What happened to Google's Trust API
Millions in Germany spied on via browsers - what to do?
How exactly are people spied on by their own computer while surfing the net? The NDR journalist Svea Eckert gained access to traded data and revealed how the apparently useful browser extension "Web of Trust" (WOT) monitors everyone who has installed the program.
1. The browser extension "Web of Trust"
2. WOT isn't the only add-on that reveals your data
3. Google Safe Browsing - a risk-benefit analysis
3.1 Deactivate URL control in Mozilla Firefox
3.2 Deactivate URL control in Google Chrome
3.3 Disable URL control in Safari
3.4 Deactivate URL control in Microsoft programs
3.5 Android apps can also use the “Safe Browsing API” from Google
4. State surveillance is based on commercial surveillance
5. What Else Can You Do?
6. What others report
The browser extension "Web of Trust"
The rating platform "Web of Trust" (WOT) offers a browser extension of the same name that promises to show its users, while they surf, whether a website can be trusted or not.
WOT isn't the only add-on that reveals your data
WOT isn't the only browser extension that purports to make surfing the web safer while invading surfers' privacy in the process. Other examples are Norton Safe Web and McAfee SiteAdvisor. You should definitely ban them from your computers. Microsoft's URL filter SmartScreen was also programmed without observing data protection (source). Unfortunately, SmartScreen is an integral part of current Windows operating systems. Giga.de, for example, describes how to deactivate its URL control in various Microsoft applications.
Google Safe Browsing - a risk-benefit analysis
Actually, in recent years it has been completely unnecessary to install an add-on such as WOT, Norton Safe Web or McAfee SiteAdvisor, because almost all web browsers have such a function built in: Google Chrome, Mozilla Firefox and Apple Safari already use the “Google Safe Browsing API” programming interface, which is switched on by default on delivery.
This interface is designed in such a way that Google almost never receives a direct message about which web document the browser is currently requesting. Instead, browsers regularly download a list of all URLs known to be dangerous. This list is also consulted for downloads, but here, in unclear cases, a further query containing precise information on the downloaded file may be made to Google. Only then is the URL of the downloaded file sent directly to Google. (This summary is based on the description in a technical document by the developers of Mozilla Firefox.)
So Google has tried to protect the privacy of API users, but researchers from the renowned French institute INRIA demonstrated in a study from February 2015 [PDF, English] that this was not entirely successful. At least in certain cases, Google has a chance of finding out the URL that was called up (by analyzing which parts of the list mentioned are reloaded during the check). The same goes for a very similar service from the Russian search engine Yandex. Provided that the content of the malware list has a particularly favorable structure for the analysis, the study believes that this service can "turn into an invisible tracker that is embedded in several software solutions."
"Google Safe Browsing" is deactivated from the start in the Tor Browser, and of course also on our privacy dongle. Tor users are believed to know what they are doing and to value privacy. Interestingly, on the other hand, Tor would be one of the most promising ways to use the Safe Browsing API anonymously. To do this, Tor would have to be built into the common browsers, which would be quite feasible.
Disable URL control in Mozilla Firefox
How Google's “Safe Browsing” can be switched on in Firefox is described here: https://support.mozilla.org/de/kb/wie-funktioniert-schutz-vor-Betrugsversuchen-und-schadprogramme. However, it is already switched on by default. If the URL control is to be deactivated, the opposite must be done and the checkmarks in the red-framed boxes must be removed, i.e.:
☰ → Settings → Security → Deactivate "Block website if it has been reported as attacking"
☰ → Settings → Security → Deactivate "Block website if it has been reported as attempted fraud"
Depending on how you weigh up the risks (protection against harmful websites and downloads on the one hand, and a possible chance for Google to identify a URL on the other), you can continue to use these functions. There is also the option of only preventing the last detailed request to Google to clarify any last doubt. This is how it works:
- Enter "about:config" in the address bar and confirm
- Confirm any reminder to be careful
- Enter "browser.safebrowsing.downloads.remote.enabled" in the search field, the list below the search field then contains only one entry
- To switch off, set the value to "false" (double click on the entry toggles between "true" and "false")
A possible result of this risk assessment could also be to use these security functions to the fullest extent possible for the best possible protection against malware. In this case, the standard settings do not have to be changed.
Disable URL control in Google Chrome
The corresponding settings can be found in the Chrome browser as follows:
⋮ → Settings → “Show advanced settings” → “Data protection” → “Protect me and my device from harmful websites”
⋮ → Settings → “Show advanced settings” → “Data protection” → “Automatically send details of possible security incidents to Google”
However, there are indications that Chrome continues to communicate with the "Safe Browsing" API regardless. If you do not want this, you have to forbid your computer from contacting the servers safebrowsing.clients.google.com and safebrowsing-cache.google.com, for example in the firewall or through entries in the hosts file. Or better yet, say goodbye to Chrome entirely, as we have long recommended.
Disable URL control in Safari
⚙ → Settings… → Security → Switch off "Warn about fraudulent content"
Disable URL control in Microsoft programs
We do not recommend using Microsoft browsers, but if you need to use them, here are tips on how to disable SmartScreen.
Android apps can also use the “Safe Browsing API” from Google
Not only web browsers are affected: any Android app can also use Google's “Safe Browsing API”. What the mobile operating system does not have, however, is a setting that prevents contact with this Google interface. Technically savvy owners of rooted devices can add appropriate entries to the hosts file, just like under Linux.
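The hosts-file blocking mentioned above for Chrome and for rooted Android devices, as an added example that is not part of the original article: it appends sink entries for the two server names the article gives, skips hosts that are already blocked, and copes with a file whose last line lacks a newline. The sink address 0.0.0.0 and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article). Assumptions: 0.0.0.0 as sink address;
# the function names below are illustrative.
SB_HOSTS="safebrowsing.clients.google.com safebrowsing-cache.google.com"

# is_blocked FILE HOST: succeed if an active (uncommented) line maps HOST
# to 0.0.0.0 or 127.0.0.1. Hostnames are compared case-insensitively.
is_blocked() {
    awk -v host="$2" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == "0.0.0.0" || $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) if (tolower($i) == host) found = 1
        }
        END { exit !found }
    ' "$1"
}

# block_hosts FILE: append a sink entry for every Safe Browsing host that is
# not blocked yet. Safe to run repeatedly; existing lines are never rewritten.
block_hosts() {
    # A last line without a trailing newline would otherwise swallow our entry.
    [ -n "$(tail -c 1 "$1")" ] && echo >> "$1"
    for h in $SB_HOSTS; do
        is_blocked "$1" "$h" || printf '0.0.0.0 %s\n' "$h" >> "$1"
    done
}

# Demo on a constructed sample file; the real /etc/hosts is not touched.
demo=$(mktemp)
printf '127.0.0.1 localhost\n# 0.0.0.0 safebrowsing.clients.google.com' > "$demo"
block_hosts "$demo"
cat "$demo"
rm -f "$demo"
```

On a real system the target is the system hosts file (`/etc/hosts` on Linux), which requires root to modify.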
State surveillance is based on commercial surveillance
As became known through presentations (PDF from eff.org) that Edward Snowden freed from the NSA, the secret services NSA and GCHQ use the cookies set by the "Safe Browsing" function, and the globally unique number (GooglePREFID) contained therein, to uniquely identify computers and smartphones. Ed Felten, professor of computer science and public affairs at Princeton University, told the Washington Post:
This shows a connection between the tracking done for web statistics and online advertising and the attacks by the NSA. Those who allow themselves to be monitored for advertising purposes make themselves more susceptible to such attacks.
In Firefox, delete Google cookies as follows:
☰ → Settings → Data protection → “Show cookies” → Enter “Google” in the search box and click “Remove selected cookies” until all are gone
What else can you do?
- On our page on digital self-defense, we explain how people can leave fewer traces on the internet while surfing: Leave fewer traces on the internet - anti-tracking tools
- If you happen to be programming web applications, please make sure not to use any personally identifiable information such as login and name as part of the URL, because URLs find their way into log files more often than other Internet data. Prefer POST over GET.
What others report
Text: CC BY 4.0 Christian Pietsch, Friedemann Ebelt and Sebastian Lisken with input from the Digitalcourage working group on digital self-defense
Image: CC BY-SA 2.0 fsse8info