Slashdot Mirror
Firefox 2 To Have Anti-Phishing Technology
Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."
I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?
Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.
Can say FF stole one of 'their' features.
FYI, IE 7 beta already as an anti-phishing filter .
One more issue to be considered is the way in which the phishing is implemented. If all the URls that I visit are going to be validated ( and hence stored) against a central repository, I won't be too happy about it !
That's an extreme stretch of the normal use of the term "technology". They thought of systematic way of warning people about phishing sites by compiling a list of them. Good for you. But computer programs, databases, and browsers have existed for a long time. This isn't a "new technology". It's a computer program. I know, you probably think it's a minor point, but keep in mind that Microsoft considers removing its own damn bugs to be "new technology" (NT).
Thinking up ways to warn people about phishing sites isn't "new technology".
Rank my idea: http://www.sinceslicedbread.com/node/531
It's sad, really, that the most important features regarding browsers nowadays all have to do with protecting the user against evil-doers.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
But each of those would have been avoided if the user either kept their machines patched or (at least) kept them behind a firewall.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Seriously, what the FUCK? Googles anti-phising filter (as in google toolbar) is the one who is constantly sending your HTTP requests to Googles servers. There was a slashdot post about this a while ago, but I cannot find it.
Unless you can disable this "feature" or it works completely differently, I'd consider Firefox 2 spyware.
I suspect you're posting a bit facetiously, but...
Will Firefox not pop up a warning, saying something akin to "Hey, you can go ahead and visit this site if you like, but we think it might be a bit fishy"? Doesn't seem that bad.
I would assume that Firefox won't prevent you from accessing a certain site, since I can't imagine the Mozilla Foundation wanting to coordinate universal white-/black-lists.
Couldn't the browser also include cookie theft prevention? Recently I had an online game spoiled when a scripter stole my cookie and thus accessed my account, via user-modifiable code on the game's site. While I suppose some times cookie redirection might be legitimate, I'd think it rare enough that some sort of configurable blocker would handle those few cases while making cookies safer in others.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
When are people going to realize that passwords are not secure. Ever. Even if you pick a "good" password and change it every 13 minutes like a good boy, they are still not secure.
Why? Its too easy to snag the password from social engineering or some other means or even by accident.
I walked out of the bank disgusted when I went to get a private lock box, and it did not have a key given to me, and the bank had the other key like before. No, now they wanted me to remember a password, and enter it into a computer to unlock my box.
OK. I made that up, because even banks are not stupid enough to do this, but they open up the account online to any bozo that has a password.
My bank recently initiated an "anti-phishing" technology where it uses cookies stored on my computer and if the bank does not recognize my computer it displays a picture that I set up in the past with a caption that I selected for the picture, and then its supposed to be OK to put in my password now because the site is providing evidence that the bank and not some guy from China or Russia is asking for my password.
However, I carry many bank cards in my wallet, and they work excellent at stores and ATMs, but they don't fit into any holes into my computer. The bank has already given me an excellent token that is much more difficult to replicate than a few random characters on a keyboard, but they refuse to use it.
OK, I have to go and change my passwords now, its that time of year....
My fear is similar, but not only that, most of the anti-spyware systems require external lookups which is a privacy risk. If we for every page we look at have to contact a 3rd party we are revealing our internal network structures as well as our use of internet. This is a gold mine for spammers, lawyers, and phishers among others...
One of the things I demand to use this system is the ability to limit how it is used, turn it off, switch it for an alternative system, or uninstall it. The best way it can be implemented is as an pre-installed plugin, making it easy to maintain for those who need need alternatives.
Firefox was always intended to be plugin based, so I hope they stick to that.
Fox may be a memory hog, but I have not seen it to be out of line in most modern systems. Plus, I get really low useage when i turn off all the extensions i have added to it for customizing.
Yeah well, the reply on the support forums to any memory problems is always "must be extensions at fault", and it's almost certainly true. The thing is, ask me to choose between Firefox without extensions and Opera, and there is no contest, Opera wins hands down.
I think the Firefox team should be focussing on ways to ensure that extensions behave. They could do any number of things. Put together a team of people whose job it is to check extensions for obvious flaws, and make a list of "approved" extensions that pass muster. Improve the APIs used by extension developers. Work on tools to help extension developers write robust code. Seems to me more useful than some of the stuff they're working for. That's not to say they haven't done a great job so far, I just think that would be a useful thing to focus on at this point.
Oh no... it's the future.
http://www.bankofamerica.com/ switched to sitekey months ago, and they still ask for your Passcode on their front page, before you get to see your sitekey image. Whoever is in charge there doesn't understand the point of what they're doing.
The biggest problem is still the weakest link in the system: Its user.
I very strongly disagree. There are currently many weaker links.
Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored...
Either I'm misunderstanding your statement or you are misinformed. Most infections do not currently involve human interaction measured both by number and bandwidth consumed.
Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.
Actually, there are also self-mutating trojans that have been demonstrated that are very good at hiding and there are trojans that interfere with anti-virus.
Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.
First, AV companies are not keeping up and we have seen several "zero-day" infections. More advanced intrusion detection software is becoming more and more responsible for finding new worms, viruses, and trojans on end users systems, a significant amount of time in advance of AV signatures. These systems are not only finding them, but creating and sharing signatures among major ISPs.
Second, your depiction of the average user as people who "click everything and anything and allow every program to do whatever it pleases" is very misleading. I know security experts who have been duped by a well crafted trojan or phishing e-mail and the truth of the matter is, users are making poor choices based upon the fact that they are given poor options. Right now the average user is given the option of "open this file if it is a file or run it if it is a program and let it do anything it wants" or "don't open this file or program." Since users want to view data and install software, eventually they are bound to make the wrong choice.
It will not be until users are given more control, information, and granularity by their tools that they will be given the option of being the weakest link. UI's need to let them know what is data and what is an executable. OS's need to run executables in sandboxes by default and only allow programs to do unusual things (log other program's keystrokes, modify the OS, access hardware directly, modify user files, connect to the internet, access the e-mail address book, access the buddy list, start a new service, modify other programs, etc.) after the user is informed in plain English and given a choice using a properly constructed UI. At this point, users will become the weakest link and not before.
As soon as a browser like this hits the market, the race is on. It does no longer matter if you're clueless or an IT-pro, your browser will keep you out of way's harm on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).
First, the Web is only one vector and not even the most common vector for infection. Second, blacklists will never be able to keep up, although they will help.
I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.
Newer intrusion detection systems are they key to mitigating this. Propagation is detectable and if you have a relational model of your network abnormal activity can be flagged, detected
Two things I would like to see: ://www.citibank.com@42426842fdsafadsfasd.com/fhiud sahiufds?sdafdsfsdf
- colouring of URLs in the address bar, or something else, that would allow the novice user to easily identify the user name element of a URL. I have already see URLs of the form (http excluded):
- even in a window that has no tool bar or status bar, there should always be an status bar that displays the page's address.
Jumpstart the tartan drive.
Welcome to sharing your toys with the world. Hopefully you can understand that not everyone is clued in, and that the people at mozilla or at least smart enough to know that not everyone needs a digital drool cloth.
Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
Just makes it harder - is there anything stopping me from making a site that takes in your user ID, logs into the real site with that ID, pulls out the image and title, and shows it to you?
The real answer. IMHO, is using public keys for authorisation, as you're then never sending anything that can be used again. Man in the middle attacks are still possible if you can persuade the user to accept the wrong server certificate, but it's as good as it gets, IMHO.
The user's key doesn't even have to be signed - just have the site remember the key you used first, much in the same way you'd set up a password.
The plugin system is also one of the ways to get a man in the middle phishing attack working.
This aside, I agree that it should be possible to turn it off. Even though this would essentially kill the security of the system, but I'm firmly against handing over responsibility over my system to someone else, who I'd have to trust implicitly. And what if I don't?
But I'd also recommend delivering it with a default ON setting on the security features. Just to make sure that all those who have no clue what's going on in their computer have it ON!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
open for 5 hours, constant browsing, currently using 55 MB. I don't know where everyone gets these problems. Maybe it's some extension. I've never seen Firefox go above 80 MB.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Anyway, I'd argue that Thunderbird needs it much more than Firefox. Most phishing starts with the inbox. Links in email that use dodgy hex encoding, raw IPs, IPv6, point to domains that differ than the anchor text etc. should be highlighted. And popular targets such as banks, ebay, Paypal, Amazon etc. should be explicitly identified. I'd also like Thunderbird to add a phishing filter rule so that I can automatically toss the 20+ phishing emails I get a day straight in the junk folder without accidentally training the bayesian filter to kill genuine emails from Amazon, PayPal etc.
Online banking is secure. At the bank's end, at least. I've never ever heard of a successful attack on online banking where the bank was the one who had a spy in its back seat.
The problem with online banking is that you have to trust an untrustworthy client: The one on the user's side. You have no control at all over his machine. Banks don't even know who they're talking to, the trojan or to the user? And they have no way of knowing.
Especially when dealing with man in the middle attacks (the ones going 'round now in the form of various trojans), there is no way for the bank to make sure that the data they're getting is REALLY from the user in front of the machine and not from the trojan inside the machine.
This is the real pain with these services. How do you verify the identity of someone when they are potentially using a tool that's been laced with an identity stealing program?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Open 5 or 6 IE windows, then add up the resource usage for IE, plus the resource usage of any and all spyware processes running, plus any plug-ins for IE. Compare this total usage to Firefox memory usage, having the same pages loaded in tabs.
THEN tell me Firefox is a memory hog.
Self-referential sigs are rarely entertaining.
As soon as the user believes what the mail tells him, he will do ANYTHING you tell him. He will grant you any permit you want, actually telling him what kind of security warnings he'll get even increases your credibility. Because, well, would an attacker tell him that?
This is not true in many cases. For example, if someone can successfully trick a user into thinking an executable is from their bank, they may still become suspicious when the program tries to do certain things. These things might include reading their IM buddy list, sending files via IM, reading their Word files, sending e-mail, modifying their anti-virus program, etc.
Further, that means the author has to trick the user into thinking it is from their bank. That limitation has already eliminated all the trojans disguised as data, spyware in widgets, trojans disguised as games or software from other sources, or spyware functions of existing software.
So yes, some users will do anything their "bank" tells them including granting a program specific access to do all of the things I mentioned above that might make a user suspicious, but not all users will and that leads to faster malware detection times and less propagation. It also leaves a much smaller area for attack that needs to be covered by education.
Right now a perfectly intelligent, informed, and reasonable person might run a program called spacemutant7.exe because they downloaded it somewhere and the authors assured the user it was a really fun game. The user must them make a gamble. Either it is a fun game or it is a trojan that will compromise their system or both. So they run it and hope it is not malware. Sometimes they are right and sometimes they are wrong, but just taking a guess is the best they can do. This is not sufficient. They should be able to confidently run it, knowing that by default it will not be able to read their taxes, mail porno pics of their wife anywhere, turn on their webcam, or modify the core of their OS.
Having a system like this is not perfect and their is still room for social engineering, but that room is greatly decreased and thus the amount of education required to be safe is similarly decreased. It is possible to educate people that their bank will never send them software and they should always verify e-mail from their bank. It is not really possible to educate people to never install or run any software or data on their computer, because that is why people have computers in the first place. Without that functionality, they are not very useful.
I want the user to be the weakest link, and then we can work on fixing users with a small amount of education. The problem is, they are not now the weakest link because they have tools that are deficient.
Ok, now do the same comparison with Firefox and Opera. "Better than IE" isn't exactly a high pinnacle in greatness. And besides, they could try to make it the best all-around instead of just settling for "better than IE".
I dream of a better world... one in which chickens can cross roads without their motives being questioned.