Forgot your password?
Security Mozilla The Internet

Firefox 2.0 Update To Remove Phishing Detection 351

Posted by kdawson
from the way-past-time-to-update dept.
An anonymous reader writes "Computerworld and others are reporting that Firefox, the last security update to be released before 2.0 goes end-of-life, will remove the phishing detection at the request of Google. The browser is using an older version of the Safe Browsing protocol that Google will discontinue. According to the latest NetApplications report, about 25% of all Firefox users were still on version 2.0. This move ought to result in an increased adoption of Firefox 3.0 and other browsers, unless it goes unnoticed by most users."
This discussion has been archived. No new comments can be posted.

Firefox 2.0 Update To Remove Phishing Detection

Comments Filter:
  • by mysidia (191772) on Sunday December 07, 2008 @03:53PM (#26023125)

    Hrm.. I don't think that's the intended use of security updates that causes users to be willing to accept and enable such updates.

    In a way, it's a breach of trust if they were intentionally holding back on upgrading to 3.0. Users would be in slightly better shape if they refused to accept this update (at least until Google finally does turn it off).

    I anticipate not necessarily a massive increase in users updating to Firefox 3.0, but more likely a massive increase in phishing targetting 2.0 users who still think they're protected (they didn't pay attention to the update release notes).

    • by dafrazzman (1246706) on Sunday December 07, 2008 @04:05PM (#26023249)

      Even a minor increase in 3.0 adoption would be worth it, as the phishing detection won't matter once google turns it off. I think Mozilla is doing well by making one last effort to move people towards Firefox 3.

      At least the version 2 users are being given some warning, as opposed to just being left out to dry without any heads up at all.

      • by theaveng (1243528) on Sunday December 07, 2008 @04:42PM (#26023655)

        I disagree. I already tried Firefox 3 and it ran very poorly, so that's why I went back to Firefox 2.

        IMHO rahter than disable the feature, thereby making users vulnerable to scams, the correct solution is to upgrade the anti-phishing to v2. Toturn it off completely is somewhat akin to a AntiVirus program deciding to turn-off its scanner, to force users to move to AntiVirus 3. The ends do NOT justify leaving users vulnerable to attack.

        • by gparent (1242548) on Sunday December 07, 2008 @04:46PM (#26023695)
          It's going to End of Life. They won't upgrade an obsolete product. Either they turn it off in the next update and get some people to upgrade, or they leave it on giving a false sense of security since it won't even work.
          • Re: (Score:3, Interesting)

            by Hadlock (143607)

            I still don't see why they're pushing people so hard to upgrade to 3.0. The version 3.0 still seems slower and more buggy than the version of 2.0 I have been using for some time. Does the firefox corperation get more money from google every time you download the latest version or something? I would argue that FF 2.0 is not and obsolete product - it does everything I need perfectly, and I would consider myself a power user. The mozilla corp. has been pushing people to upgrade now pretty hard for about six m

            • by TheRealMindChild (743925) on Sunday December 07, 2008 @06:44PM (#26024763) Homepage Journal
              I still don't see why they're pushing people so hard to upgrade to 3.0.

              Because they are going to stop working on that version. I hate to point out the obvious, but this isn't really a complicated question.
              • Re: (Score:3, Insightful)

                by theaveng (1243528)

                Even if it is going to "end of life", I still don't see why they need to disable the security protection. If Microsoft did that with XP, in order to try to get people to move to Vista, people would scream bloody murder.

                But because this is Firefox, for some reason it's okay where if MS did it, people would call foul. Double standard.

                • Re: (Score:3, Insightful)

                  Possibly it is a double-standard, but they haven't done any significant development on 2.x for quite a while, only security updates. Updating the Safe Browsing protocol may be considered "significant development" (I have no idea how much work would actually be involved) and therefore isn't really an option.

                  Since Google is going to be disabling their service which makes the phishing detector thing work at all, stopping the browser from trying to access it is a reasonable measure. It perhaps depends on the ma

            • by Ramze (640788) on Sunday December 07, 2008 @07:05PM (#26024941)
              I think the idea is that since they aren't going to offer any more updates to the software, anyone using FF 2.0 is going to be vulnerable to future browser exploits and rendering issues which will not ever be patched (unless someone forks the code), so from a user-safety perspective and a public relations perspective, Mozilla needs to strongly persuade people to move away from the old version.

              The reasons to upgrade are the same as for any software. Sooner or later, FF3 or higher will have features that FF2 does not have and that you will need or wish you had. Whether that's patches, plug-ins, or new features, I can't say... but it is coming. Maybe a new version of HTML or a new scripting language... maybe a plugin that only works with 3.0 or higher for web pages you need access to -- who knows.

              As for why they choose to turn the anti-phishing off rather than move to the next version, I think it's fair to say that turning off something is easier than re-coding it to work with something new. Also, why code it to work with the new Google version when you're discontinuing support? At some point, Google's API will change and FF 2 users will be left without a working anti-phishing engine again -- only without any warning because Mozilla will have moved on to FF 4 or beyond by then.

              You are, of course, welcome to continue to use FF 2 if you enjoy the product, but it is not Mozilla's responsibility to continue to support it once they've moved on to a newer version.

              You are correct that Mozilla could wait until Google discontinues its service to turn off the feature, but that is only prolonging the inevitable. They likely want the upgrade in place before Google shuts down its service so that users have advanced warning. If I were Mozilla, I'd even put up a splash screen upon installing the update to warn people that the anti-phishing no longer works and to upgrade to FF 3 if they wish to continue using the feature.

              I'm not exactly sure what you're arguing. It sounds as if you're upset that Mozilla is "pushing" people to FF3 by discontinuing a feature in FF2, but really it's Google that's changing and Mozilla is reacting to that change by turning off the feature in advance in an effort to control the situation. It's not as if Mozilla turned off FF2's ability to use tabs or plugins or other features to intentionally cripple FF2.

              Honestly, your post sounds a bit like a rant that eventually you'll have to move to something other than FF2 and you're upset that the reasons to move have only just begun to pile up. I can understand that you like the software and believe it is still worth supporting and/or forking to continue updating, but apparently Mozilla isn't going to be the one to do that for you.

            • Re: (Score:2, Interesting)

              by aussie_a (778472)

              The version 3.0 still seems slower and more buggy than the version of 2.0

              Well it might SEEM slower and more buggy, but objective tests I've done (as I wanted to know which was better) indicate this isn't true.

            • by gparent (1242548) on Sunday December 07, 2008 @07:54PM (#26025315)

              I still don't see why they're pushing people so hard to upgrade to 3.0.

              Because they won't work on 2.0 anymore. It will not be supported and will no longer receive security updates. How hard is that to understand?

              The version 3.0 still seems slower and more buggy than the version of 2.0 I have been using for some time.

              Except it's faster. Java Script improvements, less memory leaks, a garbage collector of sorts, etc. FF 3.0 requires less resources.

              I would argue that FF 2.0 is not and obsolete product

              By definition, it is. It will reach End of Life.

          • "End of Life" doesn't mean the same thing with GPL software as with commercial software. Many people and organisations have the source code, and have modified it to suit their needs. It's not up to Mozilla or Google to tell people to upgrade to version 3, and it's not up to Mozilla to tell people that upgrading the phishing protection is not worth it. In a couple of years, when Mozilla will be gone and buried, we'll still be using the source code.
        • Re: (Score:3, Informative)

          by LordSnooty (853791)

          somewhat akin to a AntiVirus program deciding to turn-off its scanner,

          It's not really, is it - the scanner is the crucial part of the AV program, the phishing filter is just one small feature of Firefox. Also the replacement product is free. Nobody would complain if a free AV package forced you to upgrade. In fact they (Clam, AVG) do it on a regular basis. Really not "somewhat akin" at all.

    • I honestly don't think many people actually even know about the phishing protection, and I assume the update would inform users that it was removed.
  • Why bother? (Score:2, Insightful)

    by Ambvai (1106941)
    I consciously refused to upgrade to 3.0-- a number of my extensions and scripts don't work right and it's incredibly ugly in my opinion. Workarounds/alternative settings exist, I'm sure... but how much are people really missing out on by refusing the updates?
    • Re:Why bother? (Score:4, Informative)

      by andy9701 (112808) on Sunday December 07, 2008 @04:08PM (#26023285) Homepage Journal

      Have you checked back to see if your extensions/scripts have been updated to work with FF3? I could see that being the case right around when it was released, but hopefully they should be updated by now (assuming that they are still actively developed).

      There are a variety of themes that you can use to make FF less ugly - I don't like the default theme myself on Windows (the default Mac one is fine; I'm not sure about the default Linux theme). Personally, I like Qute [] when running on Windows (it was the default theme during the pre-1.0 days, if you were using FF back then). I'm sure there are other themes that make FF less ugly, as well.

      Personally, on OS X at least, I've found FF3 to be much, much better than FF2. It's very stable, and uses a lot less memory. I only have about 5 extensions installed, but I haven't had any problems with it at all since its release (aside from some extension oddness, but that is hardly Mozilla's fault).

      • by Wansu (846)

        Thus far, I haven't found any effective way to clear FF3's location bar. Dubbed the "Awesome bar", it remembers URLs of certain sites you've visited. The last time I tried it, clearing private data did not clear the location bar. I tried several settings changes that were suggested. One change will cause FF3 not to display these URLs but they are still stored. If you change the setting back, they are all still there. Apparently, the "Awesome bar" feature was so highly thought of that none of the developers

        • Re: (Score:3, Insightful)

          The 'Awesome Bar' is one of the things I hate about FireFox 3 (and the hate list isn't all that big).

          Thanks, Mozilla, for deciding that I need to change my tried and tested browsing habits of 15 years, simply because you think your way is better - you could have at least given us a way to revert to the old url bar behaviour, but you didn't.

          And yes, I've installed various extensions, I've tweaked the about:config and no, it doesn't get the behaviour anywhere near FF2 - infact, some of it is just plain
        • by Plutonite (999141)

          I don't understand how you don't appreciate the feature (which I think is the most beneficial addition to browser tech since tabs), but you can simply rid your computer of browsing history and that should do it. It forms queries from what you type, and I haven't checked but it looks like it has an index of those queries as well, stored somewhere under it's installation folder (it adapts to your choices so it must store query history).

          Seriously though, take off the tin foil hat and try it out. It's awesome.

          • I don't understand why you can't understand that some people don't like this 'feature'?

            It's one thing to say you like it, but another thing to attack others for not doing the same. Grow up and accept that it is a legitimate criticism of FF3 that it forces users to adopt a particular auto-complete system for the address bar which runs contrary to years of established practice.

            As for "install another bare bones browser", I think you'll find it's called Firefox 2 and it's all you need...

            • by Plutonite (999141)

              But it doesn't! You can always be dick and type the whole URL out, it won't stop you. It probably just sets a variable "userIsSadistic" or something. Jeeze.

              • But it doesn't! You can always be dick and type the whole URL out, it won't stop you. It probably just sets a variable "userIsSadistic" or something. Jeeze.

                You don't get it do you? In FF2, if I want (say) google, I can type g+[enter] in the address bar and rely on the fact that Google is my most commonly visited site with an address starting with 'g'. If I need more precision, one or two letters is usually enough.

                Now if I type 'g' I get a random range of options from my bookmarks, history etc which contain the letter 'g' anywhere in their name or URL. THIS IS NOT USEFUL. More to the point, it's not the behaviour I want, and I know many, many other Firefox

          • by jgalun (8930)

            I've been using Mozilla since M12 or so, but the awesome bar drives me crazy. If I start typing "nytimes," I want it to find I don't want it to find a blog entry whose title is "NYTimes Fails Again" or some page at the nytimes that I visited more recently than the homepage (like

            I know the sites I browse to. I just want Firefox to autocomplete to the domain. I don't need it to search my browser history for me, because I know where I want to go.

            I'm not sa

    • by ShakaUVM (157947)

      >>I consciously refused to upgrade to 3.0-- a number of my extensions and scripts don't work right and it's incredibly ugly in my opinion

      Yep, and yep.

      For me, merging the left and right arrows was the biggest issue for me.

  • by jimbudncl (1263912) on Sunday December 07, 2008 @04:05PM (#26023247)
    Somebody throw in some new phishing detection, for free, already. What else, are you going to do, today, over-use Google, and piss off an ISP?

    (sorry about all the commas... I have no idea why I used them)
    • (sorry about all the commas... I have no idea why I used them)

      Wouldn't it have been easier to just delete them instead of writing that apology?

    • Re: (Score:2, Funny)

      by Anonymous Coward

      You must be on your comma.

      It's like being on your period. But with less bitching.

    • Somebody throw in some new phishing detection, for free, already. What else, are you going to do, today, over-use Google, and piss off an ISP?

      (sorry about all the commas... I have no idea why I used them)

      You're reading Slashdot from a typewriter?

  • I don't understand why they just don't make the anti-phishing functions a separate library that can be updated independently of whatever program that is calling it.
  • by Mr Z (6791)

    I still use Firefox 2 at work because the Firefox 3 downloads won't run on Red Hat Enterprise Linux Workstation 4. Seems to want libpangocairo, as I recall. Also, a couple plugins I like haven't been updated for Firefox 3 (FLST and Open Link In... come to mind).

    I wonder how many of the 25% are in similar situations to mine?

    • by kelnos (564113)

      I wonder how many of the 25% are in similar situations to mine?

      You're probably the only one.

      No, seriously, think about it. The 25% figure includes people running Windows, Mac, and Linux. I'd bet Linux is the smallest bit of that, and I'd also assume (poosibly incorrectly) that Linux users are more apt to upgrade their software (when not prompted by an auto-update feature; the FF2 updater doesn't prompt you to update to FF3). Then take this likely-tiny fraction and reduce it further for people who are not just running LInux, but who are running RHEL WS 4. And a si

  • Mac Os X 10.2.8 (Score:2, Interesting)

    by escudier0 (583546)
    No Firefox 3 for Mac Os X 10.2.8 -> I'll keep Firefox 2 on my old Mac....
  • by drew (2081) on Sunday December 07, 2008 @04:40PM (#26023609) Homepage

    I'm fairly certain that anyone who actually needs phishing detection probably won't even notice that it's gone, or won't know what it means. For example, people like my parents who only have Firefox because some well meaning geek installed it for them a year and a half ago...

    • I use neither firefox nor windows, so I don't know for sure, but wouldn't the automatic updater have upgraded most of those people to Firefox 3 when it was released?

      If that is the case, then the only people impacted by this would be those who deliberately refused the upgrade.

  • by sentientbrendan (316150) on Sunday December 07, 2008 @04:45PM (#26023681)

    can't upgrade.

    On Linux Firefox doesn't distribute RPM's or DEB's for the various major platforms, and most vendor's don't provide new software for distros once they've been released.

    Also, getting firefox 3 compiled from source on older distros is incredibly difficult due to version skew of various libraries. I got most of the way there, and gave up.

    People who use linux for work are often stuck on older distros due to long corporate maintanance cycle's. It costs them a lot of money to roll out a major update to thousands of machines, especially if you are developing software on top of them.

    Thus, it really sucks that there is no way to put newer software on older linux OS's without running into library version hell. Especially since this is so easy on other platforms. After all, who has trouble getting software working on XP?

    • Re: (Score:3, Interesting)

      by TheSunborn (68004)

      Why not just download the firefox binary, and unzip it to your home directory? Then you can just run it from there.

      • by mpcooke3 (306161)

        It's not a good long term solution to this general problem, due to the fact that other software could have dependencies on the 'deprecated' official distro version of firefox.

        I'm not saying that anything does actually have dependencies on the official distro version of firefox or that they would rely on the anti-phishing feature but if this was an official package it could happen at some point. Therefore breaking a feature of a distro packaged piece of software and not offering an official distro upgrade R

      • Re: (Score:3, Informative)

        Firefox 3 relies on the Cairo (svg) and Pango (typesetting) libraries, which are included with and used by newer versions of the GTK (I thought it was >= 2.8, but meh). Especially when using older linux systems (like RHEL4) to which you do not have root access, trying to build all of the updated libraries in a little bottle just to run firefox 3 is a pretty tall order. IIRC, when I tried, I had to start at glibc and work my way up - I never did get it to work properly.

    • by FlyingGuy (989135) <flyingguy@gmai[ ]om ['l.c' in gap]> on Sunday December 07, 2008 @04:56PM (#26023779)

      Yep same problem here. Running SLES 10 sp1 and FF 3 requires GTK 7.x and GTK 7.x requires a whole host of lib updates. I tried valiantly to get them all updated and totally crapped my system. I had backed up everything so it was simple enough to boot from CD and restore back, but man what a PITA!

      • by kelnos (564113)
        GTK is only up to version 2.14.x now. Sorry, troll.
      • Does this help? []

        First hit on "Firefox GTK", btw.

      • by Cow Jones (615566)

        (posting to undo an accidental moderation. I meant to moderate your post informative, not overrated)

        I've got the very same problem here. I'm using Ubuntu Dapper (6.06), which is a long-term service release (LTS). It's supposed to be supported by the Ubuntu team for 5 years; guess they'll have to create their own security patches for FF2 from now on.

        As a web developer (among other things) I'm all for getting people to use newer browsers, but FF2 doesn't feel old enough to be abandoned yet. Like a lot of othe

  • the anti click jacking code and the really miserable handling of self signed certificates is starting to really annoy me.

  • by a whoabot (706122) on Sunday December 07, 2008 @06:37PM (#26024693)

    When I go "Check for updates" I get the dialog box that informs me: "This update will cause some of your extensions and/or themes to stop working until they are updated." Clicking on "show list" shows me that Compact Menu and Whitehart will be disabled with FF3. If that extension and that theme get updated, then I'll switch to FF3. Until then, I'll "suffer" with my working browser, anti-phishing or not.

  • It Makes Sense (Score:3, Informative)

    by CritterNYC (190163) on Sunday December 07, 2008 @07:33PM (#26025151) Homepage

    Firefox 2 uses an older version of the anti-phishing that will no longer be supported by Google (the provider of the database). So, whether Mozilla removes it or not, v1 is giong away. is the final release of Firefox 2. As soon as it is released, Firefox 2 has reached its end of life and will no longer be updated or supported (no new features, no bug fixes, no security updates). So, it doesn't make much sense to worry about the anti-phishing feature being updated when the browser itself can no longer be assured of being secure due to possible bugs, etc.

  • Is there any list of knobs I have to tweak to get a stock FF3 install to behave normally, i.e. no transmission of entered URLs/searches to third parties, no "auto-complete" with www. and .com/.net and any of that bullshit that has become accepted nowadays?

    Yes, that's a rhetoric rant, but if anyone knows, please reply anyway.

% APL is a natural extension of assembler language programming; ...and is best for educational purposes. -- A. Perlis