Something Fishy About Google Chrome's Safe Browsing API, Lab Says

A research firm that measures the security effectiveness of browsers noticed something it thought might be fishy with the way Chrome was doing things. Turns out, there may currently be a privacy concern about Google's use of end user IP addresses as part of its Safe Browsing API.

By George V. Hulme
Tue, February 07, 2012

CSO — From the start, Google's Safe Browsing API was designed to spot malicious web pages so users wouldn't get trapped in them. Google identifies these sites through its own algorithms and user notification.

Google Chrome isn't the only browser to do this. Firefox and Safari rely on the lists made available in the Safe Browsing API, and Microsoft has its Application Reputation with Internet Explorer, which essentially does the same thing.

This week, NSS Labs, a firm that specializes in the testing of security systems, found something in its monitoring that just didn't feel right.

According to NSS Labs, during the most recent period of testing, Nov. 21, 2011 through Jan. 5, 2011, they observed what appears to be a significant change in malicious website protection when contrasted with historical data. According to their report, "Did Google Pull a Fast One on Firefox and Safari Users?", Chrome's protection rate rose to more than 50 percent before falling back down to 20 percent, while at the same time the Firefox and Safari block rate remained stuck at 2 percent and then suddenly jumped to 7 percent on the same day Chrome's protection precipitously dropped.

The types of attacks NSS Labs evaluated during this period are what it calls "socially engineered malware," or malware that is downloaded by the user from the web. The lab will be testing so-called drive-by download attacks in a later report.

"Google has made very public statements that they don't withhold any data from their Safe Browsing API, so what could explain the results?" asks Vikram Phatak, chief technology officer at NSS Labs.

Perhaps it's the undocumented functionality NSS Labs believes Google has integrated into Chrome, but not Firefox or Safari.

Google strongly denies it's holding back anything from the API. In his blog, New SafeBrowsing Backend, Mozilla and Mobile Firefox developer Gian-Carlo Pascutto at first wrote that Firefox does not have permission to use the download protection list in the Safe Browsing API.

That statement has since been redacted following a response from Google, a response that highlights perhaps a deeper concern: privacy.

"We have offered the new Safe Browsing features to Mozilla in the past, so to say that we are holding back this functionality is inaccurate. From our conversations, our understanding is that Mozilla is still waiting for more data from Google about the effectiveness of our new technology, and is also considering the limited circumstances in which their users may send URLs to Google for scanning (this only happens if a page looks sufficiently suspicious). This new protection, which is designed to detect new phishing pages as well as malicious downloads, was highlighted recently on our Chromium Blog," wrote Ian Fette, senior product manager for Chrome.

Originally published on www.csoonline.com.