Re-enable download protection remote lookups #6267

Closed
fmarier opened this issue Oct 1, 2019 · 2 comments · Fixed by brave/brave-core#6763

fmarier commented Oct 1, 2019

In #4341, we disabled download protection entirely due to its leaking URLs to a remote server.

Once we have reduced the metadata sent to the reputation server, we should re-enable this protection in Brave.

Security review: https://github.com/brave/security/issues/180

@fmarier fmarier assigned fmarier and unassigned fmarier Oct 1, 2019
@bsclifton bsclifton added feature/download privacy/feature User-facing privacy- & security-focused feature work. labels Oct 2, 2019
@fmarier fmarier changed the title Enable download protection remote lookups Re-enable download protection remote lookups Nov 27, 2019
@pes10k pes10k added the priority/P2 A bad problem. We might uplift this to the next planned release. label Jun 9, 2020
@fmarier fmarier added this to Untriaged Backlog in Security & Privacy via automation Jun 18, 2020
@fmarier fmarier moved this from Untriaged Backlog to In Progress in Security & Privacy Jun 18, 2020
Security & Privacy automation moved this from In Progress to Completed Oct 19, 2020
@fmarier fmarier added this to the 1.17.x - Nightly milestone Oct 19, 2020
LaurenWags commented Oct 29, 2020

Verified passed with

Brave | 1.17.55 Chromium: 86.0.4240.111 (Official Build) dev (x86_64)
-- | --
Revision | b8c36128a06ebad76af51591bfec980224db5522-refs/branch-heads/4240@{#1290}
OS | macOS Version 10.14.6 (Build 18G6032)

Verified test plan from brave/brave-core#6763

Confirmed files listed in the PR are allowed/blocked as expected:
[Screenshot]

Confirmed files from Desktop Download Warnings section of https://testsafebrowsing.appspot.com/ are blocked as expected:
[Screenshot]

Ran Fiddler Everywhere while attempting the downloads above and confirmed that only the proxied calls to sb-ssl.brave.com were observed.

Note - on macOS the reasons for blocking file downloads as mentioned under Desktop Download Warnings section don't match. However, the reasons do match what Chrome shows 👍


Verification passed on

Brave | 1.17.59 Chromium: 86.0.4240.183 (Official Build) dev (64-bit)
-- | --
Revision | 0b568b034b8f7994697cb341eeca5979b84151cc-refs/branch-heads/4240@{#1374}
OS | Ubuntu 18.04 LTS

Verified test plan from brave/brave-core#6763

Confirmed files listed in the PR are allowed/blocked as expected:
[Screenshot]

Confirmed files from Desktop Download Warnings section of https://testsafebrowsing.appspot.com/ are blocked as expected:
[Screenshots]

Verified that all the lookups are proxied through sb-ssl.brave.com


Verification passed on

Brave | 1.17.68 Chromium: 87.0.4280.49 (Official Build) (64-bit)
-- | --
Revision | f77f85899646b42a1d3c8ff36794e00becab9171-refs/branch-heads/4280@{#1115}
OS | Windows 10 OS Version 2004 (Build 19041.572)

Verified test plan from brave/brave-core#6763

Confirmed files listed in the PR are allowed/blocked as expected:
[Screenshot]

Confirmed files from Desktop Download Warnings section of https://testsafebrowsing.appspot.com/ are blocked as expected:
[Screenshots]

Verified that all the lookups are proxied through sb-ssl.brave.com
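
Added example, not part of the issue or of Brave's code: one way to repeat the traffic check described in the verification comments above, assuming the proxy capture was exported as a HAR file. The sample capture, the `expected_origins` parameter, the request paths and every host other than sb-ssl.brave.com and testsafebrowsing.appspot.com are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

PROXY_HOST = "sb-ssl.brave.com"  # proxy host named in the verification comments

def request_host(entry):
    """Lowercased host of one HAR entry; CONNECT targets are bare host:port."""
    req = entry["request"]
    url = req["url"]
    if req.get("method", "").upper() == "CONNECT" and "://" not in url:
        url = "//" + url  # give urlsplit a netloc to parse
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def audit_capture(har, expected_origins):
    """Count proxied lookups and expected origins; collect every other host."""
    allowed = {h.lower() for h in expected_origins}
    report = {"proxied": 0, "expected": 0, "unexpected": {}}
    for entry in har["log"]["entries"]:
        host = request_host(entry)
        if host == PROXY_HOST:  # exact match, so look-alike suffixes fail
            report["proxied"] += 1
        elif host in allowed:
            report["expected"] += 1
        else:
            report["unexpected"].setdefault(host, []).append(entry["request"]["url"])
    return report

# Constructed capture (not real traffic); paths and the last two hosts are made up.
SAMPLE_HAR = json.loads("""
{"log": {"version": "1.2", "entries": [
  {"request": {"method": "GET", "url": "https://testsafebrowsing.appspot.com/"}},
  {"request": {"method": "CONNECT", "url": "sb-ssl.brave.com:443"}},
  {"request": {"method": "POST", "url": "https://sb-ssl.brave.com/constructed/lookup"}},
  {"request": {"method": "POST", "url": "https://SB-SSL.BRAVE.COM./constructed/lookup"}},
  {"request": {"method": "POST", "url": "https://reputation.example/constructed/lookup"}},
  {"request": {"method": "GET", "url": "https://sb-ssl.brave.com.lookalike.example/"}}
]}}
""")

if __name__ == "__main__":
    result = audit_capture(SAMPLE_HAR, ["testsafebrowsing.appspot.com"])
    print(json.dumps(result, indent=2))
    # A clean run has an empty "unexpected" map; this sample has two entries.
```

Pass the hosts the tester deliberately visited as `expected_origins`; any host left in `unexpected` is traffic that went somewhere other than the proxy.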
