
Forum Moderators: incrediBILL


Phishing Filters and User Privacy - browsers that "phone home"

     

encyclo

8:51 pm on Nov 5, 2006 (gmt 0)




The latest "must-have" features in modern browsers include anti-phishing technology where visited sites are assessed for their likelihood to steal end-user personal information.

Internet Explorer 7 includes a "Phishing Filter":

[microsoft.com...]

In the case of Microsoft, data is transmitted to their servers via a secure connection which includes every URL you visit, however according to the IE7 privacy statement [microsoft.com] query strings are not transmitted, so for example your specific Google or MSN searches will not be sent. The URLs submitted in real time are compared to a database held by Microsoft, which returns information to the browser regarding the URL.

Phishing Filter is designed to warn you if the website you are visiting might be impersonating a trusted website. Phishing Filter does this by first checking the address of the website you are visiting against a list of website addresses stored on your computer that have been reported to Microsoft as legitimate ("legitimate list"). (...) addresses not on the legitimate list will be sent to Microsoft and checked against a frequently updated list of websites that have been reported to Microsoft as phishing, suspicious, or legitimate websites. (...) the address of the website you are visiting will be sent to Microsoft, together with some standard information from your computer such as IP address, browser type, and Phishing Filter version number. To help protect your privacy, the address information sent to Microsoft is encrypted using SSL and limited to the domain and path of the website. Other information that may be associated with the address, such as search terms, data you entered in forms, or cookies, will not be sent.

Firefox 2.0 takes a different route, called "Safe Browsing". The biggest difference is that data is not sent to Mozilla or any other source, but each URL you visit is checked against a local list which is downloaded periodically from Mozilla.

When Phishing Protection is used in default mode, no information about the sites you visit is sent to Mozilla or anti-phishing partners. Rather, sites are checked against a local list that is downloaded to your computer and updated on a regular basis.

Source: [mozilla.com...]

Firefox's solution certainly appears to avoid any privacy problems as the data remains on the end-user's machine. But the lack of a real-time lookup reduces the potential effectiveness faced with a rapidly-evolving threat.

Finally, Opera. Opera 9 does not include phishing protection, but such measures are expected in Opera 9.1 onwards. From OperaWatch [operawatch.com]:

Opera's Fraud Protection will work differently than Firefox and Internet Explorer's (IE) anti-phishing protection. In Opera, when you type a URL in the address bar, while the page is being requested from the web server, Opera will simultaneously access Opera's database to check the legitimacy of the site you want to visit.

If the site is determined to be a fraud, Opera will instead display a warning and block you from visiting the site. You'll still have the option to bypass the warning.

So, in your opinion is anti-phishing protection (using any method) really a useful tool, or is it just part of a marketing exercise where each browser must keep up with the others? Do you think anti-phishing will work? Are you concerned about the "phone home" aspects of real-time URL lookups sent to Microsoft or Opera?

[edited by: encyclo at 1:44 am (utc) on Nov. 6, 2006]
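
A simplified model of the two lookup styles described in the post above, added here as an example; it is not code from the thread or from any browser. The list contents, hostnames and function names are constructed assumptions. It shows what a lookup "limited to the domain and path" still transmits, and what a local list misses between downloads.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumed list format); hostnames use the reserved .test TLD.
LEGITIMATE_HOSTS = {"www.bank.test"}                # local "legitimate list"
LOCAL_PHISH_LIST = {"bank.test.login.phish.test/"}  # periodically downloaded list


def domain_and_path(url):
    """Reduce a URL to host + path: no scheme, userinfo, port, query or fragment."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + (parts.path or "/")


def realtime_check(url, legitimate=LEGITIMATE_HOSTS):
    """Remote-lookup model: legitimate list first, otherwise host + path leaves the machine."""
    host = (urlsplit(url).hostname or "").lower()
    if host in legitimate:
        return {"sent": None}
    return {"sent": domain_and_path(url)}


def local_check(url, phish_list=LOCAL_PHISH_LIST):
    """Local-list model: nothing is sent; coverage stops at the last download."""
    key = domain_and_path(url)
    blocked = any(key.startswith(prefix) for prefix in phish_list)
    return {"sent": None, "blocked": blocked}


def privacy_report(urls):
    """Per visit: (url, what the real-time model transmits, local-list verdict)."""
    return [(u, realtime_check(u)["sent"], local_check(u)["blocked"]) for u in urls]


if __name__ == "__main__":
    visits = [  # constructed browsing history
        "https://www.bank.test/account?id=42",              # on legitimate list
        "https://search.test/results?q=private+terms",      # query string dropped
        "https://app.test/reset/7f3a9c-token/confirm?x=1",  # token lives in the path
        "http://bank.test.login.phish.test/signin.php?u=a", # on the local list
        "http://new-phish.test/signin.php",                 # newer than the list
    ]
    for row in privacy_report(visits):
        print(row)
```

Dropping the query string hides search terms, but anything a site encodes in the path (reset tokens, usernames, document ids) is still part of what a real-time lookup sends.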

incrediBILL

5:44 pm on Nov 7, 2006 (gmt 0)




leaking user data

You're more concerned with this than all those leaky toolbars people install for Yahoo, Google, Alexa and so forth?

Give me a break.

There's a long way to go before getting to the sort of on-page analysis suggested by IncrediBILL in the above post.

Really?

Send me a couple of hundred sample phish sites and I'll send you the code.

I'm pretty sure my parked and hijacked domain project was more complicated.

encyclo

6:04 pm on Nov 7, 2006 (gmt 0)




Send me a couple of hundred sample phish sites and I'll send you the code.

I agree with you on this (my previous post wasn't supposed to read as a criticism of your comments, quite the opposite). It should be doable and even relatively simple as you have described - just that none of the current browser implementations are taking this approach. I agree with you that they should be taking this further rather than simply doing lookups on domain names.

than all those leaky toolbars people install

But the spyware toolbars aren't part of a standard installation, whereas the anti-phishing feature is. Of course, the same situation can be said of the Firefox update mechanism which equally phones home on a regular basis.

incrediBILL

6:53 pm on Nov 7, 2006 (gmt 0)




I agree with you that they should be taking this further rather than simply doing lookups on domain names.

See, I doubt they are simply doing just lookups.

MSN could be scanning everything in their index, much like McAfee SiteAdvisor, and pre-screening pages as they crawl and update their index. The logic actually gets much simpler if you compare pages to a search engine's index that have been pre-evaluated in the last 14 days or so. You would only need to reasonably check pages older than a week or 2, or pages that have never been indexed, as phishers install stuff in places never seen before so they are almost ALWAYS new pages and with an index of the online universe behind your service you know when new pages appear easily.

True, a DNS poisoning or a hack could mess that scenario all up ;)

I'm thinking someone could easily write an anti-phishing detector and plug it into a personal proxy server on the local machine, doesn't even need to be in the browser itself.

hk995

8:09 pm on Nov 7, 2006 (gmt 0)




I'm thinking someone could easily write an anti-phishing detector and plug it into a personal proxy server on the local machine, doesn't even need to be in the browser itself.

That would be a good idea! I'll be the first one to buy it!

Tapolyai

9:59 pm on Nov 7, 2006 (gmt 0)




I am sure it is possible to write something that would recognize a web site as phishing site without a site domain name database (for example a Bayesian probability).

The problem I see is both Microsoft and Mozilla use a database of site names (if I am reading their implementation correctly), not signatures or statistical analysis of content - such a solution would allow recognition of a site to be phishing, even if it is not in the database.

Again, I think the implementation is faulty at best. This does not mean the general public and the media will not accept it as the "sliced bread" of anti-phishing.

We have ample examples of misguided, limited, short-sighted or simply useless solutions implemented and accepted as the panacea.

I just think this technical solution is a knee-jerk reaction, and with not much research and think-through.

incrediBILL

12:29 am on Nov 8, 2006 (gmt 0)




Again, I think the implementation is faulty at best.

That's an assessment made on minimal information.

If I was MS or Google I'd be quiet about specifics so the phishers don't adapt.

'Nuff said.

encyclo

1:51 am on Nov 8, 2006 (gmt 0)




If I was MS or Google I'd be quiet about specifics so the phishers don't adapt.

Yes, because security by obscurity really helped Microsoft with regards to IE's security record. ;)

As for Firefox, I assume (sorry I'm still on FF 1.5 so I can't check) that the downloaded file is accessible on the client machine, as it's not their style to do encrypted or binary formats. It is easy enough to check what details are being checked by the anti-phishing service.

Tapolyai

3:49 am on Nov 8, 2006 (gmt 0)




Again, I think the implementation is faulty at best.

That's an assessment made on minimal information.

If I was MS or Google I'd be quiet about specifics so the phishers don't adapt.

'Nuff said.

You are presuming too much. ;)

This 38 message thread spans 2 pages: 38
 
