Disable the Speculative Connect API in Firefox

The Speculative Connect API is a feature that was added many versions ago, and its job is to open HTTP connections in the browser ahead of time, to destinations it guesses the user will visit.

Basically, this API comes into play every time a user hovers the mouse over a link. The browser interprets this action as an intent to navigate there, starts issuing HTTP requests toward it, and performs the TCP and SSL handshakes in advance, just in case the user clicks the link to go to that page.

As you can imagine, this API is there to improve page loading times, and in many cases it does that well.

What you may not know is that this behavior can be used by malicious actors (usually websites) to track users even if they never navigate to their sites.

As Yuri Khan points out on the Mozilla bug tracker, the current version of the Speculative Connect API, which has no GUI that lets users disable the feature, opens a hole in Firefox's privacy shield.

An attacker who wants to check a list of email addresses could easily take a list of IPv6 addresses, attach them to an email, create a basic HTML page, and host it at that address.

Sending a message to this email, specially crafted to contain a large link that fills up as much space as possible on the email server, would help the attacker, thanks to the Speculative Connect API, check which email address is still in use.

Because Firefox would just start a connection to the server, the attacker could easily verify if the email is still in use, and also learn the user's IP without ever having the victim visit his website.

Obviously, you cannot carry out serious attacks against a user who merely hovers the mouse over a link, so the Speculative Connect API is more of a privacy concern than a security vulnerability.

This feature is enabled by default for all users. Until the Firefox team decides to put a checkbox somewhere in the browser settings that lets the user decide whether or not to use it, there is only one way to disable this silent pre-connection. Just follow these steps.

Step 1: In a new tab, type "about:config" and press the "I'll be careful" button on the warning that Firefox shows you.

Step 2: Type "network.http.speculative-parallel-limit" in the search box.

Step 3: Double click on the setting and enter "0" in the popup window that appears.

You have just disabled the Speculative Connect API.
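The three steps above change a single preference, which Firefox stores in the profile directory. As an added example (not part of the original article), the Python code below reads a profile's user.js and prefs.js, reports the value that will apply, and pins the preference to 0 in user.js. The function names and the sample profile are constructed for illustration, and it assumes Firefox's standard `user_pref("name", value);` file syntax.

```python
import re
import tempfile
from pathlib import Path

PREF = "network.http.speculative-parallel-limit"
# Matches an active (uncommented) user_pref("<PREF>", <int>); line.
PREF_RE = re.compile(
    r'^\s*user_pref\("' + re.escape(PREF) + r'",\s*(-?\d+)\s*\);', re.M)


def effective_limit(profile: Path):
    """Value Firefox uses after its next start, or None if the pref is unset.

    user.js is applied over prefs.js at startup; the last entry in a file wins.
    """
    for name in ("user.js", "prefs.js"):
        path = profile / name
        if path.is_file():
            hits = PREF_RE.findall(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                return int(hits[-1])
    return None


def enforce_zero(profile: Path) -> bool:
    """Pin the pref to 0 in user.js; return True if the file was changed."""
    if effective_limit(profile) == 0:
        return False
    user_js = profile / "user.js"
    old = user_js.read_text(encoding="utf-8") if user_js.is_file() else ""
    # Drop earlier settings of this pref, keep everything else, append the pin.
    kept = [ln for ln in old.splitlines() if not PREF_RE.match(ln)]
    kept.append(f'user_pref("{PREF}", 0);')
    user_js.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return True


def demo():
    """Constructed profile directory standing in for a real Firefox profile."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "prefs.js").write_text(
            f'user_pref("browser.startup.page", 3);\nuser_pref("{PREF}", 10);\n',
            encoding="utf-8")
        before = effective_limit(profile)
        changed = enforce_zero(profile)
        return before, changed, effective_limit(profile), enforce_zero(profile)
```

Run `enforce_zero` against a real profile only while Firefox is closed, since the browser rewrites prefs.js on exit and reads user.js at startup.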


iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
