Security considerations

Cloud Application Metering is designed with data protection and user privacy in mind. Snow has minimized the amount of collected information to ensure that only required data points are stored. Importantly, there is no telemetry, usage data, or any other information that is transferred to Snow. Snow has no access to the raw data collected by the extension, which always remains secure at customer premises.

Data collected

The Cloud Application Metering extensions collect the following data points:

  • Full URL of a website visited by a user

  • A user logon name

  • A timestamp associated with the URL visit

The extension neither collects, examines, nor utilizes security headers, request body, or any other parameters.

After a short period of time (3-5 min), the agent processes the collected information, which is stored in an encrypted file (exception: Microsoft Edge Legacy, where the content of the file is obfuscated), and removes the URL details from the resulting data set. This is done to ensure that the visited URL information never leaves the user’s device. Instead, only the number of hits against a Cloud Application Metering rule (for example, all visits to snowsoftware.com and its subdomains) is saved. The rule itself is not stored in clear text, but is instead represented by a unique rule ID which has no details about which website it identifies. The matching is done in the Inventory Server data processing pipeline.
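The reduction described above can be sketched as follows. This is an added example, not Snow's code: the rule IDs, the domain-to-ID table held by the agent, the record layout and the sample visits are all assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical rule table: domain -> opaque rule ID (constructed values).
RULES = {
    "snowsoftware.com": "r-7f3a",
    "example.org": "r-01c9",
}

# Constructed raw records: (full URL, logon name, timestamp).
RAW_VISITS = [
    ("https://www.snowsoftware.com/products?id=42", "alice", "2024-01-10T09:00:05Z"),
    ("https://community.snowsoftware.com/thread/9", "alice", "2024-01-10T09:01:40Z"),
    ("https://snowsoftware.com.lookalike.test/login", "bob", "2024-01-10T09:02:11Z"),
    ("https://example.org:8443/app", "bob", "2024-01-10T09:03:00Z"),
    ("https://intranet.corp.test/payroll?emp=7", "bob", "2024-01-10T09:03:30Z"),
    ("not a url", "bob", "2024-01-10T09:04:00Z"),
]


def match_rule(url, rules=RULES):
    """Return the rule ID whose domain equals the URL host or is a parent of it."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    # Compare on label boundaries only, so notsnowsoftware.com and
    # snowsoftware.com.lookalike.test do not count as snowsoftware.com.
    for i in range(len(labels)):
        rule_id = rules.get(".".join(labels[i:]))
        if rule_id:
            return rule_id
    return None


def aggregate(visits, rules=RULES):
    """Reduce raw visits to {rule_id: hits}; no URL survives in the result."""
    hits = Counter()
    for url, _user, _timestamp in visits:
        rule_id = match_rule(url, rules)
        if rule_id:
            hits[rule_id] += 1
    return dict(hits)


if __name__ == "__main__":
    print(aggregate(RAW_VISITS))
```

Visits that match no rule, such as the intranet URL in the sample, contribute nothing to the result, so paths and query strings are absent from what is saved.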

Data encryption

All collected and processed data is stored encrypted.

This includes:

  • Temporary storage of URLs, logins, and timestamps (AES-256)

  • Storage of rules with corresponding hit numbers (AES-256)

  • Generic Snow Inventory files that are used to package the data for sending (AES-128)

Extension permissions and functionality

In order to perform their tasks, browser extensions need to access browsing data. The different browsers will show warnings regarding what an extension does.

These are examples of warnings regarding browser extension permissions, as stated in the respective browser store:

  • Chromium-based browsers Google Chrome and Microsoft Edge:

    • Read and change all your data on the websites you visit

    • Communicate with cooperating native applications

  • Apple Safari:

    • Web Page Content: Can read sensitive information from web pages, including passwords, phone numbers and credit cards. Can alter the appearance and behavior of web pages. This applies to all web pages.

    • Browsing History: Can see when you visit all web pages.

  • Mozilla Firefox:

    • Access your data for all websites

    • Exchange messages with programs other than Firefox

    • Access browser tabs

For example, Chromium-based browsers by design implement an “all-or-nothing” permission model for extensions that request access to all URLs visited by a user. For the Snow Web Application Metering extension, this means that Chromium-based browsers give it permission to “Read and change all data on websites you visit”.

Important

The Cloud Application Metering extensions only require and collect information on the user-visited URLs. The extensions do not change or read the content of the visited web pages.

Unfortunately, a separate permission scope for “Read all URLs on the websites you visit” does not exist in the current permission model of Chromium-based browsers.

Security testing

Snow recognizes the importance of keeping the browser extensions secure as they are deployed to end-user computers and have access to websites the users visit. Therefore, Snow has started a bug bounty program, where security researchers are rewarded for finding and reporting security issues within the extensions. This facilitates continuous security assessment of the latest changes to the Cloud Application Metering extensions.