Hi All, I think we should implement a windows application reputation extension to Safe Browsing -- to help detect malicious binaries users download and for those we know are safe, stop prompting users.
== Background == Last year, Google started experimenting[0] with an extension to Safe Browsing that helps protect users from malware downloads. This is a binary-file reputation system based on a whitelist of binaries and domains, and identifies benign executables as windows users attempt to download them. Benign executables can bypass any "are you sure" UI, making it less annoying to users. This adds to Safe Browsing (which just blacklists URLs that are known to be phishing sites or distribute malware) so that no matter what page you're on when you download malware, the binary itself is checked. When they rolled it out in Chrome last year, it was unclear exactly how effective it would be. Since the feature involved sending some download URLs to Google (the reputation part of the system), there was no way to reason through benefit vs. download history leak. == Action == Well, they've told me a little bit about how it's worked in the last year, and I think we should put it into Firefox. I've created a feature page for the feature (https://wiki.mozilla.org/Security/Features/Application_Reputation) and *want your feedback* about it. Since sending URLs is the main difference between this and the rest of Safe Browsing, we have to think about whether Firefox users will be willing to trade some of their download history for the protection offered by the system and a less in-your-face download UI. I believe they will. == System Attributes == * List Size: roughly 300 domains and 100 app signers in whitelist (small) * Average Chrome users download about 2 binaries per day. * ~ 8% of files downloaded by users are executables (and subject to this new system) * ~ 65% of those executables are whitelist hits and cause no prompt or ping to Google (with URL of binary) * Roughly 5.2% of a user's downloads result in a URL being sent to Google's servers. Niels, Moheeb: if you have any public documents about the system or API, would you please reply to this with links? Everyone else: what do you think? Cheers, Sid [0] http://www.pcpro.co.uk/news/security/366577/chrome-targets-social-engineering-with-file-warnings _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
