Closed Bug 368093 Opened 18 years ago Closed 12 years ago

Report web forgery tool should tell you if your site hits the blacklist

Categories

(Toolkit :: Safe Browsing, defect)

x86
Windows 2000
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: johnath, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

Right now when you submit a phishing site using the Help->Report web forgery tool, you end up on the google URL linked in the posting. This page does thank you and invite you to rejoice merrily for doing your part, but since it's a canned response, there's not a lot of real feel-good feedback there. Feel-good feedback is essential to getting people hooked on this and driving up userland reporting.

beltzner and I had discussed a system whereby, if the submitted link actually made it into the blacklist, you would receive an email thanking you for your help submitting specific sites. The problem with email is that we don't ask for that right now, and that many users might be reluctant to supply it. On the other hand, we can do better anyhow.

I would propose that whenever this tool is used, the browser caches the submitted link(s). When a new blacklist is pulled down, the cached entries can be checked against the list. If there are matches, we pop up an info box (maybe using the anti-phishing bubble instead of a modal dialog, haven't thought that part through yet) saying, basically:

3 of the sites you submitted have now been added to the worldwide anti-phishing blacklist. Thank you for making the internet a safer place for millions of users. You have helped shut down 18 phishing sites so far.

Open for discussion are:

a) Whether it adds to the warm-fuzzy feeling to list the actual urls (given their tendency to be very long, maybe not. Maybe something to do with the optional comments they attach?)

b) Whether the stats-junkie fix we offer by keeping a running tally introduces any stats-junkie complications (I want my numbers synchronized over all my machines, &c. &c.)

In general though, I think these tweaks could drive up participation (particularly repeat participation) rates for relatively little cost. The issue of the discoverability of the tool in the first place is another issue, but probably out of scope here.

Reproducible: Always

Steps to Reproduce:
1. Submit phishing site
2. Get standard thank you page.
3. Get no closure/success feedback.

a) I don't think we need to include the URI itself, but a "Cool! Show me!" button that opens a new tab and illustrates how it's now blocked would let a user know which site, precisely, had been added, and makes for a good full-circle experience.

b) I'd suggest we not bother with the tally at all, since we'd have questions about whether or not to clear it with CPD, maintain that pref, etc, etc.

Status: UNCONFIRMED → NEW
Ever confirmed: true

Sounds reasonable to me. What would the UI for notifying the user look like? Since updates happen in the background, it seems like it would annoy the user if an alert appeared during an update. There's no real context for this.

(In reply to comment #2)
> Sounds reasonable to me. What would the UI for notifying the user look like?
> Since updates happen in the background, it seems like it would annoy the user if
> an alert appeared during an update. There's no real context for this.

It would, and every time I try to think around that annoyance I come back to it. So on the one hand, we could try the "annoy me minimally" approach, using the ever more pervasive bottom-right-corner slide-up-notifier widget.

On the other hand, there is a weaker version of this suggestion that reads: "The submit-a-phish page should show these stats"

The problem with that is that it would be purely pull. This is fine for stats-junkies, who are used to reloading tracking pages, but not so great for casual users who might be turned into stats junkies with the right reminders. I suspect it also stops having any firefox hit at all, being now just a piece of web functionality on the google submit page (not that this is necessarily a bad thing).

So the question becomes: Is anti-phishing reporting something we want FF to actively encourage casual users to do (in which case this bug should deal with how to carrot them with minimal annoyance) or something we expect only dedicated users to do (in which case I still think stats help create an incentive, but which argues for keeping it out of the UI and confined to the submission pages)? Casual users are the biggest demographic/most coverage, but they also care the least, and are provably pretty poor at detecting such things in the first place.

Sadly the nsIAlertsService (the slidy thing) is Windows only atm (it's there in linux but, iirc, disabled by default). A couple of ideas about the UI ...

* In the Brave New World of Firefox 3 I'm hoping to have a harmonized structure for Things Firefox Wants to Tell You. This would be one of those Things. (No, I don't know what it will look like yet. Yes, it sounds a lot like the status bar. Yes, I realize this is one of the things I didn't get done for Firefox 2.)

* Upon submission of the phishing URI, we could ask users if they want to be notified, thus asking if they wish to be annoyed downstream. The question could also be asked upon the first annoyance.

* I think reporting is something we want to make a more pleasant experience for users who are inclined to report, which is to say, altruistic users who know a thing or two about phishing. I sincerely doubt the casual user will be of a class to determine a phishing attack - they're who the filter is *for*, after all.

* Indeed, making this a "check on the pages I submitted" instead of a "we just got an update, and hee-wow!, you saved some folks!" would be a way of making it non-annoying.

So I agree with the above, particularly:

* The browser *should* be part of the "reward structure" process, rather than just pushing it all on to the google submit page. This also allows compatible behaviour to occur if, down the road, we ping multiple anti-phishing DBs (not that I have any indication this is happening).

* Asking the user whether they want this notification is worth doing. I think we ask up front rather than onAnnoyance. Default true (since it's not *that* annoying), text like: [*] Tell me when sites I submit are added to the anti-phishing blacklist.

* Yes this does seem to require an answer on the how-to-notify question - is there a bug # tracking that? If so, dependency plzkthx?

I don't think we're likely to ever implement this at this point.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit