Security threats Toolkit

Firefox to get phishing shield

Joris Evers CNET News.com

Published: 09 Mar 2006 13:55 GMT

An upcoming version of Firefox will include protection against phishing scams, using technology that might come from Google.

The phishing shield is a key new security feature planned for Firefox 2, slated for release in the third quarter of this year, Mozilla's Mike Shaver said in an interview on Tuesday.

"Everybody understands that phishing is a significant problem on the Web," said Shaver, a technology strategist at the company, which oversees Firefox development. "We are putting antiphishing into Firefox, and Google is working with us on that."

With the continued rise in online attacks, security tools have become something Web browser makers can use to try to stand out. Microsoft plans to include features to protect Web surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year.

"It is another example of the energy that has returned to the browser marker," Shaver said.

Phishing is a prevalent type of online scam that attempts to steal sensitive data such as user names, passwords and credit card details. The attacks typically combine spam e-mail and fraudulent Web pages that look like legitimate sites. A record 7,197 phishing Web sites were spotted in December, according to Anti-Phishing Working Group.

While Firefox 2 will get a phishing shield, no decision has been made on how it will be incorporated in Firefox, Shaver said. "Google, like others who contribute to the project, has contributed code and expertise for us to experiment with," he said. "We haven't committed to a given approach, a given technology or a given partner."

Google has close ties to Firefox. A year ago, the search engine giant hired Ben Goodger, a lead engineer on the open-source Web browser. Firefox is also part of the Google Pack, a bundle of Google's own and third-party applications. The search company could not be immediately reached for comment.

Although IE and Firefox, the two most-used Web browsers, don't include antiphishing features yet, there are browser add-ons that guard against such scams. These include the Google Safe Browsing plug-in for Firefox and Microsoft's MSN Toolbar for IE. Other providers include Netcraft and SiteAdvisor.

The various phishing shields use a variety of techniques to protect against the online scams. These include blacklists of known fraudulent Web sites, white lists of good sites and analyses of Web addresses and Web pages. Firefox 2 might be different, since the developers aren't married to those approaches, Shaver said.

"I don't think anybody has found a perfect solution," he said. "We would not look to do something different just for the sake of being different, but we don't want to be constrained by recent history either."

Regardless of what technology ends up in Firefox 2, people who want to use a different antiphishing product will be able to do so, Shaver said.

Adding antiphishing technology to Web browsers helps with online security, but is not a panacea, said Amir Orad, vice president of marketing at RSA Security's Cyota group. "We think it is very important. It doesn't solve the problem, but it is a step in the right way," he said.

Cyota, an antiphishing specialist, provides lists of known fraudulent Web sites to Microsoft for IE 7 and to Netscape, as well as others. "It is an arms race, another tool in the arsenal," Orad said. RSA Security acquired Cyota last year.

An early, alpha release of Firefox 2 is expected later this month, but it likely won't include the antiphishing features. "We don't want to rush it to get it into that alpha," Shaver said. "But things can move pretty fast in our world and if we come up with something that we like the looks of we might put something in experimentally."

Other planned security features in Firefox 2 are support for a stronger type of digital certificate, a so-called high-assurance certificate. At the same time, the new browser likely will drop support for less secure certificates, Shaver said.