Thunderbird2:Phishing

From MozillaWiki
Jump to: navigation, search
Please do not edit these pages unless you are a member of Team Thunderbird. Your feedback and comments are welcomed on the discussion page.

Tracked by: bug 328749

Design Overview

Objectives

The primary objectives of this project are to:

  • Make it easy for web service extensions to support online phishing detectors with Thunderbird.
  • Leverage the safe browsing phishing detector being added to Firefox2, to ship Thunderbird2 with a phishing detector implementation that supports local and online URL blacklists.

Background

Thunderbird 1.5 contains a simple phishing detector to help protect users against revealing personal information to e-mail scams.

The current implementation uses a set of simple static rules to determine if a URL in a message looks suspicious or not.

These rules look for things like: IP addresses in the host name field, URLs which have different host names than the urls the message shows the user (i.e. the url is http://myevilsite.com but the url text shown to the user is http://ebay.com).

We would like to make it possible for web service extension authors to replace our existing phishing detector with one that can leverage local and online URL blacklists. This requires us to first write a phishing API which can be implemented by the extension authors and which integrates with our existing phishing detector.

We would also like to work with the safe browsing extension for Firefox2, converting its phishing detector to use this API and then making it useable from Thunderbird. I suggest reading the design documentation for safe browsing.

Front End Design

We already have a user interface in Thunderbird 1.5 for presenting messages which could be potential e-mail scams. We plan on leaving this UI intact, focusing our work on re-designing the actual phishing detector engine.

The current UI has two layers of defense:

A large, highly visible status bar across the top of the message indicates that Thunderbird thinks the current message is a potential e-mail scam:

phishingbar.png

If a user then proceeds to click on a link in this message, we bring up an alert prompt which includes some information about why we think the link is suspicious (i.e. it says ebay.com but you are really going to myevilsite.com):

phishingalert.png

The phishing bar is part of the message notification bar associated with each message window.

When a message has been parsed, we update the pishing bar for the current message by calling [1] setPhishingMsg. Currently setPhishingMsg calls isMsgEmailScam which walks through the DOM building up a list of http urls we want to examine. This is where we can tie into an improved phishing service using a phishing service API.

Phishing Service Requirements

Unlike the browser case, with e-mail, we have multiple URLs which have to be examined, any one of which could be a phishing URL. Furthermore, in the case of e-mail, these URLs aren't actually being loaded until the user clicks on them so the phishing service can't rely on watching http requests.

We need the ability to pass in an array of URLs to the service for analysis.

Since the black list could be local or remote, the consumer must be able to handle asynchronous callbacks with the actual results.

Thunderbird's current phishing alert dialog contains specific information about why we think the URL being clicked on is suspicious. I think this behavior should be removed, replaced with a generic e-mail scam message that is the same for all suspicious URLs (this is what safe browsing does I believe). This then simplifies the information we need to get back from the phishing service.

In summary, Thunderbird needs the ability to pass in an array of http URLs, getting called back asynchronously with the results.

NOTE: If we only care about the local black lists and white lists, the interaction with the lists don't have to be asynch. I think this requirement can go away

Safe Browsing Extension

Phishing protection is a new feature for Firefox2, and to that end, a lot of work is happening with the safe browsing extension which recently landed on the mozilla trunk. The safe browsing extension already implements local and online URL blacklists. We should be able to abstract out enough of it to become the basis for a phishing detector used by Firefox and Thunderbird.

The safe browising documentation talks about the existing abstraction layers.

What work would we need to do to so Thunderbird could leverage this work as well?

  • Presumably we would want to separate out the ListManager, TRTables and other code used to maintain and update the black list tables. Provide a public API for interacting with these elements.
  • We need the ability to build just the phishing service without bringing in the browser UI and the browser specific abstraction layers (browser view, controller, displayer, etc).

I'm sure there are more issues to think about here. But this is a start.

Open Issues

  • Instead of making other web service extensions re-implement the phishing service, maybe we can just make the safe browsing phishing service support other providers (by changing the URLs used?)
  • Privacy policy if users turn on the online black listing.
  • What about adding the ability to report phishing scams? I think we should skip this for our intial implementation.