282316 - RFE: Show when user visits new SSL site (anti phishing)

Status: RESOLVED WONTFIX

(Firefox :: Security, enhancement)

Description

[s.marshall]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050201 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050201 Firefox/1.0+

If a user follows a link in an email and reaches a site that looks like (for
example) their bank, they may not check the address bar to realise that it is
different. This applies whether or not the address is similar (as in
paypa1.com), visually identical (IDN issue bug 279099), different but
potentially confusing (paypal-secure.com), or totally unrelated
(honestjohnphish.com). These phishing sites, especially those in the last
category, could obtain valid SSL certificates.

In order to provide the level of security expected when users see a 'secure'
site with the padlock and yellow address bar, Mozilla should warn when users
visit a secure site that they have never before sent data to.

I would suggest implementing a solution as follows:

1) Maintain a list of https sites to which a user has sent form information.
This should be separate from history as it needs to persist. In order to avoid
privacy concerns, it could be stored as a secure hash of each domain. (Note: If
I recall rightly, this idea came from an article Gerv wrote.)

2) On visiting an https site not in this list, the browser (Mozilla, Firefox)
should present warning UI such as a yellow bar across the top 'You have not
previously visited this secure site. Ensure it is genuine before sending data'. 

3) Disable form controls (and other items which could return data to the site,
such as Java applets) until the user clicks on the bar and chooses to allow the
site.

As an additional refinement, I would suggest including hashes for a few hundred
'known' secure sites preinstalled with the browser; this would include common
sites like ebay, paypal, amazon, microsoft, mozilla.org :), banks, etc. in order
to reduce the need for this UI altogether.

Reproducible: Always

Steps to Reproduce:
1. Following a link in email, visit the (imaginary) paypal.honestjohn.com site,
which looks just like paypal
2. The site includes a security padlock and yellow address bar, so a user dumb
enough to follow the link from email in the first place may assume it is safe
3. User enters their credit card details and Paypal password into site

Actual Results:  
4. Profit. (for honestjohn)

Expected Results:  
Form controls are disabled, so when user tries to give away their credit card,
they find they cannot. They then notice the yellow warning bar on the page (or
perhaps a dialogue pops up on clicking the form controls). On closer examination
the user realises this site isn't paypal.com, has an epiphany and vows never to
click links from suspicious emails again.

Comment 1

[Manuel Bucher [:manuel]]

Closing, because we won't implement this for several reasons. I think the primary reason is that we don't want to show a warning symbol on first view for trustful websites (e.g. paypal.com on first visit). This would also show the warning too many times on small websites. The landscape of https has changed a lot. Most websites use it nowadays.

Shipping an allow-list isn't great either, due to the effect of "picking winners" which is unfair to new players.

There are different mechanisms that help with the fishing aspect. The best one for the user is using a password manager that only autofills passwords with the correct matching url (Firefox password manager or add-ons like Bitwarden do this).

We do also rely on safe-browsing to give a strong signal to users when they visit known fishing-sites.

Nowadays we also highlight the top-level domain to users. So users get a visual hint on what the origin is. Using subdomains for fishing is less effective with that. (e.g. paypal.honestjohn.com).

Thanks anyway for submitting the feature request. It was a good suggestion at the time.