What happened to the Google's Trust API

Millions in Germany spied on via browsers - what to do?

Millions in Germany spied on via browsers - what to do?

How exactly are people spied on by their own computer while surfing the net? The NDR journalist Svea Eckert gained access to traded data and revealed how the apparently useful browser extension "Web of Trust" (WOT) monitors everyone who has installed the program.

1. The browser extension "Web of Trust"
2. WOT isn't the only add-on that reveals your data
3. Google Safe Browsing - a risk-benefit analysis
3.1 Deactivate URL control in Mozilla Firefox
3.2 Deactivate URL control in Google Chrome
3.3 Disable URL control in Safari
3.4 Deactivate URL control in Microsoft programs
3.5 Android apps can also use the “Safe Browsing API” from Google
4. State surveillance is based on commercial surveillance
5. What Else Can You Do?
6. What others report

The browser extension "Web of Trust"

The evaluation platform "Web of Trust" (WOT) offers a browser extension of the same name that promises its users to show when surfing whether they can trust a website or not.

Caution: The "Web of Trust" add-on has nothing to do with the signature network of the same name for PGP keys!

In truth, however, the software breaks with its own privacy policy and sends the addresses of all pages visited to data dealers who make a profit with it. Millions of people are affected, including politicians, entrepreneurs, police officers, politically active people, judges and journalists. According to the manufacturer, the program has been downloaded more than 140 million times. The promised anonymization is easy to overturn, as the NDR research shows. Those affected can be analyzed privately and professionally and put under pressure. The browser extension "Web of Trust" should be removed - but that alone is not enough ...

WOT isn't the only add-on that reveals your data

WOT isn't the only browser extension purporting to make surfing the web safer while invading surfers' privacy in the process. Other examples are Norton Safe Web and McAfee SiteAdvisor. You should definitely ban them from your computers. Also Microsoft's URL filter SmartScreen was programmed without observing data protection (source). Unfortunately, SmartScreen is an integral part of current Windows operating systems. Giga.de, for example, describes how to deactivate its URL control in various Microsoft applications.

Google Safe Browsing - a risk-benefit analysis

Actually, in recent years it has been completely unnecessary to install an add-on such as WOT, Norton Safe Web or McAfee SiteAdvisor, because almost all web browsers have such a function built in: Google Chrome, Mozilla Firefox and Apple Safari already use the The “Google Safe Browsing API” programming interface is automatically set on delivery.

This interface is designed in such a way that Google almost never receives a direct message about which web document is currently being requested by the browser. Instead, browsers regularly download a list of all URLs known to be dangerous. This list is also consulted for downloads, but in this case it can happen that, in unclear cases, a further query is made to Google with precise information on the downloaded file. Only then will the URL of the download file be sent directly to Google. (This summary is based on the description in a technical document by the developers of Mozilla Firefox.) So Google has tried to protect the privacy of API users, but researchers from the renowned French institute INRIA published a study from February 2015 [PDF , English] demonstrated that this was not entirely successful. At least in certain cases, Google has a chance of finding out the URL called up (by analyzing which parts of the list mentioned are reloaded during the check). The same goes for a very similar service from the Russian search engine Yandex. Provided that the content of the malware list has a particularly favorable structure for the analysis, the study believes that this service can "turn into an invisible tracker that is embedded in several software solutions."

"Google Safe Browsing" is deactivated from the start in the gate browser - of course also on our privacy dongle. Tor users are believed to know what they are doing and to value privacy. Interestingly, on the other hand, Tor would be one of the most promising ways to anonymously use the Safe Browsing API. To do this, Tor would have to be built into the common browsers, which would be quite feasible.

Decide for yourself whether you want to make the decision on which website to visit with or without outside help! Please keep in mind: There is currently no completely anonymous support for checking URLs.

Disable URL control in Mozilla Firefox

Like Google's “Safe Browsing” in Firefox acan be switched, is here: https://support.mozilla.org/de/kb/wie-funktioniert-schutz-vor- Betrugsversuchen-und-schadprogramme. However, this is already switched on by default. If the URL control is to be deactivated, the opposite must be done and the checkmarks in the red-framed boxes must be removed, i.e.:

☰ → Settings → Security → Deactivate "Block website if it has been reported as attacking"

☰ → Settings → Security → Deactivate "Block website if it has been reported as attempted fraud"

Depending on how you weigh up the risks (protection against harmful websites and downloads on the one hand, and a possible chance for Google to identify a URL on the other), you can continue to use these functions. There is also the option of only preventing the last detailed request to Google to clarify any last doubt. This is how it works:

  1. Enter "about: config" in the address bar and confirm
  2. Confirm any reminder to be careful
  3. Enter "browser.safebrowsing.downloads.remote.enabled" in the search field, the list below the search field then contains only one entry
  4. To switch off, set the value to "false" (double click on the entry toggles between "true" and "false")

A possible result of this risk assessment could also be to use these security functions to the fullest extent possible for the best possible protection against malware. In this case, the standard settings do not have to be changed.

Disable URL control in Google Chrome

The corresponding settings can be found in the Chrome browser as follows:

⋮ → Settings → “Show advanced settings” → “Data protection” → “Protect me and my device from harmful websites”

⋮ → Settings → “Show advanced settings” → “Data protection” → “Automatically send details of possible security incidents to Google”

However, there are indications that Chrome continues to communicate with the "Safe Browsing" API, unimpressed. If you do not want this, you have to forbid your computer to contact the servers safebrowsing.clients.google.com and safebrowsing-cache.google.com - for example in the firewall or through entries in the hosts file. Or better yet, you're saying goodbye to Chrome entirely, as we've long recommended.

Disable URL control in Safari

⚙ → Settings… → Security → Switch off "Warn about fraudulent content"

Disable URL control in Microsoft programs

We do not recommend using Microsoft browsers, but if you need to use them, here are tips on how to disable SmartScreen.

Android apps can also use the “Safe Browsing API” from Google

Not only web browsers are affected, but also any Android apps can use Google's “Safe Browsing API”. What the mobile operating system does not have, however, is a setting option that prevents contact with this Google interface. Technically savvy owners of “root” devices can add appropriate entries to the hosts file, just like under Linux.

State surveillance is based on commercial surveillance

As was made known through presentations (PDF from eff.org) that Edward Snowden freed from the NSA, the NSA and GCHQ secret services use the cookies set by the "Safe Browsing" function and the globally unique number (GooglePREFID) contained therein, to clearly identify computers and smartphones. Ed Felten, professor of computer science and public affairs at Princeton University, told the Washington Post:

This shows a connection between the tracking done for web statistics and online advertising and the attacks by the NSA. Those who allow themselves to be monitored for advertising purposes make themselves more susceptible to such attacks.

In Firefox, delete Google cookies as follows:

☰ → Settings → Data protection → “Show cookies” → Enter “Google” in the search box and click “Remove selected cookies” until all are gone

What else can you do

  • On our page on digital self-defense, we explain how people can leave fewer traces on the internet while surfing: Leave fewer traces on the internet - anti-tracking tools
  • If you happen to be programming web applications, please make sure not to use any personally identifiable information such as login and name as part of the URL. Because URLs find their way into log files more often than other Internet data. Do you prefer POST instead of GET.

What others report

Text: CC BY 4.0 Christian Pietsch, Friedemann Ebelt and Sebastian Lisken with input from the digital courage working group on digital self-defense

Image: CC BY-SA 2.0fsse8info

  • Sign in to post comments
Published on 11/10/2016