Prevent the browser from starting connections on mouse hover

Aug 15, 2015 08:25 GMT

The Mozilla Speculative Connect API is a feature that was added to Firefox many, many versions ago, allowing the browser to set up HTTP connections in advance for links it deems the user "is about" to navigate to.

Basically, the API comes into play whenever a user hovers the mouse over a link, the browser interpreting this action as an intent to navigate to it.

Firefox will start issuing HTTP requests to that URL, setting up TCP and SSL handshakes in advance, in case the user actually clicks and navigates to that particular page.

As you can imagine, this is great for improving page load times. What you did not know is that this type of behavior can be used by malicious actors to track users, even if they don't navigate to their sites.

As Yuri Khan points out on the Mozilla bug tracker, the current version of the Speculative Connect API, implemented without a GUI to let users disable this feature, is a hole in Firefox's privacy shield.

An attacker who wants to verify a list of email addresses could easily take a list of IPv6 addresses, associate each of them with an email address, create a basic HTML page and host it on that address.

An attacker could log your IP even without you navigating to his site

Sending a message to that email, specially crafted to show a big link that covers as much space inside the email as possible, would help the attacker verify which email address is still in use thanks to the Speculative Connect API.

Because simply hovering a link in Firefox will initiate a connection to that server, the attacker could easily verify if the email is still in use, and even log the user's IP without him ever landing on his site.

While for many years users were instructed by security experts to hover a link before they navigate to it, this works to the advantage of malicious actors now.

Obviously, you cannot perform serious attacks on a user hovering a link, this being a privacy-related issue and not a security vulnerability.

This feature is turned on by default for all users. Until the Firefox team decides to implement a checkbox somewhere in the browser's settings to let the user decide whether to use this feature, there's only one way to disable silent link pre-connections. It includes the steps described below.

Step 1: In a new tab type "about:config"

Step 2: Type in "network.http.speculative-parallel-limit"

Step 3: Double-click the setting and enter "0" in the popup that appears.
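The same setting can be checked and applied from outside the browser. The script below is an added example, not part of the original article and not Mozilla code: it reads a profile's prefs.js and user.js for the preference named in Step 2 and appends the value 0 to user.js when the profile does not already disable it. The profile directory passed in and the sample profile contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PREF = "network.http.speculative-parallel-limit"  # pref name from the article
# Firefox stores prefs as lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(profile_dir, name=PREF):
    """Effective value as a string, or None if the profile never sets it.
    user.js is applied on top of prefs.js at startup, so it is read last."""
    value = None
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
                m = PREF_RE.match(line)
                if m and m.group(1) == name:
                    value = m.group(2).strip('"')  # later lines override earlier ones
    return value

def audit(profile_dir):
    """Classify a profile: 'disabled', 'enabled' or 'default' (on, per the article)."""
    value = read_pref(profile_dir)
    if value is None:
        return "default"
    return "disabled" if value == "0" else "enabled"

def harden(profile_dir):
    """Append the pref with value 0 to user.js unless the profile already
    disables it. Returns True if the file was changed."""
    if audit(profile_dir) == "disabled":
        return False
    with open(Path(profile_dir) / "user.js", "a", encoding="utf-8") as fh:
        fh.write(f'\nuser_pref("{PREF}", 0);\n')
    return True

if __name__ == "__main__":
    # Constructed sample profile, not a real Firefox profile.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "prefs.js").write_text(
            'user_pref("browser.startup.page", 3);\n'
            f'user_pref("{PREF}", 6);\n', encoding="utf-8")
        print("before:", audit(d))
        print("changed:", harden(d))
        print("after:", audit(d))
```

Firefox reads user.js only at startup, so the browser has to be restarted before a change made this way takes effect.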

How to disable link pre-connections in Firefox