
Firefox 3 Antiphishing Sends Your URLs To Google

kdawson posted about 7 years ago | from the clickstream-of-the-world dept.

Privacy 296

iritant writes "As we were discussing, Gran Paradiso — the latest version of Firefox — is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry — the feature is disabled by default."


And Google does it again! (4, Interesting)

lecithin (745575) | about 7 years ago | (#20746655)

Does anybody remember Google Web Accelerator? This also came out with the 'selling point' that it would help the customer:

http://slashdot.org/article.pl?sid=05/05/04/2223238&tid=217 [slashdot.org]

Google has your mail. They have your searches. Now they are going for your browsing history.

Add it all together and you have a lot of business intelligence. Time to target consumers and influence opinions?

Smart yes, but still quite scary.

What information are they going to collect next? What are they doing with all the information that they are already collecting?

Re:And Google does it again! (-1, Troll)

operato (782224) | about 7 years ago | (#20746695)

your garbage!!! oh noes! then... your poop from your toilet!!! oh noes!! ah well who cares free food and electricity for stalking me.

Re:And Google does it again! (5, Insightful)

cephalien (529516) | about 7 years ago | (#20746707)

This isn't news. ANY anti-phishing tool that checks to see if a page is a phishing site is going to have to send it SOMEWHERE... or did you think that they were just going to be able to magically download a tiny file on your computer that would just 'know' all the phishing sites?

They all do this, which is why I don't use them. Some common sense will tell you if a site is phishing. If you try to go to a bank website and get http://bank-0-am3rika.tv/l0g0n [bank-0-am3rika.tv] , then you might want to reconsider putting in your username and password.

Silly sensationalism. Nothing more.

Re:And Google does it again! (0)

Anonymous Coward | about 7 years ago | (#20746755)

ANY anti-phishing tool that checks to see if a page is a phishing site is going to have to send it SOMEWHERE.
Care to explain why? Why is it necessary to send the URL, when it could simply send a hash of the URL (or a portion thereof) instead?

Re:And Google does it again! (2, Informative)

grasshoppa (657393) | about 7 years ago | (#20746885)

And what would this accomplish? Google would still know which site you are visiting, as they would have had to hash it out originally. Which was the start of the whole argument, lest you forget.

Personally, I'm OK with the trade off, although the likelihood of me being taken by a phishing site is small.

Re:And Google does it again! (3, Insightful)

mikael (484) | about 7 years ago | (#20747147)

With the site URL, Google will know the server and exact page.

With only the IP address, they would only know the server.

And given that most of these phishing sites seemed to be a PC on a broadband connection (botnet?), they only really need to know the IP address.

Re:And Google does it again! (1)

mhall119 (1035984) | about 7 years ago | (#20746919)

Because then Google (or whoever) would have to already have checked the exact URL. If Google hasn't checked the URL, the hash won't be able to tell them what they should be checking. Furthermore, if Google _has_ already checked the URL and has its associated hash, Google can easily match the hash you are sending to the URL that they already checked, so they still have the exact same information.

Also, if someone is generating random characters at the end of each URL they send out as a spam email, then hash matching wouldn't work. Hashing the hostname portion might work around this though.

Re:And Google does it again! (0)

Anonymous Coward | about 7 years ago | (#20746969)

Why is it necessary to send the URL, when it could simply send a hash of the URL (or a portion thereof) instead?
What's the point? For that to be of any use, Google would have to maintain their blacklist in the form of a list of hashes. Which they would have to generate from the URLs. It would then be trivial for them to keep a list of the URL each hash was generated from, nullifying any potential privacy advantage (except perhaps to prevent a malicious third party eavesdropping and building up its own list of the URLs you visit, but encrypting the connection would do that just as well).

Re:And Google does it again! (4, Interesting)

TorKlingberg (599697) | about 7 years ago | (#20746841)

How about http://www.bankofarnerica.com/ [bankofarnerica.com] ?

Re:And Google does it again! (1)

FishWithAHammer (957772) | about 7 years ago | (#20746881)

Hah. Typosquatting a great phisher's domain.

Re:And Google does it again! (1)

cephalien (529516) | about 7 years ago | (#20746901)

I have to admit that looked ok at first -- but I still read it twice before clicking on it.

I bet we wouldn't have half the phishing problems we do now if people just stopped automatically trusting everything they see on the internet.

Fixed that for you. (5, Insightful)

Kadin2048 (468275) | about 7 years ago | (#20747047)

I bet we wouldn't have half the problems we do now if people just stopped automatically trusting everything they see.

Re:Fixed that for you. (1, Funny)

Anonymous Coward | about 7 years ago | (#20747339)

I bet we wouldn't have half the problems we do now if people just stopped automatically trusting.

Re:Fixed that for you. (5, Funny)

XenoPhage (242134) | about 7 years ago | (#20747445)

I bet we wouldn't have half the problems we do now if we just stopped having people.

Re:And Google does it again! (4, Insightful)

trolltalk.com (1108067) | about 7 years ago | (#20747169)

It would also help if fonts were designed a bit better. D A R N and D A M are easy to mistake in a LOT of lowercase fonts if you don't space them out: - darn dam darn dam,

Re:And Google does it again! (2, Insightful)

Seumas (6865) | about 7 years ago | (#20747137)

Or a solution could just require downloading a database on a regular basis and then comparing the URL to that database locally on your own machine.

Aside from the privacy issue, I simply wouldn't want to double the web traffic on my system.

A better way (0, Redundant)

brunes69 (86786) | about 7 years ago | (#20747215)

A better way to do it would be to just maintain a database of phishing sites that the browser downloads and checks *LOCALLY* to see if it is phishing.

Instead of every page hit being sent to Google or $SERVER, it checks Google or $SERVER to see if the database has changed since last downloaded. If it has, it downloads a binary update and inserts it into the database. Then it checks the LOCAL database to see if this is a phishing site.

Such a mechanism is just as up-to-date as submitting the URL to the remote site, and much more secure. And the binary form of such database updates would be minuscule, on average each request would likely take *LESS* time this way since you are only checking last-modified headers on a file instead of initiating a full HTTP GET/POST.

Re:A better way (2, Insightful)

hummassa (157160) | about 7 years ago | (#20747381)

And why should Google (or any other $SERVER) give you this expensive-to-gather information (phishing sites blacklist) for Free??
I think it's quite fair to give some info about my mail, searches, and browsing history to Google in exchange for a great search engine and virtually unlimited e-mail space.

Re:And Google does it again! (1)

Sylver Dragon (445237) | about 7 years ago | (#20747297)

ANY anti-phishing tool that checks to see if a page is a phishing site is going to have to send it SOMEWHERE... or did you think that they were just going to be able to magically download a tiny file on your computer that would just 'know' all the phishing sites?

Um, downloading a definition file isn't exactly magic. Anti-virus companies have been doing it for years. So yes, actually, I would have expected that every few days my browser runs off and gets the latest phishing definition file (maybe every time on launch, probably best to have it configurable). Then, when I am browsing every URL I go to is hashed and checked against the local hash table. The advantage is that the bandwidth for checking the online database is front loaded, and I am not waiting for each check to make a round trip to Google's servers, nor am I providing some third party with my entire browsing history.
The good thing is that this is off by default, but I wonder if this remote browsing history "feature" is pointed out to the user when they turn on the anti-phishing feature.

Re:And Google does it again! (1)

Nos. (179609) | about 7 years ago | (#20746713)

So, don't use gmail, don't use google for your search, and don't turn this feature on... it is off by default.

Re:And Google does it again! (3, Interesting)

cromar (1103585) | about 7 years ago | (#20746751)

Also, they can already collect some of (if not a lot of) your browsing history by checking the IP making requests to Google Adwords, if I'm not mistaken.

They probably just use cookies to track you (0)

Anonymous Coward | about 7 years ago | (#20747003)

... so, dump your google cookies from time to time if you're concerned about this. FF is open source, there's no reason you can't break google's session tracking at will.

Please, this is non-news.

The Open Source Cunnundrum (-1, Flamebait)

Anonymous Coward | about 7 years ago | (#20747021)

To suck ass, or to suck penis...

Re:And Google does it again! (1)

SueAnnSueAnn (998877) | about 7 years ago | (#20747035)

Well Google and privacy are as usual an oxymoron.

Sue

Well.. (2, Insightful)

El Lobo (994537) | about 7 years ago | (#20746667)

Considering that Google is one of the major sponsors of FF, I'm not amazed. Sending the addresses to Yahoo, or MSN, well THAT would be newz.

Re:Well.. (1)

yvajj (970228) | about 7 years ago | (#20747025)

Wow... talk about double standards. Your argument is ludicrous at best. "If Google does it... it's ok".

This is a privacy issue, plain and simple. There are other ways to solve this without having to send the URL to Google. Another approach would be to maintain a list of BAD URLS on the client. This is more expensive since it requires a potentially large list of bad URLS to be stored locally.

However, this is a viable option for those who want the URL protection without sacrificing their privacy.

Google isn't as saintly as you would think. I recommend you do some research on their handling of privacy issues with China and India.

Re:Well.. (1)

davetd02 (212006) | about 7 years ago | (#20747191)

Potentially large?

How about potentially many megabytes, updated daily (if not more frequently) as zombies go up and down. Storing it on the client side would be a huge resource drain with infrequent hits. Spammers know well enough to keep changing URLs as soon as they start getting picked up by filters; the list would have to update as fast as the zombienet can find a new host.

It's possible, but it'd be a massive heavyweight way of doing things that'd require an always-on high-speed connection to work. If a user connects periodically it's quite possible that the user could end up at a phishing site before the entire list was updated to reflect the newest entries.

Re:Well.. (1)

yvajj (970228) | about 7 years ago | (#20747267)


Yes... it could end up being megabytes. There are ways you could reduce the footprint of the DB by storing only the hashes locally (or using compression).

For someone who's anal about their privacy, this may be a worthwhile tradeoff. I didn't say this was ideal... I said it was a potential resolution to the privacy issue.

Some people may be ok with sending their private data to Google. Others may not.

Re:Well.. (2, Interesting)

Midnight Thunder (17205) | about 7 years ago | (#20747229)

Considering that Google is one of the major sponsors of FF, I'm not amazed. Sending the addresses to Yahoo, or MSN, well THAT would be newz.

Like every other feature I think you should be given the option of choosing where you get taken to, if anywhere. For example if I have my own anti-phishing web site then I should be able to choose that.

I support Google for many things, but I am getting more insecure about their privacy issues.

How did you expect it to work? (0)

Anonymous Coward | about 7 years ago | (#20746677)

Hashes? That wouldn't stop Google if they wanted the URL.

Does a master list exist? (2, Insightful)

tgatliff (311583) | about 7 years ago | (#20746683)

My thought would be if a master list exists for someone to put up a master site that does not keep up with the information, and put a patch into Firefox to have it pull from this site...

There is no secret to why Mozilla Firefox wants this feature. I suspect Google has agreed to pay them for the feature to be in Firefox, as I would think this data would be quite lucrative....

Re:Does a master list exist? (5, Informative)

42forty-two42 (532340) | about 7 years ago | (#20746717)

By default firefox does not send URLs to google. It downloads a static list from google periodically, and checks against that.

Re:Does a master list exist? (2, Interesting)

tgatliff (311583) | about 7 years ago | (#20746789)

Yes, but my thought would be to modify the feature so that you can pick the "carrier" for the feature... Meaning, have several instead of just using Google only...

Not new. (5, Informative)

garbletext (669861) | about 7 years ago | (#20746687)

This is a non-story. The ability to ask google about phishing has existed since 2.0, and was disabled then as well. Not that telling google every site you visit is a good thing.

Re:Not new. (3, Insightful)

griffjon (14945) | about 7 years ago | (#20746827)

Is this any worse than IE7, which sends the same to M$? At least Google servers are likely to respond in a more chipper fashion than M$'s, which at times have been noticeably slow, such that I turned AntiPhishing off for some newbies I'd activated it for

Re:Not new. (0)

Anonymous Coward | about 7 years ago | (#20746845)

Mod this black brother up! He right!!!

Re:Not new. (1)

MLCT (1148749) | about 7 years ago | (#20747319)

Was just going to post the same thing. This is already in firefox, and is disabled by default. It is not even borderline news - it just is not news.

Uhh, how ELSE are you going to do this? (5, Insightful)

nweaver (113078) | about 7 years ago | (#20746719)

A "blacklist" of phishing sites needs to be stored somewhere, and you need to be able to do queries against it.

It changes too fast, and is too large, for it to be stored locally.

So SOMEBODY needs to provide a database interface to it, and unless you are willing to tolerate the voodoo cryptography and serious performance penalty to do privacy-preserving searches, how else is this supposed to be done?

Re:Uhh, how ELSE are you going to do this? (1, Insightful)

Anonymous Coward | about 7 years ago | (#20746869)

Let's look at another blacklist example of sites - peerguardian.
That has a substantial list, that changes rapidly and yet, it can be stored locally and queried easily enough.
Text compresses ridiculously well - and that's all this blacklist is.

Re:Uhh, how ELSE are you going to do this? (3, Interesting)

Schraegstrichpunkt (931443) | about 7 years ago | (#20746949)

You could do it by providing a Bloom filter to the browser, and then when there is a match, the browser could download a certain subset of the blacklist to verify that the match is not a false positive.

Re:Uhh, how ELSE are you going to do this? (1)

nweaver (113078) | about 7 years ago | (#20746991)

Good idea. You'd have to stick to just the top level name and/or IP, but that would work.

I like it.
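The Bloom-filter scheme proposed in the two comments above, as an added sketch that is not part of the thread or of Firefox's code: the browser tests the hostname against a locally held filter and fetches one bucket of the list only on a hit, to rule out a false positive. The names `ListServer`, `Browser`, `bucket_of`, the one-byte bucketing rule and the `.example` hosts are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased hostname only: drops path, query and any user@ prefix."""
    return (urlsplit(url).hostname or "").lower()


def digest(text):
    return hashlib.sha256(text.encode("utf-8")).digest()


def bucket_of(host):
    """Hypothetical bucketing rule: first byte of the host's SHA-256 (256 buckets)."""
    return digest(host)[0]


class BloomFilter:
    def __init__(self, size_bits, num_hashes):
        self.m, self.k = size_bits, num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = digest(item)
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))


class ListServer:
    """Stand-in for the blacklist operator; records what each request reveals."""

    def __init__(self, bad_hosts):
        self.bad_hosts = set(bad_hosts)
        self.requests_seen = []

    def build_filter(self, size_bits, num_hashes):
        bloom = BloomFilter(size_bits, num_hashes)
        for host in self.bad_hosts:
            bloom.add(host)
        return bloom

    def fetch_bucket(self, bucket_id):
        # The operator learns a bucket id, never the URL or the hostname.
        self.requests_seen.append(bucket_id)
        return {h for h in self.bad_hosts if bucket_of(h) == bucket_id}


class Browser:
    def __init__(self, server, size_bits=1 << 16, num_hashes=7):
        self.server = server
        self.bloom = server.build_filter(size_bits, num_hashes)  # periodic download

    def is_blacklisted(self, url):
        host = host_of(url)
        if host not in self.bloom:
            return False  # definite miss: nothing leaves the machine
        # Possible hit: confirm against the real entries in that bucket.
        return host in self.server.fetch_bucket(bucket_of(host))


def find_host(browser, bloom_hit):
    """Find a constructed, non-listed host that does (or does not) hit the filter."""
    for i in range(10000):
        host = f"site{i}.example"
        if host not in browser.server.bad_hosts and (host in browser.bloom) == bloom_hit:
            return host
    return None


if __name__ == "__main__":
    # Constructed sample list; the filter is kept tiny so false positives are easy to find.
    server = ListServer(["thief.example", "login-update.example", "secure-bank.example"])
    browser = Browser(server, size_bits=32, num_hashes=2)
    for url in ("http://www.bank.example@thief.example/Login.html",
                "http://" + find_host(browser, bloom_hit=False) + "/",
                "http://" + find_host(browser, bloom_hit=True) + "/"):
        print(url, "->", browser.is_blacklisted(url))
    print("bucket ids the server saw:", server.requests_seen)
```

Only the listed host and the false positive cause a request, and each request names a bucket rather than a site; with a realistically sized filter the false-positive rate, and so the number of such requests, drops accordingly.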

The same way other people do it (1)

Arkaic (784460) | about 7 years ago | (#20747039)

Pull down the entire blacklist periodically, and then just query the local copy.

Uhh, how about with a *HASH*?!?!? (0)

Anonymous Coward | about 7 years ago | (#20747121)

unless you are willing to tolerate the voodoo cryptography and serious performance penalty to do privacy-preserving searches, how else is this supposed to be done?
Since when is a simple hash "voodoo cryptography"??!?!

And could you elaborate on the "performance penalty" when the time to do an MD5/SHA would be several orders of magnitude less than the round-trip to the server for validation?

Re:Uhh, how about with a *HASH*?!?!? (1)

nweaver (113078) | about 7 years ago | (#20747205)

A hash is insufficient, as Google has constructed the hash and could just as easily keep a map of H(URL)->URL as part of the database.

Re:Uhh, how about with a *HASH*?!?!? (0)

Anonymous Coward | about 7 years ago | (#20747357)

They could, but *would* they? If they're gonna make a concerted effort to *not* collect the data, they would.

You asked "how else could it be done" - and I told you.

How about admitting you're wrong?

Re:Uhh, how about with a *HASH*?!?!? (1)

nweaver (113078) | about 7 years ago | (#20747437)

Because privacy preserving database queries are different, and allow you to query the database WITHOUT the database owner being able to extract information, and it is true "Deep crypto voodoo".

Why the concern? (4, Insightful)

Aranykai (1053846) | about 7 years ago | (#20746757)

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?

What will this mean? Probably that google will continue to improve their search engines, their advertising programs and other services, and they will all stay free.

Damn, go smoke some more pot, you're not paranoid enough.

Re:Why the concern? (1)

marcello_dl (667940) | about 7 years ago | (#20746859)

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?


Why is everyone so concerned about criminal activities online? they already deal with drugs, arms, extortion, waste recycling...

Re:Why the concern? (0)

Anonymous Coward | about 7 years ago | (#20746921)

omg... you forgot the 3 big ones... terrorism, child porn & copyright infringement

Re:Why the concern? (1)

Carewolf (581105) | about 7 years ago | (#20746873)

Why is everyone so concerned about a company having their URL history?


Because they do evil.

Re:Why the concern? (2, Funny)

bulldog060 (992160) | about 7 years ago | (#20746953)

I think the biggest concern is coming up from 2 groups, 1st group is obviously the people that think it is all a big plot to control them, and the 2nd would be people that put a lot of effort into hiding their pr0n/online dating habits from their spouses or authorities starting to get nervous about another way for them to get caught

Re:Why the concern? (1)

iknownuttin (1099999) | about 7 years ago | (#20747285)

I think the biggest concern is coming up from 2 groups, 1st group is obviously the people that think it is all a big plot to control them, and the 2nd would be people that put a lot of effort into hiding their pr0n/online dating habits from their spouses or authorities starting to get nervous about another way for them to get caught

Or how about the US Government deciding to execute a gigantic dragnet and grab everyone who has read Al-Jazeera and posted something somewhere that says that "we deserved to get bombed" - which I've seen on this site here many times.

Re:Why the concern? (1)

king-manic (409855) | about 7 years ago | (#20747125)

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(Google), your email(gmail) and your documents(google docs), what does it matter?

Coming soon to a web browser near you it's GSoul. Why sign away your soul to just anybody. Choose the best. Choose Google*!

*Offer void where prohibited. Google promises not to do anything it considers evil with your soul. Google reserves the right to eat your soul. In the states of Utah and Nevada Google may also take possession of any dependants' souls. Side effects may include loss of reflection, nausea, vomiting, anal bleeding, vampirism, and cold feet.

Re:Why the concern? (1)

chill (34294) | about 7 years ago | (#20747359)

It gives Google the ability to determine exactly which "escorts" listed on Craigslist I perused before settling on the cute little Latina who promised multiple language lessons. :-)

Give me your URL history, combine it with your online purchase and reading history and a decent psychologist (or psych AI) can probably tell you what color shirt you are wearing today.

The government understands this theory. It is why certain FOI requests get denied and others allowed. Not that the information you are requesting itself is sensitive, but if you start getting too many pieces of the puzzle together in one place, you start to see things that you were not meant to know.

The concern. (4, Insightful)

Kadin2048 (468275) | about 7 years ago | (#20747453)

Why is everyone so concerned about a company having their URL history? I mean, they already have your searches(google), your email(gmail) and your documents(google docs), what does it matter?
Because it's another thing the authorities can subpoena -- or just take, without all that messy paperwork -- and comb through to find things to go after you with.

The way the laws are these days, even if you're Mother Teresa, you're probably doing something illegal, even if you don't think of it as illegal or even realize it. (Ever downloaded VLC or Handbrake? Bought discount smokes? Played a little online poker? Bought something without paying your state's sales tax?) Sure, the FBI normally has bigger fish to fry than you and me, but there's no reason that'll always be the case. The tools that are used for terrorism now will be used for narcotics tomorrow, and copyright enforcement the day after that, and eventually it'll trickle down until it's being used against something you're doing. And information compiled in databases has a tendency to stick around (at least, when it's not being misplaced or stolen). Your browsing habits today could come back to seriously haunt you in a decade or two.

And it's not just the government that you have to worry about, or Google's official policy as a corporation. You also have to consider how much the people who actually deal with this data are paid. How much would it cost to get one of them to give someone malicious access to the database? A whole lot less than the database would be worth, I suspect. Even if you're not doing anything illegal (which, again, I doubt; most people break a half-dozen laws before they get to work in the morning), you're a rare person if there's not something going on in your life that you'd prefer to keep private. Medical conditions, sexual preferences ... it all sounds like good opportunities for extortion to me.

There aren't really any analogues in the pre-computer world to the size and scope of databases like Google's, in terms of both the breadth and depth of information it could contain on individuals. This is not something that we have much societal experience with, and the limited track record we do have is decidedly mixed. It's not especially paranoid to want to take a "wait and see" approach.

Re:Why the concern? (0)

Anonymous Coward | about 7 years ago | (#20747459)

It's disabled by default anyhow. That weighs heavily as to goog's intent and respect for the user.

And frankly, you have to trust SOMEBODY with your information, unless you stop using the services.

I doubt m$ or yawhoo would even *TELL* you they were collecting information, unless sued or caught pants down.
I think goog is the more discerning operation of its size and heft. IMHO AFAIK IANAL SEMPER FUBARIS

Now - if someone would come out with a nice 3rd party plugin that could perform this check for badware against
goog's list, via proxy + hash + some anonymity, I'd buy them a burrito and possibly a negra modelo as well.

Maybe it already exists, in which case, post the link... your burrito may already be on its way. -Duff

Big brother (1)

marc_garcia (1095119) | about 7 years ago | (#20746759)

Google already know almost everything about us... Hopefully they go on using it for good things: I like video recommendations according to my searches!

umm?? (1)

gitargr8 (966020) | about 7 years ago | (#20746773)

and Google gets a wealth of information about which sites are popular

Doesn't running the leading search engine already give you a pretty good idea about which sites are popular?

Re:umm?? (1)

User 956 (568564) | about 7 years ago | (#20747217)

Doesn't running the leading search engine already give you a pretty good idea about which sites are popular?

I imagine it gives a pretty good idea, but something like this would allow pretty easy creation of an alexa competitor (which is kind of different data). For example, I have slashdot bookmarked. I usually don't ever search for it.

Already there (4, Informative)

Todd Knarr (15451) | about 7 years ago | (#20746781)

It's already in the version of Firefox I'm using, 2.0.0.6 downloaded directly from Mozilla's web site. In fact you've got the choice to enable it or leave it disabled, and if you enable it you've got the choice between downloading a list and doing the check internally or checking each URL interactively with a service (currently Google's the only one in the list, but more could easily be added).

Re:Already there (2, Interesting)

ivan256 (17499) | about 7 years ago | (#20746911)

If you're going to do it interactively, why not use a hash of the URL (or the domain name/port) instead of sending the URL itself? Then even with live checking, google would only know which sites you went to if they were a match in their list of bad guys.

Re:Already there (4, Interesting)

Todd Knarr (15451) | about 7 years ago | (#20747075)

Because http://thief.com/login.html [thief.com] and http://thief.com/Login.html [thief.com] both hash to radically different values, but both have in the plaintext a characteristic fingerprint of a phishing attempt. A service that gets the plaintext can trivially identify both, but a service that only gets a hash would be fooled by the second if it only had seen the first before.

Re:Already there (1)

Todd Knarr (15451) | about 7 years ago | (#20747109)

Bah. SlashDot mangled the URLs, there's supposed to be a "www.bankofamerica.com@" in front of the "thief.com".
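An added illustration (not code from any commenter or from Firefox) of the hashing arguments made in this thread, including the case-variant URLs in the two comments above: a service that receives only hashes can still name every URL it hashed itself, and an exact-URL hash misses case and suffix variants that a hostname hash catches. `HashLookupService`, `browse` and the `.example` URLs are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def host_of(url):
    """Lower-cased hostname only: drops path, query and any user@ prefix."""
    return (urlsplit(url).hostname or "").lower()


class HashLookupService:
    """Stand-in for a remote checker that is sent hashes instead of URLs."""

    def __init__(self, bad_urls, crawled_urls=()):
        self.bad_url_hashes = {sha256_hex(u) for u in bad_urls}
        self.bad_host_hashes = {sha256_hex(host_of(u)) for u in bad_urls}
        # The operator computed these hashes from plaintext it already holds,
        # so it can keep the reverse mapping at no extra cost.
        self.reverse = {}
        for u in list(bad_urls) + list(crawled_urls):
            self.reverse[sha256_hex(u)] = u
            self.reverse[sha256_hex(host_of(u))] = host_of(u)
        self.history = []  # what the operator can reconstruct, one entry per query

    def check(self, url_hash, host_hash):
        self.history.append(self.reverse.get(url_hash) or self.reverse.get(host_hash))
        return {
            "url_match": url_hash in self.bad_url_hashes,
            "host_match": host_hash in self.bad_host_hashes,
        }


def browse(service, url):
    """Client side: only the two hashes leave the machine."""
    return service.check(sha256_hex(url), sha256_hex(host_of(url)))


if __name__ == "__main__":
    # Constructed sample data: one listed URL, one page the operator has crawled.
    svc = HashLookupService(
        bad_urls=["http://thief.example/login.html"],
        crawled_urls=["http://news.example/"],
    )
    visits = [
        "http://thief.example/login.html",                   # exact listed URL
        "http://www.bank.example@thief.example/Login.html",  # case variant with user@ prefix
        "http://thief.example/login.html?id=8f3a1c",         # random suffix
        "http://news.example/",                               # clean, but in the crawl index
        "http://intranet.corp.example/wiki",                  # clean and unknown to the operator
    ]
    for url in visits:
        print(url, browse(svc, url))
    print("operator's reconstructed history:", svc.history)
```

Only the last visit stays opaque to the operator, and only because that URL was never in anything the operator hashed.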

Re:Already there (1)

m1sha (1113269) | about 7 years ago | (#20747315)

But you've gone and assumed that the phisherman has used a non-case-sensitive server. Everyone knows that you can't commit crimes running Genuine Windows Server.

Re:Already there (1)

Volatar (1099775) | about 7 years ago | (#20747245)

Sweet! I am turning that on right away.

Helping Google better their business and protecting myself from phishing better than I would otherwise is a double win!

Oh my GOD! (5, Funny)

gowen (141411) | about 7 years ago | (#20746785)

Google are going to find out what websites are popular. That's information that they simply couldn't otherwise find out unless they ... oooh ... operated the world's most popular search engine.

Everybody panic!

Re:Oh my GOD! (2, Insightful)

Bill, Shooter of Bul (629286) | about 7 years ago | (#20747149)

You laugh, but there is a difference between knowing which topics people search for and consequently which one they go to when presented with a list of sites related to that topic, and knowing the sites people go to directly and how often they do it.

the unarticle... (5, Funny)

revery (456516) | about 7 years ago | (#20746793)

Breaking news: Cheese gives you cancer!!

Oh wait, no it doesn't... You might still get cancer though...

Really a fair deal? (4, Insightful)

Ungrounded Lightning (62228) | about 7 years ago | (#20746809)

Fair deal? Not to worry -- the feature is disabled by default."

But does the "enable" interface inform the user that Google gets their browsing history as a side-effect of providing the blacklist?

Re:Really a fair deal? (1)

akasch (1159557) | about 7 years ago | (#20746943)

I'm wondering if you have to actually use it after enabling it, or can you just enable it and get info on the site you already visited - then anytime you turn it on they would get your whole browsing history anyway if you are dense enough not to clear cookies regularly

Re:Really a fair deal? (3, Informative)

ronanbear (924575) | about 7 years ago | (#20747029)

Actually, it does explain it pretty well on FF2. If they changed that it would be news.


Really not an issue (1)

allthefish (1158249) | about 7 years ago | (#20746849)

As much as I hate things phoning home, with a phishing filter there's really not much of a choice. It has to check the site against SOMETHING, and as Google is the closest to being the standard repository of URLs, then I think it makes the most sense.

Just think about it. When you want information about a certain bug or scam, what's the first place you go? Generally, it's Google. Yes, Google is probably paying Mozilla for it, but who cares? Even if they weren't, it's the most logical choice anyway. Plus, the feature is off by default, and you have to deliberately turn it on. There's no deception going on here.

These aren't the droids you're looking for. Move along.

Fear mode... (1)

xyph0r (1153429) | about 7 years ago | (#20746863)

Good job my fear mode's set to off by default or I might've actually cared about this non-news.

Hash (1, Insightful)

Arthur B. (806360) | about 7 years ago | (#20746887)

Why not send a hash with a salt ? It makes it fast to check if the url is in the malware blacklist but if Google wants to know the list of websites you visited, they have considerably more work to do. You could also send fake hashes along each request.

Salt won't help you. (4, Informative)

SanityInAnarchy (655584) | about 7 years ago | (#20747101)

Salt helps for things like passwords, where two users with the same password will have it appear differently in the password file.

It makes no sense here. It would prevent a third-party from intercepting your browsing history -- but then, they can do that anyway, by simply being your ISP.

But if Google has the list of malware sites, obviously they know that foo.com resolves to a particular hash (with a particular salt). The only way this could possibly work is if Google stored a separate list for each user, each with its own salt, which would still require you trusting Google to be doing this and not to be keeping a mapping of hash+salt -> website.

There is no way hashes can solve this problem. The only solution is to either be smart, so you don't need a blacklist, or to download the entire blacklist periodically, which is an option, but not everyone likes it.

Re:Hash (1)

sirambrose (919153) | about 7 years ago | (#20747419)

That won't work because Google would have to maintain a full table of all the possible hashes of every url on the phishing list. If they can feasibly store a full set of salted hashes for all the bad urls, they can probably do the same for all the urls in their index. For a company that caches most of the web, a hash table of all urls or hostnames can't be too hard.

In addition, the hash function would probably have some collisions. Users don't want an anti-phishing tool that flags random sites that happen to have a url that collides with the url of a phisher's site.
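Added example (not part of any comment in this thread, and not Firefox or Google code): the argument of the replies above in runnable form. A list holder that can answer a salted-hash query can also map that hash back to any URL it has indexed, while a check against a downloaded list sends nothing. The URLs, salt and function names are constructed for illustration.

```python
import hashlib

# Constructed sample data: a tiny blacklist and the wider set of URLs the
# list holder already knows about (its "index"). All names are hypothetical.
BLACKLIST = ["http://phish.example/login", "http://malware.example/dl"]
SERVER_INDEX = BLACKLIST + [
    "http://news.example/",
    "http://bank.example/account",
    "http://forum.example/thread/42",
]


def url_hash(url: str, salt: bytes = b"") -> str:
    """SHA-256 over salt + URL, hex encoded."""
    return hashlib.sha256(salt + url.encode("utf-8")).hexdigest()


def server_is_blacklisted(reported_hash: str, salt: bytes) -> bool:
    """The check the client asked for: is this salted hash on the blacklist?"""
    return reported_hash in {url_hash(u, salt) for u in BLACKLIST}


def server_recover_url(reported_hash: str, salt: bytes):
    """What the same server can also do: it must know the salt to answer the
    blacklist query, so it can rehash every URL it has indexed and map the
    reported hash back to the page visited. Returns None for unknown URLs."""
    table = {url_hash(u, salt): u for u in SERVER_INDEX}
    return table.get(reported_hash)


def build_local_list(urls) -> set:
    """Client side: the periodically downloaded list, stored as hashes."""
    return {url_hash(u) for u in urls}


def local_check(url: str, local_list: set) -> bool:
    """Lookup against the downloaded list; nothing leaves the machine."""
    return url_hash(url) in local_list


if __name__ == "__main__":
    salt = b"per-user-salt"  # constructed value
    visited = "http://bank.example/account"
    sent = url_hash(visited, salt)
    print("blacklisted:", server_is_blacklisted(sent, salt))
    print("server recovers:", server_recover_url(sent, salt))
    print("local check:", local_check(visited, build_local_list(BLACKLIST)))
```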

Oh joy. (1)

SatanicPuppy (611928) | about 7 years ago | (#20746891)

Why does this need to be included by default? Am I the only one who finds the anti-phishing stuff to be annoying? Fine, some people want it, make a plugin or an extension, but stop adding tangential stuff to the codebase! Adding a piece of "functionality" to a web browser that does a name check on every website you load is bound to add a huge chunk of overhead.

Am I the only one who remembers The Kitchen Sink [mozilla.org] ? Adding stuff like this into a pure vanilla install is ridiculous. I don't care if they want to make a "secure" version with plugins already installed and enabled, but don't make it a part of the

Re:Oh joy. (1, Funny)

Anonymous Coward | about 7 years ago | (#20747345)

I don't care if they want to make a "secure" version with plugins already installed and enabled, but don't make it a part of the

That must be a first. You got bored of your comment before I did!

Re:Oh joy. (3, Insightful)

moore.dustin (942289) | about 7 years ago | (#20747455)

The people who have no idea about extensions and plugins (the average user), are the people who want the anti-phishing features. Being the more advanced user, it is far easier for you to turn it off than it is for the average user to seek, install, and maintain (update) a plugin.

I would agree that it is annoying for me as well though - I do not need the help of the browser to ward off phishing, especially at the cost of a performance hit. That said, Firefox is not a pet project of the geek world anymore. FF is aggressively seeking the mind and market share of the everyday user, so they must produce a product those users want. Outside of security, what is the real benefit of abandoning IE6 and more importantly IE7? Pages rendering correctly/standard compliance is not an issue with the average user, not in the least. So that only really leaves security, interface/usability, and I suppose you can throw in the great extension selection as a motivator to switch as well. This is a move in the direction of better security to offer its users who value it.

toolbar (1)

wwmedia (950346) | about 7 years ago | (#20746909)

Wait, ain't this the same Google that pays people per Firefox download (that's conveniently bundled with Google toolbar which sends every url to Google)...

What about a downloadable "Definition Update"? (1)

Zymergy (803632) | about 7 years ago | (#20746923)

What about a user downloadable "Definition Update" for the Antiphishing engine similar to what scanning engines in Norton, McAfee, AVG, Ad-Aware, SS&D, etc. do?

Re:What about a downloadable "Definition Update"? (1)

richwklein (767820) | about 7 years ago | (#20747377)

Downloading a "Definition Update" is how the phishing/malware protection works by default. However, real time checking has been possible since FF 2.0 was released. The user actually has to enable it in their preferences. I personally doubt anyone ever does.

It is even more of a non-issue with 3.0. Bug #388652 is about removing the real-time checking and it looks like it is seriously being considered.

WordPress Now FireFox (1)

WED Fan (911325) | about 7 years ago | (#20746929)

I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress...wait, Firefox...dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, your argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.

Old troll. (1)

SanityInAnarchy (655584) | about 7 years ago | (#20747199)

Fact is, I don't have to, because a LOT of people already have -- the people responsible for developing and shipping Firefox, for example.

"May as well be closed"? Maybe, if no one outside the development team looks at it. But the difference is between a diverse development team, everyone paid by a different group, some not paid at all for their Firefox work, and a single, homogeneous team, working for one company, who may not even care what spyware goes in.

By the way, if you'd bothered to check, this feature is off by default. Do you honestly think Google could've gotten it in if the feature was enabled by default?

Get a clue (2, Insightful)

Anonymous Coward | about 7 years ago | (#20746931)

Edit > Preferences > Security > Tell me if the site I'm visiting... >

[X] Check using a downloaded list of suspected sites
[ ] Check by asking [Google, .. oh no other one in this dropdown] about each site I visit.

Also saves your bandwidth.

Clueless users don't change defaults (5, Insightful)

lowy (91366) | about 7 years ago | (#20746961)

It seems to me that the users who most need anti-phishing protection are the ones least likely to change their defaults.

Re:main(p){printf(p,34,p="main(a){printf(p,34,p=%c (1)

What is a number (652374) | about 7 years ago | (#20747233)

main(a) should be main(p) ? %c%s% c could be %c%s%c ? --- I type this every time.

fud? (0)

Anonymous Coward | about 7 years ago | (#20746987)

"As we were discussing, Gran Paradiso -- the latest version of Firefox -- is nearing release. Gran Paradiso includes a form of malware protection that checks every URL against a known list of sites. It does so by sending each URL to Google. In other words, if people enable this feature, they get some malware protection, and Google gets a wealth of information about which sites are popular (or, for that matter, which sites should be checked for malware). Fair deal? Not to worry -- the feature is disabled by default."
... And yet you chose to post an article sensationalizing and misrepresenting this feature - despite it not being enabled by default?
This isn't Digg you know, it's not a good thing to post articles that are thinly veiled flamebait.
Where is your evidence that it sends every url to Google?
Is it just how you think it can be implemented or a transparent opportunity to spread FUD about privacy issues, Google and Firefox?

This is Idiotware (1)

Burz (138833) | about 7 years ago | (#20747033)

Because the people who put it in FF are acting like idiots by assuming average users are dumb and won't learn a couple of simple instructions. Hence, the idiots (i.e. many people in IT) don't even bother to suggest proper URL usage and instead concoct convoluted and invasive crap based on what a central authority considers socially acceptable for web browsing (and don't tell me the blacklist won't be expanded beyond suspected phishers-- you know it will).

The best thing they could do, IMO, is to render every URL in the address bar with the domain in red BOLD letters. Then, on first-use of Firefox the user gets a popup balloon coming out of the address bar advising them to always keep an eye on the domain field. This has the added benefit of making SSL certificates worthwhile, since certificates only work if you pay attention to the domain you are connecting to.

Teaching basic URL awareness also assumes that people who don't bother to spell correctly (or blithely click 'OK' on certificate warnings) will get what they deserve.

This feature could make me switch away from Firefox.

Re:This is Idiotware (1)

SanityInAnarchy (655584) | about 7 years ago | (#20747251)

First, realize the feature is disabled by default, and can be enabled without sending your browsing history to Google. Also, it's fairly likely it will let you visit those sites, it'll just prompt you first.

Because the people who put it in FF are acting like idiots by assuming average users are dumb and won't learn a couple of simple instructions.

Actually, they are, intelligently, realizing that your average IT department doesn't have the resources to educate users properly, and some of those users are fundamentally un-educatable. You can either give them the invasive crap from Firefox, or you can figure the IT dept will standardize on IE to get the same invasive crap, because no IT dept in their right mind is going to let them just get exploited anyway.

Did I miss the memo? (4, Informative)

LMacG (118321) | about 7 years ago | (#20747053)

Is this tin foil hat day or what? This isn't a new feature in FF3, it's already in FF2.

Wait, maybe it's sending server dumps and some developer said "if you don't like it, fork it." That must be it.

Do we get a "this is a non-story" correction to this post too?

Re:Did I miss the memo? (1)

transonic_shock (1024205) | about 7 years ago | (#20747145)

That's exactly what I thought... this isn't a new feature in FF3. It was a new feature in FF2.

Re:Did I miss the memo? (2, Funny)

Cro Magnon (467622) | about 7 years ago | (#20747163)

Hey, this is Slashdot. You expected NEW info?

Don't think Google think Doubleclick (0)

Anonymous Coward | about 7 years ago | (#20747135)


same company and most people here probably firewalled them off years ago,

how long till google goes into dev>null ?

How about... (1)

grishnav (522003) | about 7 years ago | (#20747195)

...accessing the list through TOR?

Huh (1)

terrence.donnelly (1144137) | about 7 years ago | (#20747209)

Only a matter of time until those things from Half-Life 2 are flying around my apartment gathering data about what I eat, wear, and do on my spare time. Then start spitting out ads. I quit.

Why is this an issue? (1)

allthefish (1158249) | about 7 years ago | (#20747257)

There's really no reason to be up in arms about this. You can put your torch and pitchfork down.

Firefox is open-source. They're not trying to hide anything. One of the side-effects of FOSS is that the developers can't hide anything in the code without someone looking through it and pointing it out. This has happened countless times in the past (Azureus, etc.), but we've got no indication that they're actually trying to keep it from us. Actually, quite the opposite is true; they seem to be making it public knowledge.

Another effect of being open source is that you are free to fork it if you like. If y'all don't like this new direction, then why not produce something better?