Alexa toolbar and https (not best friends)

For some reason (don’t ask me why), I decided to install the Alexa toolbar for Chrome to try it out. It works well for what it does, and I didn’t see anything wrong with it besides the expected privacy violation (tracking): it sends every site you visit to their servers.

So every time you visit a site, a request is made to their servers to query the site rank:

192.168.1.X.44210 > 107.22.173.51.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=http%3A//sucuri.net/ HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

If you are using it, you expect those requests to be made (and they are supposed to be anonymous), so that is not a problem.

However, I just noticed one big issue: they also do that for all your HTTPS traffic. So if you are visiting an HTTPS site (whose traffic is encrypted on the wire), you are also leaking the sites you visit via their plaintext rank requests. For example, if I go to gmail.com (HTTPS), an HTTP request is made at the same time:

192.168.1.X.47733 > 23.21.107.170.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=https%3A//gmail.com HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

I actually thought their plugin (extension) would not work for HTTPS, or would at least have a setting to disable it. This is especially bad because now you are leaking the destinations of all your encrypted browsing to anyone watching the wire.
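As an added example (my code, not part of the original post or anything Alexa ships), here is a small Python checker that does on a capture what the tcpdump output above shows by eye: it parses each plaintext HTTP request, looks at lookups sent to data.alexa.com, decodes the url= parameter, and flags any lookup whose decoded URL is an https:// site, since that destination was supposed to be hidden by TLS. The two sample requests are constructed from the captures in the post; the host name and the url= parameter come from the post, while the shortened User-Agent and the helper names are my own.

```python
"""Flag browser-extension rank lookups that leak HTTPS destinations over plaintext HTTP.

Added example, not code from the original post. It generalizes the two captures
above: any plaintext request to a known lookup host whose `url` parameter
decodes to an https:// address is reported as a leak.
"""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts whose plaintext requests carry the browsed URL as a query parameter.
# data.alexa.com is the host seen in the captures above.
LEAKY_HOSTS = {"data.alexa.com"}

# Constructed samples modelled on the two captures in the post (User-Agent shortened).
HTTP_LOOKUP = (
    "GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=http%3A//sucuri.net/ HTTP/1.1\r\n"
    "Host: data.alexa.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Accept: */*\r\n\r\n"
)
HTTPS_LEAK = (
    "GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=https%3A//gmail.com HTTP/1.1\r\n"
    "Host: data.alexa.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Accept: */*\r\n\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into its method, request target and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def leaked_https_url(raw: str) -> Optional[str]:
    """Return the https:// URL carried in a plaintext rank lookup, or None.

    A lookup for an http:// site reveals nothing the wire did not already
    show, so only https:// values count as a leak.
    """
    req = parse_request(raw)
    if req["headers"].get("host", "").lower() not in LEAKY_HOSTS:
        return None
    query = urlsplit(req["target"]).query
    for value in parse_qs(query).get("url", []):  # parse_qs percent-decodes %3A to ':'
        if urlsplit(value).scheme.lower() == "https":
            return value
    return None


def scan(requests: List[str]) -> List[str]:
    """Run the check over a list of raw requests and collect every leaked HTTPS URL."""
    return [url for url in (leaked_https_url(r) for r in requests) if url is not None]


if __name__ == "__main__":
    for leaked in scan([HTTP_LOOKUP, HTTPS_LEAK]):
        print("HTTPS destination leaked in plaintext lookup:", leaked)
```

To use this on real traffic, feed it the reassembled HTTP requests from a capture on your own network (for example, what a tcpdump or Wireshark export of port 80 yields); any line it prints is an HTTPS site whose name an extension has already handed to an on-path observer.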

*I know, I know, if you are using that toolbar you probably don’t care about privacy, but it is something to keep in mind. A simple fix is to just remove it and move on.