Closed
Bug 285665
Opened 19 years ago
Closed 19 years ago
Security risk with false links
Categories
(Thunderbird :: General, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 279191
People
(Reporter: marc, Assigned: mscott)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0

I hope a few of the developers for Netscape, Mozilla, Firefox, and Thunderbird are reading this because I am a bit angry that I have to think of this for you. There is a simple security fix that OUGHT to be in every browser and email handler and it is this. IF A LINK URL IS GIVEN IN THE DOCUMENT THAT DESCRIBES ONE URL WHILE ACTUALLY POINTING TO A DIFFERENT URL, THE USER OUGHT TO SEE A BIG RED POPUP SAYING "DANGER DANGER WILL ROBINSON!"

So for example if the html code is something like - <a href="www.somesleazebag.com">www.somerealplace.com</a> it should be very simple to catch this type of spoofing and give the poor user a heads up warning! AND this should be the default behaviour if you want to make it a user settable option.

I am seeing a lot of email that tries to sucker the poor users into giving up vital information by pretending to be coming from a legitimate place, then actually redirecting them to a website that pretends to be that site and thus gain access to vital information. Sites like PayPal and eBay are prime examples. I get a lot of junk email trying to claim I must update my account information of some such at PayPal. I am an engineer so I know to check links before using them, BUT YOUR AVERAGE USER DOES NOT!!!! Expecting the average user to be aware of such redirection attempts is WAY BEYOND their capabilities! MOST USERS DO NOT HAVE A CLUE HOW LINKING EVEN WORKS! PERIOD! This is a place where you developers need to design your software for users, NOT for other engineers and computer scientists!

Reproducible: Always

Steps to Reproduce:
1. Get some spam that is spoofing some legitimate website
2. Click on the links provided
3. Take your chances

Actual Results:
Guess!

Expected Results:
The software should have given me a very big loud warning that a URL was possibly being spoofed
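The mismatch check the reporter asks for, written out as an added example (not code from this bug or from Thunderbird's anti-phishing work): anchors whose visible text reads as a host or URL are compared against the host their href actually resolves to, and a leading "www." is ignored on both sides so that cosmetic differences do not raise alarms. The sample HTML, host names and the helper names are constructed for the example.

```javascript
// Added example, not Thunderbird's anti-phishing code: flag <a> elements whose visible
// text reads as a URL/hostname but whose href resolves to a different host.
// Uses Node's built-in URL class; no other dependencies.

// Normalise a bare host ("www.example.com") or a full URL to a comparable host name.
// A leading "www." is dropped so "www.example.com" vs "example.com" is not a false alarm.
function hostOf(s) {
  let str = s.trim();
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(str)) str = "http://" + str;
  try {
    return new URL(str).hostname.toLowerCase().replace(/^www\./, "");
  } catch (e) {
    return null; // unparsable href/text: cannot judge, caller skips it
  }
}

// Only link text a reader would take as a destination (looks like a host or URL) is
// judged; labels such as "click here" create no expectation that can be contradicted.
function looksLikeUrl(text) {
  return /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/?#]\S*)?$/i.test(text.trim());
}

// Scan HTML for anchors and return those whose text host and href host disagree.
// The regex extraction stands in for walking the message DOM in a real mail client.
function findSpoofedLinks(html) {
  const hits = [];
  const anchor = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, "").trim(); // strip nested markup
    if (!looksLikeUrl(text)) continue;
    const hrefHost = hostOf(href);
    const textHost = hostOf(text);
    if (hrefHost && textHost && hrefHost !== textHost) {
      hits.push({ text, href, textHost, hrefHost });
    }
  }
  return hits;
}

// Constructed sample message: a non-URL label (not judged), the reporter's example,
// a look-alike subdomain, and a benign link whose text and href agree.
const SAMPLE_HTML = `
<p>Please <a href="http://evil.example/login">click here</a> to verify.</p>
<p><a href="www.somesleazebag.com">www.somerealplace.com</a></p>
<p><a href="http://www.paypal.com.evil.example/">https://www.paypal.com/</a></p>
<p><a href="https://www.somerealplace.com/help">https://www.somerealplace.com/help</a></p>
`;

for (const h of findSpoofedLinks(SAMPLE_HTML)) {
  console.log(`WARNING: link text says ${h.textHost} but href goes to ${h.hrefHost}`);
}
```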
Comment 1•19 years ago
we've already done stuff like this, in the anti-phishing work that Scott has been devoting a large amount of his time to in the past few months. Please try a recent trunk build.
Assignee
Comment 2•19 years ago
Please read the Bugzilla etiquette guidelines before filing bugs. No need to shout and be rude.

*** This bug has been marked as a duplicate of 279191 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Comment 3•19 years ago
Reporter, I wish I knew what to say to bring you into the fold of valued and productive contributors to open source software. The count of active contributors to the whole of the projects you mentioned is only a little more than the number of pink thingies at the end of your arms. Some projects could double the number of contributors in one go. You are right when you shouted GUESS. We are asking software to guess when we are being lied to. This and the other problem you mentioned are hard.

If it helps you, I hate it when people send me HTML mail http://www.headscape.co.uk/view_article.asp?PageId=5&ArticleId=140 , I hate it when people use defective tools http://asmallvictory.net/archives/004665.html and I hate it when people write things like Bug 279191 Comment 48. I may be mistaken, but I don't think that you are quite right when you assert that the solution to your example is simple. I tend to agree that 'average users' and 'poor users' may need some help. I suggest to such users:
* Never use Microsoft products
* Use a Mac
* Use Linux
* Display HTML mail (if you must) as plain text

In your opinion, do you think that I get very far? All of these have solid experimental data to back them up. All have been made by experienced security professionals. Very much I agree that 'average users' need help, but I have to admit that as to what help, alas ignoramus.
Reporter
Comment 4•19 years ago
Ben and all - First of all let me apologize for shouting, my Dad got burned and I got pretty angry. Sorry.

I am VERY glad to see that work IS being done to solve this problem, yes there are some details to be worked out, but basically this is a straightforward problem that is NOT that difficult to solve and SHOULD have been done a long time ago. I would like to also say this is NOT just an annoyance or a typical bug, USERS ARE GETTING HURT! That should make a bug like this a TOP priority, and this IS an emergency! I would go so far as to immediately recommend a release of these products with the anti-phishing code AS IS... It does not have to be perfect and it appears to be working enough to be effective. I noted in the other bug's commentaries that there appears to be a lot of delay because of argumentation over details... That is NOT good! Again let me repeat - This IS an emergency, users are getting hurt and the longer the fix is delayed the more users will get hurt. Asking them to get and install the very latest nightly build version is NOT the correct solution either, they want some assurance they are getting a "sanctioned" version that works reliably. BTW I did try to search the Bugzilla database for a duplicate bug, but would never have guessed the term anti-phishing was being used. Poor choice of words.

Bill - I read your article on your views about using plain text emails. I have to say I STRONGLY disagree with you, and I hope other developers on the Mozilla/Firefox/Thunderbird teams do not feel the same way. Like in any ball game, one should never lose sight of the ball, and in this case the ball is the indisputable fact that people are communicators and they LIKE to easily communicate with each other! Any tool that allows them to communicate their thoughts and ideas easier will always win hands down! Why do you think cell telephones are so popular these days? It's because it makes communication easier than land lines.

Email that supports richer mediums of communications - pictures, graphics, sound, layout, etc. will win over simple text based email every time! Simply because it allows far more effective communication. It is ok if you want to bury YOUR head in the sand, but the world is going to gravitate towards tools that allow these richer and more effective means of communicating. Yes HTML has its problems, as your article points out. But that is exactly where engineering attention should be focused. Work on solving those problems, such as putting in anti-phishing technologies. Don't try to convince people to go back to simpler technologies. Mozilla, Thunderbird, and Firefox are great tools, moving in the right direction. If they change directions to support the idea of only having text email, these products would die. I would bet my last dollar on that! Wherever there is a need to support enriched, easier and safer means of communication, get out there in front and do it! Don't drag your feet. I wish I could clone me, I would love to jump in and help out.

Marc...