Firefox 2 To Have Anti-Phishing Technology
Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."
Good idea. This way they can make sure that the only thing stolen through FireFox is memory space.
[rimshot]
Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7
Site Blocked: www.google.com has been placed on a list of sites that link to potentially unsafe and / or phishing sites.
The biggest problem is still the weakest link in the system: its user.
Vulnerabilities aside, the user is responsible for over 90 percent of the infections monitored. This starts with mails that urge him to open something "really urgently", covers various plugins for browsers that come filled with spyware (which, in turn, is a perfect door for other malware) and goes to bogus files on various P2P networks that claim to be some crack, hack or other "goodie" to lure the P2P user into starting it.
Now, you can walk the same way that antivirus companies go: you wait for the threat to unfold and grab it by the neck when you find it lurking in the system, once your update covers it. That's fine as long as your releases at least match the speed of trojan development, if there is some intersection between the moment you update your anti-trojan signatures and the moment the trojan goes into a new generation.
And that window is closing. Fast. We're now facing trojans with update cycles that make you wonder when and how they create them. Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.
Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have AV tools and/or know how to keep their computer clean.
As soon as a browser like this hits the market, the race is on. It no longer matters if you're clueless or an IT pro; your browser will keep you out of harm's way on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).
I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few hundred for about as many malware programs. Not a good position for the AV guys.
My hope is that Firefox will have a different approach to the problem. Self-checking processes (to avoid injections), close scrutiny of its BHOs, etc. I hope they will not try to use AV techniques, but instead concentrate on the entry points for such a program, and try to detect it there.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I do hope this works well for the average Jane or Joe... I'd like to see fewer incidences where my mom forwards mails to me (thinking she's either been doing something wrong {like, her bank account is overdrafted, please go to this special web page and fix it}, or has gotten something great for free).
A Passionate Independent Musician
I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?
Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.
Can say FF stole one of 'their' features.
I dunno about you, but phishing always seems so easy to identify. I can see it being very good for the grandmas out there, but one of the things I like about Firefox is the fact that it's lightweight (when tuned correctly). If things like this keep happening, it could turn into a cluster
Wait, let me get this straight. Netscape is still putting out releases? Why?
Looks like Microsoft (IE) will have to play catch up again. You will soon hear about this amazing new technology in Vista, or not so new.......
With the scams changing so rapidly, moving detection to a web browser just makes sense. When these things aren't tagged by the user's email server (ClamAV is excellent for this) or client, this would be a great 'safety net' stopping me...err...grandma from entering her login info for PayPal/eBay/etc. Plus, with FF online updating, I could see them having a plugin/extension that would have .dat files with the latest phishing definitions they could download and update daily, à la virus checkers.
fak3r.com
With Netcraft toolbar http://toolbar.netcraft.com/
Ceci n'est pas une Signature !
FYI, IE 7 beta already has an anti-phishing filter.
One more issue to be considered is the way in which the phishing is implemented. If all the URLs that I visit are going to be validated (and hence stored) against a central repository, I won't be too happy about it!
The various phishing shields use a variety of techniques to protect against the online scams. These include blacklists of known fraudulent Web sites, white lists of good sites and analyses of Web addresses and Web pages. Firefox 2 might be different, since the developers aren't married to those approaches, Shaver said.
Verisign already has this kind of technology; the question is, will Firefox 2 make Verisign obsolete?
Verisign's advice: The best way to avoid becoming a victim of phishing is to never respond to unsolicited emails asking for personal information or directing you to a Web site where you are asked to enter personal information--even if it looks TOTALLY official.
He who knows best knows how little he knows. - Thomas Jefferson
Enter information and click OK to find out
Name:_________________________________
Billing Address:__________________________________
Credit Card Type:________________
Credit Card Number:_______________________________
Expiration Date:___/___
Now be an idiot and click OK to let me steal your info.
What's the matter, James? No glib remark? No pithy comeback?
Will Firefox adopt an approach that doesn't compromise the user's privacy as much as IE 7 (its solution being to send every URL to Redmond)?
That's an extreme stretch of the normal use of the term "technology". They thought of a systematic way of warning people about phishing sites by compiling a list of them. Good for you. But computer programs, databases, and browsers have existed for a long time. This isn't a "new technology". It's a computer program. I know, you probably think it's a minor point, but keep in mind that Microsoft considers removing its own damn bugs to be "new technology" (NT).
Thinking up ways to warn people about phishing sites isn't "new technology".
Rank my idea: http://www.sinceslicedbread.com/node/531
It's sad, really, that the most important features regarding browsers nowadays all have to do with protecting the user against evil-doers.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Check this out. This may answer some of your questions regarding that issue
http://weblogs.mozillazine.org/ben/archives/00974
Seriously, what the FUCK? Google's anti-phishing filter (as in Google toolbar) is the one that is constantly sending your HTTP requests to Google's servers. There was a slashdot post about this a while ago, but I cannot find it.
Unless you can disable this "feature" or it works completely differently, I'd consider Firefox 2 spyware.
svelte? You must be kidding me. I've got 3 tabs open, no flash installed, no adobe installed or running, and the caching "feature" turned off, and firefox is still consuming 400MB of RAM and increasing, albeit more slowly. When I had the caching "feature" turned on, firefox would regularly bloat up to 3GB and completely consume all of my main memory and then kill my VM. How about they just continue on with the 1.X line and fix these memory issues before going onto 2.X? Just a thought.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
> Microsoft plans to include features to protect Web surfers
> against online scams in Internet Explorer 7
Wouldn't it have been easier just to not program the online scams into Internet Explorer 7 in the first place? I just don't understand Microsoft's new security procedures at all!
Time for a fork.
Seriously, I'll tell you the only anti-phishing technology we need: our damn heads, with a side of common sense.
I don't want my browser to have stupid coddling features like this that will just get in the way of a decent, savvy surfer. That's the problem with popularity - it leads to diluting the quality. I'd rather have a *good* browser only used by 3% of the people out there. Hell, the mere minority status might even make it *better* - now that Firefox is popular, more and more sites are finding ways of advertising specifically to it.
If Firefox 2 does have this, then it better be easy to fully disable, otherwise I'm definitely not upgrading.
I have been forced to test IE 7 for my company, and the fact that Firefox 2 will have this will give us no reason to use IE 7.
I'm not a troll, but I play one on Slashdot.
I suspect you're posting a bit facetiously, but...
Will Firefox not pop up a warning, saying something akin to "Hey, you can go ahead and visit this site if you like, but we think it might be a bit fishy"? Doesn't seem that bad.
I would assume that Firefox won't prevent you from accessing a certain site, since I can't imagine the Mozilla Foundation wanting to coordinate universal white-/black-lists.
Couldn't the browser also include cookie theft prevention? Recently I had an online game spoiled when a scripter stole my cookie and thus accessed my account, via user-modifiable code on the game's site. While I suppose some times cookie redirection might be legitimate, I'd think it rare enough that some sort of configurable blocker would handle those few cases while making cookies safer in others.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?
(Seriously. If not, please post why not and educate me.)
Expected time to finish is 1 hour and 60 minutes.
My bank, for example, recently introduced a feature called a site key for logins to its online services. After entering your initial user id, it brings you to a screen that displays a user-chosen image and title. The rule is that if you recognize the image and the title, you enter your password. If you don't recognize one or both, you don't.
Companies should be responsible for protecting their users, and this struck me as a rather good way of doing that. Granted, if someone really wanted to, they could set up a site just to scarf your user id, log in with that id to snag your site key, then create another site with the site key included to gank your password - but that's a lot of work.
So they should include an ad-blocker first of all.
When are people going to realize that passwords are not secure. Ever. Even if you pick a "good" password and change it every 13 minutes like a good boy, they are still not secure.
Why? It's too easy to snag the password through social engineering or some other means, or even by accident.
I walked out of the bank disgusted when I went to get a private lock box, and it did not have a key given to me, and the bank had the other key like before. No, now they wanted me to remember a password, and enter it into a computer to unlock my box.
OK. I made that up, because even banks are not stupid enough to do this, but they open up the account online to any bozo that has a password.
My bank recently initiated an "anti-phishing" technology where it uses cookies stored on my computer, and if the bank does not recognize my computer it displays a picture that I set up in the past with a caption that I selected for the picture, and then it's supposed to be OK to put in my password now because the site is providing evidence that the bank, and not some guy from China or Russia, is asking for my password.
However, I carry many bank cards in my wallet, and they work excellently at stores and ATMs, but they don't fit into any holes in my computer. The bank has already given me an excellent token that is much more difficult to replicate than a few random characters on a keyboard, but they refuse to use it.
OK, I have to go and change my passwords now, it's that time of year....
do you have Bank of America? I like my site picture. .. I wish it allowed custom pics so I can have a 80x80 pixel pair of boobies instead!
Now, I think you may not know that I am the lawyer of the late Prince of Nigeria.....
"'It is another example of the energy that has returned to the browser market,' Shaver said."
It's an example of "we had no choice". I'm certain everyone would have preferred not to have to invest energy in this direction.
Once again, IE is way behind Netscape, just as they were with Java, Javascript, frames, print preview, built-in FTP capabilities, etc., etc.
See here: http://www.google.com/tools/firefox/safebrowsing/
It basically checks websites you visit against its database and tells you if they are considered dangerous or what have you.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
http://www.bankofamerica.com/ switched to sitekey months ago, and they still ask for your Passcode on their front page, before you get to see your sitekey image. Whoever is in charge there doesn't understand the point of what they're doing.
Next version of Firefox to have twice as many capital letters in its name.
"I'll say it again for the logic-impaired." -- Larry Wall.
Go to a site, get phished, find the jackasses behind it, round them up together, and beat them with a stick...
Let it go, Mr Andressen. You lost.
Two things I would like to see:
- colouring of URLs in the address bar, or something else, that would allow the novice user to easily identify the user name element of a URL. I have already seen URLs of the form (http excluded):
://www.citibank.com@42426842fdsafadsfasd.com/fhiud sahiufds?sdafdsfsdf
- even in a window that has no tool bar or status bar, there should always be a status bar that displays the page's address.
Jumpstart the tartan drive.
A pop-up? Like...
"The website certificate has changed, do you want to proceed anyway?"
or
"This website would like to run the application superspy.exe. Doing this could be harmful to your computer. Accept?"
God knows how useless these questions are. Every time you ask the user an OK/Cancel question, you're basically asking them if they want to get it wrong.
That is SiteKey's major fallback. I enter a fake password into the front page to get me to my sitekey, then login correctly. That gets around BOA's stupidity.
Just makes it harder - is there anything stopping me from making a site that takes in your user ID, logs into the real site with that ID, pulls out the image and title, and shows it to you?
The real answer, IMHO, is using public keys for authorisation, as you're then never sending anything that can be used again. Man in the middle attacks are still possible if you can persuade the user to accept the wrong server certificate, but it's as good as it gets, IMHO.
The user's key doesn't even have to be signed - just have the site remember the key you used first, much in the same way you'd set up a password.
That's a little bit too long for "most" users, which have entered the habit of clicking on everything.
The correct prompt to open up is "Are you a terrorist? \n Only terrorists may access this site.", with yes/no. This prompt is accurate, since these phishers probably support some gang or terrorism group. In addition, you'd have to be the equivalent of a terrorist to knowingly support the owners of those websites.
As long as this is somehow documented, with an option to disable or otherwise change back into a normal prompt (e.g. if you visit sites that auto-reload 10 iframes to various phishing sites), it will not be a problem.
Here is some design documentation for the safe browsing add-on: http://wiki.mozilla.org/Safe_Browsing:_Design_Documentation
Here is the Bugzilla bug for turning on the feature. Remember that you have to copy and paste the link into the address bar because Bugzilla blocks slashdot. https://bugzilla.mozilla.org/show_bug.cgi?id=329292
From what I understand, the idea is to make the feature an extension that is installed by default, kind of like the talkback error reporting tool. In "normal mode", the extension will make decisions on phishing sites based on a blacklist file that is downloaded from an update server, and every address that you visit will NOT be sent to Google or Mozilla for verification. If the user goes to turn on Enhanced Mode, a warning dialog will pop up telling them that information WILL be sent to Google or someone else, for the purposes of finding new sites to add to the blacklist files and online blacklist database. I don't think that enhanced mode will be turned on by default, but there are still a lot of things that are undecided.
Google sucks. They are too prolific. I don't like their technology nor the way they desire to take over everything and have their fingers in every pie. Why can't companies just do one or two things well and leave things to the people that do them best? I'll have to switch from Gnome/Firefox to Gnome/Epiphany or to KDE/Konqueror. I refuse to use anything Google has touched. Why can't Google just develop its own browser and leave Mozilla alone? Not everyone is endeared with Google. It's bad enough Apple has somewhat co-opted Konqueror, which is arguably the best browser in the world after Firefox.
Who will be running this Phishing database?
Is this anything like the SiteAdvisor tool we have now?
Is it possible they could fix the memory issues we currently see instead of rehashing features we already have? I just had to close a 400MB session on FF1.5.0.1 that is currently at 55MB after a restart. I'm not sure if they're getting the message, but this is not a feature as they have claimed before. If it's really a feature, please give me a way to turn that crap off.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
D'oh! So much for anonymity. ;)
And speaking of anti-phishing, how about a program that floods the phishing site with bogus info? For example, when I get a message to update my Paypal info, which points to a computer someplace in Brazil, why not just analyze the bogus Paypal site and send a zillion fake, but very real sounding, names and passwords? A good program would spoof its IP for each GET/POST.
Another solution requires the financial organization associated with the phish, like Citibank and Paypal, to take a more proactive approach. Let's say I get a phish to update my Paypal account. I go to the real Paypal and request a special, but totally bogus, "anti-phish" user id and password. I then go to the phish site and enter this special info. When Paypal detects someone trying to use this ID and password combo, they take "special measures" to try to detect or identify the sender. I have absolutely no idea of what "special measures" would entail - account xfer audit trails? .... it's kinda like that comic with the 2 guys standing in front of a huge blackboard full of equations, pointing to the last entry, and one says "Then a miracle occurs"....
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Anyway, I'd argue that Thunderbird needs it much more than Firefox. Most phishing starts with the inbox. Links in email that use dodgy hex encoding, raw IPs, IPv6, point to domains that differ from the anchor text, etc. should be highlighted. And popular targets such as banks, eBay, Paypal, Amazon etc. should be explicitly identified. I'd also like Thunderbird to add a phishing filter rule so that I can automatically toss the 20+ phishing emails I get a day straight in the junk folder without accidentally training the bayesian filter to kill genuine emails from Amazon, PayPal etc.
I have the same bank and I fucking HATE sitekey.
Why does it ask me to log in, then to - essentially - log in again?
And bookmarks to the sitekey login page do not work.
I use online banking way too much to tolerate such bullshit. I thought about switching banks to get away from sitekey!
Almost as annoying as their autotimeout, which thankfully my friend wrote a greasemonkey script to nullify.
They put so much effort into making their site secure and hard to phish that they made it a royal fucking pain in the ass to all their customers.
I emailed them several times about it and they didn't give a crap.
Question everything
The users most susceptible to phishing are also the ones least likely to seek out and install an extension...
But the users most susceptible to phishing are also the ones least likely to seek out and install an alternative browser.
This is all you need:
Verbatim from the site:
About SiteAdvisor
SiteAdvisor is a consumer software company founded in April 2005 by a group of MIT engineers who wanted to make the Web safer for their family and friends. Having spent one too many holiday breaks trying to clean a mess of spam, adware, and spyware from our families' computers, we decided to take action.
We realized there was a gaping hole in existing Web security products. While traditional security companies had gotten relatively good at addressing technical threats like viruses, they were failing to prevent a new breed of "social engineering" tricks like spyware infections, identity theft scams, and sites which send excessive e-mail.
To address this challenge, we built a system of automated testers which continually patrol the Web to browse sites, download files, and enter information on sign-up forms. We document all these results and supplement them with feedback from our users, comments from Web site owners, and analysis from our own employees.
Our easy to use software for Internet Explorer and Firefox summarizes our safety results into intuitive red, yellow and green ratings to help Web users stay safe as they search, browse and transact online.
Our goal is to pioneer a new approach to Web safety and make the Internet safer for everyone.
Simple Unexpected Concrete Credible Emotional Stories
I think you mean authentication, not authorisation, and I'm afraid I don't get your point about not sending anything that can be used again.
You seem to be talking about mutual authentication protocols. Public key cryptography is often used in these. Mutual authentication is often combined with key exchange protocols (e.g. the Station to Station protocol). These are great to establish a secure shared session between two parties, but as you point out, who checks the server certificate? It's a secure tunnel... to who? It's just too damn complex for most users.
I quite like the PetNames tool - users enter some personal text for any secure web sites they visit, and it gets prominently displayed in the main toolbar if they visit it again. Not perfect, but useful.
Look who's playing catch up now? Good job IE 7 team. Way to lead the way! Linux elitists rock!
Public/private key allows for authentication (yeah, was using the wrong term, well spotted) tokens that cannot be re-used, by having each side of the conversation send a piece of data, randomly generated for that conversation, which the other party signs, and returns. The sending party can now check that the signature matches the public key it's been given, and knows that the other entity has the private key if they do match.
On the server side, it would then check that the key's certificate matches the registered certificate for a user, and allow them access if so. On the client side, it can check that the certificate for the server's key has been signed by a certificate authority they trust, to verify who it is talking to.
Did that make any sense, 'cos I'm not very good at this? Key point is, you generate authentication tokens that are valid for only one conversation, by having randomly generated data signed by each party.
I wish Firefox had a "Send Page As Email" option. IE has it, FF only has "Send Link As Email". This is useless when the web page you're looking at may only have a short lifespan and you want to nab a copy of it exactly as you are currently viewing it and send it to some email addy. Just sending the current URL alone would be tantamount to sending a URL to a 404 error. Why can't I send the whole WYSIWYG webpage I'm looking at right now to some email addy with FireFox?
I dunno about you but, phishing always seems so easy to identify.
You haven't been paying attention over the past year, then. Phishing sites are becoming better and better at imitating the look and feel of the banks, stores, etc. that they're imitating, and they've gotten very polished, sometimes even using SSL certs to trigger "security" indicators. Add in the use of browser and email client vulnerabilities to disguise the location of the website and links, and unless you're fluent in HTML+Javascript, it gets down to one question:
Would PayPal/Amazon/my bank actually be asking me for this information?
The days of "Plees giv us yore passwerd and soshul" are long over.
The problem with your premise is that Goodger was bullshitting you. If not, then how come Opera doesn't have this problem?
Coloured URLs?
They're African-American URLs!
Anyway, I'd argue that Thunderbird needs it much more than Firefox. Most phishing starts with the inbox. Links in email that use dodgy hex encoding, raw IPs, IPv6, point to domains that differ from the anchor text, etc. should be highlighted.
Thunderbird 1.5 doesn't highlight the individual links, but those are its exact criteria for scam detection (plus embedded forms in HTML). It puts a warning bar at the top of the message that "Thunderbird thinks this message might be an email scam."
Unfortunately the false positive rate is annoyingly high, especially with mailings that include feedback forms. I think your idea of specifically identifying popular targets would be much more effective.
Just makes it harder - is there anything stopping me from making a site that takes in your user ID, logs into the real site with that ID, pulls out the image and title, and shows it to you?
+1, Insightful
I'm wondering if anybody has an answer to that question, too.
Let's not forget about it stealing the CPU. Until they fix the glitch that suddenly makes it take up 100% of my CPU I'll stay with Opera.
It hurts to leave Firefox but I just can't work when it randomly brings my computer to a screeching halt.
I run WIN2K. I do not want to upgrade my OS. Will IE7 run on it?
Didn't think so. Another reason to stay with FF.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Yes, that makes sense - a challenge-response authentication protocol. There's normally some sort of key establishment mixed in there too to allow them to communicate over a secure channel.
the question is, will Firefox 2 make Verisign obsolete?
Anything that makes the services of VeriSign and other root CAs less necessary will force a bit more competition in the market for SSL certs and code signing certs, making it easier for developers who are not affiliated with a major corporation to become able to afford to deploy their solutions, especially now that Windows Vista 64-bit will require all kernel mode code to be signed.
Google's safe-browsing extension that was landed on the trunk has 2 modes. The standard mode downloads a blacklist of sites and the sites are looked up locally. The enhanced mode sends every URL to Google. Mozilla has not committed to either of these modes.
If I were implementing this, I would have it break up the blacklist into 65,536 mini-blacklists based on two bytes of the hash of the host name. Then there wouldn't be much of a privacy violation, nor would the user notice much of a delay (as it would only happen alongside a DNS lookup anyway).
Bravo, I hate the relentless use of this word as well. I've seen 'AJAX' said to be an 'AJAX technology'. No it isn't.
The law treats trademarks as adjectives. Some writers feel that they have to use a generic term such as "technology" after every unfamiliar term for fear that 1. the unfamiliar term is a trademark and 2. the trademark holder may come out of the woodwork and implicate the writer in the trademark's genericide.
I'm not a Microsoft fanboy, but their InfoCard system is clearly the right answer for Firefox. InfoCard built into Firefox would not only put it on equal ground with Vista/IE 7, it would provide a consistent user experience and user control over identity when visiting web sites, and most importantly would offer bulletproof protection against phishing.
........ kris
InfoCard would accomplish this by using the OASIS-ratified WS-Trust protocol to pass tokens generated from InfoCard meta-data through an identity selector that positively identifies web sites running instances of a security token service that signs the tokens using a public/private key pair. If the InfoCard-enabled user visits a web site that is masquerading as a valid web site, the identity selector on the local machine pops up a dialog box informing the user that the keys don't match and gives the user a choice whether to divulge his/her identity.
This is strong-ass protection against phishing, and InfoCard/STS/WS-Trust/IE7 will ship with every copy of Vista, quickly becoming a de facto standard as Vista takes hold. If Firefox wants to play with the next generation of Internet identity and security, it needs InfoCard support, period. The only hangup is that InfoCard is proprietary to Microsoft, but I'm sure someone will get around to building an open source reference implementation for Firefox . . . I can think of a group who is up to the task.
"I thought I could organize freedom. How Scandinavian of me."
What you're talking about is user authentication using nonces and it has its uses, but it has a host of problems in a situation like this as well. Many people would like to do online banking or what have you on more than one computer. People have a hard enough time remembering passwords and are not likely to remember a cryptographic key. How are they going to transfer their credentials between machines?
There are ways to generate keys from passwords, but if these were used, you'd probably type your password into a web page which would locally hash it up and use that as the key to process the nonce. But wait, if you type your password into a webpage, you're vulnerable to phishing again!
You could have someone use a key fob with their key in it, either based on the time or where they enter your nonce on the fob and type in what the fob shows them. But then many people would have multiple fobs, and you have to deal with distributing and maintaining them, and what happens if they're stolen?
NO NO NO NO NO! So many times in IE have I opened a new window and then instantly regretted it as my computer bogged down opening another instance of Acrobat, or restarted all the stupid flash ads, or restarted the Quicktime video, or launched a new Java applet. Or, in none of these cases, fucked up my session state on a web site that's too brittle to allow two pages open at once.
/really/ what the user wanted, they can open a link and go back, or first go back then open the link that lead them to the current.
The user shouldn't get "penalized" for opening a new window when the current window is at a certain state. And besides, how often do you open a new window because you want two of the same window open? Pretty rarely.
Now, I would agree cloning history is a good thing, but only when opening a link in a new window. Then, if two of the same page is