[Bug 269656] Re: AN IRRELEVANT LICENSE IS PRESENTED TO YOU FREE-OF-CHARGE ON STARTUP

SilverWave Launchpad at workswonders.co.uk
Wed Oct 8 09:17:23 UTC 2008


The Frankenphishing Service.

>Mark Shuttleworth wrote:
>pj wrote:
>> Since Mark is asking for input on the service, I will tell you that the first thing I do is
>> turn off antiphishing services, along with every other thing that tends to track my
>> surfing. I turn off Javascript and cookies too, for example, so I'm definitely not the
>> average person in my habits. I turn stuff on as needed, clean up, and turn it off
>> again.
>>
>In the community of folks who are very aware of the sort of abuse that
>goes on, being conservative about JS and cookies isn't unusual. Those
>are definite attack vectors on one's online identity and privacy.

>Out of curiosity, would you prefer that cookies and javascript be
>disabled in the default case for Ubuntu, too? If the argument is that
>anti-phishing might be used to track your surfing, like cookies and JS,
>and therefore it should be turned off, would it not also be consistent to
>want JS and cookies disabled by default? We certainly take the view that
>we (Ubuntu) are entrusted with our users' security, so this would be
>worth exploring. My gut feel would be though that most people would say
>"I'll turn that off for myself where I'm concerned, but I understand
>that the default should be for JS to be switched on".

The bug is in the way the antiphishing service works...

The old implementation was a choice between checking with Google for
each site you visited and downloading a blacklist that did its checking
without calling home to Google.

I had no problem with the second approach but then things changed and
you now get the Frankenphishing service which does the "download the
blacklist file and check thing" BUT if it gets a hit it then does a
phone home to Google to double check in realtime.

I would say that the downloading of the blacklist and local
anti-phishing checking with no phone home should be the default.

No privacy concerns with this.

The problem is the phoning home to check thing.

So this whole problem with the anti-phishing services is just bad
implementation.

1. The default should be that a file is downloaded every day/hour and this is used to check for bad sites.
No phone home or anything.

2. On first hit of a phishing site, ask the user to accept the Terms and
Conditions of the service.

3. Also ask if the user wants to start checking with Google in realtime or
not (point out the privacy issues).

-- 
AN IRRELEVANT LICENSE IS PRESENTED TO YOU FREE-OF-CHARGE ON STARTUP
https://bugs.launchpad.net/bugs/269656
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox-3.0 in ubuntu.
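
The three-step flow proposed in the message above, as an added sketch that is not part of the original post or of Firefox's code. The names `PhishingChecker`, `remote_lookup` and `prompt` are hypothetical, the blocklist entry is constructed, and asking the realtime question only after the terms are accepted is an assumption.

```python
from urllib.parse import urlsplit


class PhishingChecker:
    """Local-first blocklist check; remote confirmation only after opt-in."""

    def __init__(self, blocklist, remote_lookup, prompt):
        # Step 1: the blocklist is a locally stored file, refreshed periodically.
        self.blocklist = {h.lower() for h in blocklist}
        self.remote_lookup = remote_lookup  # hypothetical callable(host) -> bool
        self.prompt = prompt                # hypothetical callable(question) -> bool
        self.terms_accepted = None          # None means the user was never asked
        self.realtime_opt_in = False
        self.remote_calls = []              # every host disclosed to the provider

    @staticmethod
    def _host(url):
        # Compare on the normalised hostname only, never the full URL.
        return (urlsplit(url).hostname or "").lower().rstrip(".")

    def check(self, url):
        host = self._host(url)
        if host not in self.blocklist:
            return "allow"                  # common case: nothing leaves the machine
        if self.terms_accepted is None:
            # Steps 2 and 3: ask once, on the first local hit.
            self.terms_accepted = self.prompt("Accept the Terms and Conditions?")
            if self.terms_accepted:
                self.realtime_opt_in = self.prompt(
                    "Confirm hits with the provider in real time? "
                    "This tells the provider which site matched.")
        if self.terms_accepted and self.realtime_opt_in:
            self.remote_calls.append(host)
            if not self.remote_lookup(host):
                return "allow"              # provider reports the local entry is stale
        return "block"                      # local verdict stands without any network call


def demo():
    # Constructed sample: the user accepts the terms but declines realtime checks.
    answers = iter([True, False])
    checker = PhishingChecker({"phish.example"}, lambda host: True,
                              lambda question: next(answers))
    verdicts = [checker.check("https://news.example/"),
                checker.check("http://PHISH.example/login")]
    return verdicts, checker.remote_calls


if __name__ == "__main__":
    print(demo())
```

The `remote_calls` list makes the privacy property auditable: it stays empty unless the user has answered yes to both prompts.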



