Firefox 2 To Have Anti-Phishing Technology
Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."
Good idea. This way they can make sure that the only thing stolen through FireFox is memory space.
[rimshot]
Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7
Site Blocked: www.google.com has been placed on a list of sites that link to potentially unsafe and / or phishing sites.
The biggest problem is still the weakest link in the system: Its user.
Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored. This starts with mails that urge him to open something "really urgently", covers various plugins for browsers that come filled with spyware (which, in turn, is a perfect door for other malware) and goes to bogus files on various P2P networks that claim to be some crack, hack or other "goodie" to lure the P2P user into starting it.
Now, you can walk the same way that antivirus companies go, you wait for the threat to unfold and grab it at its neck when you find it lurking in the system once your update covers it. That's fine as long as your releases at least match the speed of trojan development, if there is some intersection between the moment you update your anti-trojan signatures and the moment the trojan goes into a new generation.
And that window is closing. Fast. We're now facing trojans with update cycles that make you wonder when and how they create them. Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.
Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.
As soon as a browser like this hits the market, the race is on. It no longer matters if you're clueless or an IT pro, your browser will keep you out of harm's way on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).
I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.
My hope is that Firefox will have a different approach to the problem. Self-checking processes (to avoid injections), close scrutiny of its BHOs, etc. I hope they will not try to use AV techniques, but instead concentrate on the entry points for such a program, and try to detect it there.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I do hope this works well for the average Jane or Joe... I'd like to see fewer incidences where my mom forwards mails to me (thinking she's either been doing something wrong {like, her bank account is overdrafted, please go to this special web page and fix it}, or has gotten something great for free).
A Passionate Independent Musician
I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?
Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.
With the scams changing so rapidly, moving detection to a web browser just makes sense. When these things aren't tagged by the user's email server (ClamAV is excellent for this) or client, this would be a great 'safety net' for stopping me...err...grandma from entering her login info for PayPal/eBay/etc. Plus with FF online updating I could see them having a plugin/extension that would have .dat files with the latest phishing definitions they could download and update daily; a la virus checkers.
fak3r.com
With Netcraft toolbar http://toolbar.netcraft.com/
Ceci n'est pas une Signature !
The various phishing shields use a variety of techniques to protect against the online scams. These include blacklists of known fraudulent Web sites, white lists of good sites and analyses of Web addresses and Web pages. Firefox 2 might be different, since the developers aren't married to those approaches, Shaver said.
Verisign already has this kind of technology; the question is, will Firefox 2 make Verisign obsolete?
Verisign's advice: The best way to avoid becoming a victim of phishing is to never respond to unsolicited emails asking for personal information or directing you to a Web site where you are asked to enter personal information--even if it looks TOTALLY official.
He who knows best knows how little he knows. - Thomas Jefferson
Enter information and click OK to find out
Name:_________________________________
Billing Address:__________________________________
Credit Card Type:________________
Credit Card Number:_______________________________
Expiration Date:___/___
Now be an idiot and click OK to let me steal your info.
What's the matter, James? No glib remark? No pithy comeback?
Will Firefox adopt an approach that doesn't compromise the user's privacy as much as IE 7 (its solution being to send every URL to Redmond)?
That's an extreme stretch of the normal use of the term "technology". They thought of a systematic way of warning people about phishing sites by compiling a list of them. Good for you. But computer programs, databases, and browsers have existed for a long time. This isn't a "new technology". It's a computer program. I know, you probably think it's a minor point, but keep in mind that Microsoft considers removing its own damn bugs to be "new technology" (NT).
Thinking up ways to warn people about phishing sites isn't "new technology".
Rank my idea: http://www.sinceslicedbread.com/node/531
It's sad, really, that the most important features regarding browsers nowadays all have to do with protecting the user against evil-doers.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Seriously, what the FUCK? Google's anti-phishing filter (as in Google Toolbar) is the one that is constantly sending your HTTP requests to Google's servers. There was a Slashdot post about this a while ago, but I cannot find it.
Unless you can disable this "feature" or it works completely differently, I'd consider Firefox 2 spyware.
> Microsoft plans to include features to protect Web surfers
> against online scams in Internet Explorer 7
Wouldn't it have been easier just to not program the online scams into Internet Explorer 7 in the first place? I just don't understand Microsoft's new security procedures at all!
Time for a fork.
Seriously, I'll tell you the only anti-phishing technology we need: our damn heads, with a side of common sense.
I don't want my browser to have stupid coddling features like this that will just get in the way of a decent, savvy surfer. That's the problem with popularity - it leads to diluting the quality. I'd rather have a *good* browser only used by 3% of the people out there. Hell, the mere minority status might even make it *better* - now that Firefox is popular, more and more sites are finding ways of advertising specifically to it.
If Firefox 2 does have this, then it better be easy to fully disable, otherwise I'm definitely not upgrading.
I have been forced to test IE 7 for my company, and the fact that Firefox 2 will have this will give us no reason to use IE 7.
I'm not a troll, but I play one on Slashdot.
I suspect you're posting a bit facetiously, but...
Will Firefox not pop up a warning, saying something akin to "Hey, you can go ahead and visit this site if you like, but we think it might be a bit fishy"? Doesn't seem that bad.
I would assume that Firefox won't prevent you from accessing a certain site, since I can't imagine the Mozilla Foundation wanting to coordinate universal white-/black-lists.
Couldn't the browser also include cookie theft prevention? Recently I had an online game spoiled when a scripter stole my cookie and thus accessed my account, via user-modifiable code on the game's site. While I suppose some times cookie redirection might be legitimate, I'd think it rare enough that some sort of configurable blocker would handle those few cases while making cookies safer in others.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?
(Seriously. If not, please post why not and educate me.)
Expected time to finish is 1 hour and 60 minutes.
My bank, for example, recently introduced a feature called a site key for log ins to its online services. After entering your initial user id, it brings you to a screen that displays a user-chosen image and title. The rule is that if you recognize the image and the title, you enter your password. If you don't recognize one or both, you don't.
Companies should be responsible for protecting their users, and this struck me as a rather good way of doing that. Granted, if someone really wanted to, they could set up a site just to scarf your user id, log in with that id to snag your site key, then create another site with the site key included to gank your password - but that's a lot of work.
When are people going to realize that passwords are not secure. Ever. Even if you pick a "good" password and change it every 13 minutes like a good boy, they are still not secure.
Why? It's too easy to snag the password through social engineering or some other means, or even by accident.
I walked out of the bank disgusted when I went to get a private lock box, and it did not have a key given to me, and the bank had the other key like before. No, now they wanted me to remember a password, and enter it into a computer to unlock my box.
OK. I made that up, because even banks are not stupid enough to do this, but they open up the account online to any bozo that has a password.
My bank recently initiated an "anti-phishing" technology where it uses cookies stored on my computer, and if the bank does not recognize my computer it displays a picture that I set up in the past with a caption that I selected for the picture, and then it's supposed to be OK to put in my password now because the site is providing evidence that the bank and not some guy from China or Russia is asking for my password.
However, I carry many bank cards in my wallet, and they work excellent at stores and ATMs, but they don't fit into any holes into my computer. The bank has already given me an excellent token that is much more difficult to replicate than a few random characters on a keyboard, but they refuse to use it.
OK, I have to go and change my passwords now, it's that time of year....
Insightful?
The summary already states that this kind of anti-phishing is already available in Netscape 8, Opera and several toolbars and extensions.
At least the grandparent said 'their', meaning that only fools will believe that this is original to MS.
What the hell are you babbling about? RSS icon? um IE adopted it to be standardized, and that was seen as a GOOD thing you twit.
The phrase "more better" is acceptable English. suck it grammar Nazis
It basically checks websites you visit against its database and tells you if they are considered dangerous or what have you.
So it reports my surfing to Google's database? Thanks but no thanks. I've never fallen prey to phishing attacks, and don't want a feature like that logging all the pr0n sites I visit. Wait, the only pr0n site I need is Google Images now anyway haha!
Why should we trust google? They are looking out for their shareholder, not the end user.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Two things I would like to see:
- colouring of URLs in the address bar, or something else, that would allow the novice user to easily identify the user name element of a URL. I have already seen URLs of the form (http excluded): ://www.citibank.com@42426842fdsafadsfasd.com/fhiudsahiufds?sdafdsfsdf
- even in a window that has no tool bar or status bar, there should always be a status bar that displays the page's address.
Jumpstart the tartan drive.
Just makes it harder - is there anything stopping me from making a site that takes in your user ID, logs into the real site with that ID, pulls out the image and title, and shows it to you?
The real answer, IMHO, is using public keys for authorisation, as you're then never sending anything that can be used again. Man in the middle attacks are still possible if you can persuade the user to accept the wrong server certificate, but it's as good as it gets, IMHO.
The user's key doesn't even have to be signed - just have the site remember the key you used first, much in the same way you'd set up a password.
Here is some design documentation for the safe browsing add-on: http://wiki.mozilla.org/Safe_Browsing:_Design_Documentation
Here is the Bugzilla bug for turning on the feature. Remember that you have to copy and paste the link into the address bar because Bugzilla blocks Slashdot. https://bugzilla.mozilla.org/show_bug.cgi?id=329292
From what I understand, the idea is to make the feature an extension that is installed by default, kind of like the talkback error reporting tool. In "normal mode", the extension will make decisions on phishing sites based on a blacklist file that is downloaded from an update server, and every address that you visit will NOT be sent to Google or Mozilla for verification. If the user goes to turn on Enhanced Mode, a warning dialog will pop up telling them that information WILL be sent to Google or someone else, for the purposes of finding new sites to add to the blacklist files and online blacklist database. I don't think that enhanced mode will be turned on by default, but there are still a lot of things that are undecided.
Anyway, I'd argue that Thunderbird needs it much more than Firefox. Most phishing starts with the inbox. Links in email that use dodgy hex encoding, raw IPs, IPv6, point to domains that differ than the anchor text etc. should be highlighted. And popular targets such as banks, ebay, Paypal, Amazon etc. should be explicitly identified. I'd also like Thunderbird to add a phishing filter rule so that I can automatically toss the 20+ phishing emails I get a day straight in the junk folder without accidentally training the bayesian filter to kill genuine emails from Amazon, PayPal etc.
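The checks the two comments above ask for (the earlier one about spotting the user-name element of a URL such as `www.citibank.com@...`, and this one about highlighting mail links with hex encoding, raw IPs, or anchor text pointing at a different domain than the href, plus the offline blacklist mode described for the extension) can be expressed as a small link analyser. The following is an added example, not code from Mozilla, Thunderbird or the Safe Browsing extension. The HTML message, the local blacklist and the brand-to-domain table are all constructed for illustration, and the "registrable domain" helper is a deliberate last-two-labels approximation rather than a public-suffix lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed local blacklist (hypothetical hosts), consulted offline: nothing leaves the machine.
LOCAL_BLACKLIST = {"42426842fdsafadsfasd.com", "secure-login-update.example"}

# Constructed brand -> legitimate domain table; a real deployment would maintain a larger list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "citibank": {"citibank.com"},
    "amazon": {"amazon.com"},
}

def registrable(host):
    """Crude registered-domain approximation: the last two labels (assumption: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_ip_literal(host):
    """True for raw IPv4/IPv6 hosts, which legitimate bank/shop links essentially never use."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def analyse_link(href, text):
    """Return the list of reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""          # urlsplit discards userinfo and port: this is the real host
    if parts.username is not None or "@" in parts.netloc:
        reasons.append("userinfo before host: browser will actually connect to %r" % host)
    if is_ip_literal(host):
        reasons.append("raw IP address as host")
    # Hex (percent) encoding of characters that never needed encoding hides the true text.
    encoded = re.findall(r"%([0-9A-Fa-f]{2})", href)
    if any(chr(int(h, 16)).isalnum() for h in encoded):
        reasons.append("needless hex encoding of plain characters")
    # Anchor text that shows a domain different from the one the href really points at.
    m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append("anchor text names %s but href goes to %s" % (registrable(m.group(1)), registrable(host)))
    # A well-known brand name inside a host that is not that brand's own domain.
    decoded_host = unquote(host).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in decoded_host and registrable(decoded_host) not in domains:
            reasons.append("brand '%s' in host but domain is %s" % (brand, registrable(decoded_host)))
    if host in LOCAL_BLACKLIST or registrable(host) in LOCAL_BLACKLIST:
        reasons.append("host on local blacklist")
    return reasons

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_message(html):
    """Run analyse_link over every anchor in the message; returns [(href, text, reasons), ...]."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, analyse_link(href, text)) for href, text in collector.links]

# Constructed sample phishing mail (hosts are invented; 192.0.2.10 is a documentation address).
SAMPLE_MAIL = """<p>Dear customer, please verify your account.</p>
<a href="http://www.citibank.com@42426842fdsafadsfasd.com/login">www.citibank.com</a>
<a href="http://192.0.2.10/paypal/update">https://www.paypal.com/</a>
<a href="http://www.%65bay.com.example.net/signin">eBay sign in</a>
<a href="https://www.amazon.com/orders">Your orders</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_message(SAMPLE_MAIL):
        print(href, "->", reasons or "ok")
```

Only the first three links are flagged; the genuine Amazon link produces an empty reason list, which is the property a junk-folder rule would key on so that it never trains the Bayesian filter on legitimate mail from the same brands.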