Re: Technical Safebrowsing Questions

[Ian Fette (イアンフェッティ)]

This is a list for questions about the API, not a specific implementation. You're more likely to get answers if you ask on a firefox development list. That said, I'll try to answer what I can, but please realize that I don't work at Mozilla and these are not authoritative from that respect.

1. I believe it's stored in urlclassifier3.sqlite in your profile directory for Firefox, but am not 100% sure. Again, ask Mozilla.

2. Not to my knowledge. The goal is to keep the list up to date such that when you do browse, you're browsing with an up-to-date list for protection. Again though, ask Mozilla.

3. If by "supercookie" you mean the message authentication code (MAC / wrapped key) a MITM could block updates but should not be able to insert/remove a specific site from the list. There's now an option to use the protocol entirely over HTTPS and ditch the MAC / "wrapped key", which is now in use by Chrome. As for Firefox's plans to migrate, again, ask Mozilla.

4. Depends if you mean "deleting the database Firefox stores" or "the protocol sends instructions for the client to delete its data", either way though eventually yes the client will download fresh data, for more detail you're better off asking Mozilla about their implementation.

5. No, you can request a new MAC key w/o invalidating the previous list data, but it's probably easier just to use the protocol over HTTPS and not use MAC keys at all. I notice that doesn't appear to be reflected in the documentation though... we should update that.

On Fri, Mar 22, 2013 at 11:36 AM, spaghetti <an0n1...@gmail.com> wrote:

Hi,
I have a few questions about the safebrowsing feature in Firefox.
Answering any of these questions would be extremely helpful.

1. How does one clear the safebrowsing data?
2. Does Firefox stop fetching safebrowsing data if the browser is
inactive? The spec says the list is updated every 30 minutes, but
doesn't say anything about user activity.
3. The data itself is authenticated, but it is also served over HTTP,
and the protocol supports requesting specific lists and segments. This
might introduce the ability of websites to repeatedly block list
segments in an attempt to create a "supercookie" in the client. This
"supercookie" looks like it can persist for up to 6 hours (based on
the retry behavior in
https://wiki.mozilla.org/Phishing_Protection:_Design_Documentation#Client_Backoff).
Is there a way for websites to read this supercookie at will? If so,
is there a way to prevent it/clear it?
4. Clearing the list data might also cause an immediate re-download of
all lists and segments. Does it?
5. Say I needed to clear the MAC key. How do I do that? Does doing so
invalidate the previous list data?

Again, any answers to these questions would be very helpful.
______

Thanks In Advance,
Spaghetti

--
You received this message because you are subscribed to the Google Groups "Google Safe Browsing API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-safe-browsi...@googlegroups.com.
To post to this group, send email to google-safe-...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-safe-browsing-api?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[spaghetti]

Thanks for answering those questions! I'll take a look at the Firefox security mailing list, and see what they say.

Thanks again,
Spaghetti