A security expert is taking on Google. His innovative Firefox add-on prevents Google from tracking your whereabouts on the Internet.
# Date: January 25th, 2010
# Author: Michael Kassner
# Category: Security
Any security pundit worth their salt knows about Moxie Marlinspike. You may remember Marlinspike getting a lot of attention during the 2009 BlackHat convention, where he explained a new SSL attack vector.
Matter of privacy
Recently, Marlinspike turned his attention to a different subject. It seems he did not like what Eric Schmidt, CEO of Google, said in an interview:
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
For more details about the interview, refer to Chad Perrin’s post: Google: Being evil. For whatever reason, Schmidt felt like bringing the privacy issue to the forefront. For those not familiar, it’s all about what information Google captures and retains, and how it controls that information. To start, here is a partial list of the information Google stockpiles if you use its services:
* Search results that you ask for and click on.
* Directions to places that you query Google Maps for.
* Using Analytics, Google receives/retains information on visited Web sites.
* Gmail membership allows Google to retain the content of sent and received e-mail messages.
* Enabling My Location enables Google to track your position in real time.
* If Public DNS is used, Google can retain your DNS lookups.
I realize many people are not apprehensive about Google retaining all this information. Still, others are concerned, especially with Google’s “trust me” attitude. Remember what Eric Schmidt said during this Charlie Rose interview. Either way, it’s important to know what’s going on and what can be done about it if so desired.
GoogleSharing is Marlinspike’s answer. It could be construed as yet another anonymizing proxy service, but that’s not quite true. Proxies like Tor provide strong anonymity for all Internet communication. But, they are not the best option in this situation, because:
* A proxy will hide the user’s IP address, but not anonymize personal information in HTTP headers.
* Proxy applications are bandwidth hogs, slow enough to frustrate users into not using them.
GoogleSharing’s only purpose is to anonymize personal information, preventing Google from tracking movement on the Internet. Bandwidth is not an issue either, since GoogleSharing only deals with traffic being sent to Google.
GoogleSharing intermingles Google user requests. Doing so complicates making any association between the query and the requester’s personal information. The GoogleSharing Web site explains what the service accomplishes:
* Provide a system that will prevent Google from collecting information about you from services which don’t require a login.
* Make this system completely transparent to the user. No special websites, no change to your work flow.
* Leave your non-Google traffic completely untouched, un-redirected, and unaffected.
How it works
The GoogleSharing proxy creates several generic identities, all official in the eyes of Google as they have been issued a cookie. These identities will act as surrogates for users making queries of Google. For this to happen, the user must install the GoogleSharing add-on in Firefox. Just an FYI: for now, Firefox 3.6 breaks this add-on, along with several other security add-ons.
Once the add-on is installed, you will notice text in the lower right corner of the browser: Google Sharing Enabled (green letters). Tap the text once and it changes to Google Sharing Disabled (red letters).
If enabled, the add-on intercepts Google requests, redirecting them to the GoogleSharing proxy. The proxy removes all identifying information, replacing it with the surrogate identity. The request is then forwarded to Google.
The intermixing of identities comes into play when the user makes another Google query. A completely different surrogate identity is used, with the previous identity being given to a different user.
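A simplified model of the flow described above, added here as an illustration and not taken from the GoogleSharing add-on or proxy source. The login-service hostnames, the list of identifying headers, and the identity fields are assumptions.

```javascript
// Simplified model of the flow described in the article; not GoogleSharing's code.
// Hostnames, header list and identity fields are assumptions for illustration.
const LOGIN_HOSTS = new Set(["mail.google.com", "checkout.google.com"]);
const IDENTIFYING = ["cookie", "user-agent", "referer", "accept-language"];

// Add-on side: only Google traffic that needs no login is sent to the proxy.
function shouldRedirect(url, enabled) {
  const host = new URL(url).hostname;
  const isGoogle = host === "google.com" || host.endsWith(".google.com");
  return enabled && isGoogle && !LOGIN_HOSTS.has(host);
}

// Proxy side: surrogate identities are handed out in rotation, so the identity
// one user just used goes back into the queue for whoever asks later.
class IdentityPool {
  constructor(identities) {
    if (identities.length < 2) throw new Error("need at least two identities to mix");
    this.queue = [...identities];
  }
  next() {
    const identity = this.queue.shift();
    this.queue.push(identity);
    return identity;
  }
}

// Proxy side: drop the caller's identifying headers, attach the surrogate's.
function anonymize(request, pool) {
  const identity = pool.next();
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    if (!IDENTIFYING.includes(name.toLowerCase())) headers[name] = value;
  }
  headers["Cookie"] = identity.cookie;
  headers["User-Agent"] = identity.userAgent;
  return { url: request.url, headers, surrogate: identity.name };
}

// Constructed sample data: three surrogates, two users of the proxy.
function demo() {
  const pool = new IdentityPool([1, 2, 3].map((n) => ({
    name: `surrogate-${n}`,
    cookie: `PREF=ID=constructed-${n}`,
    userAgent: `ConstructedBrowser/${n}.0`,
  })));
  const fromAlice = { "Cookie": "PREF=ID=alice-real", "User-Agent": "Firefox/3.5", "Accept": "text/html" };
  const query = (q, headers) => anonymize({ url: `http://www.google.com/search?q=${q}`, headers }, pool);
  return [query("one", fromAlice), query("two", { "Cookie": "PREF=ID=bob-real" }), query("three", fromAlice)];
}
```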
GoogleSharing does not work for services that require a login. Gmail, Checkout, and Chat are examples of such applications. More importantly, using GoogleSharing requires trusting Marlinspike and his application. That’s a decision you will have to make.
There is another option. Marlinspike has made the GoogleSharing software available for download. That way, you can create your own proxy. The GoogleSharing Web site has a FAQ page explaining how.
Update (26 Jan 2010)
I had a chance to exchange e-mail messages with Moxie Marlinspike about GoogleSharing. He has been following the comments and is concerned about the matter of trust. To his credit, he is already working on methods to improve the situation. I will let him explain:
“It seems like the biggest concern people have is the concentration of data at the default GoogleSharing proxy. Since there are no cookies involved, and since we don’t have any obvious financial incentive to collect data of that caliber, I didn’t think people would be as concerned about it as they have been. So right now the next stage of development is focusing on the ability to have the add-on distribute requests across a set of proxy servers, instead of just having to select one.
Then I hope to get a few different groups of people with strong reputations in this area to run proxies that will be in the default configuration of the add-on. That way nothing ends up in one place, people are dealing with names they already trust, and there are better availability guarantees in case something goes offline. This could also be a step in the direction of something that begins to approximate P2P.”
I would like to thank Moxie for taking the time to answer one of the concerns expressed by the TechRepublic members.
Marlinspike mentioned that normal Google queries do not use HTTPS, whereas traffic redirected to the GoogleSharing proxy does. I’ve checked packets destined for Google with GoogleSharing enabled and disabled and that part is working.
Google retains user information; doing something about it is a personal choice. It appears Moxie Marlinspike is offering an alternative to complete trust in Google. What do you think?