Slashdot Mirror


Firefox Will Warn Users When Visiting Sites That Suffered a Data Breach (bleepingcomputer.com)

An anonymous reader writes: Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches. The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents. Work on this project has only recently started. The code to show these warnings is not even in the Firefox codebase but managed separately as an add-on available (on GitHub). The alert also includes an input field. In the add-on's current version this field doesn't do anything, but we presume it's there to allow users to search and see if their data was exposed during that site's security breach. Troy Hunt, Have I Been Pwned's author, has confirmed his official collaboration with Mozilla on this feature.

64 comments

  1. Yes! by Anonymous Coward · · Score: 5, Insightful

    Finally, a feature that makes me want to use Firefox.

    Except how useful is this given that it's going to warn me about every single site I visit?

    1. Re: Yes! by pollarda · · Score: 1

      Odds are, at least with the legs companies, if they suffered a data breach, they've cracked down on security and fixed as many of the problems as they can find. The real danger is with the companies who haven't suffered a data breach (that they know of) since their problems haven't been addressed.

    2. Re:Yes! by Freischutz · · Score: 1

      Finally, a feature that makes me want to use Firefox.

      Except how useful is this given that it's going to warn me about every single site I visit?

      Look on the bright side, at least you'll get a giggle out of seeing a warning banner with an announcement that reads something like this 'Warning: This organisation was hacked by the Russian intelligence services due to the utterly inadequate security measures employed by this organisation.' every time you visit gop.org and democrats.org.

    3. Re:Yes! by Anonymous Coward · · Score: 1

      Except how useful is this given that it's going to warn me about every single site I visit?

      From the fine article it seems like the focus is on prompting people to change their password when a site has been compromised.

      But I think there could be a much greater value. I think part of the problem is that users just don't know how shitty websites are at protecting their personal data. When there is a major breach it is big news... for 15 minutes and then some other news story captures the spotlight and everybody forgets.

      Putting a big bright sign right on the website itself whenever people use it will cause the bad PR of exposing users' criminals to stay fresh in people's minds. It might be enough to generate support for legal protections with teeth rather than the namby-pamby lobbyist-written laws that assure the companies don't have any real liability for screwing over millions of people.

    4. Re:Yes! by AmiMoJo · · Score: 3, Interesting

      I wonder if it might give people a false sense of security. Just because a site isn't flagged up doesn't mean it hasn't been hacked or is secure.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re: Yes! by 14erCleaner · · Score: 4, Funny

      But will it warn me about sites that don't support Unicode?

      --
      Have you read my blog lately?
    6. Re:Yes! by arth1 · · Score: 1

      People want theatre. Not real security, with the inconvenience that entails.

      Anyhow, I don't think this will happen, or if it does, it won't survive for long.
      There are plenty of big companies that would sue the living shat out of the Mozilla Foundation if they do this, calling it anti-competitive. If the warning is perceived to make even a single potential customer leave the web site, they'll call in their army of lawyers and pull strings on the politicos they bought.

    7. Re:Yes! by Anonymous Coward · · Score: 0

      This is a "feature" that makes me never want to touch Firefox ever again. I don't want Firefox feeding my email address to some third party email/data harvesting operation every time I connect to a web site.

    8. Re: Yes! by Anonymous Coward · · Score: 0

      Do you really want to see emoji-enhanced cdreimer spam?

    9. Re: Yes! by Anonymous Coward · · Score: 0

      Nice fallacy. 4chan displays any valid character and still blocks emojis.

    10. Re: Yes! by Anonymous Coward · · Score: 0, Informative

      If you're going to be paranoid, at least think for a second: Firefox doesn't know your email address.

    11. Re: Yes! by Anonymous Coward · · Score: 0

      If you're going to be naive, at least think for a second: Firefox absolutely knows your email address if you use it for web mail. It also knows your username and password for every single site that you login to from Firefox.

    12. Re: Yes! by Anonymous Coward · · Score: 1

      Except my browser doesn't send my data to a third party like Firefox does.

    13. Re: Yes! by thereitis · · Score: 0

      You found a browser that doesn't send data to a 3rd party? Please, do tell, what browser are you using?

    14. Re: Yes! by ChunderDownunder · · Score: 1

      Your use of the verb "know" implies a sentience.

    15. Re: Yes! by Anonymous Coward · · Score: 0

      But shouldn't the message tell you how many days it's been since the last known data breach? The way things are with corporate web security and their lack of concern or motivation to be proactive nowadays.

    16. Re:Yes! by Anonymous Coward · · Score: 0

      Most likely it will require 10 clicks to enter the blocked site once, but one click will let you go to the site AND make the change permanent and warnings invisible in future. At least if they follow the same logic as with expired/self-signed certificates.

    17. Re:Yes! by Anonymous Coward · · Score: 0

      If they tell you the date of the last breach and the total number of breaches, then you will have a better chance of selecting the least bad of the websites for your data...

      This will become something to compete about for various sites... suddenly making data security a priority!

      I applaud FF for this!

    18. Re: Yes! by Anonymous Coward · · Score: 0

      Pale Moon.

      And you're welcome.

    19. Re: Yes! by Anonymous Coward · · Score: 0
  2. Harvesting the sites I visit by QuietLagoon · · Score: 0

    So now, Firefox will be tracking and harvesting the sites I visit? Wow, Mozilla really is turning Firefox into a Chrome clone.

    1. Re:Harvesting the sites I visit by Anonymous Coward · · Score: 0

      No. It will download a list of sites that have been breached and check your browsing against the local list. That's 1000x times less expensive for mozilla anyway since otherwise the load on their servers would be enormous.

      FWIW, that is also basically the way google's safe-search works (which firefox also uses) - it downloads a blacklist of hashed URLs and only talks to google if the page you are browsing matches the hash. Then it sends the hash to google to get the full URL and does the URL comparison locally (in case there is a hash collision). So google does get a list of people who browse sites they consider unsafe. Most people will consider that a reasonable trade-off.
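The local-prefix-list flow described in the comment above, as an added example that is not Mozilla's, Google's or Have I Been Pwned's code: a hypothetical `ListServer` and `Browser` model the two sides, and the prefix is deliberately shortened to 2 bytes (real Safe Browsing uses 4) so that a benign URL colliding on the prefix can be constructed by brute force. It shows that only prefix matches ever reach the server, that the final full-hash comparison is local, and that a collision therefore costs privacy (the server sees the query) but does not produce a false warning. URL canonicalisation is omitted (assumption).

```python
import hashlib

# Assumption: 2-byte prefixes so a collision is cheap to construct; real lists use 4 bytes.
PREFIX_LEN = 2


def url_hash(url: str) -> bytes:
    # Real implementations canonicalise the URL first; omitted here for brevity.
    return hashlib.sha256(url.encode("utf-8")).digest()


class ListServer:
    """Hypothetical stand-in for the list provider (Safe Browsing or a breach list)."""

    def __init__(self, unsafe_urls):
        self.full_hashes = {url_hash(u) for u in unsafe_urls}
        self.prefixes_queried = []  # everything the server learns about one client

    def prefix_list(self) -> set:
        # What the browser downloads up front: prefixes only, not full hashes or URLs.
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def full_hashes_for(self, prefix: bytes) -> list:
        # Called only on a prefix match; this is the one point where the server sees activity.
        self.prefixes_queried.append(prefix)
        return [h for h in self.full_hashes if h.startswith(prefix)]


class Browser:
    def __init__(self, server: ListServer):
        self.server = server
        self.local_prefixes = server.prefix_list()  # fetched once, refreshed periodically

    def is_flagged(self, url: str) -> bool:
        h = url_hash(url)
        if h[:PREFIX_LEN] not in self.local_prefixes:
            return False  # decided locally; nothing leaves the machine
        candidates = self.server.full_hashes_for(h[:PREFIX_LEN])
        # The full comparison happens here, locally, so a prefix collision is not a false positive.
        return h in candidates


def find_prefix_collision(target_url: str, base: str = "https://benign.example/page") -> str:
    """Construct a benign URL whose hash prefix equals the target's (brute force)."""
    want = url_hash(target_url)[:PREFIX_LEN]
    i = 0
    while True:
        candidate = f"{base}{i}"
        if url_hash(candidate)[:PREFIX_LEN] == want:
            return candidate
        i += 1


def demo() -> dict:
    # Constructed sample list; these hosts are placeholders, not real indicators.
    server = ListServer(["https://breached.example/login", "https://malware.example/"])
    browser = Browser(server)
    colliding_benign = find_prefix_collision("https://breached.example/login")
    flagged_bad = browser.is_flagged("https://breached.example/login")   # one server query
    collision_safe = browser.is_flagged(colliding_benign)               # one more query, no warning
    queries_after_two_visits = len(server.prefixes_queried)
    unrelated_safe = browser.is_flagged("https://slashdot.org/")         # almost certainly no query
    return {
        "flagged_bad": flagged_bad,
        "collision_safe": collision_safe,
        "unrelated_safe": unrelated_safe,
        "queries_after_two_visits": queries_after_two_visits,
    }


if __name__ == "__main__":
    print(demo())
```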

    2. Re:Harvesting the sites I visit by raburton · · Score: 5, Informative

      So now, Firefox will be tracking and harvesting the sites I visit? Wow, Mozilla really is turning Firefox into a Chrome clone.

      Having looked at the code: No, it downloads a breach list from here: https://stage.haveibeenpwned.c... It does not send all your browsing history to them.
      If you enter your email address that will be sent to the site for checking, but that's obviously optional.

    3. Re:Harvesting the sites I visit by Khyber · · Score: 1

      As if Mozilla could actually afford the infrastructure needed to handle the sheer amount of requests from their 5% market share...

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:Harvesting the sites I visit by Anonymous Coward · · Score: 0

      So google does get a list of people who browse sites they consider unsafe. Most people will consider that a reasonable trade-off.

      Except that websites on this list can regularly be websites you may want to avoid others knowing you are visiting (the more "underground" a website, the higher the risk of malicious ads/code...). Even just mainstream torrent/streaming websites have been listed there regularly.

      There is no reason for them to double-check the URLs directly. Hash collisions are far too unlikely when used properly (and that is a reasonable trade-off, as long as the message includes this unlikely risk of collision, and there is always a way to bypass it...), and there can be incremental list updates very regularly when needed (in most cases, this won't be significantly more expensive), instead of checking a single URL.

      More importantly, if browsers stopped trying to be the next Internet Explorer 6, adding tons of stupidly useless APIs and non-features, aiming for a full OS in a browser, there would be far fewer security and privacy problems on the web today.

      Until version 4, Firefox was finally the hope to end all this bullshit for good. Sadly Google wasted it all.

    5. Re:Harvesting the sites I visit by Anonymous Coward · · Score: 0

      Except that websites on this list can regularly be websites you may want to avoid others to know you are visiting (the more "underground" a website, the higher the risk of malicious ads/code...)

      If you want to visit risky websites on purpose, then disable safe-browsing. Seems like if you aren't educated enough to know to turn off safe-browsing then you aren't educated enough to adequately handle the risks of using such websites.

      You are worried about corner cases, Mozilla and google are worried about the common case.

    6. Re:Harvesting the sites I visit by Anonymous Coward · · Score: 0

      I don't think it should even have to do that much. Here, I can write it for them without needing to download the list:

      #include <string>

      // Always reports a breach; the joke is that the answer never differs.
      bool hadDataBreach(const std::string& url)
      {
          return true;
      }

  3. Privacy by Anonymous Coward · · Score: 0

    Why am I reading this as "Firefox will share your browsing history with another partner."

    Is this list downloaded and compared locally? I doubt it too. Which means they have to send the URL to someone and ask if it is okay.

    This better have a disable option. Ideally it would be in the privacy tab and not buried in the config file.

    1. Re: Privacy by Anonymous Coward · · Score: 1

      Just go to about:config then set:

      HasHaveIBeenPawnedBeenPawned to 1

    2. Re:Privacy by raburton · · Score: 5, Insightful

      Why am I reading this as "Firefox will share your browsing history with another partner."

      Probably because you have a bias.

      Is this list downloaded and compared locally? I doubt it too.

      Yes, this is exactly how it works. It downloads a list from here: https://stage.haveibeenpwned.c...

      The beauty of open source code is you can see how it works, if you aren't too lazy to just not bother.

    3. Re:Privacy by Anonymous Coward · · Score: 0

      My bias is that I expect everyone to monetize my actions. At some point firefox got lumped in with all the others and the question became who they sell to not if they sell.

  4. Implementation finished by Anonymous Coward · · Score: 0

    bool CheckSiteForBreach(string URL)
    {
        return true;
    }

    Done!

    And if it isn't bug-free yet, just wait a little while, it will be.

  5. Will they also warn me about TLS CAs? by Anonymous Coward · · Score: 0

    ... Given that CAs aren't trustworthy, just because they or Mozilla say so.

    Yes, if it is your own CA, then TLS might be OK.
    But trusting some random CA employees is equivalent to having no encryption at all.
    Or do you trust the first person coming out an office building to keep all your secrets?

    1. Re:Will they also warn me about TLS CAs? by houghi · · Score: 1

      I do trust others more when it comes to CAs and TLS, because I don't have enough of a clue about what I am doing and so I might make it worse.

      At some point you need to make a trade-off between being able to do everything yourself and trusting other people, as long as you want to have a sane life.
      This does not stop with IT security. It does not mean I trust anything blindly, but I often trust them more than myself.

      The fact that you say "Yes, if it is your own CA, then TLS might be OK." and not that it is means you have the same idea and are just moaning about nothing.

      --
      Don't fight for your country, if your country does not fight for you.
  6. "that have suffered data breaches" by Gaygirlie · · Score: 3, Insightful

    Hmm, I don't think that's going to work. I mean, in this day and age, it'd be easier to maintain a list of sites that haven't suffered such!

  7. Next step: totally unbiased fact checking built-in by Anonymous Coward · · Score: 1

    When Mozilla starts annotating sites you visit, I wonder how long until they copy Google and automatically show totally unbiased and neutral "fact checkers" when you visit an offensive website? They already have their own ministry of truth initiative after all: https://blog.mozilla.org/blog/2017/08/08/mozilla-information-trust-initiative-building-movement-fight-misinformation-online/

  8. I would like to be warned of session replay script by grungeman · · Score: 1

    You may know that some websites use scripts to record everything from a session, every keystroke and mouse move. And they don't feel obliged to inform you that they are doing this.

    https://freedom-to-tinker.com/...

    --

    Signature deleted by lameness filter.
  9. I already have a script to do that... by Baron_Yam · · Score: 1

    It just throws up a warning icon and leaves it there regardless of what site I visit.

    ANY site you allow to run client-side scripts should be assumed to be logging your activity. Any site you give personal information to should be assumed to be either selling it or at imminent risk of having it stolen. Or both.

    That's not even paranoia, that's just common bloody sense; it's what financial self interest on the part of content providers and hackers leads to.

  10. "Just a list" is still notifying about activity. by Futurepower(R) · · Score: 1

    Even if Firefox only downloads a list, it is still giving information about your activity to another web site.

    The underlying problem? One problem that the management of mozilla.org has is being very poor at communicating. It is common that technically-knowledgeable people don't communicate well. It is common that even people who are especially socially capable make mistakes by communicating in a flawed way.

    Another example of poor communication: Mozilla.org management did not handle communicating the move to Firefox 57 well. People use Firefox because of the availability of add-ons, also known as extensions. (Communicate carefully: Don't give 1 thing 2 names.) Preventing use of most add-ons without a careful public explanation tended to cause people to lose confidence in Mozilla.org and begin using Waterfox or Pale Moon browsers.

  11. Corporate response should be amusing by nehumanuscrede · · Score: 1

    They -HATE- having to report such incidents as it is and only do so because they have to.

    Nothing like a glaring spotlight on your front door that says " Your personal information isn't safe with us " to help your customers feel at ease.

    Maybe the List of Shame will motivate corporate folks to secure their networks and quit treating their IT / Network Security as an expense instead of an investment.

    Maybe.

    But I doubt it.

    They'll just whine to Congress about how unfair it is that they're getting picked on and how it's hurting their business.

    You and I just roll our eyes at such things, but Congress does stupid things when enough bribe . . . . er. . . campaign donations are on the line.

    I would expect a silly response from them soon enough.

    1. Re:Corporate response should be amusing by Anonymous Coward · · Score: 0

      So they can block sites that failed to report a breach for over a year?

      Corporate response will be champagne bottles and free coke all around. This is a censorship dream come true.

      "The (torrent) website you're attempting to browse has been flagged as bad for you. Do you wish to be monitored (for your safety) and continue?"

  12. I'd rather the extensions still worked by Anonymous Coward · · Score: 0

    Seriously, can't the existing stuff work properly before you start adding new features?

    Browsers, office software, these are utilitarian applications. The basics should work well, virtually 100%. Instead, bugs and functionality issues linger for years while the shiny new new keeps getting added to the pile.

    Go back to making the best browser. Only then start thinking about new features.

  13. Have I been Pwnd by shayd2 · · Score: 1

    Has anyone checked out Have I Been Pwned?

    They are obviously collecting email and IP addresses

  14. Just great by Anonymous Coward · · Score: 0

    Because that won't be abused...

  15. Overload by burtosis · · Score: 1

    Every site I'd ever visit would light up like a Christmas tree with warnings. I'll give it two weeks before those annoying auto add ons block these warnings.

  16. Re:"Just a list" is still notifying about activity by raburton · · Score: 3, Informative

    Even if Firefox only downloads a list, it is still giving information about your activity to another web site.

    Yes, it tells a site that someone at your IP address (which much of the time is likely to be a DHCP address from your ISP) uses Firefox. I'm struggling to think of a serious enough situation that could arise from that to justify your level of outrage.

    The underlying problem? One problem that the management of mozilla.org has is being very poor at communicating. It is common that technically-knowledgeable people don't communicate well. It is common that even people who are especially socially capable make mistakes by communicating in a flawed way.

    Funny because you already seem to know all you need to about this functionality (and you clearly don't like it) and it isn't even part of Firefox yet and may well never be.

    Another example of poor communication: Mozilla.org management did not handle communicating the move to Firefox 57 well. People use Firefox because of the availability of add-ons, also known as extensions. (Communicate carefully: Don't give 1 thing 2 names.) Preventing use of most add-ons without a careful public explanation tended to cause people to lose confidence in Mozilla.org and begin using Waterfox or Pale Moon browsers.

    I wondered when we'd get to WebExtensions - every hater's current favourite stick to beat Mozilla with.

    You must have been out when they came door to door to tell you about the pending changes, but I'm not sure how you missed the sky writers and the leaflet drops! Seriously, what do you want from them? You're blaming the wrong people here anyway. Mozilla gave developers 2 years warning about support for the old addons system being dropped. They have been marking your addons as legacy to help warn people they need to get them updated for some time too, if you want something more user focused. Then of course there is reading the Mozilla site, update notes, etc. That doesn’t seem like an unreasonable suggestion - to occasionally look at the site of, or release notes for, a software product you use on a daily basis.

    Unfortunately most addon developers didn't bother to update their addons in a timely manner. That left them scurrying to fix their addons at the last minute to fit around a timetable they knew about for 2 years. I am aware that not everything that could be done with addons can be ported to the new system, but if addon developers had made a bit of effort sooner they could have influenced the WebExtension support and perhaps got additions made to the API. I’m not sure the Mozilla developers have always been as responsive to suggestions as would be liked, but more people getting involved at an earlier stage would almost certainly have worked out better.

    It was only by dropping the old addon system that they were able to give us a new, fast, efficient browser to keep up with the likes of Chrome. I'm sure most of the people whining about the change were also whining about how far behind Firefox was getting. And performance wasn't the only problem with the old system - no permissions system, no security, addons breaking from release to release of Firefox, etc.

  17. Waaaay too late by Spinlock_1977 · · Score: 3, Funny

    Nice try, but I want a plug-in that warns me a website is GOING to be breached, rather than 'it already has been breached'. Can someone code that up please?

    --
    - The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
    1. Re:Waaaay too late by Anonymous Coward · · Score: 0

      That SSL warning tag at the top is a good first indicator.

    2. Re:Waaaay too late by Anonymous Coward · · Score: 0

      All you need to do, is browse the web on a Win Xp machine ;)

    3. Re:Waaaay too late by AmiMoJo · · Score: 1

      #include <stdbool.h>

      bool IsSiteVulnerableToBeingHacked(char *url) {
          return true;   // accurate to 1 decimal place
      }

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  18. Wait, they hacked themselves? by Anonymous Coward · · Score: 0

    Given that Putin was installed by US puppet Boris Yeltsin ...

  19. Is Google on the List by number17 · · Score: 1

    Will I receive a warning every time I perform a search in Firefox's default search field? That will get annoying fast.
    Google Employees Hit by Sabre Breach - http://www.securityweek.com/go...

    What about submitting a Firefox bug? They've been breached too.
    Mozilla admits bug-tracker breach led to attacks against Firefox users - https://www.computerworld.com/...

  20. Re:"Just a list" is still notifying about activity by Anonymous Coward · · Score: 0

    I agree with almost everything you said, except " if addon developers had made a bit of effort sooner they could have influenced the WebExtension support and perhaps got additions made to the API". Mozilla's current lead developers have directly refused to allow functionality they believe is unnecessary and are publicly unwilling to even entertain that this might be incorrect, despite points made by previous Mozilla developers. This is (I believe) the core of the issue some people exaggerate about the org.

    That said, this prototype concept is a good one for personal security, so I hope it is included.

  21. Re:"Just a list" is still notifying about activity by Antiocheian · · Score: 1

    Unfortunately most addon developers didn't bother to update their addons in a timely manner.

    It's fortunate for them because they have better things to do with their free time. Who cares about Mozilla anymore?

    I'm sure most of the people whining about the change

    Does switching to Chrome, Pale Moon or Brave count as "whining"?

  22. Re:"Just a list" is still notifying about activity by Anonymous Coward · · Score: 0

    >People use Firefox because of the availability of add-ons

    Um, not even half of them do so for the add-ons, and most of those don't even use more than an adblocker and a couple of popular addons that are already ported. The "problem" here is not just that Mozilla isn't communicating well, but that other people are quick to jump on that and misinform people, acting like everyone who uses Firefox is like them, and Mozilla needs to cater to their needs first and foremost, or it's a "problem".

    Thankfully this is changing for the better. The people who feel this way aren't #1 anymore, and are moving on to lesser-used browsers where they can feel special because they really *are* the only users there. And Firefox is still for the rest of the people who used it, and can continue making a proper browser instead of just one where some loud people try to act like its only value is the add-ons. Let Pale Moon be that browser instead. Firefox is for everyone, not just you.

  23. My initial reaction was incorrect. by Futurepower(R) · · Score: 1

    The underlying problem? Try number 2. Downloading a list and warning users of contacting any site on that list may be a good idea. But that should not be a browser function, it should be an operating system function. There should be a warning any time a computer tries to connect to an unsafe site, for any reason, not just because of browsing.

    The Slashdot summary and the stories linked in the summary don't mention that Mozilla is apparently merely copying the Google Chrome browser: Manage warnings about unsafe sites.

    My initial reaction was incorrect partly because of poor communication. I didn't understand what was being reported.

    1. Re:My initial reaction was incorrect. by theweatherelectric · · Score: 1

      don't mention that Mozilla is apparently merely copying the Google Chrome browser

      No, this is a separate issue. Firefox has long had attack site warnings. I think Internet Explorer was the first to have unsafe site warnings starting with Internet Explorer 7 11 years ago, so everyone's copying Microsoft.

  24. No warning == brand new site? by misnohmer · · Score: 1

    So this is going to be like all the "...known to the state of California to cause cancer and birth defects." warnings which are present on every hotel, store, and most products sold in California. While warning about data breaches may be a good-sounding idea, in practice this will turn into a "this is a brand new company" indicator, i.e. "no warning about data breach means they are brand new to the internet".

    A better idea would be to provide details about time, size and handling of every known breach (how quick were customers notified, what remedy was offered, etc).

  25. Trust is based on knowing them! by Anonymous Coward · · Score: 0

    Yes, you literally "trust" them blindly! Because you know nothing about them, and if you believe you do, you are deluding yourself.
    That is not trust. That is just ignorance due to laziness!

    Trust is a thing of human interaction! You know... that concept that's considered outdated by most Americans (like Damore) and abused to serve the opposite by the rest of the Americans (SJWs): Social behavior!
    (Exceptions show the rule.)

    I trust people based on how much I know them! Duh!

    The fact that you believe that is the same idea, proves you understood nothing.
    I trust MY CA. And ONLY MINE. In case you are such a swarm entity that you understand "me" to mean "my group/company/whatever": No. ME = this body, this brain, and not even things others say to me!

    And if you had any clue about the insides of TLS, you would never ever say that TLS "is" trustworthy. It is a huge mess on the inside, with too many bad decisions to even be funny.

    I use one-time pads from a high-quality randomness source wherever I can, btw. And since I only trust actual people that I actually met, everyone of them gets a nice pad to use to communicate with me. (Using my own software solution that works on Linux/BSD/..., AOSP, and will never exist for anything Apple/Microsoft/Google/Amazon/Facebook/...)