Online Security extension: Destroying privacy for no good reason

Gandalf_The_Grey

Level 79
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,849
These days it’s typical for antivirus vendors to provide you with a browser extension which is meant to improve your online security. I’ll say up front: I don’t consider any such browser extensions recommendable. At best, they are worthless. At worst, they introduce massive security issues.

As an example I took a brief look at the Online Security extension by ReasonLabs. No, there is no actual reason beyond its 7 million users. I think that this extension is a fairly typical representative of its craft.

TL;DR: Most Online Security functionality is already provided by the browser, and there is little indication that it can improve on that. It does implement its functionality in a maximally privacy-unfriendly way however, sharing your browsing history and installed extensions with the vendor. There is also plenty of sloppy programming, some of which might potentially cause issues.
Conclusion

As we’ve seen, Online Security provides little to no value compared to functionality built into browsers or available for free. At the same time, it implements its functionality in a massively privacy-invading way. That’s despite better solutions to the problem being available for more than a decade and being widely publicized along with their shortcomings.

At the same time, code quality issues that I noticed in my glimpse of the extension’s source code aren’t exactly confidence instilling. As so often with antivirus vendors, there is little expertise and/or priority developing browser extensions.

If you really want to secure your browsing, it’s advisable to stay away from Online Security and similar products by antivirus vendors. What makes sense is an ad blocker, possibly configured to block trackers as well. And the antivirus better stays outside your browser.

Mind you, Windows Defender is a perfectly capable antivirus starting with Windows 10, and it’s installed by default. There is little reason to install a third-party antivirus application.
 
Last edited:

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,956
Surely most security extensions only work from a blacklist of malicious sites. Unless I'm missing something?

I don't see how that's going to be a problem. With AV/AM extensions It's basically a add blocker with a malicious URL list.
Bitdefender for example, according to their SDK information offered to third parties, claims to be sending queries to the cloud. If you dig around, you’ll see that many actually do it. Using local block lists for malicious websites is not ideal for many reasons. There are many of them and the list will have to be updated every second. Then searching every visited website against a massive list is a huge performance impact.

The cloud allows for various factors such as reputation, popularity and whois data to be inspected as well. More informed decision is taken.

I don’t agree with the author of this post that it is not for a good reason.
 

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,956
But isn't that just a blocklist in the cloud? Wouldn't they have to add a malicious site to some sort of list to know it's malicious and warn users?

Sorry I'm not very knowledgeable on such extensions. You could say I have Zero Knowledge :cool:
The blacklist is accompanied by heuristics usually and reputation check as well.
 

Wladimir Palant

Level 1
Oct 29, 2020
11
Using local block lists for malicious websites is not ideal for many reasons. There are many of them and the list will have to be updated every second. Then searching every visited website against a massive list is a huge performance impact.
Note: I am the author of this article.

All of these issues are solvable and have in fact been solved long ago (as I said: phishing protection in Firefox 2.0). Yes, one needs quite a bit of data. But I bet that you don’t even notice your browser downloading it. It doesn’t need to happen every second, the lists aren’t even being updated that often. And one can implement incremental updates to cut down download size.

Also you don’t “search … against a massive list,” that’s what hash tables are for – or other data structures that can process such lists efficiently.

Heuristics and reputation checks usually don’t result in website blocks immediately, that would lead to too many false positives. There is still someone checking these and adding websites to the overall list.
 
  • Like
Reactions: Azure

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,956
Heuristics and reputation checks usually don’t result in website blocks immediately, that would lead to too many false positives. There is still someone checking these and adding websites to the overall list.
That’s not really how it works. The purpose of checking reputation, performing just-in-time inspection and using various other automated methods (machine generated or validated), is to cut down on need for staff to double check. Phishing websites pop-up every second, by the time I write this post there are already thousands created. It is impossible even for behemoths with billions in revenue to employ enough staff and validate everything manually.

Also you don’t “search … against a massive list,” that’s what hash tables are for – or other data structures that can process such lists efficiently.
There are many methods that optimise searching processes from hash tables, to multi-threading to caching, whitelisting and whatnot. But end of the day this is a huge pile of always changing data. Using the cloud to do the heavy lifting has been implemented long time ago by many vendors across many different components, not only the web blocking.

doesn’t need to happen every second, the lists aren’t even being updated that often.
In this case the solution won’t be able to provide effective protection against phishing. Not that with the cloud vendors have managed to nail phishing protection.

And one can implement incremental updates
That’s quite obvious, but pages are short-lived and you can’t just append/prepend, you’ll need to constantly remove data as well.
 

Wladimir Palant

Level 1
Oct 29, 2020
11
Want to see a similar test done on Emsisoft and Malwarebytes
Note: I am the author of this article.

I’d love to see that as well. Unfortunately, my possibilities are limited when most of the logic is inside a binary application. I’ve been writing about quite a few individual issues, but I cannot do a comprehensive analysis of what this application does.
 
  • Like
Reactions: Azure

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top