Skip the navigation

Amazon's Silk browser raises privacy, security eyebrows

The Kindle Fire browser's connection to Amazon's servers prompts concerns from experts

September 29, 2011 04:17 PM ET

Computerworld - Amazon's new Silk browser has raised some eyebrows among privacy and security experts.

"This makes Amazon like your ISP," said Aaron Brauer-Rieke of the Center for Democracy & Technology (CDT), Washington D.C.-based advocacy group. "Every site, everything you do online [through Silk] will go through Amazon. That's a new role for someone like them, and I don't think it's at all clear that Amazon can step into that, or that it will be apparent to consumers."

On Wednesday, Amazon introduced its new Kindle Fire touch-based tablet, and the browser that will run on the Android-powered device: Silk.

The browser, which is based on the open-source WebKit engine -- the same that is the foundation of both Google's Chrome and Apple's Safari -- will by default connect to the company's cloud service, which will handle much of the work of composing Web pages, pre-rendering and pre-fetching content, and squeezing the size of page components. That, claimed Amazon, will speed up browsing and let low-powered processors like those in the Fire render sites faster than other mobile browsers and devices.

To do that, Amazon will maintain an open connection between Silk on the Fire and its Elastic Compute Cloud (EC2) service, and will act as a middle-man proxy on all page requests.

In other words, said Chet Wisniewski, a security researcher for Sophos, "Web connections from your tablet will connect directly to Amazon, rather than the destination web page."

In a short FAQ about Silk, Amazon intimated that it will also handle the encrypted traffic between consumers and websites secured with SSL (secure socket layer), such as log-in pages, other shopping sites and online banking sessions.

"We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL," Amazon said.

Wisniewski interpreted that to mean that Amazon will install a trusted certificate in Silk that lets them provide a man-in-the-middle SSL proxy to accelerate users' SSL browsing.

Brauer-Rieke, a former Web developer who is currently a Fellow at CDT, applauded the technology Amazon's described.

"This sounds like a potentially very smart proxy that uses the cloud service to make intelligent decisions, that can predict what site you'll visit," said Brauer-Rieke. "But there is a proxy under this, and that is something new."

And that's why he has questions.

"I have a lot of questions, not about collecting personal information, because Amazon has said it will not do that, but about aggregate information collection," he said.

In the Silk terms and conditions statement that Amazon has published on its website, it has acknowledged that it will temporarily log URLs for the pages it serves, as well as record the originating IP (Internet protocol) or MAC (media access control) addresses, which would identify the network used by the browser, or the individual Fire device.



Our Commenting Policies