New Update Bitdefender Trafficlight still transmits every site in clear text?

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Btw, if you check Fabian's comment, he never really said that Trafficlight sends every url back to them in clear text. He just said they send every url. Here's the comment: Privacy Alert - Mozilla removes all Avast Firefox extensions
I myself tested back then and it was same as now. The data was being sent encrypted. Personally I'm okay with urls being sent back to them because they're not sending any personal data and not selling users data like Avast.
 

Pat MacKnife

Level 15
Verified
Top Poster
Well-known
Jul 14, 2015
725
Read this statement on BD forum :

Bitdefender TrafficLight monitors the HTTP traffic and sends the URL links to our labs for analysis purposes. If you access a malicious website, TrafficLight will detect it and will block it.

The content of a web page is scanned (read), but TrafficLight doesn't collect passwords, phone numbers or credit card information.

Rest assured that Bitdefender monitors data only to protect your computer against malicious attacks. You can find more information about data collection in the End User License Agreement attached to this mail.



 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Read this statement on BD forum :

Bitdefender TrafficLight monitors the HTTP traffic and sends the URL links to our labs for analysis purposes. If you access a malicious website, TrafficLight will detect it and will block it.

The content of a web page is scanned (read), but TrafficLight doesn't collect passwords, phone numbers or credit card information.

Rest assured that Bitdefender monitors data only to protect your computer against malicious attacks. You can find more information about data collection in the End User License Agreement attached to this mail.



Do you happen to know if it can/does scan malicious scripts in a webpage?
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Btw, if you check Fabian's comment, he never really said that Trafficlight sends every url back to them in clear text. He just said they send every url. Here's the comment: Privacy Alert - Mozilla removes all Avast Firefox extensions
I myself tested back then and it was same as now. The data was being sent encrypted. Personally I'm okay with urls being sent back to them because they're not sending any personal data and not selling users data like Avast.
This is the same case with smartscreen I believe.
 

Tiamati

Level 12
Thread author
Verified
Top Poster
Well-known
Nov 8, 2016
574
Btw, if you check Fabian's comment, he never really said that Trafficlight sends every url back to them in clear text. He just said they send every url. Here's the comment: Privacy Alert - Mozilla removes all Avast Firefox extensions
I myself tested back then and it was same as now. The data was being sent encrypted. Personally I'm okay with urls being sent back to them because they're not sending any personal data and not selling users data like Avast.

The problem with that post is that it gave me the impression (in the first moment) that the clear text could be read by anyone. Furthermore, i saw a lot of people in this forum and others considering that BTL should not be used because it was sending clear text (meaning it was not encrypted). However when i checked, i realized that it was not exactly that. So i made THIS post to make it clear to everyone. The urls are sent in clear text indeed but through encrypted connection and under a restrict privacy policy. Not so bad as Fabian made it sound.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
The problem with that post is that it gave me the impression (in the first moment) that the clear text could be read by anyone. Furthermore, i saw a lot of people in this forum and others considering that BTL should not be used because it was sending clear text (meaning it was not encrypted). However when i checked, i realized that it was not exactly that. So i made THIS post to make it clear to everyone. The urls are sent in clear text indeed but through encrypted connection and under a restrict privacy policy. Not so bad as Fabian made it sound.
The fact that both BTL and Smartscreen check full urls and have some of the best results in testing may not be a coincidence.
;)
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
The problem with that post is that it gave me the impression (in the first moment) that the clear text could be read by anyone. Furthermore, i saw a lot of people in this forum and others considering that BTL should not be used because it was sending clear text (meaning it was not encrypted). However when i checked, i realized that it was not exactly that. So i made THIS post to make it clear to everyone. The urls are sent in clear text indeed but through encrypted connection and under a restrict privacy policy. Not so bad as Fabian made it sound.
Hmm you're right. It's nice that you created this thread. Any confusion anyone had should be clear now.

This is the same case with smartscreen I believe.
Hmm I think so.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Once the URLs leave your machine, you lose control over what it's used for. Whether that's okay to you is a matter of your trust and personal preference -- I'm personally concerned but I err on the side of extreme caution when it comes to my privacy and trusting vendors with my private data. Examples of how this information can be abused:

  • How well is the destination controlled to BitDefender? Is it certificate pinned? Is it correctly checking certificate chains to begin with? Could it be combined with something like an enterprise SSL filtering system to reveal your URLs to parties other than BitDefender?
  • Who within BitDefender has access to the scanning server? Could they hire an unscrupulous employee or intern and use that as a way of monitoring your browser history?
  • What else is or could BitDefender do with this data if they get acquired or money gets tight? Privacy Policies usually allow for them to be modified with just a notification to you to read the lengthy document again.
  • Who could compel BitDefender to give away this data?
All in all, if the only visibility you have (which it is unless you work there) is a Privacy Policy, which is virtually meaningless. How many times has a breach or vulnerability resulted in a company inadvertently violating those promises to you? Do they get punished for it? (not really, very inconsequential in most cases).


Finally you have to consider whether or not URLs are private to you. While at first glance they don't seem super private, there are cases where they could be:
  • The time and location from which you accessed a URL could be just as sensitive as the URL itself. This might reveal whether you are home or on your phone, or whether you're looking at personal or non-personal stuff while at work, etc etc etc.
  • Many services (Facebook photos, OneDrive, many cloud photo viewer services) send photos to you as a long URL where a randomly generated key in the URL is basically the only form of authentication. They assume that by delivering this URL to you via HTTPS, if you were able to produce this URL again, you must be the original user since nobody else could've seen it. As a result, they will usually grant you access to private photos/files simply by producing the URL, without any cookies or anything else around it.
  • Some services leak information about you via the URL. For example, this reply page I'm typing of has a unique asset request for macdefender.83059/ to deliver me my avatar and profile info. The size of the asset in the title bar is unique to the fact that I'm logged in, as opposed to just viewing a post by me. This could be used to deanonymize you.
  • Some services give a ton of information about what you're doing as part of the URL scheme -- I've seen banking sites contain URLs that include your checking / routing account numbers, or video players say exactly what time you paused some TV show, or send out an analytics URL frame like that every time you tap. For example, almost every streaming TV service reports their ratings this way to their own analytics server. By transmitting those URLs to BitDefender, you've given them personal information that was only intended to be given to your streaming TV services. You might be okay with saying "Ok NetFlix knows what I watched and when, it's impossible for me to hide that from them", but are you okay extending that to BitDefender as well?
  • This data is transmitted whether or not it's an internal or external website. Company intranets tend to have a lot more private information. What if your next secret product has an internal wiki and you're sending the title of those wiki pages over to BitDefender?

Just some stuff to think about. For some people maybe you genuinely are okay with this. For others, this might give you more pause. By default, your URLs over HTTPs are reasonably private. Most browsers' have a built in SmartScreen or URL screening service but they tend to use tiered hashes and they tend to fetch packs of hashes in a way that does not reveal when you visited what.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
The problem with that post is that it gave me the impression (in the first moment) that the clear text could be read by anyone. Furthermore, i saw a lot of people in this forum and others considering that BTL should not be used because it was sending clear text (meaning it was not encrypted). However when i checked, i realized that it was not exactly that. So i made THIS post to make it clear to everyone. The urls are sent in clear text indeed but through encrypted connection and under a restrict privacy policy. Not so bad as Fabian made it sound.
Guess it's the comparison between products that send full URLs and those don't. And if Bitdefender actually needs to send URLs.

My question is, does anyone know if sending hashes would reduce Bitdefender's protection?
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Just for anyone wondering, looking at the headers for Malwarebytes Browser Guard they seem to send hashes instead of full urls if I am reading the content properly. They also use TLS 1.3. I'd say if you are using Bitdefender as your AV and don't want HTTPS inspection then BD Trafficlight is a good addition, they could abuse your data anyway so you must trust them to run their AV. If you don't then MBG may be the way to go.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
A lot of browsers have this functionality built in, including Google Chrome. And most browsers implementing these use the second form of the Safe Browsing APIs where you download hashed prefixed packs of URLs, Overview | Safe Browsing APIs (v4) | Google Developers

As a result, instead of a single hashed URL lookup, your browser will download a large pack of definitions that encompass a lot of different URLs with the same prefix, adding a bit of extra anonymity and also resulting in fewer repeat lookups if you are visiting similar sites.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
A lot of browsers have this functionality built in, including Google Chrome. And most browsers implementing these use the second form of the Safe Browsing APIs where you download hashed prefixed packs of URLs, Overview | Safe Browsing APIs (v4) | Google Developers

As a result, instead of a single hashed URL lookup, your browser will download a large pack of definitions that encompass a lot of different URLs with the same prefix, adding a bit of extra anonymity and also resulting in fewer repeat lookups if you are visiting similar sites.
However in our own @Evjl's Rain 's testing it seems SafeBrowsing isn't as effective as Malwarebytes Browser Guard, WD BrowserProtection, and Trafficlight.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
However looking back over the old tests Chrome was just barely behind the top extensions, and really none of these sites stay live for very long anyway. So, you are probably right, extensions at least with Chrome, FF, or Edge may be mostly redundant.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
However in our own @Evjl's Rain 's testing it seems SafeBrowsing isn't as effective as Malwarebytes Browser Guard, WD BrowserProtection, and Trafficlight.

That's very much possible and believable. Factors could range from the quality of Google's databases compared to premium third party products, to the kind of caching they have to do to give you downloadable packs of URL hashes.

A lot of it boils down to the balance between privacy, trust, and protection that the user desires.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Just for anyone wondering, looking at the headers for Malwarebytes Browser Guard they seem to send hashes instead of full urls if I am reading the content properly. They also use TLS 1.3. I'd say if you are using Bitdefender as your AV and don't want HTTPS inspection then BD Trafficlight is a good addition, they could abuse your data anyway so you must trust them to run their AV. If you don't then MBG may be the way to go.
According to Fabian, he considers Malwarebytes Browser Guard to be one of the privacy-concious extensions.

So not only MBG does really good in testing but it's also good for privacy.
 

Tiamati

Level 12
Thread author
Verified
Top Poster
Well-known
Nov 8, 2016
574
Just for anyone wondering, looking at the headers for Malwarebytes Browser Guard they seem to send hashes instead of full urls if I am reading the content properly. They also use TLS 1.3. I'd say if you are using Bitdefender as your AV and don't want HTTPS inspection then BD Trafficlight is a good addition, they could abuse your data anyway so you must trust them to run their AV. If you don't then MBG may be the way to go.


I checked and despite i run some sites, MBG only connected to one url for update. It was in clear text and used TLS 1.2.

1587079850582.png


The url was:


The "Console" tab showed that it was inspecting pages and whitelisting them, probably based on its local database. However i can't confirm that. But, if i'm correct, the requested url would be a way to update the mentioned database. Maybe, if Malwarebytes acts comparing and processing your sites/files/images/scripts with a list locally, it would explain why so many people complain about its impact in performance and loading pages. If you visit a few pages and check the console tab, you'll see that it does a LOT more process than BTL

1587078674311.png


However it's not clear if the database updated by MBG contains a whole list of sites, or only the ones you visit. It seems to be the first option, cause after the update, i loaded a few pages without any further requests from MBG. Despite that, after some digging, and exploring less known pages, MBG requested some info using hashs and TLS 1.3.

There is no way i can confirm, but i would assume that MBG works locally with a database of frequently asked pages. But if you access anything that is not usual, it will request it through TLS 1.3 using hashs. That's good. Maybe someone could help me to confirm that. Maybe @Fabian Wosar

extensions at least with Chrome, FF, or Edge may be mostly redundant.
Indeed. However we must keep attention with browsers not fully compatible with AV, like Brave. For example, it can't be protected by kaspersky antipishing protection, but it can use BTL for that.

According to Fabian, he considers Malwarebytes Browser Guard to be one of the privacy-concious extensions.

Good to know. Unfortunately, it's heavy. =[
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
I checked and despite i run some sites, MBG only connected to one url for update. It was in clear text and used TLS 1.2.

View attachment 237506

The url was:



The "Console" tab showed that it was inspecting pages and whitelisting them, probably based on its local database. However i can't confirm that. But, if i'm correct, the requested url would be a way to update the mentioned database. Maybe, if Malwarebytes acts comparing and processing your sites/files/images/scripts with a list locally, it would explain why so many people complain about its impact in performance and loading pages. If you visit a few pages and check the console tab, you'll see that it does a LOT more process than BTL

View attachment 237504

However it's not clear if the database updated by MBG contains a whole list of sites, or only the ones you visit. It seems to be the first option, cause after the update, i loaded a few pages without any further requests from MBG. Despite that, after some digging, and exploring less known pages, MBG requested some info using hashs and TLS 1.3.

There is no way i can confirm, but i would assume that MBG works locally with a database of frequently asked pages. But if you access anything that is not usual, it will request it through TLS 1.3 using hashs. That's good. Maybe someone could help me to confirm that. Maybe @Fabian Wosar


Indeed. However we must keep attention with browsers not fully compatible with AV, like Brave. For example, it can't be protected by kaspersky antipishing protection, but it can use BTL for that.



Good to know. Unfortunately, it's heavy. =[
That’s interesting. I turned it on for the first time in a while and it connected to the same URL several times, but under security it listed TLS 1.3. However I didn’t check all of the connections to see the security. Also, I bet if I leave it on and go back it’ll just make the one connection like you noted to update. Definitely a lot going on under the hood. It doesn’t give me many problems browsing. I just turn off the very poor ad blocking when I’m using it.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top