Cannot believe the chutzpah

[dfskoll]

Google owns Chrome. So what's to prevent it from installing its own root certificate and MITMing all of your web browsing? Even if Google is able to restrain itself from acquiring all that juicy data (HAHA! As if...), it still collects oodles of metadata about someone's browsing habits.

This is a privacy and security nightmare, and I can't believe the cynicism of the Google marketing team that calls this a "privacy-enhancing" feature.

You all should be thoroughly ashamed of yourself. "Don't be evil" is now a sick joke.

[darkpixel]

Seconded. I don't want all my browsing traffic going through Google-controlled servers.
I certainly don't want it to "initially" be an option followed by "later" being a requirement or even a default.

This doesn't have anything to do with security. This is all about control, harvesting data, and ensuring Google's position as the advertising leader on the internet.

[bahbarnett]

I feel as if Google is literally taunting policy makers, politicians, privacy groups. How could such an inane thought process, be exhibited?

This demonstrates how out of touch Google is, or alternatively, its sheer audacity. Google is the single greatest threat to privacy that has ever existed. Ever.

Insane!

[WiredTombstone]

This, in it's entirety, should be shut down today. I will be writing the FCC about this as well.

Make sure you report this repo as a phishing kit to Github, because that's exactly what it is: google's phishing kit.

[DavidSchinazi]

Hi folks, thanks for your input. This feature tunnels traffic through two proxies (one run by Google, one by another company). That ensures that Google cannot see browsing data even if it were logging data on the proxy - which it isn't. All traffic is encrypted onion-style between Chrome and the proxies, so the Google proxy has no information about what websites are being browsed. Additionally, we're using blinded authentication tokens to minimize access to user identifiers at the proxies. So to recap, all the Google proxy can see is that an unknown client at a specific IP is using the proxy system. No information about websites visited or ads loaded is available.

[n-k]

Even after having read the above comment by @DavidSchinazi , as they say, the devil is in the details.
Unless there is a way to see exactly what the agreement is between Google and the intermediary, both legal (hah) and technical (hahahahaha), and how it is enforced (rofl), its just PR-speak.

As @dfskoll has already pointed out, there will be no way, for an unsuspecting user, to know Google has not MITM'd a connection.

Lets ignore the technical details for a bit and see where this leads: with this feature, google will have a veto on anyone building a competing tracking system.

--
written in FF

[darkpixel]

I'm not buying @DavidSchinazi's comment.

Even if you provided public copies of the contracts and signed assurances, I still don't want my data going through those servers.

"Trust us" is "black box" security.

Regardless, the first hop is always going to know who I am. I don't care if it gets obfuscated by multiple hops only knowing the IP of the previous proxy.

[dmdabbs]

See also Apple's two-hop proxy feature: https://support.apple.com/en-us/102602.

[dfskoll]

A few comments on some previous comments:

1. I don't trust Apple either.
2. However, to my knowledge, Apple does not have a business unit that generates profits by collecting data on its users and supplying it to advertisers. If anyone is looking for an anti-trust reason to break up Google, this feature in Chrome would be Exhibit A.
3. If Google really cared about privacy, it would make Chrome directly support TOR and let users enable it if they wished, using the existing TOR infrastructure that is not under Google's control.

[dfskoll]

That ensures that Google cannot see browsing data

If the first proxy is owned by Google, it ensures no such thing.
If the second proxy is owned by Google, it also ensures no such thing.

Either proxy can MITM the connection. And also, who is the "other company" and why should we trust it?

[WiredTombstone]

@DavidSchinazi - Stop. Implementing. Moats. For. Google's. Ad. Business. This is not a privacy feature, this is anticompetitive BS.

[dfskoll]

All traffic is encrypted onion-style between Chrome and the proxies, so the Google proxy has no information about what websites are being browsed.

• Law enforcement has entered the chat

So you're saying if Google received a subpoena because someone was browsing child pornography, there's no way you could/would assist law enforcement?

Yeah, right.

[darkpixel]

So you're saying if Google received a subpoena because someone was browsing child pornography, there's no way you could/would assist law enforcement?

Not that that's acceptable, and law enforcement should be involved.

But it starts the slippery slope. Getting traffic when a murder happens is also probably a good thing.

Hey--let's also go after people who skip child support.

Then it's people who drive more than 5 MPH over the speed limit.

If the tool is there, governments will start out by saying they will only use it to catch the "worst of the worst"...and over time they'll keep moving the goalposts.

EDIT: I mean...anyone remember when you could order a rifle from a mail-order catalog? You certainly can't do that in the US now.

[DavidSchinazi]

To address some of the technical points made here:

• Neither proxy can MITM the client-origin connection because that connection uses TLS/QUIC end-to-end. These properties come from the WebPKI and are independent of the IP Protection feature. The certificate in use is visible from the Chrome UI, and so is the list of root certificate authorities.
• Google isn't able to trace a given connection back to a user as the information just isn't there. That's true regardless of who would want to do it.

[dfskoll]

• Neither proxy can MITM the client-origin connection because that connection uses TLS/QUIC end-to-end. These properties come from the WebPKI and are independent of the IP Protection feature. The certificate in use is visible from the Chrome UI, and so is the list of root certificate authorities.

Google owns Chrome and Google owns the proxy. There's an inherent conflict there. If Google wanted to, it could make the Chrome UI say anything it chooses.

• Google isn't able to trace a given connection back to a user as the information just isn't there. That's true regardless of who would want to do it.

Google can determine the original IP, which is what this whole thing is supposed to hide.

Why do not not simply add support for TOR directly into Chrome and leave it at that? Then people who want to hide their IP can just enable TOR.

[Kuldran]

@DavidSchinazi would it be possible to have a more technical spec with Diagrams of what your planning traffic routing decision tree for one would be nice.

• How would a user know if traffic is or is not being proxied.
  • Following up on this point how would one know if Google or it's partners are stopping traffic to a site or url?
  • Who would have say on who is or is not allowed to see something?
• How will a company know
• How would complaints be handled SLA, decision body, etc.

I personally have many reservations on this giving Google this much control on a user and it's data is not my cup of tea. As honest as the teams/individual think they are being, Google is not known to play with things that are not in there interest. So I will ask the dumbest question I know will be ignored if we are planning to cut tracking and identification how will ad-sense work from that point on because we said Google will not be tracking users.