
Google Goofs On Firefox's Anti-Phishing List 168

Stephen writes "While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea. Today Google blocked a host of legitimate web sites by listing mine.nu. mine.nu is available as a dynamic dns domain and anybody can claim a sub domain. All sub-domains are blocked regardless of whether phishing actually occurs on the sub-domain or not. Several Linux enthusiast sites are caught up in the net including Hostfile Ad Blocking and Berry Linux Bootable CD."
This discussion has been archived. No new comments can be posted.

  • Good idea? (Score:5, Interesting)

    by grasshoppa ( 657393 ) on Sunday September 21, 2008 @03:17PM (#25095549) Homepage

    While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea

    Actually, giving a single company this kind of authority is usually not a bad idea. Spamhaus and email, for example.

    The issue is about trust. Even with this goofup, I trust Google (although their response to this could change that). Hell, I trust MS here too, to a limited extent.

  • first time (Score:5, Interesting)

    by Toveling ( 834894 ) * on Sunday September 21, 2008 @03:29PM (#25095681)
    This is the first time we've heard about Google (or any others) making a bad block. As long as Google fixes this expediently, I'd say that it's an acceptable margin of error and the amount of phishing sites blocked is by far worth it. Now, if wikileaks suddenly gets blocked for 'phishing', something is definitely awry.
  • by caramelcarrot ( 778148 ) on Sunday September 21, 2008 @03:38PM (#25095803)
    Presumably if Google thinks some subdomains are malicious, they actually know which ones are in fact malicious? Owing to the fact that they found them in the first place? I'm wondering if the reason they just blocked the entire domain was because some attackers are just registering lots of subdomains as a fast-flux method.
  • by Anonymous Coward on Sunday September 21, 2008 @03:43PM (#25095863)

    I am not a lawyer, so I should stop now, but I have to suggest that your friend talk to a lawyer regarding this matter. Google could potentially be liable for damages for libel.

  • by ccguy ( 1116865 ) * on Sunday September 21, 2008 @03:43PM (#25095865) Homepage

    Granted, I can see there are opportunities for abuse here, but if the owners of dynamic dns domains don't properly police their "customers" and spammers and/or other malicious websites start using it, then Google has every right to blacklist the entire domain.

    Countries have been banned from sites, email, IRC channels and so on with this argument.

    Just so you know, some ISPs have de facto monopolies in their countries, and everyone there gets the same domain. Any idiot that says 'let's ban *.il, or *.es, because I got 10 spam messages from there' should be fired on the spot.

    In fact, if he works at Google whoever hired him should be fired, too.

  • by Anders ( 395 ) on Sunday September 21, 2008 @03:50PM (#25095929)

    Note that the anti-phishing feature makes Firefox slow [opensuse.org] over time.

  • by CSMatt ( 1175471 ) on Sunday September 21, 2008 @03:52PM (#25095949)

    Putting anti-phishing filters into browsers just shifts the responsibility of good security practices from the user to some blacklisting company. What incentive is there to be wary about suspicious sites if you can count on the almighty Google to hold your hand while you browse the Web? This makes about as much sense as someone installing parental controls in their machine and declaring that their Internet connection is now "kid-friendly."

    I've never had these filters turned on, and I've never exposed my financial data to others by accident. Usually this has something to do with me hovering the mouse over links and checking the URL in the status bar.

  • by Animats ( 122034 ) on Sunday September 21, 2008 @03:54PM (#25095965) Homepage

    If you're serious about blocking phishing sites, you have to accept some collateral damage. Blocking by URL stopped working last year; most attacks have unique URLs now. Many have unique subdomains. So you have to block at the second-level domain level to be effective.

    We publish a list of major domains being exploited by phishing scams. [sitetruth.com] Today, there are 46 domains listed. eBay, for example, is on the list, because eBay has an open redirector exploit. [ebay.com] Click on that URL. It says "ebay.com", right? It looks like eBay, right? It's not.

    On the other hand, "tinyurl.com", which used to be popular with phishers, has been able to get off the blacklist by cracking down on misuse of their service. It's possible to do redirection competently.

    When we started our list last year, it had about 175 exploited domains. After some serious nagging and an article in The Register, we're down to 46. And only 11 have been on the list for more than three months; the others come and go as exploits are reported and holes plugged. So this is a problem that can be solved.

    I'm glad to see Google taking a hard line on this. It's necessary that sites that do redirection feel the pain when they accept redirects to hostile sites. Google can apply much more pain than we can. Few sites will want to be on Google's blacklist for long.
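
An added example (not part of the original thread, and not Google's or Firefox's code) of the trade-off discussed above: blocking at the second-level domain catches unique per-attack subdomains, but on a domain like mine.nu, where anyone can claim a subdomain, it also blocks every unrelated site. The hostnames and the `SHARED_SUFFIXES` set are constructed, and the sketch assumes single-label TLDs where a real implementation would consult the Public Suffix List.

```python
# Added example: how blocklist granularity decides collateral damage.
# All hostnames are constructed; SHARED_SUFFIXES is an assumption standing in
# for a list of domains (like mine.nu) where anyone can claim a subdomain.
SHARED_SUFFIXES = frozenset({"mine.nu"})

REPORTED = ["login.phish-sample.mine.nu", "x7.phish-sample.mine.nu",
            "pay.badshop.example"]
LEGIT = ["linux-mirror.mine.nu", "adblock-hosts.mine.nu", "www.goodshop.example"]


def blocking_unit(host, shared_suffixes=frozenset()):
    """Return the name a blocklist entry for `host` should cover.

    Default: the second-level domain (last two labels; assumes a one-label
    TLD). Under a shared suffix, the unit is one label deeper, so each
    customer subdomain is treated as its own site.
    """
    parts = host.strip().rstrip(".").lower().split(".")
    for i in range(1, len(parts)):
        if ".".join(parts[i:]) in shared_suffixes:
            return ".".join(parts[i - 1:])
    return ".".join(parts[-2:])


def build_blocklist(reported, shared_suffixes=frozenset()):
    """Collapse reported hosts into the set of units to block."""
    return {blocking_unit(h, shared_suffixes) for h in reported}


def is_blocked(host, blocklist, shared_suffixes=frozenset()):
    """True if the unit covering `host` is on the blocklist."""
    return blocking_unit(host, shared_suffixes) in blocklist


def collateral(legit, blocklist, shared_suffixes=frozenset()):
    """Legitimate hosts that the blocklist would also block."""
    return sorted(h for h in legit if is_blocked(h, blocklist, shared_suffixes))


if __name__ == "__main__":
    naive = build_blocklist(REPORTED)
    aware = build_blocklist(REPORTED, SHARED_SUFFIXES)
    print("second-level blocking:", sorted(naive), collateral(LEGIT, naive))
    print("suffix-aware blocking:", sorted(aware),
          collateral(LEGIT, aware, SHARED_SUFFIXES))
```

With the suffix-aware unit, a fresh name such as `new123.phish-sample.mine.nu` is still covered by the single `phish-sample.mine.nu` entry, while the unrelated mine.nu sites stay reachable.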

  • by Anonymous Coward on Sunday September 21, 2008 @03:54PM (#25095969)

    No, Google doesn't filter by IP address. But because the site was hosted on the same server as a bad site it added a URL block for the innocent too. Do you see?

    I don't see. How would Google determine that two sites with different domains are hosted on the same physical server, if not by IP number?

  • by TheDarkener ( 198348 ) on Sunday September 21, 2008 @03:57PM (#25095997) Homepage

    This is something that strikes me as the first time Firefox really pushed something out by default that shouldn't be. Just for one example, people who are on LTSP networks, say, 200 users, will ALL download anti-phishing, anti-malware blacklists from Google, each in their own home directory. There's no way that I know of, anyway, to share this data - SQLite seems to make it impossible. That's the first mistake in creating a compatible, light web browser.

    The second mistake is enabling website blocking based on 3rd party blacklists by default. This is basically Microsoft UI thinking - "You *need* this because you don't know any better." Screw that. I mean, make it a checkbox on setup - "Use Google-provided anti-malware blacklists" Simple as that. I spent weeks trying to find out why, after just a few Firefox instances were launched on an LTSP server, none more would load - part of this was because every user logging in was trying to download the anti-malware stuff from Google, saturating the line, and preventing Firefox from loading for the first time.

    I hope the Firefox devs will take all scenarios into account when making changes. It seems lame that every user needs all of the stuff in places.sqlite. And even if you argue with that, at the LEAST make it cross-DB compatible, so you can put everyone's in a nice big central MySQL database.

  • by HobophobE ( 101209 ) on Sunday September 21, 2008 @05:51PM (#25097071) Homepage

    Having a distributed system where individuals are responsible for rating resources (other individuals, websites, basically _anything_ with a unique ID or URI) would go a long way not just to combat phishing and malware, but other sorts of scams, trolls, etc. I call that system a "reputation system."

    We need a system where I can rate a site as vapid (ie, experts-exchange is a waste of my time in search results) and then people who choose to subscribe to my ratings will see those sites may not be worth their time.

    The key is to make it extensible such that it can encompass the internet at large and even things in real life like menu items in restaurants.

    It's one thing to get feedback about something from one or a handful of people. It is more valuable to have a large graph of opinions which you can prune at will to give you the best information available.

  • by kentsin ( 225902 ) on Sunday September 21, 2008 @08:38PM (#25098323)

    I do not recognize any proof or intention to prove that information is harmful (to a child).

    Never mind, people just use their power. Do you?
