Slashdot Mirror


Google Goofs On Firefox's Anti-Phishing List

Stephen writes "While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea. Today Google blocked a host of legitimate web sites by listing mine.nu. mine.nu is available as a dynamic DNS domain and anybody can claim a sub-domain. All sub-domains are blocked regardless of whether phishing actually occurs on the sub-domain or not. Several Linux enthusiast sites are caught up in the net including Hostfile Ad Blocking and Berry Linux Bootable CD."

1 of 168 comments

  1. Remote monitoring possibilities by fph il quozientatore · Score: 0, Troll
    Actually, it is even more scary than this. Have a look at the protocol; here's how it works:

    1- Firefox automatically downloads a list of 32-bit hashes of "dangerous" addresses
    2- when the user browses on a site matching one of these hashes, Firefox sends a request to Google for a 256-bit version of the same hash
    3- does the site match the 256-bit hash? If yes, warn user; if not, continue silently.

    Convinced? Well, here's how it really works:

    1- <insert name here> tells Google to monitor www.terrorist.com
    2- Google adds the 32-bit hash of www.terrorist.com to the list
    3- when the browser sends a request for the 256-bit hash of www.terrorist.com, Google replies with a hash that does not match www.terrorist.com
    4- the user notices nothing strange and continues browsing
    5- Google sends <insert name here> a list of all the people browsing on www.terrorist.com, identified through cookies (including their GMail password).

    Please forget the usual "??? - Profit!" jokes, and go warn the Firefox developers.

    --
    My first program:

    Hell Segmentation fault
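
The three-step lookup described in the comment above, as an added example that is not part of the original comment and is not Firefox's or Google's code; it records what the list provider can observe in each case. Assumptions: SHA-256 over the bare hostname stands in for the 256-bit hash, and the hostnames, the client id and the `ListServer` and `Browser` classes are constructed for illustration.

```python
import hashlib

def full_hash(host: str) -> bytes:
    # Assumption: SHA-256 of the bare hostname stands in for the 256-bit hash.
    return hashlib.sha256(host.encode("ascii")).digest()

def prefix(host: str) -> bytes:
    # The 32-bit value the browser keeps locally: first 4 bytes of the full hash.
    return full_hash(host)[:4]

class ListServer:
    """Hypothetical list provider: hands out prefixes, answers full-hash
    requests, and records every request it receives."""
    def __init__(self, blocked_hosts, extra_prefixes=()):
        self.full = {}
        for host in blocked_hosts:
            self.full.setdefault(prefix(host), []).append(full_hash(host))
        # extra_prefixes: prefixes on the list with no matching full hash.
        self.prefixes = set(self.full) | set(extra_prefixes)
        self.request_log = []  # (client id, requested prefix in hex)

    def prefix_list(self):
        return set(self.prefixes)

    def full_hashes(self, client_id, pfx):
        self.request_log.append((client_id, pfx.hex()))
        return self.full.get(pfx, [])

class Browser:
    def __init__(self, client_id, server):
        self.client_id = client_id
        self.server = server
        self.local = server.prefix_list()          # step 1: download prefixes

    def visit(self, host):
        pfx = prefix(host)
        if pfx not in self.local:
            return "allow-local"                   # nothing leaves the browser
        candidates = self.server.full_hashes(self.client_id, pfx)  # step 2
        if full_hash(host) in candidates:
            return "warn"                          # step 3: full hash matches
        return "allow-after-lookup"                # silent, but request was sent

def demo():
    # Constructed sample data: one listed host, one prefix without a full hash.
    server = ListServer(["phish.example"],
                        extra_prefixes=[prefix("listed-prefix-only.example")])
    browser = Browser("cookie-1234", server)
    hosts = ("benign.example", "phish.example", "listed-prefix-only.example")
    return [browser.visit(h) for h in hosts], server.request_log
```

In the third case the user sees no warning, yet the request log holds the client id and the prefix that was looked up.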