Firefox 2.0 to Contain Anti-Phishing Features

This is a good idea.

The built anti-phishing capability warns users when they come across Web forgeries, and offers to return the user to his or her home page. Meanwhile, microsummaries are regularly updated summaries of Web pages, small enough to fit in the space available to a bookmark label, but large enough to provide more useful information about pages than static page titles, and are regularly updated as new information becomes available.

Posted on July 21, 2006 at 12:55 PM • 20 Comments

Comments

NicJuly 21, 2006 1:21 PM

Sounds like a lot of features are inspired by Opera, maybe they could add a few more things - like saving the open tabs for a future session.
The anti-phishing is a nice idea, it will be a nice improvement over having multiple toolbar plugins, or the nothing that most people have, because toolbars are too much trouble to download.

AndrewJuly 21, 2006 2:27 PM

I'm curious what "warns users when they come across Web forgeries" really means..... what is the technology they are doing here?

Finding "lookalike characters" in a URL? Links that don't match their alternate text? Matching a blacklist?

JonahJuly 21, 2006 2:56 PM

How does the Phishing Protection feature work in Firefox 2 Beta 1?

Phishing Protection is turned on by default in Firefox 2 Beta 1, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 Beta 1 when the anti-phishing feature is enabled. Since phishing attacks can occur very quickly, there's also an option check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Anti-Phishing preferences pane. (Note: final set of anti-phishing service providers TBD.)

Source: http://www.mozilla.org/projects/bonecho/...

A. FisherJuly 21, 2006 3:56 PM

I think I'd be targeting the anti-phishing update sites, or at least the URL retrieval, say with a Trojan-horse add-on.

ctmfJuly 21, 2006 11:27 PM

Instead of a list of known phishing sites, which can never be up-to-date (see virus scanners), why don't they just put a feature where you enter known good domain names? Most people won't have more than a dozen financial-type sites, and they won't change very often.

Say you sign up for your bank's online banking, they give you a flyer with the exact url. You type it in exactly from the flyer, no b.s., no email links. Tell the browser this is a good site. Browser saves it in a list.

Now if the domain part of the url changes for any reason, the browser can warn you about it.

If you get some random email sending you to a phishing site, you can check the site against your list of good sites, doesn't match, don't use it.

Problem is, the user still has to know what the warning means and not just click "do it anyway".
You'd have to compile the list on multiple machines, or find a way to share the information, though.

DworkinJuly 22, 2006 2:42 AM

Firefox can already save open tabs without using an extension. Just "bookmark all tabs" into one convenient bookmark folder. Use the middle mouse button/wheel to open them all up at once again.

Stefan WagnerJuly 22, 2006 8:54 AM

@ctmf:
The browser would still have to identify, whether you're performing some financial transactions, or just create a new comment for 'schneier', using a new search-engine, playing a game, ...

If only https-traffic would be analysed, this could work in combination with users being aware of how https works.

But I'm sceptical on the feature.
If a million of phishing-spam is send out - how long does it take to blacklist the site?
How often will my browser update his list?

If it updates too often, it will be annoying.
If it updates too rarely, it will be useless.

JungsonnJuly 22, 2006 9:03 AM

Andrew said:

I'm curious what "warns users when they come across Web forgeries" really means..... what is the technology they are doing here?

==

I guess they use a blacklist beacuse the thing is being updated as stated above, but i wonder how fast this updating is. Blacklisting is a way, but not the most optimal, it requires human input. a better method involves checking the headers/ip's against reverse dns entries if i may suggest.

CarmeJuly 23, 2006 1:24 AM

Stefan:

"The browser would still have to identify, whether you're performing some financial transactions..."

But the browser shouldn't actively alert you. It should passively let you know you're visiting a known good site. It has to be something visually distinct, like coloring the url line green or painting a border around the window. So you know that when visiting your bank's page, or any service you trust and white-listed before, the url line should be green and if it's not then something is wrong.

Dave RJuly 24, 2006 3:28 AM

I agree with Bruce, this is a good idea. To a large extent it doesn't matter how it works, or whether the blacklist is updated hourly or weekly.
The point is there is no trade-off. By using Firefox I am getting extra security for my online banking transactions.
I don't have to do anything to get that extra security.

PaeniteoJuly 24, 2006 3:38 AM

"Instead of a list of known phishing sites, which can never be up-to-date (see virus scanners), why don't they just put a feature where you enter known good domain names? Most people won't have more than a dozen financial-type sites, and they won't change very often."

"But the browser shouldn't actively alert you. It should passively let you know you're visiting a known good site."

There is an extension for Firefox which does exactly that.
You can define short texts which will be displayed in an inaccessible part of the UI (by webpages) when entering a certain site.
In addition, you can turn on coloring of the URL bar, AFAIR.

I.e. when visiting mybank.com, the statusbar will show "My personal banking site".
When visiting mybank.com.phishing.net, the text will not be there, which you could then notice.

dbhJuly 24, 2006 1:05 PM

@Paenito
Yes, there is an (old) extension that has to be hacked to use with later versions of FF. However, it lacks proactive protection, only alerting observant users to Phishing. I think it is a start, better with a flashing red icon if the site isn't in an approved whitelist per @CTMF. Or maybe URL coloring in red. And maybe green for whitelisted sites. And the blacklist doesn't hurt, there are still lots of folks who will fall for them.

siennalizardJuly 25, 2006 6:08 PM

Thunderbird (the Mozilla mail client) has had this feature anti-phishing since 1.5, I think. It's very good, but I don't think it does much more than what you or I would: hover the link and you can see where it really points. If that differs from the actual text of the link, avoid it like the plague.

What irritates me is that registrars should be able to tell when a domain request is put in for a name obviously intended to deceive, like paypalcgi-bin.com. Such purchases are clearly for one purpose alone: to confuse, and possibly defraud non-technical users.

Or maybe it's just a matter of education.

GreekTeacherJuly 26, 2006 7:38 AM

Unfortunately, here in Greece most (web banking) sites do not work correctly with Firefox and require IE (only). I wonder in the case that sth. goes wrong (not only phising) if one can claim that it was their fault because their site only worked with an insecure browser.
I 'd better start making up a list of security experts ready to testify. Anyone interested???

jayhJuly 26, 2006 2:47 PM

--Thunderbird (the Mozilla mail client) has had this feature anti-phishing since 1.5, I think. It's very good---

Ironically my copy of Thunderbird consistently flags legitimate email from my CC company as phishing (do they know something I don't?), yet som actual phishing gets thru.

PaeniteoJuly 27, 2006 7:07 AM

@jayh: Look at the hyperlinks contained in those messages.
Do they point to raw IP-addresses?
Do the "obscure" the target URL by using a different URL in the link text?*
These are points that lead Thunderbird to mark an email as phishing.

* I mean HTML like this:
www.company.com/login
Some firms do so, apparently for better recognition of the "brand" domain name.

PaeniteoJuly 27, 2006 7:09 AM

Oops, HTML got kicked out, here again with different kind of brackets:

{a href="https://billingserver17.company.com/login/eraclei"}www.company.com/login{/a}

AZORJuly 29, 2006 12:05 PM

Looks nice but, usally people who have FireFox are from IT -> their know how is much better then avarge IE users. I think veru usefull plugin, but IE need same update too.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..