Firefox 2 To Have Anti-Phishing Technology

Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."

Already there

[denisbergeron]

With Netcraft toolbar http://toolbar.netcraft.com/

Re:More appropriate as an extension?

[dyftm]

Actually, the code they are using started off as an extension (Google Safe Browsing). But, they decided that the users that most need protecting are the ones that have no idea what an extension is.

Re:More appropriate as an extension?

[tpgp]

I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?

TFA:

While Firefox 2 will get a phishing shield, no decision has been made on how it will be incorporated in Firefox, Shaver said

Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.

TFA:

"Google, like others who contribute to the project, has contributed code and expertise for us to experiment with," he said. "We haven't committed to a given approach, a given technology or a given partner."

Anti-phishing should be done at the website level

[scolby]

My bank, for example, recently introduced a feature called a site key for log ins to its online services. After entering your initial user id, it brings you to a screen that displays a user-chosen image and title. The rule is that if you recognize the image and the title, you enter your password. If you don't recognize one or both, you don't.
Companies should be responsible for protecting their users, and this struck me as a rather good way of doing that. Granted, if someone really wanted to, they could set up a site just to scarf your user id, log in with that id to snag your site key, then create another site with the site key included to gank your password - but that's a lot of work.

Re:Guess I have to change the browser then

[TrappedByMyself]

You must have missed the giant full page disclaimer during install that describes what the Googlebar's page rank service does. You must also have missed the option on that page that lets you select whether or not you want that feature enabled.

Google tells you exactly what the feature is, and throws the option to enable or disable it in your face, and yet you still whine about it.

Re:More appropriate as an extension?

[Anc]

That's exactly how they are going to do it. It will be an extension.

After all, the technology is a sole contribution of Google and their Safe Browsing extension http://www.google.com/tools/firefox/safebrowsing/.

For more detail regarding the implementation see http://wiki.mozilla.org/Safe_Browsing

Re:Good on ya

[thedbtree]

I also have trouble with Firefox eating up 100-150-200MB after being open for a while. There is a fix to this problem, however. Some of the comments from an older Slashdot article, Firefox Memory Leak is a Feature, will tell you how to fix it.

If I remember correctly, it's something to do with cacheing the pages. Firefox caches something like 25 previous pages you've been to... on each tab.

Maybe this isn't the actual problem -- I'm not a developer -- but it seems to have stopped the "memory leak" issue I have with Firefox 1.5+

Re:Open source a problem here?

[Haeleth]

Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?
(Seriously. If not, please post why not and educate me.)

No, it won't, for the simple reason that obscurity does not provide security. Whether the source code is available or not, it's always possible for a smart hacker to figure out how a program works. So whenever you're doing anything related to security, you assume that the bad guy knows every last detail about your code does what it does. And you design your code so that that doesn't matter.

For example, if you're blocking phishing attempts by having a database of known phishing sites (which is how the Netcraft toolbar works, IIRC), then it doesn't really help the phishers to know the details of exactly how your browser connects to the database and looks up their URL in it. Because even though they know what's happening, there isn't actually anything they can do to stop it happening.

I suppose there are schemes that could be defeated by seeing the source. For example, a naive scheme that tried to identify phishing sites by running a fixed series of tests on them (check if site is in Russia but claims to be American bank, check URL to see if it contains dodgy characters, etc) would be slightly weaker in open source code because the tests would be visible for all to see. But such a scheme would be basically useless anyway - not because it's open source, but because it would be a fundamentally weak technique.

Re:Good on ya

[bunratty]

The "monkeys" at Mozilla are well aware there are memory leaks in Firefox. That's why they developed the leak-gauge tool to help find memory leaks. I'm using the leak tool, and I can see the latest nightly build of Firefox 1.5.x still leaks 1% or more of the DOM Windows it creates, and a leak of that severity could easily cause memory usage to increase by hundreds of megabytes over the course of many days.

No one is denying that there are memory leaks. However, they're not common (occuring on only about 1% of visited pages) and often very hard to reproduce reliably. You can help by using the memory leak tool and reporting good memory leak bugs.