46 Comments
- Otto, on 10/12/2007, -0/+1
When you first install the extension (and restart FF to make it install), it offers you an option to Enable Advanced Features or to not enable them. As I recall, not enabling them was the default choice.
In any case, if you turn that advanced functionality off, then this security issue no longer exists. Instead of hitting google's servers, it uses its own internal algorithms to guess if a site is phishy or not.
- datamike, on 10/12/2007, -0/+1
Someone please explain to me the need for this anti-phishing tool bar? Here's an idea: type in the name of the website you want to go to and forget about phishing. If you're clicking on links contained in emails etc., you deserve what you get.....
- crapiolio, on 10/12/2007, -1/+2
"anti-phishing apps are 4 teh n00bs."
true true!
- mattdiggme, on 10/12/2007, -0/+1
snowboarder: Yes.. but if I use this extension, I will have to start auditing all commercial apps I use to make sure none of them are badly designed to send this stuff via GET. No thanks :-D
- bdonlan, on 10/12/2007, -0/+1
data64: SSL does protect the GET request - unless you have this extension installed of course.
- mesostinky, on 10/12/2007, -0/+0
And within seconds Google fanboys Report the story so it will go away...
- snowboarder, on 10/12/2007, -1/+1
I don't think it's the extension, it's the person website who is passing values through a query string... what an idiot.
stealit.com/checkout.php?action=steal+my+card&49535098345908435345&cardtype=visa&exp=08/07
- toasterwaffle, on 10/12/2007, -0/+0
"Sorry...
Google Safe Browsing for Firefox is only available for download for users within the US.
If you are seeing this page from within the US, please contact Google at labs+safebrowsing@google.com
"
- FarcicalFart, on 10/12/2007, -0/+0
That's not much of a security issue, no apparent harm can come to the user.
- dizdaz89, on 10/12/2007, -0/+0
Honestly; I could care less if some random person knows what pages I'm browsing. The chances are slim that the information could ever be used against me. I do think Google should make use of SSL though.
I think it's perfectly fine to continue running the extension.
- mattdiggme, on 10/12/2007, -0/+0
snowboarder: If the website passes the parameters via SSL, then it's not a problem. However, the google extension will pass these parameters to google.com to check against the blacklist using HTTP (non-ssl). Please RTFA before calling someone an idiot.
- Kriz, on 10/12/2007, -0/+0
Just disable the enhanced protection.
- peerk, on 10/12/2007, -1/+1
"Honestly; I could care less if some random person knows what pages I'm browsing."
It's "couldn't care less"
- mattdiggme, on 10/12/2007, -0/+0
snowboarder: the person USING a website is not passing the value, it is the web application - how web applications work (such as a banking app) are beyond the control of users. This is still not a problem if the web app uses SSL, but with the extension, this info is transmitted to Google (entire URL) over HTTP - thus defeating the SSL protection... the problem I have with your argument is that there are thousands of badly designed web apps, and this extension makes the situation worse
- tennisballg, on 10/12/2007, -0/+0
mattdiggme, the point is that nobody who knows what they are doing would send sensitive private information via query string, as has been illustrated in the post you ignorantly bashed.
- aresef, on 10/12/2007, -1/+1
Digg needs a category for irony.
- majik, on 10/12/2007, -1/+1
^that comment is somewhat pointless. it is obvious about enabling this option when the extension is being installed. it's not as if it's enabled by default and you don't get a chance to disable it during the install. you get a big window explaining the difference.
the link on this digg *is* worth reading though.
- mattdiggme, on 10/12/2007, -0/+0
tennisballg: yes but if your grandmother's Banking app sends this information, do you expect your grandmother to know and correct this? yes the application itself is at fault, but it is still OK if it's via SSL, however the extension transmits this information via clear text to Google. Most users of the extension aren't savvy enough to know their private information is being transmitted via GET requests over HTTP thanks to the extension, and most users do not have control over the web applications they use, however badly designed they may be
- lava, on 10/12/2007, -0/+0
ok, question... wouldn't this extension warn you before you start putting your personal information?
Also, if there's any application that submits any sensitive information via a GET request... damn, then that site should get blacklisted, IMO
- snowboarder, on 10/12/2007, -0/+0
exactly, lava, they are the retarted one. This is a security issue even without google's extension in the equation
- johnnyhay, on 10/12/2007, -0/+0
Yeah and the odds of someone having this on their system? 1 out of ...
- ssaha, on 10/12/2007, -0/+0
BETA???
- mattdiggme, on 10/12/2007, -0/+0
Otto: Yes there are, just search bugtraq.
- snowboarder, on 10/12/2007, -0/+0
what commercial app may this be so I can delete my account?
- data64, on 10/12/2007, -0/+0
mattdiggme: if you are using or writing commercial apps that send sensitive information via GET, then you will have far bigger problems than anything this extension will cause. In the first case (as others have already pointed out), when you use GET to send information SSL is bypassed for that information. So any proxy servers, etc. will see the information in plain text.
- Otto, on 10/12/2007, -0/+0
mattdiggme: I've used several online banking apps, and I'm unaware of *any* that pass sensitive information through GET. It's just not done. Yes, it'd be secure via https, but it wouldn't be secure from people looking over your shoulder and reading the URL...
No bank does it. It just doesn't happen enough to have a legitimate concern there. And they have to pass SSL URLs, because phishing sites frequently use SSL to appear more real.
- snowboarder, on 10/12/2007, -0/+0
Well then I suggest you don't shop on such sites if there are these sites. FYI I build ecom sites for a fortune 500 company. And the people who developed these sites need to go back to programming school 101.
- snowboarder, on 10/12/2007, -0/+0
For your information I wasn't calling you an idiot so back down. I did read the article FYI, and I program every day and GET request is info passed through the querystring which is everything after "?" in the link. Thus the person who is passing valuable info through the link is an idiot.
chill
- tennisballg, on 10/12/2007, -0/+0
exactly, SSL does nothing for what's in your address bar. If someone can come along behind you, type in the first few characters of your bank's website, hit the drop down and get every single query then that's probably the most insecure you can get, you don't even need to know how to sniff packets.
- siouxmoux, on 10/12/2007, -0/+0
Or another category, This thing is In BETA! It's not finished yet.
- hogrod, on 10/12/2007, -0/+0
everyone seems to agree that this firefox extension is for noobs, but there is a slight problem with that concept.... the people who actually need this extension wouldn't know how to install it and are probably still running Internet explorer. good idea, BUT would make more sense if it was built in to the browser like the anti-phishing filter in IE 7.
- mattdiggme, on 10/12/2007, -0/+0
data64: _I_ am not writing these apps but badly designed apps exist, and if I use this extension it will become my responsibility to look at each application I log into to make sure it is not sending my password using GET.
Okay that's it, I'm done posting to this story. I'd advise most people to RTFA
- amitpagarwal, on 10/12/2007, -0/+0
http://digg.com/links/Install_Google_Safe_Browsing_from_Outside_the_US
- nnonix, on 10/12/2007, -0/+0
This is serious people ... even if it hurts your little feelings to know Google just did something incredibly stupid.
- heehaw, on 10/12/2007, -0/+0
"Wow, I just love how all digg users get along so good."
That should be "get along so well."
- Echo5ive, on 10/12/2007, -0/+0
The main issue would be Google not allowing me to download it in the first place.
"Google Safe Browsing for Firefox is only available for download for users within the US."
Screw you too, Google.
- DisposableRob, on 10/12/2007, -0/+0
Wow, this is probably the first thread I've seen on Digg that actually had some useful information and wasn't full of fanboyism. If I had karma to give, I'd be doing so now. This site's growing up.
- Otto, on 10/12/2007, -0/+0
"Firstly, yes I think we've all come to terms with the fact that sending sensitive data via GET is a bad idea, but people still do it."
Okay, it's fair enough to suggest Google use https for their communication. Eliminates the sniffing issue, but see, that doesn't matter because the conspiracy freaks out there will just say Google is stealing your information or something.
This isn't about privacy or security, it's about people not liking Google. Admittedly, it is a legitimate concern, but the underlying flaw is not Google's, it's these piss poor applications people are running.
I mean, a guy up above even says that he would hate to have to audit his apps for not passing private data via GET. That's the stupidest thing I've ever heard. If apps are passing data via GET that they shouldn't be, then you shouldn't use them. Like somebody else said, these are often listed on bugtraq, because *it's a security hole*. Browsers log GET requests in history files. Even if they are SSL. People can SEE the information on your screen. They can see it via cameras pointed at the screen. They can even pick it up with Van Eck phreaking if it came right down to it. There's a lot of ways to exploit such a hole if you're paranoid enough. So he should be auditing his applications for known security problems anyway. This is one of those sorts of problems.
- kuza55, on 10/12/2007, -0/+0
Firstly, yes I think we've all come to terms with the fact that sending sensitive data via GET is a bad idea, but people still do it.
It's not google's fault that other applications do it, but there are still legitimate concerns here, if possible it *would* be a good idea to use SSL to connect to google when the site you are viewing is using SSL, but probably only using it for sites which use SSL, since there is no reason to use SSL when it's not needed, and SSL takes more time/resources, and when it's not needed....
And like a few people have mentioned: it's still in beta, so hopefully google's engineers will see the problem and implement some kind of fix before the final release, but I don't think it's anything worth getting excited over.
Personally I think that, while all these tools are great, there is nothing like common sense when entering your personal details....
- lnxaddct, on 10/12/2007, -0/+0
This is dumb. Any secure site sending personal information through get requests probably has other problems too because the developers don't know what the hell to do. Regardless, if someone can intercept your transmission, it's usually only another step or two to implementing a full blown MITM attack, at which point you can use all the encryption you want and it's all pointless (assuming the attacker was there from the start).
- Incognito, on 10/12/2007, -1/+0
Bwahaha. OMG an extension isn't secure. Quick let's post this on digg.
You should probably find some novice to go tell about this.
- EagleY, on 10/12/2007, -3/+1
anti-phishing apps are 4 teh n00bs.
- dizdaz89, on 10/12/2007, -3/+0
DIZDAZ89: "Honestly; I could care less if some random person knows what pages I'm browsing."
PEERK: It's "couldn't care less"
-
Sorry I'm not as smart as you (peerk). I didn't know I was required to use perfect English online. It looks like you have a lucrative editing career ahead of you. All those years spent trolling the internet for grammatical error, will pay off. I'm sure you have a ton of friends due to your uncanny ability to find grammatical errors.
You make the internet a better place, We salute you, really we do.
Wow, I just love how all digg users get along so good.
- drewcurtis, on 10/12/2007, -3/+0
google will implode within ten years -- mark my words.
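An added example, not part of the original thread: the audit several commenters argue about (checking whether an application puts secrets in GET query strings, which then sit in browser history and in any full URL a lookup tool forwards), run over constructed sample URLs. The parameter-name list and the helper names `luhn_ok`, `audit_url` and `audit` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that suggest a secret; this list is an assumption, tune it per application.
SENSITIVE_NAMES = re.compile(r"(pass(word|wd)?|pwd|card|ccnum|cvv|ssn|token|session)", re.I)

def luhn_ok(digits):
    """True if a 13-19 digit string passes the Luhn checksum used by payment cards."""
    if not (digits.isdigit() and 13 <= len(digits) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_url(url):
    """Return findings for one URL: sensitive parameter names or card-like values."""
    findings = []
    # keep_blank_values=True so a bare "&4111...&" token with no "=" is still inspected
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SENSITIVE_NAMES.search(name):
            findings.append(f"sensitive parameter name: {name}")
        for candidate in (name, value):
            compact = re.sub(r"[ -]", "", candidate)
            if luhn_ok(compact):
                findings.append(f"card-like number in query: {compact[:6]}...{compact[-4:]}")
    return findings

def audit(urls):
    """Map each URL that has at least one finding to its list of findings."""
    return {u: f for u in urls if (f := audit_url(u))}

# Constructed sample input: made-up hosts, and 4111111111111111 is a common test number.
SAMPLE_URLS = [
    "https://shop.example/checkout.php?action=pay&cardno=4111111111111111&exp=08/07",
    "https://bank.example/login?user=alice&password=hunter2",
    "https://shop.example/pay?4111111111111111&cardtype=visa",
    "https://news.example/article?id=42",
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_URLS).items():
        print(url)
        for finding in findings:
            print("   ", finding)
```

Feeding it URLs exported from a proxy log or browser history shows which applications would expose data regardless of how the page itself was fetched.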

