|Phishing Filters and User Privacy - browsers that "phone home"|
The latest "must-have" features in modern browsers include anti-phishing technology, where visited sites are assessed for their likelihood of stealing end-user personal information.
Internet Explorer 7 includes a "Phishing Filter":
In the case of Microsoft, data is transmitted to their servers via a secure connection, including every URL you visit; however, according to the IE7 privacy statement [microsoft.com], query strings are not transmitted, so for example your specific Google or MSN searches will not be sent. The URLs submitted in real time are compared to a database held by Microsoft, which returns information to the browser regarding the URL.
|Phishing Filter is designed to warn you if the website you are visiting might be impersonating a trusted website. Phishing Filter does this by first checking the address of the website you are visiting against a list of website addresses stored on your computer that have been reported to Microsoft as legitimate ("legitimate list"). (...) addresses not on the legitimate list will be sent to Microsoft and checked against a frequently updated list of websites that have been reported to Microsoft as phishing, suspicious, or legitimate websites. (...) the address of the website you are visiting will be sent to Microsoft, together with some standard information from your computer such as IP address, browser type, and Phishing Filter version number. To help protect your privacy, the address information sent to Microsoft is encrypted using SSL and limited to the domain and path of the website. Other information that may be associated with the address, such as search terms, data you entered in forms, or cookies, will not be sent. |
Firefox 2.0 takes a different route, called "Safe Browsing". The biggest difference is that data is not sent to Mozilla or any other source, but each URL you visit is checked against a local list which is downloaded periodically from Mozilla.
|When Phishing Protection is used in default mode, no information about the sites you visit is sent to Mozilla or anti-phishing partners. Rather, sites are checked against a local list that is downloaded to your computer and updated on a regular basis. |
Firefox's solution certainly appears to avoid any privacy problems, as the data remains on the end-user's machine. But the lack of a real-time lookup reduces the potential effectiveness when faced with a rapidly evolving threat.
Finally, Opera. Opera 9 does not include phishing protection, but such measures are expected in Opera 9.1 onwards. From OperaWatch [operawatch.com]:
|Opera's Fraud Protection will work differently than Firefox and Internet Explorer's (IE) anti-phishing protection. In Opera, when you type a URL in the address bar, while the page is being requested from the web server, Opera will simultaneously access Opera's database to check the legitimacy of the site you want to visit.
If the site is determined to be a fraud, Opera will instead display a warning and block you from visiting the site. You'll still have the option to bypass the warning. |
So, in your opinion is anti-phishing protection (using any method) really a useful tool, or is it just part of a marketing exercise where each browser must keep up with the others? Do you think anti-phishing will work? Are you concerned about the "phone home" aspects of real-time URL lookups sent to Microsoft or Opera?
[edited by: encyclo at 1:44 am (utc) on Nov. 6, 2006]
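To make the difference between the two lookup models concrete, here is an added example written for this thread (not code from Microsoft or Mozilla): a function that reduces a URL to the domain and path that the IE7 privacy statement says is transmitted, dropping query string, fragment and credentials, and a lookup of that reduced address against a locally held list of the kind Firefox downloads. The list entries, hostnames and the prefix-matching rule are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample list standing in for the locally downloaded list a browser
# refreshes periodically. Entries are "host/path-prefix" strings; anything under
# the prefix is treated as reported. These hostnames are made up for the example.
LOCAL_PHISHING_LIST = {
    "login-update.example.net/",
    "example.org/secure/account/",
}


def address_for_lookup(url: str) -> str:
    """Reduce a URL to domain + path, which is what the IE7 privacy statement says
    is sent: no query string, no fragment, no user:password, no port.
    This is the string that would leave the machine in a real-time model."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname strips credentials and port
    path = parts.path or "/"
    return f"{host}{path}"


def local_lookup(url: str, blocklist=LOCAL_PHISHING_LIST) -> bool:
    """Check the reduced address against a local list with no network traffic,
    the Firefox-style model. A list entry matches when it is a prefix of the
    reduced address, so 'example.org/secure/account/' covers every page below it.
    Matching is on the exact host: 'www.example.org' is a different entry."""
    addr = address_for_lookup(url)
    return any(addr.startswith(entry) for entry in blocklist)


if __name__ == "__main__":
    sample = "https://alice:secret@Example.ORG:8443/secure/account/login.php?user=alice&token=abc#top"
    print("would be looked up as:", address_for_lookup(sample))
    print("on local list:", local_lookup(sample))
    print("on local list:", local_lookup("https://example.org/help/"))
```

Note that the reduction only removes what the statement lists; a path such as `/reset/alice@example.org` still carries the user's data, which is exactly the kind of leak the thread is worried about.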
Firefox 2.0's approach protects the user's privacy; IE7's does not.
I have investigated many spam emails with great interest since the release of IE7. Not one of the obvious phishing sites linked from the emails has been identified as such by Microsoft's system. Based upon this I suspect that this will never work well - phishing sites need to be added to the database within seconds of the first report, because that's how fast new phishing sites can be distributed by email.
The Firefox method seems limited by the size of the local file - if there are ten million phishing sites it just won't work.
Have to agree with vincevincevince.
Unfortunately, I think all three solutions (although I think Opera's is just a variant of Microsoft's) are non-workable.
As stated before, phishing sites are deployed, spammed out, and taken down in less than a few hours.
Any database will be woefully out of date, within minutes after downloading.
Databases at Microsoft, Opera, or any other third party might catch up faster, but the probability is very high that the majority of such phishing sites would be missed.
[edited by: Tapolyai at 3:11 am (utc) on Nov. 6, 2006]
The only way I can see this working in practice is at the level of collaboration between ISPs. A sudden surge in visitors to a previously unknown site could trigger either an AI based or an instant manual-review based block across all participating ISPs. If a block seems too much, then meddling with the source code to add a warning doesn't seem unjustified.
How do you disable it within Firefox? In IE 7, I just turned off phishing. Sorry, I just don't trust any of them.
In Fx2.0 the list is downloaded roughly every half hour; I'm not sure how big it is. I think this means that in everyday use of the web you'll never come up against a phishing site that isn't in the list because of lag.
Also, it is possible (if you go drilling down through the options) to set Firefox to do a live lookup to Google (or another anti-phishing list supplier). This of course does reduce your privacy, so it's not enabled by default.
The first time you, or someone you know, get your account information pilfered you won't complain about the minor variance in design.
Is it optimal?
Nah, but is it needed?
These technologies aren't aimed at computer-savvy people; they're aimed at the average Joe on the net who doesn't have a clue what's happening, and losing a little privacy as opposed to being defrauded is a small price to pay to rid ourselves of the damn phishers.
Of course I'm not running either anti-phish, but I look at the URLs and obviously don't click on emails telling me to update my accounts, but does granny know to do this?
I'm glad to see some protection in place for the masses, about time.
Where is the anti phish setting in Firefox?
To paraphrase the warning message when this feature is enabled in FF 2:
Once enabled, the data is stored forever some place.
I view such "protection" with the same cynicism with which I view cycle helmets. A great idea in theory, but the danger lies with implying a greater level of security than is actually delivered.
The best protection against phishing lies with user caution. Browsers which suggest they protect against phishing may induce rash behaviour among users, resulting in more danger.
As for privacy, I haven't a problem with it. I cannot imagine that anyone is really interested in the surfing habits of an unknown 41-year-old man in England. Even if the staff at some company could identify me, from among the billions of other people's data they collect, why should they care? Why should I care? Unless I intend to commit acts of great illegality.
Don't fall for the trap that a "real time" list will protect you more.
A real time list is only real time as soon as it is updated.
If a new phishing site appears the real time list will only alert users if Micro$oft know about it! In theory 10 million new phishing sites could appear but IE7 users won't be protected until all 10 million are added to the list.
I somehow get the feeling that making a browser 'phishing safe' is just spin to a) gather info by stealth, b) fool users into using a product they think they need.
This is quite similar to all those 'anti bacterial' cleaning products. Pure FUD marketing.
According to Mozilla [lxr.mozilla.org], in "standard" mode the list of phishing sites is updated every 30 minutes or so, although they may adjust the time in the future. I'm not sure who needs a list that's more up to date than that, so "real time" checking seems to be another way for Google to collect data. The word "periodically", which is used to describe the update frequency, is somewhat misleading IMHO.
|If a new phishing site appears the real time list will only alert users if Micro$oft know about it! |
Not everyone will be protected initially but it's a numbers game.
So what if the first 10K people that encounter it are wide open, if the next 10M people are protected?
You can't stop everything but you can limit the collateral damage somewhat.
Don't agree that this is of any use whatsoever. This makes granny feel safer when the browser makes her think it's OK. But if the method isn't effective, and clearly it isn't, you are giving her false hope instead of teaching her how to avoid phishing in the first place.
So sad that spammers and phishers are so much further ahead of the curve than the developers.
It is a total waste of space and I don't see how microsoft can claim an upper hand here on phishing detection.
When a flaw in a Microsoft package is announced, Redmond issues a press release saying something like "We will release a patch a week next Tuesday".
If they are that quick to respond to reported vulnerabilities how quick are they to respond to phishing?
There are far too many delays in the system for IE and FF, but I'll take issue here with IE for its phone-home method.
A new phishing site is created 22:50 GMT.
How long until someone is phished?
How long until that person realises they have been phished?
What do they do about it? Hmm, where's the 1-800 number for Phish Alert?
When Microsoft are informed, do they immediately list a site, or do they have to have their legal team check it out in case the site is not actually a phishing site and they don't want to get sued?
How many people have visited the rogue site from when it was created to when the site was first listed? It could be days, or weeks even.
This has to be the worst feature / case of mis-selling a product ever!
>>> This makes granny feel safer when the browser makes her think it's OK.
Could get worse.... you THINK the site you are visiting is OK, but actually it is a brand new 'phishing site' not yet tagged as such. Makes things even more confusing for granny.
|you THINK the site you are visiting is OK, but actually it is a brand new 'phishing site' not yet tagged as such. Makes things even more confusing for granny. |
FF and IE users will be so confident that their PC is 'phishing safe' that they will drop their guard, respond to any bank, auction, or online pay site and enter their details.
The only true way of defeating phishing is an idea suggested by Robert X. Cringely.
Every time you get a phishing email, click the link and enter a totally fictitious username, password, account no. etc.
If thousands of people did that, then the phishers would have thousands of fake account details which would give them access denied when they logged onto the real site.
Whilst that relies on good samaritans to create false account info, a better solution would be to do this:
An anti-phishing site uses a script which connects via anonymous proxies (just like the spammers do) and generates random usernames, passwords and account numbers and posts them on the phishing site.
This will flood the phishers with thousands of pieces of false info which they would not recognise as such.
It would make far more sense if Microsoft, Mozilla, or G. did something like this.
I await the first time someone either sues Firefox or Microsoft for including them in their phishing site list, or when someone corrupts the database and prevents accessing regular sites.
Lame arguments all around against anti-phish, as it's no different than a new virus that comes out that your virus scanner doesn't know about yet. Until the virus profile is in the scanner you sit there with a false sense of security.
Is there a point just because it's phishing vs. a virus?
I don't think so.
People are protected AFTER the fact in both cases.
[edited by: incrediBILL at 6:02 am (utc) on Nov. 7, 2006]
A virus tends to cause a lot of trouble and spreads like wildfire. A phishing site tends to get closed down pretty quickly.
|A virus tends to cause a lot of trouble and spreads like wildfire. A phishing site tends to get closed down pretty quickly |
Phishing emails spread like wildfire too and I've seen Phish sites up days before someone kills 'em, it all depends on who/when/where it happens as a weekend is a killer time for phishing from a corporate server.
I agree with incrediBILL here - the anti-phishing features are targeted at the general public. They might not be perfect, but I'm sure they are better than nothing for most people, especially since most people aren't browsing the internet all day, so by the time they read an email and click a phishing link it will probably already have been identified as such.
A bit off the topic. Sometimes I receive very tricky phishing emails. I would like to report them, but where should I report them?
|A bit off the topic. Sometimes I receive very tricky phishing emails. I would like to report them, but where should I report them? |
The anti-phishing workgroup does a good job at it, to my knowledge:
1. Create a new mail to email@example.com.
2. Drag and drop the phishing email from your inbox onto this new email message
* In Netscape drop it on the 'attachment' area
3. Do not use "forward" if you can help it, as this approach loses information and requires more manual processing. The exception is when you use the web interface to Outlook: in that case forward is the only solution.
I hope the anti-phishing workgroup is authoritative enough to allow a URL.
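As an added illustration of the reporting steps above (my own code, not anything from the working group or a mail client): a Python script that wraps a phishing message as a message/rfc822 attachment, which is what the drag-and-drop step achieves and what a plain "forward" loses, namely the original Received: headers that let an analyst trace where the mail came from. The sample message, addresses and hostnames are constructed; the reporting address is a placeholder.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed phishing message standing in for one pulled out of an inbox.
# Hostnames and addresses use reserved example domains.
RAW_PHISH = """\
Received: from mail.example.invalid (192.0.2.10) by mx.example.test
From: "Account Team" <alerts@example.invalid>
To: victim@example.test
Subject: Please verify your account
Content-Type: text/plain

Your account is suspended. Log in at http://login-update.example.invalid/
"""

# Placeholder for the reporting address the post refers to; not a real mailbox.
REPORT_ADDRESS = "report@example.invalid"


def build_report(raw_phish: str, to_addr: str = REPORT_ADDRESS,
                 sender: str = "me@example.test") -> EmailMessage:
    """Wrap the original message as a message/rfc822 attachment so that every
    header, including the Received: chain, survives intact. Forwarding the body
    instead would carry only the phisher's text and none of the transport trail."""
    original = message_from_string(raw_phish, policy=policy.default)
    report = EmailMessage()
    report["From"] = sender
    report["To"] = to_addr
    report["Subject"] = "Phishing report: " + (original["Subject"] or "(no subject)")
    report.set_content("Attached is a phishing message received today, original headers intact.")
    # Passing a Message object makes the stdlib emit a message/rfc822 part.
    report.add_attachment(original)
    return report


def attached_received_headers(report: EmailMessage) -> list:
    """Read the Received: headers back out of the attachment to confirm nothing was lost."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the embedded message object
            return [str(h) for h in inner.get_all("Received", [])]
    return []


if __name__ == "__main__":
    msg = build_report(RAW_PHISH)
    print(msg.as_string())
    print("Received headers preserved:", attached_received_headers(msg))
```

Sending is left to whatever SMTP setup you already use (for example `smtplib.SMTP(...).send_message(msg)`); the point here is the shape of the report, not the transport.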
The best anti-phishing tool a user can use is:
- do NOT click; type the address of your bank / service provider / eBay / PayPal, whatnot, yourself in the address bar.
The best anti-phishing method for a service provider:
- do not send emails to customers with URLs in them that require them to log in
- tell customers you will never send URLs that need them to log in.
- use only one domain name, even when external marketing companies are involved.
- if important data is to be protected, use real two-factor authentication, preferably including an off-line device.
swa66 has the only real practical advice for actually fixing the problem.
I also doubt that the MS database is updated on their side more often than every half hour. Of course I could just have a look at their source code and see. Oh wait, no I can't see how they do what they claim they do.
It really doesn't matter whether the intentions are good or not, I can't see what MS does with the information they collect, who they share it with or what they'll do in the future. Same goes for Google and Opera. All Mozilla can see is that I download the file. That sounds like it's in my best interests.
Of course, "in my best interests" doesn't imply the service will work well, just that I'm not going to spend my time and effort updating somebody else's marketing info on me.
Wow, so cynical already and the day's just started...
IB and DM,
They aren't better than nothing they are worse than nothing. As has been stated, they provide granny with false expectations that it does something. It's a totally different animal than antivirus and I don't know why you aren't getting that point.
The phishing sites get shut down pretty quickly because ebay/paypal etc go after them. So a long term solution isn't needed on a browser. To make granny safe requires either a real-time solution or awareness. This non-solution makes her less alert and feel more secure.
If it takes a week to get into the database, in most cases the site has been shut down. It may help 5 grannies not to get phished and give 10,000 grannies false hope to take down her guard and catch 2,000 of the 10,000 who might otherwise have been alert/too scared to provide login details from an email.
Come on people, this isn't rocket science...
Not knowing what MS does, it's really hard to criticize IMO, but technically speaking, from all the phishing sites I've ever seen (and I've seen a LOT of them, just out of curiosity), I think I could easily develop code to profile the page, so a mega company like MS could surely put in more resources than I can deploy to make such a thing REASONABLY safe.
I do similar site profiling when I link check my directory and have profiles that cover hundreds of domain parks, and I can pretty accurately identify even a domain park page I've never seen, and some are pretty tricky, trying not to be identified, so I'm pretty sure automated anti-phishing could do the same.
OK, let's look at what it would take to provide real-time anti-phishing.
MS could easily pull the referenced page in real time and evaluate the content automatically to see if it looks like a phishing page, about 1-2 second turnaround in most cases.
You could check the text for many keywords like paypal, citibank, BofA, compare the graphics against logos for those companies, yada yada, check URLs in the page for just IPs or subdomains, which is common, and report back whether it looks safe or not.
What's the main clue it's a phish page?
Phish pages typically have all links out to the real site, which isn't the current domain, and a single form that either submits to the current domain or a 3rd party domain. Seems like just evaluating the page to see if it has all external links except the form post itself would be a real tip that we have a suspicious page, on its own.
It's not rocket science to build something that could easily profile what appears to be phishing, and worst case, pop it up on a screen for a human in a control room to quickly glance at when something meets the criteria and they review it ASAP. After a quick hand review, everyone else that encounters the page is protected.
In my scenario of how I would implement this technically, you might have ZERO people get to the page if it's automatically checked in real-time, or a handful of people tricked while waiting on someone to hand check a suspicious page.
So, based on my experience building similar page profiling code, I see it possible to be at least 98% accurate just with automated page profiling alone and improving over time.
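An added sketch of the page-profiling heuristic described in the post above (my own code, not anything IncrediBILL or Microsoft built): parse a fetched page, check whether every link leaves the current domain while the form posts to the current or a third-party domain, look for brand keywords in the text, and flag IP-literal or deeply nested hostnames. The keyword list, score weights, threshold, hostnames and the two sample pages are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Illustrative brand words taken from the post; a real deployment would carry a far larger list.
BRAND_TERMS = ("paypal", "citibank", "bofa", "bank of america")


class _PageCollector(HTMLParser):
    """Collect anchor hrefs, form actions and visible text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.actions, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "form":
            self.actions.append(a.get("action") or "")  # empty action posts back to the page itself

    def handle_data(self, data):
        self.text.append(data)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def profile_page(page_url, html):
    """Score a fetched page with the heuristics from the post: every link leaves the
    current domain, the form posts somewhere other than the linked (brand) site,
    brand keywords appear in the text, and the host is an IP literal or deeply nested."""
    c = _PageCollector()
    c.feed(html)
    page_host = _host(page_url)
    link_hosts = [h for h in (_host(urljoin(page_url, x)) for x in c.hrefs) if h]
    external = {h for h in link_hosts if h != page_host}
    form_hosts = [_host(urljoin(page_url, a)) for a in c.actions]
    text = " ".join(c.text).lower()

    signals = {
        # the phisher links to the real site for help/legal/security pages
        "all_links_external": bool(link_hosts) and all(h != page_host for h in link_hosts),
        # but the credential form is kept on the current or a third-party host
        "form_posts_off_brand": any(h not in external for h in form_hosts),
        "brand_terms": [b for b in BRAND_TERMS if b in text],
        "odd_host": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", page_host)) or page_host.count(".") >= 3,
    }
    # The layout pattern from the post (all links out, form kept local) is the strong tell
    # and counts double; the other signals only raise the score.
    score = 2 if signals["all_links_external"] and signals["form_posts_off_brand"] else 0
    score += 1 if signals["brand_terms"] else 0
    score += 1 if signals["odd_host"] else 0
    signals["score"] = score
    # Assumed threshold; a real system would tune it and route borderline pages to a human reviewer.
    signals["verdict"] = "suspicious" if score >= 2 else "no obvious phishing pattern"
    return signals


# Constructed sample pages. Hostnames use reserved example domains.
PHISH_URL = "http://192.0.2.55/secure/paypal/login.html"
PHISH_HTML = """<html><body>
<h1>PayPal</h1><p>Your account access is limited. Sign in to restore it.</p>
<a href="https://www.paypal.example/help">Help</a>
<a href="https://www.paypal.example/security">Security Center</a>
<a href="https://www.paypal.example/legal">Legal</a>
<form method="post" action="login.php"><input name="email"><input name="password" type="password"></form>
</body></html>"""

LEGIT_URL = "https://www.example.com/signin"
LEGIT_HTML = """<html><body><h1>Example Bank</h1>
<a href="/help">Help</a><a href="https://www.example.com/about">About</a>
<form method="post" action="/signin/submit"><input name="user"><input name="pass" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, "->", profile_page(url, html))
```

The deliberate weakness of this layout check is the same one the post accepts: a phisher who hosts the whole page, links included, on the throw-away domain defeats it, which is why the brand-term and hostname signals are kept alongside it and why borderline scores are meant to go to a human.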
Let's face it, anti-phishing as offered by IE7 and FF is mostly snake-oil. The Firefox solution is less damaging in terms of leaking user data with little in the way of reduction in effectiveness, however the situation remains that FF2.0 is still phoning home every half-hour to a Mozilla server, in the process sending the user's IP address and browser version number / OS version string.
I am concerned by Opera's proposed solution. It seems as if they are simply jumping on the bandwagon rather than adding an anti-phishing feature due to any particular demand. Let's face it, Opera users don't tend to include the granny contingent. The suggestion that they would send real-time information in the clear (unencrypted) is not reassuring. It is a reaction to IE7's encrypted connection (where you can't be sure what is being transmitted), but is no better a solution.
The IE7 "whitelist" seems flawed in practice as well, and in any case there is a significant weakness in all the current implementations - the inability to handle the increasing problem of DNS poisoning. MS can decide to whitelist "google.com" or "msn.com" to reduce connections to the anti-phishing servers, but this opens up a hole with false positives if the phisher uses DNS poisoning or spyware-installed hosts file modifications to switch calls to a whitelisted site to the attacker's server.
It isn't a zero-gain issue for end-users - anti-phishing technology can help in limited circumstances to reduce the effectiveness of simple phishing scams. However, the implementations are under-developed, incomplete, badly thought-out and ineffective against anything but the simplest of threats. There's a long way to go before getting to the sort of on-page analysis suggested by IncrediBILL in the above post.