we need to reduce the number of remote lookups per user

RESOLVED FIXED in Firefox 2

Status: RESOLVED FIXED

People: Reporter: tony, Assigned: tony

Tracking: {fixed1.8.1}
Version: Trunk
Target Milestone: Firefox 2
Keywords: fixed1.8.1
Bug Flags: blocking-firefox2 +, blocking1.8.0.8 -

Whiteboard: [sg:nse] post FF1.5

Attachments: 1 attachment

Description (Assignee)

13 years ago
We're getting more remote lookups per user than we can handle for a user base the size of Firefox's.  We currently check all document loads.  Instead of checking each document load, only checking top-level loads (that is, ignoring frame loads) is expected to reduce the number of checks by an order of magnitude.
Updated (Assignee)

13 years ago
Blocks: 349227
Flags: blocking-firefox2?
Comment 1

Is this really a "security" bug? If it's more of a "business/marketing confidential" bug I can move it into the mozilla.org confidential group.

Actually you should be getting very few lookups from Firefox 2 users, since the remote lookup is turned off by default. Are these lookups coming from the similar feature in the Google Toolbar instead? If so this bug may be in the entirely wrong place.

(I'm not going to disagree that lookups should only be done on the top-level documents, though. That's the right thing whether or not Firefox is the source of the load problem you're getting.)
Comment 2 (Assignee)

13 years ago
You could try to hide a phishing page in a frame.  E.g., suppose you hit a phishing page while browsing in a bitty browser:
http://www.bitty.com/
If the framing site maliciously put phishing stuff in a frame to hide it from you I'd say that makes the framing site bad; it should go on the phishing list, too.

On the accidental side, people who regularly log on to their bank in a bitty-browser (why?) and then one day happen to stumble across a phish for their bank and decide "why not, as long as it's here I'll do my banking now" have got to be a very tiny population. If we potentially leave that crowd at risk to ensure the service stays up for everyone else I'm fine with that.

Updated

13 years ago
Flags: blocking-firefox2? → blocking-firefox2+
Target Milestone: --- → Firefox 2
Comment 4 (Assignee)

13 years ago
Created attachment 234868
v1: use onLocationChange instead

This seems to do what we want (ignore (i)frames, only use the final url if there are redirects, fires on background tabs, fires on forward/backward nav and reload, does not fire on tab select).
Attachment #234868 - Flags: review?(darin)

Comment 5

13 years ago
> only use the final url if there are redirects

That makes me worry.  It gives a phisher a lot of mobility after spamming, for one thing.

Updated

13 years ago
Attachment #234868 - Flags: review?(darin) → review+
Comment 6 (Assignee)

13 years ago
(In reply to comment #5)
> > only use the final url if there are redirects
> 
> That makes me worry.  It gives a phisher a lot of mobility after spamming, for
> one thing.

This is true, but the short life of existing phishing sites suggests that phishers don't do this.  Probably because email filters catch them first.

We could add back in the onStateChange for STATE_IS_NETWORK, which checks the first url, but I don't know a way to prevent it from firing a second time on onLocationChange if it isn't a redirect.
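The three policies argued over in the description and comments 4 to 6 can be compared directly. The block below is an added example written for this page, not the patch in attachment 234868 or any Firefox code: it models the events an nsIWebProgressListener receives (onStateChange with STATE_START|STATE_IS_NETWORK on the first URL, onLocationChange on the final URL, each flagged top-level or subframe) over a handful of constructed page visits and a constructed phishing list, and counts how many remote lookups each policy issues and which listed URLs it catches. The "every document load" policy is the pre-patch behaviour, "top-level location change" is what the patch does, and "first and final" is an assumed variant (not from the bug) that checks the first URL on the top-level network start and the final URL on location change, skipping the second lookup when the URL did not change.

```javascript
// Added example, not code from this bug's patch: a stand-alone model of the
// lookup policies discussed here, using the event shapes a Firefox
// nsIWebProgressListener sees. All visits, URLs and the list are constructed.

const STATE_START = 0x00000001;      // flag values from nsIWebProgressListener
const STATE_IS_NETWORK = 0x00040000;

// Constructed blocklist: one phishing page, plus one URL as it appeared in spam.
const PHISHING_LIST = new Set([
  "http://phish.example/bank/login",
  "http://spam.example/click2",
]);

// Constructed page visits. `frames` are subframe document loads, `redirectTo`
// is the URL the top-level load ends on after a server-side redirect.
const VISITS = [
  { url: "http://news.example/",
    frames: ["http://ads.example/1", "http://ads.example/2",
             "http://ads.example/3", "http://social.example/like"] },
  // comment 2: the phishing page hidden in a frame of an innocent-looking site
  { url: "http://bitty.example/",
    frames: ["http://phish.example/bank/login"] },
  // a spammed link that redirects to a listed page
  { url: "http://spam.example/click",
    redirectTo: "http://phish.example/bank/login" },
  // comment 5's worry: the spammed URL is listed, but the phisher has since
  // moved the redirect target to a fresh host that is not
  { url: "http://spam.example/click2",
    redirectTo: "http://rotated.example/login" },
];

// Turn a visit into the progress events a listener would receive, in order.
function eventsFor(visit) {
  const events = [];
  const start = (url, top) =>
    events.push({ kind: "state", flags: STATE_START | STATE_IS_NETWORK, url, top });
  start(visit.url, true);
  for (const f of visit.frames || []) start(f, false);
  events.push({ kind: "location", url: visit.redirectTo || visit.url, top: true });
  for (const f of visit.frames || []) events.push({ kind: "location", url: f, top: false });
  return events;
}

// A policy maps one event (plus per-visit scratch state) to the URL to look
// up, or null for "no lookup".
const POLICIES = {
  // Before the patch: every document load, frame or not, on its first URL.
  everyDocumentLoad(ev) {
    const net = STATE_START | STATE_IS_NETWORK;
    return ev.kind === "state" && (ev.flags & net) === net ? ev.url : null;
  },
  // The patch: only the top-level location change, which carries the final
  // URL after any redirects.
  topLevelLocationChange(ev) {
    return ev.kind === "location" && ev.top ? ev.url : null;
  },
  // Assumed variant, not in the patch: first URL on the top-level network
  // start, final URL on location change, no second lookup without a redirect.
  topLevelFirstAndFinal(ev, scratch) {
    const net = STATE_START | STATE_IS_NETWORK;
    if (!ev.top) return null;
    if (ev.kind === "state" && (ev.flags & net) === net) {
      scratch.first = ev.url;
      return ev.url;
    }
    if (ev.kind === "location") return ev.url === scratch.first ? null : ev.url;
    return null;
  },
};

// Run one policy over the visits; return the lookups it issues and the hits.
function runPolicy(name, visits = VISITS, list = PHISHING_LIST) {
  const lookups = [];
  for (const visit of visits) {
    const scratch = {};
    for (const ev of eventsFor(visit)) {
      const url = POLICIES[name](ev, scratch);
      if (url !== null) lookups.push(url);
    }
  }
  const hits = lookups.filter((u) => list.has(u));
  return { lookups, hits };
}

for (const name of Object.keys(POLICIES)) {
  const { lookups, hits } = runPolicy(name);
  console.log(`${name}: ${lookups.length} lookups, hits: ${hits.join(", ") || "none"}`);
}
```

Over these four visits the pre-patch policy issues nine lookups and catches the framed phish and the spammed URL but never sees the redirect target; the patch issues four and catches only the redirect target, missing both the framed phish (the trade-off accepted in comment 2) and the rotated redirect (the concern in comment 5); the first-and-final variant issues six and catches both listed URLs while still skipping frames.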
Updated (Assignee)

13 years ago
Attachment #234868 - Flags: superreview?(bryner)
Attachment #234868 - Flags: superreview?(bryner) → superreview+
Comment 7 (Assignee)

13 years ago
on trunk
Comment 8

Why is this bug hidden with the security flag? Just an overabundance of paranoia?

I plan on removing the flag next time I stumble across this bug, please add an explanatory comment if I shouldn't.
Whiteboard: [sg:nse]
Comment 9 (Assignee)

13 years ago
(In reply to comment #8)
> Why is this bug hidden with the security flag? Just an overabundance of
> paranoia?
> 
> I plan on removing the flag next time I stumble across this bug, please add an
> explanatory comment if I shouldn't.

Using frames is a way to bypass phishing protection.  Your call as to whether or not that's a security bug.
Updated (Assignee)

13 years ago
Attachment #234868 - Flags: approval1.8.1?

Comment 10

13 years ago
Comment on attachment 234868
v1: use onLocationChange instead

a=schrep/connor for drivers.
Attachment #234868 - Flags: approval1.8.1? → approval1.8.1+
Comment 11 (Assignee)

13 years ago
on branch
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Group: security
Flags: blocking1.8.0.8-
Whiteboard: [sg:nse] → [sg:nse] post FF1.5
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit