PSA that Raspbian is logging your IP address along with RPi serial number

https://welcome.raspberrypi.com/raspberry-pi-os?id=UNIDENTIFIED

This is the sneaky URL that gets loaded upon the first launch of the web browser with a fresh install of Raspbian. It doesn’t show in history and quickly closes tab after success. You can see it for a brief moment or if you do not connect the RPi to the Internet.

UNIDENTIFIED is replaced with checksum of the serial number. The URL is found in /etc/chromium/master_preferences as part of first_run_tabs. This also happens in Firefox. /usr/bin/piwiz is the culprit.

Besides the obvious timestamp and IP address, it is possible they are executing a browser fingerprinter script. But this is unchecked.

9 Likes
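An added example, not part of the original post and not Raspberry Pi's own code: a small audit of the `first_run_tabs` entry the first post points to, reporting whether the `id` parameter still holds the `UNIDENTIFIED` placeholder or has been rewritten with a per-device value. It assumes the preferences file is JSON with a top-level `first_run_tabs` list; the sample data, the `example.org` tab and the id `0123abcd` are constructed.

```python
import json
import sys
from urllib.parse import parse_qs, urlsplit

PLACEHOLDER = "UNIDENTIFIED"  # id value in the URL quoted in the post, before substitution

def _ids(url):
    """Return the values of every 'id' query parameter in url."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("id", [])

def audit_first_run_tabs(prefs_text):
    """Report each first_run_tabs URL that carries an 'id' query parameter."""
    tabs = json.loads(prefs_text).get("first_run_tabs", [])
    findings = []
    for url in tabs:
        for value in _ids(url):
            findings.append({
                "host": urlsplit(url).hostname,
                "id": value,
                # Anything other than the placeholder means a per-device value was written in.
                "device_specific": value != PLACEHOLDER,
            })
    return findings

def without_id_tabs(prefs_text):
    """Return the preferences as a dict with id-bearing first-run tabs dropped."""
    prefs = json.loads(prefs_text)
    prefs["first_run_tabs"] = [u for u in prefs.get("first_run_tabs", []) if not _ids(u)]
    return prefs

# Constructed samples: only the welcome URL and the first_run_tabs key come from the post.
WELCOME = "https://welcome.raspberrypi.com/raspberry-pi-os?id="
SAMPLE_FRESH = json.dumps({"first_run_tabs": [WELCOME + PLACEHOLDER, "https://example.org/"]})
SAMPLE_REWRITTEN = json.dumps({"first_run_tabs": [WELCOME + "0123abcd", "https://example.org/"]})

if __name__ == "__main__":
    # Pass /etc/chromium/master_preferences as the argument to check a real install.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REWRITTEN
    for f in audit_first_run_tabs(text):
        state = "device-specific id" if f["device_specific"] else "placeholder id"
        print(f'{f["host"]}: {state} ({f["id"]})')
```

`without_id_tabs` only edits the preferences data; it does not stop another program from writing the entry back.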

Does it not send a hardware list when you use the package manager? To know which firmwares are, or are not, required?

I don't think they should register the devices with a unique token, and for sure should have it in the notifications/docs, but unless they give regular telemetry, just sounds like base stats.

Thanks for bringing that to my attention, am totally nonplussed, but others might be

I wonder what other info is being beamed home.

Crash reports also have a lot of identifying info

[Edited, tone & spelling]

7 Likes

This is not cool behaviour, thanks for posting, I will not be using Raspbian :slight_smile:

Does this only apply to web browser?

What if it's in headless mode and browser is never used?

Is it possible to just remove piwiz in single-user mode, or does removing piwiz at all break raspbian?

Damn, what originally started out as a great tool for hobbyists has morphed into just another evil company.

```
$ curl --verbose --user-agent "Mozilla/5.0 (X11; Linux aarch64) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36" https://welcome.raspberrypi.com/raspberry-pi-os?id=suckmyballs
*   Trying 18.245.86.63:443...
* TCP_NODELAY set
* Connected to welcome.raspberrypi.com (18.245.86.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=welcome.raspberrypi.com
*  start date: Sep 25 00:00:00 2023 GMT
*  expire date: Oct 23 23:59:59 2024 GMT
*  subjectAltName: host "welcome.raspberrypi.com" matched cert's "welcome.raspberrypi.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffd32308d0)
> GET /raspberry-pi-os?id=suckmyballs HTTP/2
> Host: welcome.raspberrypi.com
> user-agent: Mozilla/5.0 (X11; Linux aarch64) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 307
< content-type: application/json
< content-length: 0
< location: https://www.raspberrypi.com
< date: Sun, 28 Jan 2024 20:28:00 GMT
< x-amzn-requestid: aa63378f-bf5d-457a-b4e6-4c8452c3e7c8
< x-amz-apigw-id: SRHQpEpGLPEEKeA=
< x-amzn-trace-id: Root=1-65b6b8d0-1a0200075ffe4bbf0ef821ee;Sampled=0;lineage=8b89b0e1:0
< x-cache: Miss from cloudfront
< via: 1.1 e3f7f612cf7d05edb500a43ad2f70e96.cloudfront.net (CloudFront)
< x-amz-cf-pop: FRA60-P6
< x-amz-cf-id: va-j-HES1JsNajRN3PE7az58kZOs6a9cMV3nYyIF7tps03BmmOyVyA==
<
* Connection #0 to host welcome.raspberrypi.com left intact
```

I wouldn’t be too alarmed about it. Sure, the id seems weird, but we don’t know if they actually do anything nefarious with it. And you likely leave your IP and timestamp with them the first time you run apt update anyway, just without the serial checksum.

1 Like