Amazon Silk browser removes Google’s default encryption
Google’s good intentions of keeping searches made via its search engine protected through default encryption have been stymied by Amazon.
A bug in the Amazon Silk browser, which is based on the open source Chromium project and comes pre-loaded on the company’s line of Kindle Fire tablets and Fire phones, caused Google searches executed through the browser’s omnibox to be sent without SSL protection.
“Furthermore, going to http://www.google.com which normally would redirect to the SSL version, stayed in HTTP mode and prevented redirection,” the researchers found.
“All other Google international domains (like google.ru, google.fr, etc.) automatically redirected to the SSL versions.”
The bug was found in version v49.3.1 of the browser and was silently fixed by Amazon in version v51.2.1, so users who haven’t yet upgraded to the latest version are advised to do so now.
And while this bug could be exploited in man-in-the-middle attacks, it’s also good for users to remember that, in order to speed up the loading of web pages, the traffic between the browser and web servers passes by default through Amazon’s EC2 servers – effectively making Amazon a man-in-the-middle that knows your browsing preferences.
Fortunately, this particular option can be switched off. Unfortunately, not many users will even be aware of any of this in the first place.
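For administrators who want to find affected devices on their own network, the following is an added example (not code from the article, the researchers or Amazon) that audits web proxy logs for Silk clients sending cleartext requests to google.com. The tab-separated log layout and the sample lines are constructed, and treating every version below v51.2.1 as needing an update is an assumption, since the article names only v49.3.1 as affected.

```python
import re
from urllib.parse import urlsplit, parse_qs

FIXED = (51, 2, 1)  # version the article says contains the fix
GOOGLE_HOSTS = {"google.com", "www.google.com"}
SILK_RE = re.compile(r"\bSilk/(\d+(?:\.\d+)*)")  # Silk puts its version in the User-Agent

# Constructed sample data: client IP, requested URL, User-Agent (tab-separated).
UA = "Mozilla/5.0 (Linux; Android) AppleWebKit/537.36 (KHTML, like Gecko) Silk/{} like Chrome Safari/537.36"
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("10.0.0.5", "http://www.google.com/search?q=example", UA.format("49.3.1")),
    ("10.0.0.6", "https://www.google.com/search?q=example", UA.format("51.2.1")),
    ("10.0.0.7", "http://www.google.com/", UA.format("49.3.1")),
    ("10.0.0.8", "http://www.google.com/search?q=example", "Mozilla/5.0 Chrome/49.0"),
    ("10.0.0.9", "http://www.google.com/", UA.format("51.2.1")),
])

def silk_version(user_agent):
    """Return the Silk version as a tuple of ints, or None for other browsers."""
    m = SILK_RE.search(user_agent)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(log_text):
    """List Silk clients that sent cleartext HTTP requests to google.com."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # skip malformed lines
        client, url, user_agent = fields
        version = silk_version(user_agent)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if version is None or parts.scheme != "http" or host not in GOOGLE_HOSTS:
            continue
        findings.append({
            "client": client,
            "silk": ".".join(map(str, version)),
            # A fixed build may still log one HTTP request before it is redirected.
            "needs_update": version < FIXED,
            # True when a search term actually crossed the network in cleartext.
            "query_exposed": parts.path == "/search" and "q" in parse_qs(parts.query),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```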