Thunderbird2:Phishing

From MozillaWiki
Jump to navigation Jump to search
Please do not edit these pages unless you are a member of Team Thunderbird. Your feedback and comments are welcomed on the discussion page.

Tracked by: bug 328749

Design Overview

Objectives

The primary objectives of this project are to:

  • Make it easy for web service extensions to support online phishing detectors with Thunderbird.
  • Leverage the safe browsing phishing detector being added to Firefox2, to ship Thunderbird2 with a phishing detector implementation that supports local and online URL blacklists.

Background

Thunderbird 1.5 contains a simple phishing detector to help protect users against revealing personal information to e-mail scams.

The current implementation uses a set of simple static rules to determine if a URL in a message looks suspicious or not.

These rules look for things like: IP addresses in the host name field, URLs which have different host names than the urls the message shows the user (i.e. the url is http://myevilsite.com but the url text shown to the user is http://ebay.com).

We would like to make it possible for web service extension authors to replace our existing phishing detector with one that can leverage local and online URL blacklists. This requires us to first write a phishing API which can be implemented by the extension authors and which integrates with our existing phishing detector.

We would also like to work with the safe browsing extension for Firefox2, converting its phishing detector to use this API and then making it useable from Thunderbird. I suggest reading the design documentation for safe browsing.

Front End Design

We already have a user interface in Thunderbird 1.5 for presenting messages which could be potential e-mail scams. We plan on leaving this UI intact, focusing our work on re-designing the actual phishing detector engine.

The current UI has two layers of defense:

A large, highly visible status bar across the top of the message indicates that Thunderbird thinks the current message is a potential e-mail scam:

phishingbar.png

If a user then proceeds to click on a link in this message, we bring up an alert prompt which includes some information about why we think the link is suspicious (i.e. it says ebay.com but you are really going to myevilsite.com):

phishingalert.png

The phishing bar is part of the message notification bar associated with each message window.

When a message has been parsed, we update the pishing bar for the current message by calling [1] setPhishingMsg. Currently setPhishingMsg calls isMsgEmailScam which walks through the DOM building up a list of http urls we want to examine. This is where we can tie into an improved phishing service using a phishing service API.

Phishing Service Requirements

Unlike the browser case, with e-mail, we have multiple URLs which have to be examined, any one of which could be a phishing URL. We need the ability to pass in an array of URLs to the service for analysis.

Since the black list could be local or remote, the consumer must be able to handle asynchronous callbacks with the actual results.

Thunderbird's current phishing alert dialog contains some specific information about why we think the URL being clicked on is suspicious. I think this behavior should be removed, replaced with a generic e-mail scam message that is the same for all suspicious URLs. This then simplifies the information we need to get back from the phishing service.

In summary, Thunderbird needs the ability to pass in an array of http URLs to the phishing service, and get called back later with the results.

Retrieved from "https://wiki.mozilla.org/index.php?title=Thunderbird2:Phishing&oldid=18512"