Firefox 2 To Have Anti-Phishing Technology
Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."
Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7
Site Blocked: www.google.com has been placed on a list of sites that link to potentially unsafe and / or phishing sites.
The biggest problem is still the weakest link in the system: Its user.
Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored. This starts with mails that urge him to open something "really urgently", covers various plugins for browsers that come filled with spyware (which, in turn, is a perfect door for other malware) and goes to bogus files on various P2P networks that claim to be some crack, hack or other "goodie" to lure the P2P user into starting it.
Now, you can walk the same way that antivirus companies go, you wait for the threat to unfold and grab it at its neck when you find it lurking in the system once your update covers it. That's fine as long as your releases at least match the speed of trojan development, if there is some intersection between the moment you update your anti-trojan signatures and the moment the trojan goes into a new generation.
And that window is closing. Fast. We're now facing trojans with update cycles that make you wonder when and how they create them. Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.
Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.
As soon as a browser like this hits the market, the race is on. It no longer matters if you're clueless or an IT pro, your browser will keep you out of harm's way on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).
I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.
My hope is that Firefox will have a different approach to the problem. Self-checking processes (to avoid injections), close scrutiny of its BHOs, etc. I hope they will not try to use AV techniques, but instead concentrate on the entry points for such a program, and try to detect it there.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?
Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.
With the scams changing so rapidly, moving detection to a web browser just makes sense. When these things aren't tagged by the user's email server (ClamAV is excellent for this) or client, this would be a great 'safety net' from stopping me...err...grandma from entering her login info for PayPal/eBay/etc. Plus with FF online updating I could see them having a plugin/extension that would have .dat files with the latest phishing definitions they could download and update to daily; ala virus checkers.
fak3r.com
With Netcraft toolbar http://toolbar.netcraft.com/
Ceci n'est pas une Signature !
The various phishing shields use a variety of techniques to protect against the online scams. These include blacklists of known fraudulent Web sites, white lists of good sites and analyses of Web addresses and Web pages. Firefox 2 might be different, since the developers aren't married to those approaches, Shaver said.
Verisign already has this kind of technology, the question is, will Firefox 2 make Verisign obsolete?
Verisign's advice: The best way to avoid becoming a victim of phishing is to never respond to unsolicited emails asking for personal information or directing you to a Web site where you are asked to enter personal information--even if it looks TOTALLY official.
He who knows best knows how little he knows. - Thomas Jefferson
Enter information and click OK to find out
Name:_________________________________
Billing Address:__________________________________
Credit Card Type:________________
Credit Card Number:_______________________________
Expiration Date:___/___
Now be an idiot and click OK to let me steal your info.
What's the matter, James? No glib remark? No pithy comeback?
Will Firefox adopt an approach that doesn't compromise the user's privacy as much as IE 7 (its solution being to send every URL to Redmond)?
It's sad, really, that the most important features regarding browsers nowadays all have to do with protecting the user against evil-doers.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
And I cannot emphasize enough how great it is for my parents. By switching them to Fox and Bird, I have stopped my monthly trip up to remove all new spyware/viruses... now I just go for dinner. That gets an A+ in my book.
If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.-TJ
Seriously, what the FUCK? Google's anti-phishing filter (as in Google Toolbar) is the one that is constantly sending your HTTP requests to Google's servers. There was a Slashdot post about this a while ago, but I cannot find it.
Unless you can disable this "feature" or it works completely differently, I'd consider Firefox 2 spyware.
> Microsoft plans to include features to protect Web surfers
> against online scams in Internet Explorer 7
Wouldn't it have been easier just to not program the online scams into Internet Explorer 7 in the first place? I just don't understand Microsoft's new security procedures at all!
Time for a fork.
Seriously, I'll tell you the only anti-phishing technology we need: our damn heads, with a side of common sense.
I don't want my browser to have stupid coddling features like this that will just get in the way of a decent, savvy surfer. That's the problem with popularity - it leads to diluting the quality. I'd rather have a *good* browser only used by 3% of the people out there. Hell, the mere minority status might even make it *better* - now that Firefox is popular, more and more sites are finding ways of advertising specifically to it.
If Firefox 2 does have this, then it better be easy to fully disable, otherwise I'm definitely not upgrading.
Couldn't the browser also include cookie theft prevention? Recently I had an online game spoiled when a scripter stole my cookie and thus accessed my account, via user-modifiable code on the game's site. While I suppose sometimes cookie redirection might be legitimate, I'd think it rare enough that some sort of configurable blocker would handle those few cases while making cookies safer in others.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?
(Seriously. If not, please post why not and educate me.)
Expected time to finish is 1 hour and 60 minutes.
My bank, for example, recently introduced a feature called a site key for log ins to its online services. After entering your initial user id, it brings you to a screen that displays a user-chosen image and title. The rule is that if you recognize the image and the title, you enter your password. If you don't recognize one or both, you don't.
Companies should be responsible for protecting their users, and this struck me as a rather good way of doing that. Granted, if someone really wanted to, they could set up a site just to scarf your user id, log in with that id to snag your site key, then create another site with the site key included to gank your password - but that's a lot of work.
When are people going to realize that passwords are not secure. Ever. Even if you pick a "good" password and change it every 13 minutes like a good boy, they are still not secure.
Why? It's too easy to snag the password from social engineering or some other means or even by accident.
I walked out of the bank disgusted when I went to get a private lock box, and it did not have a key given to me, and the bank had the other key like before. No, now they wanted me to remember a password, and enter it into a computer to unlock my box.
OK. I made that up, because even banks are not stupid enough to do this, but they open up the account online to any bozo that has a password.
My bank recently initiated an "anti-phishing" technology where it uses cookies stored on my computer and if the bank does not recognize my computer it displays a picture that I set up in the past with a caption that I selected for the picture, and then it's supposed to be OK to put in my password now because the site is providing evidence that the bank and not some guy from China or Russia is asking for my password.
However, I carry many bank cards in my wallet, and they work excellent at stores and ATMs, but they don't fit into any holes into my computer. The bank has already given me an excellent token that is much more difficult to replicate than a few random characters on a keyboard, but they refuse to use it.
OK, I have to go and change my passwords now, it's that time of year....
Insightful?
The summary already states that this kind of antiphishing is already available in Netscape 8, Opera and several toolbars and extensions.
At least the grand parent said 'their' meaning that only fools will believe that this is original to MS.
Fox may be a memory hog, but I have not seen it to be out of line in most modern systems. Plus, I get really low usage when I turn off all the extensions I have added to it for customizing.
Yeah well, the reply on the support forums to any memory problems is always "must be extensions at fault", and it's almost certainly true. The thing is, ask me to choose between Firefox without extensions and Opera, and there is no contest, Opera wins hands down.
I think the Firefox team should be focussing on ways to ensure that extensions behave. They could do any number of things. Put together a team of people whose job it is to check extensions for obvious flaws, and make a list of "approved" extensions that pass muster. Improve the APIs used by extension developers. Work on tools to help extension developers write robust code. Seems to me more useful than some of the stuff they're working for. That's not to say they haven't done a great job so far, I just think that would be a useful thing to focus on at this point.
Oh no... it's the future.
If I remember correctly, it's something to do with caching the pages. Firefox caches something like 25 previous pages you've been to... on each tab.
Maybe this isn't the actual problem -- I'm not a developer -- but it seems to have stopped the "memory leak" issue I have with Firefox 1.5+
It most likely was not really using 200Mb of memory. It's far more likely that you simply do not know how Linux memory management works and what the figures in 'ps' mean.
It's most likely you just don't know how to read. The phrase "when Windows starts paging" has nothing to do with 'ps' or Linux memory management.
Anyway, I'd argue that Thunderbird needs it much more than Firefox. Most phishing starts with the inbox. Links in email that use dodgy hex encoding, raw IPs, IPv6, point to domains that differ from the anchor text etc. should be highlighted. And popular targets such as banks, eBay, PayPal, Amazon etc. should be explicitly identified. I'd also like Thunderbird to add a phishing filter rule so that I can automatically toss the 20+ phishing emails I get a day straight in the junk folder without accidentally training the Bayesian filter to kill genuine emails from Amazon, PayPal etc.
What does Linux memory management have to do with Windows?
This is Slashdot. Linux has everything to do with everything, newbie.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Open 5 or 6 IE windows, then add up the resource usage for IE, plus the resource usage of any and all spyware processes running, plus any plug-ins for IE. Compare this total usage to Firefox memory usage, having the same pages loaded in tabs.
THEN tell me Firefox is a memory hog.
Self-referential sigs are rarely entertaining.
No one is denying that there are memory leaks. However, they're not common (occurring on only about 1% of visited pages) and often very hard to reproduce reliably. You can help by using the memory leak tool and reporting good memory leak bugs.
What a fool believes, he sees, no wise man has the power to reason away.
"I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94