Slashdot Mirror


Firefox 2 To Have Anti-Phishing Technology

Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."

16 of 229 comments

  1. Already there by denisbergeron · · Score: 4, Informative

    With Netcraft toolbar http://toolbar.netcraft.com/

    --
    Ceci n'est pas une Signature !
  2. Re:Privacy concerns? by Anonymous Coward · · Score: 1, Informative

    Well, some people have expressed concern about the privacy implications of using such a service from Google. The same worries surfaced in the actual bug report too. Snippet from the first link (I'm not sure if this is limited to just the standalone extension, though): "1) Every request is transmitted to Google over HTTP, i.e. in clear-text."

  3. Re:More appropriate as an extension? by dyftm · · Score: 5, Informative

    Actually, the code they are using started off as an extension (Google Safe Browsing). But, they decided that the users that most need protecting are the ones that have no idea what an extension is.

  4. Re:More appropriate as an extension? by tpgp · · Score: 4, Informative
    I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?

    TFA:
    While Firefox 2 will get a phishing shield, no decision has been made on how it will be incorporated in Firefox, Shaver said
    Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.

    TFA:
    "Google, like others who contribute to the project, has contributed code and expertise for us to experiment with," he said. "We haven't committed to a given approach, a given technology or a given partner."

    --
    My pics.
  5. Anti-phishing should be done at the website level by scolby · · Score: 4, Informative

    My bank, for example, recently introduced a feature called a site key for log ins to its online services. After entering your initial user id, it brings you to a screen that displays a user-chosen image and title. The rule is that if you recognize the image and the title, you enter your password. If you don't recognize one or both, you don't.
    Companies should be responsible for protecting their users, and this struck me as a rather good way of doing that. Granted, if someone really wanted to, they could set up a site just to scarf your user id, log in with that id to snag your site key, then create another site with the site key included to gank your password - but that's a lot of work.

  6. Re:Guess I have to change the browser then by TrappedByMyself · · Score: 5, Informative

    You must have missed the giant full page disclaimer during install that describes what the Googlebar's page rank service does. You must also have missed the option on that page that lets you select whether or not you want that feature enabled.

    Google tells you exactly what the feature is, and throws the option to enable or disable it in your face, and yet you still whine about it.

    --

    Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
  7. Re:More appropriate as an extension? by Anc · · Score: 5, Informative

    That's exactly how they are going to do it. It will be an extension.

    After all, the technology is a sole contribution of Google and their Safe Browsing extension http://www.google.com/tools/firefox/safebrowsing/.

    For more detail regarding the implementation see http://wiki.mozilla.org/Safe_Browsing

  8. Re:Good on ya by thedbtree · · Score: 5, Informative
    I also have trouble with Firefox eating up 100-150-200MB after being open for a while. There is a fix to this problem, however. Some of the comments from an older Slashdot article, Firefox Memory Leak is a Feature, will tell you how to fix it.

    If I remember correctly, it's something to do with caching the pages. Firefox caches something like 25 previous pages you've been to... on each tab.

    Maybe this isn't the actual problem -- I'm not a developer -- but it seems to have stopped the "memory leak" issue I have with Firefox 1.5+

  9. Re:Open source a problem here? by Haeleth · · Score: 4, Informative

    Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?
    (Seriously. If not, please post why not and educate me.)


    No, it won't, for the simple reason that obscurity does not provide security. Whether the source code is available or not, it's always possible for a smart hacker to figure out how a program works. So whenever you're doing anything related to security, you assume that the bad guy knows every last detail about how your code does what it does. And you design your code so that that doesn't matter.

    For example, if you're blocking phishing attempts by having a database of known phishing sites (which is how the Netcraft toolbar works, IIRC), then it doesn't really help the phishers to know the details of exactly how your browser connects to the database and looks up their URL in it. Because even though they know what's happening, there isn't actually anything they can do to stop it happening.

    I suppose there are schemes that could be defeated by seeing the source. For example, a naive scheme that tried to identify phishing sites by running a fixed series of tests on them (check if site is in Russia but claims to be American bank, check URL to see if it contains dodgy characters, etc) would be slightly weaker in open source code because the tests would be visible for all to see. But such a scheme would be basically useless anyway - not because it's open source, but because it would be a fundamentally weak technique.

  10. Mozilla's Current Documentation by Elder+Young · · Score: 2, Informative

    Here is some design documentation for the safe browsing add-on: http://wiki.mozilla.org/Safe_Browsing:_Design_Documentation

    Here is the Bugzilla bug for turning on the feature. Remember that you have to copy and paste the link into the address bar because Bugzilla blocks slashdot. https://bugzilla.mozilla.org/show_bug.cgi?id=329292

    From what I understand, the idea is to make the feature an extension that is installed by default, kind of like the talkback error reporting tool. In "normal mode", the extension will make decisions on phishing sites based on a blacklist file that is downloaded from an update server, and every address that you visit will NOT be sent to Google or Mozilla for verification. If the user goes to turn on Enhanced Mode, a warning dialog will pop up telling them that information WILL be sent to Google or someone else, for the purposes of finding new sites to add to the blacklist files and online blacklist database. I don't think that enhanced mode will be turned on by default, but there are still a lot of things that are undecided.

  11. Re:More appropriate as an extension? by SimplexO · · Score: 2, Informative
    Even better, from the bug report (copy and paste URL to location bar). This is Fritz Schneider, a Google employee speaking:
    > Will google continue releasing the extension as part
    > of Google Labs, or a product offering?

    Great question. We're end-of-lifing the stand-alone extension as it is
    released on Labs. Instead, we've integrated this feature into the
    Google Toolbar for Firefox and it will go out in the next
    release. Then one of two things happens. Case one is this feature (or
    something like it) makes it into Firefox, in which case we rip it out
    of the Toolbar and do all new development in Moz cvs tree. Case two is
    that this feature does not make it into Firefox, in which case we
    continue to support it in the Toolbar.

    So, to answer your question, we'd very much like active development to
    move into Moz cvs tree. But we won't force it.
  12. Re:Coloured URLs and URLs displayed always by porneL · · Score: 2, Informative

    Opera solves it by displaying "You're about to go to address containing username" and displays which one is username and which is server name.
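
The check described in the comment above, as an added example that is not part of the original post or Opera's code: it splits an address into the username part and the server actually contacted, and builds a warning when a username is present. The function name and all sample URLs are constructed for illustration.

```javascript
// Added example: report which part of a URL is the username and which is
// the server. describeUserinfo is a hypothetical helper, not a browser API.
function describeUserinfo(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  } catch (e) {
    return { valid: false };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  let username = url.username;
  try {
    username = decodeURIComponent(url.username);
  } catch (e) {
    // Malformed percent-encoding: keep the raw form for display.
  }
  // A "username" shaped like a host name (labels joined by dots) is the lure:
  // the familiar name sits left of "@", the real server sits right of it.
  const usernameLooksLikeHost =
    hasUserinfo && /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(username);
  return {
    valid: true,
    hasUserinfo,
    username,
    server: url.hostname,
    usernameLooksLikeHost,
    message: hasUserinfo
      ? "You're about to go to an address containing a username. " +
        `Username: "${username}" Server: "${url.hostname}"`
      : null,
  };
}

// Constructed samples (documentation domains and addresses only).
const SAMPLES = [
  "http://www.bank.example@203.0.113.7/login", // username imitates a host
  "http://www.bank.example/login@evil.example/", // "@" is in the path here
  "https://alice:secret@files.example/",        // ordinary credentials
];
for (const s of SAMPLES) {
  const r = describeUserinfo(s);
  console.log(s, "->", r.message || `no username, server is ${r.server}`);
}
```

The second sample shows why the split has to come from a real URL parser: an "@" after the first "/" belongs to the path, so the server is the name the reader expects.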

  13. Re:Privacy concerns? by richwklein · · Score: 2, Informative

    Google's safe-browsing extension that was landed on the trunk has 2 modes. The standard mode downloads a blacklist of sites and the sites are looked up locally. The enhanced mode sends every URL to Google. Mozilla has not committed to either of these modes.
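
The two modes described in this comment and in comment 10, as an added example that is not part of the original posts or the extension's code. The blacklist entry format ("host/directory-prefix"), the `send` callback standing in for the remote service, and every URL are assumptions constructed for illustration; the point is what leaves the machine in each mode.

```javascript
// Added example. Constructed stand-in for the downloaded blacklist file;
// the "host/directory-prefix" entry format is an assumption.
const LOCAL_BLACKLIST = new Set([
  "phish.example/",
  "shared-hosting.example/~mallory/",
]);

// Expand a URL into every "host-suffix + directory-prefix" key to look up.
function lookupKeys(rawUrl) {
  const url = new URL(rawUrl); // throws on unparsable input
  const host = url.hostname.replace(/\.$/, ""); // parser already lowercases
  const isIp = /^[\d.]+$/.test(host) || host.startsWith("[");
  const labels = host.split(".");
  const hosts = [host];
  // Parent domains down to two labels, so sub.phish.example hits phish.example.
  for (let i = 1; !isIp && i <= labels.length - 2; i++) {
    hosts.push(labels.slice(i).join("."));
  }
  // Directory prefixes only: file name, query and fragment are dropped.
  const dirs = url.pathname.split("/").slice(1, -1);
  const paths = ["/"];
  for (const d of dirs) paths.push(paths[paths.length - 1] + d + "/");
  return hosts.flatMap((h) => paths.map((p) => h + p));
}

// "standard": local lookup only, nothing is transmitted.
// "enhanced": the visited URL is additionally handed to `send`, a
// hypothetical callback representing the request to the lookup service.
function checkUrl(rawUrl, mode, send) {
  const blocked = lookupKeys(rawUrl).some((k) => LOCAL_BLACKLIST.has(k));
  if (mode === "enhanced") send(rawUrl);
  return blocked;
}

// Constructed demo: record what each mode would transmit.
const transmitted = [];
const record = (u) => transmitted.push(u);
console.log(checkUrl("http://login.PHISH.example/a/b.html?x=1", "standard", record));
console.log(checkUrl("https://intranet.example/payroll?id=7", "enhanced", record));
console.log("transmitted:", transmitted);
```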

  14. Re:Good on ya by MauricioC · · Score: 2, Informative

    Not on each tab. See Ben Goodger's blog for more details:

    http://weblogs.mozillazine.org/ben/archives/009749.html

  15. Re:Good on ya by bunratty · · Score: 4, Informative
    The "monkeys" at Mozilla are well aware there are memory leaks in Firefox. That's why they developed the leak-gauge tool to help find memory leaks. I'm using the leak tool, and I can see the latest nightly build of Firefox 1.5.x still leaks 1% or more of the DOM Windows it creates, and a leak of that severity could easily cause memory usage to increase by hundreds of megabytes over the course of many days.

    No one is denying that there are memory leaks. However, they're not common (occurring on only about 1% of visited pages) and often very hard to reproduce reliably. You can help by using the memory leak tool and reporting good memory leak bugs.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  16. Re:Good on ya by bunratty · · Score: 2, Informative
    No one said memory leaks were caused by a feature. Ben Goodger explained that the obvious increased memory use of Firefox 1.5 was caused by the Back-Forward cache feature. He also stated explicitly that all versions of Firefox leak memory -- and of course memory leaks are bugs, not features.

    The Back-Forward cache causes immediate increased use of memory, just after loading a few pages. The increased memory due to memory leaks doesn't become apparent until after visiting hundreds of pages and several DOM Windows have leaked. That's why he said that the increased memory use people were complaining about is a feature, not a bug.

    I hope the difference between the Back-Forward cache (a feature) and memory leaks (bugs) is now clear. Just because both cause Firefox 1.5 to use more memory does not mean both are bad. The feature is good, and the bugs are bad.

    No one is lying, except possibly you. Enjoy Opera, the browser of whiners.

    --
    What a fool believes, he sees, no wise man has the power to reason away.