back to article Firefox to warn users who visit p0wned sites

Mozilla developer Nihanth Subramanya has revealed the organisation's Firefox browser will soon warn users if they visit sites that have experienced data breaches that led to user credential leaks. A recently-released GitHub repo titled “Breach Alerts Prototype” revealed “a vehicle for prototyping basic UI and interaction flow …

Flame

Should fit right in

Giving users what they don't want is classic Mozilla, as are poorly thought through ideas implemented badly.

41
5
Anonymous Coward

'Giving users what they don't want is classic Mozilla'

Sadly agree! They're turning into Microsoft, but without any positive cashflow.... Bring back easy Javascript / Image 'Toggle' / 'Exception List' as per Chrome... Stop Cookies defaulting to 3rd Party. Stop the nanny-dialogs i.e. 'refreshing' Firefox. Add EFF Panopticlick browser-signature spoofing for Privacy. Add editable exception-list for websites that need full-screen, like YouTube etc.

22
0
Anonymous Coward

'Giving users what they don't want is classic Mozilla'

~~~~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~

Wish Firefox would just focus on the simple things

~~~~~~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~

#1. For family / friends etc... In the early days of Firefox [Tools -> Options Enable-Javascript / Show-Images] was easily available. However special interests at Mozilla obfuscated the Settings.. Why not instead add Javascript 'Website Exceptions' to Firefox.... We have this for Cookies. Why not extend that to Include JavaScript and Image 'Website Exception Lists' too.... Chrome offers this, so why not Firefox???

....Yes you can block it using Add-ons, but not if your work machine is locked-down, or there's many devices at home / away you're not responsible for. Plus, Add-ons can come with toxic baggage too, especially if the hosting site / distrib mechanism gets hacked etc. (ccleaner etc)

-

#2. ALWAYS accept 3rd party Cookies is the default when allowing cookies. Why do that, what's wrong with NEVER as a default? Can't think of any website that insists on explicit 3rd-Party-Cookies anymore to work (if they do dump them immediately). Where's the advantage to the End-User here, unless Mass-Tracking & Slurp is the goal... WTF Mozilla?

-

#3. I'd like to see 'about:config.javascript' etc shortcuts for toggling JavaScript etc. Having to Type 'pt.e' as a shortcut seems dumb. Same goes for toggling images etc. like having to set dom.image.srcset.enabled to FALSE after every install to block image loads, WTF???

-

#4. Please Mozilla remove nannying like 'Do you want to refresh Firefox'.

-

#5. Add editable exception-list for sites that need 'full-screen' like Youtube.

-

#6. Browser Spying & Tracking: Offer built-in 'EFF Panopticlick' option to prevent browser fingerprinting. (Sending fake Browser ID-strings / info to websites to mask real browser-version or OS-signatures). Similar to Privacy leveraging features like this:

21
1
Silver badge
Thumb Up

Re: Should fit right in

"Giving users what they don't want is classic Mozilla, as are poorly thought through ideas implemented badly."

definite thumbs-up on that comment. And you didn't even have to mention 'Australis' for us to know exactly what you meant.

13
1
Silver badge
Mushroom

Re: 'Giving users what they don't want is classic Mozilla'

"Bring back [snip featurelist]"

and ELIMINATE AUSTRALIS in all of its 2D FLATSO hamburger-menu forms

17
4
Silver badge

Re: 'Giving users what they don't want is classic Mozilla'

1 - There is a per-site image exception list. It's in Page Info.

1
0
Anonymous Coward

'There's a per-site image exception list. It's in Page Info.'

True, but correct me here: Its not as easy to use as Chrome's 'Exclusions List'. You have to load the page first before being able to disable images. Its not possible to lock down the browser in advance and after only re-enable what you actually want. Plus, the JS 'Exclusion List' is obviously a greater priority here, as images on many websites don't even load without JS!

6
0
Silver badge
Facepalm

There's only one thing worse that Mozilla's idea of what the punters want

And that's the misguided tech heads on here saying what they want and thinking that's what the punters want. An exception list for javascript sites? Yeah, my nan won't stop going on about that....

8
8
Silver badge
Flame

Re: 'Giving users what they don't want is classic Mozilla'

On the occasions I use my mobile to browse, the baked-in list of suggestions really fucking annoys me.

There are two sites I visit regularly which start with "n" (I'm lazy, so never type the "www." unless the site is so badly designed that it won't work without it). Neither of them is netflix. I have never visited netflix on any computer, let alone my mobile. Guess which site is suggested as soon as I type "n", forcing me to type at least one more letter. For one of those two sites, the second letter is "e", so guess which one doesn't appear in the URL bar unless I type a third letter (it does, however, appear near the top in the suggestions list, but that requires moving my finger further to activate).

If it were just that one site, I might not be so annoyed. But it's just about every site, even the ones I use regularly and frequently.

If the rankings of baked-in suggestions changed as I visited other sites, I could live with that. But the ranking never changes. It doesn't matter how many times I visit the other "n" sites, netflix is the first suggestion. It doesn't matter how many times I visit a "w" site, up pops fucking walmart (which I've never been to on any computer and have no intention of ever visiting). That's what changes it from being a useful feature (start out by offering popular sites and learn from what the user actually visits) to a piece of fucking stupid incompetent shit implemented by people who should be banned from ever designing a user interface.

13
0
Silver badge
Flame

Re: 'Giving users what they don't want is classic Mozilla'

Also let you have Classic GUI, build in NoScript and User agent (esp needed on Linux or Mac & Windows download links vanish on stupidly designed sites).

Disable URL guessing

Allow easy toggle to turn off Awesome to have URL only bar.

Fix all the blank pages that print before selected point on webpage.

Etc.

8
0
Anonymous Coward

Re: 'Giving users what they don't want is classic Mozilla'

>NoScript

Priority No1, give Giorgio Maone the API's he needs to re-implement Noscript in it's formerly glory as currently it's badly broken for FF57 and frankly an abomination.

9
0

Re: 'Giving users what they don't want is classic Mozilla'

are you saying there IS an 'EFF Panopticlick' option? (i.e. something which defeats the browser id attack) If so, I, for one would bite yer arm off for a link...

So far I've been to the 'EFF Panopticlick' page but other than the depressing evidence that I still haven't managed to defeat their identifier test, could see nothing that suggests solution or even mitigation...

1
0
Anonymous Coward

Re: 'Giving users what they don't want is classic Mozilla'

Amen. I've retired my Firefox Quantum w/Noscript until they come up with a usable system. FF has sunk to low single-digit market share, and this could knock it out. Mozilla's declining performance over the last two years should be a lesson to those who put political correctness ahead of merit when picking a CEO.

0
0
Silver badge

From the repo..

"This is an extension that I'm going to be using as a vehicle for prototyping basic UI and interaction flow for an upcoming feature in Firefox"

If it stayed as an extension almost no one would install it and no one would give a shit.

But no this is Mozilla - so it will be baked in bloat because Firefox users get what Mozilla wants not what Firefox users want. That and/or having crippled the framework for extensions in quantum it can no longer be implemented as one.

To avoid this loss of privacy in exchange for crap they don't want I expect users will have to dick around in about:config to disable it.

11
0

UI for alerts already exists?

I thought FF (and all browsers) already had a UI for alerts about this sort of thing:

1) Launch browser

2) Type something like "www.theregister.co.uk" or "data breach <company name>" into the URL/search bar.

3) Click on links that mention data breaches, etc.

2
0
Silver badge

Re: UI for alerts already exists?

That's Google's safe browsing list. They'd need something similar for haveibeenpwned.

But as it would show sites from years ago it'd be essentially useless as the average user doesn't understand what this means or what to do about it or if it's a problem any more, and a message box in Firefox isn't going to be educate them.

4
0

Re: Alternatives?

That involves the user stopping what they are doing and actively searching to check the site is safe. They then have to make an informed choice based on the results. With the exception of a small minority of security conscious people no one will do that. They just want to get on the internet to get their information, not go through hoops they don't understand anyway.

3
0

This post has been deleted by its author

Bronze badge

about:config

"To avoid this loss of privacy in exchange for crap they don't want I expect users will have to dick around in about:config to disable it."

I'm wondering if the next major release will have about:config removed as well.

18
0
Silver badge
Unhappy

Re: about:config

Please don't give them ideas.

15
0
Silver badge

Re: about:config

No matter, someone could do an add-on to bring it back... Oh.

1
0
Silver badge
Joke

Maybe

The default could be: "You've been hacked".

Just code the remaining 23 or so secure web sites as "OK".

12
0
Big Brother

Until we can breed more clueful users...

Look, I know it sounds stupid and obnoxious now, but I deal with people every day that think the way to go to a site is NOT to bookmark it or enter it into the address bar, but to search for it every time. I have told them time and time and time again not to, but they do. I deal with helping people whose brains shut down at the idea of free money and have only been lucky that I have stopped a pile of 419 scams against people I know. I have seen people with Flash, Java, and Firefox dating from the XP days in this TYOOL 2017.

Until we can reasonably expect users to take responsibility for what they do online, even accept that they even HAVE any responsibilities for a secure Internet, and that can actually prevent everything above the brainsteam from shutting down online then we need to start removing empowerment from their hands, and start automating steps like updates for the OS and apps, and forcing checks against sites. I don't much like it, granted, but I am accepting it has to be this way until human nature changes, sadly.

(Also, FWIW, I have said it before and will again, Troy Hunt is doing God's work...)

7
1
Silver badge
Unhappy

Re: Until we can breed more clueful users...

"I deal with people every day that think the way to go to a site is NOT to bookmark it or enter it into the address bar, but to search for it every time"

Being able to search through the address bar doesn't help educate the users either. It is very easy to get into bad habits and drop off the domain part of the name resulting in a search instead of an error. I know this can be disabled (or could before) but how many users even realise, let alone understand the difference, and potential problems that could be caused?

5
0
Silver badge

Re: Until we can breed more clueful users...

If you remove empowerment from their hands, people aren't going to magically learn on their own before you give it back to them. It just means there's no need to learn.

See parents or grandparents who are much more handy with a screwdriver and cavemen who look down on everyone else because they don't go out and kill their dinner.

8
0
Silver badge

Re: Until we can breed more clueful users...

"If you remove empowerment from their hands, people aren't going to magically learn on their own before you give it back to them. It just means there's no need to learn."

^ This.

Also, the sort of person who does stupid (searching for regularly visited sites instead of bookmarking* etc) is the sort of person who will develop a blind spot for notifications popped up by Firefox, and just click them away.

* Pet bloody hate - especially when they do that for important sites such as their bank. GAH!

6
0
Bronze badge

Re: Until we can breed more clueful users...

its still better than idoits like the Dartford crossing that put up signs saying "search for dartford crossing to pay the toll"

not go to www.gov.uk/dart-charge or https://www.gov.uk/pay-dartford-crossing-charge

Signage link below:-

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/image_data/file/33480/Dartford_signage.png

2
0
Silver badge

Re: Until we can breed more clueful users...

I deal with people every day that think the way to go to a site is NOT to bookmark it or enter it into the address bar, but to search for it every time.

There is a reason some people do that. It may even be a valid one.

The theory goes that the more people who use Google to search for a specific web site, the more popular that site becomes in the rankings. Therefore, going to your own website that way pushes it up (even if ever-so-slightly) in the rankings.

Even if that theory is correct (I'm not saying it is), most people search for web sites that way because they're clueless idiots.

1
0

Re: Until we can breed more clueful users...

@EnviableOne I think that's done to stop the dimwits slamming the brakes on to stop and write down the URL. Lesser of two evils.

0
0
Mushroom

Re: Until we can breed more clueful users...

Don't even get me started on the browser cancer that is removing part of the URL from display. One of the stupid bass-turds even removes a leading "www.", regardless of whether the result will work, and only copying the URL will get you the actual thing, protocol and full server name.

Eh, where's my pills…

1
0

Dumb idea

All this does is make it even more appealing for a company to keep quiet about any possible data breaches. And that's just the thing you don't want, because transparency can actually help others from protecting themselves.

Another problem I have with this is that Mozilla is basically placing the 'blame' on the website owner. But sometimes that simply isn't the case. Then what?

How does this work when an ISP had a databreach and you're visiting a website from a user of said ISP (so: they're also hosting the site with that ISP)?

3
0
Alert

As long as I can disable it

I don't want to send every single website I visit to Firefox or HavIbeenPwned. For that same reason I disable similar protections on Chrome and also site prediction features.

I get that many of the population don't know or care how much data they give different companies for these kind of features to workand this may be of use to them, but let me disable it.

As for storing info, some of the previous database searching sites similar to HaveIbeenPwned, have been pwned and had all the database stolen. Ie, the big exploit.in mentioned on Troys site. So having all the info in one place...it's going to hacked eventually.

3
0

Maybe not terrible

This doesn't have to be done in a privacy-violating way. It could just query a server for a list of recently compromised sites each time you start it/daily or whatever and then alert you if you visit one on the list, rather than checking each site you visit individually. Checking each site separately would be bad from a speed standpoint too, and Firefox is all about speed now...

4
0
Silver badge
Facepalm

Re: Maybe not terrible

Yes, but that would be the sane way. Wanna bet that's not what they are going to do...?

0
0

This post has been deleted by a moderator

Anonymous Coward

> I do appreciate these Firefox features, but I just can't stand the bookmark manager.

Because the poor sods are too busy bloating up what used to be a browser with "cool" stuff to actually give a shit about any of the hundreds of bugs related to the bookmarks manager that have been languishing in their bug tracker since... well, since when Bugzilla was the state of the art.

0
0
JLV
Silver badge
Happy

Good thing I've already sold off Yahoo...

signed: Fake Marissa Mayer

0
0
Bronze badge

Nice to see Mozilla setting themselves up as internet vigilantes to decide what sites we can visit. Because we all know how well internet vigilantism works out.

0
1
Anonymous Coward

... but also have built in telemetry

ROFL!

But they don't care to sell you by hardcode the most famous fullshit generator called "facebook" into the new browser. They want to pwn you themself to earn money. They sold their soul.

0
0
Anonymous Coward

Who hasn't been hacked?

They'd have to start their list with the NSA and work down from there. It might be easier to make a list of those who haven't reported being hacked yet.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018