Slashdot
Firefox 3 Antiphishing Sends Your URLs To Google
Posted by kdawson on Tue Sep 25, 2007 02:34 PM
from the clickstream-of-the-world dept.
iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Not new. (Score:5, Informative)
Uhh, how ELSE are you going to do this? (Score:5, Insightful)
It changes too fast, and is too large, for it to be stored locally.
So SOMEBODY needs to provide a database interface to it, and unless you are willing to tolerate the voodoo cryptography and serious performance penalty to do privacy-preserving searches, how else is this supposed to be done?
Already there (Score:5, Informative)
It's already in the version of Firefox I'm using, 2.0.0.6 downloaded directly from Mozilla's web site. In fact you've got the choice to enable it or leave it disabled, and if you enable it you've got the choice between downloading a list and doing the check internally or checking each URL interactively with a service (currently Google's the only one in the list, but more could easily be added).
Re:Already there (Score:5, Interesting)
Because http://thief.com/login.html [thief.com] and http://thief.com/Login.html [thief.com] both hash to radically different values, but both have in the plaintext a characteristic fingerprint of a phishing attempt. A service that gets the plaintext can trivially identify both, but a service that only gets a hash would be fooled by the second if it only had seen the first before.
Oh my GOD! (Score:5, Funny)
Everybody panic!
the unarticle... (Score:5, Funny)
Oh wait, no it doesn't... You might still get cancer though...
Really a fair deal? (Score:5, Insightful)
But does the "enable" interface inform the user that Google gets their browsing history as a side-effect of providing the blacklist?
Clueless users don't change defaults (Score:5, Insightful)
Did I miss the memo? (Score:5, Informative)
Wait, maybe it's sending server dumps and some developer said "if you don't like it, fork it." That must be it.
Do we get a "this is a non-story" correction to this post too?
Phishing detection by unique URL no longer works. (Score:5, Informative)
It's not really enough to just check the URL against some phishing database. The phishing sites now use unique URLs for each phish going out. Some even use unique subdomains. An example is http://onlinesession-949076872.natwest.com.nigy3r.cn.
We've been struggling with this for SiteTruth [sitetruth.com], which, among other things, uses PhishTank's data. Originally, we used PhishTank's online query API, but that required an exact match on the URL, which was useless. Now we download their entire database every few hours and blacklist the entire base domain (what you buy from a domain registrar) if there's a verified, active phishing site anywhere in the domain.
That seems reasonable enough. But there's collateral damage. So, most days, we have AOL, Microsoft Live, and Yahoo blacklisted. That's because those major sites have "open redirectors" - URLs which will redirect to any specified site. For example,
A convenient, easy to use redirection script popular with phishers. Provides a URL that appears to be on AOL, but isn't. Interestingly, AOL treats as spam any email that uses their own redirector URL. [aol.co.uk] So it's only useful for attacking non-AOL users.
&rver=4.0.1532.0&lc=1033&id=64855
&ru=http:%2F%2Fby117w.bay117.mail.live.com%2Fmail%2Flogout.aspx%3Fredirect%3Dtrue
%26logouturl%3Dhttp:%2F%2F62.49.9.117:443/HB.onlineserv.cgi/
The "logout" page for Microsoft Live can be abused, with some effort, to make it appear as if some hostile site is on Microsoft Live. This looks like Microsoft tried "security through obscurity" and failed.
_ylu=X3oDMTE2ZXYybGFuBGNvbG8DdwRsA1dTMQRwb3MDMQRzZWMDc3IEdnRpZANpMDIxXzQ3/SIG=15j5u6auo/
EXP=1140214114/**http://hticketing.com/www.bankofamerica.com/sslencrypt218bit/online_banking/
A Yahoo redirector URL intended to create the illusion of a Bank of America site. It may be possible to exploit this as a cross site scripting attack. [xssed.com]
These were all active phishing sites an hour or two ago.
Yes, arguably the intelligent user should be able to visually parse the URLs above and realize that they're not really on the sites indicated. Or notice that a redirection took place. But most users don't notice that. Neither do many anti-phishing tools, especially if the attacker combines both techniques described above.
Phishing has reached the point that if you have an open redirector or proxy on your web site, someone will use it to borrow your reputation for their scam. Open redirectors are now like open mail relays - a nice Internet feature that had to be shut down because of exploits.
So fix those open redirectors, people, or expect to be listed as a phishing-friendly site.
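Added example, not part of the comment above and not SiteTruth's or PhishTank's code: a Python illustration of exact-URL matching versus base-domain matching, using the hostname the comment quotes. The small `PUBLIC_SUFFIXES` set, the function names and the `.example` URLs are assumptions; checking the destination carried inside a redirector URL goes a step beyond the blacklisting the comment describes.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "cn", "co.uk", "example"}

def base_domain(host):
    """Return the registrable domain (what a registrar sells) for a host."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host                      # bare IP: no registrable domain
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):         # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def embedded_hosts(url):
    """Hosts of any further URLs carried inside the path or query."""
    decoded = unquote(unquote(url))      # targets may be percent-encoded twice
    found = re.findall(r"https?://([^/:?#&\s]+)", decoded)
    return found[1:]                     # the first match is the URL's own host

def check(url, exact_urls, bad_domains):
    """Compare exact-URL matching with base-domain matching."""
    own = base_domain(urlsplit(url).hostname or "")
    targets = {base_domain(h) for h in embedded_hosts(url)}
    return {
        "exact": url in exact_urls,
        "base_domain": own in bad_domains,
        "redirect_target": sorted(targets & bad_domains),
    }

# Constructed sample data; the hostname in REPORTED is the one quoted in the comment.
REPORTED = "http://onlinesession-949076872.natwest.com.nigy3r.cn/"
EXACT = {REPORTED}
BAD = {base_domain(urlsplit(REPORTED).hostname), "phish.example"}
VARIANT = "http://onlinesession-111111111.natwest.com.nigy3r.cn/"
REDIRECT = "http://portal.example/r?to=http%3A%2F%2Flogin.phish.example%2Fbank"
```

`check(VARIANT, EXACT, BAD)` misses on the exact list but hits on the base domain; `check(REDIRECT, EXACT, BAD)` leaves the redirector's own domain unlisted and reports the listed destination instead.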
Re:And Google does it again! (Score:5, Insightful)
They all do this, which is why I don't use them. Some common sense will tell you if a site is phishing. If you try to go to a bank website and get http://bank-0-am3rika.tv/l0g0n [bank-0-am3rika.tv], then you might want to reconsider putting in your username and password.
Silly sensationalism. Nothing more.
Re:And Google does it again! (Score:5, Interesting)
Fixed that for you. (Score:5, Insightful)
Re:Fixed that for you. (Score:5, Funny)
Re:Fixed that for you. (Score:5, Funny)
Re:Fixed that for you. (Score:5, Insightful)
Re:Fixed that for you. (Score:5, Funny)
I bet.
Re:And Google does it again! (Score:5, Insightful)
Re:And Google does it again! (Score:5, Interesting)
But you don't need to believe me, you can believe your own eyes. This [uol.com.br] is the 13R station and This [unetral.com.br] is a real BR station.
Re:And Google does it again! (Score:5, Insightful)
Re:And Google does it again! (Score:5, Informative)
Re:Does a master list exist? (Score:5, Informative)
Re:Does a master list exist? (Score:5, Interesting)
Salt won't help you. (Score:5, Informative)
It makes no sense here. It would prevent a third-party from intercepting your browsing history -- but then, they can do that anyway, by simply being your ISP.
But if Google has the list of malware sites, obviously they know that foo.com resolves to a particular hash (with a particular salt). The only way this could possibly work is if Google stored a separate list for each user, each with its own salt, which would still require you trusting Google to be doing this and not to be keeping a mapping of hash+salt -> website.
There is no way hashes can solve this problem. The only solution is to either be smart, so you don't need a blacklist, or to download the entire blacklist periodically, which is an option, but not everyone likes it.
Parent
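Added example, not part of any comment in this thread: the hashing arguments made in "Re:Already there" and "Salt won't help you", run in Python. `HashOnlyService`, its crawl index and the salts are hypothetical; the URLs are the ones the two comments use.

```python
import hashlib

def digest(url, salt=b""):
    """What the browser would send instead of the plaintext URL."""
    return hashlib.sha256(salt + url.encode("utf-8")).hexdigest()

class HashOnlyService:
    """Hypothetical lookup service that receives only (salt, hash) pairs."""

    def __init__(self, blocklist, crawl_index):
        self.blocklist = set(blocklist)
        # Everything the operator already knows: its blocklist plus its web index.
        self.known = self.blocklist | set(crawl_index)
        self.recovered = []              # plaintext the operator could log

    def lookup(self, salt, h):
        # To compare at all, the operator hashes its own entries with the
        # client's salt; the same step reveals which known URL was asked about.
        for url in self.known:
            if digest(url, salt) == h:
                self.recovered.append(url)
                return url in self.blocklist
        self.recovered.append(None)      # unknown URL: no match, no verdict
        return False

def client_check(service, url, salt):
    """Client side: hash locally, send only the salt and the digest."""
    return service.lookup(salt, digest(url, salt))

# Constructed data built from the URLs quoted in the two comments.
SERVICE = HashOnlyService(
    blocklist=["http://thief.com/login.html"],
    crawl_index=["http://foo.com/"],
)
```

The `Login.html` variant gets no verdict because its digest matches nothing, while a salted query for `http://foo.com/` is still recovered in plaintext by the operator.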
The concern. (Score:5, Insightful)
The way the laws are these days, even if you're Mother Teresa, you're probably doing something illegal, even if you don't think of it as illegal or even realize it. (Ever downloaded VLC or Handbrake? Bought discount smokes? Played a little online poker? Bought something without paying your state's sales tax?) Sure, the FBI normally has bigger fish to fry than you and me, but there's no reason that'll always be the case. The tools that are used for terrorism now will be used for narcotics tomorrow, and copyright enforcement the day after that, and eventually it'll trickle down until it's being used against something you're doing. And information compiled in databases has a tendency to stick around (at least, when it's not being misplaced or stolen). Your browsing habits today could come back to seriously haunt you in a decade or two.
And it's not just the government that you have to worry about, or Google's official policy as a corporation. You also have to consider how much the people who actually deal with this data are paid. How much would it cost to get one of them to give someone malicious access to the database? A whole lot less than the database would be worth, I suspect. Even if you're not doing anything illegal (which, again, I doubt; most people break a half-dozen laws before they get to work in the morning), you're a rare person if there's not something going on in your life that you'd prefer to keep private. Medical conditions, sexual preferences
There aren't really any analogues in the pre-computer world to the size and scope of databases like Google's, in terms of both the breadth and depth of information it could contain on individuals. This is not something that we have much societal experience with, and the limited track record we do have is decidedly mixed. It's not especially paranoid to want to take a "wait and see" approach.