Schneier on Security
A blog covering security and security technology.

July 21, 2006

Firefox 2.0 to Contain Anti-Phishing Features

This is a good idea. The built-in anti-phishing capability warns users when they come across Web forgeries, and offers to return the user to his or her home page. Meanwhile, microsummaries are regularly updated summaries of Web pages, small enough to fit in the space available to a bookmark label, but large enough to provide more useful information about pages than static page titles, and are regularly updated as new information becomes available.

Posted on July 21, 2006 at 12:55 PM • 20 Comments

Comments

Sounds like a lot of features are inspired by Opera; maybe they could add a few more things, like saving the open tabs for a future session.

Posted by: Nic at July 21, 2006 01:21 PM

There is an add-on for Firefox that saves sessions: https://addons.mozilla.org/firefox/436/ and others.

Posted by: Spacial at July 21, 2006 01:27 PM

I'm curious what "warns users when they come across Web forgeries" really means. What is the technology they are doing here? Finding "lookalike characters" in a URL? Links that don't match their alternate text? Matching a blacklist?

Posted by: Andrew at July 21, 2006 02:27 PM

How does the Phishing Protection feature work in Firefox 2 Beta 1?

Phishing Protection is turned on by default in Firefox 2 Beta 1, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 Beta 1 when the anti-phishing feature is enabled. Since phishing attacks can occur very quickly, there's also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Anti-Phishing preferences pane. (Note: final set of anti-phishing service providers TBD.)

Source: http://www.mozilla.org/projects/bonecho/anti-phishing/

Posted by: Jonah at July 21, 2006 02:56 PM

I think I'd be targeting the anti-phishing update sites, or at least the URL retrieval, say with a Trojan-horse add-on.

Posted by: A. Fisher at July 21, 2006 03:56 PM

Instead of a list of known phishing sites, which can never be up-to-date (see virus scanners), why don't they just put in a feature where you enter known good domain names? Most people won't have more than a dozen financial-type sites, and they won't change very often. Say you sign up for your bank's online banking; they give you a flyer with the exact URL. You type it in exactly from the flyer, no b.s., no email links. Tell the browser this is a good site. The browser saves it in a list. Now if the domain part of the URL changes for any reason, the browser can warn you about it. If you get some random email sending you to a phishing site, you can check the site against your list of good sites; it doesn't match, so don't use it. The problem is, the user still has to know what the warning means and not just click "do it anyway".

Posted by: ctmf at July 21, 2006 11:27 PM

Firefox can already save open tabs without using an extension. Just "bookmark all tabs" into one convenient bookmark folder. Use the middle mouse button/wheel to open them all up at once again.

Posted by: Dworkin at July 22, 2006 02:42 AM

@ctmf: If only https traffic were analysed, this could work in combination with users being aware of how https works. But I'm sceptical of the feature. If it updates too often, it will be annoying.

Posted by: Stefan Wagner at July 22, 2006 08:54 AM

Andrew said: "I'm curious what 'warns users when they come across Web forgeries' really means. What is the technology they are doing here?"

I guess they use a blacklist, because the thing is being updated as stated above, but I wonder how fast this updating is. Blacklisting is a way, but not the most optimal; it requires human input. A better method involves checking the headers/IPs against reverse DNS entries, if I may suggest.

Posted by: Jungsonn at July 22, 2006 09:03 AM

Stefan: "The browser would still have to identify whether you're performing some financial transactions..."

But the browser shouldn't actively alert you. It should passively let you know you're visiting a known good site. It has to be something visually distinct, like coloring the URL line green or painting a border around the window. So you know that when visiting your bank's page, or any service you trust and white-listed before, the URL line should be green, and if it's not then something is wrong.

Posted by: Carme at July 23, 2006 01:24 AM

I agree with Bruce, this is a good idea. To a large extent it doesn't matter how it works, or whether the blacklist is updated hourly or weekly.

Posted by: Dave R at July 24, 2006 03:28 AM

"Instead of a list of known phishing sites, which can never be up-to-date (see virus scanners), why don't they just put in a feature where you enter known good domain names? Most people won't have more than a dozen financial-type sites, and they won't change very often."

"But the browser shouldn't actively alert you. It should passively let you know you're visiting a known good site."

There is an extension for Firefox which does exactly that. I.e. when visiting mybank.com, the status bar will show "My personal banking site".

Posted by: Paeniteo at July 24, 2006 03:38 AM

@Paeniteo

Posted by: dbh at July 24, 2006 01:05 PM

Thunderbird (the Mozilla mail client) has had this anti-phishing feature since 1.5, I think. It's very good, but I don't think it does much more than what you or I would: hover over the link and you can see where it really points. If that differs from the actual text of the link, avoid it like the plague.

What irritates me is that registrars should be able to tell when a domain request is put in for a name obviously intended to deceive, like paypalcgi-bin.com. Such purchases are clearly for one purpose alone: to confuse, and possibly defraud, non-technical users. Or maybe it's just a matter of education.

Posted by: siennalizard at July 25, 2006 06:08 PM

Unfortunately, here in Greece most (web banking) sites do not work correctly with Firefox and require IE (only). I wonder, in the case that something goes wrong (not only phishing), if one can claim that it was their fault because their site only worked with an insecure browser.

Posted by: GreekTeacher at July 26, 2006 07:38 AM

"Thunderbird (the Mozilla mail client) has had this anti-phishing feature since 1.5, I think. It's very good."

Ironically, my copy of Thunderbird consistently flags legitimate email from my CC company as phishing (do they know something I don't?), yet some actual phishing gets through.

Posted by: jayh at July 26, 2006 02:47 PM

@jayh: Look at the hyperlinks contained in those messages. I mean HTML like this:

Posted by: Paeniteo at July 27, 2006 07:07 AM

Oops, the HTML got kicked out; here it is again with a different kind of brackets:

{a href="https://billingserver17.company.com/login/eraclei"}www.company.com/login{/a}

Posted by: Paeniteo at July 27, 2006 07:09 AM

Looks nice, but usually people who have Firefox are from IT, so their know-how is much better than that of average IE users. I think it is a very useful plugin, but IE needs the same update too.

Posted by: AZOR at July 29, 2006 12:05 PM
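Several commenters above sketch client-side checks rather than a downloaded blacklist: ctmf's user-entered list of known-good domains with a passive indicator (Carme, Paeniteo), siennalizard's deceptive registrations like paypalcgi-bin.com, and the href-versus-visible-text comparison that siennalizard and Paeniteo discuss, with jayh's legitimate billing mail as the false-positive case. The following is an added example written for this page; it is not Firefox's, Thunderbird's or any commenter's code. It assumes a constructed whitelist (www.company.com and www.paypal.com with made-up labels), approximates the registrable domain as the last two hostname labels, and runs under Node.js with no network access.

```javascript
// Added example, not Mozilla's code. Implements a "known good domains"
// whitelist (ctmf/Carme/Paeniteo) and an href-vs-displayed-text comparison
// (siennalizard/Paeniteo). Node.js; uses the WHATWG URL class.

// Constructed whitelist: hostnames the user typed in from the bank's flyer,
// mapped to the label a status-bar indicator would show.
const KNOWN_GOOD = new Map([
  ["www.company.com", "My personal banking site"],
  ["www.paypal.com", "Payment account"],
]);

// Registrable domain approximated as the last two labels ("company.com").
// Sufficient for the .com hosts in this thread; real code needs the Public
// Suffix List to handle suffixes such as "co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Brand label = leftmost label of the registrable domain ("paypal").
function brandOf(hostname) {
  return registrableDomain(hostname).split(".")[0];
}

// Classify a URL the user is about to visit:
//   "known-good": exact host in the whitelist -> passive green marker
//   "related":    same registrable domain as a whitelisted host
//   "lookalike":  different registrable domain that embeds a whitelisted
//                 brand name (e.g. paypalcgi-bin.com) -> warn
//   "unknown":    nothing to say; absence of a marker is the signal
function classifyUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { status: "invalid" };
  }
  const host = url.hostname.toLowerCase();
  if (KNOWN_GOOD.has(host)) {
    return { status: "known-good", label: KNOWN_GOOD.get(host) };
  }
  const domain = registrableDomain(host);
  for (const good of KNOWN_GOOD.keys()) {
    if (registrableDomain(good) === domain) {
      return { status: "related", label: KNOWN_GOOD.get(good) };
    }
  }
  for (const good of KNOWN_GOOD.keys()) {
    if (host.includes(brandOf(good))) {
      return { status: "lookalike", resembles: good };
    }
  }
  return { status: "unknown" };
}

// Extract a hostname from visible link text such as "www.company.com/login".
// Returns null when the text is not URL-like ("click here").
function hostFromText(text) {
  const t = text.trim();
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t;
  try {
    const host = new URL(candidate).hostname.toLowerCase();
    // Require a dot so a plain word is not mistaken for a hostname.
    return host.includes(".") ? host : null;
  } catch {
    return null;
  }
}

// Compare where a link points with what it displays. strict=true demands
// identical hostnames, which is the kind of rule that flags jayh's legitimate
// mail; strict=false compares registrable domains only, so Paeniteo's
// billingserver17.company.com example passes while paypalcgi-bin.com does not.
function linkTextMismatch(href, text, strict) {
  const textHost = hostFromText(text);
  if (textHost === null) return "no-host-in-text";
  let hrefHost;
  try {
    hrefHost = new URL(href).hostname.toLowerCase();
  } catch {
    return "invalid-href";
  }
  const same = strict
    ? hrefHost === textHost
    : registrableDomain(hrefHost) === registrableDomain(textHost);
  return same ? "ok" : "mismatch";
}

// Constructed inputs from the thread.
console.log(classifyUrl("https://www.company.com/login"));
console.log(classifyUrl("http://paypalcgi-bin.com/"));
console.log(linkTextMismatch("https://billingserver17.company.com/login/eraclei",
  "www.company.com/login", true));
console.log(linkTextMismatch("https://billingserver17.company.com/login/eraclei",
  "www.company.com/login", false));
```

The two modes of linkTextMismatch make the thread's disagreement concrete: a hostname-exact rule catches more lookalikes but produces exactly the false positive jayh reports, while a registrable-domain rule accepts a bank's separate billing host at the cost of missing mismatches within one domain. Whichever is chosen, ctmf's caveat stands: the indicator only helps a user who knows what its absence means.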