Security/Safe Browsing/Password phishing
Implementation of a new Safe Browsing service for the prevention of password phishing.
Sub-tasks
The work is split across seven tasks.
Prep Work
- Pref to turn password phishing on/off
- Download the whitelist locally.
- Basic ThreatHit API
- Dummy login reputation component
- Update of the bundled protobuf library
ID | Summary | Priority | Status | Resolution | Assigned to |
---|---|---|---|---|---|
1384753 | Move csd.proto into a common Safe Browsing directory and update it | P2 | RESOLVED | FIXED | Dimi Lee [:dimi] |
1411861 | Update csd.proto to support login reputation | P2 | RESOLVED | FIXED | Dimi Lee [:dimi] |
1385461 | Update our bundled copy of the protocol buffers library | P1 | RESOLVED | FIXED | François Marier [:francois] |
1385484 | Add the login reputation whitelist behind prefs | P2 | RESOLVED | FIXED | François Marier [:francois] |
1411450 | Remove static constructors from protobuf | -- | RESOLVED | FIXED | François Marier [:francois] |
1351147 | Support v4/ThreatHit request in Safe Browsing V4 | P2 | RESOLVED | FIXED | Thomas Nguyen (:tnguyen) |
6 Total; 0 Open (0%); 6 Resolved (100%); 0 Verified (0%);
Content Integration
- Add a trigger when a password field is focused.
- Check these URLs against the local whitelist.
- Whitelist coverage telemetry
ID | Summary | Priority | Status | Resolution | Assigned to |
---|---|---|---|---|---|
1407878 | Add a trigger when a password field is focused | P2 | RESOLVED | FIXED | Dimi Lee [:dimi] |
1407879 | Check password field url against the local whitelist | P2 | RESOLVED | FIXED | Dimi Lee [:dimi] |
1422671 | Add telemetry for login reputation service | P2 | RESOLVED | FIXED | Dimi Lee [:dimi] |
1425168 | Cache login reputation query | P3 | NEW | ||
4 Total; 1 Open (25%); 3 Resolved (75%); 0 Verified (0%);
Ship ThreatHit
- Manual testing with Google
- Work with Google to figure out a testing strategy.
- Add region code ThreatHit
- Add rotating user ID to ThreatHit
- Stand up a proxy server
- Update privacy policy for ThreatHit
- Checkbox on the Safe Browsing warning pages:
ID | Summary | Priority | Status | Resolution | Assigned to |
---|---|---|---|---|---|
1421096 | Safe Browsing proxy | -- | RESOLVED | WONTFIX | Chris Kolosiwsky [:ckolos] (ckolos has left the building) |
1414051 | Complete an end-to-end test of the ThreatHit API | P1 | RESOLVED | FIXED | François Marier [:francois] |
1421803 | ThreatHit requests are sent too early | P1 | RESOLVED | FIXED | François Marier [:francois] |
1372456 | Map between ISO 3166 country code and UN M.49 region code | P3 | NEW | ||
1385156 | Add report checkbox on Safe Browsing warning pages | P3 | NEW | ||
1387364 | Add Safe browsing Unique ID stable over a week or two | P3 | NEW | ||
1414056 | Proxy requests to the Safe Browsing client reporting endpoint | P3 | NEW | ||
7 Total; 4 Open (57.14%); 3 Resolved (42.86%); 0 Verified (0%);
Server Lookups
- Prepare requests to the server backend
- Parse server responses
- Verdict statistics in telemetry
- Add lookup API in about:url-classifier
ID | Summary | Priority | Status | Resolution | Assigned to |
---|---|---|---|---|---|
1384751 | Add login reputation queries to about:url-classifier | P5 | NEW | ||
1413732 | Query the login reputation service | P5 | NEW | ||
2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Caching
- Persistent verdict cache
ID | Summary | Priority | Status | Resolution | Assigned to |
---|---|---|---|---|---|
1416647 | Support verdict cache for password phishing | P5 | NEW | ||
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Whitelisting
- Trust-based whitelisting heuristics
- Whitelisting statistics in telemetry
ID | Summary | Priority | Status | Resolution | Assigned to |
---|---|---|---|---|---|
1416653 | Support trust-based whitelisting heuristics | P5 | NEW | ||
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
User Interface
- Design for the warning UI on Desktop and Fennec
- Warning UI on Desktop
- Warning UI on Fennec
- Warning UI telemetry
- Update privacy policy for password phishing
- UI pref on Desktop
ID | Summary | Priority | Status | Resolution | Assigned to |
---|---|---|---|---|---|
1408561 | Design for the password phishing UI | P5 | UNCONFIRMED | ||
1413389 | Integrate login reputation query result with UI to show warning message accordingly | P5 | RESOLVED | WONTFIX | |
2 Total; 1 Open (50%); 1 Resolved (50%); 0 Verified (0%);