ICANN/GNSO GNSO Email List Archives



[ga] Privacy alert: Google and add-ons cause security concerns

  • To: ga@xxxxxxxxxxxxxx
  • Subject: [ga] Privacy alert: Google and add-ons cause security concerns
  • From: jwkckid1@xxxxxxxxxxxxx
  • Date: Fri, 1 Jun 2007 12:48:00 -0500 (GMT-05:00)
  • Reply-to: jwkckid1@xxxxxxxxxxxxx
  • Sender: owner-ga@xxxxxxxxxxxxxx

All GA members,

  Google is again in the news as being bad for consumers'
privacy and security.

See: http://blog.washingtonpost.com/securityfix/2007/05/bungled_addon_updates_endanger.html

"Many makers of extensions or add-ons for Firefox are 
introducing ways for bad guys to hijack the Web browser,
new research suggests. A great many add-ons are updated 
over insecure (non https://) connections, providing an 
avenue for attackers to replace the extension with an evil 
update. *Google's add-ons* are particularly vulnerable, 
because they update automatically without notifying the user.
From the story: '[I]f an attacker were to hijack a public 
Wi-Fi hot spot at a coffeehouse or bookstore, a fairly 
trivial attack given the myriad free, point-and-click hacking 
tools available today, he could also intercept this update 
process and replace a Firefox add-on with a malicious one.'" 
Here is security researcher Chris Soghoian's description of 
the vulnerability and a video, http://www.cs.indiana.edu/~csoghoia/google-mitm.mov , of a simulated takeover.


Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Registered Email addr with the USPS Contact Number: 214-244-4827
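
Added example (not part of the original post or the linked article): a Python check that audits a Firefox add-on manifest for the unprotected update channel the quoted story describes. It goes beyond the post by assuming the classic install.rdf manifest format with its em:updateURL and em:updateKey properties; the sample manifest, the example.invalid names and the verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed sample manifest (not from any real add-on): HTTP update URL, no updateKey.
SAMPLE_HTTP = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@example.invalid</em:id>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>"""

def em_prop(desc, name):
    """Return an em: property written either as a child element or as an attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text and child.text.strip():
        return child.text.strip()
    value = desc.get(f"{{{EM}}}{name}")
    return value.strip() if value else None

def audit_manifest(xml_text):
    """Classify how the add-on's update check is protected against tampering in transit."""
    root = ET.fromstring(xml_text)
    for desc in root.iter(f"{{{RDF}}}Description"):
        about = desc.get(f"{{{RDF}}}about") or desc.get("about")
        if about == "urn:mozilla:install-manifest":
            break
    else:
        raise ValueError("no install-manifest Description found")
    url = em_prop(desc, "updateURL")
    key = em_prop(desc, "updateKey")
    if url is None:
        verdict = "no-custom-update-url"     # add-on does not name its own update server
    elif urlparse(url).scheme == "https":
        verdict = "ok-tls"                   # update manifest fetched over TLS
    elif key:
        verdict = "ok-signed-manifest"       # plain HTTP, but a public key is declared
    else:
        verdict = "insecure-update-channel"  # plain HTTP and nothing to verify against
    return {"id": em_prop(desc, "id"), "updateURL": url, "verdict": verdict}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_HTTP))
```

When auditing manifests from untrusted packages, parse them with a hardened XML parser such as defusedxml rather than the standard-library parser used here.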
