Security Researchers: ‘Did Google Pull a Fast One on Firefox and Safari Users?’

Feb 08, 2012 (5 mins)
Data and Information Security | Enterprise Applications | Internet Explorer

A new report from NSS Labs raises questions about Google's Safe Browsing API and proprietary protections to block malicious downloads -- malware protections allegedly not offered to Firefox and Safari browsers which also use Google's Safe Browsing API.

Social engineering comes in all flavors, from white hats pen testing enterprise security to plain old criminals who happen to play in the cyber world: cyber criminals who want you to click on a link for a drive-by download, otherwise convince you to download malware, or use phishing attacks to bait you into believing lies and handing over vital personal, sensitive business, or financial information. It is that brand of lowlife conman, and that kind of malicious trickery, that makes cyber surfing potentially unsafe. All of the major web browsers have some sort of protection built in. Google’s Safe Browsing API is used by Chrome, Firefox and Safari. Microsoft uses Application Reputation. Google recently updated its Safe Browsing mechanism and then released Chrome Beta to improve “speed and security.” But in regard to the Safe Browsing API, NSS Labs, an independent security research and testing firm, published a new report, “Did Google Pull a Fast One on Firefox and Safari Users?”

NSS Labs analysis states, “At the end of 2011, Chrome’s protection rate steadily climbed to just over 50% before suddenly falling back to 20%. At the same time, Firefox and Safari’s block rate moved in the opposite direction. Chrome, Firefox and Safari all use Google’s Safe Browsing API, and Google has publicly stated that it has not withheld data from their Safe Browsing feed. So what should end users make of the results?”

While Google claims that the new “Safe Browsing” protocol has nothing on the backend that differs in proprietary protection, the NSS Labs findings [PDF] state, “Despite claims to the contrary, Google has developed proprietary functionality via Safe Browsing to block malicious downloads. This functionality is not available to the other Safe Browsing API v2 browsers (Firefox and Safari)…. Google and Mozilla agreed on terms of their search agreement December 20, 2011. On December 21-22, 2011 NSS Labs observed a reorientation of protection whereby proprietary protection offered by Chrome dropped dramatically while shared Safe Browsing protection within Chrome, Firefox and Safari increased. While these events may not be related, the timing raises questions.”

This is one of the graphs included in the NSS Labs report “Did Google Pull a Fast One on Firefox and Safari Users?”

You can decide what you make of that, as NSS Labs also claims that “Internet Explorer 9 remains the most effective at blocking traditional malware downloads (a.k.a. social-engineered malware).” Furthermore, “while NSS does not recommend switching browsers based on the results of these tests alone, if you currently have a free choice of browser then Internet Explorer 9 offers the most comprehensive protection from these particular threats.” Alrighty then, but keep in mind what a Mobile Mozilla Firefox coder, Gian-Carlo Pascutto, said about Microsoft: “False positive control is an important part of effective malware detection. Internet Explorer flags many malware sites, but it also flags legitimate sites, undermining the true effectiveness.”

Meanwhile, over at Boing Boing, Adam Levin, the chairman and cofounder of Identity Theft 911, took aim at Google’s Privacy Policy — more specifically, the section about sharing user info “for legal reasons” such as to “meet any applicable law, regulation, legal process or enforceable governmental request.” Levin wrote:

What exactly constitutes an “enforceable governmental request?” This sentence should read: “We will share information with a Governmental entity only when presented with a valid search warrant issued by a court of competent jurisdiction.” Such a provision would make it obvious that by giving information to Google, you do not intend to waive your constitutional rights, and it would make it clear that despite the fact that your information was shared willingly with a private sector entity, you reasonably retained an expectation of privacy against Government intrusion. If everyone’s privacy policy had language of this type, sooner or later every court — and every legislature — would remember all that stuff about the Fourth Amendment.

Times are hard in this economy. What is the price you put on your privacy? Google believes it is a maximum of $25. Would you sell your privacy soul for $25? Well, if you’ve given up on privacy completely, then Google has a new program called Screenwise in which you surf the web on Chrome and give up the right to privacy. In return, Google will give you $5 on an Amazon card for signing up, then another $5 Amazon gift card code every three months, up to $25. You add a browser extension to Chrome and it tells Google, and “panel management partner Knowledge Networks,” everything about the “sites you visit and how you use them” in order to help make Google better.


Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.