“A recent article, raised the question on whether, Firefox 2
new anti-phishing feature may pose a privacy threat.” – Mozilla Links, October 27, 2006.
A user just learned that Firefox 2 has an enhanced anti-phishing protection mode that checks every visited web address on a live database of known or suspect phishing web sites maintained for Google. So Google knows what web addresses are being visited. If you are logged on some Google service, it’s probable it also knows what web addresses you visit.
By default this mode is turned off. Instead, Firefox downloads a list of newly reported phishing sites twice an hour, web addresses are checked against it and Google knows nothing.
The user, iritant, thinks this is news, so he posts it to Slashdot. Slashdot agrees and approves it. The Inquirer thinks it’s a slow week for Firefox/Mozilla news and this is the best it will get so Nick Farrel posts an article about it: “Google is getting shedloads of information on the sorts of sites you are visiting”, reads the center paragraph.
Now we can wait and see it making the usual round on blogs and tech news and social bookmarking sites.
For clarifications purposes:
- Firefox 2’s anti-phishing is not Google exclusive. It has the necessary hooks for other providers to offer their lists and integrate with it. Unfortunately, no other provider like Netcraft or McAfee has done so. Which is sad as it not only would bring choice for users but would also be a business opportunity for them. Mozilla can’t do much about it other that work with those interested.
- Firefox 3 will have an anti-malware protection that will work exactly the same way as anti-phishing sites with Google as a provider. So you can be as concerned or unconcerned about it as you currently are. This is the no news part.
I would like to see a way to identify phishing and malware web sites as reliable as the way Firefox (and Opera and Internet Explorer) implements it that doesn’t require you to share your web address with a third party. I would jump on immediately.
Or at least an alternative to Google. I share the feeling that it’s too much information (search, visited web sites, email, documents, calendars) for a single company. Any company.
For that reason I don’t activate the enhanced mode. And I know the risks.
According to the Antiphishing Working Group, an independent association of web related companies, there were more than 31,000 new phishing sites during June this year. That means, there could be about 21 new phishing sites between the twice-hourly updates if you are using basic anti-phishing. That works for me but I am not sure about recommending it to everyone.
In summary, there’s no news here since last year: Yes Firefox 2 has an enhanced anti-phishing protection that sends your web address to Google that you have to activate. There’s currently no other mechanism to achieve a comparable level of protection. Unless there were other providers. Which Firefox could integrate. Instead some of them have opted to ship their own products, some as extensions. Same goes for malware protection. Except Stop Badware may act as another provider.