Firefox hooks up with HaveIBeenPwned for account pwnage probe

Firefox has started testing an easier way for users to check whether they're using an online service that has been hacked, through integration with Troy Hunt's HaveIBeenPwned database. The hookup will work like this: part of a user's email address is hashed, and this hash is used to check if the address appears in …

  1. cbars

    "WebExtensions can now hide tabs"

    Hide tabs? Why would you do this? Doesn't bookmarking work?

    Can someone more knowledgeable than I please explain why you would hide a webpage, other than to run a malicious cryptocoin miner and prevent the user from finding it....?

    1. tony72

      Re: "WebExtensions can now hide tabs"

      The example given on the Mozilla blog; "Sometimes you’re listening to music in a tab, but you don’t really want that tab taking up space as you browse the web.". Sounds reasonable to an extent, although I can't think of too many other use-cases. And when I'm listening to TuneIn Radio on the desktop, I open it in a separate window and minimize that, hence no unnecessary tab in the window I'm browsing in, so even that use-case is sketchy. But I'm sure more creative minds will think up some ways to use the feature.

      1. cbars

        Re: "WebExtensions can now hide tabs"

        Being unhappy about an extra tab sounds a bit OCD considering most browsers are happy to have 10s or 100s of tabs open and scrollable. Hiding a music tab..... OK, so when I want to pause the music, or skip track, how will the web extension "unhide" the tab, or do you have to go off into the settings menu - find "hidden tabs", "unhide tab" then navigate to it.....

        I don't want to sound harsh as I'm sure the devs are really happy with this new functionality, but this sounds like a terrible idea. Well, at least a solution looking for a problem

        1. DropBear Silver badge

          Re: "WebExtensions can now hide tabs"

          "happy technically capable to have 10s or 100s of tabs open" sounds more like it; I have FF set to "don't load inactive tabs" and it still looks like it's downloading the Internet for a while each time it starts up, visibly going through immense effort constructing the tabs that aren't supposed to be anything other than a literal set of tabs on top of a single window. And that's a quad core on an SSD (which FF is killing at a brisk pace btw. by virtue of infinity NAND writes each day)...

  2. cbars

    on the other hand

    On a more positive note, the HIBP integration sounds well thought out and 'generally a good thing'(TM)

  3. lansalot

    handy..

    But here's a crazy idea - all browser manufacturers, why not integrate with VirusTotal as well?

    You're downloading the file, calculate the checksum as you're doing so, and at the end - submit it to VirusTotal to see if it's in their database. Present warnings accordingly.

    1. Solarflare

      Re: handy..

      Because of the amount of hot water they would get in if a confidential document was uploaded to Virustotal as an automatic action by a browser. The lawyers would love it.

      1. Martin Summers Silver badge

        Re: handy..

        "Because of the amount of hot water they would get in if a confidential document was uploaded to Virustotal as an automatic action by a browser. The lawyers would love it."

        He's not suggesting that. He's suggesting comparing the checksum created by the browser for the file just downloaded to checksums of known dodgy files held in an AV provider's database. No uploading of actual files necessary.

    2. DropBear Silver badge

      Re: handy..

      Because it's not worth the effort for all of the five files in existence that the VirusTotal collective of scanners unanimously finds clean. Everything else gets flagged by at least three of them, and that occasionally gives pause even to the more seasoned players never mind how confused Joe Bloggs would become...

      1. Lee D Silver badge

        Re: handy..

        Virus scanners are also REALLY easy to evade.

        Take anything from your inbox, even years old, that's malware.

        Change the JavaScript / whatever around a bit, to produce pretty much identical code but breaking the existing signature (usually, the lines nearest the "exploit vector" itself are most heavily detected - jumble them up and introduce some intermediate variables, etc.). Upload to VirusTotal. Watch it sail through every commercial antivirus in the world, while still capable of performing a (years old) exploit.

        What things like VirusTotal show you is that anything can be a virus, and also that even the things that packages think are viruses aren't necessarily (e.g. an awful lot of apps are detected as "malware"... everything from sysinternals tools to scripts from Microsoft's own knowledgebase. Because they have been, or could be, used maliciously).

        I'm fairly sure I could knock up a self-replicating drive-wiping virus in a few hours. A bit of tweaking and I bet I could get it past VirusTotal with a clean slate. Should it ever run rampant, and end up on the signatures list, I could make a variation in minutes that would slip past the same scanners again.

        Generally speaking, I'm the one telling Sophos that something that came into work is a virus, not the other way around.

        And there are private and manufacturer-supported tools that do exactly this - have a VirusTotal-like equivalent sandbox for people to check their apps aren't going to be blocked on release, to submit and test things that might flag, etc. And you can guarantee that the bad guys have the exact same services available to themselves (hey, they don't even need to worry about licensing the antivirus, do they, really?).

        The number of actual malware websites is pitifully tiny, and obvious the second you hit them. Any modern browser is defended by "Don't hit download and then run the program it downloads". The browser DOM does more than antivirus, or low-privilege sandboxing setup programs, ever did.

        Though it could be helpful, there are browser extensions that do just what you say already. But it's a false sense of security. A VirusTotal check will happily let you download all kinds of crap, but will stop you getting basic admin tools off microsoft.com and things like that.

    3. Anonymous Coward

      Re: handy..

      Biggest reason I see with that is cost. Virus Total isn't free to use at that scale and I don't see everyone signing up for an account at scale.

  4. Lee D Silver badge

    Stop using just one email address for everything, the same way you should stop using one password for everything.

    I can't look up my details on that site because I own the whole domain, and I have thousands of unique email addresses at that domain.

    And it's really easy if your details are compromised then - even if you have a complete email and password, that combination won't work on ANY OTHER WEBSITE. Even if you get smart and think "Ah, maybe he uses otherbankname@hisdomain.com with the same password". And I can literally just turn off an email that was used without my permission (e.g. signed up for spam) without affecting any other service.

    1. Anonymous Coward

      "Stop using just one email address for everything, the same way you should stop using one password for everything."

      Not an option for the vast majority of the public though. Buying a domain and setting up a wildcard redirect is beyond the knowledge/skillset of the vast majority of the population (certainly those I come into contact with...)

    2. groovyf

      "I can't look up my details on that site because I own the whole domain, and I have thousands of unique email addresses at that domain."

      ...you can, you just need to use the "Domain search" option at the top of the page.

      https://haveibeenpwned.com/DomainSearch

      1. Lee D Silver badge

        Never used to be an option, because you'd need to do the domain verification (otherwise someone could just request @gmail.com). Now they have domain verification, though, it seems.

        1. Lee D Silver badge

          Breaches — 41 emails found.

          Three of which contain an email address that I know to be a service I signed up for (all of which were spammed to oblivion years ago so they were made public before this service even existed). All of which are blocked at my mailservers with a "This email address was distributed without permission, all emails blocked" message. All of them were "give us an email to register" style emails, so nothing of value there, where some employee later sold on the list of emails presumably (one of them that I know for sure was theft of emails by a "former employee" of the company I gave that email and spammed to try to drum up business for their related spin-off...).

          Five of which are my "You don't need a real email" nonsense emails "johnsmith@" etc. before I started tying them to the services I had given that address to. They've been spammed to oblivion for years, and could have come from anywhere but certainly don't have any passwords associated with them.

          The rest are all made-up, poorly-copied/pasted (e.g. "ohnsmith@" etc.) or just plain nonsense that never existed ("junk_maildd") and seem to have been culled from spam people try to falsely send with my domain as a "from" (I'm SPF'd up but lots of people don't care and I still get bouncebacks).

          Ironically, among the list are:

          - LinkedIn

          - Adobe/Macromedia

          - Disqus

          "compromised" emails... which is strange because the emails listed are junk and nothing to do with me, and I have real accounts for those that *aren't* listed, all of them far pre-dating the so-called exposure of the compromised lists.

          I'm not at all convinced about the utility of this service.

  5. Anonymous Coward

    On Waterfox "restored session" - previously paused YouTube tabs start playing again if you select the tab.

    It is going to be annoying if they do that if the pointer happens to move over the tab. Will Waterfox inherit this new feature?

  6. jMcPhee

    Oh Goodie

    More bloat and other junk in Firefox. Someone was just saying the other day "Oh look, FF isn't running slow enough. Why can't someone fix that."

    1. phuzz Silver badge

      Re: Oh Goodie

      Since they dumped the old extension tech in FF57, Firefox has been using less CPU and memory. Last time I checked it was using quite a bit less memory than Chrome for the same bunch of tabs, but that was about a year ago, I should probably test again.

      Or I could just hold an opinion based on no data whatsoever like you I suppose, this is the internet after all.

    2. Doctor Evil

      Re: Oh Goodie

      "Oh look, FF isn't running slow enough."

      I essentially abandoned the ESR stream at about v52.3, finding it bog-slow with multiple tabs/windows, and simply reverted to v50 with updates turned off. I rechecked periodically but found no improvement -- until now, when I tried v52.9.0 ESR and found that to be a huge improvement over its predecessors. It's crisp and snappy again (with all the same add-ons/plugins) and I haven't seen the slowdowns in startup and page-rendering I used to.

      Well done, Firefox developers! Seriously.

  7. Anonymous South African Coward Silver badge

    "WebExtensions can now hide tabs as well as manage the behavior of the browser when a tab is opened or closed, so you can expect to see exciting new ...

    ...rickrolling features to pop up all over the place".

  8. adam payne Silver badge

    Another new feature is called "WebExtension Tab Management" and will mean that "WebExtensions can now hide tabs as well as manage the behavior of the browser when a tab is opened or closed, so you can expect to see exciting new extensions that take advantage of these features in the near future."

    I can see it now malware hiding tabs and reopening tabs you've closed.

    Hope this feature is very secure or at least can be disabled.

  9. Andraž 'ruskie' Levstik

    So glad I dumped firefox ages ago. Really don't like it sending anything to a third party website when I want to create stuff.

  10. anothercynic Silver badge

    HIBP extension

    1Password already uses k-anonymity and it's a good thing.

    I would love to see more systems use this, purely to make things safer/better. I trust Troy Hunt more than other people... he's always been upfront and honest about what he does, and Cloudflare's been kind to him since it seems they both are on the same moral compass direction...
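The k-anonymity lookup mentioned above, and the partial-hash check the article excerpt describes, as an added example that is not part of this thread or of HIBP's, 1Password's or Firefox's own code. It assumes the Pwned Passwords convention (SHA-1, a 5-hex-character prefix sent to the server, suffixes compared locally); `BreachServer`, `check_pwned` and the sample addresses are constructed for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # assumption: 5 hex chars, as in the Pwned Passwords range API


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1 of a UTF-8 string (the digest convention assumed here)."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Split a 40-char hex digest into the prefix that is sent and the suffix that stays local."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


class BreachServer:
    """Constructed stand-in for the breach database. It stores hashes only and
    answers a range query with every suffix sharing the requested prefix, so it
    never learns which of those suffixes the client actually holds."""

    def __init__(self, leaked_values):
        self._ranges = defaultdict(dict)  # prefix -> {suffix: occurrence count}
        for value in leaked_values:
            prefix, suffix = split_hash(sha1_hex(value))
            self._ranges[prefix][suffix] = self._ranges[prefix].get(suffix, 0) + 1

    def range_query(self, prefix: str) -> dict:
        # An unknown prefix yields an empty range, not an error, so the response
        # shape reveals nothing beyond the suffixes themselves.
        return dict(self._ranges.get(prefix, {}))


def check_pwned(server: BreachServer, secret: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home.
    Returns how many times the value appeared in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(secret))
    candidates = server.range_query(prefix)  # `prefix` is the only thing transmitted
    return candidates.get(suffix, 0)


if __name__ == "__main__":
    # Constructed sample corpus; one address appears twice to show counting.
    corpus = ["alice@example.com", "bob@example.com", "alice@example.com"]
    server = BreachServer(corpus)
    for addr in ["alice@example.com", "carol@example.com"]:
        print(addr, "->", check_pwned(server, addr))
```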

  11. onefang Silver badge

    Make managing search engines easier? I set them up once, long ago, no need to manage them any more since then. Does anybody manage their search engines often enough for this to be a useful feature?

    1. DiViDeD Silver badge

      Managing your search engines

      I only ever use DuckDuckGo. I believe they have their own management team. What would I be expected to 'manage' with this exciting new feature?

      Just afraid of missing out on the fun, really.

  12. Anonymous Coward

    Ah, another "partnership"

    "Firefox has started testing an easier way for users to check whether they're using a leaked password"

    As an optional plugin this time around, I would like to think.

  13. DougS Silver badge

    I'm sure I've been pwned

    I've been using the same email / password combo for at least 15 years to a ton of sites that I consider throwaway and not worth anyone exploiting - the Reg included. So what if someone can log in as me to various web boards, or shopping sites where I can pay via Paypal so I don't have to worry about them saving credit card info, and so forth?

    Anything that matters gets some other password, which I have to keep filed away for sites I don't visit often. But it makes it damn easy to login to everything else, since my fingers can type my email and password very quickly after having done it tens of thousands of times over the years!

  14. Claptrap314 Bronze badge

    I always assumed

    That if you want to HaveIBeenPwned, that the response would be, "You have now".

  15. Eddy Ito Silver badge

    And with the finding that Exactis left their database open online with 320 million exposed my guess is that soon everyone not already pwned in the US is now on the list. Hmmm, seems their website is down at the moment. I wonder why.


Biting the hand that feeds IT © 1998–2019