BitDefender TrafficLight breaks your privacy

[m00nbl00d]

I've been waiting for this to be solved by BitDefender, and so I gave it a month for them to address the issue, as I don't think it would require a lot of time to address it, only will.

That said, if you're using BitDefender TrafficLight, you should be aware that whenever you perform a search or access a website, it will check with BitDefender's cloud to see if the URL is malicious/fraudulent. So far so good. The real issue is that, it does it so over HTTP and not HTTPS.

I just thought I should alert you about it, in case you didn't know it already.

BitDefender actually agreed with me that sending the info over HTTP breaks our privacy, and that they were already considering implementing the communication over HTTPS, instead of HTTP. Right.

Not only is the info sent over HTTP, but the actual search query is also sent to BitDefender. This was also one of my concerns, and I asked them to strip the information, and only send the URL, but not the search query.

So, I suppose this is the same old question: Security at what cost? Breaking our (=users in general) privacy?

[Page42]

Maybe I'll disable that extension, m00n.
Who needs this sort of behavior?
Thanks for posting.

[m00nbl00d]

Quote:

Originally Posted by Page42

Maybe I'll disable that extension, m00n.
Who needs this sort of behavior?
Thanks for posting.

It's kind sad that such a great extension works this way, and no change in the horizon so far. I have relatives using it, because they wouldn't handle default-deny setups and all that, and so protecting them at the browser level is the best bet. I just hope BitDefender has a change of heart.

Maybe if more users start complaining about it, to them, they'll change TL's behavior... or not.

[1chaoticadult]

Quote:

Originally Posted by m00nbl00d

I've been waiting for this to be solved by BitDefender, and so I gave it a month for them to address the issue, as I don't think it would require a lot of time to address it, only will.

That said, if you're using BitDefender TrafficLight, you should be aware that whenever you perform a search or access a website, it will check with BitDefender's cloud to see if the URL is malicious/fraudulent. So far so good. The real issue is that, it does it so over HTTP and not HTTPS.

I just thought I should alert you about it, in case you didn't know it already.

BitDefender actually agreed with me that sending the info over HTTP breaks our privacy, and that they were already considering implementing the communication over HTTPS, instead of HTTP. Right.

Not only is the info sent over HTTP, but the actual search query is also sent to BitDefender. This was also one of my concerns, and I asked them to strip the information, and only send the URL, but not the search query.

So, I suppose this is the same old question: Security at what cost? Breaking our (=users in general) privacy?

Thanks for the info.

[m00nbl00d]

By the way, anyone can easily verify it with Google Chrome. If you open chrome://net-internals/#events and then perform a search, you'll see quite a few connections to nimbus.bitdefender.net over HTTP, and one of them sends the full search query.

You don't need anything fancy like Wireshark.

[PaulyDefran]

Thanks for the info. Uninstalled.

PD

[popcorn]

this is inexcusable especially from a security firm but am I correct in thinking that as long as all my traffic is routing thru a VPN it will be encrypted regardless ?

[Amit]

Thank God I had remove it a month ago. Now I'm never gonna get it back.

[Hungry Man]

Quote:

Originally Posted by popcorn

this is inexcusable especially from a security firm but am I correct in thinking that as long as all my traffic is routing thru a VPN it will be encrypted regardless ?

Popcorn -> VPN -> Trafficlight servers

Popcorn -> VPN = Encrypted
VPN -> Trafficlight = Unencrypted

[popcorn]

er ok wow
uninstalled

[clocks]

I found Trafficlight destroyed my ping scores. Went from 20ms to 530ms. Also, I found that was extremely resource heavy, especially disk io and CPU time. I just uninstalled.

[LockBox]

I agree. Inexcusable. Thanks for the heads up!

[treehouse786]

Quote:

Originally Posted by clocks

I found Trafficlight destroyed my ping scores. Went from 20ms to 530ms. Also, I found that was extremely resource heavy, especially disk io and CPU time. I just uninstalled.

same here, quite ridiculous.

[Page42]

When m00n first shared his finding back on 5/31 I disabled the TL Chrome extension.
I just now removed it.
I think I'll email BD with a link to this thread and see if there is any response.

[Page42]

The BD contact said he had forwarded my message (essentially a link to this thread) to the TrafficLight team, and thanked me for the feedback.

[clocks]

Thanks

[x942]

Quote:

Originally Posted by m00nbl00d

I've been waiting for this to be solved by BitDefender, and so I gave it a month for them to address the issue, as I don't think it would require a lot of time to address it, only will.

That said, if you're using BitDefender TrafficLight, you should be aware that whenever you perform a search or access a website, it will check with BitDefender's cloud to see if the URL is malicious/fraudulent. So far so good. The real issue is that, it does it so over HTTP and not HTTPS.

I just thought I should alert you about it, in case you didn't know it already.

BitDefender actually agreed with me that sending the info over HTTP breaks our privacy, and that they were already considering implementing the communication over HTTPS, instead of HTTP. Right.

Not only is the info sent over HTTP, but the actual search query is also sent to BitDefender. This was also one of my concerns, and I asked them to strip the information, and only send the URL, but not the search query.

So, I suppose this is the same old question: Security at what cost? Breaking our (=users in general) privacy?

Thanks for posting! I've been doing some Reverse Engineering of TL but hadn't gotten far. I think I will be taking another look.

[m00nbl00d]

Quote:

Originally Posted by Page42

The BD contact said he had forwarded my message (essentially a link to this thread) to the TrafficLight team, and thanked me for the feedback.

How long has it been? A week? Maybe Romania has different time zones...

[Page42]

My guess is that, in the greater scheme of things, from their perspective, the backlash (in terms of loss of users) from your discovery isn't profound enough, and they just aren't motivated to change. Which is, of course, unfortunate.

[m00nbl00d]

Quote:

Originally Posted by Page42

My guess is that, in the greater scheme of things, from their perspective, the backlash (in terms of loss of users) from your discovery isn't profound enough, and they just aren't motivated to change. Which is, of course, unfortunate.

Unfortunately, I do have to agree with you. I wonder if anyone has contacts with major technology websites? Or even inside contacts with EFF? Maybe EFF could compare various security applications (which may also include browser extensions), and see how they break our privacy. This should be an awakening call... or not.

[Page42]

I hope you will try another test again at some point in the future, just in case they decide that complying with your suggestion is the right way to go! Wouldn't that be something?

[m00nbl00d]

Quote:

Originally Posted by Page42

I hope you will try another test again at some point in the future, just in case they decide that complying with your suggestion is the right way to go! Wouldn't that be something?

I actually visited Chrome Web Store moments ago, but there's no update for TrafficLight. The latest version dates from February. They need to upgrade the extension, to actually communicate over HTTPS as well. So, when an upgrade comes out, it may mean something. Let's hope. It's actually awful that a great extension like TL breaks our privacy.

[Page42]

I'll try to keep an eye on that too, m00n.

[lordraiden]

Seems that in a couple of weeks they will move to https
http://forum.bitdefender.com/index.php?showtopic=36504

[m00nbl00d]

Quote:

Originally Posted by lordraiden

Seems that in a couple of weeks they will move to https
http://forum.bitdefender.com/index.php?showtopic=36504

So, should we say about ~ Snipped as per TOS ~ time? Anyway, great news. TL is a great extension, and it was kind of mad to see that the query was done over HTTP.

They did not mention whether or not the new version will also strip search engine queries, and only send the domain itself. Hopefully, they will strip our search queries.

Anyway, I'm glad they will finally do something about it; something that should never have been an issue, and also something that should have been solved a long time ago.

Thanks for the heads up!