Is Firefox 2.0 a Google Mole?

33 comments

The newest version of Firefox intends to have a Google spying mechanism built into the browser.

Anti-phishing capability, which Mozilla has branded "Safe Browsing," is one of the marquee features in Firefox 2.0 and one of the reasons a third alpha is necessary. Now baked into Firefox 2.0 alpha 3, Google Safe Browsing is triple-licensed under the Mozilla Public License (MPL) 1.1, the GPL 2.0 and the LGPL.

Safe Browsing inspects a visited site against a regularly updated list of known phishing sites. The list of phishing sites may be downloaded automatically within the browser or can optionally be checked against Google's online list of known miscreants.

A while ago I noticed the new IE beta labeled one of my sites as a risky potential phishing site (although it had nothing but a general search box on it). Does Google consider you a miscreant? What happens if they do? Imagine if these companies ever compete in your market and accidentally destroy your brand. How much can we trust the new gatekeepers?

Comments

Google Please Keep Out

You know some people really know how to f*ck something good up. Mozilla please don't force something down my throat even if you think it's "good for me" or makes my "browsing experience" better. I'm a big boy and can make my own decisions thank you. At the very least allow me to turn it off.

Firefox is one of the most powerful and useful tools for a power user who spends a tremendous amount of time and works online, and the spectre of "spying" or "aggregating" my browsing history just completely kills it for me.

No need ...

... for this BS. The Netcraft already does this job very well, has nice additional features, and is opt-in.

MoFo Totally Bought Out

MoFo, the apt abbreviation for the Mozilla Foundation, has been thoroughly bought out even before Firefox became the "standard."

Back in the day, Firefox was merely supposed to be a GUI shell with "extensions" around Mozilla and would eventually be co-opted back in to the main browser. Thunderbird started as a complete rewrite of Mozilla Mail which it really needed, but nothing was ever wrong w/ the Mozilla browser in itself.

Then the main developer of Firefox got greedy. Not only was he being paid by MoFo to dev firefox full time, he put an affiliate GOOG link on the browser and heralded it "quick search bar". Unbeknownst to the rest of us plebeians, even in the developer community (such as myself), this freak was earning upwards of 30 to 50% commission every time someone clicked on an advert using this browser.

The news hit the other MoFo coders like a ton of bricks: You mean, we did all that code for all those years for free while this guy scams people by secretly colluding with Google?!

The idea -- and official plans -- were for Firebird and Thunderbird to remerge with Mozilla as 99% of the code people *REALLY* care about is the Gecko (X)HTML rendering engine, and that is what required the most skill. But these firefox coders, all three of them, they were rank amateurs. First thing they did was snub their noses at Mozilla's developer hierarchy system and then at their code testing processes. The result? I had to go out and buy 1 GB of RAM just for Firefox. As have millions of others, probably. Firefox's GUI is *not* the most complicated part, that is Gecko, and they don't touch gecko, they just use it like a parasite.

Well, all the MoFo devs got pissed off and said, we're going to implement the features of Firefox in a clear consistent way, but GOOG shouted NOOOOOOOOO. So, MoFo denies these devs the right and forces their hand by officially ending the Mozilla browser, about a year ago. No bother, these devs start out and create the project SeaMonkey, which I am using now.

Firefox has technically forked two times; flock is the new bastard child. They're technically just as bad imho because they side with Yahoo. But MoFo started going bad when GOOG money started pouring into their coffers. That GOOG money is worth $170 million a year; now wouldn't you welcome your new GOOG overlords at that price?

Download firefox; go ahead, grab that carrot; you might not like the dark little box you find yourself trapped in when GOOG becomes the explicit capstone of the Panopticon.

Guess I'll be keeping my 1.5

Guess I'll be keeping my 1.5 install file. I never thought I'd see the day that I'd consider refusing a Firefox upgrade.

That's interesting, Aaron.

That's interesting, Aaron. I'd like to know how Google comes up with its list of phishing sites.

I'm sure they crawl sites to get the information, so what triggers the machine to say "This site is a phishing site" ?

>Google's online list of

>Google's online list of known miscreants

where is that?

corrupt

So firefox is a corrupt browser, in a worse sense than IE?

I hope you can justify those claims hopeseekr, as it's the first time I hear that story, and it sounds very serious and pretty uncomfortable to me. I can easily imagine others that would want to put a few hooks in the browser for a modest lump sum.

I am just now trying to find out what this SeaMonkey is, and I've found this SeaMonkey Mozilla wiki page which describes it as an "all-in-one internet application suite".

I must say that this is exactly what I don't want as I want a browser for my browsing, an email client for my email, etc.

Further, the SeaMonkey FAQ states that "the SeaMonkey Suite is a Mozilla Foundation project" so by using that aren't you just supporting the same allegedly corrupt organization?

Time to try Opera again perhaps?

----
Added: That Google is interested in clickstream data isn't new, any online advertising agency would want that information. But if it is true that you can buy FF developers as an advertising agency... well...

When did this site turn into Digg?

Sensational headlines and kneejerk comments? Sweet.

My web browser checks the authenticity of any SSL certificates that it encounters. Is that spying too?

This is a good thing

Good for Google trying to proactively help stop at least one type of online fraud.

As long as it can be disabled for the paranoid, I see no problem with it.

Besides, have you considered the fact that more people might be willing to shop online if they have a bit more confidence in the websites they are visiting?

All of you and your customers could potentially profit from this windfall of online confidence but instead you would rather bitch about it. I know people that are afraid to just randomly surf the net because of all the BS out there so they won't be shopping from your site or clicking your AdSense or whatever unless they feel safe to navigate the web again.

Besides, this type of technology is needed to help the naive from getting scammed and the audience of TW probably isn't the intended target of that technology. Google's "Safe Browsing" is no worse than McAfee's Site Advisor, might even be better as it comes BUILT-IN so people don't have to get McAfee or even know they even need it.

Hell, if people weren't so damn stupid we wouldn't need virus scanners on our INBOX as nobody would be dumb enough to open email from people they don't know and then be crazy enough to open random file attachments from strangers. However, they ARE that stupid, they BELIEVE some nitwit in Nigeria is going to give them part of that USD $10M inheritance, and they rush to update their PayPal information every 30 minutes when a new PayPal security warning hits their inbox about "closing your account unless you update it ASAP". Those people are the intended targets, they need protection.

Random web sites are much worse than email as the naive don't have a clue until it's way too late and the only safe way for those same people to use the net would be to restrict their activities to just the big sites like Amazon, Yahoo and MSN, and maybe not even safe at that.

The upside could even be felt in your wallet because CONSUMERS pay for online fraud. If a stolen CC is used in a fraud, VISA/MC/AMEX doesn't absorb it, they just shove it down the merchant's throat. In turn the merchant raises prices to cover his losses.

Therefore, anti-phishing software that helps stop CC theft could result in money in your pocket so unless you like having "fraud" computed into your price of goods, stop whining and back these efforts to stop the criminals.

BTW, many innocent webmasters WILL be red-tagged because they don't know they've even been hacked by phishers. It's not Google's fault when your host can't secure a server and the next thing you know phishing emails are being cranked out by the millions pointing to "http://www.myserver.com/CitiBank/" or wherever they drop the phishing files. Hopefully there will be an appeals process for being "unflagged" when the problem is corrected, if not, get a new secure webhost and hire a lawyer.

from gmail?

gmail is pretty good at separating out the phishing sites based on what people report as phishing mails I think.

Gmail

There are a few that work, and not everyone uses them, not everyone knows about them. Many still use the email which comes with their services direct from Comcast, Bellsouth, etc.

Besides, the viruses and trojans still work or there wouldn't be botnets out there in home computers awaiting commands, so someone is opening those emails or doing other stupid things like downloading random software.

human review required ...

The list had better be subject to human review. They drop the ball using automation too often.

On the subject of Seamonkey/Mozilla, I prefer the Netscape packaged version.

As far as code quality goes, hopeseeker has some justification for his views. Did you know that the relatively obscure but extremely useful ability of the old NS 4.x to implement javascript mail filters was dropped by Mozilla Foundation because it was considered too difficult to maintain the code? Instead we now have mail filters that are limited to the preconfigured triggers and actions. No regex functionality as in the original 4.x versions.

The code quality and organisation is abysmal. If you are considering a custom modification be prepared to hold your nose and shake your head. Of course, the same holds true for Apache.

Stick to the facts.

Firefox users are right to be concerned about the increasing integration of Google technology into the browser and particularly the Anti Phishing feature for the upcoming Firefox 2.0.

However, I think we need to keep things in perspective and look at exactly what the options are in the new version. If you (like me) don't want to use this piece of crap, it's very easy to turn it off.

How do I turn Anti-Phishing protection on or off?

On Windows and Linux, go to Tools > Options ... > Advanced. On Mac, go to Preferences > Options ... > Advanced.

The full story at http://www.mozilla.org/projects/bonecho/anti-phishing/

it's very easy to turn it off

But isn't the whole point with FF that things start 'off' and then you choose to turn them on. Least that is the main reason I left IE for FF. If they start telling me what I need it will be time to look for other options.

Think of the idiots...

On Windows and Linux, go to Tools > Options ... > Advanced. On Mac, go to Preferences > Options ... > Advanced.

How the heck are these stupid non-webmaster, non-TW surfers who incrediBILL talks about ever going to figure out complicated procedures like Options >... Advanced?

Advanced? Oh, I'd better stay the fuck away from that.

So that leaves about 90% (?) of users blindly following Google's occasional, ever so occasional mistake and blocking an innocent site / competitor site. And to heck with the company that's the victim of that "mistake".

if goog

has its hands on it you have to KNOW it's moleish, nothing altruistic about the boys from Mountain View.

They will probably screw up a perfectly fine browser.

>Advanced? Oh, I'd better

>Advanced? Oh, I'd better stay the fuck away from that.

exactly. and Google was bitching about how hard it was to change the default engine in the new IE browser, which to me seemed to be far more intuitive than this option.

Default

Absolutely agree, the default setting for this feature should be OFF purely on the grounds that what is being offered as a security tool is in fact inherently insecure itself. Phoning home post data in plain-text back to Google renders it not fit for purpose.

"How the heck are these stupid non-webmaster, non-TW surfers who incrediBILL talks about ever going to figure out complicated procedures like Options >... Advanced?"

My twelve year old kid seems to manage ok.

Er

Canaira, my comment was, "How the heck are these stupid non-webmaster, non-TW surfers who incrediBILL talks about..."

So if your twelve year old can do the obvious then he's not in the 90% group. See, the private school fees were worth it after all :)

>> Default = Off
No argument there. If users are smart enough to turn it off they are smart enough to turn it on, aren't they?

um...a small thing..

Quote:
Hell, if people weren't so damn stupid we wouldn't need virus scanners on our INBOX as nobody would be dumb enough to open email from people they don't know and then be crazy enough to open random file attachments from strangers.

While I do believe people are tooth grindingly stupid in many respects, some email programs out there automatically open emails when you put your mouse on the subject line. So, if 'read with your mouse' you'll open something without knowing it.

There's nothing wrong with

There's nothing wrong with anti-phishing being on - it's just that people like myself aren't keen on the idea that an ISP may be sponsoring an open source project simply to get free data from it.

Opened by Mouse

Trust me, when I was writing corporate email software we would've never done anything that stupid as we knew the risks of too much automation with the intrinsic vulnerabilities of the media.

Besides, just opening the email, assuming it's only text or plain html (no scripts), is typically safe enough. But you can get into real trouble if the only content is an attached file and it's automatically launched.

Whoever wrote the code to auto-open an email knowing the risks involved should be shot on principle alone.

Blind leading the blind

You must be joking...

So that leaves about 90% (?) of users blindly following Google's occasional, ever so occasional mistake and blocking an innocent site / competitor site. And to heck with the company who's the victim of that "mistake".

With your logic you might as well turn off your anti-virus too just in case it whacks an innocent file attachment or a file that wasn't infected. It's happened but I sure wouldn't want to risk my PC running it wide open "bare back" with no protection.

>> Default = Off
No argument there. If users are smart enough to turn it off they are smart enough to turn it on, aren't they?

Some people will install it and assume it's on by default, not OFF, just like they assume their anti-virus is ON by default. Even MSIE turns up the security by default which interferes with some web sites, but I think for the novice users that's a good thing.

Phoning home post data in plain-text back to Google renders it not fit for purpose.

Why would you be concerned about that?

If it's sending a domain name in plain text to Google and someone is sniffing your packets to get this data then most likely they've already sniffed the packet that exposed the domain name you requested in the first place.

Besides, if you found that domain name using Yahoo/Google/MSN then one of those 3 already knew where you were going when you clicked the link, big whoop.

The only real security on the Internet is to simply NOT USE IT and thinking anything else is naive.

Post data

Why would you be concerned about sending post data in these circumstances?

"Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e in the URL, such as a credit card number), this will now be transmitted to http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and google.com to sniff the information off the wire."

This is a quote from an article by Nitesh Dhanjani over at O'reilly Net. Seems like a good enough reason to be concerned.

Full article @
http://www.oreillynet.com/pub/wlg/8760

Plain Text

To be honest, if you're in mid-phish already, which is worse?

a) having your CC # transferred to Google in plain text
or
b) handing your CC # directly to the phishers

It's the lesser of 2 evils at that point and I'll opt, assuming it's being sent exposed using a GET, to send it unprotected to Google to stop it from being hijacked by phishers.

Obviously there are potential sniffing risks but SSL can be busted as well, it's not as secure as everyone thinks and is particularly vulnerable over Wifi.

The correction to the Firefox extension is painfully obvious and could be easily fixed just to send the domain name only without any parameters which resolves the security concern without the need to bog down the service with SSL.
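The clear-text exposure quoted from the Dhanjani article above and the "send the domain name only" fix proposed in this comment, as an added example in JavaScript; this is not the Firefox extension's or Google's own code. The lookup endpoint is the one quoted in the thread; the `url` parameter name, the sensitive-parameter list and the sample checkout URL are assumptions made for illustration.

```javascript
// Added example: models what a Safe Browsing style lookup would disclose if the
// whole visited URL were sent over plain HTTP, next to the "host only" variant.
// Endpoint as quoted in the thread; the "url" parameter name is an assumption.
const LOOKUP_ENDPOINT = "http://www.google.com/safebrowsing/lookup";

// Leaky variant described in the quoted article: the complete URL, query string
// included, travels to the lookup service in clear text.
function lookupRequestFullUrl(visitedUrl) {
  return `${LOOKUP_ENDPOINT}?url=${encodeURIComponent(visitedUrl)}`;
}

// Hardened variant suggested in the comments: keep only scheme and host, so no
// path or form parameters from the visited page leave the machine.
function lookupRequestHostOnly(visitedUrl) {
  const u = new URL(visitedUrl);
  const hostOnly = `${u.protocol}//${u.host}/`;
  return `${LOOKUP_ENDPOINT}?url=${encodeURIComponent(hostOnly)}`;
}

// Parameter names that suggest the query string carries data a user typed into a
// form (assumed list, not from the page).
const SENSITIVE_PARAM = /^(cc|card|cardnumber|ccnum|cvv|ssn|password|passwd|pwd|account)$/i;

// Returns the query parameter names that would be downgraded from an HTTPS page
// to a clear-text lookup request. An empty list means nothing new is exposed:
// either the page was already plain HTTP, or no sensitive-looking field is present.
function secureDataExposed(visitedUrl) {
  const u = new URL(visitedUrl);
  if (u.protocol !== "https:") return [];
  const exposed = [];
  for (const [name] of u.searchParams) {
    if (SENSITIVE_PARAM.test(name)) exposed.push(name);
  }
  return exposed;
}

// Constructed sample: an HTTPS checkout page that (wrongly) submits its form via GET.
const SAMPLE = "https://shop.example/checkout?ccnum=4111111111111111&cvv=123&qty=2";

console.log("full URL lookup  :", lookupRequestFullUrl(SAMPLE));
console.log("host-only lookup :", lookupRequestHostOnly(SAMPLE));
console.log("downgraded fields:", secureDataExposed(SAMPLE));
```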

screw firefox

it's just spyware from the G$$Gplex.

Better to just use ie, they are regulated, not allowed to play "secrecy" games.

Con 101: sell the BIG lie.

Eric Schmidt:

"We would make the decision based on what end users want"

lol

Spyware

Sure, let's use IE, Virusware.

The ONLY time my computer was ever infected since 1978 was thanks to the hundreds of IE vulnerabilities.

And you don't think MS has spyware too?

Opera

This thread got me to take a second look at Opera 8.54 as the browser for use on my iBook and dialup rather than upgrading my version of FF. So far I like the way Opera is working for me on the laptop.

Now, Opera also has a commercial relationship with Google, but I don't mind since Opera is a commercial browser and never pretended to be anything else. FF still has nice functionality but the thought of it phoning home to Google leaves me cold.

Ahem

Quote:
With your logic you might as well turn off your anti-virus too just in case it whacks an innocent file attachment or a file that wasn't infected.

Ah, so Google will actually flag sites like AV programs flag files? And ask for all users' approval before nuking any site?

Quote:
a) having your CC # transferred to Google in plain text
or
b) handing your CC # directly to the phishers

And an idiot coming to TW for the first time could be forgiven for thinking those were the only two options ;)

Quote:
Some people will install it and assume it's on by default, not OFF

OK, so have a big flashing sign for IDIOTS telling them: IT'S OFF BY DEFAULT YOU NEED TO TURN IT ON.

Of all the pathetic excuses...

mid phish?

To be honest, if you're in mid-phish already, which is worse?

That presumes that the user *is* in "mid-phish".

It's not like the big G couldn't afford to buy a wild card cert, or even buy a certificate authority. And the SSL hardware accelerators to handle the load. It's just the usual laziness and inattention to implementation details that the big G is known for.

As for defaulting to ON or OFF, what would be wrong with a great big blinking dialogue box asking

TURN ON THIS FRICKING FEATURE

yes

no

as the last step of the install? In addition to the EULA stating "you agree to bend over in any way we deem proper now and in the future through auto updates" of course.

wild card cert

Are you aware of the overhead on SSL?

It would take a ton of CPU power to handle the volume of requests using SSL just to worry about the random risks of being exposed with the rare GET with a CC #.

Ecommerce sites are required by CC companies to only use POST or they could lose their merchant account, so unless the webmasters working in ecom are technically inept or the merchants are insane, or they simply don't care, then only phishing should be using the GET method people are complaining about that makes this feature insecure.

And if you're dumb enough to get phished in the first place, you need this feature.

Google could fix it without resorting to SSL, strip the data off the domain before making the request, as just the domain name without the extra data isn't worth worrying about as domains are passed plain text by your browser on the net already.

OK, here we go...

Something slipped thru my spam filter that was VERY convincing today as I had recently used Paypal and the date referenced was very close, but I'm on full alert with anything about Paypal so I scoped it out carefully.

If it wasn't for the domain name, nobody would've thought it wasn't Paypal.

If you go to the root of that domain it's "This site is under construction.", big shock.

Hurry up with FF 2.0 already, we need the anti-phish.

if you're in mid-phish

if you're in mid-phish already, which is worse?

a) having your CC # transferred to Google in plain text
or
b) handing your CC # directly to the phishers

For those not in a phish, a) shouldn't even be on the table.
