Firefox 3 Antiphishing Sends Your URLs To Google
iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."
Does anybody remember Google Web Accelerator? This also came out with the 'selling point' that it would help the customer:
http://slashdot.org/article.pl?sid=05/05/04/2223238&tid=217
Google has your mail. They have your searches. Now they are going for your browsing history.
Add it all together and you have a lot of business intelligence. Time to target consumers and influence opinions?
Smart yes, but still quite scary.
What information are they going to collect next? What are they doing with all the information that they are already collecting?
It could be worse, it could be Monday.
Yes, but my thought would be to modify the feature so that you can pick the "carrier" for the feature... Meaning, have several instead of just using Google only...
If you're going to do it interactively, why not use a hash of the URL (or the domain name/port) instead of sending the URL itself? Then even with live checking, Google would only know which sites you went to if they were a match in their list of bad guys.
You could do it by providing a bloom filter to the browser, and then when there is a match, the browser could download a certain subset of the blacklist to verify that the match is not a false positive.
http://outcampaign.org/
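The Bloom-filter flow proposed in the comment above, as an added Python example that is not part of any poster's comment or of Firefox's code: the browser answers most lookups locally and contacts the provider only on a filter match, sending a short hash prefix rather than the URL. The blacklist entries, the `server_bucket` endpoint and the 16-bit prefix length are assumptions made for illustration.

```python
import hashlib

def full_hash(url):
    return hashlib.sha256(url.encode()).hexdigest()

class Bloom:
    """Bit array of m bits with k probes per item; never gives false negatives."""
    def __init__(self, m, k, items=()):
        self.m, self.k, self.bits = m, k, 0
        for item in items:
            for p in self._probes(item):
                self.bits |= 1 << p

    def _probes(self, item):
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1   # odd step (double hashing)
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def __contains__(self, item):
        return all(self.bits >> p & 1 for p in self._probes(item))

# Constructed sample blacklist held by the list provider.
BLACKLIST = ["http://thief.example/login.html", "http://phish.example/bank/"]

def server_bucket(prefix):
    """Hypothetical provider endpoint: full hashes of listed URLs sharing a prefix."""
    return {h for h in map(full_hash, BLACKLIST) if h.startswith(prefix)}

def check(url, bloom, sent):
    """Return a verdict; `sent` records everything that leaves the browser."""
    if url not in bloom:
        return "clean"                  # decided locally, nothing sent
    prefix = full_hash(url)[:4]         # 16-bit bucket id, shared by many URLs
    sent.append(prefix)
    hit = full_hash(url) in server_bucket(prefix)
    return "blocked" if hit else "false-positive"

def first_url(bloom, want_in_filter):
    """Find a constructed, unlisted URL that is (or is not) a filter match."""
    for i in range(1_000_000):
        url = f"http://site{i}.example/"
        if (url in bloom) == want_in_filter:
            return url

tiny = Bloom(m=64, k=2, items=BLACKLIST)   # deliberately small to force collisions
```

A production filter would be sized so that false positives are rare; the 64-bit filter here exists only so that `first_url(tiny, True)` can find one and exercise the verification step.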
Because http://thief.com/login.html and http://thief.com/Login.html both hash to radically different values, but both have in the plaintext a characteristic fingerprint of a phishing attempt. A service that gets the plaintext can trivially identify both, but a service that only gets a hash would be fooled by the second if it only had seen the first before.
Considering that Google is one of the major sponsors of FF, I'm not amazed. Sending the addresses to Yahoo, or MSN, well THAT would be newz.
Like every other feature I think you should be given the option of choosing where you get taken to, if anywhere. For example if I have my own anti-phishing web site then I should be able to choose that.
I support Google for many things, but I am getting more insecure about their privacy issues.
Jumpstart the tartan drive.
I agree with the extensions, sort of, but it's not a perfect system. Sometimes it's easier, more efficient, or more stable (i.e. easier to test interoperability) to build the functionality directly into the browser, and the average user (the kind of user that would like this functionality) still isn't very comfortable with extensions. And rightly so; most Firefox extensions are very buggy. Perhaps it would be useful if the Firefox team started developing first-party extensions, and made it easier to install them. For instance, the option we're discussing could have no code in the core browser, but when you turn it on it prompts the user with a dialog that says "Firefox needs to download an extension to enable this feature. Would you like to continue?"
The details are trivial and useless; The reasons, as always, purely human ones.
In Firefox 2.0, if you look in preferences > security, there are two options for antiphishing. One is the "use a downloaded list" option, and the other is the "check by asking Google for each site I visit". But the word Google is a dropdown box - it appears that there will eventually be more choices, but they haven't made deals with (or been offered money from, depending on how cynical you are) other providers yet.
MS-DOS: Most Severe Denial of Service
Free Online Backup
Yes, if you assume that the only active protection is a 1:1 URL-to-badness mapping. That may be accurate right now, I'm not sure, but it likely won't last very long.
For example, I probably wouldn't blacklist aol.com for some phishing pages on their domains because it's casting too large a net, but I might well do it for pages on evilhackerzphishingyourssn.com. It's trivial to set up anyrandomcombination.somedomain.com to show the same pages. Do I send a hash of the URL, then one of the domain, then one of the subdomain, then one of the sub-subdomain? Where do I stop? What about URLs with the same problems? Am I hashing just the domain, or a specific URL to a page on a domain?
Without a way to examine the incoming data in a more meaningful way than "yes, I have seen this before" your level of protection is going to drop. It would not be hard to generate a unique URL in every phishing email (another poster says this already happens) and if all we're sending back is hashes there's no way for Google or whoever is running a list to notice. If those hashes are reversible, then there's really no added privacy at all -- particularly since they would be un-hashing them automatically to check for these sorts of things anyway.
Like I said, I'm not sure that Google actually does any of this yet, but as with spam it is essentially an arms race. If the phishers haven't pushed them there yet, they likely will soon.
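One bounded answer to the "where do I stop?" question in the comment above, and to the earlier login.html / Login.html objection, as an added Python example that is not part of any poster's comment: the client hashes a fixed set of host-suffix and path-prefix expressions for each URL, so a single host-level or directory-level list entry matches every variant beneath it. The `.example` hostnames are constructed stand-ins, and stopping at two host labels is an assumption that approximates the registered domain.

```python
import hashlib
from urllib.parse import urlsplit

def lookup_expressions(url, max_hosts=5, max_dirs=3):
    """Bounded list of host-suffix + path-prefix strings to hash for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")      # .hostname is already lowercased
    labels = host.split(".")
    # Full host, then shorter suffixes; never fewer than two labels (assumption:
    # a real client would consult the public suffix list instead).
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    hosts = hosts[:1] + hosts[1:][-(max_hosts - 1):]
    path = parts.path or "/"
    paths = ["/"]
    for segment in path.split("/")[1:-1][:max_dirs]:   # directory prefixes
        paths.append(paths[-1] + segment + "/")
    paths.append(path)                                  # exact path, case preserved
    if parts.query:
        paths.append(path + "?" + parts.query)
    return [h + p for h in hosts for p in dict.fromkeys(paths)]

def digest(expression):
    return hashlib.sha256(expression.encode()).hexdigest()

def is_listed(url, listed_hashes):
    """True if any expression derived from the URL hashes to a list entry."""
    return any(digest(e) in listed_hashes for e in lookup_expressions(url))

# Constructed list entries; the provider publishes only the hashes.
PAGE_ENTRY = {digest("thief.example/login.html")}     # one exact page
HOST_ENTRY = {digest("thief.example/")}               # a whole throwaway domain
DIR_ENTRY = {digest("aol.example/members/phish/")}    # one directory on a big host

VARIANT = "http://x9f3.a.thief.example/Login.html?id=77"  # random subdomain, unique query
```

With `PAGE_ENTRY` the capitalised variant is missed, which is the failure the earlier comment describes; with `HOST_ENTRY` every subdomain, path and query string under the domain matches, and `DIR_ENTRY` blocks one directory without listing the rest of a large host.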
Would "informed consent" include checking the box next to "tell me if the site I'm visiting is a suspected forgery," then ticking the radio button next to "Check by asking [_______] about each site I visit" and selecting Google? (As opposed to either not ticking the "tell me" box or choosing the first radio button, "check using a downloaded list of suspected sites.")
Even the summary noted that this feature is off by default. I consider it fairly informed and definitely consent just by ticking those options, and if they want to be fully informed there is nothing stopping them from checking up on the privacy policies of any of the "ask [____]" options they might choose to use.
Well to use your smug bluntness: Wrong.
If you go out of your way to agree to let me do something, my doing it is not evil. If you require a contract controlling what happens to the private information, either I provide one or I don't and your opt-in to the service is still your choice. It is not evil in the slightest. If you don't like it, hey, cool. Don't opt in by checking the box or telling it to ask Google. The assumption that those who do must just be too stupid or are getting fleeced is pure arrogance.