Re: [anti-abuse-wg] Google Privacy Abuse
Your assertion is wrong: Google safebrowsing works by comparing the URL to a local list, which the browser downloads from Google's Servers. Browser do not send the URL to Google for checking. See for example
https://superuser.com/questions/832608/what-is-being-send-to-received-from-s...
Some ISPs in the US collect URLs from http traffic, but not https traffic, the later does not work. THat is indeed concerneing, but has nothing to do with Google. What Google or other see, however is URLs going through URL shortners,, or the urls you click on a Google page. Also trackers, embedded in many websites deliver info back to Google (or whatever tracker site). This again something that should be made a bit more transparent. I do feel it is very important to base any discussions surrounding the important topics discussed on this list on verifiable facts and not on claims or fear. Best Serge On 15/03/2019 13:41, Fi Shing wrote:
/"And no, You are also wrong: Opera does not upload your visited URL's to a third party server."/
If opera (like chrome, edge or firefox) check the URL to see if it is "dangerous" (a phishing URL etc) then that is logged on their end, when it checks the database to see if the link has been flagged.
This is the price that people pay for "free" browsers.
Google protects you from "phishing websites", whilst archiving your website access, and then sells that as marketing data to who ever will buy it.
-------- Original Message -------- Subject: Re: [anti-abuse-wg] Google Privacy Abuse From: ac <ac@main.me <mailto:ac@main.me>> Date: Thu, March 14, 2019 8:16 pm To: anti-abuse-wg@ripe.net <mailto:anti-abuse-wg@ripe.net>
Hi Esa,
No, you are wrong... the URL's are not available to anyone.
What is available to the ISP is the domain name lookup. (this is also available to the DNS servers, etc - just the domain name)
And no, You are also wrong: Opera does not upload your visited URL's to a third party server.
Up to now, nobody has even tried this as it is abuse / abusive
HTTPS URL's, themselves frequently contain personal data and other sensitive info, as the URL itself is supposes to be part of the encrypted session.
And, this is the whole point of all of this.
If Google starts saving all URL's and link that with the local cache (because they control the local software), the effect will be an increase in speed (as the media does not have to come over the encrypted session)
This will probably eventually FORCE Opera/Firefox/insert name here - to also operate in this fashion, as users will want the speed - and they will not know that it is less secure / less private, etc.
This is a major issue and not a small issue, it will eventually affect all of us.
for example, one of my bank URL at login is:
then, later in the session: https://nameofbank.com/?id=x&transfer=1 etc etc
This, right now, is not an issue as the URL itself is encrypted
it is a major invasion of privacy that a third party vendor, supplying "free" software is also now recording url's which gives them two advantages over the ethical software providers. Not only that but that their "innovation" of breaking the HTTPS protocol, may force other vendors to go down the same path as the "consumers" are too lazy or uninformed to understand what it happening.
If society does nothing about this case of a multinational leveraging people against people's bad behavior (or poor choices - as Ronald said: use a different browser) this will eventually affect us all.
On Thu, 14 Mar 2019 09:53:47 +0100 Esa Laitinen <esa@laitinen.org <mailto:esa@laitinen.org>> wrote:
> On Thu, Mar 14, 2019 at 6:05 AM ac <ac@main.me <mailto:ac@main.me>> wrote: > > > HTTPS protocol, by design, is secure and private. > > > > The average consumer expects this to be true. > > > > Google had to actually go and change, in an "under cover" way, the > > entire way and method that HTTPS works. This "change" is being sold > > as a "good thing" to poor people and/or people with low bandwidth > > and that Google is doing a "good thing" by making this change. > > > > Dear Andre > > The URLs you're accessing are also available for > > - your ISP > - your VPN provider (unless you've rolled your own) > and some information is also potentially stored by > - your DNS provider > > And Opera browser has been doing similar things when you've enabled > the bandwidth savings. > > or am I missing something? > > OK. I'm ignoring here that this particular thingi is using MITM > methods to do the optimization, which is for me a bit more worrying > than google having access to the URLs I browse. They have them mostly > anyway. > > But, it is a choice a user makes, it is not forced upon them. > > > Yours, > > esa > > >
-- Dr. Serge Droz Member of the FIRST Board of Directors Senior Advisor https://www.first.org https://www.ict4peace.org
this thread: Google Privacy Abuse has NOTHING to do with safebrowsing and you are either deliberately causing obfuscation or you are legit in your own confusion? Simply: In my original post I included a link to slashgear.com Please do read my initial post. Then, regarding https URL's: It is a simple technical fact that ISP's etc - Do Not Have, receive or are able to read the actual URL. - Please do see the https protocol itself, for additional information. You are correct in only one of your assertions and your feelings: I agree 100% that this is an important topic On Fri, 15 Mar 2019 20:37:04 +0100 Serge Droz via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Your assertion is wrong:
Google safebrowsing works by comparing the URL to a local list, which the browser downloads from Google's Servers. Browser do not send the URL to Google for checking.
See for example
https://superuser.com/questions/832608/what-is-being-send-to-received-from-s...
Some ISPs in the US collect URLs from http traffic, but not https traffic, the later does not work. THat is indeed concerneing, but has nothing to do with Google.
What Google or other see, however is URLs going through URL shortners,, or the urls you click on a Google page.
Also trackers, embedded in many websites deliver info back to Google (or whatever tracker site). This again something that should be made a bit more transparent.
I do feel it is very important to base any discussions surrounding the important topics discussed on this list on verifiable facts and not on claims or fear.
Best Serge
On 15/03/2019 13:41, Fi Shing wrote:
/"And no, You are also wrong: Opera does not upload your visited URL's to a third party server."/
If opera (like chrome, edge or firefox) check the URL to see if it is "dangerous" (a phishing URL etc) then that is logged on their end, when it checks the database to see if the link has been flagged.
This is the price that people pay for "free" browsers.
Google protects you from "phishing websites", whilst archiving your website access, and then sells that as marketing data to who ever will buy it.
-------- Original Message -------- Subject: Re: [anti-abuse-wg] Google Privacy Abuse From: ac <ac@main.me <mailto:ac@main.me>> Date: Thu, March 14, 2019 8:16 pm To: anti-abuse-wg@ripe.net <mailto:anti-abuse-wg@ripe.net>
Hi Esa,
No, you are wrong... the URL's are not available to anyone.
What is available to the ISP is the domain name lookup. (this is also available to the DNS servers, etc - just the domain name)
And no, You are also wrong: Opera does not upload your visited URL's to a third party server.
Up to now, nobody has even tried this as it is abuse / abusive
HTTPS URL's, themselves frequently contain personal data and other sensitive info, as the URL itself is supposes to be part of the encrypted session.
And, this is the whole point of all of this.
If Google starts saving all URL's and link that with the local cache (because they control the local software), the effect will be an increase in speed (as the media does not have to come over the encrypted session)
This will probably eventually FORCE Opera/Firefox/insert name here - to also operate in this fashion, as users will want the speed - and they will not know that it is less secure / less private, etc.
This is a major issue and not a small issue, it will eventually affect all of us.
for example, one of my bank URL at login is:
then, later in the session: https://nameofbank.com/?id=x&transfer=1 etc etc
This, right now, is not an issue as the URL itself is encrypted
it is a major invasion of privacy that a third party vendor, supplying "free" software is also now recording url's which gives them two advantages over the ethical software providers. Not only that but that their "innovation" of breaking the HTTPS protocol, may force other vendors to go down the same path as the "consumers" are too lazy or uninformed to understand what it happening.
If society does nothing about this case of a multinational leveraging people against people's bad behavior (or poor choices - as Ronald said: use a different browser) this will eventually affect us all.
On Thu, 14 Mar 2019 09:53:47 +0100 Esa Laitinen <esa@laitinen.org <mailto:esa@laitinen.org>> wrote:
> On Thu, Mar 14, 2019 at 6:05 AM ac <ac@main.me > <mailto:ac@main.me>> wrote: > > HTTPS protocol, by design, is secure and private. > > > > The average consumer expects this to be true. > > > > Google had to actually go and change, in an "under cover" > > way, the entire way and method that HTTPS works. This > > "change" is being sold as a "good thing" to poor people > > and/or people with low bandwidth and that Google is doing a > > "good thing" by making this change. > > Dear Andre > > The URLs you're accessing are also available for > > - your ISP > - your VPN provider (unless you've rolled your own) > and some information is also potentially stored by > - your DNS provider > > And Opera browser has been doing similar things when you've > enabled the bandwidth savings. > > or am I missing something? > > OK. I'm ignoring here that this particular thingi is using > MITM methods to do the optimization, which is for me a bit > more worrying than google having access to the URLs I browse. > They have them mostly anyway. > > But, it is a choice a user makes, it is not forced upon them. > > > Yours, > > esa > > >
Dear Ac & Fi That was what I was replying to Fi's comment:
If opera (like chrome, edge or firefox) check the URL to see if it is "dangerous" (a phishing URL etc) then that is logged on their end, when it checks the database to see if the link has been flagged.
Re:
It is a simple technical fact that ISP's etc - Do Not Have, receive or are able to read the actual URL. - Please do see the https protocol itself, for additional information.
Read my answer again: It said they can see it if it is http, but not if it is https. Would you agree? Re Fi's Question:
Please provide your source of information that chrome browsers rely on a local blacklist.
See https://blog.chromium.org/2012/01/all-about-safe-browsing.html You can verify this yourself by looking at browser trafic with a MITM setup, e.h. using sslsplit Best Serge -- Dr. Serge Droz Member of the FIRST Board of Directors Senior Advisor https://www.first.org https://www.ict4peace.org
Serge, This thread is not about safebrowsing... - there is no problem/abuse with safebrowsing as the local list is compared by the browser to the visited URL. So: Safebrowsing is fine (No Abuse, afaik) I understand that you, and many others, thought that this post is about existing technology. No, it is "new" tech, that Google has introduced in only one version of it's Chrome product. Please do read my initial post? And yes, http anyone can see (it is not encrypted) It is good that we are discussing all this, as it helps even tech's to understand why the ABUSE by GOOGLE in this thread, is so dangerous and why it is so important What Google is now selling as "NEW technology: is in fact ABUSE and it threatens world freedom as them doing this will "force" other browsers to do the same in order to deliver faster speeds to their own users On Sat, 16 Mar 2019 09:45:03 +0100 Serge Droz via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Dear Ac & Fi
That was what I was replying to Fi's comment:
If opera (like chrome, edge or firefox) check the URL to see if it is "dangerous" (a phishing URL etc) then that is logged on their end, when it checks the database to see if the link has been flagged.
Re:
It is a simple technical fact that ISP's etc - Do Not Have, receive or are able to read the actual URL. - Please do see the https protocol itself, for additional information.
Read my answer again: It said they can see it if it is http, but not if it is https.
Would you agree?
Re Fi's Question:
Please provide your source of information that chrome browsers rely on a local blacklist.
See https://blog.chromium.org/2012/01/all-about-safe-browsing.html
You can verify this yourself by looking at browser trafic with a MITM setup, e.h. using sslsplit
Best Serge
participants (3)
-
ac -
Fi Shing -
Serge Droz