Enterprise Safe Browsing Analytics

Understanding employee browsing habits


The Chrome web browser has a powerful malicious website detection capability called Safe Browsing. It is powered by a team of Googlers who help detect millions of malicious websites, phishing attempts, and now even unwanted content. If you try to browse to a site the Safe Browsing team has deemed unsafe, you will see an alert similar to the one i’ve used in the top of this article. This free service probably does a better job than premium security services offered by Anti-Virus companies.

The problem with Safe Browsing is that in an enterprise environment, I cannot track which employees choose to dismiss the Safe Browsing alert and click-through to the malicious content. A Googler reports that roughly 62% percent of users click through SSL warning pages. I would like to know exactly which employees are getting Safe Browsing alerts, how often they get them, and how often they click-through them. This data can help me better protect these at-risk employees using other security technologies under my employ. So how can we capture Safe Browsing analytics? Let’s build a Chrome extension!

Building An Enterprise Safe Browsing Analytics Chrome Extension

I set out to build a Chrome extension that enterprise employees would install. It would report Safe Browsing data back to my Google Apps for Work Admin Dashboard. I don’t want to track which sites employees visit, but only care about tracking Safe Browsing Alerts. It should be easy, right!?

I tried hooking Chrome tabs to watch for Safe Browsing Alert pages using chrome.tabs.onUpdated.addListener, but the interstitial safe browsing page doesn’t trigger that callback.

I tried taking a screenshot of new web sites visited, hoping I would be able to capture the Safe Browsing alert using chrome.tabs.captureVisibleTab, but this threw aUnchecked runtime.lastError while running tabs.captureVisibleTab: The ‘activeTab’ permission is not in effect because this extension has not been in invoked.’ error. Drat!

I tried catching the outgoing website request before it was sent using both chrome.webRequest.onBeforeRequest and chrome.webNavigation.onBeforeNavigate but Safe Browsing alerts are ignored: We also do not observe navigation events from interstitial pages such as SSL certificate errors”

Then the idea of using the chrome debugging api came to mind, as a sort-of last ditch effort. By using chrome.debugger.attach, chrome.debugger.sendCommand(tabId, ‘Network.enable’), and listening for Network.requestWillBeSent events, I can see URLs that are ‘waiting’ for the Safe Browsing interstitial page. Score! This is not a suitable solution, as debugging each tab in employees Chrome browsers is a bad idea: performance would be significantly degraded.

A Compromise

What we can capture is the Click-Through-Rates of Safe Browsing alert pages using a combination of the Safe Browsing API and chrome.webNavigation.onCompleted. Any URLs that we see through onCompleted that are matches on the Safe Browsing API were clicked through by a user of our extension.

Wiring up the rest is left as an exercise to the reader. A few dashes of Google App Engine, a sprinkle of Google datastore JSON API, and the eye-watering processing of chopping OAuth onions and its done.

Deployment of this extension enterprise-wide across Linux, Mac, and Windows is quite easy using Group Policy.

Now I can track the click through rates of all employees who use the Enterprise Safe Browsing Extension. This leads to all sorts of interesting things like tuning my Intrusion Detection Systems to pay closer attention to these employees.

If you are interested in using this extension at your organization, I am considering offering it on the Chrome Web Store for a monthly fee. Please contact me at ryan@zenauth.com if you are interested.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.