Slashdot Mirror


Firefox 2.0 Wins Phishfight Against IE7

An anonymous reader writes "A new study that pitted the anti-phishing technology in Firefox 2.0 against that of IE7 generated some interesting results. From the Washingtonpost.com story: 'Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.' Microsoft responded by pointing to its own supposed comparison study that put it in front of Mozilla and others in phish fighting, but the story notes: '3Sharp, the company that authored the Microsoft study, clearly states on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."'"

42 of 181 comments

  1. You have to consider... by otacon · · Score: 5, Interesting

    that most phishing sites are designed to circumvent Internet Explorer, since it is the most common internet browser, and practically the only browser for 'clueless' users, especially the ones that would be victims to a phishing site.

    --
    In a world of acronyms, the words are the real victims.
    1. Re:You have to consider... by flyingsquid · · Score: 4, Funny

      Also, should "www.firefox.com" and "www.mozilla.com" really be included in IE7's tally of phishing sites blocked?

    2. Re:You have to consider... by LiquidCoooled · · Score: 3, Interesting

      I thought the aim of a phishing site was to circumvent the user?
      It's not specifically aimed to run a machine exploit (though some will involve overflowing the address bar), but to convince the user they are on a site they assume is safe.

      slashdot.com.au might get some folks; others might be fooled by slashdot.info or some other variation (like the whitehouse.com former porn site).
      The attack vector is all in your head.

      --
      liqbase :: faster than paper
    3. Re:You have to consider... by frodo+from+middle+ea · · Score: 2, Insightful

      I never get this argument...
      If Linux/Firefox/(your favorite OSS product) was as popular as Windows/IE/(any proprietary Product), it will be attacked more, and will be equally vulnerable and would have equal # of security flaws.
      Fact is I don't care. What I want is something that is secure, and I really don't care if it is not as popular. In fact, "security by insignificance" works for me.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    4. Re:You have to consider... by AdamKG · · Score: 2, Funny

      Ok. Now- how would you explain away your homepage link?

      --
      groupthink: It's good for self-esteem.
    5. Re:You have to consider... by Trails · · Score: 2, Insightful

      We're testing out new(ish) anti-phishing technology. At least, new enough that the argument that IE7 is the "incumbent" doesn't really hold unless the sites are exploiting leftovers from IE6. Then the point becomes obvious - if MS is pushing IE7's relative security over "previous browsers" (read: IE6), they should have fixed these holes.

    6. Re:You have to consider... by foamrotreturns · · Score: 4, Insightful

      No, you are dead wrong. Firefox gets patched more often, and since it is open source, that is the main reason that vulnerabilities are being found in it. Sooner or later, all the bugs in Firefox will be ironed out, and it will be considered bulletproof, while IE remains closed source and unavailable for third party code audits, which leaves it wide open to security breaches. Wouldn't you rather have a house that was built by one contractor and then inspected by thousands of others who were able to find and fix some issues with it than a house that was only inspected by the same contractor who built it? There is some correlation between popularity and number of exploits, but you make it sound like it's a 2-dimensional plane. It's not. There are other factors. The very same goes for Linux versus Windows. Until Windows and IE are open source, they will always be miles behind in security.
      BTW, security through insignificance is the same as security through obscurity, which is just a false sense of security. Just because something is out of the limelight does not mean that no one has the intention of messing with it.

    7. Re:You have to consider... by cosminn · · Score: 4, Insightful

      > Sooner or later, all the bugs in Firefox will be ironed out, and it will be considered bulletproof

      You must be new to software engineering :) This will never happen with any software. The only way that would be possible is if you freeze the code, then ONLY fix bugs. Even then you have the possibility of creating a new bug from fixing a bug.

      That's never going to happen tho. And the more features you add, the more bugs you add, regardless of open/closed source.

      My problem is not that bugs exist, it's unavoidable, it's how they're handled that's important.

    8. Re:You have to consider... by owlstead · · Score: 2, Insightful

      "Wouldn't you rather have a house that was built by one contractor and then inspected by thousands of others who were able to find and fix some issues with it than a house that was only inspected by the same contractor who built it?"

      Are you trying to be funny? Because I would never like to live in that first house. First of all, it would never get finished, disputes will break out and I would never get one ounce of peace. Fortunately, even with such hugely successful applications, the number of real developers and fixers will be rather small. But other than that rather flawed analogy, I get your point :0

  2. MS will always struggle here by Timesprout · · Score: 5, Insightful

    The risk of litigation inspired by false positives means they will always have to be a little more circumspect with who they classify as a phisher.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:MS will always struggle here by LordSnooty · · Score: 4, Insightful

      And why couldn't someone sue the Mozilla Corporation and/or Foundation in the same circumstances?

    2. Re:MS will always struggle here by IDontAgreeWithYou · · Score: 2, Insightful

      They could, but I imagine that it is slightly more lucrative to sue Microsoft.

      --
      Finding other idiots on /. that agree with your opinion doesn't make it any less stupid.
    3. Re:MS will always struggle here by muukalainen · · Score: 2, Insightful

      > And why couldn't someone sue the Mozilla Corporation and/or Foundation in the same circumstances?

      Probably because a) It's not a multi billion corporation with deep pockets and b) Because probably, being free, the application gives no warranties about the correctness of its phishing detection system, whereas c) In an American court, you can demand compensation for almost about everything, if you paid for a service; but if you didn't, probably you can't.

      --
      Tuntematon Muukalainen
    4. Re:MS will always struggle here by houghi · · Score: 2, Insightful

      Perhaps for the lawyers. I would try and pick my battles. I'd rather have 100.000 in my bank account than be denied 100.000.000 because they played the game better.

      Lucrative is only what you keep in the end.

      --
      Don't fight for your country, if your country does not fight for you.
  3. PhishFight! by Anonymous Coward · · Score: 4, Funny

    /slap Microsoft

    * Anonymous Coward slaps Microsoft around a bit with a large trout.

    I win, I win!

  4. Firefox, or IE7? by smittyoneeach · · Score: 2, Interesting

    Firefox, or IE7?
    Which way finds one
    The phish-free heaven?
    Let browser, like foam
    Be lynx: sans leaven
    Burma Shave

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  5. It's really Google vs. Microsoft by SimplexO · · Score: 5, Informative

    It's really Google vs. Microsoft because Firefox 2 essentially integrated Google's Safe Browsing extension into the core browser. And while Firefox has the ability to change phishing-list providers (Tools -> Options -> Security), the only one it ships with is from Google.

    1. Re:It's really Google vs. Microsoft by LiquidCoooled · · Score: 3, Informative

      No, Firefox ships with an automatically updating local database of phishing sites.
      You don't need to test every site with Google, just use the built-in one.

      Read more here

      --
      liqbase :: faster than paper
    2. Re:It's really Google vs. Microsoft by aitan · · Score: 2, Informative

      That list is currently provided only by Google, so the grandparent is right.

  6. He mentions a whitelist. He must be joking. by Viol8 · · Score: 3, Interesting

    The author of the piece suggests a whitelist must be more practical. Hmm, so that would mean checking against a list of a few billion web pages as opposed to a few hundred for the scam pages. Anyone spot the teensy problem? I do wish that just occasionally journos would have a small amount of knowledge in the area they're writing about.

    1. Re:He mentions a whitelist. He must be joking. by Timesprout · · Score: 3, Informative

      Actually he mentions a banking whitelist which is not a bad idea at all and not impractical to implement. In fact I can imagine in the future the banks will request this themselves as their liability incurred for customers duped by phishing scams increases.

      --
      Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    2. Re:He mentions a whitelist. He must be joking. by mattwarden · · Score: 2, Funny

      > I do wish that just occasionally journos would have a small amount of knowledge in the area they're writing about.

      Yeah, and I wish vicodin wasn't prescription-only. Talk about pie-in-the-sky!

    3. Re:He mentions a whitelist. He must be joking. by Bill+Dimm · · Score: 2, Interesting

      First, it would be a list of domain names rather than webpages, so millions instead of billions. Second, it is only really important to whitelist sites where sensitive information is entered (banks, sites taking credit cards, etc.), so even fewer sites. Finally, the browser could cache the lookup results for the sites you've visited in the past, so it would only need to do a lookup when you visit a site you haven't been to before, like when you accidentally go to mybanc.com when you should be at mybank.com. Not really worse than the lookups your browser does to translate domain names into IP addresses.

    4. Re:He mentions a whitelist. He must be joking. by jrsp · · Score: 2, Informative

      And now virus makers and phishers team up to hack your local copy of "safe" sites. "Why yes, young man, www.sitibank.com IS the right address."

      The problem, as always, is trusting the data. If you request it from a known source via a secure channel you're good. Once you save it you expose it to other attacks.

  7. Opera? by elcid73 · · Score: 2, Interesting

    I didn't RTA, nor do I have Opera's 9.1TP installed with fraud protection, but I'd be interested in how it fares.

  8. Phishfight by digitaldc · · Score: 3, Funny

    And I thought a Phishfight is what happens after you criticize Trey for falling off his trampoline during a 'smokin' rendition of 'You Enjoy Myself'

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  9. Re:A suggested improvement by LiquidCoooled · · Score: 4, Informative

    It's pretty hard to miss.

    Here is the hard-coded example of a phishing site from firefox: its-a-trap!.

    The info is here

    --
    liqbase :: faster than paper
  10. Re:If these are known phishing sites... by jfengel · · Score: 4, Informative

    They come and go very quickly. Shutting something down legally is a tremendous hassle. You have to go to a judge and get a court order to do it. You have to find the ISP responsible for hosting it, assuming it's in a jurisdiction you can get a hold of. You have to get the ISP to pay attention to you in the first place.

    It's probably a few hours of work, and then 30 seconds later the same site appears elsewhere. Marking it as "phishing" in a database doesn't have any due process protections, but it's not as severe as shutting it down.

  11. Re:A suggested improvement by smooth+wombat · · Score: 2, Insightful

    > I suggest programmers introduce one that is clearly visible or change the color of the location bar background when such a site is hit.

    The clearly visible one would be better since there are people who are completely color-blind (i.e. see things only in shades of gray) or who are color-blind to certain colors.

    A combination of what you suggest would be the most effective way of getting someone's attention since it would be color-independent. Have the address bar flash between two different colored backgrounds which could be readily discerned by those who are color-blind yet understood by everyone else. How about red and yellow? They would show up to color-blind folks as dark gray and light gray.

    Or, have an actual warning message appear and overwrite the page with a message about the page not being a real page and do you want to continue, then showing the real page if someone says yes, they want to proceed.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  12. That's probably the first time... by petrus4 · · Score: 4, Funny

    ...I've honestly ever seen the words "robust," and "Microsoft," in the same sentence.

    1. Re:That's probably the first time... by Volante3192 · · Score: 4, Funny

      > I've honestly ever seen the words "robust," and "Microsoft," in the same sentence.

      You don't read their marketing materials much, do you?

    2. Re:That's probably the first time... by mgblst · · Score: 2, Funny

      Here is another for you: Microsoft products are about as robust as a bucket of water, without the bucket.

      Ah, the magic of the English language.

  13. Re:That's wonderful by TheThiefMaster · · Score: 3, Informative

    The repeated crashes I had with FF2.0 all disappeared when I disabled the Google Toolbar add-in. With the integrated Google search, spellchecker and anti-phishing, there's very little for the Google Toolbar to do anyhow. Although, the buttons for finding/highlighting the search terms in the page are very useful.

  14. Firefox antiphishing is far from perfect... by diegocgteleline.es · · Score: 4, Interesting

    ...at least until they fix bug #356355, which "jumps" the anti-phishing filter

    e.g., if you go to http://200.119.135.99/ebay/login5878/ the phishing filter will warn you

    but if you encode the IP with an unusual encoding

    http://0xc8.0x77.0x87.0x63/ebay/login5878/

    the phishing filter will not kick in

    1. Re:Firefox antiphishing is far from perfect... by Ash-Fox · · Score: 3, Informative

      > e.g., if you go to http://200.119.135.99/ebay/login5878/ the phishing filter will warn you

      Confirmed.

      > but if you encode the IP with an unusual encoding
      >
      > http://0xc8.0x77.0x87.0x63/ebay/login5878/
      >
      > the phishing filter will not kick in

      It does.
      --
      Change is certain; progress is not obligatory.
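Post 14 above shows the same IPv4 address written with hex components. As an added example (not code from the thread, from Mozilla or from Microsoft), here is how a blocklist lookup can normalise an inet_aton-style host literal to dotted-decimal before matching; it generalises the thread's hex case to the other spellings inet_aton accepts (octal, decimal, fewer than four components). The blocklist entry and test URLs are constructed from the address quoted in the thread.

```python
"""Normalise a URL's host before matching it against a phishing blocklist.

Classic inet_aton() accepts each dotted component in decimal, octal (leading
0) or hex (0x) form, and accepts fewer than four components, with the last
one filling the remaining bytes.  A blocklist that stores only the
dotted-decimal spelling is missed unless the lookup normalises first.
"""
import re
from urllib.parse import urlsplit

# Constructed blocklist entry, built from the address quoted in the thread.
BLOCKLIST = {("200.119.135.99", "/ebay/login5878/")}

_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(p: str) -> int:
    """Decode one component: '0x..' is hex, a leading 0 is octal, else decimal."""
    if p[:2].lower() == "0x":
        return int(p, 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def canonical_ipv4(host: str):
    """Dotted-decimal form of an inet_aton-style literal, or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    nums = [_parse_part(p) for p in parts]
    tail_bits = 8 * (5 - len(parts))  # the last component covers the remaining bytes
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 1 << tail_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << tail_bits) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(host: str) -> str:
    """Lower-case, strip a trailing dot, and rewrite IP literals to dotted-decimal."""
    host = host.lower().rstrip(".")
    return canonical_ipv4(host) or host


def is_blocked(url: str) -> bool:
    """Look the URL up after canonicalising, so alternate IP spellings still match."""
    parts = urlsplit(url)
    host = canonical_host(parts.hostname or "")
    return any(host == h and parts.path.startswith(p) for h, p in BLOCKLIST)
```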
  15. Conspiracy time by ChubZee · · Score: 2, Insightful

    This seems to me like another bonus for Google and Microsoft in tracking users' browsing habits. If every time someone visits a site using FF2.0 or IE7 it 'phones home' to find out if the page is a phishing site or not, won't these companies be able to build a more concise and accurate profile of web users? Just a thought...

  16. Re:Thanx! by LiquidCoooled · · Score: 2, Insightful

    I get spam but delete it without ever clicking.
    I've learnt never to click links or open attachments in unsolicited mails.

    --
    liqbase :: faster than paper
  17. False Positives? by aardwolf64 · · Score: 3, Insightful

    As the article points out, false positives were not addressed at all in this study. Without testing for false positives, those numbers are useless. If Firefox listed 100% of websites as phishing sites, the fact that it caught more than IE7 isn't all that impressive.

  18. Re:Thanx! by ack154 · · Score: 3, Insightful

    Never get spam do you? Really?

    I get spam all the time... but I too had never seen this thing before. Just because people get spam and phishing emails doesn't mean they're dumb enough to click them. I don't even do it out of curiosity.

  19. They don't look for the obvious by cvd6262 · · Score: 3, Interesting

    I teach a college course for teaching majors. Each year I do a phishing demonstration where I post a bunch of links on my blog, including one to the university's intranet. The links are all full paths (http://...), but the href in the intranet link points to a different server. When the students try to log in, they get a message about phishing.

    This semester I was a bit worried because I had heard IE 7 had new "anti-phishing technology." I thought IE would obviously check the text of the link against the target address, but that didn't happen. FireFox 2 doesn't either.

    How hard would it be to check the text of a link against a regex for URLs, then, if it is a URL, check that the target is the same?

    --

    I'd rather have someone respond than be modded up.
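The check cvd6262 asks for in post 19 is simple to prototype. The following is an added example, not code from the thread or from either browser: it collects every anchor in a page, and where the visible link text itself looks like a URL, compares its host with the href's host and flags any mismatch. The HTML sample and its hostnames (intranet.example.edu, 203.0.113.7) are constructed placeholders.

```python
"""Flag anchors whose visible text is a URL naming a different host than the href."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text counts as "a URL" if it has an optional scheme, a dotted name
# ending in a letters-only TLD, and an optional path, query or fragment.
URL_TEXT = re.compile(r"^\s*(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?\s*$", re.I)


def host_of(s: str) -> str:
    """Hostname of a URL; bare 'www.example.com/login' text gets a scheme first."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").rstrip(".").lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def suspicious_links(html: str):
    """Return (text, href) pairs whose URL-looking text points at another host."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not URL_TEXT.match(text):
            continue  # ordinary words as link text: nothing to compare against
        if host_of(text) != host_of(href):
            flagged.append((text.strip(), href))
    return flagged


# Constructed sample: an honest link, a deceptive one, and a plain-text one.
SAMPLE_HTML = """
<p><a href="http://intranet.example.edu/login">http://intranet.example.edu/login</a></p>
<p><a href="http://203.0.113.7/login">http://intranet.example.edu/login</a></p>
<p><a href="http://203.0.113.7/login">Click here</a></p>
"""
```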

  20. Re:Just to play Devil's Advocate. by foamrotreturns · · Score: 2, Insightful

    Allowing everyone to see the code allows the problems to be found quicker and be patched faster. With MS, a hole can go unnoticed (private exploits, anyone?) for long periods of time. All the while, the baddies can have their fun and no one would be the wiser. With OSS, the bug is usually discovered quite quickly, and the patch is usually not far behind. Even if the original programmer doesn't want to make the patch, someone else can do it because they have the source. OSS is simply more conducive to good security. It's not a panacea, but it's a good start.

    > those involved in open source never get around to programming what most users want. Only what they want. Dont bitch cuz Gates is giving the market what it wants. Fight fire with fire.

    Really? Tell that to all the critics raving about Firefox, Amarok, and OpenOffice.org, among others. I don't have to list my satisfaction points with these products here because they'd only be repeats of what others have said. If you're curious, look up the testimonials. The devs of these projects are fighting fire with fire. They're releasing a technologically superior (arguable for OO.o, I know) product for free. What's not fiery about that?

    As for gaming, plenty of us don't use Windows because we don't use our computers for gaming. There are plenty of fun games that are native to the Linux platform, but I rarely play them because my computer is for getting things done, not putting off the things that need to get done. I have a PS2 for games. For everything else, including the simpler install (Ubuntu install is 300x easier than Windows to install) and the simpler, more intuitive UI (I didn't much care for GNOME until I actually tried using it - It really rocks) Linux is more than sufficient, and has become the only OS on my desktop and the "98% of the time" OS on my dual-booted lappy.

    But above all, use what works for you. If you don't like Linux, don't use it. But I will warn you: *nix is becoming more and more prevalent. Just this year, my school replaced all its public terminals with Sun workstations. You can complain about lack of support for games all you want, but you'll eventually be forced to use something other than Windows.

  21. More is not winning by DesertBlade · · Score: 2

    Microsoft maintains their own database of phishing sites and they are focused on reducing false positives. It is still relatively new.

    If a bank is falsely blocked by Firefox they will simply tell users to use IE.

    If IE falsely blocks a bank site they would simply sue Microsoft.

    Both browsers still have a margin of error of 20-40%. While IE blocks some that FireFox misses, FireFox blocks some that IE misses. Firefox is doing better, but I wouldn't say they are winning yet.

    --
    Half of writing history is hiding the truth.