Open Bug 1356426 Opened 7 years ago Updated 1 month ago

We should check downloads against the goog-badbinurl-shavar list prior to downloading them

Categories: (Toolkit :: Safe Browsing, enhancement, P3)
Tracking: REOPENED
People: (Reporter: francois, Unassigned)
References: (Blocks 2 open bugs)

We could abort the download early by checking the blacklist prior to actually contacting the server and downloading anything.

Note that it would only affect a small number of downloads (0.01% of all downloads):

- Nightly 55: https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2017-04-11&keys=__none__!__none__!__none__&max_channel_version=nightly%252F55&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-03-08&table=1&trim=1&use_submission_date=0
- Aurora 54: https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2017-04-11&keys=__none__!__none__!__none__&max_channel_version=aurora%252F54&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-03-08&table=1&trim=1&use_submission_date=0
- Beta 53: https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2017-04-06&keys=__none__!__none__!__none__&max_channel_version=beta%252F53&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-03-07&table=1&trim=1&use_submission_date=0

This is what the first test case of Desktop Download Warnings covers: https://testsafebrowsing.appspot.com/

It's possible we could hook into the same triggers as the download manager and simply show the malware interstitial prior to releasing the download to it.

(The UI on Chrome is the same for DANGEROUS verdicts and URLs on the blacklist.)

Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE

Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---

(In reply to François Marier [:francois] from comment #0)
> Note that it would only affect a small number of downloads (0.01% of all
> downloads):

This statement is wrong. The probe I referenced is not per-download, but rather per-URL-check. So for example a given download might send a ping for the download URL, the redirect URL and the referrer URL (i.e. 3 pings in total).

We don't yet have a per-download probe that could help us determine the proportion of downloads that would be affected.

Severity: normal → S3
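
The difference between a per-URL-check count and a per-download count, as discussed in the last comment, shown as an added example (not part of the bug thread and not Firefox code). The function names, the exact-match list and the sample downloads are all hypothetical and constructed for illustration.

```javascript
// Added illustration, not Firefox code. All names here are hypothetical.
// Constructed stand-in for the local list: exact URL strings only. The real
// list's format and URL canonicalization are not modelled.
const BLOCKLIST = new Set(["http://bad.example/payload.exe"]);

// One download can involve several URLs: the download URL, any redirect
// URLs and the referrer URL. Each one is a separate list check.
function urlsToCheck(download) {
  return [download.url, ...(download.redirects || []), download.referrer]
    .filter(Boolean);
}

// Gate run before the download is released: "abort" if any URL is listed.
// Redirect targets are supplied up front so the sample runs offline.
function preDownloadCheck(download, stats) {
  let listed = false;
  for (const url of urlsToCheck(download)) {
    stats.urlChecks += 1;            // per-URL-check counter
    if (BLOCKLIST.has(url)) {
      stats.urlHits += 1;
      listed = true;
    }
  }
  stats.downloads += 1;              // per-download counter
  if (listed) stats.downloadsBlocked += 1;
  return listed ? "abort" : "proceed";
}

// Constructed sample downloads.
const SAMPLE = [
  { url: "https://good.example/a.zip", referrer: "https://good.example/" },
  { url: "https://cdn.example/x", redirects: ["http://bad.example/payload.exe"],
    referrer: "https://forum.example/t/1" },
  { url: "https://good.example/b.zip" },
  { url: "https://good.example/c.zip", redirects: ["https://mirror.example/c.zip"],
    referrer: "https://good.example/" },
];

function runSample() {
  const stats = { urlChecks: 0, urlHits: 0, downloads: 0, downloadsBlocked: 0 };
  const verdicts = SAMPLE.map((d) => preDownloadCheck(d, stats));
  return { verdicts, stats };
}

const { verdicts, stats } = runSample();
console.log(verdicts.join(","), stats);
console.log("hit rate per URL check:", stats.urlHits / stats.urlChecks);
console.log("hit rate per download:", stats.downloadsBlocked / stats.downloads);
```

On this constructed sample one listed URL is 1 of 9 URL checks but blocks 1 of 4 downloads, so a per-check proportion cannot be read as a per-download proportion.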