Firefox takes aim at phishers

An upcoming version of Firefox will include protection against phishing scams, using technology that might come from Google.

The phishing shield is a key new security feature planned for Firefox 2, slated for release in the third quarter of this year, Mozilla's Mike Shaver said in an interview on Tuesday.

Shaver, a technology strategist at the company which oversees Firefox development, said: "Everybody understands that phishing is a significant problem on the web. We are putting anti-phishing into Firefox, and Google is working with us on that."

With the continued rise in online attacks, security tools have become something web browser makers can use to try to stand out. Microsoft plans to include features to protect surfers against online scams in Internet Explorer 7, due later in 2006. Similar functionality is already in Netscape 8 and Opera 8, both released last year.

Shaver said: "It is another example of the energy that has returned to the browser marker."

Phishing is a prevalent type of online scam that attempts to steal sensitive data such as user names, passwords and credit card details. A record 7,197 phishing websites were spotted in December, according to Anti-Phishing Working Group.

While Firefox 2 will get a phishing shield, no decision has been made on how it will be incorporated in Firefox, Shaver said. "Google, like others who contribute to the project, has contributed code and expertise for us to experiment with," he said. "We haven't committed to a given approach, a given technology or a given partner."

Google has close ties to Firefox. A year ago, the search engine giant hired Ben Goodger, a lead engineer on the open-source web browser. Firefox is also part of the Google Pack, a bundle of Google's own and third-party applications.

The search giant could not be immediately reached for comment.

Although IE and Firefox, the two most-used web browsers, don't include anti-phishing features yet, there are browser add-ons that guard against such scams. These include the Google Safe Browsing plug-in for Firefox and Microsoft's MSN Toolbar for IE. Other providers include Netcraft and SiteAdvisor.

The various phishing shields use a variety of techniques to guard against online scams. These include blacklists of known fraudulent websites, white lists of good sites and analyses of web addresses and web pages. Firefox 2 might be different, since the developers aren't married to those approaches, Shaver said.

He added: "I don't think anybody has found a perfect solution. We would not look to do something different just for the sake of being different but we don't want to be constrained by recent history either."

Regardless of what technology ends up in Firefox 2, people who want to use a different anti-phishing product will be able to do so, Shaver said.

Adding anti-phishing technology to web browsers helps with online security but is not a panacea, according to Amir Orad, vice president of marketing at RSA Security's Cyota group. "We think it is very important. It doesn't solve the problem but it is a step in the right way," he said.

Cyota, an anti-phishing specialist which was acquired by RSA Security last year, provides lists of known fraudulent websites to Microsoft for IE 7 and to Netscape, as well as others. Orad said: "It is an arms race, another tool in the arsenal."

An early, alpha release of Firefox 2 is expected later this month but it is unlikely to include the anti-phishing features. Shaver said: "We don't want to rush it to get it into that alpha. But things can move pretty fast in our world and if we come up with something that we like the looks of we might put something in experimentally."

Other planned security features in Firefox 2 are support for a stronger type of digital certificate, a so-called high-assurance certificate. At the same time, the new browser is likely to drop support for less secure certificates, Shaver said.

Joris Evers writes for CNET News.com