Closed Bug 355060 Opened 18 years ago Closed 17 years ago

Phishing Protection - false sense of security due to poor documentation

Categories

(Firefox Graveyard :: Help Documentation, defect)

Product:
Firefox Graveyard
Component:
Help Documentation
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Firefox 3 beta1

People

(Reporter: I_am_RenegadeX, Assigned: steffen.wilberg)

References

(
URL
)

Details

Attachments

(1 file)

patch v1
4.31 KB, patch
Waldo
: review+
mconnor
: approval1.9+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0

FF2.0's promise of 'Phishing Protection' in no way guarantees the authenticity of a site, but as this is never explicitly mentioned in any documentation (Help or other), a false sense of security is given. As a result, users encountering unreported sites will unwittingly believe that the absence of a 'Suspected Web Forgery' warning means that the forged sites they encounter are authentic/to be trusted. As a result, users will unwittingly submit their personal details to web-thiefs.

What's more, using FF's built-in Help section, finding 'Phishing Protection' information via keyword is next to impossible, and even then when it's uncovered under 'Security Options', the feature is not fully explained. Help needs improved and easier to find documentation on this new feature.

I posted a 'typical' situation a Firefox user might come across, the 'logical' steps a user would take in order to find info using Help, and suggestions for improving the documentation in a post on MozillaZine - http://forums.mozillazine.org/viewtopic.php?t=470103

A mention should also be made on http://www.mozilla.org/projects/bonecho/anti-phishing/ that a warning will only appear for sites that have been previously reported by other users.

Due to the seriousness of the consequences that a false sense of security will no doubt incur, I'm putting this down as 'Critical' and recommend for BLOCKING 2.0 release.

Reproducible: Always
Anyone able to CC: the Help document people and the Firefox homepage people on this? It's kinda important..
I believe there is a big warning message relating to this when you install. You have to agree to terms to enable this and i'm sure it states what you want in there. Did you read it before accepting?
(In reply to comment #2)
> I believe there is a big warning message relating to this when you install. You
> have to agree to terms to enable this

The only warning/accept dialog I saw was when the active checking was turned on, because sending every URL you visit off to a 3rd party provider raises significant privacy concerns.

No signature-based detection is going to be perfect; not anti-virus, not network IDS, not spam filtering, and not anti-phishing. This appears to be a bug about explaining those limitations, not somehow fixing the impossible so I'm moving it over into the "help" component.
Status: UNCONFIRMED → NEW
Component: Phishing Protection → Help Documentation
Ever confirmed: true
Keywords: uiwanted
QA Contact: phishing.protection → help.documentation
Changes to http://www.mozilla.com/en-US/firefox/features.html#secure might help too.  I suspect that more users see that page than read Firefox's Help.
This is not a difficult thing.  The warning could consist of a single sentence.

The document currently reads:  "Check this option if you want Firefox to actively check whether the site you are visiting may be an attempt to mislead you into providing personal information (this is often referred to as phishing)."

Add to this:  "NOTICE:  The absence of a warning does not guarantee that a site is trustworthy."
Flags: blocking-firefox3?
(In reply to comment #5)
> This is not a difficult thing.

No, it isn't.  It just requires that I find time to work on it, and right now term is ending and I have three projects all due within a week.  I don't have time to do this right now.  There's a much better chance I'll have time in January.

Also, note that since v3 is a ways off in any releasable form, there's little gain in fixing the Help docs (built-in, that is) now instead of later if we wouldn't even ship with the modified docs between now and that "later".
We'd take the additional documentation, but this isn't really a blocker in my opinion.
Flags: blocking-firefox3? → blocking-firefox3-
Whiteboard: [wanted-firefox3]
Attached patch patch v1Splinter Review 
Adds the disclaimer and a reference to "Report Web Forgery". Also adds "anti-phishing options" to the search db, so this can be found easier.
Assignee: nobody → steffen.wilberg
Status: NEW → ASSIGNED
Attachment #269893 - Flags: review?(jwalden+fxhelp)
Target Milestone: --- → Firefox 3 alpha6
Target Milestone: Firefox 3 alpha6 → Firefox 3 beta1
Comment on attachment 269893 [details] [diff] [review]
patch v1

>Index: mozilla/browser/locales/en-US/chrome/help/prefs.xhtml

>+  it using <span class="menuPath">Help > Report Web Forgery...</span>, as

Make that a &gt;, and r=me.  Sorry for the extreme delay on this; I've been preoccupied with other things too much lately.
Attachment #269893 - Flags: review?(jwalden+fxhelp) → review+
Attachment #269893 - Flags: approval1.9?
Keywords: uiwanted
Attachment #269893 - Flags: approval1.9? → approval1.9+
Checked in, with &gt;.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Target Milestone: Firefox 3 M7 → Firefox 3 M9
Version: unspecified → Trunk
Flags: wanted-firefox3+
Whiteboard: [wanted-firefox3]
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: