Closed
Bug 305776
Opened 19 years ago
Closed 15 years ago
is there a protection mechanism we can create against home page hijacking?
Categories
(Firefox :: Settings UI, defect)
RESOLVED
WONTFIX
People
(Reporter: chofmann, Unassigned)
Details
Reports are surfacing that spyware/adware packages are targeting Firefox. Tristan reports these... http://www.geckozone.org/forum/viewtopic.php?t=27760 (FR) and http://mozillaes.ismx.org/index.php?option=com_forum&Itemid=122&page=viewtopic&t=8265&highlight= (ES, with a screenshot). Seems that running Spybot Search & Destroy fixes the problem. Maybe we could emulate what it is doing, or try and obscure the homepage setting to make it less prone to changes from other programs/scripts running locally. There is no evidence that home pages are being reset from remote. If there is, we should spin that off into another bug.
Comment 1•19 years ago
What is the actual goal? To prevent local malicious spyware from changing the homepage setting? That is IMO an unreasonable goal... our code is open source, whatever kinds of obfuscation we could put in would be easy to break.
Comment 2•19 years ago
As has been said before, once malicious code is running locally - all bets are off. Also, it is trivial to watch what an application does when changing the homepage, be it using hidden files, registry keys, or whatever. What protection can you afford that actually offers a decent level of protection?
Comment 3•19 years ago
My 2 euro-cents. Since Firefox is the same for all users, IMO the only thing that differentiates one Firefox setup from the other is the use of the master password. Maybe we could create an encrypted version of the home page URL using the user's master password if there is one and check at Firefox's startup if the home page in prefs.js is still the same as the encrypted one; if it is not, we reset it to the one stored in the encrypted file.
Comment 4•19 years ago
And what do you do if the spyware deletes the encrypted file and/or installs a keylogger or something else?
Comment 5•19 years ago
-> matti: The encrypted file could have an aleatory name for instance, or the data could be added to another file in the profile which could not be deleted without Firefox stopping to work, or we could propose the user to remotely store it on a Mozilla server, etc. I don't see how a keylogger comes into play here; you take as granted that the spyware is already on the user machine when they install Firefox. How about protecting people who already have Firefox installed and a master password set before they get the spyware? No solution is perfect, but IMO there is a big difference between imperfect security measures to protect the home page, make it much more difficult to hijack it, and deciding not to take any measure.
Comment 6•15 years ago
Since this is impossible, I'm marking it as wontfix.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
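Added example, not part of the bug thread and not Firefox code: a sketch of the startup check proposed in comment 3, using an HMAC keyed from the master password in place of encryption, and including the deleted-record case raised in comment 4. The record layout, function names, verdict strings and sample prefs are assumptions made for illustration; `browser.startup.homepage` is the pref that holds the home page.

```python
import hashlib
import hmac
import os
import re

# Matches the home page line in prefs.js; assumes the URL has no escaped quotes.
PREF_RE = re.compile(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\);')

def homepage_of(prefs_text):
    """Return the home page URL set in prefs.js text, or None."""
    m = PREF_RE.search(prefs_text)
    return m.group(1) if m else None

def _tag(master_password, salt, url):
    # PBKDF2 turns the master password into a MAC key and slows guessing.
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    return hmac.new(key, url.encode(), hashlib.sha256).digest()

def seal(prefs_text, master_password):
    """Build the protected record (hypothetical layout) for the current home page."""
    url = homepage_of(prefs_text)
    if url is None:
        raise ValueError("no home page set in prefs")
    salt = os.urandom(16)
    return {"salt": salt, "url": url, "tag": _tag(master_password, salt, url)}

def check_at_startup(prefs_text, record, master_password):
    """Return (verdict, prefs_text), with prefs_text repaired when possible."""
    if record is None:
        # Comment 4's case: a deleted record leaves nothing to compare against.
        return "no-record", prefs_text
    expected = _tag(master_password, record["salt"], record["url"])
    if not hmac.compare_digest(expected, record["tag"]):
        return "record-invalid", prefs_text  # edited without the password
    if homepage_of(prefs_text) == record["url"]:
        return "ok", prefs_text
    line = 'user_pref("browser.startup.homepage", "%s");' % record["url"]
    if PREF_RE.search(prefs_text):
        return "restored", PREF_RE.sub(lambda m: line, prefs_text)
    return "restored", prefs_text + line + "\n"

# Constructed sample prefs.js content, not taken from the bug report.
SAMPLE = 'user_pref("browser.startup.homepage", "https://start.example/");\n'
HIJACKED = SAMPLE.replace("https://start.example/", "http://ads.invalid/")

if __name__ == "__main__":
    record = seal(SAMPLE, "example master password")
    print(check_at_startup(HIJACKED, record, "example master password")[0])
    print(check_at_startup(HIJACKED, None, "example master password")[0])
```

The check detects and reverts an edited pref while the record is intact, but a missing record looks the same as a profile that was never protected, which is the limit comments 1, 2 and 4 point at.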