Security Issues with Google's Anti-Phishing Tool

There is a great post by Nitesh Dhanjani over at O'Reilly laying out his security concerns with Google's Safe Browsing for Firefox extension.

The extension sends the URL of every web site you visit to Google. They check it against a blacklist and check the page for obvious trickery. Nitesh points out two problems:

1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e. in the URL, such as a credit card number), this will now be transmitted to http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and google.com to sniff the information off the wire.

2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.

As pointed out in a comment, Google also retrieves your perma-cookie, indicating that they are probably logging all your browsing.
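
The two problems above, as an added example that is not code from the extension or from Nitesh's post: it builds the lookup as described (full URL, plain HTTP) next to a reduced form that drops credentials, query string and fragment before the lookup. The `url` parameter name, the helper names, the sample URL and the endpoint accepting HTTPS are all assumptions made for illustration.

```javascript
// Added example. The endpoint comes from the post; the "url" parameter name
// and HTTPS support on that endpoint are assumptions.
const LOOKUP_ENDPOINT = "www.google.com/safebrowsing/lookup";

// Constructed sample: an SSL-protected page that puts private data in GET parameters.
const SAMPLE_VISIT =
  "https://user:pw@shop.example/checkout?card=4111111111111111&name=Alice#pay";

// Behaviour the post describes: the entire visited URL, sent in clear-text.
function lookupAsDescribed(visitedUrl) {
  return "http://" + LOOKUP_ENDPOINT + "?url=" + encodeURIComponent(visitedUrl);
}

// Keep only scheme, host and path. Paths can still carry identifiers,
// so this narrows the exposure rather than removing it.
function reduceUrl(visitedUrl) {
  const u = new URL(visitedUrl);
  u.username = "";
  u.password = "";
  u.search = "";
  u.hash = "";
  return u.toString();
}

// Reduced lookup: stripped URL, sent over TLS.
function lookupReduced(visitedUrl) {
  return "https://" + LOOKUP_ENDPOINT + "?url=" +
    encodeURIComponent(reduceUrl(visitedUrl));
}

// Names of the visited page's GET parameters whose values travel inside a lookup request.
function leakedParams(visitedUrl, lookupRequest) {
  const sent = new URL(new URL(lookupRequest).searchParams.get("url"));
  const leaked = [];
  for (const [name, value] of new URL(visitedUrl).searchParams) {
    if (sent.searchParams.get(name) === value) leaked.push(name);
  }
  return leaked;
}

// True when the lookup itself crosses the network unencrypted.
function sentInClear(lookupRequest) {
  return new URL(lookupRequest).protocol === "http:";
}
```
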
