Slashdot Mirror
Firefox 3 Antiphishing Sends Your URLs To Google
iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."
Does anybody remember Google Web Accelerator? This also came out with the 'selling point' that it would help the customer:
http://slashdot.org/article.pl?sid=05/05/04/2223238&tid=217
Google has your mail. They have your searches. Now they are going for your browsing history.
Add it all together and you have a lot of business intelligence. Time to target consumers and influence opinions?
Smart yes, but still quite scary.
What information are they going to collect next? What are they doing with all the information that they are already collecting?
It could be worse, it could be Monday.
This is a non-story. The ability to ask google about phishing has existed since 2.0, and was disabled then as well. Not that telling google every site you visit is a good thing.
By default firefox does not send URLs to google. It downloads a static list from google periodically, and checks against that.
A "blacklist" of phishing sites needs to be stored somewhere, and you need to be able to do queries against it.
It changes too fast, and is too large, for it to be stored locally.
So SOMEBODY needs to provide a database interface to it, and unless you are willing to tolerate the voodoo cryptography and serious performance penalty to do privacy-preserving searches, how else is this supposed to be done?
Test your net with Netalyzr
Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?
What will this mean? Probably that google will continue to improve their search engines, their advertising programs and other services, and they will all stay free.
Damn, go smoke some more pot, your not paranoid enough.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
It's already in the version of Firefox I'm using, 2.0.0.6 downloaded directly from Mozilla's web site. In fact you've got the choice to enable it or leave it disabled, and if you enable it you've got the choice between downloading a list and doing the check internally or checking each URL interactively with a service (currently Google's the only one in the list, but more could easily be added).
Google are going to find out what websites are popular. That's information that they simply couldn't otherwise find out unless they ... oooh ... operated the world's most popular search engine.
Everybody panic!
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Breaking news: Cheese gives you cancer!!
Oh wait, no it doesn't... You might still get cancer though...
Fair deal? Not to worry -- the feature is disabled by default."
But does the "enable" interface inform the user that Google gets their browsing history as a side-effect of providing the blacklist?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It seems to me that the users who most need anti-phishing protection are the ones least likely to change their defaults.
I bet we wouldn't have half the problems we do now if people just stopped automatically trusting everything they see.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Is this tin foil hat day or what? This isn't a new feature in FF3, it's already in FF2.
Wait, maybe it's sending server dumps and some developer said "if you don't like it, fork it." That must be it.
Do we get a "this is a non-story" correction to this post too?
Slightly disreputable, albeit gregarious
Salt helps for things like passwords, where two users with the same password will have it appear differently in the password file.
It makes no sense here. It would prevent a third-party from intercepting your browsing history -- but then, they can do that anyway, by simply being your ISP.
But if Google has the list of malware sites, obviously they know that foo.com resolves to a particular hash (with a particular salt). The only way this could possibly work is if Google stored a separate list for each user, each with its own salt, which would still require you trusting Google to be doing this and not to be keeping a mapping of hash+salt -> website.
There is no way hashes can solve this problem. The only solution is to either be smart, so you don't need a blacklist, or to download the entire blacklist periodically, which is an option, but not everyone likes it.
Don't thank God, thank a doctor!
The way the laws are these days, even if you're Mother Teresa, you're probably doing something illegal, even if you don't think of it as illegal or even realize it. (Ever downloaded VLC or Handbrake? Bought discount smokes? Played a little online poker? Bought something without paying your state's sales tax?) Sure, the FBI normally has bigger fish to fry than you and me, but there's no reason that'll always be the case. The tools that are used for terrorism now will be used for narcotics tomorrow, and copyright enforcement the day after that, and eventually it'll trickle down until it's being used against something you're doing. And information compiled in databases has a tendency to stick around (at least, when it's not being misplaced or stolen). Your browsing habits today could come back to seriously haunt you in a decade or two.
And it's not just the government that you have to worry about, or Google's official policy as a corporation. You also have to consider how much the people who actually deal with this data are paid. How much would it cost to get one of them to give someone malicious access to the database? A whole lot less than the database would be worth, I suspect. Even if you're not doing anything illegal (which, again, I doubt; most people break a half-dozen laws before they get to work in the morning), you're a rare person if there's not something going on in your life that you'd prefer to keep private. Medical conditions, sexual preferences
There aren't really any analogues in the pre-computer world to the size and scope of databases like Google's, in terms of both the breadth and depth of information it could contain on individuals. This is not something that we have much societal experience with, and the limited track record we do have is decidedly mixed. It's not especially paranoid to want to take a "wait and see" approach.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The people who have no idea about about extensions and plugins(the average user), are the people who want the anti-fishing features. Being the more advanced user, it is far easier for you to turn it off than it is for the average user to seek, install, and maintain(update) a plugin.
I would agree that it is annoying for me as well though - I do not need the help of the browser to ward off phishing, especially at the cost of a performance hit. That said, Firefox is not a pet project of the geek world anymore. FF is aggressively seeking the mind and market share of the everyday user, so they must produce a product those users want. Outside of security, what is the real benefit of abandoning IE6 and more importantly IE7? Pages rendering correctly/standard compliance is not an issue with the average user, not in the least. So that only really leaves security, interface/usability, and I suppose can throw in the great extension selection as a motivator to switch as well. This is a move in the direction of better security to offer its users who value it.
Invexi - a Phoenix, AZ based web design and web development company.
- As others have pointed out, there's nothing innately wrong with using Google for antiphishing. They have a large userbase, and can easily detect a mass of users flocking to a really sketchy site. Would it be a huge deal if they plugged into PhishTank?
- The submission does reflect this, but the feature isn't on by default. Instead, Firefox appears to use a static master black list that it redownloads periodically.
- I can't trigger it now, but I'm pretty sure that you're asked to confirm when you select Google that you're aware of the URL sending and other various privacy implications. The user will not be uninformed when they make this choice
- The feature is already present in Firefox 2. It is not new to Firefox 3. It's been well publicized before, and there haven't been any major problems since.
This is a pretty stupid low to go for some anti-Google hits.The article is about as informative as one of those "Your computer is broadcasting an IP Address!" banners.
For the record:
I am legitimately not trying to troll here.
Could Slashdot editors please have a group discussion about accuracy and integrity in journalism? First it was the WordPress piece, that was rightly amended, and now there's this. Both deal with a fear that "someone" is spying on us. Anyone who deals with computer security deals with that fear on a regular basis, but those fears should not be expressed in the journalism: Facts should.
As many have mentioned, this feature can be found in the Firefox 2.0.0.7 security tab under "Tell me if the site I'm visiting is a suspected forgery." The summary is flat-out misleading, and contains links to a general page about all Firefox 3 features (which does not mention Google in the slightest), and the entire discussion about Firefox 2 memory leaks, not the relevant posts the author seems to reference.
There literally is no "FA" to "R" in the first place, and the summary is inaccurate, not only in its facts, but because it is summarizing nothing.
This editorial behavior gives Slashdot a bad name, and moves it a step towards the irrelevancy of The National Inquirer. I've been bringing buckets of salt to take with this site in the past weeks, and would like to see these trends reversed.
Please discuss it.
(I've shut off the Karma bonus on this post, it should fly on its own merits. I'm not posting "AC," because if I'm out of line here, I'm willing to pay the price for it.)
--
Toro
In firefox 2.0, if you look in preferences > security, there are two options for antiphishing. One is the "use a downloaded list" option, and the other is the "check by asking google for each site I visit". But the word google is a dropdown box - it appears that there will eventually be more choices, but they haven't made deals with (or been offered money from, depending on how cynical you are) other providers yet.
MS-DOS: Most Severe Denial of Service
Free Online Backup
It's kinda hard to verify URL's if you don't compare them to a massive database.
Is anyone surprised? How is it evil? The evil would only come from the data being misused. Obviously they NEED the data, or rather, the dudes running the database need it. That's not the evil part.
Beware: In C++, your friends can see your privates!
It's not really enough to just check the URL against some phishing database. The phishing sites now use unique URLs for each phish going out. Some even use unique subdomains. An example is http://onlinesession-949076872.natwest.com.nigy3r.cn.
We've been struggling with this for SiteTruth, which, among other things, uses PhishTank's data. Originally, we used PhishTank's online query API, but that required an exact match on the URL, which was useless. Now we download their entire database every few hours and blacklist the entire base domain (what you buy from a domain registrar) if there's a verified, active phishing site anywhere in the domain.
That seems reasonable enough. But there's collateral damage. So, most days, we have AOL, Microsoft Live, and Yahoo blacklisted. That's because those major sites have "open redirectors" - URLs which will redirect to any specified site. For example,
A convenient, easy to use redirection script popular with phishers. Provides a URL that appears to be on AOL, but isn't. Interestingly, AOL treats as spam any email that uses their own redirector URL. So it's only useful for attacking non-AOL users.
&rver=4.0.1532.0&lc=1033&id=64855
&ru=http:%2F%2Fby117w.bay117.mail.live.com%2Fmail%2Flogout.aspx%3Fredirect%3Dtrue
%26logouturl%3Dhttp:%2F%2F62.49.9.117:443/HB.onlineserv.cgi/
The "logout" page for Microsoft Live can be abused, with some effort, to make it appear as if some hostile site is on Microsoft Live. This looks like Microsoft tried "security through obscurity" and failed.
_ylu=X3oDMTE2ZXYybGFuBGNvbG8DdwRsA1dTMQRwb3MDMQRzZWMDc3IEdnRpZANpMDIxXzQ3/SIG=15j5u6auo/
EXP=1140214114/**http://hticketing.com/www.bankofamerica.com/sslencrypt218bit/online_banking/
A Yahoo redirector URL intended to create the illusion of a Bank of America site. It may be possible to exploit this as a cross site scripting attack.
These were all active phishing sites an hour or two ago.
Yes, arguably the intelligent user should be able to visually parse the URLs above and realize that they're not really on the sites indicated. Or notice that a redirection took place. But most users don't notice that. Neither do many anti-phishing tools, especially if the attacker combines both techniques described above.
Phishing has reached the point that if you have an open redirector or proxy on your web site, someone will use it to borrow your reputation for their scam. Open redirectors are now like open mail relays - a nice Internet feature that had to be shut down because of exploits.
So fix those open redirectors, people, or expect to be listed as a phishing-friendly site.