Phishing Filter in IE7

re: Phishing Filter in IE7

Nick Davis — Sat, 10 Sep 2005 02:11:05 GMT

A couple of questions, out of curiosity:

1) How are you expecting the general public to respond to the phishing filter?

2) Do you expect people to just grasp the concept of phishing? Is there a different term that might convey more clearly what a phishing attack is to my grandmother?

re: Phishing Filter in IE7

asdf — Sat, 10 Sep 2005 02:18:04 GMT

You should make the arrow next to "Continue (not recommended)" red or yellow. It looks too friendly being green :)

Public database search for site owners

Maurits — Sat, 10 Sep 2005 02:54:42 GMT

As a site owner who does not have a copy of IE7, how can I tell if my sites are misidentified as phishing sites?

Can you make a webform somewhere saying:

QUERY THE PHISHING SITE DATABASE

Enter a web site URL to determine whether it is in the Microsoft "phishing site" database:

URL: _________________________ [ Search ]

Or, where can I download IE7? ;)

Privacy

Maurits — Sat, 10 Sep 2005 02:59:03 GMT

I just realized that you're effectively receiving a copy of every IE 7 user's browsing history, sans querystrings. Isn't this a major privacy breach? Surely the phishing blocklist can't change THAT quickly.

re: Phishing Filter in IE7

Lonnie McCullough — Sat, 10 Sep 2005 03:02:01 GMT

I agree with Nick. The term Phishing has absolutely no meaning to my mom. How about:

"This website is a known suspicious website. Visiting it could leave you open to identity theft and/or other crazy stuff..."

-Lonnie

re: Phishing Filter in IE7

C++ guy — Sat, 10 Sep 2005 03:07:22 GMT

Users don't read dialogs.

re: Phishing Filter in IE7

Cheong — Sat, 10 Sep 2005 05:34:00 GMT

It'll be more helpful that if the reported phishing URL is stored in database, the warning page also show a link to the REAL website's base URL. (Just like what IE now will suggest when it can't find a page.)

So the warning page of HTTP://WWW.MlCROSOFT.COM will also give a link to http://www.microsoft.com and the user can use the "Contact us" at the page to report the phishing page to the company.

re: Phishing Filter in IE7

AndyG — Sat, 10 Sep 2005 07:24:10 GMT

Re: Privacy

I wouldnt think any Privacy laws are broken as no user identifiable information is transmited linking the URL to the client! All that MS are recieving is a web address from somewhere, out there, by someone unknown.

re: Phishing Filter in IE7

Aaron — Sat, 10 Sep 2005 08:23:23 GMT

Not much of a browse history for two reasons:

1. All "legitimate" websites are always missed since the client never checks any with the server.

2. Only unknown websites that the heuristics deem "suspicious" are checked.

So at best you get a spotty view of someone's history, and the feature is opt-in anyway, so you could always simply choose not to use it.

The bigger problem I see is how you would update the "legitimate" website list on the client. Does this list only get updated via Windows Update? And I assume it has the appropriate protection on it so not just any script can modify it?

re: Phishing Filter in IE7

jace — Sat, 10 Sep 2005 08:35:10 GMT

Please change the color of the "continue" button if possible. Red would be good.

Also how about a dialog that says something like "Malicious Website Filter" etc...

Phishing is a silly term to begin with and I don't think it's going to resonate with aunt maude....

When is Beta2 coming out?

Matt — Sat, 10 Sep 2005 09:45:01 GMT

When will be the Beta2 released? In one month, in two months?

Thanks for the hardwork,
Matt

re: Phishing Filter in IE7

Harold J. Johnson — Sat, 10 Sep 2005 09:49:11 GMT

I love that band, but why would you want to filter it out? What do you guys have against Phish?

re: Phishing Filter in IE7

Sat, 10 Sep 2005 12:21:29 GMT

Is there a 'test' or 'demo' server we can test it on? I'd love to try it out!

re: Phishing Filter in IE7

kL — Sat, 10 Sep 2005 15:36:45 GMT

IMHO anti-phishing heruistics is useless. All phishers will check their websites against IE7's filter and modify/obfuscate their techniques till IE7 stops detecting them.
If you tweak filter to be more sensitive, false positives will damage reputation of legitimate websites...

re: Phishing Filter in IE7

Alberto — Sat, 10 Sep 2005 15:44:08 GMT

Phishing may be a non user friendly name so the suggestion of including a brief explanation is a good one - sort of "A Phishing website performs an attempt to impersonate illegitimately another website in order to persuade you to input sensitive data meant for the legitimate website, with the intention to employ at a second time such data on the legitimate website impersonating yourself".
Sort of, and has to convey the sense of the threat.

Although Phishing sounds as a neologism, yet its origin seems clear: the sounds is that of "fish", and reminds the latin: pescare, to fish.

I noticed that for privacy concerns the query string is stripped. This is well done, but of course all the future problems with it will derive exactly by exploiting this feature.

An organized crime approach (my italian fantasy lol?) might work as follows:

1) an apparently legitimate online venture gets started for the purpose of phishing.
2) for one year it keeps pretty low profile, simulating a legitimate environment. It knows it will cash later exploiting this feature.
3) after one year it performs its Ocean's Eleven: it raids 1,000,000 users in one day exploiting exactly a query string, it takes the money and runs.
4) all the online magazines start making headlines and complaining that IE is insecure and is not standard compliant, which latter has nothing to do with it but war is war.

All bugs and all exploits prosper in the assumptions.

IE7 Phishing Filter

MicrosoftBlog.com — Sat, 10 Sep 2005 16:42:50 GMT

Tariq Sharif, Program Manager of the Internet Explorer Security Team, details how the Phishing Filter in IE7 will work.

re: Phishing Filter in IE7

Tony Dickins — Sat, 10 Sep 2005 17:36:58 GMT

Having used the netcraft antiphishing tool bar for some time with IE6.sp2 I found it to be very effective but a bit too touchy when downloading music from legitimate sites (music bought and paid for). however I did like the display of the country of origin, risk rating, sites date of origin and site ranking of all web sites visited regardless of the phishing filter. All of which made it easier to detect suspect sites and allow the user to decide for themselves using the info given when a phishing site was flagged up and possibly report a site to netcraft, which I had to do twice. Would it be possible to integrate some of these features into IE7 in the future. If anyone would like to try out the netcraft toolbar or check the specs it is available for free from http://toolbar.netcraft.com/ but I have not tried it with IE7 so no guarantees.

re: Phishing Filter in IE7

Ron — Sat, 10 Sep 2005 17:51:48 GMT

In my opinion if someone knows what a phishing website is then they don't need a phishing filter.

And if they don't know what a phishing site is then they probably wouldn't understand the importance of enabling the phishing filter.

As soon as I got IE7 beta1 I disabled the filter because it seemed to be slowing things down. (I've uninstalled the beta btw)

On another note, if Microsoft just happened to block google.com (for example) for 1 day would Microsoft be held responsible for the damages it did to Google?

re: Phishing Filter in IE7

Alan Trick — Sat, 10 Sep 2005 17:57:54 GMT

http://207.68.172.246/result.aspx?u=Tariq&p=Tariq’sPassword

aw come on, we *all* know that shoud be:

http://207.68.172.246/result.aspx?u=Tariq&p=Tariq%27sPassword

;)

Privacy

Maurits — Sat, 10 Sep 2005 18:20:28 GMT

AndyG
"I wouldnt think any Privacy laws are broken as no user identifiable information is transmited linking the URL to the client! All that MS are recieving is a web address from somewhere, out there, by someone unknown."

Huh. The connecting IP might be enough in the short-term to identify someone. It's certainly enough to tie all of a single user's queries to each other... and if they have a personal homepage they visit often, it shouldn't be too hard to figure out who they are from their history.

And there are plenty of sites that use personal information in the URL /path/, not the querystring... like the ones that use a CGI engine that accepts a slash where the question mark is supposed to go.

I do have a solution to this problem... use DNS as the lookup mechanism. That way the query comes from the user's ISP... or, if the idea linked below is used, no query needs to come to Microsoft at all.

See http://channel9.msdn.com/ShowPost.aspx?PostID=112349

re: Phishing Filter in IE7

AC — Sat, 10 Sep 2005 19:16:51 GMT

Will you be sharing the data you gather so that other companies/individuals may use it and contribute to it in a free manner (meaning create a FreeDB not another CDDB)? If the objective is to protect people, I think this would be an obvious choice.

re: Phishing Filter in IE7

Hans — Sat, 10 Sep 2005 19:52:19 GMT

Good work.

I agree with others that using another term than phishing will be most helpful for the ones needing it.

Another concern is that the sites on the white-list will be attractive targets for phishers, i.e. breaking into one of those computers and replacing the normal business with a phishing site. [I understand already break into the computers to send spam-mail so it seems like a logical next step.]

Basically Alberto's fantasy above, but letting someone else run the business the first year.

So what types of sites will be on the white-list? Just large companies like CNN or small-sized businesses as well? Will some certification be required?

The white-paper indicate that in order to avoid a yellow flag a smaller company should have a firewall and install all necessary security updates.

Is that just normal good practice or does it imply that IE 7 will check if the server string identifies a version with known holes?

BTW: Why is the row-spacing so large in the white-paper?

re: Phishing Filter in IE7

Simon — Sat, 10 Sep 2005 19:56:06 GMT

And who are exactly affected by phishing sites? Stupid users. It means IE will remain a product for stupid users. The real guys use Firefox.

re: Phishing Filter in IE7

Matthew Ratzloff — Sat, 10 Sep 2005 19:58:38 GMT

Doesn't this open up Microsoft to liability if a legitimate website is flagged as a phishing site and can't do business with the majority of its clients as a result of the filter?

re: Phishing Filter in IE7

John A. Bilicki III — Sat, 10 Sep 2005 21:18:14 GMT

What percentage of surfers in general do you folks expect will come across a phishing site?

I agree that the arrow colors need to match.

Microsoft have shown poor ability to work interchangeably between basic and advanced users. Yes Lonnie's mother won't know what Phishing is, but me and Lonnie do. Vista SEVERELY needs a quick and easy way to universally switch between basic and advanced user modes. However since we're talking about IE7 would suggest something like this...

* Phishing security issue! *
Phishing is the act of.....

Keep the exclamation simple, we technologically advanced people know what they mean or at least know how to make reference and figure out what they mean. Display a simple and brief description of the the problem is. Provide a link the user can choose if they are still curious to open in a new window/tab (heh) that has a well formed page with information the user can understand with non-technical explanations. "This warning means there are really two websites being loaded and if you send money chances are overwhelming it will go to an unintended party (fraud)." if say a frame site is being loaded that is cross domain.

C++ guy is only half correct. Advanced users overwhelmingly do NOT read prompts, basic users overwhelmingly DO read, and a little of both do the opposite.

-- "On another note, if Microsoft just happened to block google.com (for example) for 1 day would Microsoft be held responsible for the damages it did to Google?" -- Ron.

Ron has a dam good point! I think a clear cut explanation for technical users would benefit us so legit webmasters such as myself can consciously avoid even accidentally being seen as a potential threat.

Additionally there are third party agencies such as those who give SSL certificates that IE could reference. In example if there is a <form, second IP/domain, certain symbols such as those that represent currency, IE could check if the location has any third parties backing that location up and if none are found prompt the user during their clientside interaction.

I see there is a bit of controversy...but I'd rather see Microsoft be in controversy for addressing an issue rather then controversy in regards to in-action as I am to a designer who doesn't design for but deals with IE. So far I think it's a good effort and we'll just have to wait and see if the coding, testing, and implementation works out in the end.

re: Phishing Filter in IE7

Jens Meiert (of UITest.com) — Sat, 10 Sep 2005 21:21:08 GMT

"Click here to close this webpage" should be "Close this webpage". Or "Close this web page".

re: Phishing Filter in IE7

Daniel E. Renfer — Sat, 10 Sep 2005 21:49:11 GMT

What happens if I make a phishing site like: http://www.stealmyidentity.com/index.php?mode=phish">http://www.stealmyidentity.com/index.php?mode=phish which will try to do all sorts of nasty things to you, but if you navigate to http://www.stealmyidentity.com/index.php it shows a completly harmless kid-friendly page? You lose a lot of information by stripping all of the GET args from the URL.

re: Phishing Filter in IE7

Daniel E. Renfer — Sat, 10 Sep 2005 21:50:15 GMT

re: Phishing Filter in IE7

Big Al — Sat, 10 Sep 2005 23:44:53 GMT

I would recommend to make the text "Click here to close this webpage" big and with a green arrow. And the text "Continue to this website (not recommended)." should be smaller and have a red warning sign. If you still click that second option, there should be another warning like "Are you sure you want to visit this website? There are reports that this website may threaten your computer security. Click here to read more about security and phishing".

re: Phishing Filter in IE7

Will — Sun, 11 Sep 2005 01:20:16 GMT

<An organized crime approach>

That's not phishing, it's fraud. Phishing is when the user thinks they're at one place, but they're at another.

re: Phishing Filter in IE7

Will — Sun, 11 Sep 2005 01:33:08 GMT

Alan, are you sure that ' is not permitted in a HTTP URL? It doesn't have any reserved meaning, and RFC1738 appears to permit it...
http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

Simon, are you calling my dad stupid? Shame on you.

Daniel-- They mentioned that they get data from a lot of sources. Don't forget that the spam mails that lure people to begin with are used in the serverside filter. I bet the entire domain could get nuked for hosting a scammer.

re: Phishing Filter in IE7

Jim — Sun, 11 Sep 2005 05:19:16 GMT

> It only sends those which are not on a known list of OK sites

It seems to me that sites on this list will be accessed quicker, and thus give a better impression to the end user, than sites that aren't on this list.

What does it take to get on this list? Can Joe Random Weblogger get on it, or will it be reserved for Microsoft affiliates and subsidiaries like MSN?

Conversely, if it is open for all comers, what stops people from changing a previously legitimate site to a phishing site?

re: Phishing Filter in IE7

Jim — Sun, 11 Sep 2005 05:22:06 GMT

> It'll be more helpful that if the reported phishing URL is stored in database, the warning page also show a link to the REAL website's base URL.

I disagree. If I know end users, they'll just get into the habit of being lazy and relying on the warnings to bring them to the right place. It will do nothing to discourage clicking on links in suspicious emails, and so, in the 1% of times something makes it through the phishing filter, they will fall victim to the scammers (which, IMHO, is a much better term to present to the end user than "phishers").

re: Phishing Filter in IE7

game kid — Sun, 11 Sep 2005 06:13:41 GMT

(Jim) What does it take to get on this list? Can Joe Random Weblogger get on it, or will it be reserved for Microsoft affiliates and subsidiaries like MSN?

Hopefully MS won't be dumb enough to leave sites like http://slashdot.org/ (or my site!) on a "not certain" list. That'd leave them open to a LOT of (further) ridicule (e.g. said Slashdot may report "Slashdot on Phishing Site List"; they kinda blow up news a bit ;) ).

(Jim) Conversely, if it is open for all comers, what stops people from changing a previously legitimate site to a phishing site?

Then we, the collective End User, report it upon the change, maybe? I know if someone suddenly bought http://citi.com/ or something, I'd get the report done yesterday.

(Tariq) This is another reason that Phishing Filter has to contact a server to detect phishing sites and keep the number of false positives to its lowest.

...but does it have to be your server? At least get together with some groups (or even just a few big companies) and create an independent scam site server. (Oh, and I prefer "scam site" over "phishing site.")

"Phishing" is a confusing word

Ron — Sun, 11 Sep 2005 14:59:41 GMT

I agree that the word "phishing" is awful and should not be used for this feature. "Phishing" means nothing to me, but "scamming" does. Why create so much confusion for what should be straight forward and obvious?

___________________________________________
Reported Scamming Website

This Website has been listed as a scamming website and should not be trusted.

We recommend that you do not continue to the above website, as it may have been created to decieve you and make false claims.

You may continue to the website at your own risk.

- Click here for more information.
- Click here to go to the unsafe website (not recommended).

How Scamming Works:

Description of how scammers try to deceive internet users.
___________________________________________

Neither of the alerts you posted above would make any sense to internet new-commers.

The first alert says - "For more information, read the Internet Explorer Terms and Conditions". Well I wouldn't expect to find anything in the terms and conditions about "Phishing", so I wouldn't click there and expect to find out.

Then there's a link that says "How does Phishing filter help protect me?" Again, this link doesn't mention anything about what "Phishing" is, it just seems to explain how the "Phishing Filer" would work. I wouldn't click there.

Then there's - "What is Phishing Filter?". Well I don't care what the "Phishing Filter" is, I WANT TO KNOW WHAT "PHISHING" MEANS.

re: Phishing Filter in IE7

Thomas Tallyce — Sun, 11 Sep 2005 21:06:51 GMT

> I noticed that for privacy concerns the query string is stripped. This is well done, but of course all the future problems with it will derive exactly by exploiting this feature.

Most obviously, sites will just switch to a (mod_)rewrite-based approach.

And, as others have pointed out too, absence of a query string can completely change the context of the page by the application serving the page, quite trivially.

So I rather suspect the query string approach will quickly become next to useless.

Agreed with the above poster. Scamming is a far more understandable word than phishing, which probably even only a minority of technical users will know.

re: Phishing Filter in IE7

codemastr — Sun, 11 Sep 2005 21:17:48 GMT

1.) Still no explanation on why MS insists on sending the real URL rather than a hashed URL... at this point I'm starting to lean towards MS is going to use the browsing history for shady purposes, otherwise, why won't you even give a reason why you refuse to do this?

2.) The "known good sites" list is a terrible idea. Read up on pharming and you'll see why. I type in www.microsoft.com, however, someone has hacked MS's DNS server so that it gives me an illegitimate IP rather than Microsoft's real IP. With the known good site stuff, IE is going to tell me that I am safe.

re: Phishing Filter in IE7

game kid — Sun, 11 Sep 2005 22:55:55 GMT

(codemastr) Still no explanation on why MS insists on sending the real URL rather than a hashed URL...

Note the above, IE Team. Or send it via SSL/TLS, even if said security methods are disabled via Internet Properties. Otherwise, expect to see YOUR site recommended to the list instead.

(codemastr) The "known good sites" list is a terrible idea. Read up on pharming and you'll see why. I type in www.microsoft.com, however, someone has hacked MS's DNS server so that it gives me an illegitimate IP rather than Microsoft's real IP.

When users visit Internet sites, check that the scam-site list server is up. If it is down, alert with:

---------------------------
Unable to check site legitimacy
---------------------------
(MB_ICONWARNING) A problem is preventing Internet Explorer from verifying any sites. Any further Web sites you visit, including this one, cannot be verified as trustworthy at this time. Do not continue unless you are already sure of the site's legitimacy.
---------------------------
Continue Anyway STOP
---------------------------

re: Phishing Filter in IE7

Alberto — Mon, 12 Sep 2005 00:53:54 GMT

Perhaps, although definitely not appealing, the case for dropping the anti phishing feature could or should be stated. I know you have worked tough on it.
Yet, there are reasons you may want to evaluate.

It is not just that, as pointed out by many, whatever assumption may be exploited once known: a list of trusted sites implies that _all_ one has to do is to become trusted first.

If then all of a sudden the site administrators perform an illegal operation (sounds like a OS warning of old times lol), and, moreover, they do it exploiting a query string, you might not even know about it but when the outcry's got too loud already.

Now, if you provide a system that is electively meant to overcome phishing, and you are the only company that sports it so openly, it won't matter any longer how commendable it can be and how commendable it actually is.

Exposed as _the_ company that set up itself to block phishing, you are going to be double exposed to critics at your first failure - which is bound to come as we all know: absolute security simply doesn't exist.
We are such stuff as bugs are made on, and our little program is rounded with threats.

You may have to face a paradox situation whereas a product that did NOT implement any anti phising feature will go absolved of all blame, and you who did imputed with all faults.

Such a failure wouldn't be your fault in the least: that a browser _attempts_ to fight phishing is _plain_and_simply laudable, no matter how it tries that.

But you are probably aware that your product is subject to a campaign, and that the purpose of the campaign is exactly that of taking away slices of market from you, leveraging "real or _perceived_ security issues".

If you provide a significant anti phishing feature, all its failuers are going to be blamed onto you as if you would have _invented_ phishing in the first place.

That is, you can still keep it in place, but _if_ so prepare your own Chief Evangelist Campaign too, because it is with such engineered propaganda campaigns that your engineers will be vilified, at your first anti phishing failure - which would be doomed to come sooner or later.

Do not fight just with the product. Many won't be satisfied with it even if it would be made In Heaven.
Meet the challenge on _all_ its grounds, and prepare the counter-drumbeat besides your counter phishing, if you plan to keep the latter in place.

re: Phishing Filter in IE7

Jim — Mon, 12 Sep 2005 02:08:05 GMT

Just to follow up on the whitelist being flawed - Jim Ley points out in this article that for a long time, Google could be tricked into displaying whatever information phishers wanted:

http://jibbering.com/blog/index.php?p=148

It's not too unreasonable to assume websites that will appear on the whitelist will also be vulnerable to similar attacks at one time or another.

What is the value of a whitelist to the *end-user*? The only value I see goes to the people on the whitelist, at the expense of the end-user.

re: Phishing Filter in IE7

codemastr — Mon, 12 Sep 2005 02:26:04 GMT

game kid: "When users visit Internet sites, check that the scam-site list server is up. If it is down, alert with"

Good point, but that wasn't what I meant. What I'm saying is, I go type into my browser www.microsoft.com. Phishing Filter says -> It's on the white list, it's OK. So then IE does a DNS request which returns 123.456.789.321, which is NOT the valid MS IP. In fact, the Microsoft.com DNS server has been "pharmed." Someone hacked the server and has set it to return an IP of a scam site. Hence, the phishing filter tells me "it's on the whitelist, so it's ok" when the DOMAIN is on the whitelist, but the IP that domain resolves to is actually fraudulent.

Jim: "What is the value of a whitelist to the *end-user*? The only value I see goes to the people on the whitelist, at the expense of the end-user."

I totally disagree. For one, I don't see any mention of how we, the end users, can modify or even view the white list. We have no clue what is on it and no way to decide what is on it. If nothing else, I think it should be entirely user controllable and even able to be turned off.

Finally, I agree that calling it phishing might not be the best idea. I think phishing should be mentioned but an explanation should be given. In late July the results of a Pew Internet and American Life research group reported that only 29% of American Internet users knew what phishing was. That means more than 2/3 of the American Internet users will be totally confused by these messages. I suspect that the percentage will be even lower in less developed countries where the media doesn't have as much influence on the people's lives.

re: Phishing Filter in IE7

codemastr — Mon, 12 Sep 2005 02:27:55 GMT

Woops, fingers were moving faster than my brain for a second there, that should have read "I totally agree" not disagree :)

re: Phishing Filter in IE7

Dub Dublin — Mon, 12 Sep 2005 06:05:00 GMT

PLEASE do not make the default to blindly strip off query strings, or at least make sure it only does so for the Internet Zone. The web is a LOT bigger than just public web sites, and this action will BREAK a very large number of devices with embedded web interfaces that legitimately use query strings as a means of passing state and request information.

At the very least, make sure the user is given an option to submit the query as requested, so that they have a prayer of actually being able to talk to a remote printer, firewall, sensor, camera, or other device, even if it's not on their LAN. Maybe something like: "IE can't tell if this site is trustworthy or not, proceeding could potentially be dangerous, but may be necessary in order for your request to work correctly. Proceed or Cancel?"

Oops.

game kid — Mon, 12 Sep 2005 06:11:02 GMT

(codemastr) Good point, but that wasn't what I meant.

My brain must've died there. Replace my part (the one after your quote) with:

When users visit Internet sites, check that the scam-site list server is up. If it is down OR TAKEN DOWN BY ADMINS BECAUSE THE SERVER OR ITS USERS DETECTED AN UNAUTHORIZED FILE CHANGE, alert with:

---------------------------
Unable to check site legitimacy
---------------------------
(MB_ICONWARNING) A problem is preventing Internet Explorer from verifying any sites. Any further Web sites you visit, including this one, cannot be verified as trustworthy at this time. Do not continue unless you are already sure of the site's legitimacy.
---------------------------
Continue Anyway | STOP
---------------------------

...you guys DO have soft/hard/firm/*ware to detect and alert admins of intrusions, right?

P.S. ADD POST-PREVIEW TO THIS BOARD. If http://slashdot.org/ can do it...

"Off Topic"

Fernando Bittencourt — Mon, 12 Sep 2005 07:13:00 GMT

I've searched a valid method to insert a flash object in a XHTML document and did the code below:

<object type="application/x-shockwave-flash" data="flash/index.swf">
<param name="movie" value="index/index.swf" />
<img src="imagens/index.gif" alt="" />
</object>

The browser IE 6.026, however, don't load the movie, being extremely slow. How I can to correct it?

P.S.: Excuse my poor English.

re: Phishing Filter in IE7

Wow — Mon, 12 Sep 2005 12:16:34 GMT

So, Microsoft is going to have the ability to blackmail every governor that visits 16-year-old-sluts.com without first taking the precaution of turning off the filter…

I can't think of any possible harm that could come from that.

re: Phishing Filter in IE7

Wow — Mon, 12 Sep 2005 12:30:36 GMT

Thinking about this even more, this is completely back-asswards. Why is the whitelist on the client-side and the blacklist on the server side? Are you suggesting the number of phishing sites out numbers the number of legit sites in the world by such a huge margin that it cannot be held on an average sized hard drive? I find that hard to believe. So what's the utility of having a blacklist online? Well, if it's online, it's easier to keep it up-to-date. But will thousands of new phishing sites really be reported every second of every day? Isn't checking for updates once a day enough?

Both lists should be on the client side and periodically updated. To do otherwise is a gross violation of privacy.

re: Phishing Filter in IE7

Samuel Poulton — Mon, 12 Sep 2005 13:32:53 GMT

I think this is a great idea so far. Phishing is one of the biggest threats on the internet and can make users more aware of what it is, and what it can do.
This looks like when you are downloading a file, it prompts you to check if it has any malicous code.
Nice, stuff we have got here. I think IE7 + XP SP2 is a big plus to security.

re: Phishing Filter in IE7

John C. Kirk — Mon, 12 Sep 2005 14:27:20 GMT

<i>Why is the whitelist on the client-side and the blacklist on the server side?</i>

I'd guess that most people tend to visit a small group of websites fairly frequently (e.g. going to the Dilbert website every morning), and having a local "approved list" will speed up those accesses.

More generally, I'd like to see anti-phishing stuff put into mail clients as well as the web browser. This may be off-topic for the IE blog, although I'm not sure whether Outlook Express still counts as an IE component. Anyway, my standard approach is to hover over a hyperlink and see whether the actual URL is completely different to the one in the text (e.g. an IP address vs www.paypal.com). It would be nice for the mail client to do that kind of test for me, although I can also see some complications (e.g. text that says "our shop" to legitimately hide a long URL).

More to the point, if I see an iffy thing like that, I'd be happy to report it to Microsoft for their blacklist, but I don't actually want to visit the site, so it would be good to have an option in the context (right-click) menu to deal with that.

re: Phishing Filter in IE7

Alberto — Mon, 12 Sep 2005 15:59:16 GMT

[
<An organized crime approach>

That's not phishing, it's fraud. Phishing is when the user thinks they're at one place, but they're at another.
]

My reply is for a laugh, not for arguing ok? :-)

That's not phishing, that's simply having clicked the wrong link.

Phishing is when the users think they're at one place, but they're at another - and in this other they get robbed, not given a chance to realize the error and go away :-)

re: Phishing Filter in IE7

AC — Mon, 12 Sep 2005 17:14:14 GMT

To be honest, I don't like the approach taken with the anti-phishing filter. It's a clear case of "#2 - Enumerating Badness" (http://www.ranum.com/security/computer_security/editorials/dumb/). Maybe it's time you should update your bag of tricks.

re: Phishing Filter in IE7

RalfK — Mon, 12 Sep 2005 17:53:15 GMT

Some questions to Tariq Sharif:
Is it a special IE7 feature or is it integrated into the WebBrowser control?

Is the feature IE6 compatible - that means does the filter extents the IHttpSecurity interface that allows programmers handle the dialog programmatically?

re: Phishing Filter in IE7

EricLaw [MSFT] — Mon, 12 Sep 2005 23:57:36 GMT

<< Still no explanation on why MS insists on sending the real URL rather than a hashed URL>>

I've answered this before. Wildcard DNS and folder redirection make it so hashing is an unworkable approach. Furthermore, as noted before, the universe of registered domain names is so tiny that it would be trivial to create a hash dictionary containing all registered domain names.

<<The "known good sites" list is a terrible idea. Read up on pharming and you'll see why. I type in www.microsoft.com, however, someone has hacked MS's DNS server so that it gives me an illegitimate IP rather than Microsoft's real IP. With the known good site stuff, IE is going to tell me that I am safe. >>

No, we didn't solve every security problem with the phishing filter. It helps prevent phishing attacks. IE will not tell you you are safe, but it will tell you that you are unsafe if a phishing attack was detected.

To prevent Pharming, you have to use SSL.

Other answers:

1> The "IsPhishing?" query is sent via SSL.
2> The "stripping off the querystring" applies only to what's checked against the web service. We're obviously not disabling query strings on the internet.
3> This is an IE7 feature and is not part of the browser control. The feature is not IE6-compatible, but you can check out the MSN toolbar's Anti-Phishing plugin.

IE7 Phishing Filter

JD on MX — Tue, 13 Sep 2005 02:04:08 GMT

IE7 Phishing Filter: Tariq Sharif of Microsoft's Internet Explorer team describes how the next OS/browser will guard against counterfeit sites (an email which says it's from your bank, but which actually serves a duplicate page hoping you'll enter your passwords,...

re: Phishing Filter in IE7

codemastr — Tue, 13 Sep 2005 06:41:49 GMT

"I've answered this before. Wildcard DNS and folder redirection make it so hashing is an unworkable approach."

If this were really your reason then you would not be stripping query strings. Query string redirection is very common, possibly more common than folder redirection... every site I make uses it. www.blah.com goes to a default page, www.blah.com/?page=somethingelse else is how you browse to other pages. Yet, even so you are stripping query strings. So if you can remove this feature which significantly reduces the effectiveness, in the name of privacy, why can't you remove other features? Furthermore, couldn't the domain be hashed but not the path 78321738219734218937/blah/blah2 is much harder for someone to track than nudemonkeys.com/blah/blah2...

"Furthermore, as noted before, the universe of registered domain names is so tiny that it would be trivial to create a hash dictionary containing all registered domain names. "

First of all the number of registered domains grows daily so by the time you created a list it would be obsolete (the same argument you're trying to use for the remote phishing database, remember?) So if it applies to phishing, it applies to domains - you can't have it both ways. But lets even assume you do have such a list. It's still a step in the right direction. It makes it harder for some evil MS employee to steal my info (remember the AOL employee who sold email addresses to spammers?) But to be honest, the mere fact that you basically said, "even then we could get the urls if we wanted to" makes me wonder why such a thought would have ever crossed your mind if MS really has no intention of capturing our browsing history. No technology is perfect, but that doesn't mean we shouldn't improve it. We should make it as good as we can.

Personally I'd rather the *possible* threat of phishing than the *guaranteed* threat of privacy invasion, but that's just me.

re: Phishing Filter in IE7

ptorr — Tue, 13 Sep 2005 09:08:50 GMT

I have a response at http://blogs.msdn.com/ptorr/archive/2005/09/13/464376.aspx (although Eric has a very good short summary above).

Codemastr -- if you don't like the feature, you can simply choose not to use it. It is provided for customers who make a different choice than you do (ie, would rather be protected against phishing and accept the potential risk to their privacy).

re: Phishing Filter in IE7

phaylon — Tue, 13 Sep 2005 14:30:36 GMT

Well, there may be some people who would like to comment *and* don't want to use it. That should only be a problem if you're afraid of critiques.

Phishing Filter in IE7 - conceptually flawed

d-signet — Tue, 13 Sep 2005 14:42:29 GMT

MS may aswell resign themselves to the fact that there ARE going to be ways around this filter, wether through querystring manipulation (as mentioned above) or whatever. New methods will evolve over IE7's lifespan.

The problem with this, is that we are talking about being responsible for the end user's confidence in third party websites.

If you have a filter built in to your browser which you are told will warn you about dodgy websites, Aunty Mabel is going to start to rely on this feature.

So who do you think she is going to blame when her credit card shows she has just bought 7000 xbox's off eBay, when she KNOWS she hasnt proceeded onto any sites her browser has warned her about.

"This browser said it would protect me, and it didn't"

Sure, you COULD put in a load of text in the installer or whatever saying "this doesnt GUARANTEE your safety, but it helps it!" or words to that effect, but how many times do you think Mabel is going to read that text? Once probably, before she starts thinking "oh, its that damn warning box again" and blindly clicks OK.

Even worse if its in the installer, as most Aunty Mabel's out there get nephew Jimmy who "knows all about computers" to install things for her. Who so you think told Mabel to install IE7 in the first place, and will he pass on EVERY warning dialogue through the installation process? Of course not, he'll go DOWNLOAD NOW -> NEXT -> NEXT -> NEXT -> "I've finished Aunty! Look at this nice new GUI"

Finally, how many phishing sites do you think last more than a few hours anyway? By the time someone has been daft enough to log into these sites, realised whats happened, sent the phishing report off, got the site blacklisted... thousands of people got the email at the SAME TIME as this guy, and unfortunately, some of them fell for it.

Phishing filters are a "wouldnt it be nice if..." feature, but totally unrealistic to implement

IE's Phishing Filter

Hacking for Christ — Tue, 13 Sep 2005 14:46:01 GMT

The IE Blog has a post about the new Phishing Filter which will be built into IE 7. Basically, there's a client-side whitelist and a server-side blacklist; if you turn the filter on, every URL you visit which is not on the whitelist gets sent off to Microsoft's servers to be checked. And if you suspect a site is a phishing site, you can click "Report Phishing Site" on the Tools menu to send that URL off into a queue to be verified. However, for privacy reasons, IE strips off the URL parameters before sending off URLs. And this is where the problems with such an approach start to become apparent. What guarantees that the web page the manual URL checker person views (requested without URL parameters) is going to be the same one that the original reporter saw? The URLs phishers distribute by email can be mangled and made unique in many ways; DNS wildcards, mod_rewrite and query parameters are just three. Really smart phishing site implementations would continue to server the phishing content for a given unique URL to the same IP address or class C range, but send innocent content back to any different IP address. Or they could use cookies to achieve the same effect. Microsoft engineer Peter Torr lists quite a few methods of URL mangling while explaining why the phishing filter doesn't use hashing. However, he doesn't say that they are all quite effective at making the filter's life difficult even without hashing. Server-blacklist-based anti-phishing implementations put you in an arms race, and one in which the phishers hold all the cards. They have 20,000-strong botnets with automatic deployment tools; you have to check every submitted URL by hand. They can invent new ways of obfuscating and redirecting URLs; you are limited by the tools built into your deployed client. They have a large financial incentive; you are giving away a free product. There's no magic bullet, but I believe the correct route to take is a combination of greater SSL use (which means we need SSL vhosting), stronger certificate field verification and OCSP, combined with in-browser standalone heuristics and a sprinkling of user education. A minimal amount of the latter is IMO, sadly, unavoidable - it's very hard to protect people who will put their credit card number into just any web form which asks for it....

Internet Explorer 7 - Orwell für Anfänger

Möhrenfeld — Tue, 13 Sep 2005 17:10:27 GMT

Wie netzpolitik.org berichtet, soll der neue Microsoft Internet Explorer 7.0 einen Phishing Filter der ganz besonderen Art enthalten:Alle Webseitenaufrufe werden zuerst an einen Microsoft-Server übermittelt, wo sie mit einer Blacklist abgeglichen werden.

Phishing Filter in IE 7.0

delsites.net — Tue, 13 Sep 2005 21:56:23 GMT

I am a website designer, therefore I am trying to be up-to-date with news from web browsers market. Recently, I have read about an interesting feature a Phishing Filter, which is supposed to be included in new Microsoft's browser Windows Internet Ex

The problem is Microsoft's approach

Sestus Data Corporation — Tue, 13 Sep 2005 22:46:31 GMT

Your reasoning for discounting the use of hashing within Microsoft's "phishing filter" is a bit misleading. Hashing (when used correctly) is a completely acceptable method of authentication. Indeed, hashing is now the standard adopted by all branches of the Unites States government for securing confidential data. See: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

It would perhaps be more accurate to say that Microsoft's approach does not support authentication techniques using hashing. This is not a failing of the hashing approach in general; rather, it is a failing with Microsoft's conceptual approach to preventing phishing. Microsoft is adopting a repeatedly failed "filtering" approach, using a remote database of blacklisted phishing websites. Microsoft's approach, by the way, will most likely be redundant and useless since the average lifespan of a phishing website is only 2.65 days. By the time the phishing website has been reported to Microsoft, evaluated, and the database updated, the damage will already have been done and the phishing website long abandoned by the phisher.

On Dec 14, 2004, the U.S. Federal Deposit Insurance Corporation (the FDIC) published a study presenting their findings on how the financial industry and its regulators could mitigate the risks associated with Phishing. In this report, the FDIC identified TWO ROOT CAUSES for the problem of phishing: 1) Authentication methods are insufficiently strong, and 2) The internet lacks website authentication capabilities. Virtually all other anti-phishing solutions, including Microsoft's "phishing filter", fail to address these two root causes. Some solutions simply lookup IP or other domain records and calculate risk. Some solutions, like Microsoft's, rely on databases of blacklisted websites and selectively permit or block access based on company-defined filtering rules (while tracking your browsing habits in the process). Other solutions, like Passmark SiteKey, simply add additional "red tape" to an existing weak login process, using multiple layers of images, audio recordings, or other user-supplied information. Strictly speaking, none of these solutions are actually authenticating anything. At best, they are simply adding additional more process layers to an already weak approach using non-standard rules, vulnerable databases and questionable public records. At worst, they may actually be providing phishers with even more confidential user information through their use of user-supplied images, recordings, and other personal information.

Of all the available anti-phishing solutions, PhishCops by Sestus Data Corporation is the only anti-phishing solution that actually mitigates the two root causes of phishing as identified by the FDIC. PhishCops is a patent-pending two-factor anti-phishing solution which uses an innovative implementation of mathematic authentication algorithms developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce, to authenticate websites directly.

PhishCops recently successfully completed a 5 month technical vetting (evaluation) process by one of the world’s largest financial entities (supporting hundreds of thousands of online merchants, banks, etc.) Also, for the past month Sestus Data Corporation has been quietly negotiating with a number of banks, internet infrastructure companies, and other organizations who have an interest in enhancing internet security generally, in preparation for a "launch" later this year. Several licensing announcements are now pending. In June of 2005, PhishCops was also named a semifinalist for the 2005 Homeland Security Award by the Christopher Columbus Fellowship Foundation in Washington D.C., a U.S. government agency. It may be partly due to PhishCops pending release that Microsoft rushed its phishing filter to market ahead of schedule.

For more information:
http://www.phishcops.com

re: Phishing Filter in IE7

Wed, 14 Sep 2005 00:43:23 GMT

Nice bit of advertising there...

re: Phishing Filter in IE7

Will — Wed, 14 Sep 2005 01:40:51 GMT

...And here come the marketers. Anyone who claims they've "solved" the phishing problem is lying to you, either out of ignorance, or the desire to sell something.

At least Microsoft is willing to explain how their technology works, the limitations of it, and what it protects against.

re: Phishing Filter in IE7

codemastr — Wed, 14 Sep 2005 04:20:34 GMT

"Codemastr -- if you don't like the feature, you can simply choose not to use it. It is provided for customers who make a different choice than you do (ie, would rather be protected against phishing and accept the potential risk to their privacy)."

This is irrelevant. My point is that we can be protected from phishing *AND* privacy violations. Microsoft has *CHOSEN* to introduce a privacy issue, it is not a necessity of a phishing filter. Again I say, virus scanners, spyware scanners, spam filters, none of these require remote servers, yet Microsoft expects us to believe phishing is vastly different, a difference I fail to see.

Indeed, if you don't like the feature, don't use it (and I won't). I'm simply suggesting that this should not be an issue because Microsoft could design the system in such a way that privacy is never jeopardized and I think we can all agree that would be the best, no phishing and no invasion of privacy.

"Phishing" is just a stupid term.

JD — Thu, 15 Sep 2005 08:00:16 GMT

"Phishing" is NOT a term that needs wider usage.

The real issue is that the URL is suspicious.

Call it "Suspicious web address".

Or call it "Easily Confused Website".

That describes http://paypol.com vs http://paypal.com

Honestly you should include whitehouse.com in such a list, though I know you wouldn't push it that far.

re: Phishing Filter in IE7

Robert D. — Thu, 15 Sep 2005 21:08:32 GMT

I'm just not sure an inexperienced computer user should have to read a paragraph of text just to answer a question that should be, by default, chosen for them. Phishing Filter should be run by default.

My father is not going to know, nor should he HAVE to know, what the heck a "Phishing Filter" is. If he doesn't understand phishing (and he doesn't... no matter how many times I explain it to him), isn't there a good chance he'll choose NOT to enable Phishing Filter, and in doing so get himself in trouble?

This is a classic example of an unnecessary choice. Just turn it on by default and protect my father without asking him silly questions he won't understand anyway.

re: Phishing Filter in IE7

karsten — Thu, 15 Sep 2005 22:15:48 GMT

<blockquote>If you are a site owner and your website is shown as suspicious or blocked, you too can click on the red or yellow warning in the Security Status Bar and click on the link to send feedback about the mistake. On the feedback page you can fill out the necessary information and request to have your website reevaluated.</blockqute>

sounds good, but might prove goof. imagine my site gets blacklisted (by accident, by concerted influx of fake browser history lists from 20.000+ botnets phishers use, or whatever technique comes up their minds), and this causes me loss of money. imagine my site being a webshop, but without customers since no one can actually access it.
then, in the middle of chaos and lost revenue, I have to fill out a form and have to wait

<blockqute>Once a request has been submitted it is reevaluated by the Phishing Filter team. Based on the reevaluation, the site will either be removed from the list or left as it is.</blockqute>

how long will it take? are there guarenteed response times? is there any compensation if my income loss is severe? what kind of plans are there against mass misuse by botnets?

re: Phishing Filter in IE7

Will — Fri, 16 Sep 2005 02:41:55 GMT

Test it against a live phishing site: http://193.4.240.7/AccountVerification/index.php spoofs EBay.

RobertD: They could never have this on-by-default, as this is considered a phone-home feature and that's illegal to have on by default in a lot of places.

Karsten: Botnets can't make a non-phishing site appear to be a phishing site. Remember they said they review sites before blocking them.

re: Phishing Filter in IE7

Tyler Close — Wed, 21 Sep 2005 02:30:45 GMT

Will the "Phishing Filter" also transmit https URLs to the Microsoft server? I hope it will not, as the URL itself may be a secret and the "Phishing Filter" would destroy the privacy provided by SSL.

re: Phishing Filter in IE7

Chris Haynes — Mon, 26 Sep 2005 15:53:09 GMT

I shall be disabling this immediately, and recommending all my contacts to do so as well because:

1) I don't want Microsoft judging the 'goodness' of any site. How on earth are they, legally, going to do that world-wide. Wait for the law suites as they denegrate sites with are legally valid under _local_ laws.

2) Requiring site owners to have to apply to Microsoft for permission to be visible on the Web is just crazy.

3) There _IS_ a major privacy issue here - they can watch and cross-reference all my browsing by indexing it by my static IP address (available from the query my browser sends to them). My IP address can be linked to my eMail address, and hence the domain I own, by looking at the trace headers in any message I post to a public list. My full name and address can be obtained from that domain's DNS registration.

4) Second MAJOR security issue that has just occurred to me: Many web services use URL-rewriting to place a session identifier into the URL (e.g. Sun's Servlet spec) - necessary if Cookies are not in use. This session ID is not in the query part which Microsoft strips out, it is in the part sent to Microsoft. So session security will have been compromised - while the session is open!

5) We need the answer to the question posed by someone else here about whether or not HTTPS URLs are sent. That, in combination with the above point about session IDs in URLs whuld be 'the nuclear option' as far as security is concerned.

6)I have no desire to spend my bandwith and processing helping Microsoft build up frequency-of-access tables for their search-enging rival to Google.

7) An engineering point: How on earth are they going to implement and scale this? Has anyone there sat down and calculated the rate of referrals if every site visited by everybody with IE7 (asuming it is as successful as is intended) has to refer to their server. They will have to offer the world a guaranteed response time and honor it - say 50 millisecs from anywhere in the world - otherwise browser usability will be shot to pieces. How many servers / how much bandwidth does this take up? It's almost as as if there was one central router for all HTTP traffic - it is a single choke-point. No matter that the look-up is asynchronous, either the information is there when some reads the page, or it's too late and Microsoft's implied promise to protect users has been dishonoured.

Nope - this is BAD engineering and will cause widespread anger and re-ignite global paranoia as the world comes to believe that, yet again, Microsoft are trying to subvert and control the Internet!

Don't you guys ever learn (or have someone paid to work out for you) what madcap schemes like this look like to the rest of the world? PR disaster in the making, again!

re: Phishing Filter in IE7

EricLaw [MSFT] — Wed, 28 Sep 2005 01:20:39 GMT

Chris-- Yup, you can certainly turn off the feature if you'd like. In response to your concerns:

1> Microsoft isn't judging the goodness of anything. Microsoft is exposing third-party data about whether a site is likely being used to phish. Whether or not phishing is legal in some jurisdiction isn't relevent; the point of the feature is to warn the user. They can ignore or disable the warning if they prefer.

2> Please reread how the feature works. There's no "applying for permission" to be visible.

3> If Microsoft was snooping on your traffic in ways that it doesn't, then yes, this information could be gleaned. Our privacy policy explains that we don't do this. (Incidentally, your ISP is better positioned to spy on you.)

4> Passing session information in paths is not a recommended mechanism of maintaining state in HTTP. Such state will show up in any logs on the server or a proxy.

5> SSL urls are checked if the site isn't on the known list. The same mitigations (host and path only) apply.

6> As noted in the privacy policy, this isn't how the data is used. It wouldn't even be relevant anyway, given the relatively small number of anti-phishing enabled clients.

7> Yes, we have engineering teams that calculate this sort of thing, and they will scale appropriately. Furthermore, the Browser User-Experience is coded such that a delay on the Antiphishing code doesn't "shoot to pieces" the usability of the browser.

Thanks for the feedback.

re: Phishing Filter in IE7

Chris Haynes — Wed, 28 Sep 2005 13:11:50 GMT

Eric: Thanks for the feedback, and the confirmation that the URL & path of SSL/TLS 'protected' page access will be copied to Microsoft.

Will you be modifying the 'padlock' symbol on the browser while this feature is enabled, to warn people that their browsing is no longer secret?

Re: session IDs embedded in paths: In some cultures, notably Germany, there is strong mistrust of all Cookies, and the embedding of sessionIDs in the path is the accepted 'standard alternate' way of handling this. Microsoft can't just deprecate this indistry-standard practice by fiat. Now, with even 'SSL-protected' sessions compromised by Microsoft (above), the concerns about session security must be enormous.

You suggest that this info is also available to one's ISP, but ISPs can't see the path-encoded session IDs of SSL sessions. Microsoft can.

To summarise: with this feature enabled, Microsoft will be told the full URL+path of every HTTP / HTTPS page request made. This is more data than any ISP or national security agency gets to see, and it has great potential for privacy invasion, blackmail, industrial espionage, political surveillance, etc., etc.

The fundamental question is: will people trust Microsoft with this data?

Microsoft IS aware of this trust concern. Look at the care taken with product upgrade and licence validation to explain to users that no confidential information will be uploaded to Microsoft - that there is simply a download of passive information. You really should be using something with this kind of architecture - even if it is less optimal from an engineering POV.

You are obviously gambling that people, world-wide, have total faith in American corporations and their employees and will fully trust them - to the extend of giving them access to thir confidential SSL browsing history, and (for those who don't even trust cookies) to their open, 'secure' sessions.

You are also, within your product team, perhaps gambling / hoping, that Microsoft 'corporate' don't realize what you are planning and its full PR impact. Your scheme blows a hole in all the careful trust that has been built up around the licence-validation processes - essential for Microsoft revenue. Now your team is putting that trust at risk. Is this a career-limiting risk you are prepared to take - for a feature which brings with it no directly-attributable revenue - only cost?

I strongly urge you to use a different architecture. Phishing-site info is essentially transient; sites will usually be closed down within a matter of days. The total number of 'current' sites cannot be too large - maybe 10,000 at any one time. Why not have the browser download once per hour the current list, or even use HTTP If-Modified-Since every minute, combined with an incremental format.

Any of these would avoid the security issues, all of them would reduce the central load, and all of them would avoid the inevitable perceived degradation in browser performance.

Think again Microsoft! With greatness comes responsibility - rise to that responsibility.

Transmitting an https URL path

Tyler Close — Wed, 28 Sep 2005 23:39:38 GMT

Please reconsider sending the path of an https URL to a third party server.

You may have your own views on what is the 'recommended way', but these are just your views. The 'recommended way' may not actually be the best, or even a workable, way of implementing access control in a web application. But this programming change forces your view on everyone and detroys the design freedom that the HTTP and HTTPS specifications provide. HTTP treats the path as opaque and allows the site to encode whatever it wants there. HTTPS provides *socket level* privacy for an HTTP session. This programming change greatly restricts both these dimensions.

I also don't see the upside to this loss of design freedom. Since you are not sending the query string, you can't do the same GET operation that the user did. Of what benefit is the path without the query string?

If you have to send anything, please send just the hostname component of the URL. This is the only part of the URL with defined semantics, and that is already transmitted in the clear.

re: Phishing Filter in IE7

Niclas Hedhman — Mon, 03 Oct 2005 13:17:34 GMT

Microsoft will probably never stop to amaze us with what they think they can get away with.

Chris Haynes is spot on target. This is so serious, I hope a class action suit (governments, large corporations and NGOs could also join in) will come out of it, just from the potential of what a disgruntled MS employee could do with this information.

This is NOT about power users being told "just turn it off". That is an antic similar to phising itself; "Just don't go to the site."

We don't you guys concentrate on stuff that makes a difference, without potentially stealing my bank account?? (Or is that the big plan?)

* http://www.microsoft.com@somethingveryinteresting.whatever.hedhman.org is a common trick. Users should be warned against such URLs.
* <a href="http://phisher.com/give/me/your/secrets>http://www.ebay.com/signin</a> is another awfully common one, that technology-ignorant people fall for (and that is what this is all about - ignorant people). Big warning after some careful analysis. False positives are damaging, and result in turning such off.
* The above for mail clients as well.
* Default to text in non-trusted (certificates / marked senders) mails. Possibly combined with no link creation by default.

I am sure if you bother to ask the community at large, many other techniques could be employed to vastly improve the current situation.

So, can the 3 member (so called) security team go back to the drawing board and remove this stupendous "feature" (probably violation of Geneva conventions of human rights would be closer to the truth (no opening of a sealed envelope)).

I am also flabbergasted over the number of M$ d**ks**kers around here, not thinking about implications and arguing over whether phishing is fraud or not, and if it should be called Scam Filter instead. Stop arguing and just send your Bank account information straight to Eric, Tariq and the team, so they can empty it at their leisure instead of polluting the world with more crap.

re: Phishing Filter in IE7

Wow — Mon, 03 Oct 2005 19:19:17 GMT

I still have yet to hear a cogent explanation of why it's neccessary to send the path of all of my non-whitelisted sites to Microsoft every page load, instead of downloading a fresh copy of the changes into my local blacklist file. Approximately how many new phishing sites are created everyday? Can someone give me a number? I still refuse to believe it's more than a few megabytes of text per year.

Less seriously, re: http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx#469639, when will MS come out with a blog spam filter? ;-)

re: Phishing Filter in IE7

Jean Pascal — Fri, 07 Oct 2005 13:43:58 GMT

Microsoft-Developers:

How do you bar competitors from blaming each other using phishing websites?

There really comes a high risk of abuse with this phishing website suggestion tool.

Greets Jean

Why IIS may be the most important product in Microsoft's toolbox.

Tobin Titus — Tue, 31 Jan 2006 12:13:56 GMT

I've been asked a couple of times why I accepted a position working with IIS 7.&nbsp; Someone even quipped...

Internet Explorer Administration Kit and Group Policy in IE7

IEBlog — Wed, 22 Feb 2006 00:28:17 GMT

I am a program manager on the Internet Explorer team and in this post I would like to share what we are...

Why IIS may be the most important product in Microsoft's toolbox.

Tobin Titus — Fri, 24 Feb 2006 03:21:30 GMT

I've been asked a couple of times why I accepted a position working with IIS 7.&nbsp; Someone even quipped...

???????????? » IE7 ???????????????????????????

???????????? » IE7 ??????????????????????????? — Sun, 26 Feb 2006 10:46:41 GMT

PingBack from http://blog.istef.info/2005/09/12/phishing-filter-google/

Bernie’s ramblings… » Firefox + Google Safe Browsing plugin = no phishing

Bernie’s ramblings… » Firefox + Google Safe Browsing plugin = no phishing — Sun, 12 Mar 2006 00:30:46 GMT

PingBack from http://www.ebernie.net/blog/2006/03/12/firefox-google-safe-browsing-plugin-no-phishing/

Security tweaks in IE7

IEBlog — Wed, 15 Mar 2006 23:50:07 GMT

As we’ve described
previously, we’ve made some major architectural improvements to improve browsing...

New enhancements to Phishing Filter protection for IE

IEBlog — Fri, 17 Mar 2006 21:59:53 GMT

Hello, I’m John Scarrow and am the general manager for the Anti-Spam and Anti-Phishing Team at Microsoft....

Safety First at Mix06

IEBlog — Tue, 21 Mar 2006 03:25:15 GMT

I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work....

IE7 - フィッシング詐欺検出機能

ウィンドウズ開発統括部 — Fri, 12 May 2006 14:57:58 GMT

IE7 - フィッシング詐欺検出機能

HD DVD / Randomness... : Why not use hashes for the Anti-Phishing Filter?

HD DVD / Randomness... : Why not use hashes for the Anti-Phishing Filter? — Tue, 23 May 2006 00:33:04 GMT

PingBack from https://blogs.msdn.com:443/ptorr/archive/2005/09/12/604147.aspx

SBELYEA and stuff » Microsoft and Symantec go tit-for-tat?

SBELYEA and stuff » Microsoft and Symantec go tit-for-tat? — Tue, 27 Jun 2006 05:51:53 GMT

PingBack from http://sbelyea.wordpress.com/2006/06/26/microsoft-and-symantec-go-tit-for-tat/

IE7 Beta 3 at My Online Diary

IE7 Beta 3 at My Online Diary — Fri, 30 Jun 2006 20:44:58 GMT

PingBack from http://www.venukb.com/blog/2006/06/30/ie7-beta-3/

IE7 to become your befault browser - by default

David Overton's Blog — Thu, 27 Jul 2006 06:27:16 GMT

I read about this internally yesterday and then on the blog posts today - IE7 will become part of the

Revised IE7 Naming in Windows Vista

IEBlog — Sat, 05 Aug 2006 01:34:16 GMT

I had mentioned a while back that we planned to call the version of IE7 in Windows Vista “Internet...

微软把IE7…重新命名为IE7

hongquan — Sat, 05 Aug 2006 14:28:54 GMT

在五月底的时候，微软的IE开发小组曾说过要将Windows Vista中的IE命名为“Ineternet Explorer 7 ”。但现在他们又改变了注意，放弃了“ ”的称谓，没有后缀，没有.x，就只是“Internet Explorer 7”。

Revised IE7 Naming in Windows Vista at Windows X’s Shrine

Revised IE7 Naming in Windows Vista at Windows X’s Shrine — Sun, 06 Aug 2006 00:23:03 GMT

PingBack from http://www.windowsxlive.net/?p=55

iskenderiye » Revised IE7 Naming in Windows Vista

iskenderiye » Revised IE7 Naming in Windows Vista — Tue, 08 Aug 2006 19:16:07 GMT

PingBack from http://www.iskenderiye.com/wordpress/?p=79

IE7 to be distributed via Automatic Updates! » Dee’s-Planet! Blog

IE7 to be distributed via Automatic Updates! » Dee’s-Planet! Blog — Sat, 19 Aug 2006 23:33:20 GMT

PingBack from http://www.roks.xmgfree.com/blog/2006/08/19/ie7-to-be-distributed-via-automatic-updates/

Anti-Phishing Accuracy Study

IEBlog — Thu, 28 Sep 2006 16:00:23 GMT

As we’ve worked on the new Phishing Filter in IE7, we knew the key measure would be how effective it...

מסעותיו של מרק בשבילי החיים » ארכיון » בדרך לאבטחה טובה צריך לוותר על קצת פרטיות

Sat, 21 Oct 2006 02:40:24 GMT

PingBack from http://marksw.com/wordpress/?p=176

Google Toolbar's Safe Browsing Helps Fight Phishing Attempts

Technology Evangelist — Sun, 22 Oct 2006 19:07:58 GMT

I imagine just about everyone reading this has encountered some form of phishing emails. Common examples would be emails supposedly coming from sites like PayPal, Ebay, or large banks asking you to update your account information. Of course, the real..

Comparaci??n de los sistemas anti-phishing, Navegadores.org

Comparaci??n de los sistemas anti-phishing, Navegadores.org — Thu, 26 Oct 2006 06:34:37 GMT

PingBack from http://navegadores.org/comparacion-de-los-sistemas-anti-phishing

Blog Posible » Blog Archive » Y lleg?? Firefox 2.0

Blog Posible » Blog Archive » Y lleg?? Firefox 2.0 — Thu, 26 Oct 2006 11:12:43 GMT

PingBack from http://www.webposible.com/blog/?p=280

Internet - Articles, Tips, News, and Info - MsXLabs Organization

Internet - Articles, Tips, News, and Info - MsXLabs Organization — Fri, 27 Oct 2006 00:07:52 GMT

PingBack from http://www.msxlabs.org/forum/international-forum-english/11432-internet-articles-tips-news-and-info.html#post245892

The Browser Den » Blog Archive » Pointless Slashdot article

The Browser Den » Blog Archive » Pointless Slashdot article — Mon, 30 Oct 2006 10:15:13 GMT

PingBack from http://browserden.co.uk/blog/2006/10/29/pointless-slashdot-article/

dutacom.net: Another Web Blog Of Kliknet [Internet Public Service] » Blog Archive » Mozilla Firefox 2 Released

Tue, 31 Oct 2006 18:58:15 GMT

PingBack from http://dutacom.net/blog/2006/10/31/mozilla-firefox-2-released/

JurekS blog » Blog Archive » Nowa wersja Firefoxa - Firefox 2

JurekS blog » Blog Archive » Nowa wersja Firefoxa - Firefox 2 — Fri, 17 Nov 2006 20:20:53 GMT

PingBack from http://jureks.ovh.org/blog/?p=5

au8ust’s tech channel » Blog Archive » Microsoft Releases First IE7 Update

au8ust’s tech channel » Blog Archive » Microsoft Releases First IE7 Update — Fri, 15 Dec 2006 03:13:34 GMT

PingBack from http://www.au8ust.org/2006/12/15/microsoft-releases-first-ie7-update/

jon.oberheide.org - blog

jon.oberheide.org - blog — Sat, 06 Jan 2007 09:27:06 GMT

PingBack from http://jon.oberheide.org/blog/2006/11/13/google-safe-browsing/

cryptogon.com » Archives » Any Lawyers Out There Want to Help Me Sue Microsoft?

Sat, 20 Jan 2007 02:51:01 GMT

PingBack from http://cryptogon.com/?p=246

Montreal IT » Blog Archive » Better Browsing Part1

Montreal IT » Blog Archive » Better Browsing Part1 — Thu, 19 Apr 2007 03:11:58 GMT

PingBack from http://www.mtlit.com/blog/2007/04/18/better-browsing-part1/

Atoma pieraksti » K?? m??s aizsarg?? p??rl??ki ?

Atoma pieraksti » K?? m??s aizsarg?? p??rl??ki ? — Thu, 12 Jul 2007 13:31:47 GMT

PingBack from http://tups.lv/blog/2007/07/12/ka-mus-aizsarga-parluki/

Actors and Actresses » Archive du blog » Random Hacks! : Phishing - a social malice by e-Zombies

Fri, 04 Jan 2008 10:12:47 GMT

PingBack from http://actors.247blogging.info/?p=1442

Actors and Actresses » IEBlog : Phishing Filter in IE7

Actors and Actresses » IEBlog : Phishing Filter in IE7 — Tue, 11 Mar 2008 14:33:17 GMT

PingBack from http://actorandactressblog.info/ieblog-phishing-filter-in-ie7/

Actors, Actresses, and the Movies » IEBlog : Phishing Filter in IE7

Actors, Actresses, and the Movies » IEBlog : Phishing Filter in IE7 — Wed, 19 Mar 2008 01:43:05 GMT

PingBack from http://actorsnotinmoviesblog.info/ieblog-phishing-filter-in-ie7/

phishing filter wiki

phishing filter wiki — Mon, 12 May 2008 15:59:52 GMT

PingBack from http://jonah.clearmediainc.info/phishingfilterwiki.html

free spam filter for internet explorer

free spam filter for internet explorer — Tue, 20 May 2008 23:08:01 GMT

PingBack from http://elaine.starmedianews.info/freespamfilterforinternetexplorer.html

How to Protect Your Business from Phishing Scams - SEO EXPERTS

How to Protect Your Business from Phishing Scams - SEO EXPERTS — Thu, 29 May 2008 17:26:49 GMT

PingBack from http://seoxp.net/security-tips/how-to-protect-your-business-from-phishing-scams.html

Direct 2Dell » Uncategorized » Updating an old Friend

Wed, 04 Jun 2008 14:10:11 GMT

PingBack from http://toptunetech.com/wordpress_eng/?p=18

IE8 Security Part III: SmartScreen® Filter

IEBlog — Wed, 02 Jul 2008 19:01:05 GMT

As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

» IE8 Security Part V: Comprehensive Protection

» IE8 Security Part V: Comprehensive Protection — Wed, 02 Jul 2008 23:06:36 GMT

PingBack from http://internetexplorerblog.info/?p=145

» IE8 Security Part III: SmartScreen?? Filter

» IE8 Security Part III: SmartScreen?? Filter — Wed, 02 Jul 2008 23:09:08 GMT

PingBack from http://internetexplorerblog.info/?p=147

IE8 Security Part III: SmartScreen® Filter - Tech today

IE8 Security Part III: SmartScreen® Filter - Tech today — Thu, 03 Jul 2008 04:54:44 GMT

PingBack from http://techtoday.110mb.com/2008/07/03/ie8-security-part-iii-smartscreen-filter/

IE8 SmartScreen Filter: Security Part - 3 » D' Technology Weblog: Technology, Blogging, Tips, Tricks, Computer, Hardware, Software, Tutorials, Internet, Web, Gadgets, Fashion, LifeStyle, Entertainment, News and more by Deepak Gupta.

Thu, 03 Jul 2008 12:27:58 GMT

PingBack from http://www.ditii.com/2008/07/03/ie8-smartscreen-filter-security-part-3/

London Web Design & SEO Services » Blog Archive » Phishing

London Web Design & SEO Services » Blog Archive » Phishing — Mon, 29 Sep 2008 18:27:42 GMT

PingBack from http://www.londonwebdesignservices.com/phishing/2008/

Baby name meaning and origin for Sharif

Baby name meaning and origin for Sharif — Wed, 17 Dec 2008 18:31:37 GMT

PingBack from http://www.baby-parenting.com/baby/babyname/Sharif

IE8 보안 5부 : 통합 보호

IE8 팀 블로그 — Tue, 17 Mar 2009 11:53:26 GMT

    안녕하세요! 저는 인터넷 익스플로러 보안 프로그램의 책임자인 에릭 로렌스라고 합니다. 지난 화요일, 딘(Dean)이 신뢰성 높은 브라우저 에 대한 저희의 생각을

UnderForge of Lack » Blog Archive » IE8 is currently best anti-malware Browser ever?

Wed, 25 Mar 2009 04:46:03 GMT

PingBack from http://www3.atword.jp/gnome/2009/03/25/ie8-is-currently-best-anti-malware-browser-ever/

IEBlog Phishing Filter in IE7 | Paid Surveys

IEBlog Phishing Filter in IE7 | Paid Surveys — Sat, 30 May 2009 07:23:50 GMT

PingBack from http://paidsurveyshub.info/story.php?title=ieblog-phishing-filter-in-ie7

IEBlog Phishing Filter in IE7 | Wood TV Stand

IEBlog Phishing Filter in IE7 | Wood TV Stand — Wed, 03 Jun 2009 03:37:42 GMT

PingBack from http://woodtvstand.info/story.php?id=82701

IEBlog Phishing Filter in IE7 | Patio Chairs

IEBlog Phishing Filter in IE7 | Patio Chairs — Wed, 03 Jun 2009 05:34:49 GMT

PingBack from http://patiochairsite.info/story.php?id=27260

IEBlog Phishing Filter in IE7 | Toe Nail Fungus

IEBlog Phishing Filter in IE7 | Toe Nail Fungus — Tue, 09 Jun 2009 09:01:39 GMT

PingBack from http://toenailfungusite.info/story.php?id=2425

IEBlog Phishing Filter in IE7 | patio set

IEBlog Phishing Filter in IE7 | patio set — Sun, 14 Jun 2009 20:04:32 GMT

PingBack from http://patiosetsite.info/story.php?id=10

IEBlog Phishing Filter in IE7 | debt consolidator

IEBlog Phishing Filter in IE7 | debt consolidator — Mon, 15 Jun 2009 22:41:42 GMT

PingBack from http://mydebtconsolidator.info/story.php?id=2208

IEBlog Phishing Filter in IE7 | internet marketing tools

IEBlog Phishing Filter in IE7 | internet marketing tools — Tue, 16 Jun 2009 08:04:14 GMT

PingBack from http://einternetmarketingtools.info/story.php?id=1587

IEBlog Phishing Filter in IE7 | unemployment office

IEBlog Phishing Filter in IE7 | unemployment office — Tue, 16 Jun 2009 11:05:46 GMT

PingBack from http://unemploymentofficeresource.info/story.php?id=15173

IEBlog Phishing Filter in IE7 | alternative dating

IEBlog Phishing Filter in IE7 | alternative dating — Wed, 17 Jun 2009 10:08:07 GMT

PingBack from http://topalternativedating.info/story.php?id=3743