Firefox 3 Antiphishing Sends Your URLs To Google

iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."
  • Well.. (Score:2, Insightful)

    by El Lobo ( 994537 ) on Tuesday September 25, 2007 @02:36PM (#20746667)
    Considering that Google is one of the major sponsors of FF, I'm not amazed. Sending the addresses to Yahoo, or MSN, well THAT would be newz.
  • by tgatliff ( 311583 ) on Tuesday September 25, 2007 @02:37PM (#20746683)
    My thought would be if a master list exists for someone to put up a master site that does not keep up with the information, and put a patch into Firefox to have it pull from this site...

    There is no secret to why Mozilla Firefox wants this feature. I suspect Google has agreed to pay them for the feature to be in Firefox, as I would think this data would be quite lucrative....
  • by cephalien ( 529516 ) <benjaminlungerNO@SPAMgmail.com> on Tuesday September 25, 2007 @02:39PM (#20746707)
    This isn't news. ANY anti-phishing tool that checks to see if a page is a phishing site is going to have to send it SOMEWHERE... or did you think that they were just going to be able to magically download a tiny file on your computer that would just 'know' all the phishing sites?

    They all do this, which is why I don't use them. Some common sense will tell you if a site is phishing. If you try to go to a bank website and get http://bank-0-am3rika.tv/l0g0n [bank-0-am3rika.tv], then you might want to reconsider putting in your username and password.

    Silly sensationalism. Nothing more.
  • by nweaver ( 113078 ) on Tuesday September 25, 2007 @02:40PM (#20746719) Homepage
    A "blacklist" of phishing sites needs to be stored somewhere, and you need to be able to do queries against it.

    It changes too fast, and is too large, for it to be stored locally.

    So SOMEBODY needs to provide a database interface to it, and unless you are willing to tolerate the voodoo cryptography and serious performance penalty to do privacy-preserving searches, how else is this supposed to be done?
  • Why the concern? (Score:4, Insightful)

    by Aranykai ( 1053846 ) <slgonser.gmail@com> on Tuesday September 25, 2007 @02:43PM (#20746757)
    Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?

    What will this mean? Probably that google will continue to improve their search engines, their advertising programs and other services, and they will all stay free.

    Damn, go smoke some more pot, you're not paranoid enough.
  • by Ungrounded Lightning ( 62228 ) on Tuesday September 25, 2007 @02:46PM (#20746809) Journal
    Fair deal? Not to worry -- the feature is disabled by default."

    But does the "enable" interface inform the user that Google gets their browsing history as a side-effect of providing the blacklist?
  • Re:Not new. (Score:4, Insightful)

    by griffjon ( 14945 ) <GriffJon&gmail,com> on Tuesday September 25, 2007 @02:47PM (#20746827) Homepage Journal
    Is this any worse than IE7, which sends the same to M$? At least Google servers are likely to respond in a more chipper fashion than M$'s, which at times have been noticeably slow, such that I turned AntiPhishing off for some newbies I'd activated it for
  • by Anonymous Coward on Tuesday September 25, 2007 @02:50PM (#20746869)
    Let's look at another blacklist example of sites - peerguardian.
    That has a substantial list, that changes rapidly and yet, it can be stored locally and queried easily enough.
    Text compresses ridiculously well - and that's all this blacklist is.
  • Hash (Score:2, Insightful)

    by Arthur B. ( 806360 ) on Tuesday September 25, 2007 @02:52PM (#20746887)
    Why not send a hash with a salt? It makes it fast to check if the url is in the malware blacklist but if Google wants to know the list of websites you visited, they have considerably more work to do. You could also send fake hashes along each request.
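One way the idea in the comment above could look, as an added example (not part of the thread, and not Firefox's or Google's code): the client sends only a truncated SHA-256 prefix mixed with random decoy prefixes and does the full-hash comparison locally. The prefix length, the canonicalisation, the class and function names and the sample list are assumptions; the digest is unsalted here so that client and server compute the same value.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each digest the list operator gets to see (assumed)

def url_hash(url: str) -> bytes:
    """SHA-256 of a minimally canonicalised URL: lower-case scheme/host, no fragment."""
    p = urlsplit(url.strip())
    canon = f"{p.scheme.lower()}://{p.hostname or ''}{p.path or '/'}"
    if p.query:
        canon += "?" + p.query
    return hashlib.sha256(canon.encode("utf-8")).digest()

class ListServer:
    """Stand-in for the list operator. It receives prefixes, never URLs."""
    def __init__(self, bad_urls):
        self.by_prefix = {}
        for u in bad_urls:
            h = url_hash(u)
            self.by_prefix.setdefault(h[:PREFIX_LEN], set()).add(h)
        self.seen = []  # everything the operator could log

    def lookup(self, prefixes):
        self.seen.append(list(prefixes))
        return {p: self.by_prefix.get(p, set()) for p in prefixes}

def is_listed(url: str, server: ListServer, decoys: int = 3) -> bool:
    """Ask about the real prefix hidden among random decoys; compare full hash locally."""
    h = url_hash(url)
    query = [h[:PREFIX_LEN]] + [secrets.token_bytes(PREFIX_LEN) for _ in range(decoys)]
    secrets.SystemRandom().shuffle(query)
    candidates = server.lookup(query)
    return h in candidates[h[:PREFIX_LEN]]

# Constructed sample list; the hostnames are placeholders, not real indicators.
SAMPLE_BAD = ["http://phish.example/login", "http://malware.example/dl?id=7"]

if __name__ == "__main__":
    srv = ListServer(SAMPLE_BAD)
    for u in ["http://phish.example/login", "http://bank.example/"]:
        print(u, "listed" if is_listed(u, srv) else "clean")
    print("operator saw:", [[p.hex() for p in q] for q in srv.seen])
```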
  • Get a clue (Score:2, Insightful)

    by Anonymous Coward on Tuesday September 25, 2007 @02:54PM (#20746931)
    Edit > Preferences > Security > Tell me if the site I'm visiting... >

    [X] Check using a downloaded list of suspected sites
    [ ] Check by asking [Google, .. oh no other one in this dropdown] about each site I visit.

    Also saves your bandwidth.
  • by lowy ( 91366 ) on Tuesday September 25, 2007 @02:57PM (#20746961) Homepage
    It seems to me that the users who most need anti-phishing protection are the ones least likely to change their defaults.
  • by Kadin2048 ( 468275 ) * <.ten.yxox. .ta. .nidak.todhsals.> on Tuesday September 25, 2007 @03:04PM (#20747047) Homepage Journal
    I bet we wouldn't have half the problems we do now if people just stopped automatically trusting everything they see.
  • by Seumas ( 6865 ) on Tuesday September 25, 2007 @03:11PM (#20747137)
    Or a solution could just require downloading a database on a regular basis and then comparing the URL to that database locally on your own machine.

    Aside from the privacy issue, I simply wouldn't want to double the web traffic on my system.
  • by mikael ( 484 ) on Tuesday September 25, 2007 @03:12PM (#20747147)
    With the site URL, Google will know the server and exact page.

    With only the IP address, they would only know the server.

    And given that most of these phishing sites seemed to be a PC on a broadband connection (botnet?), they only really need to know the IP address.
  • Re:Oh my GOD! (Score:3, Insightful)

    by Bill, Shooter of Bul ( 629286 ) on Tuesday September 25, 2007 @03:12PM (#20747149) Journal
    You laugh, but there is a difference between knowing which topics people search for and consequently which one they go to when presented with a list of sites related to that topic, and knowing the sites people go to directly and how often they do it.
  • by trolltalk.com ( 1108067 ) on Tuesday September 25, 2007 @03:14PM (#20747169) Homepage Journal
    It would also help if fonts were designed a bit better. D A R N and D A M are easy to mistake in a LOT of lowercase fonts if you don't space them out: - darn dam darn dam,
  • by nannynannybooboo ( 1150677 ) on Tuesday September 25, 2007 @03:22PM (#20747275)
    This blog post from a few years back explains how/why one might run a system like this: http://blogs.msdn.com/ie/archive/2005/08/31/458663.aspx [msdn.com] (blogs.msdn.com)
  • Re:A better way (Score:2, Insightful)

    by hummassa ( 157160 ) on Tuesday September 25, 2007 @03:29PM (#20747381) Homepage Journal
    And why should Google (or any other $SERVER) give you this expensive-to-gather information (phishing sites blacklist) for Free??
    I think it's quite fair to give some info about my mail, searches, and browsing history to Google in exchange for a great search engine and virtually unlimited e-mail space.
  • The concern. (Score:5, Insightful)

    by Kadin2048 ( 468275 ) * <.ten.yxox. .ta. .nidak.todhsals.> on Tuesday September 25, 2007 @03:35PM (#20747453) Homepage Journal

    Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?
    Because it's another thing the authorities can subpoena -- or just take, without all that messy paperwork -- and comb through to find things to go after you with.

    The way the laws are these days, even if you're Mother Teresa, you're probably doing something illegal, even if you don't think of it as illegal or even realize it. (Ever downloaded VLC or Handbrake? Bought discount smokes? Played a little online poker? Bought something without paying your state's sales tax?) Sure, the FBI normally has bigger fish to fry than you and me, but there's no reason that'll always be the case. The tools that are used for terrorism now will be used for narcotics tomorrow, and copyright enforcement the day after that, and eventually it'll trickle down until it's being used against something you're doing. And information compiled in databases has a tendency to stick around (at least, when it's not being misplaced or stolen). Your browsing habits today could come back to seriously haunt you in a decade or two.

    And it's not just the government that you have to worry about, or Google's official policy as a corporation. You also have to consider how much the people who actually deal with this data are paid. How much would it cost to get one of them to give someone malicious access to the database? A whole lot less than the database would be worth, I suspect. Even if you're not doing anything illegal (which, again, I doubt; most people break a half-dozen laws before they get to work in the morning), you're a rare person if there's not something going on in your life that you'd prefer to keep private. Medical conditions, sexual preferences ... it all sounds like good opportunities for extortion to me.

    There aren't really any analogues in the pre-computer world to the size and scope of databases like Google's, in terms of both the breadth and depth of information it could contain on individuals. This is not something that we have much societal experience with, and the limited track record we do have is decidedly mixed. It's not especially paranoid to want to take a "wait and see" approach.
  • Re:Oh joy. (Score:4, Insightful)

    by moore.dustin ( 942289 ) on Tuesday September 25, 2007 @03:35PM (#20747455) Homepage
    The people who have no idea about extensions and plugins(the average user), are the people who want the anti-phishing features. Being the more advanced user, it is far easier for you to turn it off than it is for the average user to seek, install, and maintain(update) a plugin.

    I would agree that it is annoying for me as well though - I do not need the help of the browser to ward off phishing, especially at the cost of a performance hit. That said, Firefox is not a pet project of the geek world anymore. FF is aggressively seeking the mind and market share of the everyday user, so they must produce a product those users want. Outside of security, what is the real benefit of abandoning IE6 and more importantly IE7? Pages rendering correctly/standard compliance is not an issue with the average user, not in the least. So that only really leaves security, interface/usability, and I suppose can throw in the great extension selection as a motivator to switch as well. This is a move in the direction of better security to offer its users who value it.
  • Wow, just wow... (Score:4, Insightful)

    by GarfBond ( 565331 ) on Tuesday September 25, 2007 @04:11PM (#20747893)
    This is a *really* bad submission. It's wrong on so many fronts.
    1. As others have pointed out, there's nothing innately wrong with using Google for antiphishing. They have a large userbase, and can easily detect a mass of users flocking to a really sketchy site. Would it be a huge deal if they plugged into PhishTank [phishtank.com]?
    2. The submission does reflect this, but the feature isn't on by default. Instead, Firefox appears to use a static master black list that it redownloads periodically.
    3. I can't trigger it now, but I'm pretty sure that you're asked to confirm when you select Google that you're aware of the URL sending and other various privacy implications. The user will not be uninformed when they make this choice.
    4. The feature is already present in Firefox 2. It is not new to Firefox 3. It's been well publicized before, and there haven't been any major problems since.
    This is a pretty stupid low to go for some anti-Google hits.
  • by ThirdPrize ( 938147 ) on Tuesday September 25, 2007 @04:25PM (#20748099) Homepage
    My surname is PRYSZLAK. Unfortunately most people print it out mixed case so they have no idea if it's LAK or IAK at the end. Why institutions use fonts where you cannot tell the letters apart is beyond me.

    Mod me +1 Bitter.
  • by QuickFox ( 311231 ) on Tuesday September 25, 2007 @04:38PM (#20748261)
    I bet we wouldn't have half the problems we do now if we were just.
  • by Torodung ( 31985 ) on Tuesday September 25, 2007 @04:47PM (#20748423) Journal
    I am legitimately not trying to troll here.

    Could Slashdot editors please have a group discussion about accuracy and integrity in journalism? First it was the WordPress piece, that was rightly amended, and now there's this. Both deal with a fear that "someone" is spying on us. Anyone who deals with computer security deals with that fear on a regular basis, but those fears should not be expressed in the journalism: Facts should.

    As many have mentioned, this feature can be found in the Firefox 2.0.0.7 security tab under "Tell me if the site I'm visiting is a suspected forgery." The summary is flat-out misleading, and contains links to a general page about all Firefox 3 features (which does not mention Google in the slightest), and the entire discussion about Firefox 2 memory leaks, not the relevant posts the author seems to reference.

    There literally is no "FA" to "R" in the first place, and the summary is inaccurate, not only in its facts, but because it is summarizing nothing.

    This editorial behavior gives Slashdot a bad name, and moves it a step towards the irrelevancy of The National Enquirer. I've been bringing buckets of salt to take with this site in the past weeks, and would like to see these trends reversed.

    Please discuss it.

    (I've shut off the Karma bonus on this post, it should fly on its own merits. I'm not posting "AC," because if I'm out of line here, I'm willing to pay the price for it.)

    --
    Toro
  • by heinousjay ( 683506 ) on Tuesday September 25, 2007 @04:53PM (#20748499) Journal
    Since people regularly denounce the mundane as evil and in general take very subjective positions on all morality, perhaps it's time to retire the rhetoric and stop using emotionally loaded terms for all conversations involving Google.

    I'm not holding my breath, particularly not with the people around Slashdot.
  • by fbjon ( 692006 ) on Tuesday September 25, 2007 @05:08PM (#20748689) Homepage Journal
    That is precisely why I avoid Arial and its ilk whenever possible.
  • Well... (Score:4, Insightful)

    by Jugalator ( 259273 ) on Tuesday September 25, 2007 @07:27PM (#20750111) Journal
    It's kinda hard to verify URLs if you don't compare them to a massive database.

    Is anyone surprised? How is it evil? The evil would only come from the data being misused. Obviously they NEED the data, or rather, the dudes running the database need it. That's not the evil part.
