Schneier on Security

A blog covering security and security technology.

« Voice Authentication in Telephone Banking | Main | Friday Squid Blogging: Humboldt Squid »

July 21, 2006

Firefox 2.0 to Contain Anti-Phishing Features

This is a good idea.

The built anti-phishing capability warns users when they come across Web forgeries, and offers to return the user to his or her home page. Meanwhile, microsummaries are regularly updated summaries of Web pages, small enough to fit in the space available to a bookmark label, but large enough to provide more useful information about pages than static page titles, and are regularly updated as new information becomes available.

Posted on July 21, 2006 at 12:55 PM • 20 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Nic • July 21, 2006 1:21 PM

Sounds like a lot of features are inspired by Opera, maybe they could add a few more things - like saving the open tabs for a future session.
The anti-phishing is a nice idea, it will be a nice improvement over having multiple toolbar plugins, or the nothing that most people have, because toolbars are too much trouble to download.

Spacial • July 21, 2006 1:27 PM

There is an add-on of firefox that save sessions:

https://addons.mozilla.org/firefox/436/

and others..

Nils • July 21, 2006 1:38 PM

version 2.0 (beta) does already save open tabs..

Andrew • July 21, 2006 2:27 PM

I'm curious what "warns users when they come across Web forgeries" really means..... what is the technology they are doing here?

Finding "lookalike characters" in a URL? Links that don't match their alternate text? Matching a blacklist?

Jonah • July 21, 2006 2:56 PM

How does the Phishing Protection feature work in Firefox 2 Beta 1?

Phishing Protection is turned on by default in Firefox 2 Beta 1, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 Beta 1 when the anti-phishing feature is enabled. Since phishing attacks can occur very quickly, there's also an option check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Anti-Phishing preferences pane. (Note: final set of anti-phishing service providers TBD.)

Source: http://www.mozilla.org/projects/bonecho/...

A. Fisher • July 21, 2006 3:56 PM

I think I'd be targeting the anti-phishing update sites, or at least the URL retrieval, say with a Trojan-horse add-on.

ctmf • July 21, 2006 11:27 PM

Instead of a list of known phishing sites, which can never be up-to-date (see virus scanners), why don't they just put a feature where you enter known good domain names? Most people won't have more than a dozen financial-type sites, and they won't change very often.

Say you sign up for your bank's online banking, they give you a flyer with the exact url. You type it in exactly from the flyer, no b.s., no email links. Tell the browser this is a good site. Browser saves it in a list.

Now if the domain part of the url changes for any reason, the browser can warn you about it.

If you get some random email sending you to a phishing site, you can check the site against your list of good sites, doesn't match, don't use it.

Problem is, the user still has to know what the warning means and not just click "do it anyway".
You'd have to compile the list on multiple machines, or find a way to share the information, though.

Dworkin • July 22, 2006 2:42 AM

Firefox can already save open tabs without using an extension. Just "bookmark all tabs" into one convenient bookmark folder. Use the middle mouse button/wheel to open them all up at once again.

Stefan Wagner • July 22, 2006 8:54 AM

@ctmf:
The browser would still have to identify, whether you're performing some financial transactions, or just create a new comment for 'schneier', using a new search-engine, playing a game, ...

If only https-traffic would be analysed, this could work in combination with users being aware of how https works.

But I'm sceptical on the feature.
If a million of phishing-spam is send out - how long does it take to blacklist the site?
How often will my browser update his list?

If it updates too often, it will be annoying.
If it updates too rarely, it will be useless.

Jungsonn • July 22, 2006 9:03 AM

Andrew said:

I'm curious what "warns users when they come across Web forgeries" really means..... what is the technology they are doing here?

I guess they use a blacklist beacuse the thing is being updated as stated above, but i wonder how fast this updating is. Blacklisting is a way, but not the most optimal, it requires human input. a better method involves checking the headers/ip's against reverse dns entries if i may suggest.

Carme • July 23, 2006 1:24 AM

Stefan:

"The browser would still have to identify, whether you're performing some financial transactions..."

But the browser shouldn't actively alert you. It should passively let you know you're visiting a known good site. It has to be something visually distinct, like coloring the url line green or painting a border around the window. So you know that when visiting your bank's page, or any service you trust and white-listed before, the url line should be green and if it's not then something is wrong.

Dave R • July 24, 2006 3:28 AM

I agree with Bruce, this is a good idea. To a large extent it doesn't matter how it works, or whether the blacklist is updated hourly or weekly.
The point is there is no trade-off. By using Firefox I am getting extra security for my online banking transactions.
I don't have to do anything to get that extra security.

Paeniteo • July 24, 2006 3:38 AM

"Instead of a list of known phishing sites, which can never be up-to-date (see virus scanners), why don't they just put a feature where you enter known good domain names? Most people won't have more than a dozen financial-type sites, and they won't change very often."

"But the browser shouldn't actively alert you. It should passively let you know you're visiting a known good site."

There is an extension for Firefox which does exactly that.
You can define short texts which will be displayed in an inaccessible part of the UI (by webpages) when entering a certain site.
In addition, you can turn on coloring of the URL bar, AFAIR.

I.e. when visiting mybank.com, the statusbar will show "My personal banking site".
When visiting mybank.com.phishing.net, the text will not be there, which you could then notice.

dbh • July 24, 2006 1:05 PM

@Paenito
Yes, there is an (old) extension that has to be hacked to use with later versions of FF. However, it lacks proactive protection, only alerting observant users to Phishing. I think it is a start, better with a flashing red icon if the site isn't in an approved whitelist per @CTMF. Or maybe URL coloring in red. And maybe green for whitelisted sites. And the blacklist doesn't hurt, there are still lots of folks who will fall for them.

siennalizard • July 25, 2006 6:08 PM

Thunderbird (the Mozilla mail client) has had this feature anti-phishing since 1.5, I think. It's very good, but I don't think it does much more than what you or I would: hover the link and you can see where it really points. If that differs from the actual text of the link, avoid it like the plague.

What irritates me is that registrars should be able to tell when a domain request is put in for a name obviously intended to deceive, like paypalcgi-bin.com. Such purchases are clearly for one purpose alone: to confuse, and possibly defraud non-technical users.

Or maybe it's just a matter of education.

GreekTeacher • July 26, 2006 7:38 AM

Unfortunately, here in Greece most (web banking) sites do not work correctly with Firefox and require IE (only). I wonder in the case that sth. goes wrong (not only phising) if one can claim that it was their fault because their site only worked with an insecure browser.
I 'd better start making up a list of security experts ready to testify. Anyone interested???

jayh • July 26, 2006 2:47 PM

--Thunderbird (the Mozilla mail client) has had this feature anti-phishing since 1.5, I think. It's very good---

Ironically my copy of Thunderbird consistently flags legitimate email from my CC company as phishing (do they know something I don't?), yet som actual phishing gets thru.

Paeniteo • July 27, 2006 7:07 AM

@jayh: Look at the hyperlinks contained in those messages.
Do they point to raw IP-addresses?
Do the "obscure" the target URL by using a different URL in the link text?*
These are points that lead Thunderbird to mark an email as phishing.

* I mean HTML like this:
www.company.com/login
Some firms do so, apparently for better recognition of the "brand" domain name.

Paeniteo • July 27, 2006 7:09 AM

Oops, HTML got kicked out, here again with different kind of brackets:

{a href="https://billingserver17.company.com/login/eraclei"}www.company.com/login{/a}

AZOR • July 29, 2006 12:05 PM

Looks nice but, usally people who have FireFox are from IT -> their know how is much better then avarge IE users. I think veru usefull plugin, but IE need same update too.

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D