Wednesday, August 12, 2009
Google Safe Browsing can be used to track users?
I was just looking at some HTTP requests using the TamperData extension for Firefox. There amongst the requests I wanted to look at was an unexpected request. It was an update request for Google Safe Browsing. In that request there was a long wrkey parameter. The server provides a shared secret key via HTTPS. Updates are then retrieved via ordinary HTTP, and the key can be used to verify that the update has not been tampered with. Unfortunately, the key can also be used to track individual users. Why couldn't they simply use HTTPS?