Something fishy about Google Chrome's Safe Browsing API, lab says
A research firm that measures the security effectiveness of browsers noticed something it thought might be fishy with the way Chrome was doing things. Turns out, there may currently be a privacy concern about Google's use of end user IP addresses as part of its Safe Browsing API.
February 07, 2012 — CSO —
From the start, Google's Safe Browsing API was designed to spot malicious web pages so users wouldn't get trapped in them. Google identifies these sites through its own algorithms and user notification.
Google Chrome isn't the only browser to do this. Firefox and Safari rely on the lists made available in the Safe Browsing API, and Microsoft has its Application Reputation with Internet Explorer, which essentially does the same thing.
This week, NSS Labs, a firm that specializes in the testing of security systems, found something in its monitoring that just didn't feel right.
According to NSS Labs, during the most recent period of testing, Nov. 21, 2011 through Jan. 5, 2011, they observed what appears to be a significant change in malicious website protection when contrasted with historical data. According to their report, "Did Google Pull a Fast One on Firefox and Safari Users?", Chrome's protection rate rose to more than 50 percent before falling back down to 20 percent, while at the same time the Firefox and Safari block rate remained stuck at 2 percent and then suddenly jumped to 7 percent on the same day Chrome's protection precipitously dropped.
The types of attacks NSS Labs evaluated during this period are what it calls "socially engineered malware," or malware that is downloaded by the user from the web. The lab will be testing so-called drive-by download attacks in a later report.
"Google has made very public statements that they don't withhold any data from their Safe Browsing API, so what could explain the results?" asks Vikram Phatak, chief technology officer at NSS Labs.
Perhaps it's the undocumented functionality NSS Labs believes Google has integrated into Chrome, but not Firefox or Safari.
Google strongly denies it's holding back anything from the API. In his blog post, "New SafeBrowsing Backend," Mozilla and Mobile Firefox developer Gian-Carlo Pascutto at first wrote that Firefox does not have permission to use the download protection list in the Safe Browsing API.
That statement has since been redacted following a response from Google, a response that highlights perhaps a deeper concern: privacy.
"We have offered the new Safe Browsing features to Mozilla in the past, so to say that we are holding back this functionality is inaccurate. From our conversations, our understanding is that Mozilla is still waiting for more data from Google about the effectiveness of our new technology, and is also considering the limited circumstances in which their users may send URLs to Google for scanning (this only happens if a page looks sufficiently suspicious). This new protection, which is designed to detect new phishing pages as well as malicious downloads, was highlighted recently on our Chromium Blog," wrote Ian Fette, senior product manager for Chrome.