Slashdot Mirror
Google Goofs On Firefox's Anti-Phishing List
Stephen writes "While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea. Today Google blocked a host of legitimate web sites by listing mine.nu. mine.nu is available as a dynamic dns domain and anybody can claim a sub domain. All sub-domains are blocked regardless of whether phishing actually occurs on the sub-domain or not. Several Linux enthusiast sites are caught up in the net including Hostfile Ad Blocking and Berry Linux Bootable CD."
While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea
Actually, giving a single company this kind of authority is usually not a bad idea. Spamhaus and email, for example.
The issue is about trust. Even with this goofup, I trust google ( although their response to this could change that ). Hell, I trust MS here too, to a limited extent.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Granted, I can see there are opportunities for abuse here, but if the owners of dynamic dns domains don't properly police their "customers" and spammers and/or other malicious websites start using it, then Google has every right to blacklist the entire domain. Of course, it's arguable exactly how much can be done to prevent it, but if you're really concerned about not getting your site blocked, go ahead and blow the $7 a year on your own domain, or use a smaller ddns service that can actually pay attention to the nature of the hosts it's serving.
As far as having any one third party responsible for maintaining a blacklist, exactly how else do you intend to do it? You can always create your own blacklist, but that would first require you to "enjoy" the sites you would prefer get blocked automatically. You'll just have to trust someone to make that reasonable decision for you. Sure, there will be some mistakes, but that's the price you pay for protection.
-Restil
Play with my webcams and lights here
Yeah. While I reflexively rankle at the idea of blocking a whole swathe of domains like that, it's unfortunately clear that services like dyndns and mine.nu are going to be overrun with phishers and scammers because they're just as convenient to them as they are to non-malicious Internet users.
In my mind giving this power to Google is the most objectionable thing related to the company. I know somebody who has had his legitimate business ruined because Google mistakenly added his site to this list. Why? Because it was hosted on the same physical server as a truly objectionable web site.
People need to stop childishly sneering at Windows users and take their focus away from Microsoft. The terrible Goliath is clearly Google now. Even when it's not being evil it causes trouble just by being *clumsy*.
This is the first time we've heard about Google (or any others) making a bad block. As long as Google fixes this expediently, I'd say that it's an acceptable margin of error and the amount of phishing sites blocked is by far worth it. Now, if wikileaks suddenly gets blocked for 'phishing', something is definitely awry.
Any maintained blacklist of any reasonable size is going to end up with false positives. It's one of those things you just have to accept. People notice and report it, the entry gets removed, and we move on.
Presumably if Google thinks some subdomains are malicious, they actually know which ones are in fact malicious? Owing to the fact that they found them in the first place? I'm wondering if the reason they just blocked the entire domain was because some attackers are just registering lots of subdomains as a fast-flux method.
Um, no. The list is supplied by Google. When Firefox blocks a site, press the 'Why was this site blocked?' button to see Google's warning about it (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://mine.nu/ in this case).
We need to educate users to check the URL before entering anything. Any time you rely on a technological solution to a social problem you end up with woes.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
Some years back "general network administration" made it impossible for me to see mail that came from Asia. That caused huge problems for me. The fuckwit that did this made the same argument you just did. If you are going to accept that sort of power you should learn the maxim "first, do no harm."
Note that the anti-phishing feature makes Firefox slow over time.
Putting anti-phishing filters into browsers just shifts the responsibility of good security practices from the user to some blacklisting company. What incentive is there to be weary about suspicious sites if you can count on the almighty Google to hold your hand while you browse the Web? This makes about as much sense as someone installing parental controls in their machine and declaring that their Internet connection is now "kid-friendly."
I've never had these filters turned on, and I've never exposed my financial data to others by accident. Usually this has something to do with me hovering the mouse over links and checking the URL in the status bar.
If you're serious about blocking phishing sites, you have to accept some collateral damage. Blocking by URL stopped working last year; most attacks have unique URLs now. Many have unique subdomains. So you have to block at the second-level domain level to be effective.
We publish a list of major domains being exploited by phishing scams. Today, there are 46 domains listed. eBay, for example, is on the list, because eBay has an open redirector exploit. Click on that URL. It says "ebay.com", right? It looks like eBay, right? It's not.
On the other hand, "tinyurl.com", which used to be popular with phishers, has been able to get off the blacklist by cracking down on misuse of their service. It's possible to do redirection competently.
When we started our list last year, it had about 175 exploited domains. After some serious nagging and an article in The Register, we're down to 46. And only 11 have been on the list for more than three months; the others come and go as exploits are reported and holes plugged. So this is a problem that can be solved.
I'm glad to see Google taking a hard line on this. It's necessary that sites that do redirection feel the pain when they accept redirects to hostile sites. Google can apply much more pain that we can. Few sites will want to be on Google's blacklist for long.
This is something that strikes me as the first time Firefox really pushed something out by default that shouldn't be. Just for one example, people who are on LTSP networks, say, 200 users, will ALL download anti-phishing, anti-malware blacklists from Google, each in their own home directory. There's no way that I know of, anyway, to share this data - SQLite seems to make it impossible. That's the first mistake in creating a compatible, light web browser.
The second mistake is enabling website blocking based on 3rd party blacklists by default. This is basically Microsoft UI thinking - "You *need* this because you don't know any better." Screw that. I mean, make it a checkbox on setup - "Use Google-provided anti-malware blacklists" Simple as that. I spent weeks trying to find out why, after just a few Firefox instances were launched on an LTSP server, none more would load - part of this was because every user logging in was trying to download the anti-malware stuff from Google, saturating the line, and preventing Firefox from loading for the first time.
I hope the Firefox devs will take all scenarios into account when making changes. It seems lame that every user needs all of the stuff in places.sqlite. And even if you argue with that, at the LEAST make it cross-DB compatible, so you can put everyone's in a nice big central MySQL database.
It is pitch black. You are likely to be eaten by a grue.
Never ascribe to malice what can be equally ascribed to incompetence.
The corollary of this is, of course, that you should still be wary of single points of failure, even if you do not believe they will fail you on purpose.
Please correct me if I got my facts wrong.
I don't know anything about the FWT site; it may be fine. However, do remember that just because a site is trustworthy over time doesn't mean it is trustworthy today , on this visit.
I just had that driven home for me the other day. In my off time, I am a youth soccer coach. The website for our league has been fine for several years. Last week I visited it and got the malware warning from FireFox. I checked with the webmaster and sure enough, they had gotten hit with a SQL injection attack and had indeed gotten malware of some sort hosted on the site.
So, FWT may be a false positive - but it is at leat possible that they also got successfully attacked.
We really don't have a good system to evaluate trust on the fly due to the dynamic nature of internet content. A page that was fine 20 minutes ago may attack you now.
Shit happens. Yes, it sucks, but it happens. Now, should we try to blow up the googleplex? No. Google are not blocking based on a secret agenda here, and you can bypass it or turn off the feature. OK, it'd be nice if you could choose who provides the service, but overall, it's not that big a deal.
-- Lattyware (www.lattyware.co.uk)
It's just not going to happen. We like to think that "everyone" is capable of understanding what is going on when they browse the web, but that's wishful thinking.
It will be a LONG time until you can ever hope that the general public is as smart as the malicious few out there. Until then technology solutions will continue to be needed, desired and our best bet in combating this. Hell, they always will.
Well, there's a pair of boobies poking out at you on the mine.ru page.
Get your own free personal location tracker
Safe Browsing
Diagnostic page for mine.nu/
What is the current listing status for mine.nu/?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 4329 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 09/21/2008, and suspicious content was never found on this site within the past 90 days.
Malicious software includes 7523 scripting exploit(s), 2911 trojan(s). Successful infection resulted in an average of 0 new processes on the target machine.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, mine.nu/ appeared to function as an intermediary for the infection of 183 site(s) including culportal.info, mipt.ru, baikal-discovery.ru.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 932 domain(s), including bernard-becker.com, mipt.ru, dhammasara.com.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:
* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Having a distributed system where individuals are responsible for rating resources (other individuals, websites, basically _anything_ with a unique ID or URI) would go a long way not just to combat phishing and malware, but other sorts of scams, trolls, etc. I call that system a "reputation system."
We need a system where I can rate a site as vapid (ie, experts-exchange is a waste of my time in search results) and then people who choose to subscribe to my ratings will see those sites may not be worth their time.
The key is to make it extensible such that it can encompass the internet at large and even things in real life like menu items in restaurants.
It's one thing to get feedback about something from one or a handful of people. It is more valuable to have a large graph of opinions which you can prune at will to give you the best information available.
-HobophobE
Nothing laughs forever.
"There's no way that I know of, anyway, to share this data - SQLite seems to make it impossible."
Well, I doubt it's SQLite that makes it impossible, it's more that you don't want ordinary users writing to a single shared blacklist. Because if a user can download and write good data to it, they can write bad data to it.
Suddenly all it takes is for one user to click on the dancing bunnies, and they're running a daemon without knowing it that writes bad data to the blacklist, monitors the list for changes, and rewrites it if any of the other users change it back to what it "should" be. That fucks things up for *everyone*, which kind of defeats the whole idea of having separate user accounts that protect everyone from each other.
"The second mistake is enabling website blocking based on 3rd party blacklists by default."
If you don't do that then non-geeks - the people who need this most - will never find it to switch it on. If you're a geek and you don't like it and are smart enough to spot phishing attempts yourself (and good luck with that by the way; I've seen reports of many trials here on /. where even seasoned network admins don't get a 100% success rate at spotting them) then you're probably smart enough to find the checkbox to disable it.
"And even if you argue with that, at the LEAST make it cross-DB compatible, so you can put everyone's in a nice big central MySQL database."
Bleargh! You want a DB-abstraction layer so that ... everyone can write to the same DB? That will add bloat and do nothing to fix the problem.
If you make the database writable only by root/Administrator and have a separate daemon/service that runs as that user to update, with all users having read-only access, that would solve your problem. But then someone else would complain that this service was running and creating network traffic uselessly when no-one was actually running firefox, or even logged in.
For a home user, what they've got makes sense. If you're running a reasonable-sized network, or have something like LTSP, you should be able to set up Squid proxy (or similar) so that only one user causes the list to be fetched from the network and everyone else loads your cached copy.
Make it do the right thing for n00bs out of the box. Experts can configure it differently for themselves because, well, they're experts.
Why doesn't the gene pool have a life guard?
I do not recognize any proof or intention to proof that information is harmful (to child).
Never, mind, people just use their power. Do you?