So here's the question:

Who's dealing with phishing in Mozilla?

Discussion below, ending in the question.

Previous emails on this subject are on the Mozilla
security maillist.

iang


On Tuesday 07 June 2005 03:11, Tyler Close wrote:
> On 6/5/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> > You can drive all the anti-phishing work you want without ever getting
> > into the Mozilla Security Group. Although if you did significant work,
> > you'd probably be invited anyway.
>
> OK, so after you've written the papers and the code what's the next
> step along this path?
>
> I've implemented the petname tool, an anti-phishing browser extension.
> You can find it at:
>
> http://petname.mozdev.org/
>
> There's a fully functional Firefox extension available at that site.
> The code has been written. I've also written several papers about the
> petname tool and why it works. There's been an extensive review of
> this work on another security focused mailing list. Now how do I go
> about getting the Mozilla Security Group to review this work and
> incorporate it into the main Firefox UI? If no one has the time or
> inclination, how do I become a member of the Mozilla Security Group so
> that I can commit the changes to CVS myself? I have extensive
> experience producing security critical code, much of which has been
> scrutinized by some of the best minds in the field.

I've previously looked at the pages on /security/ for
guidance and not found a way forward.  I think we
need more help from Mozilla in how to deal with this.

This page speaks about the security bug group.  Now
in my mind, this was the "security team" but I am now
uncertain, I can't find the page that shows the security
team in order to check if they are the same thing.

http://www.mozilla.org/projects/security/security-bugs-policy.html

Regardless, I think that this group is an inappropriate
venue for discussion of the issue at hand.  It is all
oriented to sensitivity / disclosure.  It's a closed group,
with a closed list, set up to discuss security-sensitive bugs
in private.

Phishing is not that, it's been a documented issue since
about 1997 that I know of.  People write papers on it, they
form associations, the Congress in the USA holds hearings
on it, there has been code addressing it for Mozilla since
2000 or so (Ye and Smith)...

But if it is then let's hear it directly from someone who is
in a position to know these things.

There is the bug bounty program but that's irrelevant to
the issue at hand - rule #1 states it should be an original
reporting of the bug, and a later rule says it should be
a security-sensitive bug.

http://www.mozilla.org/security/bug-bounty.html

Either way it appears that Phishing will not be recognised
as an issue by Mozilla until it is reported to the security bug
group.  It's not mentioned on any of the pages that I could
see, even though it is the #1 threat to browsers.

As it has been filed / mentioned in a few bugzilla bug reports,
generally as a reference because it is a syndrome not a bug,
and as that has not caused it to be elevated to an issue in its
own right, bugzilla has not been the way forward.

I think we need more guidance.  There were a few places
where it suggested anything security related be sent to
[EMAIL PROTECTED] so that's what I've done.

It seems that everything is organised in modules, but there
are about 6 or 7 modules that are to do with security, and
that's without thinking of the browser and UI components.
In this case, there is a suggestion that the question be
directed to [EMAIL PROTECTED]

So here's the question - who's dealing with phishing?

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
