Phishing Protection - false sense of security due to poor documentation

RESOLVED FIXED in Firefox 3 beta1


Firefox Graveyard
Help Documentation
12 years ago
2 years ago


(Reporter: RenegadeX, Assigned: Steffen Wilberg)


Firefox 3 beta1
Bug Flags:
blocking-firefox3 -
wanted-firefox3 +




(1 attachment)



12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0

FF2.0's promise of 'Phishing Protection' in no way guarantees the authenticity of a site, but as this is never explicitly mentioned in any documentation (Help or other), a false sense of security is given. As a result, users encountering unreported sites will unwittingly believe that the absence of a 'Suspected Web Forgery' warning means that the forged sites they encounter are authentic/to be trusted. As a result, users will unwittingly submit their personal details to web-thiefs.

What's more, using FF's built-in Help section, finding 'Phishing Protection' information via keyword is next to impossible, and even then when it's uncovered under 'Security Options', the feature is not fully explained. Help needs improved and easier to find documentation on this new feature.

I posted a 'typical' situation a Firefox user might come across, the 'logical' steps a user would take in order to find info using Help, and suggestions for improving the documentation in a post on MozillaZine -

A mention should also be made on that a warning will only appear for sites that have been previously reported by other users.

Due to the seriousness of the consequences that a false sense of security will no doubt incur, I'm putting this down as 'Critical' and recommend for BLOCKING 2.0 release.

Reproducible: Always

Comment 1

12 years ago
Anyone able to CC: the Help document people and the Firefox homepage people on this? It's kinda important..

Comment 2

12 years ago
I believe there is a big warning message relating to this when you install. You have to agree to terms to enable this and i'm sure it states what you want in there. Did you read it before accepting?
(In reply to comment #2)
> I believe there is a big warning message relating to this when you install. You
> have to agree to terms to enable this

The only warning/accept dialog I saw was when the active checking was turned on, because sending every URL you visit off to a 3rd party provider raises significant privacy concerns.

No signature-based detection is going to be perfect; not anti-virus, not network IDS, not spam filtering, and not anti-phishing. This appears to be a bug about explaining those limitations, not somehow fixing the impossible so I'm moving it over into the "help" component.
Component: Phishing Protection → Help Documentation
Ever confirmed: true
Keywords: uiwanted
QA Contact: → help.documentation

Comment 4

11 years ago
Changes to might help too.  I suspect that more users see that page than read Firefox's Help.

Comment 5

11 years ago
This is not a difficult thing.  The warning could consist of a single sentence.

The document currently reads:  "Check this option if you want Firefox to actively check whether the site you are visiting may be an attempt to mislead you into providing personal information (this is often referred to as phishing)."

Add to this:  "NOTICE:  The absence of a warning does not guarantee that a site is trustworthy."
Flags: blocking-firefox3?
(In reply to comment #5)
> This is not a difficult thing.

No, it isn't.  It just requires that I find time to work on it, and right now term is ending and I have three projects all due within a week.  I don't have time to do this right now.  There's a much better chance I'll have time in January.

Also, note that since v3 is a ways off in any releasable form, there's little gain in fixing the Help docs (built-in, that is) now instead of later if we wouldn't even ship with the modified docs between now and that "later".
We'd take the additional documentation, but this isn't really a blocker in my opinion.
Flags: blocking-firefox3? → blocking-firefox3-
Whiteboard: [wanted-firefox3]

Comment 8

11 years ago
Created attachment 269893 [details] [diff] [review]
patch v1

Adds the disclaimer and a reference to "Report Web Forgery". Also adds "anti-phishing options" to the search db, so this can be found easier.
Assignee: nobody → steffen.wilberg
Attachment #269893 - Flags: review?(jwalden+fxhelp)


11 years ago
Target Milestone: --- → Firefox 3 alpha6


11 years ago
Target Milestone: Firefox 3 alpha6 → Firefox 3 beta1
Comment on attachment 269893 [details] [diff] [review]
patch v1

>Index: mozilla/browser/locales/en-US/chrome/help/prefs.xhtml

>+  it using <span class="menuPath">Help > Report Web Forgery...</span>, as

Make that a &gt;, and r=me.  Sorry for the extreme delay on this; I've been preoccupied with other things too much lately.
Attachment #269893 - Flags: review?(jwalden+fxhelp) → review+


11 years ago
Attachment #269893 - Flags: approval1.9?


11 years ago
Keywords: uiwanted


11 years ago
Attachment #269893 - Flags: approval1.9? → approval1.9+

Comment 10

11 years ago
Checked in, with &gt;.
Last Resolved: 11 years ago
Resolution: --- → FIXED
Target Milestone: Firefox 3 M7 → Firefox 3 M9
Version: unspecified → Trunk
Flags: wanted-firefox3+
Whiteboard: [wanted-firefox3]
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.