Google Chrome “under the hood” connections

I’ve heard a few people complain about Google Chrome “calling home” during browsing. So I grabbed the latest Fiddler and set out to explore. I’m by no means a security expert, but here’s what I’ve found.

First of all, every request sent to Google contains two unknown values (cookies). I guess these are what has some people worried most, so we’ll start with them.

  • NID, which is a long list of apparently jumbled characters, and it is the identification of your Google Account. This is every paranoid’s red flag: if you do not want Google to know what you’ve done, do not log in. However, it is worth mentioning that every browser that uses Google’s phishing database, which also includes Opera & Firefox, does the same thing, so if you’re logged into Google from any of these browsers, Google probably knows most of what you’ve done online.
  • PREF, which looks something like FF=1:LD=en:NR=20:CR=4:TM=2440682586:LM=7854321690:S=ajJRL9dTY2PKmr51. This appears to be the cookie that saves your Google searching preferences, like language, content filter, etc. It gets set and is sent to Google every time you visit any of their pages in any browser, so there’s nothing special about the same thing happening with Google Chrome.

And now for the actual requests themselves.

  • Whenever you pause while entering something in the address bar, Chrome starts a background Google search using what you’ve written as keywords. For example, I typed “jonathancoulton.com”, pausing after “jonathan”. Chrome made two background requests:
    GET /complete/search?client=chrome&output=chrome&hl=en-US&q=jonathan HTTP/1.1
    and
    GET /complete/search?client=chrome&output=chrome&hl=en-US&q=jonathancoulton.com HTTP/1.1
    The reply to the first one was:
    ["jonathan",["http://www.cainer.com/","jonathan cainer","jonathan rhys meyers","jonathan brandis"],["Jonathan Cainer's Zodiac Forecasts","57,800 results","1,700,000 results","209,000 results"],[],{"google:suggesttype":["NAVIGATION","QUERY","QUERY","QUERY"]}]
    The second reply was similar but with fewer elements.
  • From time to time, Google Chrome makes a background HTTPS request to a Google toolbar server. No data is sent, however:
    CONNECT toolbarqueries.google.com:443 HTTP/1.0
    Host: toolbarqueries.google.com:443
    Content-Length: 0
    Proxy-Connection: Keep-Alive

    That is the full request. The reply is equally plain, containing nothing but properties for SSL connection and certificates. I’m fairly certain this is just some sort of HTTP ping to check if the server is up. Maybe if I had Google Toolbar installed, there would be some data in there, but Chrome itself sends and receives nothing.
  • And then there’s the phishing site lookup, the same that’s done by Opera & Firefox. The request to static.cache.l.google.com looks something like this:
    GET /safebrowsing/rd/goog-malware-shavar_a_6186-6190:6186-6188 HTTP/1.1
    and the reply is equally unimpressive:
    HTTP/1.1 200 OK
    Cache-Control: public,max-age=21600
    Content-Type: application/vnd.google.safebrowsing-chunk
    Date: Sun, 07 Sep 2008 10:36:13 GMT
    Server: HTTP server (unknown)
    Content-Length: 1009 

    a:6186:4:5
    [binary chunk data]

So that’s about it. If you really don’t like Google knowing what you’ve searched for (linking it to your Google account), then you shouldn’t have gotten a Google account in the first place, now should you? :) But eh, a simple client-side proxy (like the aforementioned Privoxy) is your friend, though if you’re paranoid enough to use it that way, you probably already have it on, cookies turned off and are standing on a street corner with a cardboard sign trying to convince people to treat Google as a government aided alien invasion. :)
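
As an added example (not part of the original post), the Python below classifies the request lines captured above and unpacks the suggest reply, showing exactly which typed text left the machine. The function names and the assumed layout of the Safe Browsing path are illustrative, not Chrome's or Google's own.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Request lines copied from the captures quoted in this post.
CAPTURED = [
    "GET /complete/search?client=chrome&output=chrome&hl=en-US&q=jonathan HTTP/1.1",
    "GET /complete/search?client=chrome&output=chrome&hl=en-US&q=jonathancoulton.com HTTP/1.1",
    "CONNECT toolbarqueries.google.com:443 HTTP/1.0",
    "GET /safebrowsing/rd/goog-malware-shavar_a_6186-6190:6186-6188 HTTP/1.1",
]

# Suggest reply quoted in this post.
REPLY = '["jonathan",["http://www.cainer.com/","jonathan cainer","jonathan rhys meyers","jonathan brandis"],["Jonathan Cainer\'s Zodiac Forecasts","57,800 results","1,700,000 results","209,000 results"],[],{"google:suggesttype":["NAVIGATION","QUERY","QUERY","QUERY"]}]'


def classify(request_line):
    """Return (category, detail) for one proxy-captured request line."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # A CONNECT line exposes only host:port; tunnelled bytes are not
        # visible to the proxy unless HTTPS decryption is enabled.
        return ("tls-tunnel", target)
    url = urlsplit(target)
    if url.path == "/complete/search":
        # q= carries whatever was in the address bar when typing paused.
        return ("suggest", parse_qs(url.query).get("q", [""])[0])
    m = re.match(r"/safebrowsing/rd/(.+)_([a-z])_(.+)$", url.path)
    if m:
        # Assumed layout, inferred from the single URL above: list, kind, ranges.
        return ("safebrowsing", m.group(1))
    return ("other", target)


def typed_text_sent(request_lines):
    """Everything typed in the address bar that left the machine."""
    return [d for c, d in map(classify, request_lines) if c == "suggest"]


def parse_suggest_reply(body):
    """Pair each suggestion with its description and google:suggesttype."""
    query, suggestions, descriptions, _unused, extra = json.loads(body)
    types = extra.get("google:suggesttype", [])
    return query, list(zip(suggestions, descriptions, types))


if __name__ == "__main__":
    for line in CAPTURED:
        print(classify(line))
    print(parse_suggest_reply(REPLY))
```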


~ by Shadowbird on 2008-09-07.

One Response to “Google Chrome “under the hood” connections”

  1. […] Google Chrome do in the background? Filed under: programs — MO @ 16:07 Shadowbird has written a technical description of what exactly Google Chrome sends to and receives from Google servers without asking the user (and […]
