A lot of the things I write here are for geeks. That’s unsurprising, given my own wonkish leanings, but I appreciate that it makes me a tough guy to love, much less read, at times. Sorry about that, and thanks for sticking with me.
With Firefox 3 on the cusp of the precipice of the knife’s edge of release, though, I wanted to stop pretending that everyone reads the same articles I do and talk about one of the many, really concrete things we’re doing to keep our users, like you, safe. There will be graphs.
The Age of Dorks
In Gang Leader For A Day, Sudhir Venkatesh writes about the embarrassment inner city drug dealers feel when they see what passes for a “gang†out in the suburbs; little more than young kids with nothing better to do than smash windows for the fun of it. That’s what internet crime was in the early days. The typical criminal might have looked a little different, and the typical crime a little more confusing, but the net effect was about the same: some people, particularly people who visited the wrong parts of town, were victimized in relatively unexciting ways. Maybe a sensitive email got forwarded around to your coworkers by a mysterious hacker. Maybe your computer started acting funny. Ho hum.
There Goes the Neighbourhood
After a while, your less geeky friends started getting online. Words like “online banking†stopped sounding like something out of a bad movie. Everything started getting the letter ‘e-’ attached to it. Most importantly, there started to be money. Money begets lots of fun things, like Diet Black Cherry Vanilla Dr. Pepper and Turtle Wax. But it also begets crooks.
In terms of crime (okay, e-crime), the e-crooks were still mostly e-clueless, because they were still mostly e-newbies. They weren’t very efficient, they weren’t very organized, they were actually pretty dumb. But the internet was also wide open and didn’t have a lot of rules. Ask an American Bison how that heady mix tends to play out.
So this legion of idiots started ruining it for everyone: they started spamming, because the internet made it cheap; they started defacing web sites of Fortune 500 companies and world governments, because the internet made it easy; and they started mass-mailing bank fraud, “phishing,†because the internet made it hard to stop.
Phishing is the emails you see every day telling you that your bank accounts will be closed for some reason unless you log in right away. Of course, the link in the email doesn’t take you to your bank, but to a clever forgery that steals your information, and then uses it to steal your money. It’s not a trick you would fall for in real life, because a criminal would have trouble setting up shop in your actual bank branch, but online, it can be hard to tell your bank’s real web site from one of these fakes. Firefox 3 includes some features to help you do that, but really, it would be far better to just not go there in the first place. That’s why we keep a list of known phishing sites in the browser, and warn you when you’re about to visit one. We’ve done that since Firefox 2; maybe you’ve even seen one of our warning messages. If not, well… that’s good!
The Heavies
The internet isn’t new any more. We don’t bother pasting “e-†to the front of everything, because the fact that a service is available online isn’t exceptional any more. That’s really fantastically awesome, as far as I’m concerned, but there’s a catch. The really bad people out there, who were busy doing really bad things in the real world to make money before, they don’t ignore the internet as a passing fad any more. There are ways for them to make real money online now: protection rackets extorting online casinos or major web sites for hundreds of thousands of dollars; selling 10,000 hacked computers to a major spam operation so that they can evade filters; enslaving millions of computers to click ads all day in order to scam ad companies. The legion of idiots is making way for genuine organized crime, and it sucks. The way they’re running a lot of these operations is with a thing called malware.
Malware (think “softwareâ€, but bad) is the name we give to web sites and software that try to take over your computer, in order to do bad things, in the service of bad people. Sometimes they use the old trick of getting you to run the program yourself – promising screensavers or greeting cards or otherwise nice-sounding things. More and more though, they’re trying to attack you through the web sites you visit. Here’s one way it can work:
- You visit a web site that you trust – maybe a news site, or an interesting blog.
- Unbeknownst to you (Aside: do we ever talk about things being knownst? “Knownst to me, this bagel contained bagel.†Anyhow…) Unbeknownst to you, the malware guys have injected some new code into the website. They can do this by hacking the site, or by buying “ad space†as a way to get their content in there.
- As soon as you load the page, this code starts trying to attack your computer by exploiting some unpatched security hole. In fact, it will try hundreds of attacks, looking for any weakness. This can happen in seconds, and invisibly, while you read about the rising price of Turtle Wax.
Obviously, we work very hard to make sure that Firefox is never the “unpatched security hole†and I think we do a pretty good job, as long as you make sure to apply those security updates when we send them to you. But there are lots of programs on your computer, so Firefox’s own security isn’t a guarantee. The best thing we can do is stop the page from ever getting the chance.
In Firefox 3, we have juiced up your protection in a couple of pretty hard core ways. First of all, we’ve added a second list, tracking all reported malware sites live on the net, in addition to the forgeries we blocked in Firefox 2. Second, we now block the page right up front, before it even loads, so that your computer is not at risk. And third, for people who are curious, we provide a report for malware sites that explains exactly what badness is going down. This report is pretty technical, but it’s there if you’re interested. It’s your browser. You can even choose to ignore the warning, if you want, and go through to the site. Obviously, I sort of hope you don’t.
We’ve got the real bad dudes and dudettes online now, and they’re not going to like having their income shut down, so we’re going to have to stay on our toes. But when Firefox 3 comes out (and we’re getting it out as quickly as we can, believe me), I’m going to feel a lot better about you getting online.
meandering wildly 
Awesome post. Thanks for dumbing it down so folks like me can understand all the cool stuff you guys have done.
Ops!
I never have thought that the Firefox which i m using might be having such Loopholes in it…..??????
Very nice, but you definitely need to ensure that in the final, or as soon as possible, that a link which allows one to bypass the warning is in place. Risk or not, people are already publicly complaining (perhaps unfoundedly) that there’s no way to bypass the warnings.
@Neko Ed: As I say in the article:
I hope that this is MCH better implemented than the “link protection plugin” that comes with AVG8 — that makes the browser practically unusable, having to make queries before actually opening the page.
This stuff has been done before, and never succeeded (Mac.com, AVG and probably others).
I also hope that there is a config option to turn this off….
thats so crazy, firefox having the lopholes like this. Who would have thought. makes me more aware. thanks for a great article explaining this. helps me out a lot.
The basic idea is good.
But why isn’t there a possibility to “whitelist” single urls???
This service has for sure – like other services – a mass of “false positives”.
Sorry, but without a whitelist, this feature is not completly useful
I’m apalled by this uncompromising rise in Turtle Wax costs!
How are we too wax our turtles? 😦
Good article.. tnx