Online Security extension: Destroying privacy for no good reason

Gandalf_The_Grey

Apr 24, 2016
These days it’s typical for antivirus vendors to provide you with a browser extension which is meant to improve your online security. I’ll say up front: I don’t consider any such browser extensions recommendable. At best, they are worthless. At worst, they introduce massive security issues.

As an example I took a brief look at the Online Security extension by ReasonLabs. No, there is no actual reason beyond its 7 million users. I think that this extension is a fairly typical representative of its craft.

TL;DR: Most Online Security functionality is already provided by the browser, and there is little indication that it can improve on that. It does implement its functionality in a maximally privacy-unfriendly way however, sharing your browsing history and installed extensions with the vendor. There is also plenty of sloppy programming, some of which might potentially cause issues.

Conclusion

As we’ve seen, Online Security provides little to no value compared to functionality built into browsers or available for free. At the same time, it implements its functionality in a massively privacy-invading way. That’s despite better solutions to the problem being available for more than a decade and being widely publicized along with their shortcomings.

At the same time, code quality issues that I noticed in my glimpse of the extension’s source code aren’t exactly confidence instilling. As so often with antivirus vendors, there is little expertise and/or priority developing browser extensions.

If you really want to secure your browsing, it’s advisable to stay away from Online Security and similar products by antivirus vendors. What makes sense is an ad blocker, possibly configured to block trackers as well. And the antivirus better stays outside your browser.

Mind you, Windows Defender is a perfectly capable antivirus starting with Windows 10, and it’s installed by default. There is little reason to install a third-party antivirus application.

Trident

Feb 7, 2023
Surely most security extensions only work from a blacklist of malicious sites. Unless I'm missing something?

I don't see how that's going to be a problem. With AV/AM extensions it's basically an ad blocker with a malicious URL list.
Bitdefender for example, according to their SDK information offered to third parties, claims to be sending queries to the cloud. If you dig around, you’ll see that many actually do it. Using local block lists for malicious websites is not ideal for many reasons. There are many of them and the list will have to be updated every second. Then searching every visited website against a massive list is a huge performance impact.

The cloud allows for various factors such as reputation, popularity and whois data to be inspected as well. A more informed decision is taken.

I don’t agree with the author of this post that it is not for a good reason.
 

Trident

Feb 7, 2023
But isn't that just a blocklist in the cloud? Wouldn't they have to add a malicious site to some sort of list to know it's malicious and warn users?

Sorry I'm not very knowledgeable on such extensions. You could say I have Zero Knowledge :cool:
The blacklist is accompanied by heuristics usually and reputation check as well.
 

Wladimir Palant

Oct 29, 2020
Using local block lists for malicious websites is not ideal for many reasons. There are many of them and the list will have to be updated every second. Then searching every visited website against a massive list is a huge performance impact.
Note: I am the author of this article.

All of these issues are solvable and have in fact been solved long ago (as I said: phishing protection in Firefox 2.0). Yes, one needs quite a bit of data. But I bet that you don’t even notice your browser downloading it. It doesn’t need to happen every second, the lists aren’t even being updated that often. And one can implement incremental updates to cut down download size.

Also you don’t “search … against a massive list,” that’s what hash tables are for – or other data structures that can process such lists efficiently.

Heuristics and reputation checks usually don’t result in website blocks immediately, that would lead to too many false positives. There is still someone checking these and adding websites to the overall list.
 

Trident

Feb 7, 2023
Heuristics and reputation checks usually don’t result in website blocks immediately, that would lead to too many false positives. There is still someone checking these and adding websites to the overall list.
That’s not really how it works. The purpose of checking reputation, performing just-in-time inspection and using various other automated methods (machine generated or validated), is to cut down on the need for staff to double check. Phishing websites pop up every second, by the time I write this post there are already thousands created. It is impossible even for behemoths with billions in revenue to employ enough staff and validate everything manually.

Also you don’t “search … against a massive list,” that’s what hash tables are for – or other data structures that can process such lists efficiently.
There are many methods that optimise searching processes, from hash tables to multi-threading to caching, whitelisting and whatnot. But at the end of the day this is a huge pile of always changing data. Using the cloud to do the heavy lifting was implemented a long time ago by many vendors across many different components, not only the web blocking.

doesn’t need to happen every second, the lists aren’t even being updated that often.
In this case the solution won’t be able to provide effective protection against phishing. Not that with the cloud vendors have managed to nail phishing protection.

And one can implement incremental updates
That’s quite obvious, but pages are short-lived and you can’t just append/prepend, you’ll need to constantly remove data as well.
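
Added example, not from the article, either poster, or any vendor's code: the local-list design the posts above argue about, sketched in Python. It keeps 4-byte SHA-256 prefixes in a hash set, applies incremental diffs that remove as well as add entries, and contacts a (simulated) server only on a prefix hit, sending the prefix rather than the URL. The prefix length, the diff format, the simplified URL canonicalization, the prefix-confirmation step and all names are assumptions of this sketch.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 kept locally (assumed for this sketch)

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

def lookup_expressions(url):
    """Host/path combinations checked for one URL (simplified canonicalization)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    # Full host plus parent domains down to two labels.
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    paths = sorted({parts.path or "/", "/"})
    return [h + p for h in hosts for p in paths]

class LocalBlocklist:
    def __init__(self):
        self.version = 0
        self.prefixes = set()  # hash set: constant-time membership, no list scan

    def apply_update(self, diff):
        """Incremental update: a diff removes expired entries and adds new ones."""
        if diff["base"] != self.version:
            raise ValueError("diff does not apply to local version; resync needed")
        self.prefixes -= set(diff["remove"])
        self.prefixes |= set(diff["add"])
        self.version = diff["version"]

    def check(self, url, confirm):
        """Local lookup first; confirm(prefix) is the only call that leaves the
        machine, and it carries a hash prefix, never the URL."""
        for expr in lookup_expressions(url):
            h = full_hash(expr)
            if h[:PREFIX_LEN] in self.prefixes and h in confirm(h[:PREFIX_LEN]):
                return "blocked"
        return "safe"

# Constructed sample data standing in for the vendor's server-side list.
SERVER_FULL = {full_hash("phish.example/login")}
SENT = []  # everything the simulated server gets to see

def confirm(prefix):
    SENT.append(prefix)
    return {h for h in SERVER_FULL if h.startswith(prefix)}

if __name__ == "__main__":
    bl = LocalBlocklist()
    p = full_hash("phish.example/login")[:PREFIX_LEN]
    bl.apply_update({"base": 0, "version": 1, "add": [p], "remove": []})
    print(bl.check("https://phish.example/login?id=1", confirm), SENT == [p])
    print(bl.check("https://news.example/article", confirm), len(SENT))
```

In this sketch a URL that matches no local prefix generates no network traffic at all, so the simulated server only ever sees the 4-byte prefix of the one blocked page.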
 

Wladimir Palant

Oct 29, 2020
Want to see a similar test done on Emsisoft and Malwarebytes
Note: I am the author of this article.

I’d love to see that as well. Unfortunately, my possibilities are limited when most of the logic is inside a binary application. I’ve been writing about quite a few individual issues, but I cannot do a comprehensive analysis of what this application does.
 