Browser manufacturers make filtering of websites more difficult: Safety suffers

12/10/2019
G DATA Blog

Google has recently announced that it will be switching off the so-called webRequest API in the versions of Chrome it will release next year. This interface enables web content to be filtered. Microsoft has announced a similar move. Switching off the API makes effective filtering of web content virtually impossible - with serious consequences for security solutions, among other things.

Reasons for filtering websites

There are many reasons for filtering web content. Security solutions such as G DATA Total Security provide protection against malware, phishing attacks, and fraudulent content in the browser. On the other hand, filtering can be used to enforce compliance guidelines in companies, for instance to prevent surfing on gaming websites.

In addition, there is an understandable desire on the part of schools and parents to prevent minors from accessing age-inappropriate websites. These include, for example, pornographic websites and politically extreme websites, or content that encourages dangerous behaviour such as anorexia, self-harming or even suicide. Last but not least, the most common reason for filtering is the blocking of advertising by end users.

Commercial interests?

Adblockers could be a reason for disabling the interface. This is because adblockers in particular contradict the business model of Chrome provider Google. After all, the company generates billions of dollars in annual revenues primarily from advertising. By way of comparison, the average turnover generated by Google from advertising is higher than the gross domestic product of countries such as Ukraine, Slovakia, and Luxembourg.

Whatever the actual reason for Google's shutdown ultimately is, the consequences for IT security are already foreseeable. If security solutions can no longer filter locally, other mechanisms are needed to protect the endpoint. This usually involves breaking encrypted connections, which has been criticised by many security experts.

Man in the middle? No thanks!

Instead of using appropriate APIs, various providers of filtering mechanisms, such as security providers, implement “man-in-the-middle” certificates. With this method, software from the provider replaces the security certificate actually used by a website with its own, so that the transmitted content can be read along the way.

The principle is similar to that used by criminals to access data without permission. We therefore reject this method for security reasons, as it unnecessarily interrupts the security chain and thus creates a potential vulnerability.

Lazy compromises

Google is not providing a viable alternative to the established procedure in its announcement. A general recommendation is to use the declarativeNetRequest API. The problem is that this API only enables user requests to be matched against a URL list. According to Google's current documentation, this list is limited to 30,000 entries, with Google reportedly planning to increase it to 150,000 entries.

On the other hand, the malware “Conficker”, which appeared a decade ago, has already been generating up to 50,000 domain names per day using a so-called “Domain Generation Algorithm” (DGA). Against this background, effective blocking via a list of static entries might have been practicable 20 years ago, but it is not enough for modern needs.
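The gap between the two filtering models described above, as an added example that is not G DATA's or Google's code. It uses a constructed, date-seeded sample feed (not Conficker's algorithm) with the article's figures of 50,000 names per day and a 30,000-entry list; `lookup` and the function names are hypothetical.

```javascript
const crypto = require("crypto");

const DAILY_NAMES = 50000; // per-day figure the article quotes for Conficker
const LIST_CAP = 30000;    // list limit the article quotes

// Constructed sample feed: date-seeded hash labels under .example.
// This is NOT Conficker's algorithm, only stand-in test data.
function sampleFeed(day) {
  const names = [];
  for (let i = 0; i < DAILY_NAMES; i++) {
    const h = crypto.createHash("sha256").update(`${day}/${i}`).digest("hex");
    names.push(`${h.slice(0, 16)}.example`);
  }
  return names;
}

// Model A: declarative list, fixed when it is shipped and truncated at the cap.
function staticListFilter(knownBad, cap) {
  const list = new Set(knownBad.slice(0, cap));
  return (host) => list.has(host);
}

// Model B: per-request callback. `lookup` is a hypothetical verdict function
// (local engine or vendor backend) that is not bound by an entry limit.
function callbackFilter(lookup) {
  return (host) => lookup(host) === "malicious";
}

// Fraction of the requested hosts that a filter blocks.
function coverage(filter, hosts) {
  return hosts.filter(filter).length / hosts.length;
}

function compare() {
  const day1 = sampleFeed("2019-12-10");
  const day2 = sampleFeed("2019-12-11");
  const backend = new Set([...day1, ...day2]); // verdict source kept current
  const lookup = (h) => (backend.has(h) ? "malicious" : "clean");
  const listed = staticListFilter(day1, LIST_CAP); // list shipped on day 1
  const dynamic = callbackFilter(lookup);
  return {
    staticDay1: coverage(listed, day1),   // capped list on the day it ships
    staticDay2: coverage(listed, day2),   // same list one day later
    dynamicDay2: coverage(dynamic, day2), // callback asks per request
    cleanBlocked: dynamic("intranet.example"),
  };
}

console.log(compare());
```

Even with complete knowledge of the day's names, the capped list covers at most 60% of them on the day it ships and none of the next day's until it is replaced.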

DNS as a filtering mechanism?

In principle, security solutions could also start at a different point than filtering URLs in the browser. This would be the name resolution of user queries to providers via the Domain Name System (DNS). But, here again, far-reaching changes are currently taking place that have consequences for the security and privacy of users.

In addition to eliminating effective direct filtering mechanisms, browser providers are currently working intensively on switching the resolution of DNS names to the encrypted “DNS over HTTPS” (DoH) by default. Browser provider Mozilla is currently testing a corresponding service from CDN provider Cloudflare in its Firefox browser. The service is advertised as an additional “security measure” because DNS queries are now transmitted in encrypted form. Encrypted DNS queries have been the subject of discussion for years - most recently, providers have been demanding implementation by means of the DNSSEC standard, although this has not been adopted by private customers.

The objection should be raised that private users and smaller companies typically use their provider’s resolver. Hence DNS queries do not leave the provider network. With the introduction of DoH, the provider - who, in European cases at least, complies with European data protection laws and concepts - is effectively and unnecessarily bypassed. Larger companies typically operate their own DNS resolvers. This would also be circumvented and the DNS data would be made available to third parties - typically in the USA - without any technical necessity. There is also the possibility that local DNS entries, such as intranet domains, might be leaked out to DoH providers. As a rule, the users concerned have not signed an agreement with the relevant service providers.

Permanent use of encrypted DNS queries is not a necessity for all users. Users who fundamentally mistrust their own ISP - such as those in totalitarian states - have a greater interest in it. There could also be a benefit in security and privacy in public Wi-Fi networks. For private users or those in the business environment, DoH currently offers no added value.

In our opinion, the lack of added value is in fact countered by considerable risks. The DNS resolvers used by Mozilla are subject to certain conditions. However, these permit DNS resolutions to be stored in personally identifiable form for one day and do not impose any further conditions on use - except that the personal data may not be passed on. What is particularly interesting, though, is what is not stated there - that use by the resolver itself for advertising purposes is not prohibited.

Microsoft has also recently announced that it will use DoH in Windows. However, only the DNS server configured by the user or administrator is checked here to see if it is also DoH-compatible. No third-party DoH server is simply tacitly configured, as with the browser providers.

Who gets to do security?

With Google Safe Browsing, Google enables itself to do what other security providers cannot. Google could even read the filter lists of plug-in providers in Chrome and use them for its own purposes. This would make Google a de facto monopolist for these filter lists, because providers of filter plug-ins would lose a large part of their business.

This is more than questionable under competition law. In addition, all Internet users will then be at the mercy of the US company Google, with all the data protection consequences, and without the option of monitoring, or of an alternative. The realisation that such enforced restructuring is poisonous for the modern Internet still does not seem to be widespread.

Conclusion

Therefore we at G DATA declare that Google and Mozilla are currently pushing political concepts and purely commercial interests in their browsers - hidden behind a flimsy rhetorical fig leaf of data protection and privacy. The benefits for users are not clear at the moment, however, because they are only shifting the trust problem with, for example, DoH to another place.

Thomas Siebert
Software Engineer