Bitdefender Trafficlight still transmits every site in clear text?
<blockquote data-quote="MacDefender" data-source="post: 873047" data-attributes="member: 83059"><p>Once the URLs leave your machine, you lose control over what they're used for. Whether that's okay with you is a matter of your trust and personal preference -- I'm personally concerned, but I err on the side of extreme caution when it comes to my privacy and trusting vendors with my private data. Examples of how this information can be abused:</p>
<ul>
<li data-xf-list-type="ul">How well is the destination controlled to BitDefender? Is it certificate pinned? Is it correctly checking certificate chains to begin with? Could it be combined with something like an enterprise SSL filtering system to reveal your URLs to parties other than BitDefender?</li>
<li data-xf-list-type="ul">Who within BitDefender has access to the scanning server? Could they hire an unscrupulous employee or intern and use that as a way of monitoring your browser history?</li>
<li data-xf-list-type="ul">What else does or could BitDefender do with this data if they get acquired or money gets tight? Privacy Policies usually allow for them to be modified with just a notification to you to read the lengthy document again.</li>
<li data-xf-list-type="ul">Who could compel BitDefender to give away this data?</li>
</ul>
<p>All in all, the only visibility you have (unless you work there) is a Privacy Policy, which is virtually meaningless. How many times has a breach or vulnerability resulted in a company inadvertently violating those promises to you? Do they get punished for it? (Not really; it's very inconsequential in most cases.)</p>
<p>Finally, you have to consider whether or not URLs are private to you. While at first glance they don't seem super private, there are cases where they could be:</p>
<ul>
<li data-xf-list-type="ul">The time and location from which you accessed a URL could be just as sensitive as the URL itself. This might reveal whether you are home or on your phone, or whether you're looking at personal or non-personal stuff while at work, etc etc etc.</li>
<li data-xf-list-type="ul">Many services (Facebook photos, OneDrive, many cloud photo viewer services) send photos to you as a long URL where a randomly generated key in the URL is basically the only form of authentication. They assume that by delivering this URL to you via HTTPS, if you are able to produce this URL again, you must be the original user, since nobody else could've seen it. As a result, they will usually grant you access to private photos/files simply by producing the URL, without any cookies or anything else around it.</li>
<li data-xf-list-type="ul">Some services leak information about you via the URL. For example, this reply page I'm typing on has a unique asset request for <strong>macdefender.83059/</strong> to deliver me my avatar and profile info. The size of the asset in the title bar is unique to the fact that I'm logged in, as opposed to just viewing a post by me. This could be used to deanonymize you.</li>
<li data-xf-list-type="ul">Some services give a ton of information about what you're doing as part of the URL scheme -- I've seen banking sites contain URLs that include your checking / routing account numbers, or video players say exactly what time you paused some TV show, or send out an analytics URL frame like that every time you tap. For example, almost every streaming TV service reports their ratings this way to their own analytics server. By transmitting those URLs to BitDefender, you've given them personal information that was only intended to be given to your streaming TV service. You might be okay with saying "Ok, NetFlix knows what I watched and when, it's impossible for me to hide that from them", but are you okay extending that to BitDefender as well?</li>
<li data-xf-list-type="ul">This data is transmitted whether it's an internal or external website. Company intranets tend to have a lot more private information. What if your next secret product has an internal wiki and you're sending the titles of those wiki pages over to BitDefender?</li>
</ul>
<p>Just some stuff to think about. For some people, maybe you genuinely are okay with this. For others, this might give you more pause. By default, your URLs over HTTPS are reasonably private. Most browsers have a built-in SmartScreen or URL screening service, but they tend to use tiered hashes and fetch packs of hashes in a way that does not reveal when you visited what.</p></blockquote>
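An added example, not part of MacDefender's post and not Bitdefender's or any browser vendor's actual code, contrasting the two designs the post ends on: sending every visited URL to a scanning server in clear text versus downloading a pack of short hash prefixes and resolving matches locally, querying the server with a prefix only when the local list hits. The blocklist, the URLs (including a constructed photo-album "capability URL" whose query string is its only authentication), the simplified canonicalisation rules, the 2-byte prefix length and the two in-process "servers" are all assumptions made for the demo; real feeds of this kind use 4-byte prefixes.

```python
"""Added example (constructed; not code from the thread or from Bitdefender).

Two ways an extension can ask "is this URL malicious?" and what the server
learns in each case:
  1. Clear-text reporting: the whole URL is sent to the scanning server.
  2. Hash-prefix lookup: the client holds a downloaded set of short prefixes
     and, only on a local prefix hit, sends that prefix to the server, which
     returns every full hash with that prefix; the client finishes the match.
"""
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Demo value so a prefix collision can be brute-forced below.
# Real Safe Browsing-style feeds use 4-byte prefixes (a 2^32 space).
PREFIX_BYTES = 2

# Constructed blocklist, and a constructed capability URL whose query string
# is the only thing protecting a private photo album.
BAD_URLS = [
    "http://Malware.Example/dl/payload.exe#ignored-fragment",
    "https://phish.example/login",
]
CAPABILITY_URL = "https://photos.example/album/9f2c1/view?key=s3cr3tR4nd0mT0k3n"


def canonicalize(url: str) -> str:
    """Simplified demo rules: lower-case scheme and host, default path "/",
    drop the fragment, keep the query (capability keys live there)."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonicalize(url).encode()).digest()


def prefix_of(url: str) -> bytes:
    return full_hash(url)[:PREFIX_BYTES]


class ClearTextScanner:
    """Server that receives whole URLs. `seen` is everything its operator,
    or anyone who breaches or compels them, could read back."""

    def __init__(self, bad_urls):
        self.bad = {canonicalize(u) for u in bad_urls}
        self.seen = []

    def scan(self, url: str) -> bool:
        self.seen.append(url)
        return canonicalize(url) in self.bad


class HashPrefixScanner:
    """Server that only ever receives short hash prefixes."""

    def __init__(self, bad_urls):
        self.by_prefix = {}
        for u in bad_urls:
            h = full_hash(u)
            self.by_prefix.setdefault(h[:PREFIX_BYTES], []).append(h)
        self.seen = []

    def prefix_list(self) -> set:
        """The 'pack of hashes' a client fetches on a timer, unrelated to
        whatever it is browsing at that moment."""
        return set(self.by_prefix)

    def find_full_hashes(self, prefix: bytes) -> list:
        self.seen.append(prefix.hex())
        return list(self.by_prefix.get(prefix, []))


def check_cleartext(server: ClearTextScanner, url: str) -> bool:
    return server.scan(url)


def check_hash_prefix(server: HashPrefixScanner, local_prefixes: set, url: str) -> bool:
    h = full_hash(url)
    if h[:PREFIX_BYTES] not in local_prefixes:
        return False  # no local hit: nothing leaves the machine at all
    return h in server.find_full_hashes(h[:PREFIX_BYTES])


def benign_url_sharing_prefix(prefix: bytes, limit: int = 1 << 22) -> str:
    """Brute-force a harmless URL whose prefix collides with `prefix`. Such a
    URL still triggers a prefix query, so the server learns 'one of the URLs
    with this prefix was visited now', but not which one."""
    for n in range(limit):
        u = f"https://benign.example/page/{n}"
        if prefix_of(u) == prefix:
            return u
    raise RuntimeError("no colliding URL found within limit")


def demo() -> dict:
    clear = ClearTextScanner(BAD_URLS)
    hp = HashPrefixScanner(BAD_URLS)
    local = hp.prefix_list()
    bad = "http://malware.example/dl/payload.exe"
    collider = benign_url_sharing_prefix(prefix_of(BAD_URLS[1]))
    return {
        "clear_bad": check_cleartext(clear, bad),
        "clear_capability": check_cleartext(clear, CAPABILITY_URL),
        "hp_bad": check_hash_prefix(hp, local, bad),
        "hp_capability": check_hash_prefix(hp, local, CAPABILITY_URL),
        "hp_collider": check_hash_prefix(hp, local, collider),
        "collider": collider,
        "clear_seen": clear.seen,  # contains the full capability URL and its key
        "hp_seen": hp.seen,        # only hex prefixes, and only for local hits
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both clients reach the same verdicts, but `clear_seen` ends up holding the album URL with its secret key, while `hp_seen` holds nothing but two-byte prefixes, and the capability URL never triggers a request at all unless its prefix happens to collide. The collider shows the residual leak of the prefix scheme: a harmless URL that shares a prefix with a listed one still causes a query, so the server learns that one of the URLs in that prefix bucket was visited, and when. That is why the post says "reasonably" rather than perfectly private. A real client would also have to follow the feed's canonicalisation rules exactly and check the host-suffix and path-prefix variants the feed expects, which this demo skips.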