Opera 9.1 to include Fraud Protection (aka a Phishing Filter)
"When you go to a new site for the first time, Opera will check against a database if the site is trusted or if it is a known fraud site. If we know the site, there will be a small information "i" in the right end of the address field. If it's unknown/not verified there will be a "?" and if it's known as a fraudulent site we will display a warning and block the user from accessing the site."
The Opera Team says:
"Why don't we use a downloaded blacklist like Firefox 2?
Firefox 2 only checks against a blacklist unless you turn on real-time protection from Google or other providers. We feel that only real-time protection is real protection, since phishing attacks tend to be more and more like virus attacks, most of their damage is done in a very short time."
I agree with the above statement, although I wouldn't compare them with virus attacks - heck, look at the Apple debacle where iPods were shipped infected with a Trojan that had been detectable since June. Phishing sites have a very short lifespan, sometimes lasting only hours before being shut down, but this is long enough to capture victims. A blacklist that is updated every (unknown) period of time is not sufficient protection.
I've been testing how Firefox reacts to phishing sites when set to use only the blacklist for several days now. I am lucky enough to receive information about discovered, and reported, phishing sites via the Phishing Incident Reporting and Termination (PIRT) Squad and therefore have a steady stream of fresh phishing sites to play with.
I am seeing a consistent problem where Firefox is not detecting very new phishing sites that are *always* being detected by IE7 *when tested at the same time*. I'm not sure of the specifics, but it seems as if Firefox only updates its blacklist while the browser is running. If Firefox is not already running, it will invariably fail to detect the first few URLs that I test; when I go back and check again a short time later, the sites are then detected, but by then it may be too late for the inexperienced user depending on Firefox to protect them. Therefore, I strongly recommend you enable the option to use Google's dynamic phishing protection when using Firefox.
The Opera team then goes on to say:
"Why don't we use a downloaded whitelist like IE 7?
This makes some sense, especially to save bandwidth for our servers. But for the privacy-concerned user, we don't think it changes anything, since it's typically the more obscure sites that you really want to keep to yourself. We've made it easy to turn on and off the fraud protection from the information dialog you get when clicking the icon."
The Opera team are wrong when they say that the IE7 whitelist does not change anything. When IE checks the local whitelist and discovers that the URL you wish to visit is in that list, the Phishing Filter engine will not contact the URL Reputation Web Server at all. It should also be remembered that the IE7 whitelist not only stores the original list of known safe URLs but, as time goes on, also builds a local cache of already checked URLs, further reducing the need for online checks - something that you would think people would see as *increasing* privacy, not decreasing it.
Finally the team says:
"The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home"."
Hang on a sec. I would expect that privacy concerned individuals would NOT want data to be transmitted in plain text. If the user can inspect the data, then so can anybody else that happens to capture it. Because the data is transmitted in plain text I have no choice but to recommend that Opera users NOT use 9.1's inbuilt Fraud Protection unless Opera switches to SSL between now and the release of 9.1.
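As an added illustration (not Opera's, Firefox's or Microsoft's code), the following Python model shows the lookup order the two points above argue over: a shipped whitelist and a session cache answer locally without sending anything home, only unknown hosts go out in a request, and a signed reply lets the client detect a tampered verdict but does nothing to hide the queried URL from whoever captures the plaintext request. The signing key, host lists and reply format are constructed assumptions, not any vendor's protocol.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key standing in for the server's signing key; not a real vendor key.
SERVER_KEY = b"constructed-demo-key"
KNOWN_FRAUD_HOSTS = {"login-update.example.net"}             # constructed sample data
SHIPPED_WHITELIST = {"www.example.com", "bank.example.org"}  # constructed sample data


def sign_reply(url: str, verdict: str) -> dict:
    """Server side: verdict plus a MAC over (url, verdict), so a forged reply is detectable."""
    tag = hmac.new(SERVER_KEY, f"{url}|{verdict}".encode(), hashlib.sha256).hexdigest()
    return {"url": url, "verdict": verdict, "sig": tag}


def verify_reply(reply: dict) -> bool:
    """Client side: accept the verdict only if the signature over (url, verdict) matches."""
    expected = hmac.new(SERVER_KEY, f"{reply['url']}|{reply['verdict']}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(reply["sig"], expected)


def reputation_server(url: str) -> dict:
    """Stand-in for the online reputation service: answers from a constructed fraud list."""
    host = urlsplit(url).hostname
    return sign_reply(url, "fraud" if host in KNOWN_FRAUD_HOSTS else "unknown")


class FraudFilter:
    def __init__(self, whitelist, server):
        self.whitelist = set(whitelist)  # shipped list of known-safe hosts (the IE7 approach)
        self.cache = {}                  # verdicts for hosts already checked this session
        self.server = server
        self.wire = []                   # every URL that left the machine in a plaintext request

    def check(self, url: str):
        host = urlsplit(url).hostname
        if host in self.whitelist:
            return "trusted", "local whitelist"      # nothing sent home
        if host in self.cache:
            return self.cache[host], "local cache"   # nothing sent home
        self.wire.append(url)  # over plain HTTP an on-path observer sees exactly this
        reply = self.server(url)
        if not verify_reply(reply) or reply["url"] != url:
            return "unknown", "reply rejected"       # signing guards integrity, not secrecy
        self.cache[host] = reply["verdict"]
        return reply["verdict"], "online lookup"
```

After a whitelisted and a cached host, `wire` still holds only the one URL that had to be looked up online, which is the privacy gain the whitelist buys; what it holds is still readable by anyone on the path, which is the gap signing alone cannot close.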
Firefox and IE7 both transmit phishing checks and data via SSL. Further information about how the IE7 Phishing Filter addresses privacy concerns can be found here:
I see one problem common to IE7, Firefox and Opera's phishing protection: all three check asynchronously, that is, the phishing page is allowed to continue loading while the checks are being made. Considering the risk to users from exploits and hostile code on phishing sites, I would prefer it if sites were not allowed to load until they had been checked, or at the very least were loaded in the Web browser's Restricted Sites zone, effectively crippling any hostile code, until the checks complete, at which time a site that proves to be safe would be treated as being in the user's standard Internet zone.