The URL bar completion and search feature of Chrome causes the
full typed URL to be sent to Google's servers. This feature occurs if
the URL is typed or even pasted in. It occurs even if the URL starts
with HTTPS. It even includes all of the GET parameters. The URL data
is sent to Google's servers over an HTTP connection.

Hopefully the issue is already clear, but this means that information
like usernames, passwords, account numbers, session IDs, etc. that were
never meant to be in the clear are now being sent across the internet
for all to read. With everyone doing deep packet inspection these
days, it likely means the data is not only exposed, but stored and
searchable.

Nobody expects their search strings to be secure. But one of the key
features of HTTPS is that the URL itself is not exposed. This feature
is putting Chrome users in jeopardy.

Here are some suggestions to reduce the vulnerability:

1) Don't provide this functionality if the URL starts with HTTPS (Best
complete solution)
3) Don't send GET parameters (partial solution, some sites do use
directory names as data parameters)
2) If the URL starts with HTTPS, send the URL data to Google using
HTTPS (Do users really trust Google with their usernames, passwords,
account numbers, etc when Google has no need for them?)

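The three suggestions in the message above can be combined into one client-side policy that decides what part of the typed text, if any, may be sent to a remote suggestion service. The sketch below is an added example, not Chromium code and not part of the original post; `decideSuggestRequest`, its `allowHttps` option and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration, not Chromium code; every name here is hypothetical.
// Returns { send: false } or { send: true, text, transport }.
function decideSuggestRequest(typed, opts = { allowHttps: false }) {
  const text = typed.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
  // Scheme-less input with no spaces and a dotted host is treated as a URL,
  // the way an address bar would navigate to it.
  const looksLikeHost = !/\s/.test(text) && /^[^\/?#]+\.[^\/?#]+/.test(text);
  if (!hasScheme && !looksLikeHost) {
    // Ordinary search terms: sent unchanged, no transport requirement.
    return { send: true, text, transport: "any" };
  }
  let url;
  try {
    url = new URL(hasScheme ? text : "http://" + text);
  } catch {
    return { send: false }; // URL-like but unparseable: fail closed
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { send: false }; // other schemes are never forwarded
  }
  if (url.protocol === "https:" && !opts.allowHttps) {
    return { send: false }; // suggestion 1: no completion for HTTPS URLs
  }
  // Suggestion 3: drop the GET parameters. This sketch also drops userinfo
  // (user:pass@) and the fragment. The path is kept, so data carried in
  // directory names still leaks, which is why the post calls this partial.
  const stripped = url.protocol + "//" + url.host + url.pathname;
  // Suggestion 2: anything derived from an HTTPS URL travels over HTTPS only.
  const transport = url.protocol === "https:" ? "https" : "any";
  return { send: true, text: stripped, transport };
}

// Constructed sample inputs, not taken from any real traffic.
const SAMPLES = [
  "https://bank.example/login?user=bob&session=abc123",
  "http://bob:hunter2@shop.example/cart?id=42#top",
  "shop.example/cart?id=42",
  "how to bake bread",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(decideSuggestRequest(s)));
}
```

A single dotted search term such as a file name is classified as a URL by this heuristic, which errs toward sending less rather than more.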