For Firefox in particular, I have found that with the “most tight” privacy fine tuning (user.js and the like), the browser still creates connections on startup with no pages opened. It contacts content-signature-2.cdn.mozilla.net and at the time I found this there was no way to block this through any kind of settings. That’s why I block this host on DNS level (which is superficial - effective blocking must be on IP level after resolving). I haven’t made any test recently, so it is certainly possible that the host has changed and/or new hosts are being contacted. This is for Firefox though, not TB, but it is no surprise TB inherits something like that. IceCat surely did that too.
When I made such tests, I found that the only modern browser which created zero connections on startup was ungoogled-chromium.
For TB specifically:
I notice that even with no extensions installed and no other VMs actively using the Internet, starting Tor Browser always results in some traffic increase (for a few seconds). I notice this in a standard network monitor panel running in sys-net. Unfortunately, I don’t know how to tcpdump (or otherwise inspect) Tor traffic, so I have no idea which hosts it contacts. One thing is sure - it calls somewhere, thus informing a remote host “Hey, I am online”.
It’s not easy to tame a browser to simply shut up after start. So many background connections.
That’s part of the reason why I looked for a way to restrict connections:
I don’t think this will ever be solved in Firefox (by the “privacy respecting” Mozilla corporation). Even the user.js hardening projects can’t solve all problems. TB itself is not much hardened according to pyllyukko’s user.js community (I don’t keep the link to the issue, where this was discussed). IIRC, there were actual links to TB’s trac (at that time) which showed pyllyukko’s contributors reporting issues which were then implemented (not all of them) into TB.
Another anti-privacy thing is OCSP. In TB it is enabled. Is that good or bad? - questionable.
Yet, the Tor project sticks with TB and accepts no arguments.
At the time when I tested different browsers for background connections, one which behaved perfectly was the good old lynx. The problem is that it can’t be customized enough to make it look like TB (HTTP header-wise).
So, for quite some time I used a simple bash script which:
Uses tor-curl (a script which uses Tor as proxy and adds, as arguments to curl, the same HTTP headers which TB uses) to download a URL. The connection terminates instantly after download and no unsolicited connections are made.
Displays the content in elinks (gives better colors).
lightweight (works great on old computers)
no CSS fingerprinting
no 3rd party connections
impossible to “click” anywhere, thus leak anything: content is displayed offline, just like viewing a text file
downloading only the document and nothing else is a finger-printable behaviour (but far less leaky than what a full-featured browser does)
What can be done:
(A) try to find better (read: more suitable) browsers. Perhaps something suckless.
(B) restrict connections (firewall in a separate qube)
(C) Work on the method from above to use any browser in “offline mode”: Download the document using curl, disconnect, display in “any browser”. Dynamic content and interactivity is obviously out of the question but this read-only browser can still be used.
BTW, using TB + uBO in nightmare mode is pretty close to (C) (except for the OCSP).
Re. your mention of Cloudflare in the linked GitHub issue, I suppose you have heard about Crimeflare which someone reposted under a different name to circumvent censorship:
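The fetch-then-view approach described above (tor-curl download, then display the saved file in elinks) as an added example; this is not the poster's script. It assumes a local Tor SOCKS listener, curl, elinks and util-linux `unshare`, and the header values are modeled on Tor Browser and need re-checking against the TB version whose fingerprint you want to match.

```shell
#!/bin/sh
# Added example (not the poster's script): fetch one document over Tor with a
# Tor Browser-like header set, then view the saved file in elinks with
# networking removed, so nothing rendered can phone home.
# Assumptions: a Tor SOCKS listener (127.0.0.1:9050 by default; Tor Browser's
# bundled tor uses 9150), curl, elinks and util-linux unshare are installed.
# Header values are modeled on Tor Browser and must be re-checked against the
# TB version you want to look like.

TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"
TB_UA='Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0'

# Accept only https:// URLs: an http:// fetch leaves the Tor exit in plaintext.
url_ok() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# curl with the proxy and header settings that make the request a single,
# TB-like document fetch: DNS resolved remotely through the SOCKS proxy (no
# local resolver leak), HTTPS only, no -L so redirects are not followed,
# bounded wait time. Only the document itself is fetched, no subresources.
tb_curl() {
    curl --silent --show-error --fail --compressed \
        --proto =https --socks5-hostname "$TOR_SOCKS" \
        --max-time 60 \
        -H "User-Agent: $TB_UA" \
        -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
        -H 'Accept-Language: en-US,en;q=0.5' \
        -H 'Upgrade-Insecure-Requests: 1' \
        "$@"
}

# Download to a temp file, then open that file in elinks inside a fresh network
# namespace (unshare -rn needs unprivileged user namespaces enabled). Following
# a link from inside the viewer can only fail: there is no network in there.
fetch_then_view() {
    url="$1"
    url_ok "$url" || { echo "refusing non-https URL: $url" >&2; return 1; }
    out="$(mktemp)" || return 1
    tb_curl -o "$out" --url "$url" || { rm -f "$out"; return 1; }
    unshare -rn elinks "$out"
    rm -f "$out"
}

if [ $# -gt 0 ]; then
    fetch_then_view "$1"
fi
```

On Qubes, the viewer step can equally run in a disposable qube with no NetVM, which removes the dependency on user namespaces.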