CFA/Security-Research/AntiPhishing


Current Capabilities

  • Tell me if the site I'm visiting is a suspected forgery (phishing), and offer to take the user to a search page to find the real website they were looking for
    • Check using a downloaded list of suspected sites (no visited URLs leave the browser, but the list lags behind newly created phishing sites)
    • Check by asking Google about each site I visit (catches new sites sooner, at the cost of sending every visited URL to Google)

Upcoming Capabilities

  • Highlight the domain name in the address bar URL (FF3)
  • EV certificates (FF3)
    • Clear UI to indicate that the site's identity has been verified
  • Always provide site identity information (FF3)

Features by 3rd parties or other browsers

  • International domain name anti-spoofing - notifies the user when a domain label mixes visually similar characters from different scripts, e.g. Latin and Cyrillic (IE)
  • Address bar protection - every window, including pop-ups, shows an address bar, so a page cannot hide the URL it was loaded from (IE)
  • Microsoft Windows CardSpace (InfoCard) - stores a person's digital identities and provides a unified, secure interface for choosing which identity to use for a particular transaction, such as logging in to a website
  • Web Wallet - integrates security questions into the user's workflow to engage the user and prevent the user from entering information into a phishing web form
  • FirePhish - uses the Open Phishing DB to give the user information and tools for protection against phishing attacks (FF extension)
    • Blinking red warning when entering high-risk, phishing-suspected sites
    • Green frame around the location bar when entering sites on your safe list
  • iTrustPage - anti-phishing tool that prevents users from filling out suspicious web forms and suggests the corresponding legitimate form (FF extension)
  • Security status bar - color-coded notifications appear next to the address bar to notify the user of the website's security and privacy status; the address bar turns green for websites bearing the new High Assurance (EV) certificates (IE7, VeriSign EV Green Bar FF extension)

Additional features

  • OpenID - decentralized single sign-on system; its redirect-based login flow is possibly vulnerable to phishing (a malicious relying party can redirect the user to a lookalike identity provider login page)
  • Safe browsing whitelist
  • Ability to disable AJAX on certain sites; notify the user if asynchronous calls are being made on the user's behalf (FF brainstorm)
  • Phishing protection (FF brainstorm)
    • Make it easier to report phishing sites
    • Implement a phishing filter that learns automatically; integrate with PhishTank
  • Surf-by-IP protection (FF brainstorm)
    • Disallow visiting sites by IP address (an IP literal anywhere in the URL)
    • Allow local LAN IPs

Screenshots

Firefox 2 phishing protection:

[Screenshot: PhishFF2.PNG]

Microsoft Windows CardSpace:

[Screenshot: PhishCardSpace.PNG]

Web Wallet:

[Screenshots: PhishWebWallet.PNG, PhishWebWallet2.PNG]

Conclusions

  • Most users don't know to look at the address bar to judge the legitimacy of a website; among those who do, most don't know what to look for
  • Blacklists have limited usefulness because of the transient nature of phishing sites (average lifetime about 5 days; some last only 6 hours); explore possible implementations of real-time checking that do not violate the user's privacy
  • We should make it difficult to select the "wrong" option, i.e. proceeding to the suspected forgery (smaller text, as in the malware notification mockups)
  • Suggest and provide links to the real site instead of sending people to http://www.google.com/firefox; if that is not feasible, put a search box in place of the link
  • Build support for digital identity cards: CardSpace and OpenID