What "googleapis.com" exceptions are needed for Google sites to work with HTTPS/DPI?

I had an exception for *.googleapis.com to allow unrestricted access, probably made a long time ago when I had a memory and I thought it was needed for something (the exception, not the memory!).

I just asked a client for samples of scam emails so that I could use them in a demo of how a Firebox can provide additional protection. The one he sent had a target of https://storageDOTgoogleapisDOTcom/pmail/storeDOThtm (DOT used to keep anyone from clicking a real link), and that site is listed as known-malicious phishing by my Trend Micro WFBS antivirus software. I Googled and found several mentions similar to "Malicious site like Storage.googleapis.com is known for distributing various kinds of adware, malware, and potentially unwanted program."

So, I removed the *.googleapis.com exception for now.

What "googleapis.com" exceptions are needed for Google sites to work with HTTPS/DPI? Now that I know that malicious software can be hosted there, what is needed for legit sites that use googleapis.com to work? Or is this going to be another wild game of whack-a-mole?

Gregg

Gregg Hill

Comments

  • Looks to me that Google (or something) uses storage.googleapis.com for updates.

    I can't find anything on the Internet to indicate what storage.googleapis.com/update-delta is used for.

    This is TCP port 80 access:
    storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/77.224.200/77.223.200/a9cc3a50560eb579ea2e3644cf0380b77e9eed7ab9a30d717228d7d73898d55f.crxd

    As I have not blocked this TCP port 80 access, no idea the impact of doing so.

    I do see a lot of HTTPS access to these. Again, no idea what happens if they get denied/blocked.

    fonts.googleapis.com
    safebrowsing.googleapis.com
    clientservices.googleapis.com

    clientservices.googleapis.com access happens when I start Chrome which auto-opens Gmail

    A number of other ...googleapis.com sites are accessed when I do the above.

  • Hi, Bruce!

    I think I created the original *.googleapis.com exception years ago for the same reasons you noted, but it's too broad now that I know that malware is also hosted at storage.googleapis.com.

    Eventually, I think that we are not going to be able to use DPI without daily babysitting of our Fireboxes.

    I dropped the wildcard exception and will run that way for a while and fine tune what's needed, then do the same for my clients.

    Thank you for your help!

    Gregg

    Gregg Hill
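
Added example, not part of the thread and not WatchGuard code: a small Python check that compares which observed hostnames would skip inspection under the `*.googleapis.com` wildcard versus a narrow list of exact hostnames. The wildcard-matching semantics, the sample hostnames and the `NARROW` list (built from the hosts named in the comment above, not a recommended set) are assumptions for illustration.

```python
from collections import Counter

def matches(pattern: str, host: str) -> bool:
    """Assumed semantics: '*.example.com' matches any subdomain; anything else is exact."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # compare against ".example.com"
    return host == pattern

def bypassed(exceptions, hosts):
    """Count observed hosts that would skip inspection under this exception list."""
    return Counter(h.lower() for h in hosts
                   if any(matches(p, h) for p in exceptions))

def inspected(exceptions, hosts):
    """Count observed hosts that would still be inspected under this exception list."""
    return Counter(h.lower() for h in hosts
                   if not any(matches(p, h) for p in exceptions))

# Constructed sample of hostnames seen in proxy traffic (one entry per connection).
OBSERVED = [
    "fonts.googleapis.com", "safebrowsing.googleapis.com",
    "clientservices.googleapis.com", "storage.googleapis.com",
    "fonts.googleapis.com", "storage.googleapis.com",
    "googleapis.com.example.net",  # look-alike suffix; must never match
]

WILDCARD = ["*.googleapis.com"]
# Hypothetical narrow list: exact hosts only, storage.googleapis.com left out.
NARROW = ["fonts.googleapis.com", "safebrowsing.googleapis.com",
          "clientservices.googleapis.com"]

if __name__ == "__main__":
    for name, rules in (("wildcard", WILDCARD), ("narrow", NARROW)):
        print(name, "bypasses inspection:", dict(bypassed(rules, OBSERVED)))
        print(name, "still inspected:   ", dict(inspected(rules, OBSERVED)))
```

Run against hostnames exported from your own logs while the wildcard is disabled, the "still inspected" counts show which hosts to evaluate for an exact-match exception.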
