Two Things That Bother Me About Google’s New Firefox Extension


Here are two things that bother me about this extension:

1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e in the URL, such as a credit card number), this will now be transmitted to http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and google.com to sniff the information off the wire.

2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.

I am more worried about the issue #1. However, I do realize that web applications should be designed to use POST in order to send sensitive information, but the fact of the matter is that many web applications do not follow this guideline. Google's extension makes this situation worse by transmitting this information over clear text (assuming the web application uses SSL). This extension is designed to help protect users from illegitimate resources, but the irony is that it has the potential to expose sensitive information about you when you visit legitimate resources! Two Things That Bother Me About Google’s New Firefox Extension

Linked by shanmuga Friday, 16th December 2005 4:16AM