Closed Bug 285665 Opened 19 years ago Closed 19 years ago

Security risk with false links

Categories

(Thunderbird :: General, defect)

x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 279191

People

(Reporter: marc, Assigned: mscott)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0

I hope a few of the developers for Netscape, Mozilla, Firefox, and Thunderbird
are reading this because I am a bit angry that I have to think of this for you.

There is a simple security fix that OUGHT to be in every browser and email
handler and it is this. IF A LINK URL IS GIVEN IN THE DOCUMENT THAT DESCRIBES
ONE URL WHILE ACTUALLY POINTING TO A DIFFERENT URL, THE USER OUGHT TO SEE A BIG
RED POPUP SAYING "DANGER DANGER WILL ROBINSON!"

So for example if the html code is something like -

<a href="www.somesleazebag.com">www.somerealplace.com</a>

it should be very simple to catch this type of spoofing and give the poor user a
heads up warning! AND this should be the default behaviour if you want to make
it a user settable option.

I am seeing a lot of email that tries to sucker the poor users into giving up
vital information by pretending to be coming from a legitimate place, then
actually redirecting them to a website that pretends to be that site and thus
gain access to vital information. Sites like PayPal and eBay are prime
examples. I get a lot of junk email trying to claim I must update my account
information or some such at PayPal. I am an engineer so I know to check links
before using them, BUT YOUR AVERAGE USER DOES NOT!!!!

Expecting the average user to be aware of such redirection attempts is WAY
BEYOND their capabilities! MOST USERS DO NOT HAVE A CLUE HOW LINKING EVEN WORKS!
PERIOD! This is a place where you developers need to design your software for
users, NOT for other engineers and computer scientists!


Reproducible: Always

Steps to Reproduce:
1. Get some spam that is spoofing some legitimate website
2. Click on the links provided
3. Take your chances

Actual Results:  
Guess!

Expected Results:  
The software should have given me a very big loud warning that a URL was
possibly being spoofed
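The check the report asks for, written here as an added example (this is not Thunderbird's code and not the anti-phishing work the comments refer to): walk the anchors in an HTML message, and when the visible link text itself looks like a web address, compare the host it names with the host the href actually points to. The sample message is constructed for the example. Two assumptions are made in the code: bare text such as "www.somerealplace.com" with no scheme is read as a host name (as in the report's own example), and only http/https/ftp hrefs are compared, so mailto: or javascript: links are skipped rather than guessed at.

```python
# Added example, not Thunderbird's code: flag <a> elements whose visible
# text looks like a web address but whose href points at a different host.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that "looks like" an address: optional scheme, then a host
# with a dot and an alphabetic TLD, then an optional path. "click here"
# does not match, so plain-word link text is never compared.
URL_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I
)
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)


def host_of(value):
    """Lower-case host of a URL-ish string, or None if there is no web host.

    Assumption: a bare "www.example.com" (no scheme, as in the report's
    example) is read as a host rather than as a relative path.
    """
    if value is None:
        return None
    v = value.strip()
    if not SCHEME.match(v):
        v = "http://" + v
    parts = urlsplit(v)
    if parts.scheme.lower() not in ("http", "https", "ftp"):
        return None  # mailto:, javascript:, data: ... carry no host to compare
    return parts.hostname


def strip_www(host):
    """Treat "www.example.com" and "example.com" as the same site."""
    return host[4:] if host and host.startswith("www.") else host


def compare(href, text):
    """Return a finding dict when `text` names a different host than `href`."""
    if href is None or not URL_LIKE.match(text):
        return None  # no href, or text like "click here": nothing to compare
    href_host, text_host = host_of(href), host_of(text)
    if not href_host or not text_host:
        return None
    if strip_www(href_host) != strip_www(text_host):
        return {"href": href, "text": text,
                "href_host": href_host, "text_host": text_host}
    return None


class LinkTextChecker(HTMLParser):
    """Collect the text of each <a href> and hand it to compare()."""

    def __init__(self):
        super().__init__()
        self._in_anchor = False
        self._href = None
        self._text = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self._in_anchor = False
            finding = compare(self._href, "".join(self._text).strip())
            if finding:
                self.findings.append(finding)


def check_html(html):
    """Return the list of mismatched links found in an HTML message body."""
    parser = LinkTextChecker()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message: anchors 1 and 4 should be flagged, 2 and 3 not.
SAMPLE_MAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://www.somesleazebag.com/login">www.somerealplace.com</a><br>
<a href="https://www.example.com/help">example.com</a>
<a href="https://www.example.com/help">click here</a>
<a href="http://203.0.113.5/x">https://www.example.com/</a>"""

if __name__ == "__main__":
    for f in check_html(SAMPLE_MAIL):
        print(f"WARNING: link text {f['text']!r} names {f['text_host']} "
              f"but the link points to {f['href_host']}")
```

Running it prints a warning for the first and last anchors only. The limits of the check are the point the later comments make: it can only speak when the visible text itself claims to be an address, so "click here" text and look-alike host names in the href are not caught, which is why this is a heads-up for the user rather than a verdict.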
We've already done stuff like this, in the anti-phishing work that Scott has
been devoting a large amount of his time to in the past few months. Please try a
recent trunk build.
Please read the Bugzilla etiquette guidelines before filing bugs. No need to
shout and be rude.


*** This bug has been marked as a duplicate of 279191 ***

Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Reporter, I wish I knew what to say to bring you into the fold of valued
and productive contributors to open source software. The count of active
contributors to the whole of the projects you mentioned is only a little 
more than the number of pink thingies at the end of your arms. Some 
projects could double the number of contributors in one go.

You are right when you shouted GUESS. We are asking software to guess
when we are being lied to. This and the other problem you mentioned are
hard.

If it helps you, I hate it when people send me HTML mail
(http://www.headscape.co.uk/view_article.asp?PageId=5&ArticleId=140),
I hate it when people use defective tools
(http://asmallvictory.net/archives/004665.html)
and I hate it when people write things like
Bug 279191 Comment 48

I may be mistaken, but I don't think that you are quite right when you
assert that the solution to your example is simple. I tend to agree
that 'average users' and 'poor users' may need some help. I suggest to
such users:

* Never use Microsoft products
* Use a Mac
* Use Linux
* Display HTML mail (if you must) as plain text

In your opinion, do you think that I get very far? All of these have
solid experimental data to back them up. All have been made by
experienced security professionals. Very much I agree that 'average
users' need help, but I have to admit that as to what help, alas
ignoramus.
Ben and all -

First of all let me apologize for shouting, my Dad got burned and I got pretty
angry. Sorry.. I am VERY glad to see that work IS being done to solve this
problem, yes there are some details to be worked out, but basically this is a
straightforward problem that is NOT that difficult to solve and SHOULD have been
done a long time ago.

I would like to also say this is NOT just an annoyance or a typical bug, USERS
ARE GETTING HURT! That should make a bug like this a TOP priority, and this IS an
emergency! I would go so far as to immediately recommend a release of these
products with the anti-phishing code AS IS... It does not have to be perfect
and it appears to be working enough to be effective. I noted in the other bug's
commentaries that there appears to be a lot of delay because of argumentation
over details... That is NOT good! Again let me repeat - This IS an emergency,
users are getting hurt and the longer the fix is delayed the more users will get
hurt. Asking them to get and install the very latest nightly build version is
NOT the correct solution either, they want some assurance they are getting a
"sanctioned" version that works reliably.

BTW I did try to search the Bugzilla database for a duplicate bug, but would
never have guessed the term anti-phishing was being used. Poor choice of words.

Bill - I read your article on your views about using plain text emails. I have
to say I STRONGLY disagree with you, and I hope other developers on the
Mozilla/Firefox/Thunderbird teams do not feel the same way. Like in any ball
game, one should never lose sight of the ball, and in this case the ball is the
undisputable fact that people are communicators and they LIKE to easily
communicate with each other! Any tool that allows them to communicate their
thoughts and ideas easier will always win hands down! Why do you think cell
telephones are so popular these days? It's because it makes communication easier
than land lines. Email that supports richer mediums of communications -
pictures, graphics, sound, layout, etc. will win over simple text based email
every time! Simply because it allows far more effective communication. It is ok
if you want to bury YOUR head in the sand, but the world is going to gravitate
towards tools that allow these richer and more effective means of communicating.

Yes HTML has its problems, as your article points out. But that is exactly where
engineering attention should be focused. Work on solving those problems, such as
putting in anti-phishing technologies. Don't try to convince people to go back
to simpler technologies. Mozilla, Thunderbird, and Firefox are great tools,
moving in the right direction. If they change directions to support the idea of
only having text email, these products would die. I would bet my last dollar on
that! Wherever there is a need to support enriched easier and safer means of
communication, get out there in front and do it! Don't drag your feet.

I wish I could clone me, I would love to jump in and help out.

    Marc...