Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Will Warn Users When Visiting Sites That Suffered a Data Breach (bleepingcomputer.com)

Posted by msmash on from the strengthening-walls dept.

An anonymous reader writes: Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches. The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents. Work on this project has only recently started. The code to show these warnings is not even in the Firefox codebase but managed separately as an add-on available (on GitHub). The alert also includes an input field. In the add-ons current version this field doesn't do anything, but we presume it's there to allow users to search and see if their data was exposed during that site's security breach. Troy Hunt, Have I Been Pwned's author has confirmed his official collaboration with Mozilla on this feature.

30 of 64 comments (clear)

  1. Yes! by Anonymous Coward · · Score: 5, Insightful

    Finally, a feature that makes me want to use Firefox.

    Except how useful is this given that it's going to warn me about every single site I visit?

    1. Re: Yes! by pollarda · · Score: 1

      Odds are, at least with the legs companies, if they suffered a data breach, theyâ(TM)ve cracked down on security and fixed as many of the problems as they can find. The real danger is with the companies who havenâ(TM)t suffered a data breach (that they know of) since their problems havenâ(TM)t been addressed.

    2. Re:Yes! by Freischutz · · Score: 1

      Finally, a feature that makes me want to use Firefox.

      Except how useful is this given that it's going to warn me about every single site I visit?

      Look on the bright side, at least you'll get a giggle out of seeing a warning banner with an announcement that reads something like this 'Warning: This organisation was hacked by the Russian intelligence services due to the utterly inadequate security measures employed by this organisation.' every time you visit gop.org and democrats.org.

    3. Re:Yes! by Anonymous Coward · · Score: 1

      Except how useful is this given that it's going to warn me about every single site I visit?

      From the fine article it seems like the focus is on prompting people to change their password when a site has been compromised.

      But I think there could be a much greater value. I think part of the problem is that users just don't know how shitty websites are at protecting their personal data. When there is a major breach it is big news... for 15 minutes and then some other news story captures the spotlight and everybody forgets.

      Putting a big bright sign right on the website itself whenever people use it will cause the bad PR of exposing users' criminals to stay fresh in people's minds. It might be enough to generate support for legal protections with teeth rather than the namby-pamby lobbyist-written laws that assure the companies don't have any real liability for screwing over millions of people.

    4. Re:Yes! by AmiMoJo · · Score: 3, Interesting

      I wonder if it might give people a false sense of security. Just because a site isn't flagged up doesn't mean it hasn't been hacked or is secure.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re: Yes! by 14erCleaner · · Score: 4, Funny

      But will it warn me about sites that don't support Unicode?

      --
      Have you read my blog lately?
    6. Re:Yes! by arth1 · · Score: 1

      People want theatre. Not real security, with the inconvenience that entails.

      Anyhow, I don't think this will happen, or if it does, it won't survive for long.
      There are plenty of big companies that would sue the living shat out of the Mozilla Foundation if they do this, calling it anti-competitive. If the warning is perceived to make even a single potential customer leave the web site, they'll call in their army of lawyers and pull strings on the politicos they bought.

    7. Re: Yes! by Anonymous Coward · · Score: 1

      Except my browser doesn't send my data to a third party like Firefox does.

    8. Re: Yes! by ChunderDownunder · · Score: 1

      Your use of the verb "know" implies a sentience.

  2. Re: Privacy by Anonymous Coward · · Score: 1

    Just go to about:config then set:

    HasHaveIBeenPawnedBeenPawned to 1

  3. Re:Privacy by raburton · · Score: 5, Insightful

    Why am I reading this as "Firefox will share your browsing history with another partner."

    Probably because you have a bias.

    Is this list downloaded and compared locally? I doubt it too.

    Yes, this is exactly how it works. It downloads a list from here: https://stage.haveibeenpwned.c...

    The beauty of open source code is you can see how it works, if you aren't too lazy to just not bother.

  4. Re:Harvesting the sites I visit by raburton · · Score: 5, Informative

    So now, Firefox will be tracking and harvesting the sites I visit? Wow, Mozilla really is turning Firefox into a Chrome clone.

    Having looked at the code: No, it downloads a breach list from here: https://stage.haveibeenpwned.c... It does not send all your browsing history to them.
    If you enter your email address that will be the sent to the site for checking, but that's obviously optional.

  5. "that have suffered data breaches" by Gaygirlie · · Score: 3, Insightful

    Hmm, I don't think that's going to work. I mean, in this day and age, it'd be easier to maintain a list of sites that haven't suffered such!

  6. Next step: totally unbiased fact checking built-in by Anonymous Coward · · Score: 1

    When Mozilla starts annotating sites you visit, I wonder how long until they copy Google and automatically show totally unbiased and neutral "fact checkers" when you visit an offensive website? They already have their own ministry of truth initiative after all: https://blog.mozilla.org/blog/2017/08/08/mozilla-information-trust-initiative-building-movement-fight-misinformation-online/

  7. I would like to be warned of session replay script by grungeman · · Score: 1

    You may know that some websites use scripts to record everything from a session, every keystroke and mouse move. And they don't feel oblidged to inform you that they are doing this.

    https://freedom-to-tinker.com/...

    --

    Signature deleted by lameness filter.
  8. I already have a script to do that... by Baron_Yam · · Score: 1

    It just throws up a warning icon and leaves it there regardless of what site I visit.

    ANY site you allow to run client-side scripts should be assumed to be logging your activity. Any site you give personal information to should be assumed to be either selling it or at imminent risk of having it stolen. Or both.

    That's not even paranoia, that's just common bloody sense; it's what financial self interest on the part of content providers and hackers leads to.

  9. "Just a list" is still notifying about activity. by Futurepower(R) · · Score: 1

    Even if Firefox only downloads a list, it is still giving information about your activity to another web site.

    The underlying problem? One problem that the management of mozilla.org has is being very poor at communicating. It is common that technically-knowledgeable people don't communicate well. It is common that even people who are especially socially capable make mistakes by communicating in a flawed way.

    Another example of poor communication: Mozilla.org management did not handle communicating the move to Firefox 57 well. People use Firefox because of the availability of add-ons, also known as extensions. (Communicate carefully: Don't give 1 thing 2 names.) Preventing use of most add-ons without a careful public explanation tended to cause people to lose confidence in Mozilla.org and begin using Waterfox or Pale Moon browsers.

  10. Re:Will they also warn me about TLS CAs? by houghi · · Score: 1

    I do trust others more when it comes to CA and TLS, because I have not enough clue to what I am doing and so I might make it worse.

    At some point you need to do a trade off between being able to do everything yourself and trusting other people. As long as you want to have a sane life.
    This does not stop with IT security. Does not mean I trust anything blindly, but I often trust them more than myself.

    The fact that you say "Yes, if it is your own CA, then TLS might be OK." and not that it is means you have the same idea and are just moaning about nothing.

    --
    Don't fight for your country, if your country does not fight for you.
  11. Corporate response should be amusing by nehumanuscrede · · Score: 1

    They -HATE- having to report such incidents as it is and only do so because they have to.

    Nothing like a glaring spotlight on your front door that says " Your personal information isn't safe with us " to help your customers feel at ease.

    Maybe the List of Shame will motivate corporate folks to secure their networks and quit treating their IT / Network Security as an expense instead of an investment.

    Maybe.

    But I doubt it.

    They'll just whine to Congress about how unfair it is that they're getting picked on and how it's hurting their business.

    You and I just roll our eyes at such things, but Congress does stupid things when enough bribe . . . . er. . . campaign donations are on the line.

    I would expect a silly response from them soon enough.

  12. Have I been Pwnd by shayd2 · · Score: 1
    Has anyone checked out Have I been Pwnd? ?

    They are obviously collecting email and IP addresses

  13. Re:Harvesting the sites I visit by Khyber · · Score: 1

    As is Mozilla could actually afford the infrastructure needed to handle the sheer amount of requests from their 5% market share...

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  14. Overload by burtosis · · Score: 1

    Every site I'd ever visit would light up like a Christmas tree with warnings. I'll give it two weeks before those annoying auto add ons block these warnings.

  15. Re:"Just a list" is still notifying about activity by raburton · · Score: 3, Informative

    Even if Firefox only downloads a list, it is still giving information about your activity to another web site.

    Yes, it tells a site that someone at your ip address (which much of the time is likely to be a DHCP address from your ISP) uses Firefox. I'm struggling to think of a serious enough situation that could arise from that to justify your level of outrage.

    The underlying problem? One problem that the management of mozilla.org has is being very poor at communicating. It is common that technically-knowledgeable people don't communicate well. It is common that even people who are especially socially capable make mistakes by communicating in a flawed way.

    Funny because you already seem to know all you need to about this functionality (and you clearly don't like it) and it isn't even part of Firefox yet and may well never be.

    Another example of poor communication: Mozilla.org management did not handle communicating the move to Firefox 57 well. People use Firefox because of the availability of add-ons, also known as extensions. (Communicate carefully: Don't give 1 thing 2 names.) Preventing use of most add-ons without a careful public explanation tended to cause people to lose confidence in Mozilla.org and begin using Waterfox or Pale Moon browsers.

    I wondered when we'd get to WebExtensions - every haters current favourite stick to beat Mozilla with.

    You must have been out when they came door to door to tell you about the pending changes, but I'm not sure how you missed the sky writers and the leaflet drops! Seriously, what do you want from them? You're blaming the wrong people here anyway. Mozilla gave developers 2 years warning about support for the old addons system being dropped. They have been marking your addons as legacy to help warn people they need to get them updated for some time too, if you want something more user focused. Then of course there is reading the Mozilla site, update notes, etc. That doesn’t seem like an unreasonable suggestion - to occasionally look at the site of, or release notes for, a software product you use on a daily basis.

    Unfortunately most addon developers didn't bother to update their addons in a timely manner. That left them scurrying to fix their addons at the last minute to fit around a timetable they knew about for 2 years. I am aware that not everything that could be done with addons can be ported to the new system, but if addon developers had made a bit of effort sooner they could have influenced the WebExtension support and perhaps got additions made to the API. I’m not sure the Mozilla developers have always been as responsive to suggestions as would be liked, but more people getting involved at an earlier stage would almost certainly have worked out better.

    It was only by dropping the old addon system that they were able to give us a new, fast, efficient browser to keep up with the likes of Chrome. I'm sure most of the people whining about the change were also whining about how far behind Firefox was getting. And performance wasn't the only problem with the old system - no permissions system, no security, addons breaking from release to release of Firefox, etc.

  16. Waaaay too late by Spinlock_1977 · · Score: 3, Funny

    Nice try, but I want a plug-in that warns me a website is GOING to be breached, rather than 'it already has been breached'. Can someone code that up please?

    --
    - The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
    1. Re:Waaaay too late by AmiMoJo · · Score: 1

      bool IsSiteVulnerableToBeingHacked(char *url) {
          return true;   // accurate to 1 decimal place
      }

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. Is Google on the List by number17 · · Score: 1

    Will I receive a warning every time I perform a search in Firefox's default search field? That will get annoying fast.
    Google Employees Hit by Sabre Breach - http://www.securityweek.com/go...


    What about submitting a Firefox bug? They've been breached too.
    Mozilla admits bug-tracker breach led to attacks against Firefox users - https://www.computerworld.com/...

  18. Re:"Just a list" is still notifying about activity by Antiocheian · · Score: 1

    Unfortunately most addon developers didn't bother to update their addons in a timely manner.

    It's fortunately for them because they have better things to do with their free time. Who cares about Mozilla anymore ?

    I'm sure most of the people whining about the change

    Does switching to Chrome, Pale Moon or Brave count as "whining" ?

  19. My initial reaction was incorrect. by Futurepower(R) · · Score: 1

    The underlying problem? Try number 2. Downloading a list and warning users of contacting any site on that list may be a good idea. But that should not be a browser function, it should be an operating system function. There should be a warning any time a computer tries to connect to an unsafe site, for any reason, not just because of browsing.

    The Slashdot summary and the stories linked in the summary don't mention that Mozilla is apparently merely copying the Google Chrome browser: Manage warnings about unsafe sites.

    My initial reaction was incorrect partly because of poor communication. I didn't understand what was being reported.

    1. Re:My initial reaction was incorrect. by theweatherelectric · · Score: 1

      don't mention that Mozilla is apparently merely copying the Google Chrome browser

      No, this is a separate issue. Firefox has long had attack site warnings. I think Internet Explorer was the first to have unsafe site warnings starting with Internet Explorer 7 11 years ago, so everyone's copying Microsoft.

  20. No warning == brand new site? by misnohmer · · Score: 1

    So this is going to be like all the "...known to the state of California to cause cancer and birth defects." warnings which are present of every hotel, store, and most products sold in California. While warning about data breaches may be a good sounding idea, in practice this will turn into "this is a brand new company" indicator, i.e. "no warning about data breach means they are brand new to the internet"

    A better idea would be to provide details about time, size and handling of every known breach (how quick were customers notified, what remedy was offered, etc).