Confirmed users
673
edits
User:DCamp/Malware Security Review: Difference between revisions
User:DCamp/Malware Security Review (view source)
Revision as of 18:44, 22 January 2008
, 22 January 2008→Overview
| Line 16: | Line 16: | ||
= Overview = | = Overview = | ||
Firefox 3's phishing and malware protection is an evolution of Firefox 2's phishing protection. | |||
The url-classifier stores a set of blacklisted fragments. A fragment is one URL fragment containing two or more domain components and some number of path components. | |||
Fragment examples: | |||
* example.com/ | |||
* www.example.com/foo/bar | |||
* www.mail.example.com/mail | |||
A load will be blocked if its URL includes one of these fragments (for example, www.example.com/blah/blah/ will match an example.com/ blacklist). | |||
The fragments are served by the safebrowsing server as truncated SHA256 hashes. In most cases we receive the 32bit prefix of the hash. In some cases (excessive collisions, popular sites) we will receive a longer version of the hash (currently a 128bit prefix). | |||
During lookup, if a 32bit hash prefix match is found, we request the longer version of the hash from the safebrowsing server. The results of the lookup are cached for the lifetime of the original entry. | |||
If an extended hash matches (whether the hash was originally sent as an extended hash, or later extended by a gethash request), we block the page. | |||
== Use Cases == | == Use Cases == | ||