Open
Bug 282316
Opened 19 years ago
Updated 2 years ago
RFE: Show when user visits new SSL site (anti phishing)
Categories: Firefox :: Security, enhancement
Status: NEW
Reporter: s.marshall
Assignee: Unassigned
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050201 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050201 Firefox/1.0+

If a user follows a link in an email and reaches a site that looks like (for example) their bank, they may not check the address bar to realise that it is different. This applies whether or not the address is similar (as in paypa1.com), visually identical (IDN issue bug 279099), different but potentially confusing (paypal-secure.com), or totally unrelated (honestjohnphish.com). These phishing sites, especially those in the last category, could obtain valid SSL certificates.

In order to provide the level of security expected when users see a 'secure' site with the padlock and yellow address bar, Mozilla should warn when users visit a secure site that they have never before sent data to.

I would suggest implementing a solution as follows:

1) Maintain a list of https sites to which a user has sent form information. This should be separate from history as it needs to persist. In order to avoid privacy concerns, it could be stored as a secure hash of each domain. (Note: If I recall rightly, this idea came from an article Gerv wrote.)

2) On visiting an https site not in this list, the browser (Mozilla, Firefox) should present warning UI such as a yellow bar across the top: 'You have not previously visited this secure site. Ensure it is genuine before sending data'.

3) Disable form controls (and other items which could return data to the site, such as Java applets) until the user clicks on the bar and chooses to allow the site.

As an additional refinement, I would suggest including hashes for a few hundred 'known' secure sites preinstalled with the browser; this would include common sites like ebay, paypal, amazon, microsoft, mozilla.org :), banks, etc. in order to reduce the need for this UI altogether.

Reproducible: Always

Steps to Reproduce:
1. Following a link in email, visit the (imaginary) paypal.honestjohn.com site, which looks just like paypal.
2. The site includes a security padlock and yellow address bar, so a user dumb enough to follow the link from email in the first place may assume it is safe.
3. User enters their credit card details and Paypal password into the site.

Actual Results:
4. Profit. (for honestjohn)

Expected Results:
Form controls are disabled, so when the user tries to give away their credit card, they find they cannot. They then notice the yellow warning bar on the page (or perhaps a dialogue pops up on clicking the form controls). On closer examination the user realises this site isn't paypal.com, has an epiphany and vows never to click links from suspicious emails again.
Updated 19 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated 15 years ago
QA Contact: toolkit
Updated 2 years ago
Severity: normal → S3
Updated 2 years ago
Assignee: dveditz → nobody
Severity: S3 → N/A
Product: Core → Firefox