nd-level domains:
google.com, gstatic.com, gvt1.com
Registrar: MarkMonitor Inc. Organization: Google LLC State: CA Country: US
vivaldi.com
Registrar: GoDaddy.com, LLC Organization: Domains By Proxy, LLC State: AZ Country: US
Conclusion
Well, there you have it. When you start a browser and visit a single page, you're not connecting to just that page. All of the major browsers make a number of calls to their provider for updates, as well as to third parties, but they differ in how widespread those connections are:
| Browser | # of unique names looked up via DNS | # of services contacted via HTTP | amount of data downloaded | amount of data uploaded |
| Mozilla Firefox 73.0.1 | 65 | 10 (in 5 different 2nd-level domains) | 9.54 MB | 171 kB |
| Google Chrome 80.0.3987.122 | 19 | 9 (in 6 different 2nd-level domains) | 7.21 MB | 20.3 kB |
| Microsoft Edge 80.0.361.57 | 46 | 15 (in 5 different 2nd-level domains) | 10.8 MB | 382 kB |
| Safari 13.0.5 (15608.5.11) | 26 | 19 (in 12 different 2nd-level domains) | 560 kB | 24.5 kB |
| Brave 1.4.95 (Chromium 80.0.3987.122) | 19 | 6 (in a single 2nd-level domain) | 8.4 MB | 38.9 kB |
| Opera 67.0.3575.53 | 29 | 12 (in 4 different 2nd-level domains) | 5.05 MB | 75.1 kB |
| Vivaldi 2.11.1811.47 | 24 | 8 (in 4 different 2nd-level domains) | 9.84 MB | 50.7 kB |
A few additional things that I think stand out:
- Firefox makes a surprising number of connections and lookups
- among the four browsers originally compared, Chrome has the fewest connections and keeps the data within Google; of the browsers added later, Brave (6 services, all within brave.com) and Vivaldi (8) contact even fewer services
- HTTP2 and TLS 1.3 are now widely used for the main sites; IPv6 is still not ubiquitous
- Chrome is the only browser that makes all calls via IPv6, TLS 1.3, and HTTP2 only
- there is basically no plain HTTP; the notable exceptions are the extension (.crx) downloads from redirector.gvt1.com and the r*.gvt1.com hosts by Opera and Vivaldi, which go over port 80 (the update manifest that points at them is fetched over HTTPS and carries the package's SHA-256, so the download can still be verified, but the redirect URL does carry the client's own IP address in the mip= parameter in the clear)
- by and large, only two or three different TLS cipher suites are in use (Wikimedia was the only server to deviate by offering ECDSA with ChaCha20/Poly1305, and update.vivaldi.com the only one to negotiate ChaCha20/Poly1305 with RSA; everything else was ECDHE-RSA with AES-GCM for TLS 1.2 or TLS_AES_128_GCM_SHA256 for TLS 1.3); considering how many cipher suites most servers offer, we are arriving at a perhaps surprising monoculture
- Safari is hard to untangle from the OS, taking advantage of several helper apps
- Firefox is the only browser left to make OCSP calls (about:config#ocsp); Safari appears to outsource this to trustd, while Chrome (and by extension, Edge) simply have OCSP lookups disabled; note, though, that Vivaldi's lookups above include several OCSP responder names (ocsp.globalsign.com, ocsp.pki.goog, ocsp.digicert.com), so not every Chromium derivative behaves like Chrome here
The other thing worth pointing out here is that from a network perspective, we're looking at significant centralization of our resources: many of the companies use the same registrar, and almost all connections were made to the same handful of (CDN) networks (Akamai, Amazon, Cloudflare, Fastly, Google).
With the advent of DNS over HTTPS, I plan on revisiting the default connectivity from a DNS point of view with different configurations (default DNS, use of the canary domain (for Firefox), use of Google's DNS, ...). But of course that won't have any impact on where the browsers make their HTTP calls to, and I think that is something that's not been paid much attention to in this debate.
Additional Links:
- Discussions on Lobsters
- Discussions on Hacker News
- Web Browser Privacy: What Do Browsers Say When They Phone Home? (A very similar analysis, covered here.)