Slashdot Mirror

← Back to Stories (view on slashdot.org)

10 Anti-Phishing Firefox Extensions

Posted by CowboyNeal on from the lock-the-windows dept.

An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"

6 of 129 comments (clear)

  1. if only by wizardforce · · Score: 5, Insightful

    For most Internet users, defending against phishing attacks is a top priority.

    unfortunately it isnt, a lot of people ignore security measures designed to protect them from phishing. case in point, banks that used images/etc to show the authenticity of the website their customers use was largely ignored, few noticed it and similar studies show few have such security as one of their concerns. these extensions might have done good if people listened to them but the real fix for phishing is to educate people on ways to avoid going to the sites in the first place. typing in addresses instead of following links, paying attention to what comes after the tld and disabling javascript for starters.
    --
    Sigs are too short to say anything truly profound so read the above post instead.
  2. And the top #1... by funkdancer · · Score: 5, Insightful

    Is my bloody brain and eye superfilter combo. With these, I don't need any stinking slow-me-down-even-further plugins.

    --
    ISO certified == THX certified
  3. Blacklists don't work any more. by Animats · · Score: 5, Interesting

    Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.

    PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.

    It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.

    The hard line approach is to implement something that prevents putting in credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.

    We (SiteTruth), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.

    "On the Internet, no one knows if you're a dog" just isn't good enough any more.

  4. Coming soon: metalists! by aerthling · · Score: 5, Funny

    I can't wait for the top 10 'Top 10 Firefox Extension' list.

  5. Helpful article or payola scam? by macraig · · Score: 5, Interesting

    Did anyone else notice that all of the promoted extensions but the last one seem to be the work of commercial enterprises, and apparently tied in some way to their for-profit motives? Is it possible that the author or security-hacks.com got some perks or quid pro quo for the journalistic promotion of these extensions and the commercial entities behind them?

    I'm often too skeptical for my own britches, but that also why I do in fact pay attention to my bank's "sitekey" and why I don't these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.

  6. Pointless by quokkapox · · Score: 5, Insightful

    All of these anti-phishing tools are a waste of time. The real problem is educating users about safe computing practices.

    People simply need to learn that you just don't click on a link in an unsolicited email supposedly from your bank, any more than you would deposit your paycheck into a newly opened bank branch in the nasty part of town, with shoddily painted signage and shifty-looking tellers.

    98% of people can learn principles of safe computing. The remaining 2% are a lost cause. Instead of coddling people's ignorance, we should focus on education. Crooks are always going to be out there trying to take advantage of people. This problem is not going to go away or be solved by technological safeguards. It is counterproductive to devise and improve ways for people to continue ignorant, careless behaviour, "La la la, click on whatever links I see," download and run this, that and the next thing, rather than teaching them how to be careful about what code they run and where they type their password.

    --
    it's a blue bright blue Saturday hey hey