It’s really annoying that the security updater for Java is trying to install the Yahoo Toolbar.
Many web browser add-ons have features that require contacting a central server. The Google Toolbar will show you a site’s PageRank. Amazon’s A9 Toolbar will show you information from Alexa. If you want this, that’s great—but if you only want it occasionally, you might not want someone tracking your entire browsing session.
After installing the A9 toolbar for testing, I decided I wanted to know just when they were contacting their server. I installed the Firefox versions of four toolbars and used netstat to see when they connected.
- A9 Toolbar: Constant connections to hosts at amazon.com and alexa.com, but only when the toolbar is visible.
- Google Toolbar: Opens initial connection to a Google-owned IP address. If PageRank display is enabled, or was earlier in the session, maintains continuous connections—even when the toolbar is hidden!
- Yahoo! Toolbar: Opens initial connections to a Yahoo server and to unknown.Level3.net (which, based on traceroute, appears to be on the way from here to Yahoo). Sometimes the latter remains open for a long time before closing. It does not appear to reconnect on its own.
- StumbleUpon: Only connects when you press its buttons.
Overall, these toolbars seem to behave in a privacy-friendly way. But it was disturbing that the Google toolbar keeps a connection open even when it’s hidden, and that disabling PageRank display doesn’t seem to stop the connections until you restart Firefox. (Maybe it does eventually, and I didn’t wait long enough.) If I’ve hidden the toolbar, I don’t need the functionality right then. There’s no reason to hold a network connection open until I re-show the toolbar.
If I only want to use these toolbars occasionally, I can just hide most of them through the View→Toolbars submenu. But to keep the Google Toolbar from phoning home, I have to either disable PageRank and restart Firefox, or disable the toolbar in the Extensions—and restart Firefox.