What is being send to/received from "safebrowsing.google.com" when I open Firefox?

When I first open Firefox, I always get this notification from my firewall within about 30 seconds-ish. It does not matter if I'm yet browsing the web, I could just have a blank page up, or I could be using a local network website; I always get a message saying that Firefox is attempting to connect to safebrowsing.google.com.

Firewall Prompt

As you can see in the firewall prompt picture, this connection is started by my computer, more specifically Firefox.

Firewall Packet Log

As you can see in the picture of my firewall's packet log, there are repeated inbound/outbound connections to that address with the browser just sitting open, and not doing anything.

System Details:

  • Firefox 32.0.0.5350
  • Windows 8

Firefox Details:

  • Options/Advanced/Update/Firefox updates: Never check for updates
  • Options/Advanced/Update/Automatically update: Search Engines is unchecked.
  • Options/Advanced/Data Choices/Telemetry: Telemetry is unchecked.
  • Options/Advanced/Data Choices/Firefox Health Report: Enable Firefox Health Report is unchecked.
  • Options/Advanced/Data Choices/Crash Reporter: Enable Crash Reporter is unchecked.
  • Options/General/Startup: When Firefox Starts is set to Show my home page.
  • Options/General/Startup: Home Page is set to about:newtab.
  • Manage Search Engine List: Google is set at the top of my list, and Show search suggestions is enabled.

If I manually attempt to visit safebrowsing.google.com in Firefox it just redirects to Google.ca. According to Wikipedia:

The Google Chrome, Apple Safari and Mozilla Firefox web browsers use the lists from the Google Safe Browsing service for checking pages against potential threats.

However, I don't see what Firefox could possibly be looking up when I'm not even browsing the web.

As mentioned in this answer, shouldn't it only be looking things up if I perform a search, or type a URL in the address bar?

I would like to know why this connection is occuring, and what is being sent/recieved over it? This will help me decide whether to leave it alone, create a custom firewall rule blocking it, or ditch Firefox for a more respectful browser; I have low tolerance for non-user-initiated internet/network use by any application, even if it is intended to be helpful.


You are getting an up to date list of blacklisted URLs that are known to contain phishing and malware. The update happens shortly after startup and once again every 30-45 minutes.

Mozilla claims the following:

"No information about you or the sites you visit is communicated during list updates... in the event that you encounter a reported phishing or malware site [b]efore blocking the site, Firefox will request a double-check to ensure that the reported site has not been removed from the list since your last update."

The accepted answer here is unfortunately completely wrong, as this feature can absolutely be disabled easily.

Despite what it says, none of the messing with the hosts file is necessary, you can just change the "Block reported attack sites" and "Block reported web forgeries" settings in Firefox's Security Preferences and this will stop both the updates and checking the lists from happening. Firefox Security Preferences image

If you manually fiddle in the about:config settings, you must also flip this preference: "browser.safebrowsing.downloads.enabled" which disables updating of blacklisted downloads as well.

Mozilla claims that no information about search queries is ever sent, only the double-check of an encountered reported phishing or malware site, as mentioned above.