The Mozilla Speculative Connect API is a new one feature που προστέθηκε πριν από πολλές πολλές εκδόσεις του Firefox, και η αποστολή του είναι να δημιουργεί εκ των προτέρων στο πρόγραμμα περιήγησης HTTP συνδέσεις, που πιθανολογεί ότι ο χρήστης θα μεταβεί.
Basically, this API comes to the fore every time a user hovers over a link. Then the browser, interpreting this action as an intent to navigate to it, starts issuing HTTP requests to that web page, and pre-establishes TCP and SSL handshakes, just in case the user does click on the specific link to go to the specific page.
As you can imagine, this API is there to improve page loading times. And he does well on several occasions.
What you don't know is that this type of behavior can be used by malicious actors (usually websites) to track their users, even if they ultimately won't browse their sites.
As he points out Yuri Khan on the Mozilla bug tracker, the current version of the Speculative Connect API, which does not have a GUI that allows users to disable this feature, adds a hole to the Firefox privacy shield.
An attacker who wants to check a list of email addresses could easily get a list of IPv6 addresses, link them to an email, create a basic HTML page and host it at that address.
Sending a message to this email, specially crafted to contain a large link that fills up as much space as possible on the email server, would help the attacker, thanks to the Speculative Connect API, control which email address is still in use.
Because Firefox would just start a connection to the server, the attacker could easily verify if the email is still in use, and also learn the user's IP without ever having the victim visit his website.
Obviously, you can not perform serious attacks on a user who simply goes over his mouse over a connection but Speculative Connect API is more privacy-sensitive than a security vulnerability.
Since this feature is enabled by default for all users, until the Firefox team decides to put a checkbox somewhere in the browser settings that will allow the user to decide whether or not to use this feature, there is only a way to disable this silent pre-connection. Just follow these steps.
Step 1: In a new tab write “about:config” and press the “I'll pay attention” button in the question that Firefox will ask you
Step 2: Type “network.http.speculative-parallel-limit” in the search box
Step 3: Double click on the setting and enter "0" in the popup window that appears.
Once you have disconnected the Speculative Connect API.
