The Firefox conspiracy: It’s FUD time again!

“A recent article raised the question of whether Firefox 2’s new anti-phishing feature may pose a privacy threat.” – Mozilla Links, October 27, 2006.

A user just learned that Firefox 2 has an enhanced anti-phishing protection mode that checks every visited web address against a live database of known or suspect phishing web sites maintained for Google. So Google knows what web addresses are being visited. If you are logged in to some Google service, it’s probable it also knows what web addresses you visit.

By default this mode is turned off. Instead, Firefox downloads a list of newly reported phishing sites twice an hour; web addresses are checked against that list, and Google knows nothing.

The user, iritant, thinks this is news, so he posts it to Slashdot. Slashdot agrees and approves it. The Inquirer thinks it’s a slow week for Firefox/Mozilla news and this is the best it will get so Nick Farrel posts an article about it: “Google is getting shedloads of information on the sorts of sites you are visiting”, reads the center paragraph.

Now we can wait and see it making the usual round on blogs and tech news and social bookmarking sites.

For clarification purposes:

  • Firefox 2’s anti-phishing is not Google exclusive. It has the necessary hooks for other providers to offer their lists and integrate with it. Unfortunately, no other provider like Netcraft or McAfee has done so. Which is sad, as it would not only bring choice for users but would also be a business opportunity for them. Mozilla can’t do much about it other than work with those interested.
  • Firefox 3 will have an anti-malware protection that will work exactly the same way as the anti-phishing protection, with Google as a provider. So you can be as concerned or unconcerned about it as you currently are. This is the no news part.
  • Mozilla is in talks with stopbadware.org, an independent malware fighting association that includes Google, Sun Microsystems, Lenovo, Oxford and Harvard universities and Consumer Reports WebWatch, to include it as another provider. Its Privacy Policy suggests submitted reports and queries stay at stopbadware.org. At least it doesn’t say something like “we can share it with partners and members…”.

I would like to see a way to identify phishing and malware web sites that is as reliable as the way Firefox (and Opera and Internet Explorer) implements it but that doesn’t require you to share your web address with a third party. I would jump on it immediately.

Or at least an alternative to Google. I share the feeling that it’s too much information (search, visited web sites, email, documents, calendars) for a single company. Any company.

For that reason I don’t activate the enhanced mode. And I know the risks.

According to the Antiphishing Working Group, an independent association of web related companies, there were more than 31,000 new phishing sites during June this year. That means there could be about 21 new phishing sites between the twice-hourly updates if you are using basic anti-phishing. That works for me but I am not sure about recommending it to everyone.

In summary, there’s no news here since last year: yes, Firefox 2 has an enhanced anti-phishing protection that sends your web address to Google, and you have to activate it. There’s currently no other mechanism to achieve a comparable level of protection. Unless there were other providers. Which Firefox could integrate. Instead, some of them have opted to ship their own products, some as extensions. The same goes for malware protection. Except Stop Badware may act as another provider.

8 thoughts on “The Firefox conspiracy: It’s FUD time again!”

  1. A local newspaper here in Geneva, Switzerland reports it as being news about Gran Paradiso under the title “Firefox spies for Google”. So it’s already circulating… FUD is so sad.

  2. I hear you. Still: why not just exchange MD5 hashes or similar in enhanced mode instead of clearnames? Would work exactly the same and would not let the malware protection service track what sites everyone is surfing to.

    BTW, how are CGI parms of GET requests handled: this could contain sensitive information but could at the same time be an essential part of the URL to identify a phishing site (e.g. http://someserver.org/yeah.pl?goto=someotherserver.org)

    Using MD5 hashes here could also be a way to protect sensitive information.

  3. And yet another way to circumvent this: instead of transmitting the URL, request new bad URLs since the last download. So instead of downloading the whole list, only download the delta since the last access. If there are none, this is a simple status code reply. If there are new ones, the list is probably rather short anyways. Same effect as advanced mode, no tracking possible.

  4. JP, that should work in some cases, but it would also reduce the efficiency of the antiphishing protection. For example if http://www.phishyphishy.com is already in the database, the hash for phishyphishy.com/try53 would not match. Of course the protocol could be extended (if it’s not already) to partition the URL and exchange hashes for each portion, but the main reason I think this is not feasible is that I can’t imagine Google giving up all this data since knowledge is its business.

    That’s why I think McAfee and Netcraft could offer a more private scheme like the one you suggest because their interest is to sell their products and not the data per se.

    Yet another option would be an NPF such as Antiphishing Working Group or the case for malware StopBadware.org.

    Regarding your second point, as far as I know, it’s a delta that is downloaded twice an hour. A higher frequency would impact Google servers for sure and discourage users from enabling enhanced mode even more.

    It’s a hard situation for Google. I understand their position. They are not a non-profit, and need ROI. So I stay away from enhanced mode.
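
The per-portion hashing idea from comments 2 and 4, as an added example that is not part of the original post or of Firefox’s code: it checks a URL against a locally held set of hashes, first as one whole-URL hash and then as hashes of host-suffix and path-prefix portions. SHA-256 stands in for the MD5 suggested above, the query string is dropped before hashing, and the function names and list entries are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

def h(expr):
    """Hex SHA-256 of one lookup expression (stand-in for the MD5 suggested)."""
    return hashlib.sha256(expr.encode("utf-8")).hexdigest()

def partitions(url):
    """Host-suffix x path-prefix portions of url; the query string is dropped."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Full host first, then shorter suffixes, stopping at two labels.
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    segs = [s for s in parts.path.split("/") if s]
    paths = ["/"] + ["/" + "/".join(segs[:i]) for i in range(1, len(segs) + 1)]
    return [host + path for host in hosts for path in paths]

def check_whole(url, hashed_list):
    """One hash over the exact URL string: any extra path component misses."""
    return h(url) in hashed_list

def check_partitioned(url, hashed_list):
    """Match if any portion's hash is in the locally held list."""
    return any(h(p) in hashed_list for p in partitions(url))

# Constructed lists, using the host name from the comment above.
WHOLE_LIST = {h("http://www.phishyphishy.com")}
PORTION_LIST = {h("phishyphishy.com/")}

if __name__ == "__main__":
    visited = "http://www.phishyphishy.com/try53?session=secret"
    print("portions hashed:", partitions(visited))
    print("whole-URL hash match:", check_whole(visited, WHOLE_LIST))
    print("per-portion match:", check_partitioned(visited, PORTION_LIST))
```

Both checks run against a local set, so nothing is sent anywhere; a provider that received such hashes could still recognise any URL it can guess by hashing candidates itself.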

  5. This type of protection can be implemented outside of the browser, e.g. at the DNS level.

    I am using OpenDNS at home for that reason:

    http://www.opendns.com/features/phishing/

  6. Just run a packet sniffer and watch the remote sites Firefox connects to on launch

    This simply SHOULD NOT HAPPEN if it isn’t spying

  7. My site is being blocked by those assholes because it supposedly links to or has malware, and the page it refers to talks about a dream I had with Stephen Colbert in it. What is that shit?? Still, it’s blocking the whole site and nobody can access it unless they click on the little tiny “ignore this” link in the lower-right corner of the BIG FUCKING SCARY RED PAGE SAYING MY SITE IS DANGEROUS.
