Closed Bug 1397544 Opened 8 years ago Closed 8 years ago

Use the IP malware Safe Browsing list

Categories

(Toolkit :: Safe Browsing, enhancement, P3)

RESOLVED WONTFIX

People

(Reporter: francois, Assigned: dimi)

Details

(Whiteboard: #sbv4-m10)

Attachments

(1 file)

Chrome uses a list of IP addresses known to serve malware:

    ListIdentifier GetIpMalwareId() {
      return ListIdentifier(GetCurrentPlatformType(), IP_RANGE, MALWARE_THREAT);
    }

https://cs.chromium.org/chromium/src/components/safe_browsing_db/v4_protocol_manager_util.cc?l=115&rcl=aa7726c0ac6fd261d1cd9932fb5e4e6e51c43676

It's not restricted to Chrome, it's also available in Chromium:

https://cs.chromium.org/chromium/src/components/safe_browsing_db/v4_local_database_manager.cc?l=62&rcl=aa7726c0ac6fd261d1cd9932fb5e4e6e51c43676

We should determine whether or not we should add this to Firefox.
Google says that we should use this. There is no documentation for the hash format though so we'll have to look at the Chromium source code.
We can trace it from https://cs.chromium.org/chromium/src/components/safe_browsing_db/v4_local_database_manager.cc?l=425&rcl=a3c45f3749fe0fab81aea4391518fd2bd9f090dc

I think it's similar to URL type, IP_RANGE type will store prefixes and hash of an IPv6

Unit test: https://cs.chromium.org/chromium/src/components/safe_browsing_db/v4_local_database_manager_unittest.cc?l=852&rcl=a3c45f3749fe0fab81aea4391518fd2bd9f090dc

Looks like they convert the IPv6 string into a hash string and check for prefix matches with the local database. We can figure it out and check more details when starting this bug.

Is there perf impact if we intend to implement this? Are we intending to check the IP malware matching list at the same place in nsChannelClassifier or earlier?
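The lookup guessed at in the comment above, sketched as an added example that is not part of the bug thread and is not Chromium or Firefox code. It assumes the key is the SHA-1 of the 16-byte IPv6 form of the address (IPv4 mapped to ::ffff:a.b.c.d) followed by a prefix-length byte of 128; the thread does not document the real format, and `encode_ip`, `LocalIpStore` and the sample store are hypothetical names with constructed data.

```python
import hashlib
import ipaddress
from bisect import bisect_left

# Assumption: one trailing byte carries the prefix length (128 = single host).
PREFIX_LEN_BYTE = bytes([128])


def encode_ip(ip: str) -> bytes:
    """Return the 21-byte lookup key for an IPv4 or IPv6 address string."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        # Map IPv4 into IPv6 (::ffff:a.b.c.d) so both families share one key space.
        addr = ipaddress.IPv6Address(b"\x00" * 10 + b"\xff\xff" + addr.packed)
    return hashlib.sha1(addr.packed).digest() + PREFIX_LEN_BYTE


class LocalIpStore:
    """Local database of hash prefixes of mixed length, sorted per length."""

    def __init__(self, prefixes):
        self._by_len = {}
        for p in prefixes:
            self._by_len.setdefault(len(p), []).append(p)
        for lst in self._by_len.values():
            lst.sort()

    def matches(self, ip: str) -> bool:
        try:
            key = encode_ip(ip)
        except ValueError:
            return False  # unparsable address: nothing to look up
        for n, lst in self._by_len.items():
            # Binary search for the key truncated to this prefix length.
            i = bisect_left(lst, key[:n])
            if i < len(lst) and lst[i] == key[:n]:
                return True
        return False


# Constructed sample store: one full-length entry and one 4-byte prefix.
SAMPLE_STORE = LocalIpStore([
    encode_ip("192.168.1.2"),
    encode_ip("2001:db8::1")[:4],
])
```

As with URL hash prefixes, a match on a short prefix only says the address may be listed; a full-length comparison is still needed before treating it as a hit.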
(In reply to Thomas Nguyen[:tnguyen] ni plz from comment #2)
> Is there perf impact if we intend to implement this? Are we intending to
> check the IP malware matching list at the same place in nsChannelClassifier
> or earlier?

We'd check it at the same time as we check URLs against the malware/phishing/unwanted list so it shouldn't change much from a performance point of view.
Summary: Investigate the IP Malware Safe Browsing list → Use the IP malware Safe Browsing list
Assignee: nobody → dlee
Status: NEW → ASSIGNED
Attached patch: WIP patch
First patch (and coding) since June, I need some time to get familiar with safebrowsing...
Hi Francois,

After checking the Chromium source code, I think how they are using the MalwareIp database isn't the same as how we plan to use it.

If I understand correctly, Chromium uses the malware IP database in client-side malware detection. After the page loads, they check all IP addresses requested together with the page content[1][2]. Then Chromium sends all those bad IPs with other information to the server to determine if this is a malware URL.

Since they didn't use the "malware IP table" directly to decide if a URL load is valid, I wonder if we should use it that way.

[1] https://cs.chromium.org/chromium/src/chrome/browser/safe_browsing/browser_feature_extractor.h?gsn=ShouldClassifyForMalware&l=66
[2] https://cs.chromium.org/chromium/src/chrome/browser/safe_browsing/browser_feature_extractor.cc?type=cs&q=MatchMalwareIp&l=48
[3] https://cs.chromium.org/chromium/src/components/safe_browsing/proto/csd.proto?type=cs&q=ClientMalwareRequest&l=154
Flags: needinfo?(francois)
(In reply to Dimi Lee[:dimi][:dlee] from comment #5)
> If I understand correctly, chromium use malware ip database in client-side
> malware detection.
> After page loads, they check all IP address requested together with the page
> content[1][2].
> Then chromium sends all those bad IPs with other information to the server
> to determine if this is a malware URL.

You're right, they're currently only using it in this way.

> Since they didn't use the "malware IP table" directly to decide if a URL
> load is valid, I wonder if we
> should use it that way.

I will try to find out whether it's meant to be used for more than just the client-side detection code you have found. Last time I talked to Google, they implied it was meant to be used like the URL blacklist for malware sites.

Keeping the NEEDINFO open.
The list is currently not yet being populated. Let's reopen this bug if/when the list becomes available. Thanks for the patch Dimi and sorry about the confusion.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(francois)
Resolution: --- → WONTFIX