Staying °ÂÁ´¤Ê From Phishing With Firefox - Discussion

It's A Spec

The Staying °ÂÁ´¤Ê page is really a spec. It's what we'd like to be able to say to people and have them be fully Êݸ¤ëd from phishing.

It's my ¸«²ò¡Ê¤ò¤È¤ë¡Ë that »ÈÍѼÔs should have to do the ºÇ¾®¸Â work possible to Êݸ¤ë themselves. I don't think it's an achievable goal to say that they should do no work at all, so the Staying °ÂÁ´¤Ê page ÌÀ¼¨¤¹¤ës my ¸«²ò¡Ê¤ò¤È¤ë¡Ë of what that ºÇ¾®¸Â ÎÌ of work should be. Our °ÂÁ´ À®²Ì¡¿ÅØÎÏs should be directed at making sure it remains true.

Several important things follow from this ¸«²ò¡Ê¤ò¤È¤ë¡Ë:

• Anything we can do to ¸º¤º¤ë the ÎÌ of work is a good thing.
• Any bug or problem which makes that advice not true should be °·¤¦¡¿¼£ÎŤ¹¤ëd with the ºÇÂç¤Î ¿¿ÌÌÌܤµ. That's why the ºÇ¶á¤Î IDN homograph attacks are so ÀøºßŪ¤Ë worrying - they mean that if you look at the °ÂÁ´ UI, it looks ¸¢Íø but you are ¸½¼Â¤Ë on the wrong ¾ì½ê¡¿°ÌÃÖ.
• Any UI we Äɲ乤ë to Firefox which makes that work more Ê£»¨¤Ë¤¹¤ëd without Áý²Ã¤¹¤ëing °ÂÁ´ is a bad idea. Even if it Áý²Ã¤¹¤ës °ÂÁ´, we should try and find a way to do it without Áý²Ã¤¹¤ëing the work.

How It ºîÉÊ

In Firefox, the status ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È is always-on; it can't be ̵ǽ¤Ë¤¹¤ëd by a web page author.

¸½ºß¡¿°ìÈ̤Ë, most phishes are ¤ä¤á¤ë Å·Á³¤Î¤Þ¤Þ. They don't even use SSL. So, the °ÂÁ´ UI will be ´°Á´¤Ë absent. ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of visual difference, this is Â絬ÌϤÊ. If a »ÈÍÑ¼Ô even ¤Á¤é¤ê¤È¸«¤ë¤³¤Ès, they can't fail to notice the absence of the domain and the lock. Èó¡¤ÉÔ¡¤Ìµ-SSL phishing can't fool anyone who follows this advice.

If phishers start using SSL, things get both better and worse. On the downside, the »ÈÍÑ¼Ô then has to carefully check the »Ø̾¤¹¤ë and know it's wrong. That's not so much worse. On the upside, the phisher has had to ŬÍѤ¹¤ë for a ¾ÚÌÀ½ñ and so hopefully the CA can ¼è¤ê¾Ã¤¹ it, and Àפò¤Ä¤±¤ë them É餫¤¹¡¿·âÄƤ¹¤ë through the ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë they submitted that the CA Ω¾Ú¤¹¤ëd.

Possible È¿ÂÐs

What if a ¹çˡŪ ¾ì½ê¡¿°ÌÃÖ doesn't use SSL?

If a ¾ì½ê¡¿°ÌÃÖ has a login which gives Àܶá to money, it should be. That's a bug in the ¾ì½ê¡¿°ÌÃÖ.

Status

As far as I know, apart from the homograph attacks (which, at the moment, have not been seen in the wild), the advice is ¸½ºß¡¿°ìÈÌ¤Ë true.

I'm probably wrong about this. If I am, I want to know about it.