Something fishy about Google Chrome's Safe Browsing API, lab says

From the start, Google's Safe Browsing API was designed to spot malicious web pages so users wouldn't get trapped in them. Google identifies these sites through its own algorithms and user notification.

Google Chrome isn't the only browser to do this. Firefox and Safari rely on the lists made available in the Safe Browsing API, and Microsoft has its Application Reputation with Internet Explorer, which essentially does the same thing.

This week, NSS Labs, a firm that specializes in the testing of security systems, found something in its monitoring that just didn't feel right.

According to NSS Labs, during the most recent period of testing, Nov. 21, 2011 through Jan. 5, 2011, they observed what appears to be a significant change in malicious website protection when contrasted with historical data. According to their report, "Did Google Pull a Fast One on Firefox and Safari Users?", Chrome's protection rate rose to more than 50 percent before falling back down to 20 percent, while at the same time the Firefox and Safari block rate remained stuck at 2 percent and then suddenly jumped to 7 percent on the same day Chrome's protection precipitously dropped.

The types of attacks NSS Labs evaluated during this period are what it calls "socially engineered malware," or malware that is downloaded by the user from the web. The lab will be testing so-called drive-by download attacks in a later report.

"Google has made very public statements that they don't withhold any data from their Safe Browsing API, so what could explain the results?" asks Vikram Phatak, chief technology officer at NSS Labs.

Perhaps it's the undocumented functionality NSS Labs believes Google has integrated into Chrome, but not Firefox or Safari.

Google strongly denies it's holding back anything from the API. In his blog, New SafeBrowsing Backend, Mozilla and Mobile Firefox developer Gian-Carlo Pascutto at first wrote that Firefox does not have permission to use the download protection list in the Safe Browsing API.

That statement has since been redacted following a response from Google, a response that highlights perhaps a deeper concern: privacy.

"We have offered the new Safe Browsing features to Mozilla in the past, so to say that we are holding back this functionality is inaccurate. From our conversations, our understanding is that Mozilla is still waiting for more data from Google about the effectiveness of our new technology, and is also considering the limited circumstances in which their users may send URLs to Google for scanning (this only happens if a page looks sufficiently suspicious). This new protection, which is designed to detect new phishing pages as well as malicious downloads, was highlighted recently on our Chromium Blog," wrote Ian Fette, senior product manager for Chrome.

"We believe this is a reasonable solution for Chrome users, and Microsoft takes a similar approach in Internet Explorer that involves sending URLs to Microsoft. The offer remains for Mozilla to have access to our new APIs for Firefox should they choose that it's in the best interests of their users," he wrote.

According to that Chromium Blog post from last week, "All About Safe Browsing," Google does not hold any personally identifiable information for more than two weeks, the data isn't used anywhere else within Google, and users can turn the Safe Browsing features off.

Mozilla doesn't appear to be fully swayed -- yet. "Our partnership with Google's safe browsing team is a positive one. Their team has made phishing and malware detection services available to our users and these are already implemented in Firefox. Their new services communicate more information back to Google about a user's browsing history, and we are still evaluating the merits of that approach," said Johnathan Nightingale, Mozilla's director of Firefox engineering, in a statement to CSOonline.

While Google and Firefox figure out the privacy implications, end users are left with a number of questions. The first is what level of privacy they want to give up to improve browsing security. The second is why, at its best, Safe Browsing technology is only 50 percent effective against these threats.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.
