Google Safe-Browsing and Chrome Privacy Leak

One of the other things Jabra and I talked about that worried a lot of people was the fact that Google’s Safe Browsing software (build into Firefox and Chrome) could be used to track them. Safe Browsing is designed to protect you from phishing and malware sites by using a blacklist approach that gets downloaded to your browser on a regular basis. In an experiment that I let run for 24 hours, I watched the amount of connections Firefox made out to Google. It averaged around 30 times an hour. It was more like 12 times and then 30 minutes later there would be 18 more and so on. So it wasn’t precise. Also, it may not have been a completely valid experiment because I may not have had the whole list in place since I never use Safe Browsing. The browser may have been trying to download the whole thing, which is why it was sending so much traffic. That said, it still sends an awful lot of traffic, from what I saw.

Now, that may not be so bad, except that it also gets a cookie with a unique crypto string that it sends back to the Google on each request so that Google can send it back a portion of the encrypted anti-phishing/anti-malware lists. That cookie though, is the problem. The cookie is unique per browser. So let’s say an attacker has been using their browser for a while, and then an attacker hops on a wireless network a few miles away to do their hacking. The cookie is still phoning home to Google periodically. So if the company they’re hacking into gets the Feds to issue a warrant/court-order, Google can theoretically track the attacker back to their original IP address not just the one of the wireless. They do this by correlating the IP that attacked the company back to Google, seeing which cookie was used by that IP during that time frame and then looking at what other IP addresses that cookie used. So it becomes critical for an attacker to blow the cookie away not only when starting their new network connection with the wireless, but also when they tear it down again before starting a new one, if they want to remain anonymous.

Now, I could probably be convinced by people who claimed that this was just a side effect of how it is supposed to work. Sure, when you travel to Google again it is sending the same cookie, but it’s easier to use Google.com instead of safebrowsingbygoogle.com or something that wouldn’t have the additional privacy issues associated with sending this cookie when just normally using Google’s website. They already have google.com set up with load balancing and all the other snazzy stuff. Sure, I could believe all that. But here’s where I have a hard time believing it’s not for tracking.

When I started looking at Chrome I noticed two additional pieces of information that were being phoned home outside of Safe Browsing. This time, instead of it being 30 times an hour, it was more like once every 5 hours, which is still quite a bit if you ask me. The two extra pieces of data were “machineid” and “userid” - both computed information based on machine/user information. This information is sent along with a bunch of other browser information to ask Google if they should download an update. Now here’s the real question: why would Google need to know my machineid and userid to give me an update - wouldn’t the version number of my browser be enough to make that decision? I just can’t believe this isn’t used for tracking. There’s no more plausible deniability. What a perfect way to spy on people too… use their own browser against them in the name of security.

Anyway, Safe Browsing is a great feature since it protects you from phishing and malware sites. It’s too bad it comes with the baggage of anti-privacy. It doesn’t matter if Google’s privacy policy says they don’t use this information in this way or that way. In the face of a court order all that policy hand waving is irrelevant. They have the right/responsibility and ability to track you any anyone else who uses their products if they are told to by a court of law. Now the international implications of this are unknown to me, because I am definitely not an international lawyer, but I would suggest that legal systems work differently in China and elsewhere in the world, where Google also does business. All I can say is that this extra feature of their technology makes my skin crawl. Incidentally if you want to turn it off in Firefox go to Tools->Options->Security and uncheck both “Block reported attack sites” and “Block reported web forgeries.” I don’t think there’s a way to turn off sending your machine or userid from within Google Chrome. So my advice for Google Chrome is: don’t use it.

From: Google Safe-Browsing and Chrome Privacy Leak ha.ckers.org web application security lab

 

Thanx for posting.

Yes very strange indeed !

I also recently found out that having these enabled "Block reported attack sites" and "Block reported web forgeries" in Tools->Options-> Security, meant that Google was being contacted to provide the data, so i disabled them.

Also another vector for info exchange is via FF's RSS feeds and news headlines updates etc etc. We wouldn't be able to receive those if there was no 2 way communication between FF and their servers.






So how to also disable these uninvited/unwanted comms in FF?

 

Is this a problem with Iron as well? I assume Iron uses googles database for its own anti-phishing and anti-malware protection. But does it store a cookie and does it send it back to google everytime it calls back.

 

Looks like Microsoft Internet Explorer 8 is finally going to get the respect and recognition that it deserves.


HKEY1952

 

Hi duk thanks for the info...


Is this information still being communicated if I don't allow Google to set a cookie on my computer (which I never have)?

 

On another note, will google anonymizer also prevent this google cookie from tracking me?

 

That's the thing with Google, everything they do that they claim "is good for the user" has a coincidental side effect of gathering data.

But how good is it really?

I have been testing it for a while, and i've found it to be shi.. extremely poor. For example on the 20th Symantec published an article on Yahoo news titled The top 100 most dangerous websites for your PC enlisted. Most of them have multiple exploits for example see the Safeweb Listing.

I just visited the top 10 malware sites with Chrome with Safe Browsing enabled, Google Chrome let me go to 9 out of the top 10 sites with no warning.



These sites were published 5 days ago in the mainstream article, and no doubt identified as malware domains by the various antivirus companies long before that.

Their search engine also only shows "This site may harm your computer" on 1 out of the top 10 domains. For the past few months i've noticed the same patterns, site contains malware and it's 1-3 weeks before Google Safe Browsing starts blocking the page. Meanwhile the malware authors have done their deeds and moved on.

For the excessive data exchanges as you pointed out, the delay is quite odd. I personally don't believe Google cares about protecting you, just the browsing data.

 

Thanks for all of this information. I disabled the two items that you suggested. (block reported sites). I also added the "better Privacy" addon. I guess it blocks any long term cookies. Thanks for the information.

 

Good question.

 

caspian

Thanx, but can Anyone tell us the answer

 

I would, i have a packet sniffer but my "Bookmarks Toolbar" pop-out is empty and i have nothing there neither in my main Firefox or my stock standard portable.

So.. If you can tell me what you done, or added to that option so i can replicate your setup i can run a trace on the connections.

 

1boss1

Hi,

I'm not aware that i've actually enabled anything to create the "Bookmarks Toolbar" pop-out, as shown in my screenie ?

As far as i know, that's how it came out o da box when i installed it a few weeks ago. The version i'm using is 3.0.13 not v3.5, if that makes any difference ?

If you could download and run either the portable version, or install, v3.0.13 which are both still available, and sniff away, that would be great.

Hope you can, then we'll find out more about those FF comms talking.

TIA

 

Ahh ok, i just installed v3.0.13 and yes i remember it now i always delete those added extras before i start loading on my stuff.

Anyhow, it all looks benign. I won't embed the image in the board, it's about 1000px wide to fit all the details.

http://i26.tinypic.com/2005xlc.png

As you can see, Firefox booted up and called the Mozilla start page which is just a redirect to Google search. It then calls 2 URL's from fxfeeds.mozilla.com which are only redirects to the BBC.

If you visit here you will see the exact raw content the feed calls from.

There is no dedicated tracking scripts (such as Analytics etc) on any URL's involved in the feed fetching. The reason it calls Mozilla and redirects to BBC is no doubt if they change agreements with the BBC and use another news source they can just change the redirect location instead of trying to bring millions of existing installations up to date.

But.. Looks fine to me.

 

1boss1

Trying - http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml - with Scripting etc disabled in FF i get



IE6 with Scripting etc disabled no probs ?

Anyway,

I'm not happy about anything just automatically communicating or redirecting etc, without my permission/knowledge.

You said " i always delete those added extras before i start loading on my stuff. " HOW exactly would we achieve this, just right clicking on the Bookmarks Toolbar thingy from Bookmarks and deleting it or ?


Thanx for taking the time to do the download + tests, i appreciate it.

S

 

That's odd, an .XML document is essentially a text document and should be viewable without scripting.

Edit: I see the problem, the path in your address bar is wrong you have FirefoxC:\ so you C drive letter is joined to Firefox so you don't have a folder by that name.

Anyhow, yes if you just Right Click and Delete the feed entry it's gone no more connections are made.