Mozilla says Firefox phishing filter isn’t working yet

Earlier today, I wrote about the new anti-phishing feature in Firefox 2 Beta 1, which was unable to catch a single scam e-mail in my testing. This afternoon, a Mozilla spokesperson sent me an e-mail that said, yes, it doesn’t work yet. In fact, said the spokesperson, this feature “was intended to test the core Phishing Protection framework within the browser, not to provide a full list of suspected scam sites.”

Mozilla really needs to get its act together here, because that’s not the message they’re sending out to people who download the beta version of Firefox 2. Exhibit A is the announcement page for Firefox 2 Beta 1, which provides a bulleted list of 16 “new features and changes to the platform.” The #1 item on that list? See for yourself (yellow highlight added):

[Screenshot: Firefox 2 Beta 1 announcement page, bulleted feature list with the Phishing Protection item highlighted]

See anything there that says the feature isn’t implemented? Me neither.

In fact, if you follow the link to read more about the Phishing Protection feature, you get to Exhibit B, which has this box prominently displayed at the top (again, the highlighter is mine): 

[Screenshot: Firefox 2 Beta 1 Phishing Protection page, box at the top highlighted]

“If you encounter a web forgery and don’t see the anti-phishing warning … let us know about the problem and we’ll update our lists…”

Again, nothing to suggest that this feature isn’t working in Firefox 2 Beta 1. In fact, this blurb clearly suggests that the feature is enabled and intended for use today.

Here’s the second item on the FAQ:

2. How does the Phishing Protection feature work in Firefox 2 Beta 1?

Phishing Protection is turned on by default in Firefox 2 Beta 1, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 Beta 1 when the anti-phishing feature is enabled. Since phishing attacks can occur very quickly, there’s also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Anti-Phishing preferences pane. (Note: final set of anti-phishing service providers TBD.)

Based on what the PR spokesperson told me, that paragraph is essentially inaccurate. It isn’t until you get nearly to the end of the FAQ that you see this little disclaimer:

7. I tried browsing to some known phishing sites and I didn’t receive a warning. What happened?

At this time we are using a limited list to test the core Phishing Protection framework within the browser. Users are encouraged to verify that the above test links properly display a warning dialogue, but to wait until a future beta release of Firefox 2 to verify the accuracy of the list of web forgeries.

Meanwhile, the Google Safe Browsing feature is available in the Google Toolbar for Firefox, which is shipping now. In my tests so far today, it correctly identified one phishing site and missed two others. IE7 blocked navigation to all three and flagged them as “confirmed phishing sites.”
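To make concrete what FAQ item 2 above is describing, here is an added example of the browser-side "check the site against a local list" step. It is illustrative code written for this page, not Firefox or Mozilla code: the list entries and host names are constructed, the 203.0.113.7 and 198.51.100.9 addresses are documentation ranges, and the canonicalization rules are a simplified assumption rather than Mozilla's or Google's real ones. The optional online-service lookup the FAQ mentions is not modelled.

```javascript
// Added example (not Firefox or Mozilla code): a minimal local-list phishing
// check of the kind FAQ item 2 describes. The list entries and host names are
// constructed, and the canonicalization rules are a simplified assumption,
// not Mozilla's or Google's actual ones.

// Constructed local list of "known phishing" prefixes: host plus path prefix.
// A trailing "/" entry covers every page under that directory or host.
const LOCAL_PHISH_LIST = new Set([
  "203.0.113.7/peoplestrust/login.php",   // one specific fake login page
  "secure-update.example.net/",           // an entire fictional host
]);

// Reduce a URL to "host/path" so that trivially different spellings of the
// same location compare equal. The WHATWG URL parser already lowercases the
// host, resolves "../" segments and turns decimal/hex IP forms such as
// 3405803783 or 0xCB007107 into dotted 203.0.113.7; we add the remaining
// steps this example needs. The query string is dropped for simplicity.
function canonicalize(rawUrl) {
  const u = new URL(rawUrl);
  const host = u.hostname.replace(/\.+$/, "");        // strip trailing dots
  let path;
  try {
    path = decodeURIComponent(u.pathname);            // "%2E" -> "."
  } catch {
    path = u.pathname;                                // malformed escape: keep as is
  }
  path = path.replace(/\/{2,}/g, "/");                // "//" -> "/"
  return host + path;
}

// All prefixes of a canonical URL that the list could have recorded:
// the full URL, then each enclosing directory, ending with "host/".
function candidates(canon) {
  const out = [canon];
  for (let i = canon.length - 1; i >= 0; i--) {
    if (canon[i] === "/" && i !== canon.length - 1) out.push(canon.slice(0, i + 1));
  }
  return out;
}

// The browser-side check: warn only when some prefix is on the local list.
function checkUrl(rawUrl, list = LOCAL_PHISH_LIST) {
  const canonical = canonicalize(rawUrl);
  const matched = candidates(canonical).find((c) => list.has(c)) ?? null;
  return { canonical, warn: matched !== null, matched };
}

if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "http://3405803783/peoplestrust/login.php#form",            // decimal IP
    "http://0xCB007107/PeoplesTrust/../peoplestrust/login.php", // hex IP, dot segment
    "http://SECURE-UPDATE.example.net./account/verify",         // case, trailing dot
    "http://198.51.100.9/peoplestrust/login.php",               // same page, host not listed
  ];
  for (const s of samples) console.log(s, "->", JSON.stringify(checkUrl(s)));
}
```

The first three samples are flagged because canonicalization collapses the decimal and hex IP spellings, the mixed-case host with a trailing dot, and the "../" segment onto entries the list actually contains. The fourth, the identical fake login page served from a host that is not on the list, comes back with warn: false. That is the situation the post describes: the framework is doing exactly what it was built to do, and whether a user ever sees a warning depends entirely on how complete the downloaded list is.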

17 thoughts on “Mozilla says Firefox phishing filter isn’t working yet”

  1. Hey, what did you expect…it’s beta software! 🙂 Seriously, Mozilla is all but begging for a lawsuit from the first person who gets taken in by a phishing site because of the misleading announcement.

  2. Indeed, it is beta software, but that doesn’t give Mozilla excuses for blatantly claiming it works and then saying that they’re still working on it. I guess they were interested in attracting attention about how Firefox’s security is a lot better than IE7’s. 🙂

  3. David, I mentioned the Google Toolbar in my final paragraph here. It failed on two out of three sites, which is too small a sample to judge by. I have a query in to the PR people at Mozilla/Google asking for clarification on whether the Google Toolbar is also “limited” in its functionality.

  4. I may have missed a few Digg postings but I couldn’t find a mention of this story. Imo Digg likes to mod down stuff that might appear to be anti-firefox. I have a feeling they buried this one entirely.

    For the sake of being upfront, I must say I don’t like Digg much these days… too many people there of the kind who don’t wash their hands after going to the bathroom. That’s the overall mentality that Digg gives off lately.

  5. That’s crummy. Maybe something just missed the deadline for release or something. If not, I can’t really think of a reason why they would claim it works when it doesn’t. And, in any case, they should remove the statements now, instead of leaving them up there…

    I haven’t heard, but I am tempted to agree with Randy, at least for now – 1.5 seems to be great, and haven’t seen much reason to upgrade.

  6. This is a pretty glaring error, but you should also note that they have this warning in bold at the top of the page:

    “Please note: We do not recommend that anyone other than developers and testers download the Firefox 2 Beta 1 milestone release. It is intended for testing purposes only.”

    This release is not for everyday users, but for testing only. Still, they should indicate on that page that the filter is not fully functional yet.

    [Final sentence deleted – EB]

  7. Aaron, I deleted one sentence from your post. You know why. If you (or anyone else) want to have a flame war, do it somewhere else, not here.

  8. No problem Ed. Your site, your rules. But I would hope you would have the same attitude towards inaccurate, slanderous statements posted here as you do towards my completely true accusation.

  9. Ed,

    I got my first phishing attempt to my main email account today and just for grins thought I’d run the same test you did. This particular URL is obviously not to Peoples Trust Federal Credit Union because it has an IP address in the beginning of it but I’ve got to say they did a good job faking the design. I’ve also never done business with them so I know it’s fake. Firefox 1.5.0.6 with the Google toolbar immediately warned me the site was likely a fake. I fired up the latest IE7 beta, did a phish check, and was told the site was safe.

    Telling someone a site is not suspicious is pretty bad.

    To me all this stuff is 50/50. Sometimes your overwhelming Pro Microsoft opinions are just as bad as the Pro Linux boot camp. I don’t remember your writings from your Techrepublic days being so Pro-MS.

  10. James,

    I call ’em like I see ’em. I find it amusing that you would accuse me of bias when all I did was to report exactly what I experienced. Where is the bias in that? So far, I haven’t seen any that have been blocked by the Google Firefox toolbar and labeled safe by IE7. I’m sure those sites exist. If I get the phishing email you received, I’ll add it to my tests and I’ll accurately report the results.

  11. Ok, my bad not exactly bias, just calling it as you see it. Everybody sees things differently and there’s nothing wrong with that.
