Hi Kyle,

Thanks for forwarding this along.  I can confirm that you have found  
what appears to be a new phishing site.  It's unfortunate that our  
protection didn't already know about that, but when you discover such  
things, it would be helpful if you could use the "Report Web Forgery"  
item in the Help menu to let us know about them.  Sites that are  
reported are investigated and listed as quickly as possible, and as  
you anticipate, that is the single best way to keep our users away  
from them.

The fact that it uses a paypal rebounder is pretty unfortunate too,  
and it's arguably worth having a conversation with paypal about the  
availability and exploitability of that CGI, since it makes attacker  
URLs look more believable.  There's not a lot that I think Firefox  
should be doing on that front - introspecting these URLs and pages to  
try to determine which ones are malicious and which ones are run of  
the mill advertising redirects and the like sounds fraught with false  
positives and false negatives, but I don't think you were suggesting  
any such approach either.

As for the EV treatment - when I went to the site, the redirect  
happened so quickly that I didn't see any EV treatment, but it is  
certainly conceivable that during the redirect a user would spend some  
non-zero time on paypal's page, and potentially displaying the EV UI.   
I understand, therefore, why you'd be inclined to ask if we should  
have some kind of alert when you leave an EV page, but I resist doing  
that for a couple reasons, chief among them being questions about  
whether a dialog would actually change anything.  There is reasonably  
ample evidence that dialogs that have "ok" as their only really  
"useful" option tend to be quickly ignored by users, at which point  
they stop having any impact on user behaviour.  Tech support folks  
have stories of people seeing *right through* things like the FF2  
certificate errors, saying "No, no warnings, everything's fine."   
Professor Peter Gutmann has all kinds of good reading here, if you're  
interested and haven't yet encountered it.

Such a dialog is also going to be very noisy - EV deployment is still  
pretty modest, but it's increasing pretty rapidly and the number of  
benign instances where people navigate, or are navigated, from EV to  
non is going to be vastly higher than the number of fraudulent  
instances. That's a bald assertion on my part, but I'll stick with it  
- if the average paypal user was suckered by 5 of these paypal-rebounding  
phishing attacks, that would still pale in comparison to  
the (presumably) hundreds of interactions they've had with the  
legitimate site, many of which may well finish with navigation away  
from the EV site.

Finally, fiddling with our EV indicator is not a good way to prevent  
phishing.  I actually do think that EV is part of the solution there  
or at least, more generally, that equipping users with better tools  
for knowing who they interact with online will lead to higher  
phishing-resistance over the long term, but in the case of a particular example  
like the one you link to, the way we shut that down is by getting it  
on the blacklist.  In the short term, no opportunistic UI indicator or  
dialog is going to have anywhere near the preventative value of a full  
stop, blocked page with affirmative warning text.

I apologize for the length here, and hope I haven't sounded  
dismissive; the length is really more about explaining why we have  
made the decisions we did, in an effort not to sound that way.  You  
talked about the absence of this dialog being an oversight. I hope  
that if nothing else, I have managed to impress upon you the fact that  
we do think a fair bit about these things, and that there are reasons  
why we don't take certain apparently-obvious steps.

Cheers,

Johnathan

On 4-Jul-08, at 1:40 AM, Kyle Hamilton wrote:

> (crossposting this between dev-tech-crypto and dev-security per Nelson
> Bolyard's suggestion)
>
> One of my colleagues has managed to locate a site that:
> a) goes to the official paypal site
> b) redirects off of the paypal site
> c) ends up landing on a paypal spoof
>
> without:
> d) triggering any notification of an EV site being left
> e) triggering the phishy/phorgery warning (this has changed at
> approximately 10:30pm on 03Jul2008)
>
> We have been unable to figure out any way to submit a site to the
> phish filter (in firefox3), and given the recent hoohah about EV
> certificates and their usage for validation I'm concerned that people
> who have their navigation toolbars turned off aren't going to see the
> problems until it's too late.
>
> I'm told that there is no code in place for notification of leaving an
> EV site for another site; I believe this is an oversight that should
> be fixed (this is separate from the "SSL to non-SSL" config preference
> which isn't enabled by default).
>
> Thanks,
>
> -Kyle H
>
> On Thu, Jul 3, 2008 at 9:09 PM, Nelson Bolyard
> <[EMAIL PROTECTED]> wrote:
>> Kyle Hamilton wrote, On 2008-07-03 19:51:
>>> https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr&return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/?cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.DisputeTransactionID.2LC956793J776333Y
>>>
>>> This is a valid PayPal URL that issues a redirect to an external site,
>>> which just happens (at this moment) to spoof the PayPal layout.
>>
>> It doesn't even trigger any kind of a phishy site warning.
>>
>>> Is there any provision anywhere for a "you are leaving an EV site to
>>> go to a non-EV SSL site or an unencrypted site" kind of warning?
>>
>> I think that's a great question.  I think the answers are:
>>
>> - there is a message for encrypted->unencrypted transition, but it's off by
>> default and you have to know how to use about:config to turn it on
>>
>> - there's no EV->nonEV https transition message
>>
>>> And if this isn't the best place for this kind of discussion, is there a
>>> discussion group/list/newsgroup that would be better?
>>
>> I think the person you need to engage is Johnathan Nightingale.
>> I suggest cross posting to both this group mozilla.dev.tech.crypto and
>> also to mozilla.dev.security.  Maybe even to mozilla.dev.apps.Firefox.
>>
>> /Nelson
>> _______________________________________________
>> dev-tech-crypto mailing list
>> [EMAIL PROTECTED]
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security

---
Johnathan Nightingale
Human Shield
[EMAIL PROTECTED]
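The "paypal rebounder" discussed above is an open redirect: the CGI hands whatever its `return` parameter contains to the browser, so a link that really does start on the genuine PayPal host can end on an unrelated spoof. The fix Johnathan alludes to ("a conversation with paypal about the availability and exploitability of that CGI") is server-side. The following is an added example, not code from this thread, PayPal or Mozilla: a redirector-side check that only honours same-site return targets. The allowlist, function names and policy are constructed for illustration; the sample query reuses the lookalike host from the URL quoted in the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the only hosts a redirector should ever send a browser to.
ALLOWED_HOSTS = {"www.paypal.com", "paypal.com"}


def is_safe_return_target(target: str) -> bool:
    """Return True only if `target` keeps the user on the allowlisted site.

    Hypothetical policy for illustration:
      * a relative path ("/myaccount") is accepted, but scheme-relative forms
        ("//evil.example", "/\\evil.example") are not, because browsers treat
        them as absolute URLs to another host;
      * an absolute URL must be https, carry no userinfo (so "host@evil" tricks
        fail), and its hostname must match the allowlist exactly, so lookalikes
        such as "paypal-cgi-bin.s6.pl" or "www.paypal.com.evil.example" fail.
    """
    parts = urlsplit(target)

    if not parts.scheme and not parts.netloc:
        # Relative reference: require exactly one leading slash.
        return (
            target.startswith("/")
            and not target.startswith("//")
            and not target.startswith("/\\")
        )

    if parts.scheme != "https":
        return False  # http:, javascript:, data: and friends are all rejected
    if parts.username is not None or parts.password is not None:
        return False  # "https://www.paypal.com@evil.example/" style URLs
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def resolve_return(raw_query: str, default: str = "/") -> str:
    """Pick the destination a redirector CGI should use for a given query string.

    Exactly one `return` value is required; a missing, duplicated or unsafe
    value falls back to `default` rather than to the attacker-supplied URL.
    """
    params = parse_qs(raw_query, keep_blank_values=True)
    candidates = params.get("return", [])
    if len(candidates) == 1 and is_safe_return_target(candidates[0]):
        return candidates[0]
    return default


if __name__ == "__main__":
    # Constructed query modelled on the thread's URL: the return target is an
    # http URL on a lookalike host, so the redirector falls back to "/".
    phishy = "cmd=_ssr&return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/"
    benign = "cmd=_ssr&return=%2Fmyaccount"
    print(resolve_return(phishy))  # "/"
    print(resolve_return(benign))  # "/myaccount"
```

Exact hostname matching, rather than "contains paypal.com", is the part that matters: the host in the thread's URL contains the brand name and still fails the check, while a suffix match or a substring match would have let several of the rejected forms through.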