The cloud-based design of Amazon's Silk browser has positive security side effects because it encrypts all traffic between users and websites, especially important when connected over unprotected Wi-Fi networks where session hijacking attacks can occur easily, the company said.
Amazon developed Silk to increase browsing performance on its new Android-based tablet, the Kindle Fire, by leveraging the power of the company's AWS servers to process and optimize Web content requested by users.
Soon after its release, the browser came under criticism for the alleged risks it poses to user privacy and security. The main issues revolve around the browsing data logged by the company and its handling of SSL traffic.
In a dialog with digital rights watchdog the Electronic Frontier Foundation (EFF), Amazon tried to alleviate some of the fears associated with Silk's split-browser architecture. For one it clarified that HTTPS requests do not use cloud acceleration and are routed directly to users.
As for browsing data, the company said it keeps an anonymized record of visited URLs, along with corresponding timestamps and session tokens, for 30 days, and that information cannot be tied to individual users.
One interesting piece of information that came out of Amazon's talk with the EFF is the company's contention that Silk can actually increase security. "The persistent SPDY [networking protocol] connection between the user's tablet and Amazon's servers is always encrypted," the EFF said. "Accordingly, if you are using your tablet on an open WiFi network, other users on that network will not be able to spy on your browsing behavior."
This is a security layer that users normally implement by routing traffic through secure VPNs (virtual private networks) after they connect to open Wi-Fi access points.
Man-in-the-middle attacks that allow hackers to hijack user accounts are trivial to execute over unprotected wireless network. Browser extensions and other automated tools make these techniques accessible to non-technical users.
The EFF developed a Firefox extension in collaboration with The Tor Project called "HTTPS Everywhere," which forces HTTPS to be used on a large number of popular websites that support it.
However, this type of connection can cause problems with some services. For example, many third-party applications don't work over HTTPS on Facebook, and websites that load external resources have similar issues, because unsigned content is insecure.