Security/Safe Browsing/Password phishing

From MozillaWiki
Jump to: navigation, search

Implementation of a new Safe Browsing service for the prevention of password phishing.

Sub-tasks

The work is split across seven tasks.

Prep Work

  • Pref to turn password phishing on/off
  • Download the whitelist locally.
  • Basic ThreatHit API
  • Dummy login reputation component
  • Update of the bundled protobuf library
Full Query
ID Summary Priority Status Resolution Assigned to
1384753 Move csd.proto into a common Safe Browsing directory and update it P2 RESOLVED FIXED Dimi Lee [:dimi][:dlee]
1411861 Update csd.proto to support login reputation P2 RESOLVED FIXED Dimi Lee [:dimi][:dlee]
1385461 Update our bundled copy of the protocol buffers library P1 RESOLVED FIXED François Marier [:francois]
1385484 Add the login reputation whitelist behind prefs P2 RESOLVED FIXED François Marier [:francois]
1411450 Remove static constructors from protobuf -- RESOLVED FIXED François Marier [:francois]
1351147 Support v4/ThreatHit request in Safe Browsing V4 P2 RESOLVED FIXED Thomas Nguyen

6 Total; 0 Open (0%); 6 Resolved (100%); 0 Verified (0%);


Content Integration

  • Add a trigger when a password field is focused.
  • Check these URLs against the local whitelist.
  • Whitelist coverage telemetry
Full Query
ID Summary Priority Status Resolution Assigned to
1407878 Add a trigger when a password field is focused P2 RESOLVED FIXED Dimi Lee [:dimi][:dlee]
1407879 Check password field url against the local whitelist P2 RESOLVED FIXED Dimi Lee [:dimi][:dlee]
1422671 Add telemetry for login reputation service P2 RESOLVED FIXED Dimi Lee [:dimi][:dlee]
1425168 Cache login reputation query P3 NEW

4 Total; 1 Open (25%); 3 Resolved (75%); 0 Verified (0%);


Ship ThreatHit

  • Manual testing with Google
    • work with Google to figure out a testing strategy.
  • Add region code ThreatHit
  • Add rotating user ID to ThreatHit
  • Stand up a proxy server
  • Update privacy policy for ThreatHit
  • Checkbox on the Safe Browsing warning pages:
Full Query
ID Summary Priority Status Resolution Assigned to
1421096 Safe Browsing proxy -- RESOLVED WONTFIX Chris Kolosiwsky [:ckolos]
1414051 Complete an end-to-end test of the TheatHit API P1 RESOLVED FIXED François Marier [:francois]
1421803 ThreatHit requests are sent too early P1 RESOLVED FIXED François Marier [:francois]
1372456 Map between ISO 3166 country code and UN M.49 region code P3 NEW
1385156 Add report checkbox on Safe Browsing warning pages P3 NEW
1387364 Add Safe browsing Unique ID stable over a week or two P3 NEW
1414056 Proxy requests to the Safe Browsing client reporting endpoint P3 NEW

7 Total; 4 Open (57.14%); 3 Resolved (42.86%); 0 Verified (0%);


Server Lookups

  • Prepare requests to the server backend
  • Parse server responses
  • Verdict statistics in telemetry
  • Add lookup API in about:url-classifier
Full Query
ID Summary Priority Status Resolution Assigned to
1384751 Add login reputation queries to about:url-classifier P3 NEW
1413732 Query the login reputation service P3 NEW

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Caching

  • Persistent verdict cache
Full Query
ID Summary Priority Status Resolution Assigned to
1416647 Support verdict cache for password phishing P3 NEW

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Whitelisting

  • Trust-based whitelisting heuristics
  • Whitelisting statistics in telemetry
Full Query
ID Summary Priority Status Resolution Assigned to
1416653 Support trust-based whitelisting heuristics P3 NEW

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


User Interface

  • Design for the warning UI on Desktop and Fennec
  • Warning UI on Desktop
  • Warning UI on Fennec
  • Warning UI telemetry
  • Update privacy policy for password phishing
  • UI pref on Desktop
Full Query
ID Summary Priority Status Resolution Assigned to
1408561 Design for the password phishing UI P5 UNCONFIRMED
1413389 Integrate login reputation query result with UI to show warning message accordingly P5 RESOLVED WONTFIX

2 Total; 1 Open (50%); 1 Resolved (50%); 0 Verified (0%);