browser.safebrowsing.enabled=false is not obeyed when launched from known Phish URL

RESOLVED INVALID

Product: Toolkit
Component: Safe Browsing
Severity: minor
Opened 11 years ago, updated 4 years ago

(Reporter: Robb Topolski, Unassigned)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

(note: I investigate Phish sites, so I have Phish Warnings off by default)

Clicking a link in an email message launches FF and promptly displays the "Suspected Web Forgery" dialog, even though I have disabled it in the Options Security panel.  

This does not happen on subsequently loaded URLs in that session.

Reproducible: Always

Steps to Reproduce:
(See details)
Actual Results:  
(See details)

Expected Results:  
browser.safebrowsing.enabled=false should be obeyed

This is not high priority for me, let alone anyone else.  But if you're in the neighborhood of the offending code.........

Comment 1

11 years ago
I'm having a hard time reproducing.  I started Firefox on a new profile, disabled phishing protection in the options dialog, then set my home page to a site on this list:
http://sb.google.com/safebrowsing/update?version=goog-black-url:1:-1
When I restarted Firefox, I didn't see the phishing warning.

Is this with the same profile or multiple profiles?

Comment 2 (Reporter)

11 years ago
Please change 

Reproducible: Always
to 
Reproducible: approximately 2 out of 5 tries on a moderately loaded profile

This appears to be a race condition, and definitely could depend on the startup load of a particular profile.  

Thank you for that link.  I shall try to reproduce on various profiles and report back.  Obviously, I will test a default profile.  Do you have any suggestions for add-ons that would be a good test of a heavily loaded profile that would affect startup timing?

And finally, does this have broader implications, or do you also see this as quite low on the priority scale? (Just so I know how much work to put into it.)

Comment 3

11 years ago
It could be a race condition, but I'm not sure how since the logic is in JavaScript which can't be interrupted.

If this is happening in the remote lookup mode (browser.safebrowsing.remoteLookups also set to true), it may have some privacy implications since the URL of the page would be sent to a third party against the user's wishes.  Otherwise, it seems like mainly an annoyance.

Comment 4 (Reporter)

11 years ago
The URL I chose was ... 
http://www.volksbank.de.networld.onlineid25147492.moremi3or.biz/vr/ 
... which currently is in the list.  

I am launching FF via Start, Run, http://www.volksbank.de.networld.onlineid25147492.moremi3or.biz/vr/ [OK button]

With a default profile, Phishing Protection on via list or lookup, I get the warning.  With Phishing Protection off, I get the warning 0 out of 5 tries.

With my profile, Phishing Protection off, I get the warning 5 out of 5 tries.

My extensions:
Enabled Extensions: (14)
Adblock Filterset.G Updater 0.3.0.5
Adblock Plus 0.7.2.4
Check4Change 1.6
Google Browser Sync 1.3.20061031.0
Image Zoom 0.2.7
Live HTTP Headers 0.13.1
QuickJava 0.4.2.1
RefControl 0.8.9
ShowIP 0.8.05
Talkback 2.0.0.2
Tamper Data 9.8.1
Web Developer 1.1.3
WOT 20070226

Please let me know if you want further information.

Comment 5 (Reporter)

11 years ago
PS: You might notice I only listed 13 extensions, when 14 are mentioned.  Listzilla (which made the nice list) was the 14th but was not installed during my test.

Comment 6 (Reporter)

11 years ago
> If this is happening in the remote lookup mode
> (browser.safebrowsing.remoteLookups also set to true), it may have some privacy
> implications since the URL of the page would be sent to a third party against
> the user's wishes.

Okay, I tested this and, unfortunately, you are correct.  There is an undesired conversation with sb.l.google.com in that particular case.  

I went to Options and enabled Phishing Protection and chose Remote Lookups.  After confirming that this brought the alert as expected, I then disabled Phishing Protection by clearing the checkmark via the options panel.  

I then did Start, Run, http://www.volksbank.de.networld.onlineid25147492.moremi3or.biz/vr/ and the alert appeared.  

Wireshark captured the following conversation:


No.     Time        Source                Destination           Protocol Info
    122 19.144923   192.168.177.116       sb.l.google.com       HTTP     GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client=navclient-auto-ffox2.0.0.2&mozver=1.8.1.2-2007021917&encver=1&nonce=1380457&wrkey=MTqVMiu4pq6PMjr-TeknUsZS&encparams=7bJ5Bkxuo0HhKOMIjiEIlj33Rl%2By6C%2BDLsOsbH%2FojNCSi1cbjznzHaSqlQN5Fz4mwghTFmY2r%2FHySpyDfWNoaUHkoV5U5IX7FbswBWKfe9w%3D& HTTP/1.1

Hypertext Transfer Protocol
    GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client=navclient-auto-ffox2.0.0.2&mozver=1.8.1.2-2007021917&encver=1&nonce=1380457&wrkey=MTqVMiu4pq6PMjr-TeknUsZS&encparams=7bJ5Bkxuo0HhKOMIjiEIlj33Rl%2By6C%2BDLsOsbH%2
    Host: sb.google.com\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2\r\n
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    Cookie: [removed by author]
    \r\n



No.     Time        Source                Destination           Protocol Info
    125 19.184894   sb.l.google.com       192.168.177.116       HTTP     HTTP/1.1 200 OK (text/plain)

Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Type: text/plain\r\n
    Content-Encoding: gzip\r\n
    Server: TrustRank Frontend\r\n
    Cache-Control: private, x-gzip-ok=""\r\n
    Content-Length: 31
    Date: Mon, 26 Feb 2007 22:03:59 GMT\r\n
    \r\n
    Content-encoded entity body (gzip): 31 bytes -> 11 bytes
Line-based text data: text/plain

 ... I do want to add that the Wireshark experiment did reveal that I had 5 RSS feeds in the bookmarks toolbar, so -- in addition to the startup timing delays caused by add-ons, these feeds were queried as part of startup, too.

Hope that helps.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID

Updated (Assignee)

4 years ago
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit
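
A check for the leak confirmed in Comment 6, added here as an example (not code from this bug or from Firefox): it reads the boolean prefs from prefs.js text and flags /safebrowsing/lookup requests in a Wireshark-style header dump while browser.safebrowsing.enabled is false. The sample prefs and capture are constructed, the wrkey and encparams values are placeholders, the function names are hypothetical, and a pref missing from prefs.js is assumed to be at its enabled default.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed inputs modelled on the prefs and capture in Comment 6;
# the wrkey/encparams values are placeholders, not real data.
PREFS_JS = '''user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.remoteLookups", true);'''
CAPTURE = r'''GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client=navclient-auto-ffox2.0.0.2&encver=1&nonce=1&wrkey=PLACEHOLDER&encparams=PLACEHOLDER%3D HTTP/1.1
    Host: sb.google.com\r\n
GET /index.rss HTTP/1.1
    Host: feeds.example.test\r\n'''

LOOKUP_HOSTS = {"sb.google.com"}  # Host header seen in the capture
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false)\);')

def read_bool_prefs(text):
    """Return {name: bool} for the boolean user_pref() lines in prefs.js text."""
    return {name: value == "true" for name, value in PREF_RE.findall(text)}

def http_requests(text):
    """Yield (host, target) per GET in a Wireshark-style plain-text header dump."""
    target = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(r"\r\n"):      # Wireshark prints line endings literally
            line = line[:-4]
        if line.startswith("GET "):
            target = line.split()[1]
        elif line.lower().startswith("host:") and target is not None:
            yield line.split(":", 1)[1].strip(), target
            target = None

def unwanted_lookups(prefs_text, capture_text):
    """List per-URL lookups sent while phishing protection is switched off."""
    prefs = read_bool_prefs(prefs_text)
    # Assumption: a pref missing from prefs.js is at its default (enabled).
    if prefs.get("browser.safebrowsing.enabled", True):
        return []
    hits = []
    for host, target in http_requests(capture_text):
        url = urlsplit(target)
        if host in LOOKUP_HOSTS and url.path == "/safebrowsing/lookup":
            query = parse_qs(url.query)
            hits.append({"host": host,
                         "client": query.get("client", [""])[0],
                         "has_encparams": "encparams" in query})
    return hits

if __name__ == "__main__":
    for hit in unwanted_lookups(PREFS_JS, CAPTURE):
        print("lookup sent with protection disabled:", hit)
```

The visited URL travels inside the encrypted encparams value, so a capture can show that a lookup happened but not which page it was about.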