May 28

Firefox’s “safe browsing” feature leaks information to Google

Category: Linux,WWW   — Published by tengo on May 28, 2010 at 5:53 am

As a privacy-concerned person, you might have walked away from Google as your primary search engine. You just don't feel comfortable about how they store or keep your search habits?

You have switched to Linux as you regard it as more stable, more secure and more streamlined than other OSs?

You promote the open-source movement and have chosen Firefox as your primary browser? You think it's safer and does not leak information to third parties?

Then wait a second! Firefox has a "phoning home" feature, echoing back your visited URLs to Google, built in!

For years now, Google has offered a safe browsing feature (little notes beside potentially risky websites) on its search results pages. This service has been extended and is now available as an API which interested developers can use from inside their apps. Applications currently using the service are, obviously, Google's Chrome browser and the nice and friendly Firefox.

You can read about the Google API Firefox uses here, and dig into big G's Firefox-specific privacy policy here. Still, some users have found evidence for concern about whether Google is really just helping the community without using the gathered information in some other way:

Joshua "Jabra" Abraham, [...] says

The good news [...] is that Google only retains the data for two weeks, and then stores it in aggregate form. "But having this IP address, this cookie, and this timestamp is enough information to decloak someone for a [hacking] incident they did two years ago," he says. "So if you use Firefox or Chrome, you should know the risks" of the Safe Browsing feature, he says.

But a Google spokesperson said IP addresses and cookies are not combined with data from other services, nor used for tracking. "All such data is deleted after two weeks" and not anonymized, the spokesperson said.

Mozilla, meanwhile, says it has specific agreements with what Google can and cannot do with users' information. Third-party service providers such as Google can't use "any data or other information about or from users of Firefox for purposes other than to provide and maintain their service" nor can they "correlate any Firefox user data with any other data collected through other products, services or web properties of that provider," according to Mozilla's privacy policy.

Some commenters doubt this view on things is right, as Firefox tries to stay away from Google's servers as much as possible. Okay. And Firefox hashes dubious URLs prior to sending them to Google, adding a bit of steganography by sending 4 other random URLs with the request. Okay.
Well, I don't know which hashing algorithm is used to hash the URLs, but as Google more or less knows all URLs out there via their search service, they would potentially be able to reverse the hashing just like it can be done with known MD5 hashes.
What remains is the Firefox-specific privacy policy Google uses to cover the processed data. Do you think they stick to that? Then it should be safe to keep the malware/phishing features enabled...
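The lookup argument above, as an added example that is not from the original post or from Firefox's code: it assumes SHA-256 truncated to a 4-byte prefix (the post does not name the algorithm), skips URL canonicalization, and uses a constructed four-URL corpus in place of a search index. It shows that a receiver who already knows a URL resolves the one real entry by table lookup, while the random decoys match nothing.

```python
import hashlib
import secrets

PREFIX_LEN = 4  # assumption: 32-bit hash prefix; the post does not name the scheme


def url_hash(url: str) -> bytes:
    """Full SHA-256 digest of a URL (assumed algorithm, canonicalization omitted)."""
    return hashlib.sha256(url.encode("utf-8")).digest()


def build_request(url: str, decoys: int = 4) -> list[bytes]:
    """What the client sends: the real prefix mixed with random decoy prefixes."""
    prefixes = [url_hash(url)[:PREFIX_LEN]]
    prefixes += [secrets.token_bytes(PREFIX_LEN) for _ in range(decoys)]
    secrets.SystemRandom().shuffle(prefixes)
    return prefixes


def build_index(known_urls: list[str]) -> dict[bytes, list[str]]:
    """Receiver side: precompute prefix -> URLs for every URL it already knows."""
    index: dict[bytes, list[str]] = {}
    for u in known_urls:
        index.setdefault(url_hash(u)[:PREFIX_LEN], []).append(u)
    return index


def candidates(request: list[bytes], index: dict[bytes, list[str]]) -> list[str]:
    """URLs from the receiver's corpus that match any prefix in the request."""
    return sorted(u for p in request for u in index.get(p, []))


# Constructed sample corpus standing in for a crawler's URL list.
CORPUS = [
    "example.com/",
    "example.com/login",
    "example.org/downloads/setup.exe",
    "example.net/forum/thread?id=7",
]

if __name__ == "__main__":
    idx = build_index(CORPUS)
    req = build_request("example.org/downloads/setup.exe")
    print("sent prefixes:", [p.hex() for p in req])
    print("receiver resolves to:", candidates(req, idx))
    # A URL outside the corpus (e.g. one carrying a private token) stays unresolved.
    print("unknown URL:", candidates(build_request("example.org/reset?token=abc123"), idx))
```

With only 32 bits per prefix, many distinct URLs share each prefix at web scale, so a real index would return a set of candidates per prefix rather than exactly one page.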

Anyway, the best way to be dead sure is to disable the enabled-by-default safe browsing features in Firefox by unchecking Settings > Privacy > anti-phishing and anti-malware options. Although this is a bit heavy-handed...

"The bummer is you're turning off a great service," he says. "It protects you from malware" and other threats

says Robert "RSnake" Hansen, CEO of SecTheory LLC.