Amazon's Kindle Fire Silk browser has serious security concerns

Summary: Silk looks to be very fast and about as private as a bathroom stall without a door.

OK, here's the good stuff about the new Silk Web browser, which Amazon will be embedding in its new Amazon Kindle Fire tablets: From all reports, it makes Web browsing amazingly fast on relatively low-end hardware. The bad news? It does it by watching all, and I mean all, of your Web activity through Amazon's cloud-based Amazon Web Services.

You don't have to take my word for it. Amazon states that, "All of the browser subsystems are present on your Kindle Fire as well as on the AWS cloud computing platform. Each time you load a web page, Silk makes a dynamic decision about which of these subsystems will run locally and which will execute remotely. In short, Amazon Silk extends the boundaries of the browser, coupling the capabilities and interactivity of your local device with the massive computing power, memory, and network connectivity of our cloud."

And to think I was worried because Facebook was tracking you on the Web whenever you were on a site with a Facebook Like button on it! That, while sneaky and underhanded, was nothing. When you're using your Kindle Fire's Silk Web browser, everything you do on the Web will be made part of your permanent record.

To be more precise, what Amazon will be doing is using the Amazon Elastic Compute Cloud (EC2) as a Web proxy. Thus, when you "go" to a site, you're not actually connecting to the site. Instead, you're viewing an EC2-based copy of the site. Local networks use proxy caches all the time to improve local performance for commonly accessed Websites. While uncommon as a Web browser feature, Silk isn't the first to use this approach. The credit for this goes to the Opera Web browser.

In addition, and this is one of the neat things about Silk, whenever you visit the site, its content has been optimized for the Kindle Fire. This means you'll get better video and game performance from Silk than you would with another Web browser on a tablet with the same CPU horses. Last, but not least, so long as you're on the Web with Silk, Amazon keeps the connection between your Kindle Fire and EC2 open. The net effect of this is to reduce latency and improve connection times.

And all you have to do to get all this is let Amazon see every site you visit on the Web and watch over your every move. What a deal!

Amazon Silk's terms and conditions state that Amazon will keep the Web addresses you visit, the IP addresses you use, and your Kindle Fire's unique media access control (MAC) address for 30 days. With that information, Amazon can track your every Web move.

On top of that, when you log into a site that uses Secure Sockets Layer (SSL) or HTTPS for security, EC2 will handle that for you as well. According to the Silk FAQ, "We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://siteaddress.com). Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist."

Amazon will do this by acting as a man-in-the-middle (MITM) SSL proxy. That's fine if you trust Amazon. I'm not sure I do. I'm not crazy about extending my trust to any large corporation. I have to trust my ISP, since they connect me with the net, but I don't want to extend my trust much farther than my ISP.

Besides, even if you did trust Amazon, you have to ask yourself, "Do you trust the U.S. government?" Since Amazon is a U.S. company with American data centers, any data kept on that site would be subject to American law.

As ZDNet's own Zack Whittaker has reported in detail, thanks to the U.S. Patriot Act, even if you're a European Amazon user, your U.S. cloud-based records are subject to being grabbed by American legal authorities. Or, more mundanely, if your soon-to-be ex-wife, former business partner, or whoever wants to check out your Web browsing habits and can get a court order, your EC2 Web history will be opened for their snooping.

If you're concerned with online privacy, I simply wouldn't use the Silk browser in its full mode. To Amazon's credit, you can opt out of Silk's cloud-enhanced mode. To quote Amazon, "You can also choose to operate Amazon Silk in basic or 'off-cloud' mode. Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers. As such, it does not take advantage of Amazon's cloud computing services to speed-up web content delivery."

That's all well and good, and maybe it's just me, but I'd have preferred it if Amazon had Silk's cloud mode off by default. Then, it would be up to you and me if we thought saving a few milliseconds here and there was worth the price of giving Amazon a chance to play Big Brother.

Talkback

20 comments
  • Already being done... on a smaller scale of course

    The Skyfire browser that lets iOS users view flash does this same trick - compiling the page in the cloud. I haven't heard much about security issues from that implementation. Of course, it's small fish compared to what Amazon will end up collecting.
    scott.koegler
  • Not only is 'privacy' a concern; security also does not exist

    Amazon says it will handle secured connections, too -- like HTTPS. Because of this feature, Amazon can see your HTTPS content, since its Silk engine builds/draws the page that it sends to the tablet (or PC, shortly). The data which is SSLed is only secured on its way to Amazon, and from Amazon to the user. However, the data is decrypted on Amazon (or otherwise their engine would not be able to build/draw the "secured" internet page).

    So Amazon's solution provides neither privacy nor security -- you cannot even begin to compare it to ISPs, which never see your secured data decrypted (only you see it raw on your device).
    DDERSSS
    • RE: Amazon's Kindle Fire Silk browser has serious security concerns

      @DeRSSS

      Don't worry. The piece of aluminium foil you have on your head will bounce back all Amazon requests trying to access sensitive data...
      tuneto
    • RE: Amazon's Kindle Fire Silk browser has serious security concerns

      @DeRSSS
      You are right.
      The solution is not to use it for any https related site. Especially ones related to bank accounts.

      Companies are made by employees, and you have no idea who might be scanning users connecting to bank accounts and saving user/passwords. So that when they leave the company, they got a bulk of user/passwords to use or sell in the black market.
      rxantos
  • Can you spell Paranoid?

    Really - don't you think that any clever hacker can track anything you are already doing - with evil intent? Google keeps all my searches - forever!!! My ISP - a very Large Corp - Verizon - knows it all and does anyone really think they are "Safe". It is the Wild West on the Internet and to think otherwise is to stick your head in the sand. Get over it - Enjoy it and hope it never gets as "Safe" - read controlled like China - as you seem to want!!!

    BTW - a few Millisecs - times all the files/links/... should make a big difference!
    ZARDOZ_TX
    • ISP does not see your encrypted data, while Amazon does

      @ZARDOZ_TX: you cannot even begin to compare ISPs to Amazon in this regard. In terms of the lack of security/privacy, nothing like this Amazon's way ever existed.

      Using HTTPS on this system, you are like: "I want my data secure for only myself (and a giant corporation)".
      DDERSSS
      • RE: Amazon's Kindle Fire Silk browser has serious security concerns

        @DeRSSS - Then turn it off - but Amazon already has all my credit cards and I am not planning on taking over the world - so I am really concerned???
        ZARDOZ_TX
  • RE: Amazon's Kindle Fire Silk browser has serious security concerns

    That's pretty alarming. There are a lot of reviews on this product but most of them seem to have a lot of negative view points. I was hoping for this tablet to be a great device. Here is a review that was a little more positive. http://easytechsite.com/slider/kindle-fire-review-the-new-kindle-tablet/
    sozbun
  • RE: Amazon's Kindle Fire Silk browser has serious security concerns

    I don't get it, what in the world are all these security fears coming from? I mean, are you that scared to death that a company knows what you're looking at on the net? Seriously? if you're that concerned, wth are you looking at that makes you that paranoid? DeRSSS is right, these companies already have my name, address, credit card info and bank info. What in the world are you so worried about? Please explain this fear to me.
    Godmocker
    • RE: Amazon's Kindle Fire Silk browser has serious security concerns

      @Godmocker Even using a secure connection (SSL), Amazon has certificates which allow them to decrypt all data during any connection you establish. This may not bother you on the surface, which is fine. Still, what is to stop Amazon or an individual employee from selling that data to third parties, or taking your credentials that you thought were safe and using your email address, or your Amazon account, bank account to buy goods/services which you didn't buy? What happens if their EC2 cloud is compromised by an outsider? Well, in that instance Amazon wouldn't be at fault, but in the former, they would be. If you don't have an issue with them knowing exactly what pages you are looking at, then it's not a problem for you, but others still don't like the idea of a company having the ability to see whatever you do online.
      fairlane32
  • RE: Amazon's Kindle Fire Silk browser has serious security concerns

    The market for the Fire is the same folks that are posting their life history to Facebook. Security is a concern for those who care. Those who ignore the issues are likely to have the consequences from more than just 1 source.
    scott.koegler
    • RE: Amazon's Kindle Fire Silk browser has serious security concerns

      @scott.koegler Got it in one. Looked at correctly, this should catch all the stupid criminals (pedophiles, ad nauseam). My internet traffic goes over wireless and unless they have changed a bunch of things, it's easily read unless I bother to use SSL. I do tripwire as well as daily scan things here to prevent botting the machine, but other than that, read all you want, Mister Men in Black. 'Sheesh, there is so much more to worry about.

      I must admit though when I first read about Silk, handing over my data, credit cards, heck even my email accounts over to Amazon was a bit worrying. However, thinking along the lines of the average Joe or Jane, the potential security that Amazon can wrap around your EC2 Host Proxy will almost certainly what they normally have. Then there is the potential here to also have a continuous 'web persona' that could allow many things that we have wished for as well. Like a particular band? Your persona notes when and where it comes close to your area. Trip bookings (all types), eBay bid watching, appointments calendaring as well as missed phone and chat messages? Again, serious potential to be developed here. I'm sure Microsoft is green with envy, not just green with money ;-).
      Brian J. Bartlett
  • Really, Steven?

    Are you not the same Steven who posts an article every week proclaiming Chrome to be the Best Browser on the Planet? So you think it is fine and dandy for Google to steal, er, "collect" all of your browsing data, but evil for Amazon to do the same? Which one are you, the Pot or the Kettle?
    itpro_z
  • What Will they Do with the Data?

    That is really the question that should be asked. Having the Amazon cloud system act as a proxy is one thing. They keep the data for 30 days and then it is gone - but what will they do with that data? Will they be mining it to target you with things to buy on Amazon? Which if you are a member of Amazon and login, they are already doing. Just having your browsing history is only half the concern. It's what they do with that data that is the other half.
    jpr75_z
  • Really?

    SJVN loves Google (as we all know) and is concerned about privacy and security at Amazon.

    Using GMail really worked out for those Chinese dissidents (wherever they are now.)
    dazzlingd
  • All Banks will block the browser if they terminate SSL

    I work for a bank. If Silk does indeed terminate SSL, we will block this browser from accessing online banking. We block OperaMini browsers, which also terminate SSL, for exactly the same reason - your sign-on credentials will be IN THE CLEAR on a 3rd party site.
    As the bank is the one offering the security guarantee and taking the risk, we cannot afford to have credentials in the clear on someone else's site -- ever.
    woodyanderson@...
  • RE: Amazon's Kindle Fire Silk browser has serious security concerns

    I don't have anything to hide, so why should I care? The only problem I would have is how secure is it from identity thieves and the like. That does not seem to be a problem.
    hayneiii@...
  • RE: Amazon's Kindle Fire Silk browser has serious security concerns

    Thanks for the article, I just bought a Kindle Fire!
    iLocosSur
  • RE: Amazon's Kindle Fire Silk browser has serious security concerns

    So you agonized A PAGE LONG about something that you can TURN OFF?

    Get a life...
    kintverbal
  • someone has an issue?

    So you agonized A PAGE LONG about something that you can TURN OFF?

    Get a life...
    kintverbal