Firefox 2.0 Update To Remove Phishing Detection

An anonymous reader writes "Computerworld and others are reporting that Firefox 2.0.0.19, the last security update to be released before 2.0 goes end-of-life, will remove the phishing detection at the request of Google. The browser is using an older version of the Safe Browsing protocol that Google will discontinue. According to the latest NetApplications report, about 25% of all Firefox users were still on version 2.0. This move ought to result in an increased adoption of Firefox 3.0 and other browsers, unless it goes unnoticed by most users."

A security update that reduces security

[mysidia]

Hrm.. I don't think that's the intended use of security updates that causes users to be willing to accept and enable such updates.

In a way, it's a breach of trust if they were intentionally holding back on upgrading to 3.0. Users would be in slightly better shape if they refused to accept this update (at least until Google finally does turn it off).

I anticipate not necessarily a massive increase in users updating to Firefox 3.0, but more likely a massive increase in phishing targetting 2.0 users who still think they're protected (they didn't pay attention to the update release notes).

Re:A security update that reduces security

[dafrazzman]

Even a minor increase in 3.0 adoption would be worth it, as the phishing detection won't matter once google turns it off. I think Mozilla is doing well by making one last effort to move people towards Firefox 3.

At least the version 2 users are being given some warning, as opposed to just being left out to dry without any heads up at all.

Re:A security update that reduces security

[theaveng]

I disagree. I already tried Firefox 3 and it ran very poorly, so that's why I went back to Firefox 2.

IMHO rahter than disable the feature, thereby making users vulnerable to scams, the correct solution is to upgrade the anti-phishing to v2. Toturn it off completely is somewhat akin to a AntiVirus 2.0.0.19 program deciding to turn-off its scanner, to force users to move to AntiVirus 3. The ends do NOT justify leaving users vulnerable to attack.

Re:A security update that reduces security

[gparent]

It's going to End of Life. They won't upgrade an obsolete product. Either they turn it off in the next update and get some people to upgrade, or they leave it on giving a false sense of security since it won't even work.

Re:A security update that reduces security

[Tubal-Cain]

Uhhh... Google's turning off the servers.
Your FF 2.0.18 won't have any phishing protection, either.

Re:A security update that reduces security

[mR.bRiGhTsId3]

I guess the question is, if people are so against upgrading to 3.0 (which I find worlds better btw), how long will it take someone to write an extension for 2.0 that supports the new format.

Re:A security update that reduces security

[hairyfeet]

The problem is we are talking about a piece of dead code here. Mozilla has decided that the Firefox 2 code base is EOL, and frankly I don't blame them. The memory leaks in the code just never seemed to get fixed and the memory management in FF3 is simply light years better. And Google has already made it clear they are pulling the plug on the v1.0 Phishing filter, which would cause folks to think they had protection that they didn't actually have.

You mention MSFT, but lets be honest here. Most folks didn't have a living shit fit when they EOLed the Win9X line after giving it an extension to give folks time to switch. Why? Because those of us that knew anything about Operating Systems knew that trying to keep that mess of a codebase patched and functional was like pissing in the wind. At least with FF2 you HAVE a choice.

If you believe there are enough users out there that for one reason or another need FF2 you can set up a website and try to build a community around the FF2 code. Since the code is Open Source anyone who feels strongly about it can build a community of like minded individuals and keep it going. Just look at how Seamonkey continues to improve and update after what? 2 years of being cut loose by Mozilla? The Mozilla Corp doesn't support Seamonkey yet I have it on all my machines and it updates nearly as quickly as FF. So if you truly feel that it can be updated to Google Antiphishing v2.0 you should try to build a community around it. That is one of the great things about FOSS. We always have a choice.

Re:A security update that reduces security

[LordSnooty]

somewhat akin to a AntiVirus 2.0.0.19 program deciding to turn-off its scanner,

It's not really, is it - the scanner is the crucial part of the AV program, the phishing filter is just one small feature of Firefox. Also the replacement product is free. Nobody would complain if a free AV package forced you to upgrade. In fact they (Clam, AVG) do it on a regular basis. Really not "somewhat akin" at all.

Re:A security update that reduces security

[Hadlock]

I still don't see why they're pushing people so hard to upgrade to 3.0. The version 3.0 still seems slower and more buggy than the version of 2.0 I have been using for some time. Does the firefox corperation get more money from google every time you download the latest version or something? I would argue that FF 2.0 is not and obsolete product - it does everything I need perfectly, and I would consider myself a power user. The mozilla corp. has been pushing people to upgrade now pretty hard for about six months and I really don't see the need to upgrade.
 
I prefer v.2 to v.3 so much that I still use v.2 at work, although I will boot into v.3 at work to check and see how it renders our website at work differently from 2.0 (we have bad code and in most cases there's a significant difference). v.2 has everything I need and a smaller memory footprint - why would I upgrade?

Re:A security update that reduces security

[TheRealMindChild]

I still don't see why they're pushing people so hard to upgrade to 3.0.

Because they are going to stop working on that version. I hate to point out the obvious, but this isn't really a complicated question.

Re:A security update that reduces security

[Ramze]

I think the idea is that since they aren't going to offer any more updates to the software, anyone using FF 2.0 is going to be vulnerable to future browser exploits and rendering issues which will not ever be patched (unless someone forks the code), so from a user-safety perspective and a public relations perspective, Mozilla needs to strongly persuade people to move away from the old version.

The reasons to upgrade are the same as for any software. Sooner or later, FF3 or higher will have features that FF2 does not have and that you will need or wish you had. Whether that's patches, plug-ins, or new features, I can't say... but it is coming. Maybe a new version of HTML or a new scripting language... maybe a plugin that only works with 3.0 or higher for web pages you need access to -- who knows.

As for why they choose to turn the anti-phishing off rather than move to the next version, I think it's fair to say that turning off something is easier than re-coding it to work with something new. Also, why code it to work with the new Google version when you're discontinuing support? At some point, Google's API will change and FF 2 users will be left without a working anti-phishing engine again -- only without any warning because Mozilla will have moved on to FF 4 or beyond by then.

You are, of course, welcome to continue to use FF 2 if you enjoy the product, but it is not Mozilla's responsibility to continue to support it once they've moved on to a newer version.

You are correct that Mozilla could wait until Google discontinues its service to turn off the feature, but that is only prolonging the inevitable. They likely want the upgrade in place before Google shuts down its service so that users have advanced warning. If I were Mozilla, I'd even put up a splash screen upon installing the update to warn people that the anti-phishing no longer works and to upgrade to FF 3 if they wish to continue using the feature.

I'm not exactly sure what you're arguing. It sounds as if you're upset that Mozilla is "pushing" people to FF3 by discontinuing a feature in FF2, but really it's Google that's changing and Mozilla is reacting to that change by turning off the feature in advance in an effort to control the situation. It's not as if Mozilla turned off FF2's ability to use tabs or plugins or other features to intentionally cripple FF2.

Honestly, your post sounds a bit like a rant that eventually you'll have to move to something other than FF2 and you're upset that the reasons to move have only just begun to pile up. I can understand that you like the software and believe it is still worth supporting and/or forking to continue updating, but apparently Mozilla isn't going to be the one to do that for you.

Re:A security update that reduces security

[aussie_a]

The version 3.0 still seems slower and more buggy than the version of 2.0

Well it might SEEM slower and more buggy, but objective tests I've done (as I wanted to know which was better) indicate this isn't true.

Re:A security update that reduces security

[gparent]

I still don't see why they're pushing people so hard to upgrade to 3.0.

Because they won't work on 2.0 anymore. It will not be supported and will no longer receive security updates. How hard is that to understand?

The version 3.0 still seems slower and more buggy than the version of 2.0 I have been using for some time.

Except it's faster. Java Script improvements, less memory leaks, a garbage collector of sorts, etc. FF 3.0 requires less resources.

I would argue that FF 2.0 is not and obsolete product

By definition, it is. It will reach End of Life.

Re:A security update that reduces security

[theaveng]

Even if it is going to "end of life", I still don't see why they need to disable the security protection. If Microsoft did that with XP, in order to try to get people to move to Vista, people would scream bloody murder.

But because this is Firefox, for some reason it's okay where if MS did it, people would call foul. Double standard.

Re:A security update that reduces security

[totally+bogus+dude]

Possibly it is a double-standard, but they haven't done any significant development on 2.x for quite a while, only security updates. Updating the Safe Browsing protocol may be considered "significant development" (I have no idea how much work would actually be involved) and therefore isn't really an option.

Since Google is going to be disabling their service which makes the phishing detector thing work at all, stopping the browser from trying to access it is a reasonable measure. It perhaps depends on the manner in which they disable it; if someone wants to make and use their own SBP 1.0 server with Firefox 2 they should be able to, so removing the code altogether would be bad, but disabling the option and hiding the UI option to enable it would be okay.

Your analogy should have compared the idea of Microsoft disabling a soon-to-be-unusable feature of IE6 to get people to move to IE7. A lot of people (especially here) would argue that's a good thing, as IE7 is more standards compliant and more secure than IE6.

Why bother?

[Ambvai]

I consciously refused to upgrade to 3.0-- a number of my extensions and scripts don't work right and it's incredibly ugly in my opinion. Workarounds/alternative settings exist, I'm sure... but how much are people really missing out on by refusing the updates?

Re:Why bother?

[andy9701]

Have you checked back to see if your extensions/scripts have been updated to work with FF3? I could see that being the case right around when it was released, but hopefully they should be updated by now (assuming that they are still actively developed).

There are a variety of themes that you can use to make FF less ugly - I don't like the default theme myself on Windows (the default Mac one is fine; I'm not sure about the default Linux theme). Personally, I like Qute when running on Windows (it was the default theme during the pre-1.0 days, if you were using FF back then). I'm sure there are other themes that make FF less ugly, as well.

Personally, on OS X at least, I've found FF3 to be much, much better than FF2. It's very stable, and uses a lot less memory. I only have about 5 extensions installed, but I haven't had any problems with it at all since its release (aside from some extension oddness, but that is hardly Mozilla's fault).

Re:Why bother?

[Richard_at_work]

The 'Awesome Bar' is one of the things I hate about FireFox 3 (and the hate list isn't all that big).

Thanks, Mozilla, for deciding that I need to change my tried and tested browsing habits of 15 years, simply because you think your way is better - you could have at least given us a way to revert to the old url bar behaviour, but you didn't.

And yes, I've installed various extensions, I've tweaked the about:config and no, it doesn't get the behaviour anywhere near FF2 - infact, some of it is just plain broken, like having the 'browser.urlbar.matchOnlyTyped' setting set to true still allows the url bar to match on non-typed urls.

It sucks.

Hey... it's open source!

[jimbudncl]

Somebody throw in some new phishing detection, for free, already. What else, are you going to do, today, over-use Google, and piss off an ISP?

(sorry about all the commas... I have no idea why I used them)

Re:Hey... it's open source!

You must be on your comma.

It's like being on your period. But with less bitching.

Re:Why would anyone use FF2?

[mysidia]

You just gave a reason for Firefox 2 users not to upgrade to Firefox 3.

The reason not to switch from Firefox 2 to Opera instead (for older systems) is the same reason for Windows '98 users to not switch from MSIE to Firefox.

They are more familiar with their chosen browser, and there is an inherent resistance to switching.

It's ashame the last major, tried and true, stable release of Firefox is EOL'ed so rapidly, in favor of the bleeding-edge FF 3.

What would you think of Microsoft if they had discontinued further security updates for Windows XP in 2007, one year after the release of Vista?

Re:Why would anyone use FF2?

[Miladinoski]

Yes, you have a point there, I can't say you are wrong, but I don't get why wouldn't you give up for something that is newer and works on your older machine (and is supported too) than use what you are used to, but get significantly slower browsing.

I certainly would give up from something that I am used to, to something that works better.

RHEL4 support anyone

[Mr+Z]

I still use Firefox 2 at work because the Firefox 3 downloads won't run on Red Hat Enterprise Linux Workstation 4. Seems to want libpangocairo, as I recall. Also, a couple plugins I like haven't been updated for Firefox 3 (FLST and Open Link In... come to mind).

I wonder how many of the 25% are in similar situations to mine?

Mac Os X 10.2.8

[escudier0]

No Firefox 3 for Mac Os X 10.2.8 -> I'll keep Firefox 2 on my old Mac....

Re:The real "problem" is

[FlyingBishop]

Google has too much power, but you're just being ridiculous. This is the last FF2 security release ever. Leaving in an automatic information query to a dead server would be a GAPING security hole.

Re:If it wasn't for the Awful Bar

[SignOfZeta]

1. Go to about:config.
2. Set browser.urlbar.maxRichResults to 0 to disable the awesomeness.
3. If you don't like the style of the once-Awesomebar, install the Oldbar extension.

I don't mind the Awesomebar, but those are just my two cents. Then again, I'm still with Safari, holding out for a Mac version of Chrome.

Will anyone notice?

[drew]

I'm fairly certain that anyone who actually needs phishing detection probably won't even notice that it's gone, or won't know what it means. For example, people like my parents who only have Firefox because some well meaning geek installed it for them a year and a half ago...

Re:The real "problem" is

[theodicey]

What's Mozilla supposed to do, in your opinion?

Run their own phishing blacklist? Is that really a good use of their time?

Maybe they should sue Google, without any contract having been broken?

Or break into their data center and force them at gunpoint to turn the machines back on?

Mozilla should have gotten Google to contractually agree to keep the servers running through the end of life of Firefox 2, and they didn't, which is their screwup. But you're just conspiracymongering.

Re:Why would anyone use FF2?

[i.of.the.storm]

Not sure what's so bleeding-edge about FF 3, it's a lot more stable and faster than Firefox 2 was. I think your word choice is a bit disingenuous and designed to make FF 3 look bad. And the situation is a bit different since upgrading from XP to Vista costs money, whereas unless you're on Windows 98 upgrading from Firefox 2 to 3 doesn't cost a thing.

Re:Ridiculous

[Chabil+Ha']

Because contrary to your notion, it's an end-user's right not to upgrade.

Yet another example of the following aphorism:

Open Source != Socialism

People on older distros

[sentientbrendan]

can't upgrade.

On Linux Firefox doesn't distribute RPM's or DEB's for the various major platforms, and most vendor's don't provide new software for distros once they've been released.

Also, getting firefox 3 compiled from source on older distros is incredibly difficult due to version skew of various libraries. I got most of the way there, and gave up.

People who use linux for work are often stuck on older distros due to long corporate maintanance cycle's. It costs them a lot of money to roll out a major update to thousands of machines, especially if you are developing software on top of them.

Thus, it really sucks that there is no way to put newer software on older linux OS's without running into library version hell. Especially since this is so easy on other platforms. After all, who has trouble getting software working on XP?

Re:People on older distros

[TheSunborn]

Why not just download the firefox binary, and unzip it to your home directory? Then you can just run it from there.

Re:People on older distros

[FlyingGuy]

Yep same problem here. Running SLES 10 sp1 and FF 3 requires GTK 7.x and GTK 7.x requires a whole host of lib updates. I tried valiantly to get them all updated and totally crapped my system. I had backed up everything so it was simple enough to boot from CD and restore back, but man what a PITA!

Re:People on older distros

[TeacherOfHeroes]

Firefox 3 relies on the Cairo (svg) and Pango (typesetting) libraries, which are included with and used by newer versions of the GTK (I thought it was >= 2.8, but meh). Especially when using older linux systems (like RHEL4) to which you do not have root access, trying to build all of the updated libraries in a little bottle just to run firefox 3 is a pretty tall order. IIRC, when I tried, I had to start at glibc and work my way up - I never did get it to work properly.

Re:Well, at least it's clear

[Ian+Alexander]

Google is going to stop supporting the version of the protocol that FF2 relies on. They could upgrade the version of the protocol 2.0 uses (they're doing it with 3.0) but it's pretty near EOL so they're not going to bother. This is all in the article.

Older machines

[RudeIota]

Just to be fair, there ARE some people who can't upgrade to FF3. I'm thinking of Mac OS users. FF3 only works with 10.4 or higher. So many of those with G4 Macs are left in the dust.

I'm unsure of Windows compatibility, but Windows XP *is* over 7 years old, so users of older PCs are probably in good shape, at least.

Re:Why would anyone use FF2?

[bencoder]

And what if you are still on FF version 2 because you don't like some of the 'features' introduced in FF version 3? I'm looking at you, 'Awesome Bar'.

There was a lot of resistance to the awesome bar, and I thought it was a stupid idea at first, but honestly, give it a week and you'll get used to it and wish it was there when you're forced to use other browsers.

I was thinking of converting back from 3.0

[Uzik2]

the anti click jacking code and the really miserable handling of self signed certificates is starting to really annoy me.

Re:Why would anyone use FF2?

[caitsith01]

I totally agree. After how much trying is one entitled to simply decide that one does not like a particular piece of software?

FF3 has decided that people like me, who actually like using URLs to access on-line resources (crazy, I know) would rather have some higher-level language based address system which trawls through your history and bookmarks and spews them forth into the address bar whether you want them there or not. I have tried everything to disable this "feature" without success.

It would be trivial for them to include options about this stuff, but apparently the old ways are forbidden and options are 'confusing'. That kind of attitude is what ultimately loses you users.

Re:Why would anyone use FF2?

If you have been using Firefox 2, then you *haven't* been giving Firefox 3 a chance "since it was introduced"; you only gave it a chance until you switched back. It's obvious that you're too stubborn to use the awesome bar regularly because it learns which sites you like to type into it, and it only takes *one* try. If you type a single letter in the bar, then select the site you want from the list, the very next time it will appear at the top of the list. In the worst case, you have to type the whole url *once*, then the second time only three or four letters, and after that it should only take one. And here's a hidden feature for you: if one of the bar's suggestions offends you for some reason, you can banish it by pressing shift-delete (this also works for form autocompletion).

I miss the Aweseome Bar's learning when I use Chrome. GMail's URL does not start with G, but Firefox learned that when I typed G I wanted GMail. In Chrome I have to remember to type "M" for GMail, becuase no matter how many times I type "GMail", then scroll down and select https://mail.google.com/mail/, it won't remember.

Re:Phishing detection?

[digitig]

No. To be a valid analogy on /. it has to have a car in it. A bicycle just isn't good enough.

How to get me to switch to Firefox 3 from 2.

[a+whoabot]

When I go "Check for updates" I get the dialog box that informs me: "This update will cause some of your extensions and/or themes to stop working until they are updated." Clicking on "show list" shows me that Compact Menu and Whitehart will be disabled with FF3. If that extension and that theme get updated, then I'll switch to FF3. Until then, I'll "suffer" with my working browser, anti-phishing or not.

Re:Why would anyone use FF2?

[Richard_at_work]

Ahh, someone who knows me inside out - glad you could be of service, but nothing you said has been of any help to me.

Firstly, who said I wasn't using FF3? I certainly never did in this (or any other) thread - you simply surmised that from things I did say, and your assumption has proven to be wrong. I use FF3 daily, because it has better memory usage than FF2 - but the Awesome Bar still sucks, even after six months of usage and 'training' as it certainly doesn't seem to learn my browsing habits.

Take, for instance, the example I gave in another thread - I start typing the domain of a site I use daily and the 'Awesome Bar' decides that what I actually want is a site I visited once, several months ago. How many times should I train the 'Awesome Bar' in that situation?

I want my old url bar back. You have said nothing which has changed my opinion of the current system.

Fine, some people may find it better than the old alternative - so why not make it an option they could use? Even make it the default, just allow it to be disabled. Or am I worth less as a customer to Mozilla for some reason?

Re:Why would anyone use FF2?

[ion.simon.c]

The reason I consider it bleeding edge, is a bunch of plugins don't work at all with FF3.
It's a relatively new, unproven release, in the grand scheme of things.

Mmm.
In the grand scheme of things, VMS and masonry are new and unproven things, too.

If someone complains about the site not working and describes that message, I tell them to downgrade to FF2, which actually lets you still access the site (with just a simple dialog box).

*points* *laughs*
Moron. I hope that you don't work a helpdesk or IT somewhere.

FF3 keeps needing updates frequently, security bugfixes (I guess), and I kept running into crash bugs with FF3, several times a day, even the latest version of FF3, whereas FF2 and FF1 were rock solid, rarely ever crashed.

System specs? Installed plugins?

It Makes Sense

[CritterNYC]

Firefox 2 uses an older version of the anti-phishing that will no longer be supported by Google (the provider of the database). So, whether Mozilla removes it or not, v1 is giong away.

2.0.0.19 is the final release of Firefox 2. As soon as it is released, Firefox 2 has reached its end of life and will no longer be updated or supported (no new features, no bug fixes, no security updates). So, it doesn't make much sense to worry about the anti-phishing feature being updated when the browser itself can no longer be assured of being secure due to possible bugs, etc.