Slashdot Mirror


10 Anti-Phishing Firefox Extensions

An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"

6 of 129 comments

  1. Firefox 2 by SteveAyre · · Score: 3, Informative

    Or just upgrade to Firefox 2, which has the feature built in.

    1. Re:Firefox 2 by dteichman2 · · Score: 4, Informative

      Actually, FF3 uses less RAM than my FF2 install. So shove it.

      --
      Silence is golden... and duct tape is silver.
  2. Just a summary... by dclozier · · Score: 2, Informative

    I was hoping for a review of the extensions but only found a summary of what was available. More of the same information can be found by searching for 'phishing' extensions.

  3. Or you can just use OpenDNS by unassimilatible · · Score: 2, Informative

    Easy way to defeat the phishers, OpenDNS. Or you could actually look at the status bar to see what site you are clicking on...

    --
    Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
  4. The problem is the authentication mechanism! by SplatMan_DK · · Score: 3, Informative

    Most modern phishing is done very professionally, and the pages totally mimic the real thing. I recently received a phishing e-mail regarding PayPal accounts and out of curiosity I took a look at it. The result was shocking. The page I was directed to was an exact duplicate of the real PayPal system. The link I followed did not use scripting. It did belong to the wrong domain, but most normal users would not have noticed it. Copy-pasting the link would not have made any difference.

    The "fix" against phishing is a better authentication method.

    For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6-digit PIN sent by SMS to the user, etc.

    The whole approach of attempting to eliminate phishing by filtering webpages, making fancy browser plugins or stuffing a lot of security bloatware onto the computers is essentially wrong. The only reason simple phishing attacks work is because the authentication mechanism is way too simple.

    Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.

    Phishing gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books ranging back to the early 80's, I really don't understand why these simple methods are so largely ignored...

    --
    My security clearance is so high I have to kill myself if I remember I have it...
  5. The PERFECT PHISHING by Giorgio Maone · · Score: 2, Informative

    I guess ZoneAlarm registered customers may be surprised to find how their own original login page works.

    Even if you're not a registered user, just follow the link above and enter fake credentials.

    The game becomes spicier if you have auto-completion enabled for that form...

    Have fun with those antiphishing toys ;)

    Original proof of concept courtesy of Elio, original XSS courtesy of .mario.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript