Phishing Protection - false sense of security due to poor documentation

RESOLVED FIXED in Firefox 3 beta1

Status

Firefox Graveyard
Help Documentation
--
critical
RESOLVED FIXED
12 years ago
2 years ago

People

(Reporter: RenegadeX, Assigned: Steffen Wilberg)

Tracking

Trunk
Firefox 3 beta1
Bug Flags:
blocking-firefox3 -
wanted-firefox3 +

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0

FF2.0's promise of 'Phishing Protection' in no way guarantees the authenticity of a site, but as this is never explicitly mentioned in any documentation (Help or other), a false sense of security is given. As a result, users encountering unreported sites will unwittingly believe that the absence of a 'Suspected Web Forgery' warning means that the forged sites they encounter are authentic/to be trusted. As a result, users will unwittingly submit their personal details to web-thiefs.

What's more, using FF's built-in Help section, finding 'Phishing Protection' information via keyword is next to impossible, and even then when it's uncovered under 'Security Options', the feature is not fully explained. Help needs improved and easier to find documentation on this new feature.

I posted a 'typical' situation a Firefox user might come across, the 'logical' steps a user would take in order to find info using Help, and suggestions for improving the documentation in a post on MozillaZine - http://forums.mozillazine.org/viewtopic.php?t=470103

A mention should also be made on http://www.mozilla.org/projects/bonecho/anti-phishing/ that a warning will only appear for sites that have been previously reported by other users.

Due to the seriousness of the consequences that a false sense of security will no doubt incur, I'm putting this down as 'Critical' and recommend for BLOCKING 2.0 release.

Reproducible: Always
(Reporter)

Comment 1

12 years ago
Anyone able to CC: the Help document people and the Firefox homepage people on this? It's kinda important..

Comment 2

12 years ago
I believe there is a big warning message relating to this when you install. You have to agree to terms to enable this and i'm sure it states what you want in there. Did you read it before accepting?
(In reply to comment #2)
> I believe there is a big warning message relating to this when you install. You
> have to agree to terms to enable this

The only warning/accept dialog I saw was when the active checking was turned on, because sending every URL you visit off to a 3rd party provider raises significant privacy concerns.

No signature-based detection is going to be perfect; not anti-virus, not network IDS, not spam filtering, and not anti-phishing. This appears to be a bug about explaining those limitations, not somehow fixing the impossible so I'm moving it over into the "help" component.
Status: UNCONFIRMED → NEW
Component: Phishing Protection → Help Documentation
Ever confirmed: true
Keywords: uiwanted
QA Contact: phishing.protection → help.documentation

Comment 4

11 years ago
Changes to http://www.mozilla.com/en-US/firefox/features.html#secure might help too.  I suspect that more users see that page than read Firefox's Help.

Comment 5

11 years ago
This is not a difficult thing.  The warning could consist of a single sentence.

The document currently reads:  "Check this option if you want Firefox to actively check whether the site you are visiting may be an attempt to mislead you into providing personal information (this is often referred to as phishing)."

Add to this:  "NOTICE:  The absence of a warning does not guarantee that a site is trustworthy."
Flags: blocking-firefox3?
(In reply to comment #5)
> This is not a difficult thing.

No, it isn't.  It just requires that I find time to work on it, and right now term is ending and I have three projects all due within a week.  I don't have time to do this right now.  There's a much better chance I'll have time in January.

Also, note that since v3 is a ways off in any releasable form, there's little gain in fixing the Help docs (built-in, that is) now instead of later if we wouldn't even ship with the modified docs between now and that "later".
We'd take the additional documentation, but this isn't really a blocker in my opinion.
Flags: blocking-firefox3? → blocking-firefox3-
Whiteboard: [wanted-firefox3]
(Assignee)

Comment 8

11 years ago
Created attachment 269893 [details] [diff] [review]
patch v1

Adds the disclaimer and a reference to "Report Web Forgery". Also adds "anti-phishing options" to the search db, so this can be found easier.
Assignee: nobody → steffen.wilberg
Status: NEW → ASSIGNED
Attachment #269893 - Flags: review?(jwalden+fxhelp)
(Assignee)

Updated

11 years ago
Target Milestone: --- → Firefox 3 alpha6
(Assignee)

Updated

11 years ago
Target Milestone: Firefox 3 alpha6 → Firefox 3 beta1
Comment on attachment 269893 [details] [diff] [review]
patch v1

>Index: mozilla/browser/locales/en-US/chrome/help/prefs.xhtml

>+  it using <span class="menuPath">Help > Report Web Forgery...</span>, as

Make that a &gt;, and r=me.  Sorry for the extreme delay on this; I've been preoccupied with other things too much lately.
Attachment #269893 - Flags: review?(jwalden+fxhelp) → review+
(Assignee)

Updated

11 years ago
Attachment #269893 - Flags: approval1.9?
(Assignee)

Updated

11 years ago
Keywords: uiwanted

Updated

11 years ago
Attachment #269893 - Flags: approval1.9? → approval1.9+
(Assignee)

Comment 10

11 years ago
Checked in, with &gt;.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Target Milestone: Firefox 3 M7 → Firefox 3 M9
Version: unspecified → Trunk
Flags: wanted-firefox3+
Whiteboard: [wanted-firefox3]
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.