Google Safe-Browsing and Chrome Privacy Leak

Monday, August 24, 2009

One of the other things Jabra and I talked about that worried a lot of people was the fact that Google’s Safe Browsing software (built into Firefox and Chrome) could be used to track them. Safe Browsing is designed to protect you from phishing and malware sites using a blacklist that is downloaded to your browser on a regular basis. In an experiment that I let run for 24 hours, I watched the number of connections Firefox made out to Google. It averaged around 30 an hour, though not evenly: it was more like 12 connections, then 18 more 30 minutes later, and so on, so the interval wasn’t precise. It may also not have been a completely valid experiment, because I may not have had the whole list in place, since I never use Safe Browsing; the browser may have been trying to download the whole thing, which would explain why it was sending so much traffic. That said, from what I saw it still sends an awful lot of traffic.

Now, that may not be so bad, except that it also gets a cookie containing a unique crypto string, which it sends back to Google on each request so that Google can send back a portion of the encrypted anti-phishing/anti-malware lists. That cookie, though, is the problem: it is unique per browser. So let’s say an attacker has been using their browser for a while, and then hops on a wireless network a few miles away to do their hacking. The cookie is still phoning home to Google periodically. So if the company they’re hacking into gets the Feds to issue a warrant or court order, Google can theoretically track the attacker back to their original IP address, not just the wireless one. They do this by correlating the IP that attacked the company with their own logs, seeing which cookie was used by that IP during that time frame, and then looking at what other IP addresses that cookie was used from. So it becomes critical for an attacker who wants to remain anonymous to blow the cookie away not only when starting a new network connection over the wireless, but also when tearing it down again before starting a new one.
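The correlation described above, seen from the side of whoever holds the server logs, as an added example that is not part of the original post (the log lines, addresses, cookie values and field layout are all constructed for the example):

```python
"""Linkability of a persistent per-browser cookie across IP addresses.

Added example; not code from the original post or from Google. It models the
pivot the post describes from the log holder's side: each periodic Safe
Browsing fetch records (timestamp, client IP, cookie). A cookie that is
stable per browser lets anyone with the log go from an IP seen in one time
window to the cookie used from it, and from there to every other IP that
browser ever fetched from. Log contents and layout are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log. 203.0.113.10 plays the browser's usual (home) address and
# 198.51.100.77 a wireless network it later joins; both are documentation
# ranges. 203.0.113.44 is an unrelated client with its own cookie.
STABLE_COOKIE_LOG = """\
2009-08-23T09:00:00 203.0.113.10 PREF=a1b2c3
2009-08-23T09:30:00 203.0.113.10 PREF=a1b2c3
2009-08-23T09:31:00 203.0.113.44 PREF=zz9y8x
2009-08-23T14:02:00 198.51.100.77 PREF=a1b2c3
2009-08-23T14:35:00 198.51.100.77 PREF=a1b2c3
2009-08-23T20:10:00 203.0.113.10 PREF=a1b2c3
"""

# The same traffic, constructed so that the identifier does not survive a
# change of network: this is what a non-persistent identifier buys.
ROTATING_COOKIE_LOG = """\
2009-08-23T09:00:00 203.0.113.10 PREF=a1b2c3
2009-08-23T09:30:00 203.0.113.10 PREF=a1b2c3
2009-08-23T09:31:00 203.0.113.44 PREF=zz9y8x
2009-08-23T14:02:00 198.51.100.77 PREF=k7m2p9
2009-08-23T14:35:00 198.51.100.77 PREF=k7m2p9
2009-08-23T20:10:00 203.0.113.10 PREF=q4r5s6
"""


def parse_log(text):
    """Yield (datetime, ip, cookie) from the constructed whitespace format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, cookie = line.split()
            yield datetime.fromisoformat(ts), ip, cookie


def pivot_from_ip(log_text, ip_of_interest, start_iso, end_iso):
    """Cookies seen from ip_of_interest within [start, end], each mapped to
    the sorted list of every IP that cookie was ever seen from."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    records = list(parse_log(log_text))
    cookies = {c for t, ip, c in records
               if ip == ip_of_interest and start <= t <= end}
    linked = defaultdict(set)
    for _, ip, c in records:
        if c in cookies:
            linked[c].add(ip)
    return {c: sorted(ips) for c, ips in linked.items()}


def max_linkability(log_text):
    """Largest number of distinct IPs any single cookie ties together.
    A value of 1 means no cookie links more than one network."""
    ips_per_cookie = defaultdict(set)
    for _, ip, c in parse_log(log_text):
        ips_per_cookie[c].add(ip)
    return max(len(ips) for ips in ips_per_cookie.values())


if __name__ == "__main__":
    window = ("2009-08-23T14:00:00", "2009-08-23T15:00:00")
    # The wireless IP seen in the 14:00-15:00 window links back to the home
    # address through the stable cookie...
    print(pivot_from_ip(STABLE_COOKIE_LOG, "198.51.100.77", *window))
    # ...while with a per-network identifier the pivot yields only the
    # wireless IP itself.
    print(pivot_from_ip(ROTATING_COOKIE_LOG, "198.51.100.77", *window))
    print(max_linkability(STABLE_COOKIE_LOG), max_linkability(ROTATING_COOKIE_LOG))
```

The point of `max_linkability` is the privacy-engineering measure behind the post's complaint: a stable identifier makes the whole log one graph, whereas an identifier scoped to a single network session caps what any one record can reveal at that session's own address.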

Now, I could probably be convinced by people who claimed that this was just a side effect of how it is supposed to work. Sure, when you visit Google again it sends the same cookie, but it’s easier to reuse that cookie than to build something else that wouldn’t have the additional privacy issues of sending it when you’re just normally using Google’s website. They already have that set up with load balancing and all the other snazzy stuff. Sure, I could believe all that. But here’s where I have a hard time believing it’s not for tracking.

When I started looking at Chrome I noticed two additional pieces of information that were being phoned home outside of Safe Browsing. This time, instead of 30 times an hour, it was more like once every 5 hours, which is still quite a bit if you ask me. The two extra pieces of data were “machineid” and “userid”, both computed from machine/user information. This information is sent along with a bunch of other browser information to ask Google whether it should download an update. Now here’s the real question: why would Google need to know my machineid and userid to give me an update? Wouldn’t the version number of my browser be enough to make that decision? I just can’t believe this isn’t used for tracking. There’s no more plausible deniability. What a perfect way to spy on people, too: use their own browser against them in the name of security.

Anyway, Safe Browsing is a great feature, since it protects you from phishing and malware sites. It’s too bad it comes with the baggage of anti-privacy. It doesn’t matter if Google’s privacy policy says they don’t use this information in this way or that way. In the face of a court order all that policy hand waving is irrelevant. They have the right/responsibility and the ability to track you and anyone else who uses their products if they are told to by a court of law. The international implications of this are unknown to me, because I am definitely not an international lawyer, but I would suggest that legal systems work differently in China and elsewhere in the world, where Google also does business. All I can say is that this extra feature of their technology makes my skin crawl. Incidentally, if you want to turn it off in Firefox, go to Tools->Options->Security and uncheck both “Block reported attack sites” and “Block reported web forgeries.” I don’t think there’s a way to turn off sending your machineid or userid from within Google Chrome. So my advice for Google Chrome is: don’t use it.
