Firefox 2.0 Wins Phishfight Against IE7

An anonymous reader writes "A new study that pitted the anti-phishing technology in Firefox 2.0 against that of IE7 generated some interesting results. From the Washingtonpost.com story: 'Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 locked 117 sites that Firefox did not.' Microsoft responded by pointing to its own supposed comparison study that put it in front of Mozilla and others in phish fighting, but the story notes: '3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."'"

You have to consider...

[otacon]

that most phising sites are designed to circumvent Internet Explorer, since it is the most common internet browser, and practically the only browser for 'clueless' users, especially the ones that would be victims to a phishing site.

Re:You have to consider...

[flyingsquid]

Also, should "www.firefox.com" and "www.mozilla.com" really be included in IE7's tally of phishing sites blocked?

Re:

[LiquidCoooled]

I thought the aim of a phishing site was to circumvent the user?
Its not specifically aimed to run a machine exploit (though some will involve overflowing the address bar), but to convince the user they are on a site they assume is safe.

slashdot.com.au might get some folks others might be fooled by slashdot.info or some other variation (like the whitehouse.com former porn site).
The attack vector is all in your head.

Re:

[IDontAgreeWithYou]

Yes, but if the browser is trying to detect phishing, you also need to get around it.

Re:

[frodo from middle ea]

I never get this argument...
If Linux/Firefox/(your favorite OSS product) was as popular as Windows/IE/(any proprietary Product), it will be attacked more, and will be equally vulnerable and would have equal # of security flaws.
Fact is I don't care, What I want is something that is secure and really don't care if it is not as popular. In fact, "security by insignificance" works for me.

Re:

[AdamKG]

Ok. Now- how would you explain away your homepage link?

Re:You have to consider...

[foamrotreturns]

No, you are dead wrong. Firefox gets patched more often, and since it is open source, that is the main reason that vulnerabilities are being found in it. Sooner or later, all the bugs in Firefox will be ironed out, and it will be considered bulletproof, while IE remains closed source and unavailable for third party code audits, which leaves it wide open to security breaches. Wouldn't you rather have a house that was built by one contractor and then inspected by thousands of others who were able to find and fix some issues with it than a house that was only inspected by the same contractor who built it? There is some correlation between popularity and number of exploits, but you make it sound like it's a 2-dimensional plane. It's not. There are other factors. The very same goes for Linux versus Windows. Until Windows and IE are open source, they will always be miles behind in security.
BTW, security through insignificance is the same as security through obscurity, which is just a false sense of security. Just because something is out of the limelight does not mean that no one has the intention of messing with it.

Re:You have to consider...

[cosminn]

Sooner or later, all the bugs in Firefox will be ironed out, and it will be considered bulletproof

You must be new to software engineering :) This will never happen with any software. The only way that would be possible is if you freeze the code, then ONLY fix bugs. Even then you have the possibility of creating a new bug from fixing a bug.

That's never going to happen tho. And the more features you add, the more bugs you add, regardless of open/closed source.

My problem is not that bugs exist, it's unavoidable, it's how they're handled that's important.

Re:

[owlstead]

"Wouldn't you rather have a house that was built by one contractor and then inspected by thousands of others who were able to find and fix some issues with it than a house that was only inspected by the same contractor who built it?"

Are you trying to be funny? Because I would never like to live in that first house. First of all, it would never get finished, disputes will break out and I would never get one ounce of peace. Fortunately, even with such hugely successfull applications, the number of real develo

Re:

[RzUpAnmsCwrds]

sooner or later, all the bugs in Firefox will be ironed out, and it will be considered bulletproof

Wrong, wrong, wrongedy wrong! There's always going to be another bug. The process of debugging itself adds more bugs. This is basic software engineering - you simply cannot assume that the software will be flawless.

Can Firefox be made very, very secure? Yes. Is it already reasonably secure? Yes. Will it ever be 100% secure, never needing a single security patch? Not a chance.

IE7 on Vista may not be the most sec

Re:

[foamrotreturns]

Allowing everyone to see the code allows the problems to be found quicker and be patched faster. With MS, a hole can go unnoticed (private exploits, anyone?) for long periods of time. All the while, the baddies can have their fun and no one would be the wiser. With OSS, the bug is usually discovered quite quickly, and the patch is usually not far behind. Even if the original programmer doesn't want to make the patch, someone else can do it because they have the source. OSS is simply more conducive to good s

Re:

[Firehed]

Yes, Firefox/Linux/OSX/etc has security through obscurity going for it, but that doesn't mean it's not also actually more secure.

Example: authentication in *nix-based OSes (including OS X) is required to modify system files or areas that could otherwise fuck up the computer. In XP, there's nothing. And in Vista, unless they changed it between RC2 and the RTM Gold Master, it's simply clicking 'allow'. If all you have to do is click, you won't read the thing - I very quickly found myself just randomly clic

Re:

[Trails]

We're testing out new(ish) anti-phishing technology. At least, new enopugh that the argument that IE7 is the "incumbent" doesn't really hold unless the sites are exploiting leftovers from IE6. Then the point becomes obvious - if MS is pushing IE7's relative security over "previous browsers" (read: IE6), they should have fixed these holes.

MS will always struggle here

[Timesprout]

The risk of litigation inspired by false positives means they will always have to be a little more circumspect with who they classify as a phisher.

Re:MS will always struggle here

[LordSnooty]

And why couldn't someone sue the Mozilla Corporation and/or Foundation in the same circumstances?

Re:

[IDontAgreeWithYou]

They could, but I imagine that it is slightly more lucrative to sue Microsoft.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[muukalainen]

> And why couldn't someone sue the Mozilla Corporation and/or Foundation in the same circumstances?

Probably because a) It's not a multi billion corporation with deep pockets and b) Because probably, being free, the application gives no warranties about the correctness of its phishing detection system, whereas c) In an American court, you can demand compensation for almost about everything, if you paid for a service; but if you didn't, probably you can't.

Re:

[burndive]

The anti-phishing blacklist is supplied by Google, or anyone else you want, AFAIK.

looks a lot like huhcorp

[Anonymous Coward]

That 3Sharp site [3sharp.com] look a lot like huhcorp [huhcorp.com].

C'Mon....

[shaneh0]

...The SmartWare site isn't much better. (SmartWare is the company that did the study the WP article is based on)

See for yourself: http://www.smartware.com/

A suggested improvement

[bogaboga]

I suggest an improvement to Firefox 2.0. This refers to browsing an un-secure site. Currently, the "warning" icon that embeds itself in the location bar is not that visible. I suggest programmers introduce one that is clearly visible or change the color of the location bar background when such a site is hit.

On the subject of phishing, I have not come across one, so my request is for a slashdotter to point me to an example so that I can check out one of Firefox's much hyped goodies. Thanks.

Re:A suggested improvement

[LiquidCoooled]

Its pretty hard to miss.

Here is the hard-coded example of a phishing site from firefox: its-a-trap! [mozilla.com].

The info is here [mozilla.com]

Thanx!

[bogaboga]

Thank you! You see, I had never hit a suspected phishing site before! Thanks once again.

Re:

[diersing]

Never get spam do you? Really?

Re:

[LiquidCoooled]

I get spam but delete it without ever clicking.
I've learnt never to click links or open attachments in unsolicited mails.

Re:

[ack154]

Never get spam do you? Really?

I get spam all the time... but I too had never seen this thing before. Just because people get spam and phishing emails doesn't mean they're dumb enough to click them. I don't even do it out of curiosity.

Re:

[orasio]

Somethimes I do, what's the problem?
There is a difference between programs and data.
E-mail is data, and data can't harm my system, unless I let it explicitly.
Webpages are data, so clicking on an http:/// [http] link will not do any strange thing.

I trust my email client not to do anything funny with spam, other than sending it to the spam can when it recognizes it. And I trust my webbrowser to sandbox any dynamic content. Am I wrong on my expectations?

Re:

[smooth wombat]

I suggest programmers introduce one that is clearly visible or change the color of the location bar background when such a site is hit.

The clearly visible one would be better since there are people who are completely color-blind (i.e. see things only in shades of gray) or who are color-blind to certain colors.

A combination of what you suggest would be the most effective way of getting someones attention since it would be color-independent. Have the address bar flash between two different colored b

Re:

[Crayon Kid]

Just FWIW, color blindness is actually about not being able to percieve one of the colors in RGB: green, red or blue, in roughly this order of how widespread they are. People who percieve only shades of gray are not technically "color blind" and that condition is extremely rare. Not that it shouldn't be also considered, of course, it's just that it's VERY hard to come up with a color combination that will work well for ALL kinds of color blindness AND for normal people at the same time. So the best alternat

PhishFight!

[Anonymous Coward]

/slap Microsoft

* Anonymous Coward slaps Microsoft around a bit with a large trout.

I win, I win!

Sort of off-topic but

[rodgster]

IE7 is also incompatable with quickbooks 2004 and above. With the other problems I've heard of I have to ask why in the world is this POS being forced on users as a high priority security update?

Intuit recommends uninstall. Just got that notice when I installed the latest QB update. Will Intuit learn from this? I've been reporting the bug of unable to run without power user (or higher user rights) in Betas for years.

Firefox, or IE7?

[smittyoneeach]

Firefox, or IE7?
Which way finds one
The phish-free heaven?
Let browser, like foam
Be lynx: sans leaven
Burma Shave

Re:

[AltGrendel]

As you browse

at a fast pace

keep the phishers

out of your face!

Burma Shave!

Well actually Firefox!

It's really Google vs. Microsoft

[SimplexO]

It's really Google vs. Microsoft because Firefox 2 essentially integrated Google's Safe Browsing extension [google.com] into the core browser. And while Firefox has the ability to change phishing-list providers (Tools -> Options -> Security), the only one it ships with is from Google.

Re:

[LiquidCoooled]

No, firefox ships with an automatically updating local database of phishing sites.
You don't need to test every site with google, just use the built in one.

Read more here [mozilla.com]

Re:

[aitan]

That list is currently provided only by Google, so the grandparent is right.

Re:

[rapidweather]

I thought one has a choice in Firefox preferences, one is to allow the browser to "download" a list of "known phishing sites" to use. The other is to allow Google to check each site the user goes to.
In my livecd linux, I preset most of the preferences, and do not just provide the default Firefox setup.
(See Screenshots, below)
I decided to not use the "downloaded" list, since it was large, and probably going to get bigger. That list would then be part of my ~/.mozilla, in /ramdisk in a livecd linux. I

If these are known phishing sites...

[jlewell]

can't they be shut down? Can law enforcement make the ISPs shut down known phishing sites?

Re:

[east coast]

What do you have against bassmasters.com?

Re:

[ack154]

What do you have against bassmasters.com?

Well, for one, I don't hear or see a single bass guitar on that entire site! I mean, how can you be the master of something and not want to show it off?

Re:If these are known phishing sites...

[jfengel]

They come and go very quickly. Shutting something down legally is a tremendous hassle. You have to go to a judge and get a court order to do it. You have to find the ISP responsible for hosting it, assuming its in a jurisdiction you can get a hold of. You have to get the ISP to pay attention to you in the first place.

It's probably a few hours of work, and then 30 seconds later the same site appears elsewhere. Marking it as "phishing" in a database doesn't have any due process protections, but it's not as severe as shutting it down.

Re:

[ronanbear]

This is where whitelisting would be useful. Warn people when a site they are visiting is less than two days old (and probably isn't in Google cache). Mail servers could add links from spam messages automatically to a temporary black list so that they get added much faster.

That would reduce the effectiveness of most phishing sites to almost nothing.

Re:

[laffer1]

It would also prevent litigation from false positives. On a white list setup, there wouldn't be a need to sue unless it was difficult to get a legit site added to the list. Then again, it might make attacking whitelisted sites more appealing.

Re:

[Pastis]

Caring ISPs are quick to react. Send an email to abuse@theisp.com after finding out who is hosting the server. They tend to be pretty quick in my experience...

Re:

[jfengel]

I suspect that most phishers these days are using the non-caring ISPs. There are plenty of them.

He mentions a whitelist. He must be joking.

[Viol8]

The author of the piece suggests a whitelist must be more practical.
Hmm , so that would mean checking against a list of a few billion web
pages as opposed to a few hundred for the scam pages. Anyone spot the
teensy problem? I do wish that just occasionally journos would have a
small amount of knowledge in the area they're writing about.

Re:He mentions a whitelist. He must be joking.

[Timesprout]

Actually he mentions a banking whitelist which is not a bad idea at all and not impractical to implement. In fact I can imagine in the future the banks will request this themselves as their liability incurred for customers duped by phishing scams increases.

Re:

[qbwiz]

Would there be a <banking> tag in the source, so that those pages will be checked? I suppose we'd have to mark every site that doesn't have that tag as phishing (with big flashing lights, of course), just so a phishing site doesn't try to pretend that it isn't banking.

Re:

[Crayon Kid]

The whitelisting is not such a bad idea. It certainly beats the blacklisting, which is inherently a stupid idea because you never end the race to keep the list updated.

But why not take whitelisting the extra step and put it in the hands of the user? Allow the user to "flag" sites he goes to as good, and make the flag visually imposing in some manner. Or, even better, deduce if the site is one he usually visits from his browsing history and flag it automatically.

And how about using Bayesian statistics to com

Re:

[mattwarden]

I do wish that just occasionally journos would have a small amount of knowledge in the area they're writing about.

Yeah, and I wish vicodin wasn't prescription-only. Talk about pie-in-the-sky!

Re:

[Bill Dimm]

First, it would be a list of domain names rather than webpages, so millions instead of billions. Second, it is only really important to whitelist sites where sensitive information is entered (banks, sites taking credit cards, etc.), so even fewer sites. Finally, the browser could cache the lookup results for the sites you've visited in the past, so it would only need to do a lookup when you visit a site you haven't been to before, like when you accidently go to mybanc.com when you should be at mybank.com.

Re:

[jrsp]

And now virus makers and phishers team up to hack your local copy of "safe" sites. "Why yes, young man, www.sitibank.com IS the right address."

The problem, as always, is trusting the data. If you request it from a known source via a secure channel you're good. Once you save it you expose it to other attacks.

Re:

[Bill Dimm]

The problem, as always, is trusting the data. If you request it from a known source via a secure channel you're good. Once you save it you expose it to other attacks.

If you have a virus on your computer, what keeps it from routing all TCP/IP traffic through a proxy to intercept the transmissions to the secure channel? What keeps it from modifying the browser executable to cut out the phishing check? What keeps it from keylogging your password when you visit a legitimate banking site? If you've got a viru

Re:

[Bill Dimm]

I haven't used Firefox or IE's anti-phishing stuff, and I may have a different view of how whitelisting should work than others do, but I'll try to explain how I would approach it. You have a trusted 3rd party compile a list of domains (or IP addresses) that are known to be phishing sites, as is currently being done by Google and used in Firefox. Similarly, you compile a list of known good banking sites (e.g. use yellow pages and call management at established companies to find out what domain names they

Re:

[Bill Dimm]

I touch on some of the issues you bring up in this post [slashdot.org].

Opera?

[elcid73]

I didn't RTA, nor do I have OPera's 9.1TP installed with fraud protection, but I'd be interested in how it fares.

Phishfight

[digitaldc]

And I thought a Phishfight is what happens after you criticize Trey for falling off his trampoline during a 'smokin' rendition of 'You Enjoy Myself'

That's probably the first time...

[petrus4]

...I've honestly ever seen the words "robust," and "Microsoft," in the same sentence.

Re:That's probably the first time...

[Volante3192]

I've honestly ever seen the words "robust," and "Microsoft," in the same sentence.

You don't read their marketing materials much, do you?

Re:

[mgblst]

Here is another for you: Microsoft products are about as robust as a bucket of water, without the bucket.

Ah, the magic of the english language.

Re:

[Aceticon]

Actually it's not at all uncommon to see both words together.

It's the absense of the word not in between that really stands out.

Re:

[Beryllium Sphere(tm)]

Hey, the parent to this post used the words "Microsoft" and "robust" in the same sentence.

doubled protection!

[eck011219]

So clearly the best idea is to visit each site you visit using BOTH browsers so one will likely catch the phishing mechanism! Ah, safety has never been so simple!

Firefox antiphising is far from perfect...

[diegocgteleline.es]

...at least until they fix bug #356355 , which "jumps" the antiphising filter

fe, if you go to http://200.119.135.99/ebay/login5878/ [200.119.135.99] the pishing filter will warn you

but if you encode the IP with a unusual encoding

http://0xc8.0x77.0x87.0x63/ebay/login5878/ [0x77.0x87.0x63]

the phising filter will not kick in

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[diegocgteleline.es]

Try http://200.0x77.0x87.0x63/ebay/login5878/ [0x77.0x87.0x63] , which is the same site. It passes...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Crayon Kid]

Why on sweet God does Firefox accept IP numbers encoded in hex??? I can't see the reason. And even if there is one, why doesn't anti-phishing consider this?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jZnat]

I think it's legal syntax. There are a lot of ways to encode IPv4 addresses.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[dylan_-]

what is that url encoding? how does that work -it would be good to bypass the censorship @ skl ive seen other sorts whats that sort called?

It's just writing the IP address as different types of numbers. The "0x" at the start indicates that the number is hexadecimal, rather than decimal (I assume you know about number bases?)

Take slashdot.org for example. nslookup tells me I can connect with http://66.35.250.150/ [66.35.250.150] and sure enough it brings up the main page. Now, convert these numbers to hexadecimal and we

Re:

[jonnythan]

It did for me.

Re:

[diegocgteleline.es]

Well, duh, Google probably tried adding all possible combinations of a single URL to the blacklist while they fix the issue.

But they certainly didn't include *all* of them. Fe: I just tried to change a single number in the encoded address

http://200.0x77.0x87.0x63/ebay/login5878/ [0x77.0x87.0x63]

The phising filter doesn't kicks in *surprise*

The bug is certainly there: https://bugzilla.mozilla.org/show_bug.cgi?id=35635 5 [mozilla.org]

Re:

[diegocgteleline.es]

Fixed? Yes. Has been the fix sent to 2.0 users? No.

As I already wrote in other comment, it looks like google has added to the blacklist all the possible IP encoding combinations of a single URL.

But google has not added *mixes* of different encodings (the black list would grow too much). Try http://200.0x77.0x87.0x63/ebay/login5878/ [0x77.0x87.0x63] - changing 0xc8 by 200. The phising filter doesn't kicks in, and it's still the same site, the same IP - the bug is still there.

Re:

[ricotest]

It's worth noting that Netcraft's Toolbar correctly converts all IP obfusications (including decimal, octal, hex, binary? and mixes of those) before checking a URL for phishing attacks,

the best of both worlds?

[shortscruffydave]

Microsoft Firefox http://www.theregister.co.uk/2006/11/14/ms_firefox / [theregister.co.uk]

Conspiracy time

[ChubZee]

This seems to me like another bonus for Google and Microsoft in tracking users browsing habits. If every time someone visit a site using FF2.0 or IE7 it 'phones home' to find out of the page is a phishing site or not, won't these companies be able to build a more concise and accurate profile of web users? Just a thought...

Re:

[yulek]

it doesn't phone home. a list of phishing sites is cached locally.

False Positives?

[aardwolf64]

As the article points out, false positives were not addressed at all in this study. Without testing for false positives, those numbers are useless. If Firefox listed 100% of websites as phishing sites, the fact that it caught more than IE7 isn't all that impressive.

They don't look for the obvious

[cvd6262]

I teach a college course for teaching majors. Each year I do a phishing demonstration where I post a bunch of links on my blog, including one to the university's intranet. The links are all full paths (http://...), but the href in the intranet link points to a different server. When the students try to login, they get a message about phishing.

This semester I was a bit worried because I had heard IE 7 had new "anti-phishing technology." I thought IE would obviously check the text of the link against the target address, but that didn't happen. FireFox 2 doesn't either.

How hard would it be to check the text of a link against a regex for urls, then, if it is a url, check that the target is the same?

A phishfight is ...

[Aceticon]

A phishfight is ..

- When two philosophers fight each other with fishing rods
- A trout slapping competition in Greece
- What happens when a dolphin with a slight identity crisis gets fed-up with hearing the other dolphins sing Batman
- A form of violence between spelling-challenged fishmongers in an open air market. ...

Haiku

[db32]

Which browser to use
Red fox globe or big blue E
so long thanks for all the phish

Re:

[db32]

Doh, accidentally removed the 5 line end instead of the draft middle ;(

Wow....

[TheNetAvenger]

their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."'"


So let me get this right, the company is bad because they use MS products while testing MS products? Hmm...

So how does SlashDot suggest a company test MS products without using them?

Ok, just because a company USES MS products does not mean they are biased. They could be, but they also cou

More is not winning

[DesertBlade]

Microsoft maintains there on database of phishing sites and they are focused on reducing False Positives. It is still relativly new.

If a bank is falsely blocked by Firefox they will simply tell users to use IE.

If IE falsely blocks a bank site they would simply sue Microsoft.

Both browser still have a margin of error of 20-40%. While IE blocks some that FireFox misses, FireFox blocks some that IE misses. Firefox is doing better, but I wouldn't say they are winning yet.

Re:

[otacon]

How do you figure FireFox as a 'name brand' and Opera not, last time I checked the Mozilla Foundation was a non-profit organization, and until recently Opera was not free, it was pay-license or ad-supported.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Goaway]

You know, when I hear "wailing fanboys", I don't think FF or IE. Those people are fairly composed and sane.

The proponents of certain other browsers, however...

Re:

[Hijacked Public]

The people who sent the cake aren't the same people who decided to run a study. "Microsoft" is a vast corporation where each individual has distinct thoughts, plans, motives, etc.

So no, it isn't weird.

That's why I use MS Firefox

[Anonymous Coward]

Microsoft + Firefox = Awesomeness (for Windows only)

http://www.msfirefox.com/ [msfirefox.com]

Re:

[TheThiefMaster]

The repeated crashes I had with FF2.0 all disappeared when I disabled the google toolbar add-in. With the integrated Google search, spellchecker and anti-phishing, there's very little for the google toolbar to do anyhow. Although, the buttons for finding/highlighting the search terms in the page are very useful.

Re:

[donutello]

I've had 2.0 crash consistently on a PPC Mac, two Intel Macs and two Vista machines. In all of those cases, going back to 1.5 fixed the crashes. I don't have any toolbars installed. 3 of these machines were brand new ones that were repaved over the last week.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thrillseeker]

[begin aol]

me too.

[end aol]

If they have a halfway decent credit card...

[everphilski]

...they won't be held liable for fraudulent chaaaarges!

And the experiance of having to file the forms to cancel their current credit card and get a new one will teach them something about being careful.

Re:

[LunaticTippy]

You've obviously never been screwed by this. Let me educate you.

I had a thief steal my physical wallet while at a friend's house. By the time I realized what happened, 3 hours later, all my credit cards were maxed or turned off, my checking account was empty, and I had hundreds of dollars in overdraft charges, and I had no ID etc.

Getting everything straightened out took months. I spend literally dozens of hours taking care of everything. It was a huge deal, and lots of bills got paid late, and many fe

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Dr. Photo]

"3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was 'to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers.'"

This statement seems to imply that the study might not be impartial.

Other than the fact that these guys get paid by Microsoft on a regular basis to create product demos of MS products, I don't see any conflict o