Wednesday, March 23, 2022 [Tweets] [Favorites]

Firefox Unique Download Identifiers

Martin Brinkmann (via Hacker News):

Internet users who download the Firefox web browser from the official Mozilla website get a unique identifier attached to the installer that is submitted to Mozilla on install and first run.

[…]

This data will allow us to correlate telemetry IDs with download tokens and Google Analytics IDs. This will allow us to track which installs result from which downloads to determine the answers to questions like, “Why do we see so many installs per day, but not that many downloads per day?”

[…]

Mozilla notes that the opt-out mechanism is the standard Telemetry opt-out. How users may opt-out before the installation of Firefox is unclear.

I don’t think this applies to the Mac version. It would be hard to combine with notarization.

Previously:

2 Comments

Steve Hartwell

>>I don’t think this applies to the Mac version. It would be hard to combine with notarization.

I would have to read the current Firefox source to understand what it actually does to get a "download token", but the first thing that came to mind for macOS is the quarantine extended attribute which is copied from the Firefox disk image to the application when it is drag-installed:
% xattr -l Firefox.app/Contents/MacOS/firefox
com.apple.quarantine: 0181;623b932a;Chromium;

if indeed the first part of that is unique in some way.

(FWIW: Windows has a quarantine-like attribute as well, known as the Zone Identifier.)

>I don’t think this applies to the Mac version.

Indeed.

On macOS, downloaded Firefox from Safari and Edge. Same hash. On Windows, downloaded Firefox from IE and Edge. Two hashes.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment