Firefox 3 Antiphishing Sends Your URLs To Google

iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."

And Google does it again!

[lecithin]

Does anybody remember Google Web Accelerator? This also came out with the 'selling point' that it would help the customer:

http://slashdot.org/article.pl?sid=05/05/04/2223238&tid=217 [slashdot.org]

Google has your mail. They have your searches. Now they are going for your browsing history.

Add it all together and you have a lot of business intelligence. Time to target consumers and influence opinions?

Smart yes, but still quite scary.

What information are they going to collect next? What are they doing with all the information that they are already collecting?

Re:And Google does it again!

[cephalien]

This isn't news. ANY anti-phishing tool that checks to see if a page is a phishing site is going to have to send it SOMEWHERE... or did you think that they were just going to be able to magically download a tiny file on your computer that would just 'know' all the phishing sites?

They all do this, which is why I don't use them. Some common sense will tell you if a site is phishing. If you try to go to a bank website and get http://bank-0-am3rika.tv/l0g0n [bank-0-am3rika.tv], then you might want to reconsider putting in your username and password.

Silly sensationalism. nothing more.

Re:And Google does it again!

[TorKlingberg]

How about http://www.bankofarnerica.com/ [bankofarnerica.com]?

Re:

[FishWithAHammer]

Hah. Typosquatting a great phisher's domain.

Fixed that for you.

[Kadin2048]

I bet we wouldn't have half the problems we do now if people just stopped automatically trusting everything they see.

Re:Fixed that for you.

[XenoPhage]

I bet we wouldn't have half the problems we do now if we just stopped having people.

Re:Fixed that for you.

[Knuckles]

I bet we wouldn't have half the problems we do now if we just stopped

Re:Fixed that for you.

[QuickFox]

I bet we wouldn't have half the problems we do now if we were just.

Re:Fixed that for you.

[19thNervousBreakdown]

I bet.

Re:And Google does it again!

[trolltalk.com]

It would also help if fonts were designed a bit better. D A R N and D A M are easy to mistake in a LOT of lowercase fonts if you don't space them out: - darn dam darn dam,

Re:

[Sparr0]

Didn't you hear? "m" is the new ligature for "rn"

PS: Yes, I am making fun of the entire concept of ligatures. They are silly. I do not want "fi" replaced with a single glyph where the dot of the i is part of the - of the f. DO NOT WANT.

Re:And Google does it again!

[Zaatxe]

Here in Brazil, Petrobras gasoline stations have the brand BR over a green and yellow pair of stripes. And then somebody had the idea of branding their gasoline stations 13R, using a font almost impossible to tell the differrence between BR and 13R. And of course this 13R stations sell very low quality fuel...

But you don't need to believe me, you can believe your own eyes. This [uol.com.br] is the 13R station and This [unetral.com.br] is a real BR station.

Re:

[CandyMan]

> Thus the reason why many 2nd and 3rd world countries are 2nd and 3rd world countries.

You keep using that term. I do not think it means what you think it means.

Second world [wikipedia.org]:
The term "Second World" is a phrase that was used to describe the Communist states within the Soviet Union's sphere of influence.
(...)
Additionally, the term is often used incorrectly, to describe a moderately developed country. This is most likely based on the misconception that the First World refers to the developed world, the Thi

Re:And Google does it again!

[fbjon]

That is precisely why I avoid Arial and its ilk whenever possible.

Re:

[hendridm]

Correction:

That is precisely why I avoid Arial and its ilk whenever possible.

:)

Re:

[Seumas]

Or a solution could just require downloading a database on a regular basis and then comparing the uRL to that database locally on your own machine.

Aside from the privacy issue, I simply wouldn't want to double the web traffic on my system.

Re:And Google does it again!

[LMacG]

Ah, you mean the way it already works [mozilla.com], then? Good idea!

Re:

[Sylver Dragon]

ANY anti-phishing tool that checks to see if a page is a phishing site is going to have to send it SOMEWHERE... or did you think that they were just going to be able to magically download a tiny file on your computer that would just 'know' all the phishing sites?

Um, downloading a definition file isn't exactly magic. Anti-virus companies have been doing it for years. So yes, actually, I would have expect that every few days my browser runs off and gets the latest phishing definition file (maybe every ti

Re:

[FuzzyDaddy]

So yes, actually, I would have expect that every few days

Given that the phishing site goes up when the spam goes out, you'd want information much fresher than that. I imagine a phishing site's only good for a few hours after you send out the "bait". I occasionally check out phishing sites I get in my spam, and it seems that a lifetime of a few hours is typical. I think the banks/etc. are getting faster at getting them taken down.

Re:

[Sylver Dragon]

Even a centralized database is going to suffer from the time problem. Either way, the site has to be discovered, and an entry created. If the lifetime of a phishing site is measured only in hours, it is not likely that it will get into the database before it goes offline.

Re:

[FuzzyDaddy]

If a comment on slashdot can post in a few seconds, surely an online database can update phishing websites that quickly. Site discovery is easy, from one of the hundred million spam emails with links to the site.

Re:

[grasshoppa]

And what would this accomplish? Google would still know which site you are visiting, as they would have had to hash it out originally. Which was the start of the whole argument, lest you forget.

Personally, I'm OK with the trade off, although the likelihood of me being taken by a phishing site is small.

Re:And Google does it again!

[mikael]

With the site URL, Google will know the server and exact page.

With only the IP address, they would only know the server.

And given that most of these phishing sites seemed to be an PC on a broadband connection (botnet?), they only really need to know the IP address.

Re:

[Knuckles]

Maybe I'm stupid, but why do you need a hash for the sole purpose of simply sending just the server name or IP?

Re:

[mhall119]

Because then Google (or whoever) would have to already have checked the exact URL. If Google hasn't checked the URL, the hash won't be able to tell them what they should be checking. Furthermore, if Google _has_ already checked the URL and has it's associated hash, Google can easily match the hash you are sending to the URL that they already checked, so they still have the exact same information.

Also, if someone is generating random characters at the end of each URL they send out as a spam email, then has

Re:

[mrsteveman1]

Firefox2 already does that, you can set it to download a list periodically.

Now please forward that information to....everyone else in this thread.

Thx

Re:

[hummassa]

And why should Google (or any other $SERVER) give you this expensive-to-gather information (phishing sites blacklist) for Free??
I think it's quite fair give some info about my mail, searches, and browsing history to Google in exchange for a great search engine and virtually unlimited e-mail space.

Re:

[BalanceOfJudgement]

And why should Google or any other $SERVER give you this expensive-to-gather information phishing sites blacklist for Free??

For the same reason many anti-virus vendors have free versions of their products that they keep up to date for free: it reduces the overall infection rate and makes the internet a generally safer place.

I'm willing to exchange some small information for this service if it were so asked, but I'm not going to exchange my mail or searches for it. I might exchange my browsing histor

Re:And Google does it again!

[cromar]

Also, they can already collect some of (if not a lot of) your browsing history by checking the IP making requests to Google Adwords, if I'm not mistaken.

Re:

[Score Whore]

And isn't it wonderful how "the people's browser" is now bending them over the sofa and sticking it to them from behind without even a "How do you do?"

It's kind of funny. Ten years ago Netscape 4 started to incorporate features for the benefit of AOL and in the process ignored a mindset that focused on the user. As a result it turned into the worlds buggiest browser. Now here we have the descendant of Netscape incorporating features for the benefit of Google and curiously enough turning into the world's bug

Re:And Google does it again!

[SIGALRM]

I know you're trolling, but GP ask an interesting (if somewhat reactionary) question:

What are they doing with all the information that they are already collecting?

Are there answers to his question in the EULAs? Should we pay careful attention to Terms of Service and Privacy Policies before agreeing to the terms? I think so. Even the "do no evil" guys can do evil and call it good.

Re:

[heinousjay]

Since people regularly denounce the mundane as evil and in general take very subjective positions on all morality, perhaps it's time to retire the rhetoric and stop using emotionally loaded terms for all conversations involving Google.

I'm not holding my breath, particularly not with the people around Slashdot.

Re:

[LO0G]

???? IE7's antiphishing is enabled by default?

On every machine I've installed IE7 on, the first time you hit a page in the internet, it pops up and asks you if you want to turn antiphishing on.

Microsoft also claims [microsoft.com] that it's off by default:
"Automatic checking of all websites by Phishing Filter is off by default. Phishing Filter can be turned on and off from the Internet Explorer Tools menu. For example, to turn off automatic checking of all websites:"

Well..

[El Lobo]

Considering that Google is one of the major sponsors of FF, I'm not amazed. Sending the addresses to Yahoo, or MSN, well THAT would be newz.

Re:

[Midnight Thunder]

Considering that Google is one of the major sponsors of FF, I'm not amazed. Sending the addresses to Yahoo, or MSN, well THAT would be newz.

Like every other feature I think you should be given the option of choosing where you get taken to, if anywhere. For example if I have my own anti-phishing web site then I should be able to choose that.

I support Google for many things, but I am getting more insecure about their privacy issues.

Re:

[davetd02]

Potentially large?

How about potentially many megabytes, updated daily (if not more frequently) as zombies go up and down. Storing it on the client side would be a huge resource drain with infrequent hits. Spammers know well enough to keep changing URLs as soon as they start getting picked up by filters; the list would have to update as fast as the zombienet can find a new host.

It's possible, but it'd be a massive heavyweight way of doing things that'd require an always-on high-speed connection to work. I

Does a master list exist?

[tgatliff]

My thought would be if a master list exists for someone to put up a master site that does not keep up with the information, and put a patch into Firefox to have it pull from this site...

There is no secret to why Mozilla Firefox wants this feature. I suspect Google has agreed to pay then for the feature to be in Firefox, as I would think this data would be quite lucrative....

Re:Does a master list exist?

[42forty-two42]

By default firefox does not send URLs to google. It downloads a static list from google periodically, and checks against that.

Re:

[tgatliff]

Yes, but my thought would be to modify the feature so that you can pick the "carrier" for the feature... Meaning, have several instead of just using Google only...

Re:Does a master list exist?

[elyk]

In firefox 2.0, if you look in preferences > security, there are two options for antiphishing. One is the "use a downloaded list" option, and the other is the "check by asking google for each site I visit". But the word google is a dropdown box - it appears that there will eventually be more choices, but they haven't made deals with (or been offered money from, depending on how cynical you are) other providers yet.

Not new.

[garbletext]

This is a non-story. The ability to ask google about phishing has existed since 2.0, and was disabled then as well. Not that telling google every site you visit is a good thing.

Re:Not new.

[griffjon]

Is this any worse than IE7, which sends the same to M$? At least Google servers are likely to respond in a more chipper fashion than M$'s, which at times have been noticeably slow, such that I turned AntiPhishing off for some newbies I'd activated it for

No kidding

[Kelson]

The article is about as informative as one of those "Your computer is broadcasting an IP Address!" banners.

For the record:

• As you point out, Firefox 2 already does this, and it's disabled by default.
• IE7 does the same thing with servers at Microsoft. Disabled by default, but strongly encourages you to turn it on.
• Opera 9 does the same thing with servers at Opera. Enabled by default, IIRC, but can be turned off.
• Isn't Safari 3 supposed to get similar anti-phishing capabilities?

Re:Not new.

[Anonymous Coward]

Firefox 2 indeed has such a setting.
[ ] Tell me if the site I'm visiting is a suspected forgery
      (*) Check using a downloaded list of suspected sites
      ( ) Check by asking [Google] about each site I visit

And heck, when I try to enable Check by asking Google... a window asking me to accept or reject the terms of service comes up! It says exactly this:
"If you choose to check with Google about each site you visit, Google will receive the URLs of pages you visit for evaluation. When you click to accept, reject, or close the warning message that Phishing Protection gives you about a suspicious page, Google will log your action and the URL of the page. Google will receive standard log information, including a cookie, as part of this process. Google will not associate the information that Phishing Protection logs with other personal information about you. However, it is possible that a URL sent to Google may itself contain personal information. Please see the Google Privacy Policy for more information."
With two choices, accept or reject the terms of service, or I can cancel and it leaves it on my previous setting.

I wonder if Firefox 3 does the same, eh?

Uhh, how ELSE are you going to do this?

[nweaver]

A "blacklist" of phishing sites needs to be stored somewhere, and you need to be able to do queries against it.

It changes too fast, and is too large, for it to be stored locally.

So SOMEBODY needs to provide a database interface to it, and unless you are willing to tolerate the voodoo cryptography and serious performance penalty to do privacy-preserving searches, how else is this supposed to be done?

Re:Uhh, how ELSE are you going to do this?

[Schraegstrichpunkt]

You could do it by providing a bloom filter the browser, and then when there is a match, the browser could download a certain subset of the blacklist to verify that the match is not a false positive.

Re:

[nweaver]

Good idea. You'd have to stick to just the top level name and/or IP, but that would work.

I like it.

Re:

[tknd]

You can also say that the internet "changes too fast" and is "too large, for it to be stored locally" yet we don't have a single service provider solution for the internet as a whole. Rather it is a network or a collection of systems.

One alternative is to try the peer approach. It works exactly as it does in real life. You often find people asking friends about recommendations and experiences with various things like restaurants. The same concept can be applied to websites but done internally by the sof

Re:

[RonnyJ]

Well, you could hash the URL into a non-unique identifier, and send that identifier to Google.

Google could then look that up in their database, then return known phishing URLs hashed with another method. The browser could then check to see if the URL also matches with the second hash returned.

Re:

[nweaver]

Thats what the Bloom filter suggestion was, but the bloom filter is better because its a small amount of data you store locally, and then only do you send a query to google.

Re:

[nweaver]

A hash is insufficient, as Google has constructed the hash and could just as easily keep a map of H(URL)->URL as part of the database.

Re:

[nweaver]

Because privacy preserving database queries are different, and allow you to query the database WITHOUT the database owner able to extract information, and it is true "Deep crypto voodoo"

Why the concern?

[Aranykai]

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?

What will this mean? Probably that google will continue to improve their search engines, their advertising programs and other services, and they will all stay free.

Damn, go smoke some more pot, your not paranoid enough.

Re:

[marcello_dl]

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?

Why is everyone so concerned about criminal activities online? they already deal with drugs, arms, extortion, waste recycling...

Re:

[Carewolf]

Why is everyone so concerned about a company having their URL history?

Because they do evil.

Re:

[bulldog060]

i think the biggest concern is coming up from 2 groups, 1st group is obviously the people that think it is all a big plot to control them, and the 2nd would be people that put alot of effort into hiding there pr0n/online dating habits from their spouses or authorities starting to get nervous about another way for them to get caught

Re:

[iknownuttin]

i think the biggest concern is coming up from 2 groups, 1st group is obviously the people that think it is all a big plot to control them, and the 2nd would be people that put alot of effort into hiding there pr0n/online dating habits from their spouses or authorities starting to get nervous about another way for them to get caught

Or how about the US Government deciding to execute a gigantic dragnet and grab everyone who has read Al-Jazeera and posted something somewhere that says that "we deserved to get

Re:

[Mortanius]

Or how about the US Government deciding to execute a gigantic dragnet and grab everyone who has read Al-Jazeera and posted something somewhere that says that "we deserved to get bombed" - which I've seen on this site here many times.

See #1. Or refer to "paranoid nutcases."

Re:

[king-manic]

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(Google), your email(gmail) and your documents(google docs), what does it matter?

coming soon to a web browser near you it's GSoul. Why sing away your should to just anybody. Choose the best. Choose Google*!

*offer void where prohibited. Google promises not to do anything it considers evil with your soul. Google reserves the right to eat your soul. In the states of Utah and Nevada Google may also take

Re:

[chill]

It gives Google the ability to determine exactly which "escorts" listed on Craigslist I perused before settling on the cute little Latina who promised multiple language lessons. :-)

Give me your URL history, combine it with your online purchase and reading history and a decent psychologist (or psych AI) can probably tell you what color shirt you are wearing today.

The government understands this theory. It is why you can certain FOI requests get denied and others allowed. Not that the information you are re

The concern.

[Kadin2048]

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?

Because it's another thing the authorities can subpoena -- or just take, without all that messy paperwork -- and comb through to find things to go after you with.

The way the laws are these days, even if you're Mother Teresa, you're probably doing something illegal, even if you don't think of it as illegal or even realize it. (Ever downloaded VLC or Handbrake? Bought discount smokes? Played a little online poker? Bought something without paying your state's sales tax?) Sure, the FBI normally has bigger fish to fry than you and me, but there's no reason that'll always be the case. The tools that are used for terrorism now will be used for narcotics tomorrow, and copyright enforcement the day after that, and eventually it'll trickle down until it's being used against something you're doing. And information compiled in databases has a tendency to stick around (at least, when it's not being misplaced or stolen). Your browsing habits today could come back to seriously haunt you in a decade or two.

And it's not just the government that you have to worry about, or Google's official policy as a corporation. You also have to consider how much the people who actually deal with this data are paid. How much would it cost to get one of them to give someone malicious access to the database? A whole lot less than the database would be worth, I suspect. Even if you're not doing anything illegal (which, again, I doubt; most people break a half-dozen laws before they get to work in the morning), you're a rare person if there's not something going on in your life that you'd prefer to keep private. Medical conditions, sexual preferences ... it all sounds like good opportunities for extortion to me.

There aren't really any analogues in the pre-computer world to the size and scope of databases like Google's, in terms of both the breadth and depth of information it could contain on individuals. This is not something that we have much societal experience with, and the limited track record we do have is decidedly mixed. It's not especially paranoid to want to take a "wait and see" approach.

Re:

[Sylver Dragon]

Well, this will probably just get me labeled as a "tin-foil hatter" but here goes.
The main point of maintaining my privacy, in regard to what I read, is simply the fact that I have no way to know what may later be deemed "undesirable". Do I think that "they" are out to get me? No. But I have read enough history to realize that, if we are ever unlucky enough to have a government, or persons within our government who were interested in suppressing a particular group or point of view, that they will quickl

Re:

[Ogive17]

Replace 'Google' with 'government' and you'd be crying 'foul.'

Already there

[Todd Knarr]

It's already in the version of Firefox I'm using, 2.0.0.6 downloaded directly from Mozilla's web site. In fact you've got the choice to enable it or leave it disabled, and if you enable it you've got the choice between downloading a list and doing the check internally or checking each URL interactively with a service (currently Google's the only one in the list, but more could easily be added).

Re:

[ivan256]

If you're going to do it interactively, why not use a hash of the URL (or the domain name/port) instead of sending the URL itself? Then even with live checking, google would only know which sites you went to if they were a match in their list of bad guys.

Re:Already there

[Todd Knarr]

Because http://thief.com/login.html [thief.com] and http://thief.com/Login.html [thief.com] both hash to radically different values, but both have in the plaintext a characteristic fingerprint of a phishing attempt. A service that gets the plaintext can trivially identify both, but a service that only gets a hash would be fooled by the second if it only had seen the first before.

Re:

[Todd Knarr]

Bah. SlashDot mangled the URLs, there's supposed to be a "www.bankofamerica.com@" in front of the "thief.com".

Re:

[Todd Knarr]

No, just that he can change his URLs at will. Note that URLs do not name files in a filesystem, that's merely one common way of implementing things. I've got a Web server that's at the opposite extreme: all URLs are equivalent to "/" and get handled identically (a 404 error gets returned) and there's no filesystem backing at all.

Oh my GOD!

[gowen]

Google are going to find out what websites are popular. That's information that they simply couldn't otherwise find out unless they ... oooh ... operated the world's most popular search engine.

Everybody panic!

Re:

[Bill, Shooter of Bul]

You laugh, but there is a difference between knowing which topics people search for and consequently which one they go to when presented with a list of sites related to that topic, and knowing the sites people go to directly and how often they do it.

the unarticle...

[revery]

Breaking news: Cheese gives you cancer!!

Oh wait, no it doesn't... You might still get cancer though...

Really a fair deal?

[Ungrounded Lightning]

Fair deal? Not to worry -- the feature is disabled by default."

But does the "enable" interface inform the user that Google gets their browsing history as a side-effect of providing the blacklist?

Re:Really a fair deal?

[ronanbear]

Actually, it does explain it pretty well on FF2. If they changed that it would be news.

Re:Really a fair deal?

[xlv]

Actually, it does explain it pretty well on FF2. If they changed that it would be news.

FYI, here's the text in the popup for Firefox 2.0.0.7:

If you choose to check with Google about each site you visit, Google will receive the URLs [google.com] of pages you visit for evaluation. When you click to accept, reject, or close the warning message that Phishing Protection gives you about a suspicious page, Google will log your action and the URL of the page. Google will receive standard log information [google.com], including a cookie, as part of this process. Google will not associate the information that Phishing Protection logs with other personal information about you. However, it is possible that a URL sent to Google may itself contain personal information. Please see the Google Privacy Policy [google.com] for more information.

Hash

[Arthur B.]

Why not send a hash with a salt ? It makes it fast to check if the url is in the malware blacklist but if Google wants to know the list of websites you visited, they have considerably more work to do. You could also send fake hashes along each request.

Salt won't help you.

[SanityInAnarchy]

Salt helps for things like passwords, where two users with the same password will have it appear differently in the password file.

It makes no sense here. It would prevent a third-party from intercepting your browsing history -- but then, they can do that anyway, by simply being your ISP.

But if Google has the list of malware sites, obviously they know that foo.com resolves to a particular hash (with a particular salt). The only way this could possibly work is if Google stored a separate list for each user, each with its own salt, which would still require you trusting Google to be doing this and not to be keeping a mapping of hash+salt -> website.

There is no way hashes can solve this problem. The only solution is to either be smart, so you don't need a blacklist, or to download the entire blacklist periodically, which is an option, but not everyone likes it.

Oh joy.

[SatanicPuppy]

Why does this need to be included by default? Am I the only one who finds the anti-phishing stuff to be annoying? Fine, some people want it, make a plugin or an extension, but stop adding tangential stuff to the codebase! Adding a piece of "functionality" to a web browser that does a name check on every website you load is bound to add a huge chunk of overhead.

Am I the only one who remembers The Kitchen Sink [mozilla.org]? Adding stuff like this into a pure vanilla install is ridiculous. I don't care if they want to make

Re:Oh joy.

[moore.dustin]

The people who have no idea about about extensions and plugins(the average user), are the people who want the anti-fishing features. Being the more advanced user, it is far easier for you to turn it off than it is for the average user to seek, install, and maintain(update) a plugin.

I would agree that it is annoying for me as well though - I do not need the help of the browser to ward off phishing, especially at the cost of a performance hit. That said, Firefox is not a pet project of the geek world anymore. FF is aggressively seeking the mind and market share of the everyday user, so they must produce a product those users want. Outside of security, what is the real benefit of abandoning IE6 and more importantly IE7? Pages rendering correctly/standard compliance is not an issue with the average user, not in the least. So that only really leaves security, interface/usability, and I suppose can throw in the great extension selection as a motivator to switch as well. This is a move in the direction of better security to offer its users who value it.

toolbar

[wwmedia]

wait aint this the same google that pays people per firefox download (thats conveniently bundled with google toolbar which sends every url to google)...

WordPress Now FireFox

[WED Fan]

I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress...wait, firefox...dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, you're argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.

Old troll.

[SanityInAnarchy]

Fact is, I don't have to, because a LOT of people already have -- the people responsible for developing and shipping Firefox, for example.

"May as well be closed"? Maybe, if no one outside the development team looks at it. But the difference is between a diverse development team, everyone paid by a different group, some not paid at all for their Firefox work, and a single, homogeneous team, working for one company, who may not even care what spyware goes in.

By the way, if you'd bothered to check, this featur

Get a clue

[Anonymous Coward]

Edit > Preferences > Security > Tell me if the site I'm visiting... >

[X] Check using a downloaded of suspected sites
[ ] Check by asking [Google, .. oh no other one in this dropdown] about each site I visit.

Also saves your bandwidth.

Clueless users don't change defaults

[lowy]

It seems to me that the users who most need anti-phishing protection are the ones least likely to change their defaults.

This is Idiotware

[Burz]

Because the people who put it in FF are acting like idiots by assuming average users are dumb and won't learn a couple of simple instructions. Hence, the idiots (i.e. many people in IT) don't even bother to suggest proper URL usage and instead concoct convoluted and invasive crap based on what a central authority considers socially acceptable for web browsing (and don't tell me the blacklist won't be expanded beyond suspected phishers-- you know it will).

The best thing they could do, IMO, is to render every

Re:

[SanityInAnarchy]

First, realize the feature is disabled by default, and can be enabled without sending your browsing history to Google. Also, it's fairly likely it will let you visit those sites, it'll just prompt you first.

Because the people who put it in FF are acting like idiots by assuming average users are dumb and won't learn a couple of simple instructions.

Actually, they are, intelligently, realizing that your average IT department doesn't have the resources to educate users properly, and some of those users are fu

Re:

[Burz]

Having it disabled by default is one saving grace, I will admit.

But we are certain to hear techies ramble on to their acquaintances about clicking that checkbox in preferences, instead of telling them to keep looking at the domain (the latter being the only way to truly safeguard yourself in the longrun anyway).

Any IT dept who pushes this is stupid, because they are leaking internal employee activities to an external site.

and some of those users are fundamentally un-educatable.

Then you are part of the problem, and given your level of knowledge implied by your p

Did I miss the memo?

[LMacG]

Is this tin foil hat day or what? This isn't a new feature in FF3, it's already in FF2.

Wait, maybe it's sending server dumps and some developer said "if you don't like it, fork it." That must be it.

Do we get a "this is a non-story" correction to this post too?

Re:Did I miss the memo?

[Tim C]

The difference appears to be that while FF2 periodically downloads a list from google, FF3 uploads every URL you visit.

The feature itself may not be new, but the implementation certainly seems to be.

Re:

[Cro Magnon]

Hey, this is Slashdot. You expected NEW info?

How about...

[grishnav]

...accessing the list through TOR?

and explorer beams your urlz to microsoft

[nannynannybooboo]

This blog post from a few years back explains how/why one might run a system like this: http://blogs.msdn.com/ie/archive/2005/08/31/458663.aspx [msdn.com] (blogs.msdn.com)

Slashot getting more idiots or more trolls?

[pembo13]

This feature is available in FF 2, and is disabled by default, and as has to modes of enablement, only one of which sends data to Google? So now people shouldn't even be allowed to choose to send their data to Google? Does kdawson and iritant not use Firefox and see this feature here for ages now?

This should have been a plug-in

[forgoil]

This is something that is OK if you choose to add it, to put it in the actual firefox deliverable is not OK, even if it is off default.

Plus as people are pointing out, why the #!()%/)#(/%(#/! is it sending info *to* google? You should retrieve an updated list of those sites to *your* computer where it is checked. Imagine what they could do with this technology in let's say... China? Yes, not so much fun anymore is it? How about the feds?

How come the Firefox developers came to agree to this in the first plac

Oh yeah, THEY'RE reliable.

[glindsey]

Just do a Google search for "Ad-Aware" or "Spybot" and check out how many of the sponsored links are actually links to scam or malware programs masquerading as these spyware cleaners.

Until Google stops doing business with outright criminals, I'm not going to trust them to tell me who is a criminal and who is legitimate.

Wow, just wow...

[GarfBond]

This is a *really* bad submission. It's wrong on so many fronts.

1. As others have pointed out, there's nothing innately wrong with using Google for antiphishing. They have a large userbase, and can easily detect a mass of users flocking to a really sketchy site. Would it be a huge deal if they plugged into PhishTank [phishtank.com]?
2. The submission does reflect this, but the feature isn't on by default. Instead, Firefox appears to use a static master black list that it redownloads periodically.
3. I can't trigger it now, but I'm pretty sure that you're asked to confirm when you select Google that you're aware of the URL sending and other various privacy implications. The user will not be uninformed when they make this choice
4. The feature is already present in Firefox 2. It is not new to Firefox 3. It's been well publicized before, and there haven't been any major problems since.

This is a pretty stupid low to go for some anti-Google hits.

We're plumbing the depths of journalism today

[Torodung]

I am legitimately not trying to troll here.

Could Slashdot editors please have a group discussion about accuracy and integrity in journalism? First it was the WordPress piece, that was rightly amended, and now there's this. Both deal with a fear that "someone" is spying on us. Anyone who deals with computer security deals with that fear on a regular basis, but those fears should not be expressed in the journalism: Facts should.

As many have mentioned, this feature can be found in the Firefox 2.0.0.7 security tab under "Tell me if the site I'm visiting is a suspected forgery." The summary is flat-out misleading, and contains links to a general page about all Firefox 3 features (which does not mention Google in the slightest), and the entire discussion about Firefox 2 memory leaks, not the relevant posts the author seems to reference.

There literally is no "FA" to "R" in the first place, and the summary is inaccurate, not only in its facts, but because it is summarizing nothing.

This editorial behavior gives Slashdot a bad name, and moves it a step towards the irrelevancy of The National Inquirer. I've been bringing buckets of salt to take with this site in the past weeks, and would like to see these trends reversed.

Please discuss it.

(I've shut off the Karma bonus on this post, it should fly on its own merits. I'm not posting "AC," because if I'm out of line here, I'm willing to pay the price for it.)

--
Toro

Well...

[Jugalator]

It's kinda hard to verify URL's if you don't compare them to a massive database.

Is anyone surprised? How is it evil? The evil would only come from the data being misused. Obviously they NEED the data, or rather, the dudes running the database need it. That's not the evil part.

Re:

[Dhalka226]

URL verification can be done with hashes and other techniques that do not invade privacy.

Yes, if you assume that the only active protection is a 1:1 URL-to-badness mapping. That may be accurate right now, I'm not sure, but it likely won't last very long.

For example, I probably wouldn't blacklist aol.com for some phishing pages on their domains because it's casting too large a net, but I might well do it for pages on evilhackerzphishingyourssn.com. It's trivial to set up anyrandomcombination.somedomain

Phishing detection by unique URL no longer works.

[Animats]

It's not really enough to just check the URL against some phishing database. The phishing sites now use unique URLs for each phish going out. Some even use unique subdomains. An example is http://onlinesession-949076872.natwest.com.nigy3r.cn.

We've been struggling with this for SiteTruth [sitetruth.com], which, among other things, uses PhishTank's data. Originally, we used PhishTank's online query API, but that required an exact match on the URL, which was useless. Now we download their entire database every few hours and blacklist the entire base domain (what you buy from a domain registrar) if there's a verified, active phishing site anywhere in the domain.

That seems reasonable enough. But there's collateral damage. So, most days, we have AOL, Microsoft Live, and Yahoo blacklisted. That's because those major sites have "open redirectors" - URLs which will redirect to any specified site. For example,

• http://r.aol.com/cgi/redir?http://mgw1.haoyisheng.com/icons/asp.html
  A convenient, easy to use redirection script popular with phishers. Provides a URL that appears to be on AOL, but isn't. Interestingly, AOL treats as spam any email that uses their own redirector URL. [aol.co.uk] So it's only useful for attacking non-AOL users.
• http://login.live.com/logout.srf?ct=1179231565
  &rver=4.0.1532.0&lc=1033&id=64855
  &ru=http:%2F%2Fby117w.bay117.mail.live.com%2Fmail%2Flogout.aspx%3Fredirect%3Dtrue
  %26logouturl%3Dhttp:%2F%2F62.49.9.117:443/HB.onlineserv.cgi/
  The "logout" page for Microsoft Live can be abused, with some effort, to make it appear as if some hostile site is on Microsoft Live. This looks like Microsoft tried "security through obscurity" and failed.
• http://rds.yahoo.com/_ylt=A0Je5VTi9_RDDbAA3TJXNyoA;
  _ylu=X3oDMTE2ZXYybGFuBGNvbG8DdwRsA1dTMQRwb3MDMQRzZWMDc3IEdnRpZANpMDIxXzQ3/SIG=15j5u6auo/
  EXP=1140214114/**http://hticketing.com/www.bankofamerica.com/sslencrypt218bit/online_banking/
  A Yahoo redirector URL intended to create the illusion of a Bank of America site. It may be possible to exploit this as a cross site scripting attack. [xssed.com]

These were all active phishing sites an hour or two ago.

Yes, arguably the intelligent user should be able to visually parse the URLs above and realize that they're not really on the sites indicated. Or notice that a redirection took place. But most users don't notice that. Neither do many anti-phishing tools, especially if the attacker combines both techniques described above.

Phishing has reached the point that if you have an open redirector or proxy on your web site, someone will use it to borrow your reputation for their scam. Open redirectors are now like open mail relays - a nice Internet feature that had to be shut down because of exploits.

So fix those open redirectors, people, or expect to be listed as a phishing-friendly site.

Re:

[User 956]

Doesn't running the leading search engine already give you a pretty good idea about which sites are popular?

I imagine it gives a pretty good idea, but something like this would allow pretty easy creation of an alexa competitor (which is kind of different data). For example, I have slashdot bookmarked. I usually don't ever search for it.