Web forgery and malware protection no longer work after upgrading to Beta 3

RESOLVED WORKSFORME

Product: Toolkit
Component: Safe Browsing
Priority: P2
Severity: critical
Reported: 10 years ago
Modified: 4 years ago
Reporter: Ehsan
Assigned: dcamp
Version: Trunk
Target Milestone: Firefox 3
Platform: x86, Windows Vista
Keywords: regression
Points: ---
Bug Flags: blocking-firefox3 +
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment
(Reporter)

Description

10 years ago
Created attachment 302987 [details]
Screenshot

After I upgraded from Fx3 Beta 2 to Beta 3, the web forgery and malware protection don't seem to work any longer.  Please see the attached screenshot.  The same thing happens on <http://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html> as well.

I inspected the Security settings in the Options window, and I found out that "Check by asking Google about each site I visit" was selected.  I'm not sure if this happened on its own or it was a mistake on my part, but I usually use "Check using a downloaded list of suspected sites" because of privacy concerns.  Switching to "Check using a downloaded list of suspected sites" didn't change anything either.

So, basically, my current Firefox 3 profile is vulnerable to phishing and malware sites.

Please let me know what data I can provide to assist in debugging this.
Flags: blocking-firefox3?
(Reporter)

Comment 1

10 years ago
Getting this on Beta 4 radar...
Target Milestone: --- → Firefox 3 beta4
Comment 2

It's possible that between the two betas you've got to load the new database, and you haven't yet -- although I thought the "it's a trap" and "phish-o-rama" pages were hardcoded in as demonstrations and should work regardless.

http://mxr.mozilla.org/firefox/source/browser/components/safebrowsing/content/phishing-warden.js#70

For me (with a nightly) the its-a-trap page is blocked but the google phish-o-rama page is not.
Assignee: nobody → dcamp
Group: security
Comment 3

kTestUrls isn't used anywhere. See bug 401642 about phish-o-rama.
(Reporter)

Comment 4

10 years ago
(In reply to comment #2)
> It's possible that between the two betas you've got to load the new database,
> and you haven't yet

How should I have reloaded the new database?  Is it something to do manually?  Should the installer have handled it?  Should it happen automatically?

> -- although I thought the "it's a trap" and "phish-o-rama"
> pages were hardcoded in as demonstrations and should work regardless. 
> 
> http://mxr.mozilla.org/firefox/source/browser/components/safebrowsing/content/phishing-warden.js#70

From comment 3, I can tell that this is no longer the case.

> For me (with a nightly) the its-a-trap page is blocked but the google
> phish-o-rama page is not.

I guess it has something to do with the upgrade, because I haven't seen it in nightlies on the same machine.  FWIW, it was an automatic update to Firefox 3 beta 3.
Comment 5

I don't think they should be hard-coded, as it's useful for them to act as tests that we're actually going out to the DB and checking the pages.

We're going to get Google to add them into their DB, I believe, or have Google redirect the phish-o-rama page to our its-a-trap page.

Blocking on ensuring that its-a-trap always works, not sure that I care deeply about phish-o-rama.
Flags: blocking-firefox3? → blocking-firefox3+
Priority: -- → P3
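
The argument in the comment above, as an added example that is not part of the original thread and is not Firefox code: a toy model of the downloaded list showing why a hard-coded test page keeps "passing" when the list is empty, while a test page stored as an ordinary list entry exposes the failure. All function names, the `Set`-based list and the `phish.example` entry are constructed for illustration.

```javascript
// Added illustration: every name here is hypothetical, not Firefox code.
const CANARY = "http://www.mozilla.com/firefox/its-a-trap.html"; // test page named in the thread
const PHISH = "http://phish.example/login";                      // constructed sample entry

// Reduce a URL to the host + path key this toy list stores.
function listKey(url) {
  const u = new URL(url);
  return u.hostname + u.pathname;
}

// Healthy profile: the downloaded list holds the canary and real entries.
const healthyList = new Set([listKey(CANARY), listKey(PHISH)]);
// Profile caught in a database reset: the list is empty.
const emptyList = new Set();

// Design A: the test page is hard-coded and never consults the list.
function checkHardcoded(list, url) {
  return url === CANARY || list.has(listKey(url));
}

// Design B: the test page is an ordinary list entry.
function checkListOnly(list, url) {
  return list.has(listKey(url));
}

// Visiting the canary is the user's only visible signal, so compare what
// it reports with what actually happens to a real listed site.
function probe(check, list) {
  return { canaryBlocked: check(list, CANARY), phishBlocked: check(list, PHISH) };
}

function report() {
  return {
    hardcodedHealthy: probe(checkHardcoded, healthyList),
    hardcodedEmpty: probe(checkHardcoded, emptyList), // canary blocked, phish not: false assurance
    listOnlyHealthy: probe(checkListOnly, healthyList),
    listOnlyEmpty: probe(checkListOnly, emptyList),   // canary not blocked: failure is visible
  };
}

console.log(report());
```
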
Comment 6

To be clear, Ehsan, can you confirm whether:

http://www.mozilla.com/firefox/its-an-attack.html
and
http://www.mozilla.com/firefox/its-a-trap.html

Trigger the warnings for you?

If those two do trigger the warning, then yes, Mike is right, we should use this bug to track progress getting test URLs built right into the blacklist.

If not, then your bug is something else, having to do maybe with the recent removal of the lookup-style ("Ask Google every time") code, though I sort of doubt it.
(Reporter)

Comment 7

10 years ago
(In reply to comment #6)
> To be clear, Ehsan, can you confirm whether:
> 
> http://www.mozilla.com/firefox/its-an-attack.html
> and
> http://www.mozilla.com/firefox/its-a-trap.html
> 
> Trigger the warnings for you?

:-/ Actually, they both seem to trigger the warning now.  Even <http://www.joehewitt.com/> does trigger the warning.  I swear no warning was shown when I filed the bug!  ;-)

There *was* something wrong with malware/forgery protection when I upgraded to Beta 3.  I hate to see this being resolved as WORKSFORME, and leave the hole open in the code, but I can't repro this any more...
Target Milestone: Firefox 3 beta4 → Firefox 3
Dave - is it possible Ehsan just got caught in a DB reset or other wonkiness, and that we can close this WFM with a (reasonably) clear conscience?  I haven't seen other live instances of this elsewhere...

Resolving WFM, please reopen if you can still reproduce.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Priority: P3 → P2
Resolution: --- → WORKSFORME
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit