
Launch HN: Apozy (YC W17) – Use browsing habits to stop phishing and spot breaches - rickdeaconx
Hey all,

I’m Rick, the founder of Apozy. We’re a YC-backed company in the current batch and we’ve created a browser extension that stops people from getting hacked by things like phishing and malware. We’re excited to get your feedback, hear your ideas, and answer questions!

I’ve been a hacker and penetration tester for 10 years. I started out by poking around people’s computers in 7th grade, then moved to poking SQL databases behind forms around high school. I eventually wrote a talk about session hijacking on MySpace in 2007 and was absolutely beyond horrified to stand in front of a bunch of people and pretend I knew WTF I was doing.

Soon after, I was hacking Fortune 500 companies at a few consulting firms and decided that phishing was a _way_ bigger problem than people really knew at the time. That ended up being right, considering it’s now the most successful attack vector for breaching companies. I wanted to change the way people solved this problem and that’s how Apozy was born. I introduced the idea to my now cofounder, Erhan, and he was on board almost immediately. Erhan was the best developer I knew, had run a development firm in the past and was a hacker by hobby.

Fast forward to today: we’re busy building our solution to next-gen attacks. Apozy’s browser extension immunizes you against phishing and malware attacks. Phishing is out of control--1 in 3 companies fall victim to CEO fraud emails alone--and the current approach of blacklisting sites can’t keep up. Instead, Apozy analyzes your browsing habits to stop you from entering data into suspicious sites that don’t fit your usage patterns. We also aim to protect privacy by providing objective site privacy ratings, stopping trackers, and upgrading connections to HTTPS.

Apozy is currently free to download on the Chrome store and soon will be on Firefox.

To check out Apozy, you can visit our site at https://www.apozy.com or head over to the Chrome store at https://chrome.google.com/webstore/detail/apozy-trusted-browsing/akgjbibhebefdjbebhpmknohhojhppeb.
======
koolba
Does this send the user's entire browsing history to Apozy?

If so, what bits are you sending? Just the top level domain, just FQDN, entire
URL, or are you tracking engagement time on websites as well? How long will
you maintain, or plan to maintain, the user's browsing history?

Any plans on monetizing the consumer end of this to build a profile of where
the users are spending their time?

~~~
rickdeaconx
There is no data collection by default. Everything is opt-in. The only
information we communicate is what you opt into. The browser history stays in
your browser and is not sent to Apozy.

If you're opted into privacy scoring it sends only the FQDN of the current
site to our service. We conduct privacy scoring on the server side because it
would slow down the browser otherwise. If you're opted into community
protection, CSP violations are sent with the URL. This allows us to detect
undiscovered malicious sites and share them back to the community.
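The community-protection path described above sends CSP violation reports along with a URL. As an added example (not Apozy's code), here is how a client could normalise the standard CSP `report-uri` JSON body down to the minimum worth sharing, dropping query strings, fragments and page-local violations (inline/eval) so that session tokens and other per-user data never leave the browser; the sample report is constructed for this example.

```javascript
// Constructed sample of a browser CSP violation report body (report-uri format).
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://shop.example.net/checkout?session=abc123#step2",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'",
    "blocked-uri": "https://cdn.unrelated.test/inject.js?token=secret",
    "status-code": 200,
  },
});

// Keep only scheme, host and path of a URL. Returns null for anything that is
// not http(s): CSP reports use bare words such as "inline", "eval" or "data"
// for non-network violations, and those carry no site to share.
function minimiseUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return `${u.protocol}//${u.hostname}${u.pathname}`;
}

// Parse a CSP report body and return the minimal record, or null when the
// report is malformed or describes a page-local violation.
function extractViolation(body) {
  let report;
  try { report = JSON.parse(body)["csp-report"]; } catch { return null; }
  if (!report || typeof report !== "object") return null;
  const page = minimiseUrl(report["document-uri"]);
  const blocked = minimiseUrl(report["blocked-uri"]);
  if (!page || !blocked) return null;
  return {
    page,
    blocked,
    directive: report["effective-directive"] || report["violated-directive"] || "unknown",
  };
}
```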

Currently we have no plan to share any information to monetize on the consumer
end. We make money by enabling businesses to control fine-grained permissions on
corporate rollouts.

~~~
koolba
> There is no data collection by default. Everything is opt-in. The only
> information we communicate is what you opt into. The browser history stays
> in your browser and is not sent to Apozy.

Maybe I'm not getting how this works, but how can a service like this function
without sending the URL (or FQDN etc) to a remote service? It's too much data
to have the entire map of all servers on the internet bundled locally
(probably a pain to update too...). That said, what does it mean to use this
plugin but not opt in? Is that possible, or are you referring to users opting in
as part of the install?

~~~
rickdeaconx
We don't need to send any information to our service to protect you from bad
sites because that is handled locally. The browser history already exists so
the load on your machine is the same with or without Apozy. We use the headers
to make it efficient for a large number of sites - 1M+

Using the extension without opting in means you don't see site privacy grades
but you're still protected using a Trust on First Use model of security
created with your browsing history.
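The Trust on First Use model described above, as an added example that is not Apozy's code: a trust model is built from entries shaped like Chrome's `chrome.history` results, and a credential submission is checked against it. The sample history and the visit threshold are constructed assumptions; an empty history (the "nuke everything on close" case raised in the thread) yields a warning for every site until the model is primed.

```javascript
// Constructed sample history, shaped like chrome.history.HistoryItem objects.
const SAMPLE_HISTORY = [
  { url: "https://mail.example.com/inbox", visitCount: 120, lastVisitTime: 1700000000000 },
  { url: "https://bank.example.com/login", visitCount: 15, lastVisitTime: 1700000100000 },
  { url: "https://news.example.org/", visitCount: 3, lastVisitTime: 1700000200000 },
];

// Aggregate history into a map of hostname -> total visit count. Everything
// stays local; nothing here needs a round trip to a server.
function buildTrustModel(history) {
  const model = new Map();
  for (const item of history) {
    let host;
    try { host = new URL(item.url).hostname.toLowerCase(); } catch { continue; }
    model.set(host, (model.get(host) || 0) + (item.visitCount || 1));
  }
  return model;
}

// Decide whether entering credentials on pageUrl fits the user's habits.
// minVisits is an assumed threshold for treating a host as established.
function assessSubmission(model, pageUrl, minVisits = 2) {
  let host;
  try { host = new URL(pageUrl).hostname.toLowerCase(); } catch {
    return { decision: "warn", reason: "unparseable URL" };
  }
  if (model.size === 0) {
    // No history to compare against: every site is "first use", so the
    // user has to prime the model before the check becomes selective.
    return { decision: "warn", reason: "no browsing model yet" };
  }
  const visits = model.get(host) || 0;
  if (visits >= minVisits) return { decision: "allow", reason: `seen ${visits} times` };
  return { decision: "warn", reason: visits ? "seen only once" : "never visited before" };
}
```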

~~~
koolba
> We don't need to send any information to our service to protect you from bad
> sites because that is handled locally. The browser history already exists so
> the load on your machine is the same with or without Apozy. We use the
> headers to make it efficient for a large number of sites - 1M+

Okay so the local version is comparing the user's current page vs. the sites
they've gone to prior? And if it seems off based on some heuristics it flags
the page. Interesting idea.

Wouldn't work for me though as I have my browser set to nuke everything each
time it's closed.

> Using the extension without opting in means you don't see site privacy
> grades but you're still protected using a Trust on First Use model of
> security created with your browsing history.

I originally thought it was just this piece which would need _some_ type of
client / server interaction to either fetch the "bad lists" or send the
current URL/FQDN for validation.

~~~
uzay
> Wouldn't work for me though as I have my browser set to nuke everything each
> time it's closed.

If you don't nuke your local storage, it should still work. I do suspect it
may be more annoying without any browser history to go on because there's no
model built, so you have to 'prime the pump' a little more than a user who has
history would have to.

-Erhan

~~~
tptacek
Are you storing a shadow browser history in localStorage?

~~~
koolba
I would imagine it's either that or they're somehow querying localStorage for
the existence of any data for a given domain to indicate that you've been
there before (which obviously wouldn't work for sites that don't use
localStorage).

------
Mandatum
> 1 in 3 companies fall victim to CEO fraud emails alone

Citation needed. I'm sure the number will look like that at companies who open
and forward the email, doubt it's that high off the cuff.

------
hellcow
Hey Rick -- sounds like an elegant solution to a huge problem. Are browsing
habits transmitted in any way to your servers, or are they analyzed locally?

~~~
rickdeaconx
Browsing habits are analyzed locally. We only collect data if privacy grades
or community protection is enabled via opting in. For those features we only
collect the bare minimum to conduct analysis and the dataset is anonymous.

~~~
eganist
For corporate use -- does this discount the bill?

~~~
rickdeaconx
Community features allow us to improve the product across the board and we
would take that into account. :)

------
ben_jones
Do you have the statistics for browser usage at enterprise companies?
Obviously you don't support everything yet but I imagine the money in info sec
is all up enterprise/micro$oft. Curious what comes after the browser
extension.

~~~
rickdeaconx
MS definitely has a hold of the market but it's changing pretty rapidly. We
have big plans!

------
nikunjk
Genius idea. I just installed it! What are some things coming down the
pipeline?

~~~
rickdeaconx
Thanks! We're working on device support across the board, improved privacy
scoring, and toying with the idea of adding Google's Perspective -
[https://www.perspectiveapi.com](https://www.perspectiveapi.com).

~~~
Cowicide
Apple Safari support in the future? Also, if I'm using a self-updating malware
blocklist within extensions such as Adblock Plus, how would Apozy do better
than that to prevent phishing?

~~~
rickdeaconx
Safari will definitely be up soon.

The reason why we're better at that than an AdBlock is because we use a
whitelist approach. When using a whitelist, all the newest sites and attacks
are blocked by default. AdBlock will always be slightly behind on that.
Additionally, AdBlock won't protect you from inputting your credentials into a
phishing site if you somehow end up on a bad site. As a side benefit, since we
don't scan the DOM, we don't slow anything down!

------
Eridrus
Is this still useful without a solution that works on mobile?

~~~
rickdeaconx
We'll be launching a mobile version for FF + Android soon. We agree, mobile is
a place where this can also help immensely.

~~~
Eridrus
Not super clear from your post: is it a version that works on FF on Android,
or one version that works on FF and one version that works on Android in
general?

~~~
problems
I'm assuming FF for Android because it's the only browser on the market with
decent extension support to my knowledge.

------
bijection
Neat idea!

What representation are you using for each site (i.e. a sparse vector, full
text, etc.)? How do you compare newly visited sites to old ones?

~~~
rickdeaconx
Site comparison is done natively using Chrome's history APIs. As far as
representations for each site, we don't need to scan the DOM because our
extension relies on native sandboxing via CSP headers.

------
lumpio
Phishing is not hacking.