Sunday, October 29, 2006

Are anti-phishing tools safe? 

Microsoft's Internet Explorer 7 and Firefox 2.0 both have features that warn you when you visit a web site impersonating your financial institution in order to steal your password.

Which makes us ask, how do they know that you're going to a fake site?

They try to keep a list of web sites being used to impersonate other sites. That raises a problem: phishing sites get shut down pretty quickly, usually within a few days at the outside, so the list is always changing, changing fast, and it's lamentably long.

So the technical answer is to keep the list of crooked web sites someplace central, and have your browser check in with that central place and ask whether the site it's about to visit is on the blacklist.

That's right. All the places you visit, the central site hears about. Do they keep records? If they promise not to, could they change their minds later?

Microsoft has a clear discussion of privacy in IE7's anti-phishing feature, and they do some good things. For one, they don't look at the entire string your browser is sending. If you make a Google query, your search terms are stuck on the end of the URL after a question mark. So if you search for something embarrassing, your browser might ask Microsoft whether "http://www.google.com/search?q=aardvarks+on+spring+break" is safe. Microsoft promises that they'll only look at the "google.com" part. [Actually it won't even get that far, because a list of known good web sites is stored on your machine, so that one would never be sent to Microsoft to be checked.] However, Microsoft will hear about it if you go to http://www.aardvarksonspringbreak.com. If that's a real web site, please don't tell me about it, I don't want to know.

Here's what the anti-phishing feature of IE7 looks like.

Firefox 2.0, if you don't change anything, works off a local list of dangerous web sites. That doesn't protect you against new phishing sites that have only just appeared. You can turn on real-time checking, which uses code contributed by Google and checks your destinations against Google's live list of crooks. Unfortunately, according to one respectable source, Firefox sends the entire browser request to Google. The privacy implications are worse than for the Microsoft product: not only does it report which web site you were on, it reports which page of the site you were looking at, and any searches you make there.
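To make the difference between the two products concrete, here is an added toy model of a real-time blacklist lookup. It is not code from IE7, Firefox, Microsoft or Google, and it is not part of the original post. It shows, for each URL you visit, exactly what string leaves your machine under three disclosure policies: host name only (what the post says Microsoft sees), URL with the query string stripped, and the full URL (what the post says Firefox 2.0 sends). It also models the local "known good" list that lets IE7 skip the remote check altogether. Every host name, the local allow list and the remote blacklist are constructed for the example.

```javascript
// Added illustration, not the browsers' real code: a toy real-time
// phishing-blacklist lookup that records what leaves the machine.

// Constructed local "known good" list. The post describes IE7 keeping
// one on the user's machine so that matches never go out for a check.
const LOCAL_KNOWN_GOOD = new Set(["google.com", "www.google.com"]);

// Constructed remote blacklist, standing in for the central service's
// list of phishing pages. The host is invented (.test TLD).
const REMOTE_BLACKLIST = new Set([
  "http://www.examplebank-login.test/secure/verify.php",
]);

// How much of the URL the remote checker is allowed to see.
const POLICY = {
  HOST_ONLY: "host-only",   // what the post says Microsoft looks at
  NO_QUERY: "strip-query",  // scheme + host + path, query string dropped
  FULL_URL: "full-url",     // what the post says Firefox 2.0 sends
};

// Reduce a URL to the string that would be sent to the remote service.
function minimizeForLookup(rawUrl, policy) {
  const u = new URL(rawUrl);
  switch (policy) {
    case POLICY.HOST_ONLY:
      return u.hostname;
    case POLICY.NO_QUERY:
      return `${u.protocol}//${u.hostname}${u.pathname}`;
    case POLICY.FULL_URL:
      return u.href;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Simulate the browser-side decision. The result carries both the
// verdict and what (if anything) was disclosed, so the privacy cost of
// each policy sits next to the protection it buys.
function checkUrl(rawUrl, policy) {
  const host = new URL(rawUrl).hostname;
  // A hit on the local known-good list short-circuits: nothing is sent.
  if (LOCAL_KNOWN_GOOD.has(host)) {
    return { verdict: "safe", sent: null };
  }
  const sent = minimizeForLookup(rawUrl, policy);
  // The remote side can only match against what it actually received,
  // so its own list is reduced with the same policy before comparing.
  const flagged = [...REMOTE_BLACKLIST].some(
    (bad) => minimizeForLookup(bad, policy) === sent
  );
  return { verdict: flagged ? "phishing" : "unknown", sent };
}

// Stand-alone demonstration on constructed URLs.
for (const policy of Object.values(POLICY)) {
  for (const url of [
    "http://www.google.com/search?q=aardvarks+on+spring+break",
    "http://www.aardvarksonspringbreak.com/forum?topic=3",
    "http://www.examplebank-login.test/secure/verify.php?session=42",
  ]) {
    console.log(policy, "->", JSON.stringify(checkUrl(url, policy)));
  }
}
```

Running it shows the trade-off the post is describing from the other side as well: under the host-only policy the embarrassing forum visit discloses just the host name, while the full-URL policy discloses the page and the query. It also shows why a service might want more than the host: with host-only matching, one phishing page on a shared host flags every page on that host, and with exact full-URL matching a blacklisted page that is visited with an extra query parameter slips through.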

Unless you lead a very boring life and never research embarrassing medical problems online, I'd suggest turning off the real-time anti-phishing features and relying on street smarts instead.

