security4all posted a comment about a potential disclosure of personal information when using Finjan. Thanks to him!
Once installed, the Finjan Firefox add-on requires neither registration nor authentication on the Finjan web site. The service is available “as is” and relies on the HTTP protocol. More details about this service follow.
Finjan uses the following netblock:
    inetnum:    82.166.163.0 - 82.166.163.31
    netname:    FINGAN-1
    descr:      Fingan Ltd
    country:    IL
    admin-c:    BPT2-RIPE
    tech-c:     BPT2-RIPE
    status:     ASSIGNED PA
    remarks:    Send Spam and Abuse complains to abuse@013barak.net.il
    mnt-by:     BARAK-MNT
    source:     RIPE # Filtered
First, the URLs checked are those returned by your search query. All of them are checked, so Finjan does not know which one will be “clicked”. The only thing it can learn about you is what you are looking for (based on the search engine results).
Here is a typical client-server conversation (let’s assume my IP is 10.0.0.1). First, a typical TCP session initialization:
    10.0.0.1:12345 -> 82.166.163.10:80 | SYN
    82.166.163.10:80 -> 10.0.0.1:12345 | SYN,ACK
    10.0.0.1:12345 -> 82.166.163.10:80 | ACK
Then the HTTP request containing the URL to check:
    10.0.0.1:12345 -> 82.166.163.10:80 | POST /advice/advise?\
    rnd=pxTuhngd23711227301243150_eWaJTngF1227306376040&n=0&m=12&t=12
    Line-based text data: application/x-www-form-urlencoded
    [truncated] version=1.333&url0=http%3A%2F%2Fwww.subserials.net\
    %2F&url1=http%3A%2F%2Fwww.subserials.net%2Fhtml%2Fy1.html\
    &url2=http%3A%2F%2Fwww.appzplanet.com%2F&url3=http%3A%2F%2F\
    www.serialcrackz.com%2F&url4=http%3A%2F%2Fwww.cracktop.com%2F
In the text data, you will find the URLs returned by Google: www.subserials.net, www.appzplanet.com, www.serialcrackz.com, etc. Note that the rnd parameter is a randomly generated ID for your requests. Then the Finjan server replies:
    82.166.163.10:80 -> 10.0.0.1:12345 | HTTP/1.1 200 OK (text/html)
    Line-based text data: text/html
    {"url0": {"category": "Hacking", "reason": "", "state": "safe"}, \
    "url10": {"category": "Reference", "reason": "", "state": "safe"}, \
    "url11": {"category": "Reference", "reason": "", "state": "safe"}}
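The request and reply above, parsed to list what a single query hands to the server and which verdict comes back for which URL. This is an added example, not part of the original post and not Finjan's code; the constants are re-typed from the capture with the line-wrap backslashes removed, and the function names are hypothetical.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed from the capture shown above (line-wrap backslashes removed;
# the body is truncated exactly as in the original capture).
REQUEST_TARGET = ("/advice/advise?rnd=pxTuhngd23711227301243150_"
                  "eWaJTngF1227306376040&n=0&m=12&t=12")
REQUEST_BODY = ("version=1.333&url0=http%3A%2F%2Fwww.subserials.net%2F"
                "&url1=http%3A%2F%2Fwww.subserials.net%2Fhtml%2Fy1.html"
                "&url2=http%3A%2F%2Fwww.appzplanet.com%2F"
                "&url3=http%3A%2F%2Fwww.serialcrackz.com%2F"
                "&url4=http%3A%2F%2Fwww.cracktop.com%2F")
RESPONSE_BODY = ('{"url0": {"category": "Hacking", "reason": "", "state": "safe"}, '
                 '"url10": {"category": "Reference", "reason": "", "state": "safe"}, '
                 '"url11": {"category": "Reference", "reason": "", "state": "safe"}}')


def disclosed_fields(target, body):
    """Return what one request reveals: request ID, add-on version, URLs."""
    query = parse_qs(urlsplit(target).query)
    form = parse_qs(body, keep_blank_values=True)
    urls = {}
    for key, values in form.items():
        # URLs are sent as url0, url1, ...; keep them keyed by that index.
        if key.startswith("url") and key[3:].isdigit():
            urls[int(key[3:])] = values[0]
    return {
        "rnd": query.get("rnd", [None])[0],
        "version": form.get("version", [None])[0],
        "urls": dict(sorted(urls.items())),
    }


def join_verdicts(urls, response_body):
    """Pair each verdict in the reply with its URL's host.

    The host is None when the (truncated) capture lacks that index.
    """
    rows = []
    for key, verdict in json.loads(response_body).items():
        index = int(key[3:])
        url = urls.get(index)
        host = urlsplit(url).hostname if url else None
        rows.append((index, host, verdict["category"], verdict["state"]))
    return sorted(rows)


if __name__ == "__main__":
    seen = disclosed_fields(REQUEST_TARGET, REQUEST_BODY)
    print("request id:", seen["rnd"], "| version:", seen["version"])
    for row in join_verdicts(seen["urls"], RESPONSE_BODY):
        print(row)
```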
To conclude, the only information they collect about you is:
- your IP address
- your User-Agent
- the URLs returned by your search queries
If you’re paranoid, use a proxy to relay your requests to Finjan and fake your User-Agent.