Staying Safe From Phishing With Firefox

I’ve written a spec for Firefox’s anti-phishing features, in the form of a document which explains to the user how they can stay safe from phishing using Firefox.

Staying Safe From Phishing With Firefox.

The idea is that the statement represents the minimum work we need to educate users to do to stay safe, and that Firefox’s anti-phishing features should be designed in such a way as to always make that statement true. There’s a discussion page which talks about this in more depth.

I’d be very interested in feedback of the following forms:

  • You can actually make the user have to do even less work than that by…
  • You can make it easier for the user to understand what they have to do by…
  • Your advice does not protect the user in the following situation…

9 thoughts on “Staying Safe From Phishing With Firefox”

  1. Staying Safe From Phishing With Firefox

    Gervase Markham has started writing a document called Staying Safe From Phishing With Firefox.

    Obviously the people at mozilla.org are doing the best they can to protect the users, but my opinion is that the users should learn to protect themselves.

  2. Your advice does not protect the user in the following situation: the window is not maximized.

    Also, I disagree with your stance that https sites are the only ones worth protecting, and that browsers should only protect users from spoofed https sites.

  3. Jesse: you are going to need to elaborate a bit. Are you just talking about the ambiguity of “the bottom right corner”? It refers to the bottom right corner of the web page, but I can see how it might be confusing. Or is there something else?

    How are we supposed to protect the user from spoofed sites when we can’t be certain what site a user is actually on? DNS spoofing isn’t that hard – at least, according to dveditz. Phishers aren’t doing it now, but only because there are currently easier ways to catch people.

  4. Henri: it’s not directly relevant to IDN, but mozilla.org is currently developing a CA Certificate Policy which determines what root certs can and cannot go into Mozilla. Have a look and see if the Finnish Population Register Centre’s cert might qualify. Even if it doesn’t, you don’t have to pay an American company for a cert – I’m sure many companies whose certs we include are not American.

  5. “you are going to need to elaborate a bit. Are you just talking about the ambiguity of ‘the bottom right corner’? It refers to the bottom right corner of the web page, but I can see how it might be confusing. Or is there something else?”

    Your advice doesn’t protect users when the window is not maximized because the entire window could be bogus/spoofed using a larger browser window’s content area.

    “How are we supposed to protect the user from spoofed sites when we can’t be certain what site a user is actually on? DNS spoofing isn’t that hard – at least, according to dveditz. Phishers aren’t doing it now, but only because there are currently easier ways to catch people.”

    I find it hard to believe that it’s that easy to compromise DNS. If it were, the Internet would be plagued by problems worse than phishing.

  6. “Your advice doesn’t protect users when the window is not maximized because the entire window could be bogus/spoofed using a larger browser window’s content area.”

    That requires a user to visit a malicious site, and for that site to know what other sites the user is currently visiting. (Assuming that if you get a “login to Paypal” popup while randomly surfing, you aren’t silly enough to fill it in. I’m not sure we can do much to help people who are that silly.)

    “I find it hard to believe that it’s that easy to compromise DNS.”

    In some cases, it’s pretty easy – Dan Veditz pointed me at airpwn.

  7. “Even if it doesn’t, you don’t have to pay an American company for a cert – I’m sure many companies whose certs we include are not American.”

    Being American in particular is not the key issue but, rather, that a government site (or any site for that matter) would have to buy a cert from a foreign private company in order to avoid suspicion. Also, the choice of CA gets rather limited if you take the intersection of the default CA sets of Mozilla Foundation, Apple, Microsoft, Opera Software and Sun (JDK!).

    In general, it is questionable that the same company can provide the problem (unvetted IDNs) and charge for the solution (certs).

    “In some cases, it’s pretty easy – Dan Veditz pointed me at airpwn.”

    IMO, wireless networks should be secured on the link layer or on the IP layer instead of requiring each app to deal with the issue.