Browser was blocking redirections to Google's HTTPS version

Jul 25, 2016 21:30 GMT  ·  By

Older versions of the built-in browser for all Amazon devices, called Silk, forced users to employ an insecure version of Google for their Internet searches if they had Google set up as their browser's search engine.

Silk is a Chromium-based Web browser that ships with Amazon Kindle and Fire devices. By default, the browser comes with Google as the main search provider, but users can also select from Bing and Yahoo if they wish to.

Silk used HTTP Google instead of HTTPS Google

Prior to its v51.2.1, the Silk browser sent user searches to Google via HTTP instead of HTTPS and also prevented an automatic redirection to the HTTPS version of the site when users accessed the HTTP version of Google.

While sending Google queries from the browser to the Google servers might seem like a developer's oversight, the second bug was more troubling.

By default, Google automatically redirects all users to the HTTP version of their site to the HTTPS version. Google handles this redirection, and only a severe technical issue on the user's part would have prevented this process.

Security researchers from Nightwatch Cybersecurity, who discovered the issues, said that accessing localized versions of the search engine, like Google.es or Google.jp via HTTP, would indeed redirect them to the HTTPS version.

This means that there was no technical difficulty when it came to working with SSL in the browser, and the HTTPS block for Google.com was not the result of a general error.

Users exposed to MitM snooping

The problem with this behavior is that it exposes a user's Google searches to anyone listening in on their Web traffic because all data would be sent in cleartext.

A user's Google searches are often used to infer information about that person and are a treasure trove of information for advertisers. Google itself uses this data for advertising as well.

Researchers notified Amazon, who fixed the issue in v50, and with a permanent fix in v51. "Other than a generic response we received initially, there has been no further communication from the vendor," the Nightwatch team notes in their blog, revealing that Amazon did not bother to explain why this strange issue was happening.

Amazon is no stranger to controversy. The Silk browser itself raised many privacy concerns when it launched in 2011 because it used the concept of cloud-based Web browsing, where all the data was being sent to Amazon's EC2 service for processing and then to the user's device.

Amazon said this was done to save power on the device by outsourcing CPU-heavy operations (like JavaScript) to its powerful cloud computers and serving the finished Web page at the end. Since then, the concept of a cloud browser has spread to other companies as well, such as Opera.

An Amazon spokesperson told Softpedia that "Silk started proxying 11 non-secure domains in October of 2015. Our terms of service explicitly call out that we do not proxy SSL traffic through the cloud."

Silk's search settings
Silk's search settings

Photo Gallery (2 Images)

Amazon's Silk browser
Silk's search settings
Open gallery