
Firefox 2 To Have Anti-Phishing Technology 229

Mitchell Bronze writes "Mozilla's Mike Shaver said in an interview that the upcoming Firefox 2 will have anti-phishing capability using technology that might come from Google." From the article: "With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year. 'It is another example of the energy that has returned to the browser market,' Shaver said."
This discussion has been archived. No new comments can be posted.

  • by Opportunist ( 166417 ) on Thursday March 09, 2006 @11:30AM (#14882807)
    The biggest problem is still the weakest link in the system: Its user.

    Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored. This starts with Mails that urge him to open something "really urgently", covers various plugins for Browsers that come filled with spyware (which, in turn, is a perfect door for other malware) and goes to bogus files on various P2P networks that claim to be some crack, hack or other "goodie" to lure the P2P user into starting it.

    Now, you can walk the same way that antivirus companies go, you wait for the threat to unfold and grab it at its neck when you find it lurking in the system once your update covers it. That's fine as long as your releases at least match the speed of trojan development, if there is some intersection between the moment you update your anti-trojan signatures and the moment the trojan goes into a new generation.

    And that window is closing. Fast. We're now facing trojans with update cycles that make you wonder when and how they create them. Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.

    Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.

    As soon as a browser like this hits the market, the race is on. It does no longer matter if you're clueless or an IT-pro, your browser will keep you out of way's harm on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).

    I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.

    My hope is that Firefox will have a different approach to the problem. Self-checking processes (to avoid injections), close scrutiny of its BHOs, etc. I hope they will not try to use AV techniques, but instead concentrate on the entry points for such a program, and try to detect it there.
  • Smart move (Score:5, Interesting)

    by fak3r ( 917687 ) on Thursday March 09, 2006 @11:34AM (#14882848) Homepage
    With the scams changing so rapidly moving detection to a web browser just makes sense. When these things aren't tagged by the user's email server (ClamAV is excellent for this) or client, this would be a great 'safety net' from stopping me...err...grandma from entering her login info for PayPal/eBay/etc. Plus with FF online updating I could see them having a plugin/extension that would have .dat files with the latest Phishing definitions they could download and update to daily; ala virus checkers.
  • by digitaldc ( 879047 ) * on Thursday March 09, 2006 @11:37AM (#14882876)
    The various phishing shields use a variety of techniques to protect against the online scams. These include blacklists of known fraudulent Web sites, white lists of good sites and analyses of Web addresses and Web pages. Firefox 2 might be different, since the developers aren't married to those approaches, Shaver said.

    Verisign [verisignsecured.com] already has this kind of technology, the question is, will Firefox 2 make Verisign obsolete?

    Verisign's advice: [verisignsecured.com] The best way to avoid becoming a victim of phishing is to never respond to unsolicited emails asking for personal information or directing you to a Web site where you are asked to enter personal information--even if it looks TOTALLY official.
  • Privacy concerns? (Score:5, Interesting)

    by hcdejong ( 561314 ) <hobbes@nOspam.xmsnet.nl> on Thursday March 09, 2006 @11:40AM (#14882903)
    Will Firefox adopt an approach that doesn't compromise the user's privacy as much as IE 7 (its solution being to send every URL to Redmond)?
  • Re:Good on ya (Score:5, Interesting)

    by BecomingLumberg ( 949374 ) on Thursday March 09, 2006 @11:41AM (#14882922)
    Fox may be a memory hog, but I have not seen it to be out of line in most modern systems. Plus, I get really low usage when I turn off all the extensions I have added to it for customizing.

    And I cannot emphasize enough how great it is for my parents. By switching them to Fox and Bird, I have stopped my monthly trip up to remove all new spyware/viruses... now I just go for dinner. That gets an A+ in my book.

  • Damnit (Score:5, Interesting)

    by Anonymous Coward on Thursday March 09, 2006 @11:48AM (#14882974)
    Time for a fork.

    Seriously, I'll tell you the only anti-phishing technology we need: our damn heads, with a side of common sense.

    I don't want my browser to have stupid coddling features like this that will just get in the way of a decent, savvy surfer. That's the problem with popularity - it leads to diluting the quality. I'd rather have a *good* browser only used by 3% of the people out there. Hell, the mere minority status might even make it *better* - now that Firefox is popular, more and more sites are finding ways of advertising specifically to it.

    If Firefox 2 does have this, then it better be easy to fully disable, otherwise I'm definitely not upgrading.
  • Good (Score:3, Interesting)

    by PenguinBoyDave ( 806137 ) <davidNO@SPAMdavidmeyer.org> on Thursday March 09, 2006 @11:49AM (#14882983)
    I have been forced to test IE 7 for my company, and the fact that Firefox 2 will have this will give us no reason to use IE 7.
  • by LeDopore ( 898286 ) on Thursday March 09, 2006 @11:53AM (#14883016) Homepage Journal
    Won't it be easier to defeat this anti-phishing scheme since Firefox is open source?

    (Seriously. If not, please post why not and educate me.)
  • by bloobloo ( 957543 ) on Thursday March 09, 2006 @11:56AM (#14883043) Homepage
    But then they're also the least likely to have installed Firefox at all, so building it into FF won't help much there either.
  • by INeedAttention.com ( 958052 ) on Thursday March 09, 2006 @12:15PM (#14883216) Homepage Journal
    Interesting. I was about to reply and "correct" you, saying that American Express Blue already offers the protection of using your physical card as a second security factor. In fact, I even have the smart card reader that American Express was giving out for free (I wasn't even a cardholder). However, it seems they only offer this service in the Middle East now. Link anyway, just for fun: American Express smart card reader [americanexpress.com.bh]
  • Re:Damnit (Score:1, Interesting)

    by Anonymous Coward on Thursday March 09, 2006 @12:25PM (#14883316)

    Time for a fork.

    Go right ahead. Let us know how that turns out for you and the 2 other users. The rest of us will continue to use Firefox.

  • by rainman_bc ( 735332 ) on Thursday March 09, 2006 @12:30PM (#14883356)
    It basically checks websites you visit against its database and tells you if they are considered dangerous or what have you.

    So it reports my surfing to Google's database? Thanks but no thanks. I've never fallen prey to phishing attacks, and don't want a feature like that logging all the pr0n sites I visit. Wait, the only pr0n site I need is Google Images now anyway haha!

    Why should we trust google? They are looking out for their shareholder, not the end user.
  • Re:Damnit (Score:2, Interesting)

    by Spliffster ( 755587 ) on Thursday March 09, 2006 @12:57PM (#14883586) Homepage Journal
    Not sure if this is also in SeaMonkey (aka the Mozilla suite), I'd recommend to check this.
  • by Denyer ( 717613 ) on Thursday March 09, 2006 @01:02PM (#14883631)
    Let's have some other basic IE features that are more lightweight (a few lines of code, by comparison) built in, then -- such as Clone Window [pikey.me.uk]. As optional features, of course, but it'd help people switching who aren't techy and don't understand why they've "lost" functionality.
  • Re:Good on ya (Score:3, Interesting)

    by Firehed ( 942385 ) on Thursday March 09, 2006 @01:13PM (#14883735) Homepage
    Indeed... after *just* opening it, it's at 50MB, just a few kb under what explorer (shell, not browser!) is using. I fixed the problem around Christmastime with my move to 2GB of ram. It's not overly problematic, just irritating.
