1

Is there anything stopping web browsers from snooping into our activities? I don't mean web history or any of that generic stuff (Chrome already collects them, right?), but is it technically possible for a web browser to intercept what is being entered in a secure page (or let's say the password field)?

Anders
Mayank Singh
  • 1
    We could always packet capture and note streams of data going back to the browser manufacturer. However, then you need to determine what that data contains. Blacklisted URLs and some other communication already goes on normally. – StackAbstraction Jun 17 '16 at 17:59

2 Answers

6

Is there anything stopping web browsers from snooping into our activities?

Nope, not really. That's a bit like asking

Is there anything stopping my keyboard from recording my keystrokes?

In theory, we are interacting directly with the keyboard / web browser, which in turn talks to other components for us, and we are trusting that it is acting in our best interest.

You could do as @StackAbstraction suggests and monitor the network traffic in and out of your browser looking for suspicious exfiltration, but you're going to lose this game since there are many many sneaky ways to exfiltrate data.

Fortunately, both Firefox and Chromium ("the open-source web browser project from which Google Chrome draws its source code." -- Wikipedia) are open source. With some google-diving, you can probably find 3rd party security audits of the source code.


P.S. If you think I'm being dramatic to draw a parallel with trusting your keyboard, check out the Razer "Stats & Heatmaps" feature that they quietly snuck into their Synapse 2.0 keyboard driver in 2012. It logs all your keystrokes and uploads them to a Razer server so you can "analyze your gameplay". They removed it due to public outcry, but according to this thread they've put it back at some point.

Mike Ounsworth
  • 2
    Wow, I had not heard that about Razer... What were they thinking? – Ijustpressbuttons Jun 17 '16 at 19:10
  • 1
    Note that you not only would need to audit their published source code, but also to ensure that you are using that same code (i.e. that the keylogger wasn't added for the compilation). This typically means either compiling it yourself or trusting a third party not to do so, typically the browser company (Mozilla, Google...) or your OS distributor. – Ángel Jun 17 '16 at 23:02
  • @Ángel Great point. I'll leave a link to the 1984 paper "[Reflections on Trusting Trust](https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)". This paper shows how an infected compiler can inject malware into anything that it compiles. So a source-code audit actually isn't enough. – Mike Ounsworth Jun 18 '16 at 02:39
1

For most major browsers that are used in the tech community, the only thing stopping them from being evil is the fact that they rely on open source code, and are widely poked and prodded.

Unfortunately, these browsers also include add-ons and extensions, which are less likely to be well-vetted and so even more likely to be causing insecurity.

It is indeed technically possible for a browser to know what you enter in a password field.

Jedi