Firefox 2.0 Update To Remove Phishing Detection

← Back to Stories (view on slashdot.org)

Firefox 2.0 Update To Remove Phishing Detection

Posted by kdawson on Sunday December 7, 2008 @07:50AM from the way-past-time-to-update dept.

An anonymous reader writes "Computerworld and others are reporting that Firefox 2.0.0.19, the last security update to be released before 2.0 goes end-of-life, will remove the phishing detection at the request of Google. The browser is using an older version of the Safe Browsing protocol that Google will discontinue. According to the latest NetApplications report, about 25% of all Firefox users were still on version 2.0. This move ought to result in an increased adoption of Firefox 3.0 and other browsers, unless it goes unnoticed by most users."

20 of 351 comments (clear)

A security update that reduces security by mysidia · 2008-12-07 07:53 · Score: 5, Interesting

Hrm.. I don't think that's the intended use of security updates that causes users to be willing to accept and enable such updates.
In a way, it's a breach of trust if they were intentionally holding back on upgrading to 3.0. Users would be in slightly better shape if they refused to accept this update (at least until Google finally does turn it off).
I anticipate not necessarily a massive increase in users updating to Firefox 3.0, but more likely a massive increase in phishing targetting 2.0 users who still think they're protected (they didn't pay attention to the update release notes).
1. Re:A security update that reduces security by dafrazzman · 2008-12-07 08:05 · Score: 4, Insightful
  
  Even a minor increase in 3.0 adoption would be worth it, as the phishing detection won't matter once google turns it off. I think Mozilla is doing well by making one last effort to move people towards Firefox 3.
  At least the version 2 users are being given some warning, as opposed to just being left out to dry without any heads up at all.
  
  --
  My preferred name is frazz, but someone keeps taking it. If you see him, tell him I said hi.
2. Re:A security update that reduces security by theaveng · 2008-12-07 08:42 · Score: 4, Insightful
  
  I disagree. I already tried Firefox 3 and it ran very poorly, so that's why I went back to Firefox 2.
  IMHO rahter than disable the feature, thereby making users vulnerable to scams, the correct solution is to upgrade the anti-phishing to v2. Toturn it off completely is somewhat akin to a AntiVirus 2.0.0.19 program deciding to turn-off its scanner, to force users to move to AntiVirus 3. The ends do NOT justify leaving users vulnerable to attack.
  
  --
  FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
3. Re:A security update that reduces security by gparent · 2008-12-07 08:46 · Score: 4, Informative
  
  It's going to End of Life. They won't upgrade an obsolete product. Either they turn it off in the next update and get some people to upgrade, or they leave it on giving a false sense of security since it won't even work.
4. Re:A security update that reduces security by Tubal-Cain · 2008-12-07 08:58 · Score: 4, Insightful
  
  Uhhh... Google's turning off the servers.
  Your FF 2.0.18 won't have any phishing protection, either.
5. Re:A security update that reduces security by hairyfeet · 2008-12-07 09:19 · Score: 3, Insightful
  
  The problem is we are talking about a piece of dead code here. Mozilla has decided that the Firefox 2 code base is EOL, and frankly I don't blame them. The memory leaks in the code just never seemed to get fixed and the memory management in FF3 is simply light years better. And Google has already made it clear they are pulling the plug on the v1.0 Phishing filter, which would cause folks to think they had protection that they didn't actually have.
  You mention MSFT, but lets be honest here. Most folks didn't have a living shit fit when they EOLed the Win9X line after giving it an extension to give folks time to switch. Why? Because those of us that knew anything about Operating Systems knew that trying to keep that mess of a codebase patched and functional was like pissing in the wind. At least with FF2 you HAVE a choice.
  If you believe there are enough users out there that for one reason or another need FF2 you can set up a website and try to build a community around the FF2 code. Since the code is Open Source anyone who feels strongly about it can build a community of like minded individuals and keep it going. Just look at how Seamonkey continues to improve and update after what? 2 years of being cut loose by Mozilla? The Mozilla Corp doesn't support Seamonkey yet I have it on all my machines and it updates nearly as quickly as FF. So if you truly feel that it can be updated to Google Antiphishing v2.0 you should try to build a community around it. That is one of the great things about FOSS. We always have a choice.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
6. Re:A security update that reduces security by TheRealMindChild · 2008-12-07 10:44 · Score: 5, Insightful
  
  I still don't see why they're pushing people so hard to upgrade to 3.0.
  
  Because they are going to stop working on that version. I hate to point out the obvious, but this isn't really a complicated question.
  
  --
  
  "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
7. Re:A security update that reduces security by Ramze · 2008-12-07 11:05 · Score: 4, Insightful
  
  I think the idea is that since they aren't going to offer any more updates to the software, anyone using FF 2.0 is going to be vulnerable to future browser exploits and rendering issues which will not ever be patched (unless someone forks the code), so from a user-safety perspective and a public relations perspective, Mozilla needs to strongly persuade people to move away from the old version.
  The reasons to upgrade are the same as for any software. Sooner or later, FF3 or higher will have features that FF2 does not have and that you will need or wish you had. Whether that's patches, plug-ins, or new features, I can't say... but it is coming. Maybe a new version of HTML or a new scripting language... maybe a plugin that only works with 3.0 or higher for web pages you need access to -- who knows.
  As for why they choose to turn the anti-phishing off rather than move to the next version, I think it's fair to say that turning off something is easier than re-coding it to work with something new. Also, why code it to work with the new Google version when you're discontinuing support? At some point, Google's API will change and FF 2 users will be left without a working anti-phishing engine again -- only without any warning because Mozilla will have moved on to FF 4 or beyond by then.
  You are, of course, welcome to continue to use FF 2 if you enjoy the product, but it is not Mozilla's responsibility to continue to support it once they've moved on to a newer version.
  You are correct that Mozilla could wait until Google discontinues its service to turn off the feature, but that is only prolonging the inevitable. They likely want the upgrade in place before Google shuts down its service so that users have advanced warning. If I were Mozilla, I'd even put up a splash screen upon installing the update to warn people that the anti-phishing no longer works and to upgrade to FF 3 if they wish to continue using the feature.
  I'm not exactly sure what you're arguing. It sounds as if you're upset that Mozilla is "pushing" people to FF3 by discontinuing a feature in FF2, but really it's Google that's changing and Mozilla is reacting to that change by turning off the feature in advance in an effort to control the situation. It's not as if Mozilla turned off FF2's ability to use tabs or plugins or other features to intentionally cripple FF2.
  Honestly, your post sounds a bit like a rant that eventually you'll have to move to something other than FF2 and you're upset that the reasons to move have only just begun to pile up. I can understand that you like the software and believe it is still worth supporting and/or forking to continue updating, but apparently Mozilla isn't going to be the one to do that for you.
8. Re:A security update that reduces security by gparent · 2008-12-07 11:54 · Score: 4, Informative
  
  I still don't see why they're pushing people so hard to upgrade to 3.0.
  Because they won't work on 2.0 anymore. It will not be supported and will no longer receive security updates. How hard is that to understand?
  
  The version 3.0 still seems slower and more buggy than the version of 2.0 I have been using for some time.
  Except it's faster. Java Script improvements, less memory leaks, a garbage collector of sorts, etc. FF 3.0 requires less resources.
  
  I would argue that FF 2.0 is not and obsolete product
  By definition, it is. It will reach End of Life.
Hey... it's open source! by jimbudncl · 2008-12-07 08:05 · Score: 3, Interesting

Somebody throw in some new phishing detection, for free, already. What else, are you going to do, today, over-use Google, and piss off an ISP?

(sorry about all the commas... I have no idea why I used them)
Re:Why bother? by andy9701 · 2008-12-07 08:08 · Score: 3, Informative

Have you checked back to see if your extensions/scripts have been updated to work with FF3? I could see that being the case right around when it was released, but hopefully they should be updated by now (assuming that they are still actively developed).
There are a variety of themes that you can use to make FF less ugly - I don't like the default theme myself on Windows (the default Mac one is fine; I'm not sure about the default Linux theme). Personally, I like Qute when running on Windows (it was the default theme during the pre-1.0 days, if you were using FF back then). I'm sure there are other themes that make FF less ugly, as well.
Personally, on OS X at least, I've found FF3 to be much, much better than FF2. It's very stable, and uses a lot less memory. I only have about 5 extensions installed, but I haven't had any problems with it at all since its release (aside from some extension oddness, but that is hardly Mozilla's fault).
Re:Why would anyone use FF2? by mysidia · 2008-12-07 08:13 · Score: 4, Insightful

You just gave a reason for Firefox 2 users not to upgrade to Firefox 3.
The reason not to switch from Firefox 2 to Opera instead (for older systems) is the same reason for Windows '98 users to not switch from MSIE to Firefox.
They are more familiar with their chosen browser, and there is an inherent resistance to switching.
It's ashame the last major, tried and true, stable release of Firefox is EOL'ed so rapidly, in favor of the bleeding-edge FF 3.
What would you think of Microsoft if they had discontinued further security updates for Windows XP in 2007, one year after the release of Vista?
Re:The real "problem" is by FlyingBishop · 2008-12-07 08:27 · Score: 3, Insightful

Google has too much power, but you're just being ridiculous. This is the last FF2 security release ever. Leaving in an automatic information query to a dead server would be a GAPING security hole.
Re:If it wasn't for the Awful Bar by SignOfZeta · 2008-12-07 08:39 · Score: 3, Informative
1. Go to about:config.
2. Set browser.urlbar.maxRichResults to 0 to disable the awesomeness.
3. If you don't like the style of the once-Awesomebar, install the Oldbar extension.
I don't mind the Awesomebar, but those are just my two cents. Then again, I'm still with Safari, holding out for a Mac version of Chrome.
Will anyone notice? by drew · 2008-12-07 08:40 · Score: 5, Insightful

I'm fairly certain that anyone who actually needs phishing detection probably won't even notice that it's gone, or won't know what it means. For example, people like my parents who only have Firefox because some well meaning geek installed it for them a year and a half ago...

--
If I don't put anything here, will anyone recognize me anymore?
Re:The real "problem" is by theodicey · 2008-12-07 08:40 · Score: 3, Insightful

What's Mozilla supposed to do, in your opinion?
Run their own phishing blacklist? Is that really a good use of their time?
Maybe they should sue Google, without any contract having been broken?
Or break into their data center and force them at gunpoint to turn the machines back on?
Mozilla should have gotten Google to contractually agree to keep the servers running through the end of life of Firefox 2, and they didn't, which is their screwup. But you're just conspiracymongering.
Re:Why would anyone use FF2? by i.of.the.storm · 2008-12-07 08:41 · Score: 5, Insightful

Not sure what's so bleeding-edge about FF 3, it's a lot more stable and faster than Firefox 2 was. I think your word choice is a bit disingenuous and designed to make FF 3 look bad. And the situation is a bit different since upgrading from XP to Vista costs money, whereas unless you're on Windows 98 upgrading from Firefox 2 to 3 doesn't cost a thing.

--
All your base are belong to Wii.
People on older distros by sentientbrendan · 2008-12-07 08:45 · Score: 5, Informative

can't upgrade.
On Linux Firefox doesn't distribute RPM's or DEB's for the various major platforms, and most vendor's don't provide new software for distros once they've been released.
Also, getting firefox 3 compiled from source on older distros is incredibly difficult due to version skew of various libraries. I got most of the way there, and gave up.
People who use linux for work are often stuck on older distros due to long corporate maintanance cycle's. It costs them a lot of money to roll out a major update to thousands of machines, especially if you are developing software on top of them.
Thus, it really sucks that there is no way to put newer software on older linux OS's without running into library version hell. Especially since this is so easy on other platforms. After all, who has trouble getting software working on XP?
1. Re:People on older distros by FlyingGuy · 2008-12-07 08:56 · Score: 3, Informative
  
  Yep same problem here. Running SLES 10 sp1 and FF 3 requires GTK 7.x and GTK 7.x requires a whole host of lib updates. I tried valiantly to get them all updated and totally crapped my system. I had backed up everything so it was simple enough to boot from CD and restore back, but man what a PITA!
  
  --
  Hey KID! Yeah you, get the fuck off my lawn!
Re:Why would anyone use FF2? by bencoder · 2008-12-07 09:07 · Score: 3, Insightful

And what if you are still on FF version 2 because you don't like some of the 'features' introduced in FF version 3? I'm looking at you, 'Awesome Bar'.
There was a lot of resistance to the awesome bar, and I thought it was a stupid idea at first, but honestly, give it a week and you'll get used to it and wish it was there when you're forced to use other browsers.