Comments on: San Diego Firefox party http://www.squarefree.com/2006/10/28/san-diego-firefox-party/ Jesse Ruderman on Firefox, security, and more Thu, 20 Nov 2008 09:54:05 +0000 http://wordpress.org/?v=2.5 By: Lawrence Eng http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2752 Lawrence Eng Tue, 31 Oct 2006 01:10:01 +0000 http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2752 Hey Jesse, thanks for the mention. Here's some more info and discussion regarding our fraud protection feature, currently only available in the latest weekly build of Opera: http://my.opera.com/desktopteam/blog/2006/10/17/opera-9-1-includes-fraud-protection I also blogged about the party here: http://my.opera.com/Lawmune/blog/2006/10/31/firefox-party See you around! Hey Jesse, thanks for the mention. Here’s some more info and discussion regarding our fraud protection feature, currently only available in the latest weekly build of Opera: http://my.opera.com/desktopteam/blog/2006/10/17/opera-9-1-includes-fraud-protection

I also blogged about the party here: http://my.opera.com/Lawmune/blog/2006/10/31/firefox-party

See you around!

]]> By: Jesse Ruderman http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2750 Jesse Ruderman Sun, 29 Oct 2006 12:16:12 +0000 http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2750 Or visiting any geocities page could give you a geocities-specific blacklist. That way, I only have to download the pieces of the blacklist that are relevant. Or visiting any geocities page could give you a geocities-specific blacklist. That way, I only have to download the pieces of the blacklist that are relevant.

]]> By: Dao http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2748 Dao Sun, 29 Oct 2006 11:11:01 +0000 http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2748 I guess they hash the entire URL, which means every single page would have to be reported. I thought that's good enough. It could be improved by doing a remote check *and* using a local black list, so geocities.com/phisher/* could be part of that. I guess they hash the entire URL, which means every single page would have to be reported. I thought that’s good enough. It could be improved by doing a remote check *and* using a local black list, so geocities.com/phisher/* could be part of that.

]]> By: Jesse Ruderman http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2745 Jesse Ruderman Sun, 29 Oct 2006 09:35:32 +0000 http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2745 Yes, a phisher could easily have a bunch of pages under http://www.geocities.com/phisher/ and they'd all hash to different values. So Opera would have to block all of Geocities or none of it. Unless Opera was clever enough to hash each directory prefix of the URL, but it sounds to me like the entire URL is hashed. Yes, a phisher could easily have a bunch of pages under http://www.geocities.com/phisher/ and they’d all hash to different values. So Opera would have to block all of Geocities or none of it. Unless Opera was clever enough to hash each directory prefix of the URL, but it sounds to me like the entire URL is hashed.

]]> By: Dao http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2743 Dao Sun, 29 Oct 2006 09:18:48 +0000 http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2743 In the end, encrypted data is intended to be decrypted. So if you don't trust your service provider to respect your privacy completely, that's not really what you want. I think hashing isn't only nice but even better than encryption. Re Geocities, what particular problem do you see? Could a phishing site have varying URLs and thus varying hashes? Or could multiple sites share a hash value? In the end, encrypted data is intended to be decrypted. So if you don’t trust your service provider to respect your privacy completely, that’s not really what you want. I think hashing isn’t only nice but even better than encryption.
Re Geocities, what particular problem do you see? Could a phishing site have varying URLs and thus varying hashes? Or could multiple sites share a hash value?

]]> By: Jesse Ruderman http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2742 Jesse Ruderman Sun, 29 Oct 2006 02:26:30 +0000 http://www.squarefree.com/2006/10/28/san-diego-firefox-party/#comment-2742 Dao, I see how that's nice if you have a "secret URL" on your local or https site and don't want to bother with encryption, but doesn't it make it hard to protect against Geocities-hosted phishing sites? Dao, I see how that’s nice if you have a “secret URL” on your local or https site and don’t want to bother with encryption, but doesn’t it make it hard to protect against Geocities-hosted phishing sites?

]]>