You might have come across Google’s latest web experiment, fresh from their very hardworking labs.
According to the information on their website:
Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That’s why it’s important to browse safely with Google Safe Browsing. By combining advanced algorithms with reports about misleading pages from a number of sources, Safe Browsing is often able to automatically warn you when you encounter a page that’s trying to trick you into disclosing personal information.
This kinda reminds me of the upcoming Microsoft IE 7 browser that was unveiled in a sneak preview at the HITB SecConf recently. It, too, is to have an anti-phishing tool that will alert the user to dodgy websites.
Anyway, it sounds like a noble endeavour – keeping us safe from the web’s wilder side and all. Technically, it isn’t available for users outside the US due to license restrictions (see the FAQ), but you can still download it, of course.
The question is, should you download and install it?
I was going to do just that until I came across this article (“Two Things That Bother Me About Google’s New Firefox Extension”) by information security specialist Nitesh Dhanjani (by way of Lockergnome):
1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e in the URL, such as a credit card number), this will now be transmitted to http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and google.com to sniff the information off the wire.
In plain English, what he’s saying is that there’s potential for some nasty dude out there to intercept private information that you submit online, like credit card numbers.
2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.
Or in other words, all your private info are belong to Google.
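To make the two points concrete, here is an added Python example (it is not the extension’s code, nor Dhanjani’s): it shows what a lookup that forwards the whole GET request would transmit, and two defender-side ways to minimise the URL before it leaves the browser. The endpoint string comes from the quoted article; the sample URL and the list of sensitive parameter names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Endpoint as named in the quoted article; note it is plain http://, so
# anything appended to it travels in clear-text (point 1).
LOOKUP_ENDPOINT = "http://www.google.com/safebrowsing/lookup"

# Constructed example of a web application that (badly) puts private data
# in GET parameters on an otherwise SSL-protected page.
SAMPLE_URL = "https://bank.example/checkout?card=4111111111111111&cvv=123&item=42"

# Constructed list of parameter names that should never be forwarded verbatim.
SENSITIVE_PARAMS = ("card", "cvv", "password", "token", "ssn")


def is_confidential_transport(endpoint):
    """Point 1: the lookup itself must be over HTTPS, or the report is sniffable."""
    return urlsplit(endpoint).scheme == "https"


def naive_report(url):
    """Point 2: a lookup that forwards the entire GET request transmits the
    full URL, query string included, to the third party."""
    return f"{LOOKUP_ENDPOINT}?url={url}"


def minimised_url(url):
    """Mitigation A: drop query string and fragment before reporting. A
    reputation lookup needs scheme, host and path to identify a page."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def redacted_url(url, sensitive=SENSITIVE_PARAMS):
    """Mitigation B: keep parameter names (useful for matching rules) but
    replace the values of sensitive-looking parameters."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in sensitive else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), ""))


def leaked_parameters(report, url):
    """Audit helper: names of the page's query parameters whose values appear
    verbatim in what is transmitted to the lookup service."""
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query) if v and v in report]


if __name__ == "__main__":
    print("lookup over HTTPS:", is_confidential_transport(LOOKUP_ENDPOINT))
    for label, url in (("naive", SAMPLE_URL), ("minimised", minimised_url(SAMPLE_URL)),
                       ("redacted", redacted_url(SAMPLE_URL))):
        print(f"{label:10} leaks {leaked_parameters(naive_report(url), SAMPLE_URL)}")
```

Running it shows the naive report leaking every parameter value, the minimised form leaking none, and the redacted form leaking only the non-sensitive `item` value.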
Well, to me, there’s no confusion – I’m not in the US and my usage of the extension is not covered by the license, and therefore if anything should screw up, I’m up shit-creek without a paddle. But even if I were in the US, I still wouldn’t download the extension until I get more info about how Google intends to address this security concern.
Of course, I’m sure they will address it – Google’s like that. We’ll wait till then.
In the meantime, I’m now curious about IE7’s own Phishing Filter. Does it have similar security issues too?