Closed Bug 532152 Opened 15 years ago Closed 11 years ago

A new anti-phishing mechanism

Categories

(Toolkit :: Safe Browsing, enhancement)


RESOLVED WONTFIX

People

(Reporter: deprecationmail, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; sv-SE; rv:1.9.3a1pre) Gecko/20091127 Minefield/3.7a1pre
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; sv-SE; rv:1.9.3a1pre) Gecko/20091127 Minefield/3.7a1pre

Just to introduce you to the idea before you lose interest, if implemented and used properly, this might stop phishing almost entirely.

While it certainly isn't something I think about often, I was thinking of ways to prevent phishing today and suddenly I had this idea.

Instead of trying to block every phishing site out there through filters and things, I thought, "Let's give the user a chance to protect themselves". As you probably know, no filter for phishing covers 100% of the malicious sites out there, and therefore I propose doing the opposite, with the help of the user.

After all, there are most likely just a few sites that the user is using, where there also are phishing sites the user might stumble upon. Bank sites, e-mail services and social networking to some extent.

And here we go:

What I propose is a list where the user can add entries of their most important sites which require name and password. For example, the user uses the bank "Bankolonia" which can be accessed from the Internet. One day, the user gets an e-mail which supposedly is from Bankolonia stating that they need to enter their details on the site to confirm that they are themselves (or something similar, which is a classic phishing attempt). The user, not being a fully experienced user, enters the site through the e-mail link, and the first thing he/she does is to check the URL bar for a smiley.

That's right, the user has previously entered the address "Bankolonia.com" in the phishing UI control (added with this idea) and if the URL matches, a smiley is shown in the URL bar.

In this case though, there is no smiley icon up there. The user checks the address of the site properly and sees that it says "Bankol0nia.com" instead of "Bankolonia.com".

The user exits the site and has been saved from a phishing attempt.

---------

Well, that's how it is supposed to work. The idea is a bit rough, but it has potential. Two more things that I'd like to add are that, if the idea is implemented, bank sites are likely to recommend Firefox users to enter the site's URL in the phishing UI, which would help this system to a good start. And, for safety, when URLs get added to the list, the URL input should be checked against the list of malicious sites, in case the user spelled the URL wrong or simply is fooled by the malicious site to enter their URL. Firefox should then refuse to add it to the list, and if the user is convinced that the URL is correct, he/she could report it for a closer inspection.
Feedback is highly appreciated. Thanks!

Reproducible: Always
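
The list check proposed in the report, sketched as an added example (not code from Firefox or from the reporter); `TrustedSiteList`, `hostOf` and the sample blocklist are hypothetical names and constructed data. It compares parsed hostnames exactly, so the look-alike from the report and a host that merely contains the trusted name both fail, and it refuses to add an entry that is already on the malicious-site list.

```javascript
// Hypothetical helper: reduce user input or a page URL to a canonical hostname.
// The URL parser lowercases the host and converts IDN labels to punycode.
function hostOf(input) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
  try {
    const url = new URL(hasScheme ? input : "https://" + input);
    return url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  } catch {
    return null; // not parseable as a URL
  }
}

// Hypothetical model of the user-maintained list from the report.
class TrustedSiteList {
  constructor(maliciousHosts) {
    // Stand-in for the browser's list of known malicious sites (constructed data).
    this.blocklist = new Set(maliciousHosts.map(hostOf));
    this.hosts = new Set();
  }

  // Returns "added", "refused" (host is on the malicious list) or "invalid".
  add(input) {
    const host = hostOf(input);
    if (host === null) return "invalid";
    if (this.blocklist.has(host)) return "refused";
    this.hosts.add(host);
    return "added";
  }

  // True only when the page's hostname equals a listed hostname.
  // Substring or prefix matching would also accept hosts that embed the name.
  // Assumption of this sketch: subdomains need their own entry.
  isTrusted(pageUrl) {
    const host = hostOf(pageUrl);
    return host !== null && this.hosts.has(host);
  }
}

// Constructed sample data, using the names from the report.
const sampleList = new TrustedSiteList(["bankol0nia.com"]);
sampleList.add("Bankolonia.com");
for (const page of ["https://bankolonia.com/login",
                    "https://bankol0nia.com/login",
                    "https://bankolonia.com.phish.example/login"]) {
  console.log(page, sampleList.isTrusted(page) ? "indicator shown" : "no indicator");
}
```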
Version: unspecified → Trunk
This could be a good idea for an addon.
Most users who know enough about phishing and URLs don't need the phishing protection. In most cases inexperienced users are only affected by phishing.
Severity: normal → enhancement
Exactly, but that is why I was hoping that activating this should be as common as having anti-virus software. It should be something you always do if you are going to use the computer for bank accessing and accessing e-mail accounts online. If banks started recommending it, I'm sure a lot of people would follow their advice.
What matti is saying is that the average user would never know what a URL is, nor do they care. Having an option would simply confuse and scare users. The point is to have a protection that the user never notices unless it is necessary. Believe me, if you ask users to do something they don't understand, they will either not do it at all, or they will do it incorrectly. Now, for advanced users, this would be great if someone would make an addon.
I agree - addons are a great way to experiment with ideas like this.

I'd also note that the bookmark "star" icon serves many of the goals described here - you can selectively star the pages you know you trust, you can look for the star to be filled in whenever you are at your bank's login page.

Nevertheless - please do build the add on, see what kind of reception you get, and what kind of iteration emerges.
You both have good points and to respond in order:

> What matti is saying is that the average user would never know what a URL is,
> nor do they care. Having an option would simply confuse and scare users.

I partially agree. There are two things to this. There are users who never install addons but surely understand integrated UI options. Therefore, if an addon is successful, a UI integration can be done. The good thing about that is that it will be kept invisible for the average user until he/she is told by a friend to set it, reads about it, or simply finds it when exploring the settings of Firefox. Assuming that people can't enter the same thing in another field as they do in the URL bar is underestimating users.

> I'd also note that the bookmark "star" icon serves many of the goals described
> here - you can selectively star the pages you know you trust, you can look for
> the star to be filled in whenever you are at your bank's login page.

I must admit I've never known surely what happened when I've (accidentally) clicked the star, checked it now and saw that they ended up in an unsorted bookmarks folder. But this is still good for two reasons. The first is that all users who use star as a way of bookmarking will be familiar with this. The other is that it means at least some of the code needed is already done. That is, if addon code and native browser code use the same language etc etc. Which brings us to the last part of this post.

(In reply to comment #4)

> Nevertheless - please do build the add on, see what kind of reception you get,
> and what kind of iteration emerges.

I do not have the knowledge, nor the time to learn (although I really want to) the language used to create addons for Mozilla products. If you do, I would appreciate it if you, or someone else, turned this idea into an (experimental) addon.
Would this be a candidate project for Google summer of code?
I don't see this as a likely solution at this point.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit