On Thu, 29 Aug 2019 18:44:11 -0700 (PDT)
Kirk Hall via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> OK, I'll try one last time to see if you are willing to share Google
> information that you have with this group on the question at hand (Do
> browser phishing filters and anti-virus apps use EV data in their
> anti-phishing algorithms).  

For the AV apps I can totally believe they'd do this because bogus
assumptions are more or less their bread and butter. "It's an EV cert
so it's safe" is exactly the kind of logic I can imagine them employing.

But it really doesn't seem like a good fit for Google Safe Browsing; if
they do try to triangulate from EV, that seems like a big leap to me.

For readers unfamiliar, let me briefly explain what Safe Browsing gives
browsers:

For every URL you're considering displaying you calculate a whole bunch
of cryptographic hashes, of the whole URL, just the FQDN and certain
other combinations. Then you truncate the hashes and you see if the
truncated hashes are in a small list Google gave you (a browser will
update this list periodically using a synchronisation API Google
designed for the purpose).

If one of your truncated hashes /is/ in the list, maybe this is
Phishing! You call Google, telling them the truncated hash you are
worried about, and Google gives you a complete list of full (not
truncated) hashes you should worry about with this prefix. It might be
empty (the phishing attack is gone) or have multiple entries.

Only if the full hash you were worried about is in that fresh list from
Google do you tell the user "Ohoh. Phishing, probably go somewhere
else"; in all other cases everything is fine.


This design has important privacy properties because it means Google
definitely isn't told which pages you visit, and ordinarily it doesn't
even learn roughly how many pages you're visiting or anything like
that. Only when you try to visit a phishing site, or there's a random
coincidence, it learns (if it chooses to remember) that someone from
your IP either tried to visit a phishing site or there was a random
coincidence, and not which of those options it was.

Most phishing detections aren't for a whole site, they are
page-specific. So maybe jims-oil-change.example is a perfectly
legitimate site for Jim the auto mechanic with a Let's Encrypt cert, but
his poorly configured PHP setup means bad guys create
https://jims-oil-change.example/.temp/PayPal.com/security which is a
PayPal phish form.

The Safe Browsing design lets Google add the hash for that nasty
phishing page, without also making Jim's harmless front page get an
angry message in browsers.

Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
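As an added illustration of the lookup flow Nick describes (constructed example code, not part of the thread and not Google's implementation), here is a toy model of the local prefix-list check followed by the full-hash query, run against Jim's site. The URL-expression rules are simplified, and the server, its blocklist and the stale "old-phish.example" prefix are all constructed assumptions:

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes sent to the server; real lists use 4- to 32-byte prefixes

def url_expressions(url):
    """Host-suffix x path-prefix strings to hash (simplified: the real spec
    caps this at 5 host suffixes and 6 path prefixes per URL)."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    hosts = [".".join(host.split(".")[i:]) for i in range(host.count("."))]  # never the bare TLD
    segs = [s for s in path.split("/") if s]
    paths = ["/"] + ["/%s/" % "/".join(segs[:i]) for i in range(1, len(segs))] + [path]
    return list(dict.fromkeys(h + p for h in hosts for p in paths))  # dedupe, keep order

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

def prefix(h):
    return h[:PREFIX_LEN]

class SafeBrowsingServer:  # constructed stand-in for the sync and full-hash endpoints
    def __init__(self, phishing_exprs):
        self.table = {}
        for e in phishing_exprs:
            self.table.setdefault(prefix(full_hash(e)), []).append(full_hash(e))

    def local_prefix_list(self):
        return set(self.table)  # what the sync API hands out to browsers

    def find_full_hashes(self, p):
        return list(self.table.get(p, []))  # empty when the attack is already gone

class Browser:
    def __init__(self, prefix_list, server):
        self.prefix_list, self.server, self.sent = prefix_list, server, []

    def is_phishing(self, url):
        for expr in url_expressions(url):
            h = full_hash(expr)
            if prefix(h) in self.prefix_list:  # local hit: phishing or a coincidence
                self.sent.append(prefix(h))  # only the truncated hash leaves the client
                if h in self.server.find_full_hashes(prefix(h)):
                    return True  # full hash confirmed: warn the user
        return False  # no hit, or a coincidence the server did not confirm

# Constructed scenario: only Jim's planted page is listed; a stale prefix is also put
# in the local list to model an attack that has since been cleaned up.
SERVER = SafeBrowsingServer(["jims-oil-change.example/.temp/PayPal.com/security"])
LOCAL = SERVER.local_prefix_list() | {prefix(full_hash("old-phish.example/"))}
BROWSER = Browser(LOCAL, SERVER)
```

Jim's front page never causes a server round-trip, the planted page is confirmed and blocked, and the stale prefix is queried but not confirmed, so `BROWSER.sent` records exactly what the server learned.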