Aller au contenu
Korben, roi d’internet, logo bébé avec des lunettes en mode thug life

Two Things That Bother Me About Google’s New Firefox Extension

Source: blog O’reilly

"Here are two things that bother me about this extension:

1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e in the URL, such as a credit card number), this will now be transmitted to in clear-text, allowing someone on your network segment, or any router in between yourself and to sniff the information off the wire.

2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.

I am more worried about the issue #1. However, I do realize that web applications should be designed to use POST in order to send sensitive information, but the fact of the matter is that many web applications do not follow this guideline. Google’s extension makes this situation worse by transmitting this information over clear text (assuming the web application uses SSL). This extension is designed to help protect users from illegitimate resources, but the irony is that it has the potential to expose sensitive information about you when you visit legitimate resources!

So there you have it – my preliminary analysis of Google’s new Firefox extension."

Read More here…

and Firefox extension is here

Les articles du moment