Slashdot Mirror
Firefox 2 To Have Anti-Phishing Technology
Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."
I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?
Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.
It's sad, really, that the most important features regarding browsers nowadays all have to do with protecting the user against evil-doers.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
But each of those would have been avoided if the user either kept their machines patched or (at least) kept them behind a firewall.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Seriously, what the FUCK? Googles anti-phising filter (as in google toolbar) is the one who is constantly sending your HTTP requests to Googles servers. There was a slashdot post about this a while ago, but I cannot find it.
Unless you can disable this "feature" or it works completely differently, I'd consider Firefox 2 spyware.
Couldn't the browser also include cookie theft prevention? Recently I had an online game spoiled when a scripter stole my cookie and thus accessed my account, via user-modifiable code on the game's site. While I suppose some times cookie redirection might be legitimate, I'd think it rare enough that some sort of configurable blocker would handle those few cases while making cookies safer in others.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
When are people going to realize that passwords are not secure. Ever. Even if you pick a "good" password and change it every 13 minutes like a good boy, they are still not secure.
Why? Its too easy to snag the password from social engineering or some other means or even by accident.
I walked out of the bank disgusted when I went to get a private lock box, and it did not have a key given to me, and the bank had the other key like before. No, now they wanted me to remember a password, and enter it into a computer to unlock my box.
OK. I made that up, because even banks are not stupid enough to do this, but they open up the account online to any bozo that has a password.
My bank recently initiated an "anti-phishing" technology where it uses cookies stored on my computer and if the bank does not recognize my computer it displays a picture that I set up in the past with a caption that I selected for the picture, and then its supposed to be OK to put in my password now because the site is providing evidence that the bank and not some guy from China or Russia is asking for my password.
However, I carry many bank cards in my wallet, and they work excellent at stores and ATMs, but they don't fit into any holes into my computer. The bank has already given me an excellent token that is much more difficult to replicate than a few random characters on a keyboard, but they refuse to use it.
OK, I have to go and change my passwords now, its that time of year....
Insightful?
The summary already states that this kind of antiphishing is already available in Nestcape 8, Opera and several toolbars and extensions.
At least the grand parent said 'their' meaning that only fools will believe that this is original to MS.
My fear is similar, but not only that, most of the anti-spyware systems require external lookups which is a privacy risk. If we for every page we look at have to contact a 3rd party we are revealing our internal network structures as well as our use of internet. This is a gold mine for spammers, lawyers, and phishers among others...
One of the things I demand to use this system is the ability to limit how it is used, turn it off, switch it for an alternative system, or uninstall it. The best way it can be implemented is as an pre-installed plugin, making it easy to maintain for those who need need alternatives.
Firefox was always intended to be plugin based, so I hope they stick to that.
Fox may be a memory hog, but I have not seen it to be out of line in most modern systems. Plus, I get really low useage when i turn off all the extensions i have added to it for customizing.
Yeah well, the reply on the support forums to any memory problems is always "must be extensions at fault", and it's almost certainly true. The thing is, ask me to choose between Firefox without extensions and Opera, and there is no contest, Opera wins hands down.
I think the Firefox team should be focussing on ways to ensure that extensions behave. They could do any number of things. Put together a team of people whose job it is to check extensions for obvious flaws, and make a list of "approved" extensions that pass muster. Improve the APIs used by extension developers. Work on tools to help extension developers write robust code. Seems to me more useful than some of the stuff they're working for. That's not to say they haven't done a great job so far, I just think that would be a useful thing to focus on at this point.
Oh no... it's the future.
The biggest problem is still the weakest link in the system: Its user.
I very strongly disagree. There are currently many weaker links.
Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored...
Either I'm misunderstanding your statement or you are misinformed. Most infections do not currently involve human interaction measured both by number and bandwidth consumed.
Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.
Actually, there are also self-mutating trojans that have been demonstrated that are very good at hiding and there are trojans that interfere with anti-virus.
Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.
First, AV companies are not keeping up and we have seen several "zero-day" infections. More advanced intrusion detection software is becoming more and more responsible for finding new worms, viruses, and trojans on end users systems, a significant amount of time in advance of AV signatures. These systems are not only finding them, but creating and sharing signatures among major ISPs.
Second, your depiction of the average user as people who "click everything and anything and allow every program to do whatever it pleases" is very misleading. I know security experts who have been duped by a well crafted trojan or phishing e-mail and the truth of the matter is, users are making poor choices based upon the fact that they are given poor options. Right now the average user is given the option of "open this file if it is a file or run it if it is a program and let it do anything it wants" or "don't open this file or program." Since users want to view data and install software, eventually they are bound to make the wrong choice.
It will not be until users are given more control, information, and granularity by their tools that they will be given the option of being the weakest link. UI's need to let them know what is data and what is an executable. OS's need to run executables in sandboxes by default and only allow programs to do unusual things (log other program's keystrokes, modify the OS, access hardware directly, modify user files, connect to the internet, access the e-mail address book, access the buddy list, start a new service, modify other programs, etc.) after the user is informed in plain English and given a choice using a properly constructed UI. At this point, users will become the weakest link and not before.
As soon as a browser like this hits the market, the race is on. It does no longer matter if you're clueless or an IT-pro, your browser will keep you out of way's harm on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).
First, the Web is only one vector and not even the most common vector for infection. Second, blacklists will never be able to keep up, although they will help.
I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.
Newer intrusion detection systems are they key to mitigating this. Propagation is detectable and if you have a relational model of your network abnormal activity can be flagged, detected
The plugin system is also one of the ways to get a man in the middle phishing attack working.
This aside, I agree that it should be possible to turn it off. Even though this would essentially kill the security of the system, but I'm firmly against handing over responsibility over my system to someone else, who I'd have to trust implicitly. And what if I don't?
But I'd also recommend delivering it with a default ON setting on the security features. Just to make sure that all those who have no clue what's going on in their computer have it ON!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Anyway, I'd argue that Thunderbird needs it much more than Firefox. Most phishing starts with the inbox. Links in email that use dodgy hex encoding, raw IPs, IPv6, point to domains that differ than the anchor text etc. should be highlighted. And popular targets such as banks, ebay, Paypal, Amazon etc. should be explicitly identified. I'd also like Thunderbird to add a phishing filter rule so that I can automatically toss the 20+ phishing emails I get a day straight in the junk folder without accidentally training the bayesian filter to kill genuine emails from Amazon, PayPal etc.
Open 5 or 6 IE windows, then add up the resource usage for IE, plus the resource usage of any and all spyware processes running, plus any plug-ins for IE. Compare this total usage to Firefox memory usage, having the same pages loaded in tabs.
THEN tell me Firefox is a memory hog.
Self-referential sigs are rarely entertaining.