I think you're being a bit unfair to Mozilla and Google here. Indeed, Google is best positioned to find phishing sites and it would be nice of them to provide all of us with some help in identifying them. It would also be nice of Mozilla to build this capability into their next browser.
Finally, it does not necessarily entail sending all URLs for check to Google; it's neither practical nor necessary.
Here's how I would do it: create a LOAF of phishing sites -- a (let's say 1 megabit) array of bits, where phishing sites are denoted by ones in the following way: the phishing URL is hashed and the last few (in this example 20) bits are used as an address in the LOAF. Only suspects (those colliding with this 20-bit hash of phishing sites) are sent over to Google for verification.
This solution would be efficient and privacy-preserving at the same time. I won't be surprised if the actual thing was something along these lines.
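The scheme in the comment above, sketched as an added example (it is not the commenter's code or anything Google or Mozilla shipped). SHA-256, the function names and the `example.test` URLs are assumptions made for illustration; the 20-bit address and 1-megabit array come from the comment.

```python
import hashlib

ADDRESS_BITS = 20              # from the comment: last 20 bits of the hash
LOAF_BITS = 1 << ADDRESS_BITS  # 1,048,576 bits ("1 megabit"), 128 KiB


def address(url):
    """Bit position for a URL: the last 20 bits of its hash."""
    # SHA-256 is an assumption; the comment does not name a hash function.
    digest = hashlib.sha256(url.encode("utf-8")).digest()
    return int.from_bytes(digest[-3:], "big") & (LOAF_BITS - 1)


def build_loaf(phishing_urls):
    """Publisher side: set one bit per known phishing URL."""
    loaf = bytearray(LOAF_BITS // 8)
    for url in phishing_urls:
        pos = address(url)
        loaf[pos >> 3] |= 1 << (pos & 7)
    return loaf


def is_suspect(loaf, url):
    """Browser side, fully local: True if the URL's bit is set."""
    pos = address(url)
    return bool(loaf[pos >> 3] & (1 << (pos & 7)))


def browse(loaf, visited, verify):
    """Check visited URLs; only suspects are passed to verify() (the remote lookup)."""
    sent, verdicts = [], {}
    for url in visited:
        if is_suspect(loaf, url):
            sent.append(url)           # this URL is disclosed to the verifier
            verdicts[url] = verify(url)
        else:
            verdicts[url] = False      # bit clear: not listed, nothing sent
    return verdicts, sent


def expected_false_positive_rate(n_listed):
    """Chance that an unlisted URL lands on a set bit and is sent anyway."""
    return 1.0 - (1.0 - 1.0 / LOAF_BITS) ** n_listed


# Constructed sample data (not real sites).
LISTED = {"http://phish%d.example.test/login" % i for i in range(10000)}
CLEAN = ["http://shop%d.example.test/" % i for i in range(20000)]
LOAF = build_loaf(LISTED)
VERDICTS, SENT = browse(LOAF, CLEAN + ["http://phish7.example.test/login"],
                        lambda u: u in LISTED)
```

With 10,000 listed URLs, roughly 1% of clean page loads land on a set bit and are passed to the verifier; every other URL is resolved locally and never leaves the browser.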
Iang wrote:
> It seems to be the central database model, which I
> sometimes call the Netcraft model:
Gets better, Google just got more access to your information...
"Google has just released the Google Browser Sync extension [CC] for Firefox. This extension allows you to save your bookmarks, history and passwords on Google servers, effectively giving you a 'roaming profile,' which you can sync on any computer running Firefox (and the extension, of course)."
http://www.google.com/tools/firefox/browsersync/index.html
Posted by Duane at June 9, 2006 05:25 AM

Hi Daniel, thanks for taking me to task! Here's my response, somewhat belated.
1. is Google the Best?
It is perhaps plausible that Google is well positioned to manage a database of potential phishing sites. But, consider that this is actually an "old" idea. I understand that Netcraft published the first version, and since then I've seen 6 or so variants. Which is to say, why Google? Why not me? Why not the US Department of Justice? The KGB?
Centralisation is a seductive concept. Although their implementation may be googley, does this really merit taking the risk that this information will inevitably be attached for other purposes?
2. Does Google preserve Privacy?
It didn't occur to me to consider whether they have designed in some privacy preserving system. That's because I assume it to be irrelevant to the long run. If they do privacy preserving now, that just means that they will unwind that some time in the future, when it becomes convenient.
Of course, I can't promise that. But experience with large corporations and such data issues would make assuming any other thing unreasonable. "First they say they don't collect that data, then they say ..."
I suppose to put this in a different context, let us consider that Google just successfully defended against an attempt of USDOJ to mine their data for some bogus reason or another. The other companies didn't bother. So Google is good, right? No, they are young. When they are as old as Yahoo or Microsoft or eBay, they won't be challenging in court. That's my prediction.
3. Is it unfair to criticise?
Well, I think the above answers it. If there is any merit in those arguments, someone has to criticise it (much as I hate being the public whipping boy here). Otherwise they'll just snowball the issue again and again, which is easier than doing the debate properly. Neither of these organisations seems to have engaged in public debate on this issue of privacy - that's fair?
Posted by Iang at June 10, 2006 02:50 PM