278901 - add slashdot-style phishing protection

Status: RESOLVED WONTFIX

(MailNews Core :: Filters, defect)

Description

[Chris Thomas (CTho) [formerly cst@andrew.cmu.edu cst@yecc.com]]

For simple HTML, we should have each link followed by something that indicates
the actual URL it points to, so if I had a link pointing to evil.com that read
"http://good.com/enter_your_pin", you'd see:

http://good.com/enter_your_pin [evil.com]

I know the status bar shows the URL, but this is added protection for the 99/100
times when I don't look at the status bar before clicking a link.

I thought about requesting this for "Original HTML", but came up with too many
ways somebody evil could get around any solutions I could come up with.

Comment 1

[Ben Bucksch (:BenB)]

Compare 278490, solution 1.

As discussed at length on IRC yesterday, I am against this. I would like the
Simple HTML be perfectly readable, and this interferes a lot with the text, esp.
if you use links inline.

And it doesn't help in all cases, e.g. grandma won't know what "eBay
[216.117.155.116]" implies. (Real example from bug bug 278460 comment 1).

Compare bug 254913, which I think is a good idea (but won't help in *all* cases).

Comment 2

[Chris Thomas (CTho) [formerly cst@andrew.cmu.edu cst@yecc.com]]

(In reply to comment #1)
> Compare 278490, solution 1.
Doesn't work - that shows the entire URL.

> And it doesn't help in all cases, e.g. grandma won't know what "eBay
> [216.117.155.116]" implies. (Real example from bug bug 278460 comment 1).
As some of the related bugs show, Eudora apparently warns users that legitimate
sites rarely use numeric IPs.

> Compare bug 254913, which I think is a good idea (but won't help in *all* cases).
My problem with phishing detection is that we really screw the inexperienced
user if we *occasionally* fail to a scam.

Comment 3

[Chris Thomas (CTho) [formerly cst@andrew.cmu.edu cst@yecc.com]]

WONTFIXing.  I'll deal with a port of bug 279191.