Closed Bug 401642 Opened 17 years ago Closed 16 years ago

Re-add Google Safe Browsing Test Page to test blacklist

Categories

(Toolkit :: Safe Browsing, defect)

defect
Not set
major

RESOLVED INVALID

People

(Reporter: wgianopoulos, Unassigned)

Details

(Keywords: regression)

Phishing protection appears to not work at all. The Google test page for this feature, http://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html, no longer triggers the alert.
Flags: blocking-firefox3?
Blocks: 399233
Keywords: regression
Bill, which build are you using? I'm using the 27th nightly, and it works fine (in that the phishing bubble appears but is hidden by content, which will be fixed in tomorrow's nightly by bug 399233).

Also, have you tried it with the Firefox-specific phishing test page?
http://www.mozilla.com/firefox/its-a-trap.html

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007102705 Minefield/3.0a9pre ID:2007102705
Maybe a dupe of bug 341950?
(In reply to comment #1)
> Bill, which build are you using? I'm using the 27th nightly, and it works fine
> (in that the phishing bubble appears but is hidden by content, which will be
> fixed in tomorrow's nightly by bug 399233).
> 
> Also, have you tried it with the Firefox-specific phishing test page?
> http://www.mozilla.com/firefox/its-a-trap.html
> 
> Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007102705
> Minefield/3.0a9pre ID:2007102705
> 

Yes, it worked fine before the landing of bug 399233. Now it no longer triggers the phishing alert at all, leading me to believe the only thing that triggers the alert is the Firefox-specific test page.
(In reply to comment #2)
> maybe a dupe of bug 341950 ?
> 

This has nothing to do with that bug.
http://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html was previously on a hard-coded list that the safebrowsing code checked separately.

The new code doesn't check this hard-coded list; test URLs are inserted into the database by the component. When this change was made, we only brought over the mozilla.com test URL (http://www.mozilla.com/firefox/its-a-trap.html).
(In reply to comment #5)
> http://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html was
> previously on a hard-coded list that the safebrowsing code checked separately.
> 
> The new code doesn't check this hard-coded list;  Test URLs are inserted into
> the database by the component.  When this change was made, we only brought over
> the mozilla.com test URL (http://www.mozilla.com/firefox/its-a-trap.html).
> 

OK good to know. Closing as INVALID then.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Flags: blocking-firefox3?
(In reply to comment #5)
> http://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html was
> previously on a hard-coded list that the safebrowsing code checked separately.
> 
> The new code doesn't check this hard-coded list;  Test URLs are inserted into
> the database by the component.  When this change was made, we only brought over
> the mozilla.com test URL (http://www.mozilla.com/firefox/its-a-trap.html).
> 

Except for the fact that I don't see anything in the patch that removed this entry from any hard-coded list.  Reopening.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Where is this phishing list? And is it up for trunk builds?
I ask because looking at the links in this bug I'm not getting any warnings:

https://bugzilla.mozilla.org/show_bug.cgi?id=367538#c15

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007102914 Minefield/3.0a9pre Firefox/3.0 ID:2007102914
(In reply to comment #7)
> Except for the fact that I don't see anything in the patch that removed this
> entry from any hard-coded list.  Reopening.

It wasn't removed from a hard-coded list; that hard-coded list is just ignored now (specifically in the part of the patch that emptied out showMessage()).

Most of that code will be going away soon.

The new test blacklist is somewhere around http://mxr.mozilla.org/seamonkey/source/browser/components/safebrowsing/content/malware-warden.js#68.
(In reply to comment #8)

> Where is this Phishing list ? and is it up for Trunk builds ?  

The phishing list is downloaded from Google and is obfuscated (we only get hashes of the URLs, not the URLs themselves).

> I ask because looking at the links in this bug I'm not getting any warnings: 
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=367538#c15

It looks like all of those URLs are 404s or domain squatting now, so they've likely been expired from the phishing list.
OK, as long as the unused code will eventually be removed, I am setting this back to INVALID. No need for extra bloat.
Status: REOPENED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Google's Safe Browsing Test Page has been mentioned many times since phishing protection was added to Firefox, so I think we should continue to support the test page even though we have our own.
Status: RESOLVED → REOPENED
Flags: blocking-firefox3?
Resolution: INVALID → ---
Summary: phishing protection seems to be fundamentally broken → Re-add Google Safe Browsing Test Page to test blacklist
Not a blocker, IMO this is INVALID.
Flags: blocking-firefox3? → blocking-firefox3-
Since my original complaint that the phishing protection is just plain broken seems to have been hijacked to this other issue, I have refiled that as bug 402435 along with an example of a real phishing site that is identified correctly by Firefox 2.0.0.9 and the alpha8 milestone, but not by the current trunk.
In my opinion the entire idea of having the user-exposed test site be hardcoded in a blacklist is brain-damaged.

The good news is the fix can all be made without altering the codebase.

There are 2 problems with the current approach.

1.  On the page http://www.mozilla.com/en-US/firefox/phishing-protection/ the link to the blacklisted site is from the sentence:

You can test the Phishing Protection feature by browsing to this test site.

This certainly implies that if you click on the link and get the "this site was blocked" page, a test has been made of the phishing protection system and it was successful, when in fact the code short-circuited any such test, nothing was tested, and you could very possibly be running with broken phishing protection.

2.  There is only the one url in the blacklist so this test is not particularly localizable.

The fix here is to have google add

 http://www/mozilla/org/firefox/phishing-test/*

to their blacklist database.

Then make a copy of

 http://www.mozilla.com/firefox/its-a-trap.html

and save it as
 
 http://www.mozilla/com/firefox/phishing-test/en-US/its-a-trap.html

Then, change the link in the http://www.mozilla.com/en-US/firefox/phishing-protection/ page to reference this new URL.

This will result in what is advertised to the user as a test actually testing that the browser is properly communicating with the phishing protection server and that the service is end-to-end functional.

Additionally, the new "its-a-trap" page could be modified to include troubleshooting information in case the page does not get blocked.

The current test page as well as its hardcoded blacklist could be left as is so developers can do UI testing independent of the outside service.
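The concern raised in the comment above, that a test entry the client inserts itself is blocked whether or not list updates work, can be shown with a simplified model. This is an added example, not Firefox code and not part of the original comment; the SHA-256 key, `BlocklistStore`, `selfTest`, `runScenario` and the `remote-test.example` URL are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

// Assumption: SHA-256 over lowercased host + path stands in for the real
// canonicalization and hashing scheme, which the page does not describe.
function urlKey(url) {
  const u = new URL(url);
  return createHash("sha256").update(u.hostname.toLowerCase() + u.pathname).digest("hex");
}

class BlocklistStore {
  constructor() {
    this.entries = new Map(); // hash -> "local-test" | "remote"
    this.remoteUpdateOk = false;
  }
  // Test entries the client writes into its own database.
  insertLocalTestUrl(url) {
    this.entries.set(urlKey(url), "local-test");
  }
  // fetchHashes is a hypothetical callback returning hashes from the list server.
  applyRemoteUpdate(fetchHashes) {
    try {
      for (const h of fetchHashes()) this.entries.set(h, "remote");
      this.remoteUpdateOk = true;
    } catch (err) {
      this.remoteUpdateOk = false; // update path broken; local entries remain
    }
  }
  lookup(url) {
    return this.entries.get(urlKey(url)) || null;
  }
}

// A test page only proves the end-to-end path if its entry arrived remotely.
function selfTest(store, url) {
  const source = store.lookup(url);
  return { blocked: source !== null, source, provesRemotePath: source === "remote" };
}

const LOCAL_TEST = "http://www.mozilla.com/firefox/its-a-trap.html"; // from the page
const REMOTE_TEST = "http://remote-test.example/phishing-test/en-US/its-a-trap.html"; // constructed
function runScenario(remoteWorks) {
  const store = new BlocklistStore();
  store.insertLocalTestUrl(LOCAL_TEST);
  store.applyRemoteUpdate(() => {
    if (!remoteWorks) throw new Error("list server unreachable");
    return [urlKey(REMOTE_TEST)];
  });
  return { local: selfTest(store, LOCAL_TEST), remote: selfTest(store, REMOTE_TEST) };
}
```

With `runScenario(false)` the locally inserted page is still blocked while the remotely delivered one is not, which is the case where a user sees a passing test with no working list updates.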
@Tony: Can Google fix this bug?
It looks like http://www.mozilla.com/en-US/firefox/phishing-protection/ no longer points to http://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html.  It currently points to http://www.mozilla.com/firefox/its-a-trap.html, which seems to work fine in Firefox 3.  Since I don't see any Firefox 3 pages linking to the old google.com test page, I don't think this bug is valid anymore.

People who happen to still be using an older version of Firefox or Google Toolbar should still be able to use the google.com test page.
Status: REOPENED → RESOLVED
Closed: 17 years ago → 16 years ago
Resolution: --- → INVALID
Product: Firefox → Toolkit