Message-ID: <85963be10701040656o383c450dt9a652d223888c597@mail.gmail.com>
Date: Thu, 4 Jan 2007 14:56:10 +0000
From: "Ronald MacDonald" <ronald@...cd.com>
To: "Am Razak" <pinangs@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google's blacklisted url database (phishing url database)
> > 12. What information is sent to Google when I enable the Enhanced
> > Protection Feature?
> >
> > When enabled, the entire URL of the site that you're visiting will be
> > securely transmitted to Google for evaluation. In addition, a very condensed
> > version of the page's content may be sent to compare similarities between
> > authentic and forged pages. For example, if the condensed 'fingerprint' of
> > the page you are visiting matches the 'fingerprint' of a popular bank's site
> > but the page's URL is different, that's a good sign that the page you are on
> > is designed to mislead users.
<snip>
Well, there we go - that's Google's response to the problem, and I
suppose it's hardly Google's fault if we use crap passwords anyway.

BUT at the same time, it springs to mind, why would Google opt for a
mechanism which sends all of this information, in plain text, to the
client? Surely it would be possible to run the site checking mechanism
server-side, and if not, at least make it a bit more difficult to get
to the data?

I didn't spend too much time reading how the information was gathered,
but I'm guessing it was just your standard interception through a
Paros-type proxy. However, this begs the question of how much
personal data Google should be allowed to store - let *alone* send it
to other users of the internet.

Regards,
Ronald.
--
Ronald MacDonald
http://www.rmacd.com/
0777 235 1655
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/