Phishing Protection

From MozillaWiki
Jump to: navigation, search

Note: The Safe Browsing feature in Firefox has been renamed to Phishing Protection, but it's still now as Safe Browsing internally.

Overview

Google Safe Browsing was an anti-phishing extension released by Google on labs.google.com in December 2005. Google has released this extension to the Mozilla Foundation under MPL 1.1/GPL 2.0/LGPL 2.1 in order that it might be used as part of Firefox if desired.

We've landed this change on the trunk as a global extension as of 7 March 2006. The next steps are to figure out whether this is something we want to use as the base for an anti-phishing feature in Firefox. Of course, whether it is enabled or even shipped is still a matter for discussion, as is the final form the extension might take, its UI, the way users opt-in, and the like.

You can read the discussion that lead up to to its integration in https://bugzilla.mozilla.org/show_bug.cgi?id=329292

Prefs

  • browser.safebrowsing.debug: show debugging info from the JavaScript list update code on the command line
  • browser.safebrowsing.enabled: enable phishing protection
  • browser.safebrowsing.gethashURL: server endpoint for completions of malware and phishing lists
  • browser.safebrowsing.id: what SAFEBROWSING_ID in gethashURL and updateURL maps to
  • browser.safebrowsing.malware.enabled: enable malware protection
  • browser.safebrowsing.malware.reportURL: probably unused
  • browser.safebrowsing.reportMalwareMistakeURL: destination for the "This isn't an attack site" button (after ignoring the interstitial warning)
  • browser.safebrowsing.reportPhishMistakeURL: destination for the "This isn't a web forgery" button (after ignoring the interstitial warning)
  • browser.safebrowsing.reportPhishURL: destination for the "Help | Report Web Forgery" menu item
  • browser.safebrowsing.updateURL: server endpoint for malware and phishing list updates
  • urlclassifier.disallow_completions: list of tables for which we never call gethash
  • urlclassifier.gethashnoise: the number of fake entries to add to any gethash calls
  • urlclassifier.malwareTable: list of tables to use when looking for malware (they need to be named *-malware-* or *-unwanted-*)
  • urlclassifier.max-complete-age
  • urlclassifier.phishTable: list of tables to use when looking for phishing (they need to be named *-phish-*)

Documentation

Engineering

Product/Component: Toolkit/Safe Browsing

  • Tracking bug
  • The Firefox implementation is split into a few parts:
    • browser/components/safebrowsing/
    • netwerk/base/nsChannelClassifier
    • toolkit/components/url-classifier/ (includes the list manager)
  • Local store is in:
    • ~/.cache/mozilla/firefox/XXXX/safebrowsing/ on Linux
    • ~/Library/Caches/Firefox/Profiles/XXXX/safebrowsing/ on Mac
  • itisatrap.org test pages
  • Telemetry dashboard

Code walkthrough

Both nsBaseChannel::Open() and nsBaseChannel::AsyncOpen() ask for the channel to be "classified" by nsChannelClassifier. There is also a local-only classification that is requested by tracking protection.

The classifier determines the type of URL that it is and then returns the appropriate NS_ERROR code. That causes the channel to be cancelled with that error code.

When the classification state of the page changes, the appropriate UI is shown.

QA

To turn on debugging output, export the following environment variable:

NSPR_LOG_MODULES="UrlClassifierDbService:5,UrlClassifierStreamUpdater:5,nsChannelClassifier:5"