
Enhancing Download Protection in Firefox - ehPReth
https://blog.mozilla.org/security/2016/08/01/enhancing-download-protection-in-firefox/
======
elcapitan
> The second category, uncommon downloads, covers downloads which may not be
> malicious or unwanted but that are simply not commonly downloaded.

> it is possible that you have been tricked into downloading a malicious file
> from a phishing site which has not yet been identified as such by the Google
> Safe Browsing service.

Does this mean that sites that have some kind of personalized downloads or
downloads that are created on the fly (like generated PDFs for example, or
watermarked content) will always create a warning for the user on download?

~~~
TD-Linux
This only applies to executables I think, as I've never seen the warning on
Firefox Nightly.

~~~
creshal
Still something I'd consider an anti-feature, as it both punishes small
software authors/projects and creates confusion on new releases even for
bigger projects.

~~~
r1ch
Browser security and anti-malware in general is increasingly a nightmare for
small ISVs that release software that does anything remotely suspicious (eg
DLL injection).

As a personal anecdote, my website has been blacklisted multiple times by
safebrowsing, downloads have been blocked as "XXX is malicious", multiple AV
products have found "malware" in a program that's never even been released
before, etc. I have to email 10-20 different anti-virus companies with samples
every release and then deal with the ones who want it in a different format or
submitted through a web portal instead.

Then we have the problem that contacting any human about safebrowsing false
positives is nigh impossible. Take a look at the report right now -
[https://www.google.com/transparencyreport/safebrowsing/diagn...](https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=r1ch.net)
\- "Some pages on this website send visitors to dangerous websites. Some pages
on this website install malware on visitors' computers." yet it says "Current
status: Not dangerous". And Webmaster tools can't seem to find anything
specific: [http://i.imgur.com/HzT8xfC.png](http://i.imgur.com/HzT8xfC.png)

~~~
Hupriene
Given that google has proven pretty indifferent to who its robots run over,
one wonders why we should trust them to build self driving cars.

------
AdmiralAsshat
I can see this being useful to the average user who is encouraged to download
"video.mp4" from Popular-File-Upload-Site, but thanks to a dark pattern on the
website, is presented with a "video.exe" download instead.

------
saynsedit
Of course, if you're running Windows 10 and trying to avoid spyware, it's
already too late.

~~~
LeoPanthera
I don't much like it either, but there's no need to inject anti-Windows
propaganda into every single post about everything.

~~~
saynsedit
There is nothing "anti-Windows" about my post. It isn't a biased take, it's
not propaganda, it's just fact.

There is somewhat of a logical inconsistency in trying to avoid spyware on
Windows 10 that is hopefully explained by lack of knowledge. The purpose of my
post is to inform. Not everyone is aware.

[http://www.networkworld.com/article/2956574/microsoft-
subnet...](http://www.networkworld.com/article/2956574/microsoft-
subnet/windows-10-privacy-spyware-settings-user-agreement.html)

------
currywurst
The one thing I've always wanted is for the browser to automatically verify
the file hash if it is provided on the download page .. Any plans in this
direction, Mozilla ?

~~~
the_mitsuhiko
What would be the point in that? Security it is not.

~~~
currywurst
Ensuring the integrity of the download (especially when served from mirrors)
is not valuable? [No snark .. just genuinely curious]

------
lewisl9029
Is it possible to whitelist certain domains from the safe browsing feature in
Firefox?

One of the sites I frequent has all their torrents marked by safe browsing as
malware (mistakenly AFAIK), so ideally I'd like to whitelist that one site
without opting out of the feature entirely.

~~~
gcp
Not possible. Normal torrent sites work fine and aren't marked, so that's
weird. You do get the occasional blacklisting for ads that inject malware.
Maybe you're not seeing them due to an Adblocker?

------
awqrre
I always disable the "Block reported attack sites" and "Block reported web
forgeries" protections in the settings... I don't need my browsing history to
be sent to yet someone else...

~~~
jonchang
But these features don't send your browsing history anywhere. The Firefox safe
browsing service downloads a list of bad URLs in form of hashed prefixes from
the Google service. Then every page you visit is compared against the
downloaded list (offline). If there's a match, Firefox sends the hashed prefix
up to Google and downloads a list of all full URLs that match that hashed
prefix. There's another offline comparison and if the web page you are
visiting still matches, then the page is blocked and the phishing/malware
warning is shown. At no point is an actual URL sent to Google or anyone else.

[https://developers.google.com/safe-browsing/v4/update-
api](https://developers.google.com/safe-browsing/v4/update-api)

~~~
jlgaddis
Honest questions:

How could they say "This file is not commonly downloaded" without knowing how
often it is downloaded?

If they know how often files are downloaded, where are they receiving that
information from?

~~~
niftich
Microsoft introduced a similar feature in 2010. In that scheme, "file
identifier" and the signature, if the application is signed, is sent to a
cloud service [1][2][3]. Therefore they can track attempts for downloads,
without having to know the URL itself.

[1] [https://blogs.msdn.microsoft.com/ie/2010/10/13/stranger-
dang...](https://blogs.msdn.microsoft.com/ie/2010/10/13/stranger-danger-
introducing-smartscreen-application-reputation/)

[2]
[https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/ever...](https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/everything-
you-need-to-know-about-authenticode-code-signing/)

[3]
[https://blogs.msdn.microsoft.com/ie/2011/03/22/smartscreen-a...](https://blogs.msdn.microsoft.com/ie/2011/03/22/smartscreen-
application-reputation-building-reputation/)

------
zymhan
I wonder how they're gathering that information and using it to alert the
user. Is it a checksum of the file that Firefox is comparing to a central
database? Or is the check entirely client-side?

~~~
gcp
[https://wiki.mozilla.org/Security/Application_Reputation](https://wiki.mozilla.org/Security/Application_Reputation)

[https://wiki.mozilla.org/Security/Features/Application_Reput...](https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc)

Local database with whitelists and blacklists, file signature inspection, and
remote lookup for files with unknown, unsigned binaries in them.

------
lawl
Yay, another shitty feature to disable in about:config.

Signature based systems are still useless. And you send more data to google!

(Yes, yes they probably download lists and don't directly send the hash. The
lists are most likely still sharded enough to get an idea, as it is with the
regular safe browsing crap)

~~~
JohnTHaller
Useless? Except that they aren't. Because the vast majority of users are only
ever downloading very popular things which have already been scanned and
confirmed safe. We're edge cases.

