Security/Safe Browsing: Difference between revisions

From MozillaWiki
Line 14: Line 14:
safebrowsing is enabled by default on the MOZILLA_1_8_BRANCH and trunk.  You can enable/disable it in the Options dialog in the Security tab.
safebrowsing is enabled by default on the MOZILLA_1_8_BRANCH and trunk.  You can enable/disable it in the Options dialog in the Security tab.


If you wish to see debugging output, open <code>toolkit/components/url-classifier/src/nsUrlClassifierLib.js</code> and set <code>G_GDEBUG</code> to true
If you wish to see debugging output, open <code>toolkit/components/url-classifier/src/nsUrlClassifierLib.js</code> and set <code>G_GDEBUG</code> to true.


== Design Doc ==
== Design Doc ==

Revision as of 21:22, 13 February 2007

Name Change

Note: Safe Browsing has been renamed to Phishing Protection.

Overview

Google Safe Browsing was an anti-phishing extension released by Google on labs.google.com in December 2005. Google has released this extension to the Mozilla Foundation under MPL 1.1/GPL 2.0/LGPL 2.1 in order that it might be used as part of Firefox if desired.

We've landed this change on the trunk as a global extension as of 7 March 2006. The next steps are to figure out whether this is something we want to use as the base for an anti-phishing feature in Firefox. Of course, whether it is enabled or even shipped is still a matter for discussion, as is the final form the extension might take, its UI, the way users opt-in, and the like.

You can read the discussion that led up to its integration in https://bugzilla.mozilla.org/show_bug.cgi?id=329292

How to Enable

Safe Browsing is enabled by default on the MOZILLA_1_8_BRANCH and trunk. You can enable/disable it in the Options dialog in the Security tab.

If you wish to see debugging output, open toolkit/components/url-classifier/src/nsUrlClassifierLib.js and set G_GDEBUG to true.

Design Doc

Phishing Protection: Design Documentation

Server Spec

Phishing Protection: Server Spec

Client Spec

Phishing Protection: Client Spec

Source Code

The original extension code is in: http://lxr.mozilla.org/seamonkey/source/extensions/safe-browsing

Bug 337336 is for removing it since we've moved into the core browser.

For integration with Firefox, the code from the extension is broken into two parts:

  • http://lxr.mozilla.org/seamonkey/source/browser/components/safebrowsing/
  • http://lxr.mozilla.org/seamonkey/source/toolkit/components/url-classifier/

The browser component contains the Phishing Warden, Controller, Browser View and Displayer described in the Major Abstractions section of the Phishing Protection: Design Documentation page. The toolkit component contains the ListManager and TRTables.

Major Open Issues

  • How (if at all) does the extension get enabled? What language to use to inform users of the privacy implications? How do they opt?
  • Content: is the branding OK? Is the language? Do we want to tweak the warning?
  • UI: Where's the most appropriate place for (1) the preferences (2) the test page and (3) the report-a-phishing-link functionality?
  • Ability to switch to other providers (need UI for it, need a bit of refactoring, etc.)
  • Break into separate service and UI pieces?

TODO: expand, file bugs

Important Bugs

Other Bugs or Potential Improvements

These are filed as bugs under Firefox / Safe Browsing.

Contacts

All the following are at g o o g l e d o t c o m

primary: niels, tc, fritz

secondary: sullivan, brakowski (product manager)