Firefox 3 Antiphishing Sends Your URLs To Google

iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."

Not new.

[garbletext]

This is a non-story. The ability to ask google about phishing has existed since 2.0, and was disabled then as well. Not that telling google every site you visit is a good thing.

Re:Not new.

Firefox 2 indeed has such a setting.
[ ] Tell me if the site I'm visiting is a suspected forgery
      (*) Check using a downloaded list of suspected sites
      ( ) Check by asking [Google] about each site I visit

And heck, when I try to enable Check by asking Google... a window asking me to accept or reject the terms of service comes up! It says exactly this:
"If you choose to check with Google about each site you visit, Google will receive the URLs of pages you visit for evaluation. When you click to accept, reject, or close the warning message that Phishing Protection gives you about a suspicious page, Google will log your action and the URL of the page. Google will receive standard log information, including a cookie, as part of this process. Google will not associate the information that Phishing Protection logs with other personal information about you. However, it is possible that a URL sent to Google may itself contain personal information. Please see the Google Privacy Policy for more information."
With two choices, accept or reject the terms of service, or I can cancel and it leaves it on my previous setting.

I wonder if Firefox 3 does the same, eh?

Re:Does a master list exist?

[42forty-two42]

By default firefox does not send URLs to google. It downloads a static list from google periodically, and checks against that.

Already there

[Todd+Knarr]

It's already in the version of Firefox I'm using, 2.0.0.6 downloaded directly from Mozilla's web site. In fact you've got the choice to enable it or leave it disabled, and if you enable it you've got the choice between downloading a list and doing the check internally or checking each URL interactively with a service (currently Google's the only one in the list, but more could easily be added).

Re:Really a fair deal?

[ronanbear]

Actually, it does explain it pretty well on FF2. If they changed that it would be news.

Did I miss the memo?

[LMacG]

Is this tin foil hat day or what? This isn't a new feature in FF3, it's already in FF2.

Wait, maybe it's sending server dumps and some developer said "if you don't like it, fork it." That must be it.

Do we get a "this is a non-story" correction to this post too?

Re:Did I miss the memo?

[Tim+C]

The difference appears to be that while FF2 periodically downloads a list from google, FF3 uploads every URL you visit.

The feature itself may not be new, but the implementation certainly seems to be.

Salt won't help you.

[SanityInAnarchy]

Salt helps for things like passwords, where two users with the same password will have it appear differently in the password file.

It makes no sense here. It would prevent a third-party from intercepting your browsing history -- but then, they can do that anyway, by simply being your ISP.

But if Google has the list of malware sites, obviously they know that foo.com resolves to a particular hash (with a particular salt). The only way this could possibly work is if Google stored a separate list for each user, each with its own salt, which would still require you trusting Google to be doing this and not to be keeping a mapping of hash+salt -> website.

There is no way hashes can solve this problem. The only solution is to either be smart, so you don't need a blacklist, or to download the entire blacklist periodically, which is an option, but not everyone likes it.

Re:And Google does it again!

[LMacG]

Ah, you mean the way it already works, then? Good idea!

No kidding

[Kelson]

The article is about as informative as one of those "Your computer is broadcasting an IP Address!" banners.

For the record:

• As you point out, Firefox 2 already does this, and it's disabled by default.
• IE7 does the same thing with servers at Microsoft. Disabled by default, but strongly encourages you to turn it on.
• Opera 9 does the same thing with servers at Opera. Enabled by default, IIRC, but can be turned off.
• Isn't Safari 3 supposed to get similar anti-phishing capabilities?

Re:Really a fair deal?

[xlv]

Actually, it does explain it pretty well on FF2. If they changed that it would be news.

FYI, here's the text in the popup for Firefox 2.0.0.7:

If you choose to check with Google about each site you visit, Google will receive the URLs of pages you visit for evaluation. When you click to accept, reject, or close the warning message that Phishing Protection gives you about a suspicious page, Google will log your action and the URL of the page. Google will receive standard log information, including a cookie, as part of this process. Google will not associate the information that Phishing Protection logs with other personal information about you. However, it is possible that a URL sent to Google may itself contain personal information. Please see the Google Privacy Policy for more information.

Phishing detection by unique URL no longer works.

[Animats]

It's not really enough to just check the URL against some phishing database. The phishing sites now use unique URLs for each phish going out. Some even use unique subdomains. An example is http://onlinesession-949076872.natwest.com.nigy3r.cn.

We've been struggling with this for SiteTruth, which, among other things, uses PhishTank's data. Originally, we used PhishTank's online query API, but that required an exact match on the URL, which was useless. Now we download their entire database every few hours and blacklist the entire base domain (what you buy from a domain registrar) if there's a verified, active phishing site anywhere in the domain.

That seems reasonable enough. But there's collateral damage. So, most days, we have AOL, Microsoft Live, and Yahoo blacklisted. That's because those major sites have "open redirectors" - URLs which will redirect to any specified site. For example,

• http://r.aol.com/cgi/redir?http://mgw1.haoyisheng.com/icons/asp.html
  A convenient, easy to use redirection script popular with phishers. Provides a URL that appears to be on AOL, but isn't. Interestingly, AOL treats as spam any email that uses their own redirector URL. So it's only useful for attacking non-AOL users.
• http://login.live.com/logout.srf?ct=1179231565
  &rver=4.0.1532.0&lc=1033&id=64855
  &ru=http:%2F%2Fby117w.bay117.mail.live.com%2Fmail%2Flogout.aspx%3Fredirect%3Dtrue
  %26logouturl%3Dhttp:%2F%2F62.49.9.117:443/HB.onlineserv.cgi/
  The "logout" page for Microsoft Live can be abused, with some effort, to make it appear as if some hostile site is on Microsoft Live. This looks like Microsoft tried "security through obscurity" and failed.
• http://rds.yahoo.com/_ylt=A0Je5VTi9_RDDbAA3TJXNyoA;
  _ylu=X3oDMTE2ZXYybGFuBGNvbG8DdwRsA1dTMQRwb3MDMQRzZWMDc3IEdnRpZANpMDIxXzQ3/SIG=15j5u6auo/
  EXP=1140214114/**http://hticketing.com/www.bankofamerica.com/sslencrypt218bit/online_banking/
  A Yahoo redirector URL intended to create the illusion of a Bank of America site. It may be possible to exploit this as a cross site scripting attack.

These were all active phishing sites an hour or two ago.

Yes, arguably the intelligent user should be able to visually parse the URLs above and realize that they're not really on the sites indicated. Or notice that a redirection took place. But most users don't notice that. Neither do many anti-phishing tools, especially if the attacker combines both techniques described above.

Phishing has reached the point that if you have an open redirector or proxy on your web site, someone will use it to borrow your reputation for their scam. Open redirectors are now like open mail relays - a nice Internet feature that had to be shut down because of exploits.

So fix those open redirectors, people, or expect to be listed as a phishing-friendly site.