Firefox Will Warn Users When Visiting Sites That Suffered a Data Breach (bleepingcomputer.com) 22
Date: 2017-11-23
An anonymous reader writes: Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches. The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents. Work on this project has only recently started. The code to show these warnings is not even in the Firefox codebase but managed separately as an add-on available (on GitHub). The alert also includes an input field. In the add-on's current version this field doesn't do anything, but we presume it's there to allow users to search and see if their data was exposed during that site's security breach. Troy Hunt, Have I Been Pwned's author, has confirmed his official collaboration with Mozilla on this feature.
Yes! (Score:2, Insightful)
Finally, a feature that makes me want to use Firefox.
Except how useful is this given that it's going to warn me about every single site I visit?
Re: Yes! (Score:2)
Re: (Score:2)
Finally, a feature that makes me want to use Firefox.
Except how useful is this given that it's going to warn me about every single site I visit?
Look on the bright side, at least you'll get a giggle out of seeing a warning banner with an announcement that reads something like this 'Warning: This organisation was hacked by the Russian intelligence services due to the utterly inadequate security measures employed by this organisation.' every time you visit gop.org and democrats.org.
Re: (Score:2)
I wonder if it might give people a false sense of security. Just because a site isn't flagged up doesn't mean it hasn't been hacked or is secure.
Harvesting the sites I visit (Score:1)
Re: (Score:3)
So now, Firefox will be tracking and harvesting the sites I visit? Wow, Mozilla really is turning Firefox into a Chrome clone.
Having looked at the code: No, it downloads a breach list from here: https://stage.haveibeenpwned.c... [haveibeenpwned.com] It does not send all your browsing history to them.
If you enter your email address that will be sent to the site for checking, but that's obviously optional.
Re: (Score:2)
Why am I reading this as "Firefox will share your browsing history with another partner."
Probably because you have a bias.
Is this list downloaded and compared locally? I doubt it too.
Yes, this is exactly how it works. It downloads a list from here: https://stage.haveibeenpwned.c... [haveibeenpwned.com]
The beauty of open source code is you can see how it works, if you aren't too lazy to just not bother.
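A sketch of the "download the list, compare locally" design described in the comments above, added here as an illustration and not taken from the Mozilla add-on. The record fields (`Name`, `Domain`, `BreachDate`) follow the shape of Have I Been Pwned breach records; the sample values and function names are constructed for this example.

```javascript
// Constructed sample data in the shape of a downloaded breach list.
// The values are made up for illustration; no network access is needed.
const SAMPLE_BREACHES = [
  { Name: "ExampleForum", Domain: "forum.example", BreachDate: "2016-03-01" },
  { Name: "ExampleShop", Domain: "shop.example", BreachDate: "2015-11-20" },
  { Name: "NoDomainDump", Domain: "", BreachDate: "2014-01-01" },
];

// Build a domain -> breaches lookup once, after the list is fetched.
function buildBreachIndex(breaches) {
  const index = new Map();
  for (const b of breaches) {
    const domain = (b.Domain || "").trim().toLowerCase();
    if (!domain) continue; // records without a site domain cannot be matched
    if (!index.has(domain)) index.set(domain, []);
    index.get(domain).push(b);
  }
  return index;
}

// Check a visited URL against the local index. The visited URL is only
// read here; it is never transmitted anywhere.
function findBreaches(index, visitedUrl) {
  let host;
  try {
    const u = new URL(visitedUrl);
    if (u.protocol !== "http:" && u.protocol !== "https:") return [];
    host = u.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  } catch {
    return []; // not a parseable URL
  }
  // Match on whole DNS labels so login.shop.example matches shop.example
  // but notshop.example does not. The bare top-level label is never tried.
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (index.has(candidate)) return index.get(candidate);
  }
  return [];
}
```

With this design the only request the list provider sees is the periodic list download, which is the same for every user regardless of which sites they visit.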
Mozilla.org plans: Firefox for gov. surveillance? (Score:2)
Or: "Firefox will continuously do hidden things you don't want it to do. That will be the 1st step in other planned surveillance."
Doing sneaky acts that are bad for other people is also extremely unhealthy for those who plan and do those acts. It is degrading mentally.
"Just a list" is still notifying about activity. (Score:2)
The underlying problem? One problem that the management of mozilla.org has is being very poor at communicating. It is common that technically-knowledgeable people don't communicate well. It is common that even people who are especially socially capable make mistakes by communicating in a flawed way.
Another example of poor communication: Mozilla.org management did not handle communicating the
Re: (Score:2)
I do trust others more when it comes to CA and TLS, because I have not enough clue to what I am doing and so I might make it worse.
At some point you need to do a trade off between being able to do everything yourself and trusting other people. As long as you want to have a sane life.
This does not stop with IT security. Does not mean I trust anything blindly, but I often trust them more than myself.
The fact that you say "Yes, if it is your own CA, then TLS might be OK." and not that it is means you have the
"that have suffered data breaches" (Score:3)
Hmm, I don't think that's going to work. I mean, in this day and age, it'd be easier to maintain a list of sites that haven't suffered such!
Next step: totally unbiased fact checking built-in (Score:1)
When Mozilla starts annotating sites you visit, I wonder how long until they copy Google and automatically show totally unbiased and neutral "fact checkers" when you visit an offensive website? They already have their own ministry of truth initiative after all: https://blog.mozilla.org/blog/2017/08/08/mozilla-information-trust-initiative-building-movement-fight-misinformation-online/
I would like to be warned of session replay script (Score:2)
https://freedom-to-tinker.com/... [freedom-to-tinker.com]
I already have a script to do that... (Score:2)
It just throws up a warning icon and leaves it there regardless of what site I visit.
ANY site you allow to run client-side scripts should be assumed to be logging your activity. Any site you give personal information to should be assumed to be either selling it or at imminent risk of having it stolen. Or both.
That's not even paranoia, that's just common bloody sense; it's what financial self interest on the part of content providers and hackers leads to.
Corporate response should be amusing (Score:2)
They -HATE- having to report such incidents as it is and only do so because they have to.
Nothing like a glaring spotlight on your front door that says "Your personal information isn't safe with us" to help your customers feel at ease.
Maybe the List of Shame will motivate corporate folks to secure their networks and quit treating their IT / Network Security as an expense instead of an investment.
Maybe.
But I doubt it.
They'll just whine to Congress about how unfair it is that they're getting picked on and ho