Amazon’s Silk Raises Privacy, Security Concerns

Remember Amazon’s new web browser Silk that is being included with the Kindle Fire? Well, it’s gotten some security and privacy experts to start thinking!

In a short FAQ about Silk, Amazon conveyed that it will handle the encrypted traffic between consumers and websites secured with SSL (secure socket layer), such as log in pages, other shopping sites, and online banking sessions.

This makes Amazon like your ISP. Every site, everything you do online through Silk will go through Amazon. That’s a new role for someone like them, and I don’t think it’s at all clear that Amazon can step into that, or that it will be apparent to consumers. – Aaron Brauer-Rieke of the Center for Democracy & Technology (CDT)

Chet Wisniewski, a security researcher for Sophos, interpreted that to mean that Amazon will install a trusted certificate in Silk that lets them provide a man in the middle SSL proxy to accelerate users’ SSL browsing.

Furthermore, in the Silk terms and conditions statement that Amazon has published on its website, it has acknowledged that it will temporarily log URLs for the pages it serves, as well as record the originating IP (Internet protocol) or MAC (media access control) addresses, which would identify the network used by the browser, or the individual Fire device.

Such information is not kept for more than 30 days according to Amazon, however. Users will also be able to run Silk without the connection to Amazon’s servers if they want, the company confirmed in its FAQ.

[Thanks, Sebastian]