Security Researchers: 'Did Google Pull a Fast One on Firefox and Safari Users?'

A new report from NSS Labs raises questions about Google's Safe Browsing API and proprietary protections to block malicious downloads -- malware protections allegedly not offered to Firefox and Safari browsers which also use Google's Safe Browsing API.

Social engineering comes in all flavors, from white hats pen testing enterprise security to plain old criminals who happen to operate in the cyber world: criminals who want you to click on a link for a drive-by download, who otherwise convince you to download malware, or who use phishing attacks to bait you into believing lies and handing over vital personal, sensitive business, or financial information. It is that brand of lowlife conman, and that type of malicious trickery, that makes surfing the web potentially unsafe. All of the major web browsers have some sort of protection built in. Google's Safe Browsing API is used by Chrome, Firefox and Safari; Microsoft uses Application Reputation. Google recently updated its Safe Browsing mechanism and then released a Chrome Beta to improve "speed and security." But in regard to the Safe Browsing API, NSS Labs, an independent security research and testing firm, has published a new report, "Did Google Pull a Fast One on Firefox and Safari Users?"

NSS Labs analysis states, "At the end of 2011, Chrome's protection rate steadily climbed to just over 50% before suddenly falling back to 20%. At the same time, Firefox and Safari's block rate moved in the opposite direction. Chrome, Firefox and Safari all use Google's Safe Browsing API, and Google has publicly stated that it has not withheld data from their Safe Browsing feed. So what should end users make of the results?"

While Google claims that the new "Safe Browsing" protocol has nothing on the backend that differs in proprietary protection, the NSS Labs findings [PDF] state, "Despite claims to the contrary, Google has developed proprietary functionality via Safe Browsing to block malicious downloads. This functionality is not available to the other Safe Browsing API v2 browsers (Firefox and Safari).... Google and Mozilla agreed on terms of their search agreement December 20, 2011. On December 21-22, 2011 NSS Labs observed a reorientation of protection whereby proprietary protection offered by Chrome dropped dramatically while shared Safe Browsing protection within Chrome, Firefox and Safari increased. While these events may not be related, the timing raises questions."

This is one of the graphs included in the NSS Labs report "Did Google Pull a Fast One on Firefox and Safari Users?"

You can decide what you make of that as NSS Labs also claims that "Internet Explorer 9 remains the most effective at blocking traditional malware downloads (a.k.a. social-engineered malware)." Furthermore, "while NSS does not recommend switching browsers based on the results of these tests alone, if you currently have a free choice of browser then Internet Explorer 9 offers the most comprehensive protection from these particular threats." Alrighty then, but keep in mind what a Mobile Mozilla Firefox coder, Gian-Carlo Pascutto, said about Microsoft. "False positive control is an important part of effective malware detection. Internet Explorer flags many malware sites, but it also flags legitimate sites, undermining the true effectiveness."

Meanwhile, over at Boing Boing, Adam Levin, chairman and cofounder of Identity Theft 911, took aim at Google's Privacy Policy -- more specifically, the section about sharing user info "for legal reasons" such as to "meet any applicable law, regulation, legal process or enforceable governmental request." Levin wrote:

What exactly constitutes an "enforceable governmental request?" This sentence should read: "We will share information with a Governmental entity only when presented with a valid search warrant issued by a court of competent jurisdiction." Such a provision would make it obvious that by giving information to Google, you do not intend to waive your constitutional rights, and it would make it clear that despite the fact that your information was shared willingly with a private sector entity, you reasonably retained an expectation of privacy against Government intrusion. If everyone's privacy policy had language of this type, sooner or later every court -- and every legislature -- would remember all that stuff about the Fourth Amendment.

Times are hard in this economy. What is the price you put on your privacy? Google believes it is a maximum of $25. Would you sell your privacy soul for $25? Well, if you've given up on privacy completely, then Google has a new program called Screenwise in which you surf the web on Chrome and give up your right to privacy. In return, Google will give you a $5 Amazon gift card for signing up, then another $5 Amazon gift card code every three months, up to $25. You add a browser extension to Chrome and it tells Google, and "panel management partner Knowledge Networks," everything about the "sites you visit and how you use them" in order to help make Google better.

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.