Two Things That Bother Me About Google’s New Firefox Extension

by Nitesh Dhanjani

Google just released a new Firefox extension called “Safe Browsing for Firefox”. From the "Introduction" section of the plug-in website, here is what it does:

"Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That's why it's important to browse safely with Google Safe Browsing. By combining advanced algorithms with reports about misleading pages from a number of sources, Safe Browsing is often able to automatically warn you when you encounter a page that's trying to trick you into disclosing personal information."

Good enough. I clicked on the FAQ section of the web-site to learn how the extension works, and here is the explanation given:


"6. How does Google know a page is bogus?
We use several techniques to determine whether a page is genuine, including the use of a blacklist containing pages that have been identified as suspicious and/or misleading based on automated detection or user reports. Our software also examines pages' content and structure in order to catch potentially misleading pages. Google Safe Browsing can't offer perfect protection, so you should always be on the lookout for indications that a site isn't what it appears to be. But Google Safe Browsing can help identify and protect you against many of the sites designed to trick users."


Great – but what information does the extension send to Google? To find out, I intercepted the traffic between my Firefox browser and google.com. For every request you make, the extension invokes /safebrowsing/lookup on http://www.google.com. So, if you were to goto cnn.com with the extension enabled, here is the HTTP GET request that will be sent to http://www.google.com:


GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client=navclient-auto-ape&q=http%3A%2F%2Fcnn.com%2F HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: [deleted]


Since http://cnn.com is a legitimate domain name, http://www.google.com/safebrowsing/lookup sends the following back:

HTTP/1.1 200 OK
Content-Type: text/plain
Server: TrustRank Frontend
Content-Length: 0
Date: Thu, 15 Dec 2005 10:16:55 GMT


And all is well. To test what happens when you do come across a ‘phishy’ website, I logged into my Yahoo! account and looked at one of the billion Paypal phishing emails I get everyday, and found the following URL: http://mail.teleline.hu/%20/https:/www.paypal.com/cgi-bin/webscr/update.html. This is obviously a phishing attempt, and sure enough, the Google extension caught it:

image

The following response was sent back by http://www.google.com/safebrowsing/lookup to the Firefrox extension when I visited the above website:


HTTP/1.1 200 OK
Content-Type: text/plain
Server: TrustRank Frontend
Cache-Control: private, x-gzip-ok=""
Date: Thu, 15 Dec 2005 10:04:47 GMT
Content-Length: 11

phishy:1:1


So, in a nutshell, the extension looks for the phishy:1:1 response from http://www.google.com/safebrowsing/lookup and alerts the user.

Here are two things that bother me about this extension:

1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e in the URL, such as a credit card number), this will now be transmitted to http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and google.com to sniff the information off the wire.

2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.

I am more worried about the issue #1. However, I do realize that web applications should be designed to use POST in order to send sensitive information, but the fact of the matter is that many web applications do not follow this guideline. Google's extension makes this situation worse by transmitting this information over clear text (assuming the web application uses SSL). This extension is designed to help protect users from illegitimate resources, but the irony is that it has the potential to expose sensitive information about you when you visit legitimate resources!

So there you have it – my preliminary analysis of Google’s new Firefox extension.

8 Comments

nickpicker
2005-12-15 06:51:37
Public disclosure
There's yet another aspect:


Google provides a publicly available real-time "API" to retrieve the "phishiness" of a given URL. Hence any scammer could use the API to fine-tune his scam, i.e. automatically probe the API until a given URL is considered safe from the scammer's business point of view. While the users of the extension will soon update Google's database by notifying them of the phishiness, there remains a timespan when perhaps 0.01% of the extension's users fall for the scam because they trust the tool.


Note to Google:


You do realize that services facilitated by your tools are visible to everyone else, too, don't you?

Tdot
2005-12-15 11:33:41
Google's Cookie again
Thanks for the excellent analysis of Google's protocol!


The last line from the GET method suggests that you replaced the actual data with [deleted] and that Google's for ever lasting Cookie is submitted with every URL. That means that every user "voluntarily" submits the complete record of visited websites! At the bottom line this makes a wonderful user profile for user targeted advertising.


It is becoming more and more important to educate users about the increasing problems with Google.
For another example see http://tdot.blog-city.com/google_print_and_society.htm

Walt_Stoneburner
2005-12-15 19:33:52
And tracking... don't forget tracking....
Since Google knows who you are, whether from GMail, Orkut, or a host of other wonderful services, and now you're beaming each URL you visit to them -- this gives them an awful lot of information about your viewing habits (and therefore you). From a business standpoint, it would be nice to know where people are visiting and what they are looking at....
Asick
2005-12-15 20:20:32
excellent
Yea I realized this a few hours after it was released. I noticed that it was also easy to intercept this request from the extension and that a simple php site could be devised to send back the tags necessary for the extension to state that the site was legitimate. I won't post the code here, but it's relatively simple stuff.
webaugur
2005-12-15 21:58:58
Umm, you failed to mention...
You have to intentionally enable the "Enhanced Mode" feature you are complaining about. This feature is disabled by default.


To enable "Ehanced Mode" you must ignore the giantic red warning dialog explaining the dangers of enhanced mode, manually select the "Enhanced mode" radio button and then dismiss the dialog.

niteshd
2005-12-15 22:09:36
Umm, you failed to mention...
It isn't disabled by default, but it isn't enabled either. When you restart Firefox after installing the extension, you are asked if you want to enable or disable the Enhanced Mode, and I can bet that most people will go ahead and enable Enchanced Mode.
h0ba
2005-12-16 02:25:27
They done it again
Well, most people don't realise that a similar function and therefore similar problem is already in Googles toolbar (both IE and Firefox).


If you enable the view of Pagerank for the visited page you always send a similar query to Googles servers and they can also track your surfing behaviours (the long existing cookie has already been mentioned in another comment).


A similar query, a similar problem.

webaugur
2005-12-16 15:12:36
Umm, you failed to mention...
Yes, I'm sure someone somewhere at Google hopes, if not expects, enhanced mode will be enabled without thought for the information it is feeding them. But the big red text does explain what enhanced mode will do. I sniffed the packets with ethereal and it doesn't seem to do anything beyond exactly what it suggests.


It's a true shame Google doesn't at least use SSL. Or, better, prevent SSL encrypted URLs from being passed in enhanced mode. Websites with legitimate SSL certificates are, in theory, much less likely to be used for phishing.