We should check downloads against the goog-badbinurl-shavar list prior to downloading them

REOPENED
Unassigned

Status


enhancement
P3
normal
REOPENED
2 years ago
6 months ago

People

(Reporter: francois, Unassigned)

Tracking

(Blocks 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
We could abort the download early by checking the blacklist prior to actually contacting the server and downloading anything.

Note that it would only affect a small number of downloads (0.01% of all downloads):

- Nightly 55: https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2017-04-11&keys=__none__!__none__!__none__&max_channel_version=nightly%252F55&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-03-08&table=1&trim=1&use_submission_date=0
- Aurora 54: https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2017-04-11&keys=__none__!__none__!__none__&max_channel_version=aurora%252F54&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-03-08&table=1&trim=1&use_submission_date=0
- Beta 53: https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2017-04-06&keys=__none__!__none__!__none__&max_channel_version=beta%252F53&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-03-07&table=1&trim=1&use_submission_date=0

This is what the first test case of Desktop Download Warnings covers: https://testsafebrowsing.appspot.com/

It's possible we could hook into the same triggers as the download manager and simply show the malware interstitial prior to releasing the download to it.

(The UI on Chrome is the same for DANGEROUS verdicts and URLs on the blacklist.)

Comment 1

11 months ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → INACTIVE
(Reporter)

Updated

11 months ago
Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---
(Reporter)

Comment 2

6 months ago
(In reply to François Marier [:francois] from comment #0)
> Note that it would only affect a small number of downloads (0.01% of all
> downloads):

This statement is wrong. The probe I referenced is not per-download, but rather per-URL-check. So for example a given download might send a ping for the download URL, the redirect URL and the referrer URL (i.e. 3 pings in total).

We don't yet have a per-download probe that could help us determine the proportion of downloads that would be affected.
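
Added example (not part of the bug report and not Firefox code): a sketch of the local lookup this bug proposes running before the request is made, using the Safe Browsing host-suffix/path-prefix expression scheme with 4-byte SHA-256 prefixes. It also shows the point from comment 2 that one download produces several URL checks; the function names, hostnames and one-entry prefix set are constructed for illustration, and URL canonicalization is assumed to have been done already.

```python
import hashlib
from urllib.parse import urlsplit

def lookup_expressions(url):
    """Host-suffix/path-prefix expressions hashed for one URL.
    Simplified: assumes an already-canonical URL with a DNS hostname (not an IP)."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    labels = host.split(".")
    hosts = [host]
    # Up to four more hosts: start from the last five labels and drop leading
    # labels one at a time, stopping before the bare top-level label.
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        hosts.append(".".join(labels[i:]))
    # Exact path with query, exact path, then "/" plus up to three directories.
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix, dirs = "/", ["/"]
    for seg in path.split("/")[1:-1][:3]:
        prefix += seg + "/"
        dirs.append(prefix)
    paths += [d for d in dirs if d not in paths]
    return [h + p for h in hosts for p in paths]

def hash_prefix(expression):
    """4-byte SHA-256 prefix, the usual prefix length in Safe Browsing local lists."""
    return hashlib.sha256(expression.encode()).digest()[:4]

def pre_download_checks(urls, local_prefixes):
    """One local lookup per URL tied to a download, before any bytes are fetched.
    A prefix hit is only a candidate; a real client confirms the full hash."""
    return [(u, any(hash_prefix(e) in local_prefixes for e in lookup_expressions(u)))
            for u in urls]

# Constructed sample data: a one-entry stand-in for the local blocklist and the
# three URLs of a single download (referrer, download URL, redirect target).
LOCAL_PREFIXES = {hash_prefix("malware.example.test/dl/")}
ONE_DOWNLOAD = [
    "https://blog.example.test/post",
    "https://cdn.example.test/get?id=7",
    "https://files.malware.example.test/dl/setup.exe",
]

if __name__ == "__main__":
    results = pre_download_checks(ONE_DOWNLOAD, LOCAL_PREFIXES)
    for url, hit in results:
        print("BLOCK" if hit else "ok   ", url)
    print(f"{len(results)} URL checks for 1 download")
```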