Closed Bug 282316 Opened 20 years ago Closed 1 year ago

RFE: Show when user visits new SSL site (anti phishing)

Categories

(Firefox :: Security, enhancement)

x86
Windows XP
enhancement

RESOLVED WONTFIX

People

(Reporter: s.marshall, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050201 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050201 Firefox/1.0+

If a user follows a link in an email and reaches a site that looks like (for example) their bank, they may not check the address bar to realise that it is different. This applies whether or not the address is similar (as in paypa1.com), visually identical (IDN issue bug 279099), different but potentially confusing (paypal-secure.com), or totally unrelated (honestjohnphish.com).

These phishing sites, especially those in the last category, could obtain valid SSL certificates. In order to provide the level of security expected when users see a 'secure' site with the padlock and yellow address bar, Mozilla should warn when users visit a secure site that they have never before sent data to.

I would suggest implementing a solution as follows:

1) Maintain a list of https sites to which a user has sent form information. This should be separate from history as it needs to persist. In order to avoid privacy concerns, it could be stored as a secure hash of each domain. (Note: If I recall rightly, this idea came from an article Gerv wrote.)
2) On visiting an https site not in this list, the browser (Mozilla, Firefox) should present warning UI such as a yellow bar across the top 'You have not previously visited this secure site. Ensure it is genuine before sending data'.
3) Disable form controls (and other items which could return data to the site, such as Java applets) until the user clicks on the bar and chooses to allow the site.

As an additional refinement, I would suggest including hashes for a few hundred 'known' secure sites preinstalled with the browser; this would include common sites like ebay, paypal, amazon, microsoft, mozilla.org :), banks, etc. in order to reduce the need for this UI altogether.

Reproducible: Always

Steps to Reproduce:
1. Following a link in email, visit the (imaginary) paypal.honestjohn.com site, which looks just like paypal
2. The site includes a security padlock and yellow address bar, so a user dumb enough to follow the link from email in the first place may assume it is safe
3. User enters their credit card details and Paypal password into site

Actual Results:
4. Profit. (for honestjohn)

Expected Results:
Form controls are disabled, so when user tries to give away their credit card, they find they cannot. They then notice the yellow warning bar on the page (or perhaps a dialogue pops up on clicking the form controls). On closer examination the user realises this site isn't paypal.com, has an epiphany and vows never to click links from suspicious emails again.

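
The bookkeeping behind the three steps proposed in the report above, as an added Node.js example that is not Firefox code or the reporter's. The class and method names are hypothetical, and the per-profile HMAC key is an assumption: an unkeyed hash of a hostname can be matched by hashing a list of candidate domains, so the sketch keys the digest instead.

```javascript
// Added illustration, not Firefox code. KnownSecureSites, decide and
// recordFormSubmit are hypothetical names.
const nodeCrypto = require("node:crypto");

class KnownSecureSites {
  // profileKey is a per-profile secret (assumption). With a keyed digest the
  // preinstalled list ships as hostnames and is digested per profile.
  constructor(profileKey = nodeCrypto.randomBytes(32), preinstalled = []) {
    this.key = profileKey;
    this.digests = new Set(preinstalled.map((h) => this.digest(h)));
  }

  // Returns the normalised hostname, or null for anything that is not https.
  static hostOf(url) {
    let u;
    try { u = new URL(url); } catch { return null; }
    if (u.protocol !== "https:") return null;
    // URL() already lowercases and punycodes; drop a trailing root dot.
    return u.hostname.replace(/\.$/, "");
  }

  digest(host) {
    return nodeCrypto.createHmac("sha256", this.key).update(host).digest("hex");
  }

  // Steps 2 and 3: show the bar and lock form controls on an unknown https host.
  decide(url) {
    const host = KnownSecureSites.hostOf(url);
    if (host === null) return { secure: false, warn: false, formsEnabled: true };
    const known = this.digests.has(this.digest(host));
    return { secure: true, warn: !known, formsEnabled: known };
  }

  // Step 1: called once the user has allowed the site and sent form data.
  recordFormSubmit(url) {
    const host = KnownSecureSites.hostOf(url);
    if (host !== null) this.digests.add(this.digest(host));
  }
}

// Constructed sample: one preinstalled host, then the report's example host.
const sites = new KnownSecureSites(undefined, ["paypal.com"]);
for (const url of ["https://PAYPAL.com/login", "https://paypal.honestjohn.com/login"]) {
  console.log(url, sites.decide(url));
}
```

The lookup is by exact hostname; grouping subdomains under one registrable domain would need the Public Suffix List, which this sketch does not include.
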
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: toolkit
Severity: normal → S3
Assignee: dveditz → nobody
Severity: S3 → N/A
Product: Core → Firefox

Closing, because we won't implement this for several reasons. I think the primary reason is that we don't want to show a warning symbol on first view for trustful websites (e.g. paypal.com on first visit). This would also show the warning too many times on small websites. The landscape of https has changed a lot. Most websites use it nowadays.

Shipping an allow-list isn't great either, due to the effect of "picking winners" which is unfair to new players.

There are different mechanisms that help with the phishing aspect. The best one for the user is using a password manager that only autofills passwords with the correct matching URL (Firefox password manager or add-ons like Bitwarden do this).

We do also rely on safe-browsing to give a strong signal to users when they visit known phishing sites.

Nowadays we also highlight the top-level domain to users. So users get a visual hint on what the origin is. Using subdomains for phishing is less effective with that (e.g. paypal.honestjohn.com).

Thanks anyway for submitting the feature request. It was a good suggestion at the time.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX