Staying Safe From Phishing With Firefox - Discussion
It's A Spec
The Staying Safe page is really a spec. It's what we'd like to be able to say to people and have them be fully protected from phishing.
It's my view that users should have to do the minimum work possible to protect themselves. I don't think it's an achievable goal to say that they should do no work at all, so the Staying Safe page specifies my view of what that minimum amount of work should be. Our security efforts should be directed at making sure it remains true.
Several important things follow from this view:
- Anything we can do to reduce the amount of work is a good thing.
- Any bug or problem which makes that advice not true should be treated with the utmost seriousness. That's why the recent IDN homograph attacks are so potentially worrying - they mean that if you look at the security UI, it looks right but you are actually on the wrong site.
- Any UI we add to Firefox which makes that work more complicated without increasing security is a bad idea. Even if it increases security, we should try and find a way to do it without increasing the work.
How It Works
In Firefox, the status bar is always-on; it can't be disabled by a web page author.
Currently, most phishes are quite crude. They don't even use SSL. So, the security UI will be completely absent. In terms of visual difference, this is massive. If a user even glances, they can't fail to notice the absence of the domain and the lock. Non-SSL phishing can't fool anyone who follows this advice.
If phishers start using SSL, things get both better and worse. On the downside, the user then has to carefully check the name and know it's wrong. That's not so much worse. On the upside, the phisher has had to apply for a certificate and so hopefully the CA can revoke it, and track them down through the information they submitted that the CA verified.
- What if a legitimate site doesn't use SSL?
- If a site has a login which gives access to money, it should be. That's a bug in the site.
As far as I know, apart from the homograph attacks (which, at the moment, have not been seen in the wild), the advice is currently true.
I'm probably wrong about this. If I am, I want to know about it.