Firefox 3 Antiphishing Sends Your URLs To Google
iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."
Does anybody remember Google Web Accelerator? This also came out with the 'selling point' that it would help the customer:
http://slashdot.org/article.pl?sid=05/05/04/2223238&tid=217
Google has your mail. They have your searches. Now they are going for your browsing history.
Add it all together and you have a lot of business intelligence. Time to target consumers and influence opinions?
Smart yes, but still quite scary.
What information are they going to collect next? What are they doing with all the information that they are already collecting?
It could be worse, it could be Monday.
Considering that Google is one of the major sponsors of FF, I'm not amazed. Sending the addresses to Yahoo, or MSN, well THAT would be newz.
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Hashes? That wouldn't stop Google if they wanted the URL.
My thought would be if a master list exists for someone to put up a master site that does not keep up with the information, and put a patch into Firefox to have it pull from this site...
There is no secret to why Mozilla Firefox wants this feature. I suspect Google has agreed to pay them for the feature to be in Firefox, as I would think this data would be quite lucrative....
This is a non-story. The ability to ask google about phishing has existed since 2.0, and was disabled then as well. Not that telling google every site you visit is a good thing.
A "blacklist" of phishing sites needs to be stored somewhere, and you need to be able to do queries against it.
It changes too fast, and is too large, for it to be stored locally.
So SOMEBODY needs to provide a database interface to it, and unless you are willing to tolerate the voodoo cryptography and serious performance penalty to do privacy-preserving searches, how else is this supposed to be done?
Test your net with Netalyzr
Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?
What will this mean? Probably that google will continue to improve their search engines, their advertising programs and other services, and they will all stay free.
Damn, go smoke some more pot, you're not paranoid enough.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
Google already know almost everything about us... Hopefully they go on using it for good things: I like video recommendations according to my searches!
Marc Garcia is the best expert in GNU/Linux Debian, Apache, MySQL, and Python!
Doesn't running the leading search engine already give you a pretty good idea about which sites are popular?
It's already in the version of Firefox I'm using, 2.0.0.6 downloaded directly from Mozilla's web site. In fact you've got the choice to enable it or leave it disabled, and if you enable it you've got the choice between downloading a list and doing the check internally or checking each URL interactively with a service (currently Google's the only one in the list, but more could easily be added).
Google are going to find out what websites are popular. That's information that they simply couldn't otherwise find out unless they ... oooh ... operated the world's most popular search engine.
Everybody panic!
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Breaking news: Cheese gives you cancer!!
Oh wait, no it doesn't... You might still get cancer though...
Fair deal? Not to worry -- the feature is disabled by default."
But does the "enable" interface inform the user that Google gets their browsing history as a side-effect of providing the blacklist?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
As much as I hate things phoning home, with a phishing filter there's really not much of a choice. It has to check the site against SOMETHING, and as Google is the closest to being the standard repository of URLs, then I think it makes the most sense.
Just think about it. When you want information about a certain bug or scam, what's the first place you go? Generally, it's Google. Yes, Google is probably paying Mozilla for it, but who cares? Even if they weren't, it's the most logical choice anyway. Plus, the feature is off by default, and you have to deliberately turn it on. There's no deception going on here.
These aren't the droids you're looking for. Move along.
Good job my fear mode's set to off by default or I might've actually cared about this non-news.
SQL programmer goes to a bar. Walks up to two tables and says 'Excuse me, may I join you?'.
Why not send a hash with a salt ? It makes it fast to check if the url is in the malware blacklist but if Google wants to know the list of websites you visited, they have considerably more work to do. You could also send fake hashes along each request.
\u262D = \u5350
Why does this need to be included by default? Am I the only one who finds the anti-phishing stuff to be annoying? Fine, some people want it, make a plugin or an extension, but stop adding tangential stuff to the codebase! Adding a piece of "functionality" to a web browser that does a name check on every website you load is bound to add a huge chunk of overhead.
Am I the only one who remembers The Kitchen Sink? Adding stuff like this into a pure vanilla install is ridiculous. I don't care if they want to make a "secure" version with plugins already installed and enabled, but don't make it a part of the
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Wait, ain't this the same Google that pays people per Firefox download (that's conveniently bundled with Google Toolbar, which sends every URL to Google)...
What about a user downloadable "Definition Update" for the Antiphishing engine similar to what scanning engines in Norton, McAfee, AVG, Ad-Aware, SS&D, etc.. do?
I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress...wait, firefox...dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, your argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Edit > Preferences > Security > Tell me if the site I'm visiting... >
[X] Check using a downloaded list of suspected sites
[ ] Check by asking [Google, .. oh no other one in this dropdown] about each site I visit.
Also saves your bandwidth.
It seems to me that the users who most need anti-phishing protection are the ones least likely to change their defaults.
This isn't digg you know, it's not a good thing to post articles that are thinly veiled flamebait.
Where is your evidence that it sends every url to google?
Is it just how you think it can be implemented or a transparent opportunity to spread FUD about privacy issues, google and firefox?
... so, dump your google cookies from time to time if you're concerned about this. FF is open source, there's no reason you can't break google's session tracking at will.
Please, this is non-news.
Because the people who put it in FF are acting like idiots by assuming average users are dumb and won't learn a couple of simple instructions. Hence, the idiots (i.e. many people in IT) don't even bother to suggest proper URL usage and instead concoct convoluted and invasive crap based on what a central authority considers socially acceptable for web browsing (and don't tell me the blacklist won't be expanded beyond suspected phishers-- you know it will).
The best thing they could do, IMO, is to render every URL in the address bar with the domain in red BOLD letters. Then, on first-use of Firefox the user gets a popup balloon coming out of the address bar advising them to always keep an eye on the domain field. This has the added benefit of making SSL certificates worthwhile, since certificates only work if you pay attention to the domain you are connecting to.
Teaching basic URL awareness also assumes that people who don't bother to spell correctly (or blithely click 'OK' on certificate warnings) will get what they deserve.
This feature could make me switch away from Firefox.
Pull down the entire blacklist periodically, and then just query the local copy.
I bet we wouldn't have half the problems we do now if people just stopped automatically trusting everything they see.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Is this tin foil hat day or what? This isn't a new feature in FF3, it's already in FF2.
Wait, maybe it's sending server dumps and some developer said "if you don't like it, fork it." That must be it.
Do we get a "this is a non-story" correction to this post too?
Slightly disreputable, albeit gregarious
Salt helps for things like passwords, where two users with the same password will have it appear differently in the password file.
It makes no sense here. It would prevent a third-party from intercepting your browsing history -- but then, they can do that anyway, by simply being your ISP.
But if Google has the list of malware sites, obviously they know that foo.com resolves to a particular hash (with a particular salt). The only way this could possibly work is if Google stored a separate list for each user, each with its own salt, which would still require you trusting Google to be doing this and not to be keeping a mapping of hash+salt -> website.
There is no way hashes can solve this problem. The only solution is to either be smart, so you don't need a blacklist, or to download the entire blacklist periodically, which is an option, but not everyone likes it.
Don't thank God, thank a doctor!
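The argument in the comment above, worked through as an added example (not code from Firefox or Google): a lookup service that already holds a corpus of URLs can map a salted hash back to the URL, and a per-user salt changes nothing because the client has to disclose it. The class name, salts and URLs are constructed for illustration.

```python
import hashlib


def url_hash(url, salt):
    """What a privacy-minded client would send instead of the URL itself."""
    return hashlib.sha256(salt + url.encode("utf-8")).hexdigest()


class LookupService:
    """Hypothetical blacklist operator that also knows many ordinary URLs."""

    def __init__(self, blacklist, known_urls):
        self.blacklist = set(blacklist)
        # Everything the operator can enumerate: the blacklist plus any
        # other URLs it has already seen (for example, a crawl index).
        self.known_urls = set(known_urls) | self.blacklist
        self.tables = {}  # salt -> {digest: url}

    def table_for(self, salt):
        # One pass over the corpus per salt; cached afterwards.
        if salt not in self.tables:
            self.tables[salt] = {url_hash(u, salt): u for u in self.known_urls}
        return self.tables[salt]

    def check(self, salt, digest):
        """Return (is_blacklisted, url_recovered_by_operator_or_None)."""
        url = self.table_for(salt).get(digest)
        return (url in self.blacklist, url)


# Constructed sample data.
PHISH = "http://phish.example/login"
NEWS = "http://news.example/story"
INTRANET = "http://intranet.corp.example/orders?id=4711"
SERVICE = LookupService(blacklist=[PHISH], known_urls=[NEWS])


def query(url, salt):
    return SERVICE.check(salt, url_hash(url, salt))


if __name__ == "__main__":
    for salt in (b"global-salt", b"salt-for-user-42"):
        for url in (PHISH, NEWS, INTRANET):
            print(salt, url, query(url, salt))
```

The only URL the operator fails to recover is the one it could not enumerate in advance, which is also a URL it could never have blacklisted.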
And could you elaborate on the "performance penalty" when the time to do an MD5/SHA would be several orders of magnitude less than the round-trip to the server for validation?
same company and most people here probably firewalled them off years ago,
how long till google goes into dev>null ?
According to several mac rumor sites and this link by Apple, Safari 3 will also have similar functionality. http://www.apple.com/pr/library/2006/aug/07leopard.html
...accessing the list through TOR?
Fact is, I don't have to, because a LOT of people already have -- the people responsible for developing and shipping Firefox, for example.
"May as well be closed"? Maybe, if no one outside the development team looks at it. But the difference is between a diverse development team, everyone paid by a different group, some not paid at all for their Firefox work, and a single, homogeneous team, working for one company, who may not even care what spyware goes in.
By the way, if you'd bothered to check, this feature is off by default. Do you honestly think Google could've gotten it in if the feature was enabled by default?
Don't thank God, thank a doctor!
Only a matter of time until those things from Half-Life 2 are flying around my apartment gathering data about what I eat, wear, and do on my spare time. Then start spitting out ads. I quit.
A better way to do it would be to just maintain a database of phishing sites that the browser downloads and checks *LOCALLY* to see if it is phishing.
Instead of every page hit being set to Google or $SERVER, it checks Google or $SERVER to see if the database has changed since last downloaded. If it has, it downloads a binary update and inserts it into the database. Then it checks the LOCAL database to see if this is a phishing site.
Such a mechanism is just as up-to-date as submitting the URL to the remote site, and much more secure. And the binary form of such database updates would be minuscule, on average each request would likely take *LESS* time this way since you are only checking last-modified headers on a file instead of initiating a full HTTP GET/POST.
main(a) should be main(p) ? %c%s% c could be %c%s%c ? --- I type this every time.
There's really no reason to be up in arms about this. You can put your torch and pitchfork down.
Firefox is open-source. They're not trying to hide anything. One of the side-effects of FOSS is that the developers can't hide anything in the code without someone looking through it and pointing it out. This has happened countless times in the past (Azureus, etc.), but we've got no indication that they're actually trying to keep it from us. Actually, quite the opposite is true; they seem to be making it public knowledge.
Another effect of being open source is that you are free to fork it if you like. If y'all don't like this new direction, then why not produce something better?
This blog post from a few years back explains how/why one might run a system like this: http://blogs.msdn.com/ie/archive/2005/08/31/458663.aspx (blogs.msdn.com)
Python is a lot like Java but with less typing
The way the laws are these days, even if you're Mother Teresa, you're probably doing something illegal, even if you don't think of it as illegal or even realize it. (Ever downloaded VLC or Handbrake? Bought discount smokes? Played a little online poker? Bought something without paying your state's sales tax?) Sure, the FBI normally has bigger fish to fry than you and me, but there's no reason that'll always be the case. The tools that are used for terrorism now will be used for narcotics tomorrow, and copyright enforcement the day after that, and eventually it'll trickle down until it's being used against something you're doing. And information compiled in databases has a tendency to stick around (at least, when it's not being misplaced or stolen). Your browsing habits today could come back to seriously haunt you in a decade or two.
And it's not just the government that you have to worry about, or Google's official policy as a corporation. You also have to consider how much the people who actually deal with this data are paid. How much would it cost to get one of them to give someone malicious access to the database? A whole lot less than the database would be worth, I suspect. Even if you're not doing anything illegal (which, again, I doubt; most people break a half-dozen laws before they get to work in the morning), you're a rare person if there's not something going on in your life that you'd prefer to keep private. Medical conditions, sexual preferences
There aren't really any analogues in the pre-computer world to the size and scope of databases like Google's, in terms of both the breadth and depth of information it could contain on individuals. This is not something that we have much societal experience with, and the limited track record we do have is decidedly mixed. It's not especially paranoid to want to take a "wait and see" approach.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This feature is available in FF 2, and is disabled by default, and has two modes of enablement, only one of which sends data to Google? So now people shouldn't even be allowed to choose to send their data to Google? Do kdawson and iritant not use Firefox and see this feature here for ages now?
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Next thing you'll tell me is that my mail server is sending domain names of people who email me to Spamhaus! Is there no safe haven?
This is something that is OK if you choose to add it, to put it in the actual firefox deliverable is not OK, even if it is off default.
:(
Plus as people are pointing out, why the #!()%/)#(/%(#/! is it sending info *to* google? You should retrieve an updated list of those sites to *your* computer where it is checked. Imagine what they could do with this technology in let's say... China? Yes, not so much fun anymore is it? How about the feds?
How come the Firefox developers came to agree to this in the first place? I just don't get it. This seems to be the total opposite of what free software is about
Just do a Google search for "Ad-Aware" or "Spybot" and check out how many of the sponsored links are actually links to scam or malware programs masquerading as these spyware cleaners.
Until Google stops doing business with outright criminals, I'm not going to trust them to tell me who is a criminal and who is legitimate.
I use Google web history anyway. So who cares?
O... M... G...
Can you imagine the outrage if Microsoft put an anti-phishing filter into IE7 which would phone home every page you went to into their MSN Search database? Even if it were opt-out? You would literally have Lunix users lighting themselves on fire in protest.
But when Firefox/Google team up... well, not so much outcry. Because, you see, Google is not Microsoft. They even say "Don't be evil" every chance they get, and go to great lengths to parrot that at every opportunity. So OBVIOUSLY Google isn't going to abuse that huge data mine they are building which profiles the entire internet and every single user on it!
Yep, nice to see the FOSSie community has their priorities hard at work!
The details are trivial and useless; The reasons, as always, purely human ones.
- As others have pointed out, there's nothing innately wrong with using Google for antiphishing. They have a large userbase, and can easily detect a mass of users flocking to a really sketchy site. Would it be a huge deal if they plugged into PhishTank?
- The submission does reflect this, but the feature isn't on by default. Instead, Firefox appears to use a static master black list that it redownloads periodically.
- I can't trigger it now, but I'm pretty sure that you're asked to confirm when you select Google that you're aware of the URL sending and other various privacy implications. The user will not be uninformed when they make this choice
- The feature is already present in Firefox 2. It is not new to Firefox 3. It's been well publicized before, and there haven't been any major problems since.
This is a pretty stupid low to go for some anti-Google hits. The article is about as informative as one of those "Your computer is broadcasting an IP Address!" banners.
For the record:
Wouldn't it be better from a privacy perspective to integrate FF with OpenDNS instead ?
:-)
The end result is the same. But it effectively prevents the service provider from cross-correlating these URL lookups with the rest of the data it accumulated for an HTTP cookie.
And, yes, I have *.google-analytics.com null routed
3.243F6A8885A308D313
I am legitimately not trying to troll here.
Could Slashdot editors please have a group discussion about accuracy and integrity in journalism? First it was the WordPress piece, that was rightly amended, and now there's this. Both deal with a fear that "someone" is spying on us. Anyone who deals with computer security deals with that fear on a regular basis, but those fears should not be expressed in the journalism: Facts should.
As many have mentioned, this feature can be found in the Firefox 2.0.0.7 security tab under "Tell me if the site I'm visiting is a suspected forgery." The summary is flat-out misleading, and contains links to a general page about all Firefox 3 features (which does not mention Google in the slightest), and the entire discussion about Firefox 2 memory leaks, not the relevant posts the author seems to reference.
There literally is no "FA" to "R" in the first place, and the summary is inaccurate, not only in its facts, but because it is summarizing nothing.
This editorial behavior gives Slashdot a bad name, and moves it a step towards the irrelevancy of The National Inquirer. I've been bringing buckets of salt to take with this site in the past weeks, and would like to see these trends reversed.
Please discuss it.
(I've shut off the Karma bonus on this post, it should fly on its own merits. I'm not posting "AC," because if I'm out of line here, I'm willing to pay the price for it.)
--
Toro
This story is so inaccurate that it's not funny.
Let's start with the headline, Firefox 3 Antiphishing Sends Your URLs To Google. Anti-phishing is old hat. It's been around since the Firefox 2 launch last year. And by default it doesn't send URLs to Google. It checks them against a blacklist (automatically downloaded from Google around once every thirty minutes). It only sends URLs to Google for real-time checking if you explicitly enable it. When you turn on this option, a brief description of what gets sent to Google is displayed and you're asked to confirm that this is okay. You can also turn off the anti-phishing feature altogether, which prevents the download of the blacklist.
Anyway, that's old. The shiny new thing in Firefox 3 is malware protection (warning against sites that host viruses/spyware or try to exploit vulnerabilities in browsers/plug-ins). This only uses a downloaded blacklist (downloaded from Google, who have been collating this data as part of their StopBadware.org initiative); there is no mode that sends your URLs to Google.
There are some potentially controversial issues about the malware protection feature: there's currently no way to turn it off in the GUI and it's not possible to ignore the warning and visit the dodgy site anyway (you can ignore the phishing warnings). This does basically give Google a way to block access to any site in Firefox, which may be a matter for debate.
However, no URLs are sent to Google as part of the malware protection feature and URLs are only sent to Google for phishing protection if you explicitly enable it.
The article summary is basically codswallop.
All As far as I'm concerned, I do not think that Google Inc. should be polled in regards to malicious content held via Web sites. Google Inc., as has been written, stores a large amount of personal information as it is however allowing the Corporation to decide as to whether or not a Web site is malicious is controversial in my opinion. Google Inc. is not a Certificate Authority. The Corporation does not issue Personal Certificates nor indeed does it issue Server Certificates to verify the validity of a Web site; the aforementioned role is performed by Thawte Inc. and VeriSign Corp. amongst other Certificate Authorities. Opera ASA's Opera Web Browser boasts a dedicated AntiPhishing implementation via GeoTrust Corp. It is GeoTrust Corp who should validate the authenticity of a Server Certificate because of the fact that it is a Certificate Authority, it is its role. Google Inc. should not be either liaising with Certificate Authorities or performing its own validity implementation; Certificate Authorities are independent organizations, and because of the fact that Thawte Inc., VeriSign Corp. and GeoTrust Corp. are independent Corporations, it ensures that there is minimal risk in a Server Certificate being issued incorrectly or incorrectly interpreted as malicious in itself.
Can't see any comment on it.
The problem is that now:
* Google knows your searches
* Google reads your mail
* Google knows what parts of the world you're looking at
And so far, your statement is correct, they know everything about us, but they don't know much about intranets.
Not that it's enough as a security advice, but a *lot* of corporations use more or less open intranets, with a "weird" path in the url. Google will silently be collecting them.
Also, let's say a company (extremely bad, but extremely common) uses url parameters to identify company "objects" (orders, items, goods, financial reports etc)... All these "names" will be sent to google, even before the user gets to see the page.
What google is doing now, is preparing to get an enormous knowledge about how businesses all over the world, use their intranets, and if google turns from looking-good-but-silently-a-bit-evil into plain-evil, what will this information be used for? Downloading (public, therefore legally) information from the companies, since they know the companies' internal id's/names of the url parameters, or maybe just plain files.
Surely parts of this is already possible if the intranet *links* to the outside world from a sensitive url, but that's not as common. This case *Google* will get *each and every url path* employees (with this feature enabled) will visit. That's much worse than knowing how often Jon Doe reloads a fake nude pic of Britney. It's actually a whole lot scarier than what google knows today, which is scary enough.
From Gustaf, Sweden
Every time I read a Wikipedia article, Konqueror sends a packet to Wikipedia's servers. It's fucking creepy!
"Believe me!" -- Donald Trump
> Also saves your bandwidth.
Ah yes, good point. The 1MB of URLs per month that will be sent to Google will really eat into my unlimited bandwidth. I'd better download the "small" file of known phishing sites instead. I can't imagine that there could be that many URLs on it. 640 scam sites should be enough for anyone.
I'll probably be modded down for this...
If you want to be shocked and appalled, check out:
http://alert.bankofamerica.com/images/client/bankofamerica/email_masthead_top.jpg
Now figure out what's wrong with that URL. (Hint: use nslookup twice. Warning: You might fall out of your chair when you realize that 63.251.12.137 resolves as b35.par3.com.)
I've reported this to the real Bank of America three different ways last Monday: by email to the abuse@ address, by talking to a customer service rep on the 1-800 number, and by going to an actual bank lobby. It's still not fixed, and I got another phishing mail that uses that URL today, so I reported it again.
p.s. Mods, help me get this some publicity so it'll get fixed ASAP. Posting anonymously to avoid karma bonus.
Several sites I have visited, having found via a Google search, get flagged as dangerous. It seems that ANY site in Russia is flagged. If you never have stumbled upon one of Google's "Malware Warning" pages, they more or less block you from accessing the page. Sure, they give you the URL, and you can manually type it (or copy and paste) it into the address bar, but that's just annoying. Every time I've seen this page, it has been a false alarm, while Google happily links to thousands of obvious malware sites on more common and general searches.
A prime example that happened to me only a couple of weeks back while I was researching the Ural Wolf motorcycle. It was designed in cooperation with the Russian biker "gang" Night Wolves MG. Of course, Google flags the site as malware (so visit at your own risk).
Maybe with my Firefox with AdBlock and NoScript on FreeBSD combo, I'm safe from whatever nasty Windows targeted crud is on the site. Or maybe Google is just full of shit.
Beyond the inappropriate flagging of content concern, this moves Firefox deeper into the realm of bloatware. Quite honestly, "Google Anti-Phishing" belongs as an addon, not in the browser itself. I'm sure it would be hugely popular as a download, but instead will become the feature most often disabled by users.
Number of addresses on the net:
2^32 = 4 294 967 296
Info needed to white list an ip
1 bit
Size of a full white list:
2^32 bit = 512 megabytes
Number of Reserved IP addresses RFC3300:
(8 * (2^24)) + (4 * (2^16)) + (2^20) + (4 * (2^8)) + (2^15) + (2 * (2^28)) = 672 433 152
Number of bytes needed for a 1-to-1 white list
(2^32-672 433 152) / 8 = 430 megabytes
Bytes needed for a 64-to-1 white list
452 816 768 / 16 = 27 megabytes
if it passes the white list then don't send to google..
The issue is that a.) They could send the blacklist to us. Thus, ridding the logging they do of all our websites. b.) There is no privacy policy implemented, what are they going to do with our URL's? Are they going to combine it with our usernames? Are they going to keep the data?
>A "blacklist" of phishing sites needs to be stored somewhere, and you need to be able to do queries against it.
>
>It changes too fast, and is too large, for it to be stored locally.
It can be updated.
Example:
[1031939.139]
aaa.com
aab.com
aac.com
FF check version, only 1031939.139? Next version.
[1031939.140]
[1031939.141]
>Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?
>What will this mean? Probably that google will continue to improve their search engines, their advertising programs and other services, and they will all stay free.
>Damn, go smoke some more pot, you're not paranoid enough.
You're an idiot.
Read this:
http://yro.slashdot.org/article.pl?sid=07/07/10/2054219
Here's some quotes from the comments:
* If I'm not doing anything wrong, then you have no cause to watch me.
* Because the government gets to define what's wrong, and they keep changing the definition.
* Because you might do something wrong with my information.
* Who watches the watchers?
* Absolute power corrupts absolutely.
* arrest you because you have a history of doing it and they can now probably pin it on you
* get some big men in dark suits to accost you in the street and remind you that what you did on the 22nd March last year is now illegal
* Flag you for extra surveillance involving 24 hour watching on CCTV and a camera strategically positioned in your bathroom
* Put around the story that you did it before it was illegal and sociopathic perverts like you can't help themselves from doing it again now that it is illegal
>What about a user downloadable "Definition Update" for the Antiphishing engine similar to what scanning engines in Norton, McAfee, AVG, Ad-Aware, SS&D, etc.. do?
Exactly.
>...
>
>The best thing they could do, IMO, is to render every URL in the address bar with the domain in red BOLD letters. Then, on first-use of Firefox the user gets a popup balloon coming out of the address bar advising them to always keep an eye on the domain field. This has the added benefit of making SSL certificates worthwhile, since certificates only work if you pay attention to the domain you are connecting to.
>Teaching basic URL awareness also assumes that people who don't bother to spell correctly (or blithely click 'OK' on certificate warnings) will get what they deserve.
>This feature could make me switch away from Firefox.
Correct, there's a firefox extension that does this. I think it's called URL.
In ending, I agree with this guy.
All As far as I'm concerned, I do not think that Google Inc. should be polled in regards to malicious content held via Web sites. Google Inc., as has been written, stores a large amount of personal information as it is however allowing the Corporation to decide as to whether or not a Web site is malicious is controversial in my opinion. Google Inc. is not a Certificate Authority. The Corporation does not issue Personal Certificates nor indeed does it issue Server Certificates to verify the validity of a Web site; the aforementioned role is performed by Thawte Inc. and VeriSign Corp. amongst other Cer
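The versioned local list proposed in the comments above (ask the server only whether the list changed, download the changes, look every URL up locally), as an added sketch that is not Firefox's implementation. Integer versions stand in for numbers like 1031939.139, and the class names and in-memory "server" are constructed for the example.

```python
from urllib.parse import urlsplit


class ListServer:
    """Stand-in for the list provider, holding numbered deltas."""

    def __init__(self):
        self.deltas = []  # deltas[i] takes a client from version i to i + 1
        self.seen = []    # everything any client has ever sent to the server

    def publish(self, add=(), remove=()):
        self.deltas.append({"add": set(add), "remove": set(remove)})

    def fetch_since(self, client_version):
        # The request carries a version number and nothing else.
        self.seen.append(client_version)
        if not 0 <= client_version <= len(self.deltas):
            raise ValueError("unknown version, full resync required")
        return len(self.deltas), self.deltas[client_version:]


class LocalBlacklist:
    """Browser-side copy of the list; lookups never leave the machine."""

    def __init__(self):
        self.version = 0
        self.hosts = set()

    def update(self, server):
        latest, deltas = server.fetch_since(self.version)
        staged = set(self.hosts)
        for delta in deltas:  # apply in order, oldest first
            staged |= delta["add"]
            staged -= delta["remove"]
        # Swap in only after every delta applied, so a failed download
        # cannot leave a half-updated list behind.
        self.hosts, self.version = staged, latest
        return len(deltas)

    def is_listed(self, url):
        host = (urlsplit(url).hostname or "").lower()
        return host in self.hosts


def demo():
    server = ListServer()
    server.publish(add={"aaa.com", "aab.com", "aac.com"})  # version 1
    browser = LocalBlacklist()
    applied = [browser.update(server)]
    server.publish(add={"aad.com"}, remove={"aab.com"})    # version 2
    applied.append(browser.update(server))
    applied.append(browser.update(server))                 # nothing new
    urls = ("http://aaa.com/login", "http://aab.com/", "http://aad.com/x",
            "http://intranet.corp.example/orders?id=4711")
    verdicts = [browser.is_listed(u) for u in urls]
    return browser.version, applied, verdicts, server.seen


if __name__ == "__main__":
    print(demo())
```

The server's log ends up holding only the version numbers 0, 1 and 2; none of the four URLs checked ever appears in a request.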
MS currently transmits all this same info to their server. The difference is that with Google it is by choice, with MS, it is not your choice.
I prefer the "u" in honour as it seems to be missing these days.
It didn't last like that for long.
fencepost
just a little off
You have the option of using a downloaded list of possible phishing sites or Google. Personally, I don't have a problem using Google as they are probably more up to date than a list and, as far as them collecting more info on me, they already have my 'Web History' from my iGoogle page anyway. Hopefully, they will never turn on their users.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
par3.com is now 'the Varolii corporation', which looks to be a legitimate communications company, from their site: Currently, Varolii is partnered with six of the ten largest US banks and financial institutions, 25+ government departments and agencies, the five largest wireless companies, and four of the top ten PBMs and retail pharmacies.
It's kinda hard to verify URLs if you don't compare them to a massive database.
Is anyone surprised? How is it evil? The evil would only come from the data being misused. Obviously they NEED the data, or rather, the dudes running the database need it. That's not the evil part.
Beware: In C++, your friends can see your privates!
The image link given is from a phishing email, and the site that hosts the image is not Bank of America. If it was legit, the reverse DNS entry would say .bankofamerica.com instead of .par3.com.
Oh yeah, and they'd return an error code on deep linking to images.
Google have no information at the moment about what websites people go to, even though they run the biggest search engine on the planet. Get over it.
That extension looks interesting. I am not sure that removing the protocol is a good idea, though.
What do you think?
It's not really enough to just check the URL against some phishing database. The phishing sites now use unique URLs for each phish going out. Some even use unique subdomains. An example is http://onlinesession-949076872.natwest.com.nigy3r.cn.
We've been struggling with this for SiteTruth, which, among other things, uses PhishTank's data. Originally, we used PhishTank's online query API, but that required an exact match on the URL, which was useless. Now we download their entire database every few hours and blacklist the entire base domain (what you buy from a domain registrar) if there's a verified, active phishing site anywhere in the domain.
That seems reasonable enough. But there's collateral damage. So, most days, we have AOL, Microsoft Live, and Yahoo blacklisted. That's because those major sites have "open redirectors" - URLs which will redirect to any specified site. For example,
A convenient, easy to use redirection script popular with phishers. Provides a URL that appears to be on AOL, but isn't. Interestingly, AOL treats as spam any email that uses their own redirector URL. So it's only useful for attacking non-AOL users.
&rver=4.0.1532.0&lc=1033&id=64855
&ru=http:%2F%2Fby117w.bay117.mail.live.com%2Fmail%2Flogout.aspx%3Fredirect%3Dtrue
%26logouturl%3Dhttp:%2F%2F62.49.9.117:443/HB.onlineserv.cgi/
The "logout" page for Microsoft Live can be abused, with some effort, to make it appear as if some hostile site is on Microsoft Live. This looks like Microsoft tried "security through obscurity" and failed.
_ylu=X3oDMTE2ZXYybGFuBGNvbG8DdwRsA1dTMQRwb3MDMQRzZWMDc3IEdnRpZANpMDIxXzQ3/SIG=15j5u6auo/
EXP=1140214114/**http://hticketing.com/www.bankofamerica.com/sslencrypt218bit/online_banking/
A Yahoo redirector URL intended to create the illusion of a Bank of America site. It may be possible to exploit this as a cross site scripting attack.
These were all active phishing sites an hour or two ago.
Yes, arguably the intelligent user should be able to visually parse the URLs above and realize that they're not really on the sites indicated. Or notice that a redirection took place. But most users don't notice that. Neither do many anti-phishing tools, especially if the attacker combines both techniques described above.
Phishing has reached the point that if you have an open redirector or proxy on your web site, someone will use it to borrow your reputation for their scam. Open redirectors are now like open mail relays - a nice Internet feature that had to be shut down because of exploits.
So fix those open redirectors, people, or expect to be listed as a phishing-friendly site.
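The base-domain blacklisting and the open-redirector problem described in the comment above, as an added Python example that is not part of the original post or SiteTruth's code. It goes one step beyond the comment by charging the verdict to the redirect target rather than to the site hosting the redirector; the suffix set, the blacklist and the `.example`/`.test` URLs are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Assumption: a tiny constructed suffix set; real code needs the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
EMBEDDED_URL = re.compile(r"https?://([^/\s?#&*]+)", re.I)

def base_domain(host):
    """Registrable domain (what a registrar sells); IP literals are returned as-is."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def embedded_hosts(url):
    """Hosts of absolute URLs hidden in the path or query (redirect targets)."""
    parts = urlsplit(url)
    tail = parts.path + "?" + parts.query
    for _ in range(3):              # targets are often percent-encoded more than once
        tail = unquote(tail)
    return [m.group(1).split("@")[-1].split(":")[0]
            for m in EMBEDDED_URL.finditer(tail)]

def assess(url, blacklist):
    """Return (verdict, domain); a redirect is judged by its target's base domain."""
    outer = base_domain(urlsplit(url).hostname or "")
    if outer in blacklist:
        return ("block", outer)
    for host in embedded_hosts(url):
        target = base_domain(host)
        if target != outer:
            return ("block" if target in blacklist else "warn-redirect", target)
    return ("allow", outer)

if __name__ == "__main__":
    bad = {"nigy3r.cn", "phish.test"}          # constructed blacklist
    for u in ("http://onlinesession-949076872.natwest.com.nigy3r.cn/",
              "http://redirector.example/r?u=http%3A%2F%2Fbank.example.phish.test%2F",
              "http://www.shop.co.uk/item?id=3"):
        print(assess(u, bad), u)
```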
The anti-email spam guys figured out a distributed way to publish blacklists for IPs AND domains years ago.
Use DNS.
I assume that spamhaus.org et al. are using a customized DNS server, but whatever it is, it works reasonably well. For those who've never had to flag spam using a DNSBL, the gist is that the spam scrubber gets the IP address of a website via a "normal" DNS lookup, then runs the IP or host name against the DNS blacklist by looking up a coded host name, something like: blacklist.spamhaus.org.xxx.xxx.xxx.xxx. (I don't have the format memorized, so the syntax is probably wrong). Depending on how that special DNS lookup resolves, it's either spam or probable spam, or not listed.
This has the benefit of being anonymous (more or less) and distributed and mostly time-tested.
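The lookup sketched in the comment above follows the DNSBL convention documented in RFC 5782: reverse the IPv4 octets (or IPv6 nibbles), append the list's zone, and treat an answer in 127.0.0.0/8 as "listed" and NXDOMAIN as "not listed". This is an added Python example, not part of the original post; the zone `dnsbl.example` and the records in the demo are constructed.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(item, zone):
    """Name to look up: reversed address labels (or the domain itself) + zone."""
    try:
        ip = ipaddress.ip_address(item)
    except ValueError:
        return item.lower().rstrip(".") + "." + zone        # domain-based list
    if ip.version == 4:
        labels = reversed(str(ip).split("."))                # octets, reversed
    else:
        labels = reversed(ip.exploded.replace(":", ""))      # 32 nibbles, reversed
    return ".".join(labels) + "." + zone

def system_resolve(name):
    """A records via the system resolver; an empty list means NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check(item, zone, resolve=system_resolve):
    """Look the item up; the return code in 127.0.0.0/8 says why it is listed."""
    answers = resolve(dnsbl_query_name(item, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    return {"listed": bool(codes), "codes": codes}

if __name__ == "__main__":
    # Constructed zone data standing in for a real list, so the demo runs offline.
    fake_zone = {"99.2.0.192.dnsbl.example": ["127.0.0.2"],
                 "phish.test.dnsbl.example": ["127.0.0.4"]}
    lookup = lambda name: fake_zone.get(name, [])
    for item in ("192.0.2.99", "192.0.2.1", "phish.test"):
        print(item, dnsbl_query_name(item, "dnsbl.example"),
              check(item, "dnsbl.example", lookup))
```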
And on both it's disabled by default. You people are sheep.
What's the point of focusing with Firefox v3 as it is already here with FFv2? Just take a look at your preferences, in the security tab. You got the choice whether to check for suspected forgery or not and if so, to look against a downloaded list or to give your privacy to some organization (Google is the only one listed). So is this news? Maybe I missed something?
I can think of a certain company, let's call it "macrohard", that could learn a thing or two from Google. You see, when you play nice with open source you reap all kinds of benefits!
To be honest, I don't actually mind. If the end result is a safer browsing experience, and my personal information is not isolated and used by individuals, then I support the measure. It's good to see Google working with Open Source Software initiatives.
What happens if Google chooses to be malicious? Do we suddenly get msn.com coming up as phishing? In other words, why does a company so powerful get to basically censor us from viewing sites (even though it's turned off by default)? Assuming the "we do no evil"... Another thought, Google has the power to store this history and basically create some sort of metric to determine how clued in you are to internet use. For example, by simply computing the average pagerank of sites you visit, you might possibly determine that a user goes to well established sites and is therefore less likely to become a phishing target. How does this help Google? I don't know...
Read student loan information quickly.
also knows every domain you query unless you have a caching server. Do you ever read their terms of use/eula to see what they do with that?
You want fun, go home and buy a monkey!
Great post - very informative.
Seems to me that we need a redirection block (if that is possible) whereby the browser doesn't accept a redirection without a user prompt (unless the redirection is whitelisted).
That would seem to be the way that you could nuke redirection - at the web browser. (I presume that redirection requires the browser to accept a request for redirection)
Michael
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
Firefox 2 sends your URLs to Google if you turn on the feature. It's right there in the preferences, under security. It's even clearly marked to indicate that's what it does: "Tell me if the site I'm visiting is a suspected forgery > Check by asking [Google] about each site I visit" So how is the new Firefox more evil?
I don't care, but don't let that stop you from trying to tell me anyway.
I like your idea, but don't like requiring two steps. How about we make it into one by taking a one-way hash function of the URL of suspect sites and using it as the key to a sparsely populated but fairly small hash table (say, a million entries). When Google finds a bad domain, they put it into the appropriate row in the hash table (concatenating with all the ones already there). When I check a URL, I say "Yo Google, give me row 0xDEADBEEF", and then I iterate through the handful of entries I just got back to check against my URL. Can Google reverse from 0xDEADBEEF back to the site I am visiting? No, because there are only a million buckets in the hash table, and there would be thousands of sites in that bucket if I were recording all legitimate sites, ranging from www.vatican.va to www.ienjoylickingstrawberryjamoffgoats.com and everything in between, with no rhyme or reason to the categorizations.
You can expire the domains in the hash table after they've been down for 6 months, to save bandwidth on the requests.
P.S. Thank you, observant Slashdot reader, I know 0xDEADBEEF is more than a million. But I like old bad jokes.
Help poke pirates in the eyepatch, arr.
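The bucketed lookup proposed in the comment above, as an added Python sketch that is not part of the original post: the client reveals only a row number, fetches that row, and compares locally. SHA-256, the class and function names, and the `.example`/`.test` domains are assumptions; `candidates` shows what an operator holding a list of known domains could still narrow a row number down to.

```python
import hashlib

def bucket_of(domain, buckets=1_000_000):
    """One-way hash of the domain, reduced to a row number in the sparse table."""
    digest = hashlib.sha256(domain.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % buckets

class ListServer:
    """The operator's side: a sparse table of rows, each holding bad domains."""
    def __init__(self, buckets=1_000_000):
        self.buckets = buckets
        self.rows = {}      # row number -> list of bad domains
        self.seen = []      # everything a client request reveals to the server

    def add_bad(self, domain):
        row = bucket_of(domain, self.buckets)
        self.rows.setdefault(row, []).append(domain.lower())

    def get_row(self, row):
        self.seen.append(row)            # only the row number is ever sent
        return list(self.rows.get(row, []))

def is_flagged(domain, server):
    """Client side: fetch one row, then do the exact comparison locally."""
    row = server.get_row(bucket_of(domain, server.buckets))
    return domain.lower() in row

def candidates(row, known_domains, buckets):
    """Known domains that map to a row: the client's anonymity set."""
    return [d for d in known_domains if bucket_of(d, buckets) == row]

if __name__ == "__main__":
    server = ListServer()
    server.add_bad("phish.test")                          # constructed entry
    print(is_flagged("phish.test", server), is_flagged("benign.example", server))
    print("server saw:", server.seen)
    # With few known domains per row the row number narrows things a lot,
    # so the privacy argument depends on many sites sharing each row.
    known = [f"site{i}.example" for i in range(200)]      # constructed population
    print(len(candidates(bucket_of("site7.example", 16), known, 16)))
```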
Go to google and type "linux" (without the quotes). I get 320 million results back.
Go to ask.com and type "linux" (without quotes). I get 180.9 million results back.
The question you have to ask yourself is this - how many 100 million results do I really need? If you don't like Google - use a different search engine.
If you don't like Firefox, use a different browser.
What if the URL I'm visiting is a "secret"? Some of the URLs that I use for work are not linked to by anyone else so that Google will never track it so that other labs won't have access to our programs/files. Will this feature just track all URLs and give the world access to things it should not have access to?
Remember the Train Job? They were en route to Paradiso...with MALware, to steal a crate of pascaline-D to keep the miners healthy...and wound up taking the load back to the sheriff.
God, I miss that show. But a day with this kinda pun? Enjoyable.
--- For a good time mail uce@ftc.gov
It only sends hashed URLs. Would you prefer no phishing protection for all the idiots out there?
I don't know all the nuts and bolts of redirection, but from the examples above, I think that your browser really is connected to the phishing site via AOL, Live, or Yahoo, so that solution would not work. Well, maybe it can choke on links that seem to have domains or URLs embedded in them.
To wit "As we were discussing, Gran Paradiso -- the latest version of Firefox -- is nearing release."
They have not fixed the infamous "untitled window" problem, which is pretty clearly defined at this state. I believe that problem has been documented for over 3 years! I can also take Firefox down in a number of ways by simply ulimiting the amount of available memory.
Any individual who views "Gran Paradiso", as it currently exists as a "quality product" should be put up on stake in Yugoslavia, Romania, *wherever*, and I will be more than happy to fire bullets as they are slowly being impaled.
I made a similar observation at Oracle over 20 years ago; it worked pretty well then, but now people may be more comfortable with being impaled. Or perhaps they are simply more comfortable with releasing crap.
Assertion. Release a new version of Firefox when you have all of the old bugs fixed. Otherwise you are playing off of the developer egos to release the next "new great thing" --- and they are so transparent to some of us who have been around for a while.
FYI: It is NOT enabled by default in Opera.
Options - [uncheck] Enable Meta Refresh
I found this browser off of http://tinyapps.org/ years ago, and it's a great minimalist browser.
They can convert all links to lowercase and then hash them. Easy ;-)