Google just released a new Firefox extension called “Safe Browsing for Firefox”. From the “Introduction” section of the plug-in website, here is what it does:
“Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That’s why it’s important to browse safely with Google Safe Browsing. By combining advanced algorithms with reports about misleading pages from a number of sources, Safe Browsing is often able to automatically warn you when you encounter a page that’s trying to trick you into disclosing personal information.”
Good enough. I clicked on the FAQ section of the web-site to learn how the extension works, and here is the explanation given:
“6. How does Google know a page is bogus?
We use several techniques to determine whether a page is genuine, including the use of a blacklist containing pages that have been identified as suspicious and/or misleading based on automated detection or user reports. Our software also examines pages’ content and structure in order to catch potentially misleading pages. Google Safe Browsing can’t offer perfect protection, so you should always be on the lookout for indications that a site isn’t what it appears to be. But Google Safe Browsing can help identify and protect you against many of the sites designed to trick users.”
Great – but what information does the extension send to Google? To find out, I intercepted the traffic between my Firefox browser and
google.com. For every request you make, the extension invokes
http://www.google.com. So, if you were to goto cnn.com with the extension enabled, here is the HTTP GET request that will be sent to
GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client=navclient-auto-ape&q=http%3A%2F%2Fcnn.com%2F HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
http://cnn.com is a legitimate domain name,
http://www.google.com/safebrowsing/lookup sends the following back:
HTTP/1.1 200 OK
Server: TrustRank Frontend
Date: Thu, 15 Dec 2005 10:16:55 GMT
And all is well. To test what happens when you do come across a ‘phishy’ website, I logged into my Yahoo! account and looked at one of the billion Paypal phishing emails I get everyday, and found the following URL:
http://mail.teleline.hu/%20/https:/www.paypal.com/cgi-bin/webscr/update.html. This is obviously a phishing attempt, and sure enough, the Google extension caught it:
The following response was sent back by
http://www.google.com/safebrowsing/lookup to the Firefrox extension when I visited the above website:
HTTP/1.1 200 OK
Server: TrustRank Frontend
Cache-Control: private, x-gzip-ok=""
Date: Thu, 15 Dec 2005 10:04:47 GMT
So, in a nutshell, the extension looks for the
phishy:1:1 response from
http://www.google.com/safebrowsing/lookup and alerts the user.
Here are two things that bother me about this extension:
1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e in the URL, such as a credit card number), this will now be transmitted to
http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and
google.com to sniff the information off the wire.
2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.
I am more worried about the issue #1. However, I do realize that web applications should be designed to use POST in order to send sensitive information, but the fact of the matter is that many web applications do not follow this guideline. Google’s extension makes this situation worse by transmitting this information over clear text (assuming the web application uses SSL). This extension is designed to help protect users from illegitimate resources, but the irony is that it has the potential to expose sensitive information about you when you visit legitimate resources!
So there you have it – my preliminary analysis of Google’s new Firefox extension.