App Review Osprey Browser Protection Reviews

[Vitali Ortzi]

Actually, you don't need any data for false positives, just rank security vendors by popularity as the most popular ones tend to get very few FPs. But if you want data, take a look at already made tests by AV-Test and AV-Comparatives to determine "FP-free" security vendors. Both companies regularly test antivirus software and their web protection for false positives.

If you ask me, the three-level protection would function like this.

Spoiler

Easy: (almost no FPs)

1. Microsoft SmartScreen
2. Bitdefender Traffic Light
3. Emsisoft Web Protection
4. Quad9 Security DNS

Medium (security providers from easy +): (few FPs)

1. Symantec Browser Protection
2. Norton SafeWeb
3. GDATA WebProtection
4. Cloudflare Security DNS
5. CleanBrowsing Security DNS
6. AdGuard Security DNS

Hard: all security vendors (large number FPs)

False positives shouldn't be your job anyway. It's not like you're providing the protection service, you're just forwarding URLs to security vendors for analysis and showing the user result—that's it. This is the reason why I proposed those three levels of protection. Your job is only to warn users some security providers might wrongly detect safe websites and that's it. No need to scale down on security vendors; moreover, I'd add more of them.

Beside, protection levels make your extension extremely easy to use for all kinds of users. Because, currently, those security vendors mentioned in the extension don't mean anything to huge amount of people.

I agree
Btw about medium I think cloudflare is actually more like easy and I think that medium can be the default and then users can reduce or increase false positives based on their usage as a minority will need either easy or extreme settings like" high "

 

[Marko :)]

I agree
Btw about medium I think cloudflare is actually more like easy

I put Cloudflare in medium because they had incidents before where they blocked huge number of websites mistakenly. I don't know if they had any incidents recently though. If they got better, they could pass into easy category as well.

 

[Harputlu]

I'm content with the list of providers I have now, and I don't think it will change. They are all quite effective at blocking threats. There aren't any slouches in the lineup.
It's hard to do false-positive testing. If I had data for that, I would be able to set better default settings. I just don't have that kind of data.

I would like to ask a question if you don't misunderstand. Is there any legal problem in adding plugins of different companies to your own plugin? I hope it will not be a problem in the future.

 

[Vitali Ortzi]

I would like to ask a question if you don't misunderstand. Is there any legal problem in adding plugins of different companies to your own plugin? I hope it will not be a problem in the future.

You're allowed to do that and worst they will add auth to their api or limit it so you lose only one provider and not the whole extension as it will stay on the store since its fair use

On APIs, copyright protection and the fair use doctrine - The Cybergarden

What is an API? In simple terms, an API (Application Programming Interface) is a software intermediary that allows applications to talk to each other. For example, when you see a snippet with the weather forecast on the home screen of your mobile phone, this happens through an API which...

thecybergarden.com

Many examples of big tech doing the same and then referencing fair use

But it's up to a judge to decide what is fair use as it's a somewhat subjective metric and they all gain intelligence data from osprey (you send them url info , you vote on false positives ) and kinda free promotion(product and company that's blocking a site is mentioned)

 

[Marko :)]

I would like to ask a question if you don't misunderstand. Is there any legal problem in adding plugins of different companies to your own plugin? I hope it will not be a problem in the future.

That's a totally valid question; I myself wouldn't like to start using a service just so it would be shut down later.

Answer: if company made API publicly available and you're following their terms of usage, then it's completely legal for Osprey to use. But if the API isn't exactly publicly available and company didn't publish documentation for it, then it's illegal. Where does Osprey come in here? From what I see, it's a mixed bag.

When you open BrowserProtection.js file, there are all API URLs listed along with parameters. There's SmartScreen URL and by searching the web I couldn't find any information about Microsoft giving devs access to their SmartScreen APIs. The developer most likely captured requests made by Microsoft Edge along with parameters and added it to the extension. That isn't legal per se, because he never got Microsoft's approval to use it. Same goes for GDATA, Emsisoft and Bitdefender.

But not everything in this extension is illegal. Security DNS servers he uses as a source are completely legal and have their API URLs publicly available. They need to have them publicly available because DNS-over-HTTPS simply works this way.

Now... what are the consequences for Osprey? Of course security companies can always send him DMCA notice on Github, cease & desist letter or even start a lawsuit against him. But in reality, I don't see that happening. Though they could change the API URL in the future, stopping Osprey from checking URLs with them, or they could start using some kind of authorization. This obviously won't happen for now, but if the extension becomes really popular, that could become problem.

 

[nickstar1]

You should add malwarebytes browser guard!

 

[Marko :)]

You should add malwarebytes browser guard!

And Google Safe Browsing. They give access to their API for free.

Google Safe Browsing | Google for Developers

APIs to access the Google Safe Browsing lists of unsafe web resources.

developers.google.com

 

[Vitali Ortzi]

That's a totally valid question; I myself wouldn't like to start using a service just so it would be shut down later.

Answer: if company made API publicly available and you're following their terms of usage, then it's completely legal for Osprey to use. But if the API isn't exactly publicly available and company didn't publish documentation for it, then it's illegal. Where does Osprey come in here? From what I see, it's a mixed bag.

When you open BrowserProtection.js file, there are all API URLs listed along with parameters. There's SmartScreen URL and by searching the web I couldn't find any information about Microsoft giving devs access to their SmartScreen APIs. The developer most likely captured requests made by Microsoft Edge along with parameters and added it to the extension. That isn't legal per se, because he never got Microsoft's approval to use it. Same goes for GDATA, Emsisoft and Bitdefender.

But not everything in this extension is illegal. Security DNS servers he uses as a source are completely legal and have their API URLs publicly available. They need to have them publicly available because DNS-over-HTTPS simply works this way.

Now... what are the consequences for Osprey? Of course security companies can always send him DMCA notice on Github, cease & desist letter or even start a lawsuit against him. But in reality, I don't see that happening. Though they could change the API URL in the future, stopping Osprey from checking URLs with them, or they could start using some kind of authorization. This obviously won't happen for now, but if the extension becomes really popular, that could become problem.

Microsoft and google have done exactly the same and used other companies API without permission and judges agreed for it to fall under fair use and I can't see osprey case different except it doesn't have an army of lawyers in case a company decided to take legal action and unless osprey gets popular and you don't consider this to fall under fair use as I do and actual judges decided similar in many cases then only then and maybe a company will decide to take action and even then it will only give osprey a dmca notice to remove their api and comply and if he does you lose only one provider and probably people will already fork it and run forks (again not really illegal till a judge rules any fork is not actually fair use of that api but still the company that owns that api )



Btw many of apis used by osprey are allowed to be used for filtering some encourage their use and majority have some form of documentation about auth like usually apis do to make sure its not public well I don't think any apis used by osprey have any auth or are designed against public use

 

[Vitali Ortzi]

You should add malwarebytes browser guard!

It's on the list of unsupported providers because it downloads a list locally rather then using an API to do the filtering (logic and generally the size of the database will be a performance issue for a far less effective Malwarebytes)


Basically personally I wouldn't use Malwarebytes an to me it's either osprey only or adding checkpoint (or any extension that has a technology against zero days )

Actually maybe if someone knows how to get links that weren't published into intelligence providers then please test Some extensions against zero day pishing as anything remotely similar to popular pages will easily get blocked by checkpoint
But a fake web store that doesn't try to emulate a different page usually passes checkpoint easily (some technologies in osprey providers should in real time understand better against this types but generally fake stores are hard to detect)

 

[KnownStormChaser]

You should add malwarebytes browser guard!

And Google Safe Browsing. They give access to their API for free.

Google Safe Browsing | Google for Developers

APIs to access the Google Safe Browsing lists of unsafe web resources.

developers.google.com

Both are on the list of unsupported providers, so they can't be added to the extension.

Unsupported Providers

Browser extension that protects you from malicious websites. - Foulest/Osprey

github.com

 

[Vitali Ortzi]

And Google Safe Browsing. They give access to their API for free.

Google Safe Browsing | Google for Developers

APIs to access the Google Safe Browsing lists of unsafe web resources.

developers.google.com

He did try and was unable to but I will let him to re explain the reason
But only very a few browsers like edge will benefit from it as majority of browsers even Firefox , brave and other privacy ones include safe browsing and if you don't trust google with sending a url hash you wouldn't either what osprey does as it's the same except it can be tracked by the browser DNS since it isn't hashed

 

[Vitali Ortzi]

Both are on the list of unsupported providers, so they can't be added to the extension.

Unsupported Providers

Browser extension that protects you from malicious websites. - Foulest/Osprey

github.com

There are multiple providers that have done better in lab tests then google and osprey has them so even on edge with default smart screen (no osprey) you aren't missing anything as even smart screen in majority of tests does better then google

 

[TairikuOkami]

Anyway, the biggest mistake this extension made is the name, just like Opera and Vivaldi. It does not want to get popular, it just wants to exist. But it will fail, I will bet on it. Pure and simple.

 

[CyberDevil]

Anyway, the biggest mistake this extension made is the name, just like Opera and Vivaldi. It does not want to get popular, it just wants to exist. But it will fail, I will bet on it. Pure and simple.

What kind of failure can a hobby project suffer that parses third-party security services and costs nothing to either the creator or the user? о_О

 

[Vitali Ortzi]

What kind of failure can a hobby project suffer that parses third-party security services and costs nothing to either the creator or the user? о_О

Not just that it benefits the security providers so it's opposite as it's a benefit not a loss to them

 

[Foulest]

@Foulest, Requesting options to hide the "allow host" and "continue" buttons within the alert page.

I can add that in the next update.

 

[Foulest]

Actually, you don't need any data for false positives, just rank security vendors by popularity as the most popular ones tend to get very few FPs. But if you want data, take a look at already made tests by AV-Test and AV-Comparatives to determine "FP-free" security vendors. Both companies regularly test antivirus software and their web protection for false positives.

If you ask me, the three-level protection would function like this.

Spoiler

Easy: (almost no FPs)

1. Microsoft SmartScreen
2. Bitdefender Traffic Light
3. Emsisoft Web Protection
4. Quad9 Security DNS

Medium (security providers from easy +): (few FPs)

1. Symantec Browser Protection
2. Norton SafeWeb
3. GDATA WebProtection
4. Cloudflare Security DNS
5. CleanBrowsing Security DNS
6. AdGuard Security DNS

Hard: all security vendors (large number FPs)

False positives shouldn't be your job anyway. It's not like you're providing the protection service, you're just forwarding URLs to security vendors for analysis and showing the user result—that's it. This is the reason why I proposed those three levels of protection. Your job is only to warn users some security providers might wrongly detect safe websites and that's it. No need to scale down on security vendors; moreover, I'd add more of them.

Beside, protection levels make your extension extremely easy to use for all kinds of users. Because, currently, those security vendors mentioned in the extension don't mean anything to huge amount of people.

I can add something like that in the next update.

 

[badboy]

Thanks Shadowra! Just the other day I accidentally found out about this extension, but was confused by too few users. Now I see it more and more often in different IT blogs and channels. Of course, I installed it and activated all the engines.

I wonder another thing: are the engines from Symantec and Bitdefender really the best? Maybe other engines see bad links too, it's just that these two react faster? What do you think?

Yes, and also, dear Shadowra, it is possible to test each engine separately (disabling the others) on your little link build, isn't it? A test like this would be interesting.

 

[Vitali Ortzi]

Thanks Shadowra! Just the other day I accidentally found out about this extension, but was confused by too few users. Now I see it more and more often in different IT blogs and channels. Of course, I installed it and activated all the engines.

I wonder another thing: are the engines from Symantec and Bitdefender really the best? Maybe other engines see bad links too, it's just that these two react faster? What do you think?

Symantec(Broadcom ) and bitdefender did the best in my testing as well
So it's not a coincidence and they react faster then some other providers too hence you get faster results from them so they will detect a malicious page first before you get a response back from other providers but the difference is milliseconds

 

[Shadowra]

Thanks Shadowra! Just the other day I accidentally found out about this extension, but was confused by too few users. Now I see it more and more often in different IT blogs and channels. Of course, I installed it and activated all the engines.

I wonder another thing: are the engines from Symantec and Bitdefender really the best? Maybe other engines see bad links too, it's just that these two react faster? What do you think?

Symantec and Bitdefender are the most responsive

I don't know if I'll ever test the engines one by one, I'll have to think about it