Each Firefox download has a unique identifier
Internet users who download the Firefox web browser from the official Mozilla website get a unique identifier attached to the installer that is submitted to Mozilla on install and first run.
The identifier, called dltoken by Mozilla internally, is used to link downloads to installations and first runs of the Firefox browser. The identifier is unique to each Firefox installer, which means that it is submitted to Mozilla whenever it is used.
While it is possible to download new installers each time a new Firefox version is released, it is also possible to use the downloaded installer again for that purpose.
A bug report on Mozilla's official bug tracking website confirms the use of the download token. The linked document is not public, but the listing itself confirms the use and explains why it was implemented:
This data will allow us to correlate telemetry IDs with download tokens and Google Analytics IDs. This will allow us to track which installs result from which downloads to determine the answers to questions like, "Why do we see so many installs per day, but not that many downloads per day?"
According to Mozilla's description, the identifier is used to analyze downloading and installation trends among other things.
The feature is powered by Telemetry in Firefox and it applies to all Firefox channels.
Interested users may verify the findings. One of the easier ways is to check the hashes of two or more Firefox installer downloads (the same version, language and architecture). Each hash is different. A search for dltoken using any hex editor reveals the string in the Firefox installer.
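The check described above, written as a script. This is an added example, not code from the article or from Mozilla. The sample files are constructed stand-ins rather than real installers, and both the marker's encoding and the `dltoken=...` layout are assumptions.

```python
import hashlib
import os
import tempfile

# "dltoken" is the marker named in the article. Its on-disk encoding is an
# assumption here, so both ASCII and UTF-16LE forms are searched.
PATTERNS = {enc: "dltoken".encode(enc) for enc in ("ascii", "utf-16-le")}
OVERLAP = max(len(p) for p in PATTERNS.values()) - 1


def scan_installer(path, chunk=1 << 20):
    """Return (sha256 hex digest, sorted [(offset, encoding)] marker hits)."""
    digest, hits = hashlib.sha256(), set()
    tail, base = b"", 0  # base = file offset of the first byte of `window`
    with open(path, "rb") as fh:
        while data := fh.read(chunk):
            digest.update(data)
            window = tail + data  # carry bytes over so split markers are found
            for enc, pat in PATTERNS.items():
                pos = window.find(pat)
                while pos != -1:
                    hits.add((base + pos, enc))
                    pos = window.find(pat, pos + 1)
            tail = window[-OVERLAP:]
            base += len(window) - len(tail)
    return digest.hexdigest(), sorted(hits)


def first_difference(path_a, path_b, chunk=1 << 20):
    """Offset of the first differing byte, or None if the files are identical."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if a != b:
                diffs = (i for i, (x, y) in enumerate(zip(a, b)) if x != y)
                return offset + next(diffs, min(len(a), len(b)))
            if not a:
                return None
            offset += len(a)


def compare_downloads(path_a, path_b):
    """Compare two downloads of the same version, language and architecture."""
    (hash_a, hits_a), (hash_b, hits_b) = scan_installer(path_a), scan_installer(path_b)
    return {
        "identical": hash_a == hash_b,
        "sha256": (hash_a, hash_b),
        "marker_hits": (hits_a, hits_b),
        "first_diff": first_difference(path_a, path_b),
    }


def write_samples(directory):
    """Write constructed stand-ins (not real installers); token layout is made up."""
    body = b"MZ" + b"\x00" * 64 + b"payload" * 10
    samples = {
        "tagged_a.exe": body + b"dltoken=constructed-token-A",
        "tagged_b.exe": body + b"dltoken=constructed-token-B",
        "plain_a.exe": body,
        "plain_b.exe": body,
    }
    paths = {}
    for name, content in samples.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        p = write_samples(tmp)
        print(compare_downloads(p["tagged_a.exe"], p["tagged_b.exe"]))
        print(compare_downloads(p["plain_a.exe"], p["plain_b.exe"]))
```

Against real downloads, pass two installers of the same version, language and architecture to `compare_downloads`; matching digests with no marker hits indicate an untagged build.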
Firefox users who prefer to download the browser without the unique identifier may do so in the following two ways:
- Download the Firefox installer from Mozilla's HTTPS repository (formerly the FTP repository).
- Download Firefox from third-party download sites that host the installer, e.g., from Softonic.
Installers downloaded from these sources do not have the unique identifier, as they are identical whenever they are downloaded.
Mozilla notes that the opt-out mechanism is the standard Telemetry opt-out. How users may opt out before the installation of Firefox is unclear. A quick check of Chrome installers returned identical hashes each time.
Now You: how useful do you think the information is to Mozilla? (thanks PMC for the tip)
It’s useful enough for them to have implemented it. GA telemetry isn’t horribly invasive. Google is a bit slicker and implements the install tagging server-side leaving as little client side evidence as they can.
As for Firefox, you can prevent launch of the first-run OOBE via their Enterprise Policies, they have an atomic policy toggle for all outbound telemetry as far as I know, doubt it changed in the past 5 months since I stopped bothering to use FF. (Edge Enterprise FTW!)
This is a deal breaker. They have now made me a Mozilla basher. Screw them!
Awww
You might like LibreWolf.
Is it true you work for Google or Microsoft?
Wait until you see the stuff the EU is planning in order to “protect” you. They want an end to anonymity completely.
Doesn’t sound like a bright future. Can you specify what you are talking about?
Mozilla questioning everything but their poor approach to the browser and community. How to fix this and win back marketshare? The answer invariably is MORE TELEMETRY!
And they all cheered in their board meeting!
“IT’S GOLD!!”
“MAKE IT SO!!”
“WINNING!!”
Morons!
This ‘feature’ appears to enable interested persons to identify specific computers accessing specific sites. I suspect our ‘security services’ would find this ‘feature’ very useful should they have access to the data.
I do download a new installer each time a new Firefox version is released and perform a clean install (previous version is uninstalled). I always download the installer from [https://archive.mozilla.org/pub/firefox/releases/] but I do acknowledge [https://ftp.mozilla.org/pub/firefox/releases/] provided in the article. I just downloaded FF98.0 from the latter and it’s exactly the same as the installer from the former : hence, no dltoken identifier.
Besides this dltoken, there are two more IDs right in a Firefox’s profile, in the prefs.js file, accessible as well in about:config : toolkit.telemetry.cachedClientID AND browser.newtabpage.activity-stream.impressionId
No idea what the second relates to, but the first is surprising given all telemetry is blocked here.
Setting both to “” (about:config or with user.js) doesn’t change anything, but because I set pref values with Firefox Autoconfig rather than with a user.js file I can clear both on start and this time they are rebuilt but with different values :
// RESET IDs AT START
clearPref("toolkit.telemetry.cachedClientID");
clearPref("browser.newtabpage.activity-stream.impressionId");
Am I over-reacting? Maybe. I just dislike IDs hanging around and if my battle doesn’t change anything at least it doesn’t harm.
See what they’ve done to me, ma? Twenty years ago when I started surfing on the Web I’d post my name, email and so on (fortunately a good guy told me then to at least always avoid sharing my true “snail-mail” address) and now I behave as a newborn soldier, always cautious, often over-cautious, maybe occasionally paranoid. But, hey, we’re all like special agents in that we have to be aware of not only the bad guys but as well of the “good guys”, those who track us for our good, to protect us, for a better e-experience …
The beat goes on, baby.
And that is the thing:
All telemetry they collect is useless, since they scared away the tech savvy crowd. The clever people still use Firefox, especially on Linux. But they have become mutes toward Mozilla.
At the same time they wonder why so many people complain on bugzilla, yet use the argument they are a minority. They are not! Just because I disable telemetry in about:config and on DNS level doesn’t mean I am irrelevant or a minority.
I simply would prefer not to bug my machine to have a right to veto terrible changes to the browser I love!
“O Mozilla, your leaders have been like foxes among ruins.”
— modified from Ezekiel 13:4
“The beast that you saw was, and is not, and is about to rise from the bottomless pit and go to destruction. And the dwellers on earth whose names have not been written in the book of life from the foundation of the world will marvel to see the beast, because it was and is not and is to come”
— Revelation 17:8
@Tom Hawack
“the book of life” aka the “tree of life”, aka the “right hand of god”, aka the right hemisphere of the brain.
Sorry for the off-topic, couldn’t resist.
@Neutrino, no problem! I had tried myself to comment the quote but after 5 minutes gave up and considered that I’d appear smarter without trying to be. Remains the verse is increasingly questioning as you read it again and again. I found it by searching for revolt+bible, I’m not at all an exegete :=)
Back to our beasts, those which are!
Even on Linux, I’m not sure all builds of FF are safe. Old fashioned repositories and Flatpaks should be good, but I’m very suspicious of Snaps. On the next Ubuntu LTS, they say FF will come as a Snap by default. I personally use Librewolf on my setup though.
“See what they’ve done to me, ma? …e-experience …”
Ah! Ah! Ah! Terrific. A hymn of pain. Not to mention that our category is the most suffering possible: we are not computer scientists but neither people who don’t care. We do what we can with the awareness of our own limits knowing that if we give them an inch, they’ll take a mile.
After buying that useless device called ‘smathphone’ imposed by changing times, joking about it, I thought: maybe I could put an ad on Tinder peer looking for a better half who is competent in the matter.
‘Smartphone’. It sucks so bad that I keep making the mistake writing ‘Smart’.
For all of smathphones flaws, you can’t beat its usability factor when you need to do something quick while walking or outside. It may not be perfect but with few switches here and there, it can help albeit on a limited basis.
@Yash
Sure, but I’m still thinking about buying a simple Nokia and using that other (smart)thing in the rare cases I need it. It’s not a matter of privacy or anything else, I just don’t usually use it and I also find it cumbersome. I can spend time behind laptops, hardware components for assembled PCs, various technologies… but strangely I’ve never been interested in mobile phones. Well I guess I’m wrong since they are all stuck in front of the phone lately.
@Shiva
Just say you are typing on a virtual keyboard on a phone. Those smear and swipe keyboards are disliked by pretty much everyone with a mechanical keyboard.
@Shiva, >”A hymn of pain”. Everything is relative. When I wrote “I behave as a newborn soldier, always cautious, often over-cautious, maybe occasionally paranoid.” I should have emphasized on the difference with an armed soldier which faces blood and blasted bodies. Pain in our case, half moral and psychological half humorous, is not comparable to a soldier’s pain, sufferance when defending his invaded country, but also when attacking another (soldiers endorse, governments and sometimes a leader by himself decide.). Imagine moreover those facing the same without being soldiers …
I’m adding this as I just watched a TV documentary.
The fact that FF is downloadable without a unique ID is not the issue, and not even that useful since most users are unaware of the possibility and/or will not make use of it.
The elephant in the room is that that unique ID can, and undoubtedly will some time, be used for installations and 1st runs.
In other words, this is another step down the Google path.
FF’s telemetry is changed almost every time there is an update, so you have to check again and again what has changed and correct/counteract it.
Why would anyone download directly from Firefox? It’s already in the repos for nearly all distros. Is this article about Windows or Mac users? They are already uniquely identified in so many different ways, why should they care about this?
That is defeatist thinking and whataboutism. Because one company tracks you, all others must as well? Cool. Also try reading the article, your other questions are already answered in it.
Cool, I guess it’s a concern for Windows and Mac users, in which case I do not care. Those who desire to be identified and tracked, and spend their money to be identified and tracked, will be identified and tracked.
@Andy Prough
Quick reality check for you: Mozilla tagging their installers with unique IDs is not the fault of Apple or Microsoft.
And “wanting to be tracked”… If needing applications to run which are not available on Linux is the same as “wanting to be tracked” for you, then yes.
You are “thinking”.
About 95% do not “think”, they just follow. They have no clue in what ways and how they are tracked. Nor are they able to see how this will affect the future of humanity as a whole. It is impossible for most people to see small things leading to something much bigger. So they do not “desire” to be tracked, they just don’t understand any of it (and don’t care too much because they do not see a bigger picture).
If you do see the bigger picture and do care I suggest you try and help these people (and thus all people) instead of saying “I don’t care”. If you “don’t care” for anyone but yourself or your own “group” you are worse than the ignorant. You can’t blame people for not knowing or being able to see the things that are coming: it’s just how it works.
I’m sure both of you using Linux will be fine, but the vast majority of us will be using Windows.
Personally, I started downloading from the ftp site as soon they started using those horrid stub-installers way back when.
For firefox? I would imagine the percentage of users on various distros is quite high. We’re not talking about Chrome. Firefox is the default browser on nearly every distro.
Off topic: To add an extra layer of defense against ransomware, just add russian as an extra language on your computer.
Does this apply to Tor Browser as well?
An installer triggering an outbound connection is actually fairly common, though the reasons may vary. It’s usually to check if you’re installing the latest version but by default I block all such connections. I’ve noticed before that installing Firefox triggers my firewall but I didn’t know that THIS was the reason why. Well now I know. ;)
>Interested users may verify the findings. One of the easier ways is to check the hashes of two or more Firefox installer downloads (the same version, language and architecture). Each hash is different.
I just tried downloading it (US version) and:
If I download in Firefox, all installers are exactly the same, with the same hash (SHA256 starting with 340b1…, just like the one in your screenshot).
If I download in Chrome, the installers are different.
Same here. Which is why I find wording of this article interesting.
Anyway as with all software – Linux, Windows, Android – I always turn off internet connection especially on start and allow it only after changing certain settings. Time consuming yeah but hey this is modern world. New tech and all which we were crying for.
Scary! What if you had the installer from another computer using a mirror download link and installed Firefox offline on thousands of computers? Would it count once you get online?
*facepalm*
Question is why do they care about things like “Why do we see so many installs per day, but not that many downloads per day?”. I can’t think of any reason why a developer would want or even need that question answered.
Maybe a software developer can enlighten me.
wow, Mozilla turns into yet another doxing enterprise
Is this also a problem with the FF fork Librewolf? Very disappointed in FF. At the very least, this should be OPT-IN. Back to searching for a strong-by-default privacy browser.
So many new intrusions by Mozilla, Google-sponsored white knight of privacy(TM), how do you guys even keep track of all the newly introduced settings you need to toggle with each new update? But then, in a way, it is good that most Firefox diehards appear to be masochists that keep using this crap no matter how heavily Mozilla is betraying them. This list of 200+ settings you need to toggle in order to turn Firefox into what it is being advertised as (the most privacy-respecting browser out there short of Tor) is MASSIVELY off-putting to newbies. Good for other browsers in the privacy space, I don’t complain at all.
Bingo. I’ve always found their reactions hilarious.
“That’s it, I’m not going to use it after ” (Were you sleeping under a rock since 2011 when they started down this path by imitating Chrome?)
“Mozilla does respect privacy! You can always change these 50 about:config settings to be private again!” (Until they get rid of it altogether, as they did with making extension signing mandatory).
I use Pale Moon as a primary (unlike what you’ve said elsewhere, it works great with 99% of the sites I use, and Google/Facebook are not among them). Brave is my backup browser and it works great as well.
Along with this there is something else about telemetry that should concern us
When you turn off telemetry you don’t actually turn off the collection of data. You just save it locally.
You don’t send it to Mozilla, but you do store it.
Perhaps in some future upgrade they will turn on the telemetry during install and collect all your past telemetry.
It’s not just Mozilla and that is the broader issue here, it has become a tech cultural issue now that is so rampant. Once Google came in with their filth and then Microsoft weighed in with their lowbrow operating system from 8 upwards it was all downhill from there. These kinds of activities and practices were once heavily frowned upon and referred to as spyware then someone decided to change the name to Telemetry to remove any negative connotations or to attempt to undermine the perception of what it actually is.
It’s not a new practice, people that reverse software have been dealing with this kind of thing long before Mozilla started doing it but the fact that every man and their donkey are doing it now suggests that this kind of thing is accepted by the tech companies which is troubling indeed. We even have spyware (aka Telemetry) in drivers these days.
Mozilla isn’t the first to do it and they certainly won’t be the last. Mozilla is practically a lost cause these days. I don’t see them ever redeeming themselves and changing their ways anymore, the only thing one can hope for is that someone forks their work and heavily rewrites everything at which point they will take over all operations and have their team, community and skill set down. Mozilla will be left to languish and vanish to the sands of time and the world will keep spinning.
Others have tried to but failed to capitalize on such a plan so who knows. They just never managed to gather any real traction and capture the magic in a bottle that was once Firefox. I’m not begrudging any such projects and wish them much success but at this point its a huge uphill battle for the respective brands.
It’s almost as if they stayed in the shadows of Mozilla which is not where you want to be especially when Mozilla is in such a state.
Well said
I wonder what the Linux Mint Maintainers will have to say about that!
“And I think to myself~ What a wonderful world~”
Does anybody know please if the same applies when we download plugins or addons (.xpi) from Mozilla?
Does each xpi download (or online install) of any plugin have a GUID?
XPIs are the same to all users. They have an internal ID that is the same to all of us and used for the sqlite databases. Like where uBlock stores their filter rules and your settings. So no addon has access to the data of other addons.
No, extensions IDs are randomized once, so it’s different for every user, it was supposedly a privacy protection but turns out such ids are sometimes leaked by some extensions what gives a ~100% fingerprint chance. It has been reported already, 5 years ago.
If I have deleted the ID from the keys
browser.newtabpage.activity-stream.impressionId
toolkit.telemetry.cachedClientID
and I update via Help/about Firefox, will tracking be re-enabled?
@hg, I’m not savant enough to know if what applies to my Firefox 98.0 / Windows 7 environment applies to all.
What I can say, as I noted above, is that deleting the values of the preferences you mention (either within about:config or within a user.js file) doesn’t make it : the preferences remain with the same values.
In my case, because I use Firefox’s Autoconfig [https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig] I can *clear* (not delete) these values which means they will be reset and modified on Firefox restart. Deleting only these values will have them be reset to what they were previously but *not* modified.
// RESET IDs AT START
clearPref("toolkit.telemetry.cachedClientID");
clearPref("browser.newtabpage.activity-stream.impressionId");
In other words there’s nothing you can do about these prefs without Autoconfig.
But don’t worry : these prefs may very well be insignificant but because I’m uncertain I tried to play around with them, see how I could control them. Be noted that having these prefs get a new value at every start is better than having them set to null (blank) in that it won’t set you apart :=)
Windows 64-bit, English (US), on both Stable and ESR
https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
Name: Firefox Setup 98.0.1.exe
Size: 55528896 bytes (52 MiB)
SHA256: 340b13d52f3987ebb1c01b66cd389d26d5fa13db225f6dc135c3b4a8cca781b1
SHA1: 5dcdb1e5ee9172b78510fc9fc1ce2a759b09201f
https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr
Name: Firefox Setup 91.7.1esr.exe
Size: 55985512 bytes (53 MiB)
SHA256: 872449f18479088b2cb33ba5f3e91296c071de30e3a1ffed4c5a50dc3a27f67e
SHA1: 4c00b46b2a7a685801eaf6bdece68484338390b0
I can’t reproduce it on this page. I am not defending this behaviour, rather providing another potential solution. I have tried downloading it twice, using two different devices, running different operating systems and different browsers, on different ISPs. I always get the same file. You may want to check your downloads against mine, and if they match, it means this page is not distributing the modified installer. I do wonder exactly what is modified, the reason why I tried this is that I wanted to see exactly what is different.
Just checked it myself, my downloads from those pages match the ones from their ftp-wannabe page. Maybe it’s a regional thing?
When I download from the page you linked, I get different hashes each time. Which browser did you use for the downloading?
Martin,
Windows 10 > Chrome Dev 32-bit PAF and Firefox 64-bit ESR
Android 12 > Chrome ARM/64-bit
All four downloads match.
Strange that Martin gets different hashes each time.
I have the same hashes for downloads performed from 3 download sources, and the same each time.
Hashes are the same as those mentioned by Yuliya for Firefox 98.0.1
Downloaded with Firefox 98.0 x64 on Windows 7 x64
Firefox Setup 98.0.1.exe from
[https://www.mozilla.org/en-US/firefox/all/#product-desktop-release]
[https://archive.mozilla.org/pub/firefox/releases/98.0.1/win64/en-US/]
[https://ftp.mozilla.org/pub/firefox/releases/98.0.1/win64/en-US/]
SHA-256: 340B13D52F3987EBB1C01B66CD389D26D5FA13DB225F6DC135C3B4A8CCA781B1
SHA-1: 5DCDB1E5EE9172B78510FC9FC1CE2A759B09201F
Can you try and download from the same source twice and compare the hashes?
@Martin, downloading from the same source twice had been performed as I wrote it, “I have the same hashes for downloads performed from 3 download sources, and the same each time” : “…and the same each time”. I can test again. Any preference for the source, all three?
Firefox Setup 98.0.1.exe from
[https://www.mozilla.org/en-US/firefox/all/#product-desktop-release] : / Firefox / Windows 64 / English (US)
Unchanged :
SHA-256: 340B13D52F3987EBB1C01B66CD389D26D5FA13DB225F6DC135C3B4A8CCA781B1
SHA-1: 5DCDB1E5EE9172B78510FC9FC1CE2A759B09201F
What you encounter is odd. PLEASE : anyone else experiencing such a hash disparity?
FWIW I just downloaded again Firefox Setup 98.0.1.exe from
[https://www.mozilla.org/en-US/firefox/all/#product-desktop-release] : / Firefox / Windows 64 / English (US)
This time with FF’s ‘User-Agent Switcher’ extension set with ‘Windows 10 / Chrome 96’ : same hashes…
What if someone gets their Firefox software from the repos of a GNU/Linux distro – like Debian or Ubuntu for example? Would those packages also have a unique ID?
I just downloaded Firefox Setup 98.0.1.exe from the main site (not FTP repository) and uploaded it to Virustotal but the file was already scanned, first submitted about a week ago. So I guess it is not completely unique.
I downloaded again using Tor, that one had a different SHA1 and was NOT already scanned by VirusTotal.
Another minus Mozilla!!!
I’d like to know too. In France we’re far from it, even for adult contents they want website to check the age of a visitor with a certified method, but they don’t tell them how.
The Beast stumbled in the dark for it could no longer see the path. It started to fracture and weaken, trying to reshape itself into the form of metal.
Even the witches would no longer lay eyes upon it, for it had become hideous and twisted.
The soul of the Beast seemed lost forever.
Then, by the full moon’s light, a child was born; a child with the unbridled soul of the Beast that would make all others pale in comparison.
— from the Chronicles of the Pale Moon, 24:2
I am still using the last best version of Firefox 51 …not changing it any time soon.