Phishing Filter in IE7


Hi, my name is Tariq Sharif and I am a Program Manager on the IE Security team. One of the threats users face on the web is phishing. Today, I want to tell you about the Phishing Filter in IE7, a new security feature designed to dynamically warn users if they visit a phishing site. I’ll cover the filter service communication flow, show you what some of the filter notifications look like, explain how you can report a phishing site and, most importantly, describe the process for reporting an incorrectly marked site.

What Phishing Filter does to help protect users

To use Phishing Filter, you will have to decide if you want to automatically check sites you visit against the list of known phishing sites on the Microsoft server, or if you only want to check when you have reason to suspect a site and opt out of automatic checking.

You get the most protection from Phishing Filter by setting it to automatically check sites, so I’ll focus on that experience today.

When you go to a known phishing site, Phishing Filter will detect the attack in progress and automatically take you away from the phishing site and show a strong warning.

To determine whether a website is a reported phishing website, Phishing Filter sends the address of the site you are trying to visit to a Microsoft server, which checks it against the list of reported phishing sites.

You might visit a phishing website that hasn’t been reported yet; you might even be the first person to find it. When you visit a site that uses common phishing tactics but isn’t listed on the server as a known phishing site, Phishing Filter will display a strong yellow alert in the Security Status Bar, a new feature area located next to the address bar. Now that you are alerted about the possible phishing site, you will be able to help us fight back.

How you can help us hook the “phishers”

IE7 has a menu option for you to report any phishing website that you find. Clicking on the warning message will open a menu where you can select a link to begin the process of reporting a phishing site. You can also find this option on the Tools menu at any time. Within a short period of time, reported phishing sites will be evaluated and added to the list of reported sites on the server.

What information is sent to Microsoft for checking a website

Phishing Filter does not check every URL on the Microsoft server. It only sends those which are not on a known list of OK sites or those that appear suspicious based on heuristics. If a URL is checked on the Microsoft server, the URL is first stripped down to the path to help remove personal information, then the remaining URL is sent over a secure SSL connection. The communication with the Microsoft server is done asynchronously so that there is little to no effect on your browsing experience.

So, for example, if you were to visit http://www.msn.com, nothing will be checked on the Microsoft server because “msn.com” and other major websites are on the client-side list of OK sites. However, let’s say the URL looked like this: http://207.68.172.246/result.aspx?u=Tariq&p=Tariq’sPassword. In this scenario Phishing Filter will remove the query string to help protect my privacy, but it will send “http://207.68.172.246/result.aspx” to be checked by the Microsoft server because 207.68.172.246 is not on the allow list of OK sites. As it turns out, 207.68.172.246 is just the IP address of the MSN.com server, so it’s not a phishing site, but this example should help you understand more about how Phishing Filter checks sites on the server.
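To make the two rules above concrete, here is an added illustration (not Microsoft’s code) of the client-side decision: allow-listed hosts are never sent, and for everything else the query string is dropped before the lookup. The allow list is constructed for the example, and removing any user:password@ portion of the URL is an assumption beyond what the post describes.

```python
"""Client-side URL preparation for a Phishing Filter style lookup.

Added example, not the IE7 implementation. The allow list below is
constructed; the real client-side list of OK sites is not published.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the "known list of OK sites" kept on the client.
ALLOW_LIST = {"msn.com", "microsoft.com"}


def on_allow_list(host: str, allow_list=ALLOW_LIST) -> bool:
    """True if host is an allow-listed domain or a subdomain of one.

    Matching on a trailing label boundary avoids treating
    'notmsn.com' or 'www.msn.com.evil.example' as msn.com.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allow_list)


def prepare_for_lookup(url: str, allow_list=ALLOW_LIST):
    """Return the URL that would be sent to the server, or None if no
    check is needed (allow-listed host, or not an http(s) URL).

    The query string and fragment are removed, as the post describes.
    The path itself is kept, so anything personal embedded in the path
    (rather than the query string) would still be sent.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if on_allow_list(parts.hostname, allow_list):
        return None
    # Rebuild the authority from hostname and port only, which drops any
    # user:password@ prefix (assumption: the post only mentions the query).
    netloc = parts.hostname
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


if __name__ == "__main__":
    for u in (
        "http://www.msn.com",
        "http://207.68.172.246/result.aspx?u=Tariq&p=Tariq'sPassword",
    ):
        print(u, "->", prepare_for_lookup(u))
```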

To read more about how phishing filter checks sites and how your privacy will be protected, you should check out the privacy statement and also Rob’s recent post on it.

Making sure your website isn’t flagged by Phishing Filter

If you are a site owner and your website is shown as suspicious or blocked, you too can click on the red or yellow warning in the Security Status Bar and click on the link to send feedback about the mistake. On the feedback page you can fill out the necessary information and request to have your website reevaluated.  Once a request has been submitted it is reevaluated by the Phishing Filter team. Based on the reevaluation, the site will either be removed from the list or left as it is.

I want to tell you a little about how Phishing Filter flags some sites as suspicious sites so you can keep your legitimate site from showing up as suspicious.

Phishing Filter has a machine learning filter that uses heuristics to determine whether a particular website looks suspicious by looking for characteristics in the page that are common in phishing scams. Because the heuristics come from machine learning, there may be cases where an actual phishing site is not flagged as suspicious (false negatives) and cases where a legitimate site is marked as suspicious (false positives).

This is another reason that Phishing Filter has to contact a server to detect phishing sites and keep the number of false positives to a minimum. If Phishing Filter were to download a block list every few hours, mistakes could not be quickly corrected. To correct a mistake in a timely fashion we would have to push the bits down constantly, and that approach does not scale very well. Therefore, to keep the number of mistakes to a minimum and for Phishing Filter to work most effectively, it contacts the Microsoft servers to determine whether a website is phishing or not.

For more information on this feature, see “Introducing Phishing Filter in IE” and “Anti-Phishing Whitepaper”.

 – Tariq

Comments (134)

  1. Anonymous says:

    A couple of questions, out of curiosity:

    1) How are you expecting the general public to respond to the phishing filter?

    2) Do you expect people to just grasp the concept of phishing? Is there a different term that might convey more clearly what a phishing attack is to my grandmother?

  2. Anonymous says:

    You should make the arrow next to "Continue (not recommended)" red or yellow. It looks too friendly being green 🙂

  3. Maurits says:

    As a site owner who does not have a copy of IE7, how can I tell if my sites are misidentified as phishing sites?

    Can you make a webform somewhere saying:

    QUERY THE PHISHING SITE DATABASE

    Enter a web site URL to determine whether it is in the Microsoft "phishing site" database:

    URL: _________________________ [ Search ]

    Or, where can I download IE7? 😉

  4. Maurits says:

    I just realized that you’re effectively receiving a copy of every IE 7 user’s browsing history, sans querystrings. Isn’t this a major privacy breach? Surely the phishing blocklist can’t change THAT quickly.

  5. Anonymous says:

    I agree with Nick. The term Phishing has absolutely no meaning to my mom. How about:

    "This website is a known suspicious website. Visiting it could leave you open to identity theft and/or other crazy stuff…"

    -Lonnie

  6. Anonymous says:

    Users don’t read dialogs.

  7. Anonymous says:

    It’ll be more helpful that if the reported phishing URL is stored in database, the warning page also show a link to the REAL website’s base URL. (Just like what IE now will suggest when it can’t find a page.)

    So the warning page of http://WWW.MlCROSOFT.COM will also give a link to http://www.microsoft.com and the user can use the "Contact us" at the page to report the phishing page to the company.

  8. Anonymous says:

    Re: Privacy

    I wouldn’t think any privacy laws are broken as no user identifiable information is transmitted linking the URL to the client! All that MS are receiving is a web address from somewhere, out there, by someone unknown.

  9. Anonymous says:

    Not much of a browse history for two reasons:

    1. All "legitimate" websites are always missed since the client never checks any with the server.

    2. Only unknown websites that the heuristics deem "suspicious" are checked.

    So at best you get a spotty view of someone’s history, and the feature is opt-in anyway, so you could always simply choose not to use it.

    The bigger problem I see is how you would update the "legitimate" website list on the client. Does this list only get updated via Windows Update? And I assume it has the appropriate protection on it so not just any script can modify it?

  10. Anonymous says:

    Please change the color of the "continue" button if possible. Red would be good.

    Also how about a dialog that says something like "Malicious Website Filter" etc…

    Phishing is a silly term to begin with and I don’t think it’s going to resonate with aunt maude….

  11. Anonymous says:

    When will be the Beta2 released? In one month, in two months?

    Thanks for the hardwork,

    Matt

  12. Anonymous says:

    I love that band, but why would you want to filter it out? What do you guys have against Phish?

  13. Anonymous says:

    Is there a ‘test’ or ‘demo’ server we can test it on? I’d love to try it out!

  14. Anonymous says:

    IMHO anti-phishing heuristics is useless. All phishers will check their websites against IE7’s filter and modify/obfuscate their techniques till IE7 stops detecting them.

    If you tweak filter to be more sensitive, false positives will damage reputation of legitimate websites…

  15. Anonymous says:

    Phishing may be a non user friendly name so the suggestion of including a brief explanation is a good one – sort of "A Phishing website performs an attempt to impersonate illegitimately another website in order to persuade you to input sensitive data meant for the legitimate website, with the intention to employ at a second time such data on the legitimate website impersonating yourself".

    Sort of, and has to convey the sense of the threat.

    Although Phishing sounds like a neologism, yet its origin seems clear: the sound is that of "fish", and reminds one of the Latin: pescare, to fish.

    I noticed that for privacy concerns the query string is stripped. This is well done, but of course all the future problems with it will derive exactly by exploiting this feature.

    An organized crime approach (my Italian fantasy lol?) might work as follows:

    1) an apparently legitimate online venture gets started for the purpose of phishing.

    2) for one year it keeps pretty low profile, simulating a legitimate environment. It knows it will cash later exploiting this feature.

    3) after one year it performs its Ocean’s Eleven: it raids 1,000,000 users in one day exploiting exactly a query string, it takes the money and runs.

    4) all the online magazines start making headlines and complaining that IE is insecure and is not standard compliant, which latter has nothing to do with it but war is war.

    All bugs and all exploits prosper in the assumptions.

  16. Anonymous says:

    Tariq Sharif, Program Manager of the Internet Explorer Security Team, details how the Phishing Filter in IE7 will work.

  17. Anonymous says:

    Having used the Netcraft anti-phishing toolbar for some time with IE6 SP2 I found it to be very effective but a bit too touchy when downloading music from legitimate sites (music bought and paid for). However, I did like the display of the country of origin, risk rating, site’s date of origin and site ranking of all web sites visited regardless of the phishing filter. All of which made it easier to detect suspect sites and allow the user to decide for themselves using the info given when a phishing site was flagged up and possibly report a site to Netcraft, which I had to do twice. Would it be possible to integrate some of these features into IE7 in the future? If anyone would like to try out the Netcraft toolbar or check the specs it is available for free from http://toolbar.netcraft.com/ but I have not tried it with IE7 so no guarantees.

  18. Anonymous says:

    In my opinion if someone knows what a phishing website is then they don’t need a phishing filter.

    And if they don’t know what a phishing site is then they probably wouldn’t understand the importance of enabling the phishing filter.

    As soon as I got IE7 beta1 I disabled the filter because it seemed to be slowing things down. (I’ve uninstalled the beta btw)

    On another note, if Microsoft just happened to block google.com (for example) for 1 day would Microsoft be held responsible for the damages it did to Google?

  19. Anonymous says:

    http://207.68.172.246/result.aspx?u=Tariq&p=Tariq’sPassword

    aw come on, we *all* know that should be:

    http://207.68.172.246/result.aspx?u=Tariq&p=Tariq%27sPassword

    😉

  20. Maurits says:

    AndyG

    "I wouldn’t think any privacy laws are broken as no user identifiable information is transmitted linking the URL to the client! All that MS are receiving is a web address from somewhere, out there, by someone unknown."

    Huh. The connecting IP might be enough in the short-term to identify someone. It’s certainly enough to tie all of a single user’s queries to each other… and if they have a personal homepage they visit often, it shouldn’t be too hard to figure out who they are from their history.

    And there are plenty of sites that use personal information in the URL /path/, not the querystring… like the ones that use a CGI engine that accepts a slash where the question mark is supposed to go.

    I do have a solution to this problem… use DNS as the lookup mechanism. That way the query comes from the user’s ISP… or, if the idea linked below is used, no query needs to come to Microsoft at all.

    See http://channel9.msdn.com/ShowPost.aspx?PostID=112349

  21. Anonymous says:

    Will you be sharing the data you gather so that other companies/individuals may use it and contribute to it in a free manner (meaning create a FreeDB not another CDDB)? If the objective is to protect people, I think this would be an obvious choice.

  22. Anonymous says:

    Good work.

    I agree with others that using another term than phishing will be most helpful for the ones needing it.

    Another concern is that the sites on the white-list will be attractive targets for phishers, i.e. breaking into one of those computers and replacing the normal business with a phishing site. [I understand they already break into computers to send spam mail so it seems like a logical next step.]

    Basically Alberto’s fantasy above, but letting someone else run the business the first year.

    So what types of sites will be on the white-list? Just large companies like CNN or small-sized businesses as well? Will some certification be required?

    The white-paper indicates that in order to avoid a yellow flag a smaller company should have a firewall and install all necessary security updates.

    Is that just normal good practice or does it imply that IE 7 will check if the server string identifies a version with known holes?

    BTW: Why is the row-spacing so large in the white-paper?

  23. Anonymous says:

    And who are exactly affected by phishing sites? Stupid users. It means IE will remain a product for stupid users. The real guys use Firefox.

  24. Anonymous says:

    Doesn’t this open up Microsoft to liability if a legitimate website is flagged as a phishing site and can’t do business with the majority of its clients as a result of the filter?

  25. Anonymous says:

    What percentage of surfers in general do you folks expect will come across a phishing site?

    I agree that the arrow colors need to match.

    Microsoft have shown poor ability to work interchangeably between basic and advanced users. Yes, Lonnie’s mother won’t know what Phishing is, but me and Lonnie do. Vista SEVERELY needs a quick and easy way to universally switch between basic and advanced user modes. However, since we’re talking about IE7, I would suggest something like this…

    * Phishing security issue! *

    Phishing is the act of…..

    Keep the exclamation simple; we technologically advanced people know what they mean or at least know how to make reference and figure out what they mean. Display a simple and brief description of what the problem is. Provide a link the user can choose if they are still curious to open in a new window/tab (heh) that has a well formed page with information the user can understand with non-technical explanations. "This warning means there are really two websites being loaded and if you send money chances are overwhelming it will go to an unintended party (fraud)." if say a frame site is being loaded that is cross domain.

    C++ guy is only half correct. Advanced users overwhelmingly do NOT read prompts, basic users overwhelmingly DO read, and a little of both do the opposite.

    — "On another note, if Microsoft just happened to block google.com (for example) for 1 day would Microsoft be held responsible for the damages it did to Google?" — Ron.

    Ron has a damn good point! I think a clear cut explanation for technical users would benefit us so legit webmasters such as myself can consciously avoid even accidentally being seen as a potential threat.

    Additionally there are third party agencies such as those who give SSL certificates that IE could reference. For example, if there is a <form, second IP/domain, certain symbols such as those that represent currency, IE could check if the location has any third parties backing that location up and if none are found prompt the user during their clientside interaction.

    I see there is a bit of controversy… but I’d rather see Microsoft be in controversy for addressing an issue rather than controversy in regards to inaction, as I am a designer who doesn’t design for but deals with IE. So far I think it’s a good effort and we’ll just have to wait and see if the coding, testing, and implementation works out in the end.

  26. Anonymous says:

    "Click here to close this webpage" should be "Close this webpage". Or "Close this web page".

  27. Anonymous says:

    What happens if I make a phishing site like: http://www.stealmyidentity.com/index.php?mode=phish which will try to do all sorts of nasty things to you, but if you navigate to http://www.stealmyidentity.com/index.php it shows a completely harmless kid-friendly page? You lose a lot of information by stripping all of the GET args from the URL.


  29. Anonymous says:

    I would recommend to make the text "Click here to close this webpage" big and with a green arrow. And the text "Continue to this website (not recommended)." should be smaller and have a red warning sign. If you still click that second option, there should be another warning like "Are you sure you want to visit this website? There are reports that this website may threaten your computer security. Click here to read more about security and phishing".

  30. Anonymous says:

    <An organized crime approach>

    That’s not phishing, it’s fraud. Phishing is when the user thinks they’re at one place, but they’re at another.

  31. Anonymous says:

    Alan, are you sure that ‘ is not permitted in an HTTP URL? It doesn’t have any reserved meaning, and RFC1738 appears to permit it…

    http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

    Simon, are you calling my dad stupid? Shame on you.

    Daniel– They mentioned that they get data from a lot of sources. Don’t forget that the spam mails that lure people to begin with are used in the serverside filter. I bet the entire domain could get nuked for hosting a scammer.

  32. Anonymous says:

    > It only sends those which are not on a known list of OK sites

    It seems to me that sites on this list will be accessed quicker, and thus give a better impression to the end user, than sites that aren’t on this list.

    What does it take to get on this list? Can Joe Random Weblogger get on it, or will it be reserved for Microsoft affiliates and subsidiaries like MSN?

    Conversely, if it is open for all comers, what stops people from changing a previously legitimate site to a phishing site?

  33. Anonymous says:

    > It’ll be more helpful that if the reported phishing URL is stored in database, the warning page also show a link to the REAL website’s base URL.

    I disagree. If I know end users, they’ll just get into the habit of being lazy and relying on the warnings to bring them to the right place. It will do nothing to discourage clicking on links in suspicious emails, and so, in the 1% of times something makes it through the phishing filter, they will fall victim to the scammers (which, IMHO, is a much better term to present to the end user than "phishers").

  34. Anonymous says:

    (Jim) What does it take to get on this list? Can Joe Random Weblogger get on it, or will it be reserved for Microsoft affiliates and subsidiaries like MSN?

    Hopefully MS won’t be dumb enough to leave sites like http://slashdot.org/ (or my site!) on a "not certain" list. That’d leave them open to a LOT of (further) ridicule (e.g. said Slashdot may report "Slashdot on Phishing Site List"; they kinda blow up news a bit 😉 ).

    (Jim) Conversely, if it is open for all comers, what stops people from changing a previously legitimate site to a phishing site?

    Then we, the collective End User, report it upon the change, maybe? I know if someone suddenly bought http://citi.com/ or something, I’d get the report done yesterday.

    (Tariq) This is another reason that Phishing Filter has to contact a server to detect phishing sites and keep the number of false positives to its lowest.

    …but does it have to be your server? At least get together with some groups (or even just a few big companies) and create an independent scam site server. (Oh, and I prefer "scam site" over "phishing site.")

  35. Anonymous says:

    I agree that the word "phishing" is awful and should not be used for this feature. "Phishing" means nothing to me, but "scamming" does. Why create so much confusion for what should be straightforward and obvious?

    ___________________________________________

    Reported Scamming Website

    This Website has been listed as a scamming website and should not be trusted.

    We recommend that you do not continue to the above website, as it may have been created to deceive you and make false claims.

    You may continue to the website at your own risk.

    – Click here for more information.

    – Click here to go to the unsafe website (not recommended).

    How Scamming Works:

    Description of how scammers try to deceive internet users.

    ___________________________________________

    Neither of the alerts you posted above would make any sense to internet newcomers.

    The first alert says – "For more information, read the Internet Explorer Terms and Conditions". Well I wouldn’t expect to find anything in the terms and conditions about "Phishing", so I wouldn’t click there and expect to find out.

    Then there’s a link that says "How does Phishing Filter help protect me?" Again, this link doesn’t mention anything about what "Phishing" is, it just seems to explain how the "Phishing Filter" would work. I wouldn’t click there.

    Then there’s – "What is Phishing Filter?". Well I don’t care what the "Phishing Filter" is, I WANT TO KNOW WHAT "PHISHING" MEANS.

  36. Anonymous says:

    > I noticed that for privacy concerns the query string is stripped. This is well done, but of course all the future problems with it will derive exactly by exploiting this feature.

    Most obviously, sites will just switch to a (mod_)rewrite-based approach.

    And, as others have pointed out too, absence of a query string can completely change the context of the page by the application serving the page, quite trivially.

    So I rather suspect the query string approach will quickly become next to useless.

    Agreed with the above poster. Scamming is a far more understandable word than phishing, which probably even only a minority of technical users will know.

  37. Anonymous says:

    1.) Still no explanation on why MS insists on sending the real URL rather than a hashed URL… at this point I’m starting to lean towards MS is going to use the browsing history for shady purposes, otherwise, why won’t you even give a reason why you refuse to do this?

    2.) The "known good sites" list is a terrible idea. Read up on pharming and you’ll see why. I type in http://www.microsoft.com, however, someone has hacked MS’s DNS server so that it gives me an illegitimate IP rather than Microsoft’s real IP. With the known good site stuff, IE is going to tell me that I am safe.

  38. Anonymous says:

    (codemastr) Still no explanation on why MS insists on sending the real URL rather than a hashed URL…

    Note the above, IE Team. Or send it via SSL/TLS, even if said security methods are disabled via Internet Properties. Otherwise, expect to see YOUR site recommended to the list instead.

    (codemastr) The "known good sites" list is a terrible idea. Read up on pharming and you’ll see why. I type in http://www.microsoft.com, however, someone has hacked MS’s DNS server so that it gives me an illegitimate IP rather than Microsoft’s real IP.

    When users visit Internet sites, check that the scam-site list server is up. If it is down, alert with:

    —————————

    Unable to check site legitimacy

    —————————

    (MB_ICONWARNING) A problem is preventing Internet Explorer from verifying any sites. Any further Web sites you visit, including this one, cannot be verified as trustworthy at this time. Do not continue unless you are already sure of the site’s legitimacy.

    —————————

    Continue Anyway STOP

    —————————

  39. Anonymous says:

    Perhaps, although definitely not appealing, the case for dropping the anti phishing feature could or should be stated. I know you have worked tough on it.

    Yet, there are reasons you may want to evaluate.

    It is not just that, as pointed out by many, whatever assumption may be exploited once known: a list of trusted sites implies that _all_ one has to do is to become trusted first.

    If then all of a sudden the site administrators perform an illegal operation (sounds like a OS warning of old times lol), and, moreover, they do it exploiting a query string, you might not even know about it but when the outcry’s got too loud already.

    Now, if you provide a system that is electively meant to overcome phishing, and you are the only company that sports it so openly, it won’t matter any longer how commendable it can be and how commendable it actually is.

    Exposed as _the_ company that set up itself to block phishing, you are going to be double exposed to critics at your first failure – which is bound to come as we all know: absolute security simply doesn’t exist.

    We are such stuff as bugs are made on, and our little program is rounded with threats.

    You may have to face a paradoxical situation where a product that did NOT implement any anti-phishing feature will go absolved of all blame, and you who did are imputed with all faults.

    Such a failure wouldn’t be your fault in the least: that a browser _attempts_ to fight phishing is _plain_and_simply laudable, no matter how it tries that.

    But you are probably aware that your product is subject to a campaign, and that the purpose of the campaign is exactly that of taking away slices of market from you, leveraging "real or _perceived_ security issues".

    If you provide a significant anti-phishing feature, all its failures are going to be blamed onto you as if you had _invented_ phishing in the first place.

    That is, you can still keep it in place, but _if_ so prepare your own Chief Evangelist Campaign too, because it is with such engineered propaganda campaigns that your engineers will be vilified, at your first anti phishing failure – which would be doomed to come sooner or later.

    Do not fight just with the product. Many won’t be satisfied with it even if it would be made In Heaven.

    Meet the challenge on _all_ its grounds, and prepare the counter-drumbeat besides your counter phishing, if you plan to keep the latter in place.

  40. Anonymous says:

    Just to follow up on the whitelist being flawed – Jim Ley points out in this article that for a long time, Google could be tricked into displaying whatever information phishers wanted:

    http://jibbering.com/blog/index.php?p=148

    It’s not too unreasonable to assume websites that will appear on the whitelist will also be vulnerable to similar attacks at one time or another.

    What is the value of a whitelist to the *end-user*? The only value I see goes to the people on the whitelist, at the expense of the end-user.

  41. Anonymous says:

    game kid: "When users visit Internet sites, check that the scam-site list server is up. If it is down, alert with"

    Good point, but that wasn’t what I meant. What I’m saying is, I go type into my browser http://www.microsoft.com. Phishing Filter says -> It’s on the white list, it’s OK. So then IE does a DNS request which returns 123.456.789.321, which is NOT the valid MS IP. In fact, the Microsoft.com DNS server has been "pharmed." Someone hacked the server and has set it to return an IP of a scam site. Hence, the phishing filter tells me "it’s on the whitelist, so it’s ok" when the DOMAIN is on the whitelist, but the IP that domain resolves to is actually fraudulent.

    Jim: "What is the value of a whitelist to the *end-user*? The only value I see goes to the people on the whitelist, at the expense of the end-user."

    I totally disagree. For one, I don’t see any mention of how we, the end users, can modify or even view the white list. We have no clue what is on it and no way to decide what is on it. If nothing else, I think it should be entirely user controllable and even able to be turned off.

    Finally, I agree that calling it phishing might not be the best idea. I think phishing should be mentioned but an explanation should be given. In late July the results of a Pew Internet and American Life research group reported that only 29% of American Internet users knew what phishing was. That means more than 2/3 of the American Internet users will be totally confused by these messages. I suspect that the percentage will be even lower in less developed countries where the media doesn’t have as much influence on the people’s lives.

  42. Anonymous says:

    Woops, fingers were moving faster than my brain for a second there, that should have read "I totally agree" not disagree 🙂

  43. Anonymous says:

    PLEASE do not make the default to blindly strip off query strings, or at least make sure it only does so for the Internet Zone. The web is a LOT bigger than just public web sites, and this action will BREAK a very large number of devices with embedded web interfaces that legitimately use query strings as a means of passing state and request information.

    At the very least, make sure the user is given an option to submit the query as requested, so that they have a prayer of actually being able to talk to a remote printer, firewall, sensor, camera, or other device, even if it’s not on their LAN. Maybe something like: "IE can’t tell if this site is trustworthy or not, proceeding could potentially be dangerous, but may be necessary in order for your request to work correctly. Proceed or Cancel?"

  44. Anonymous says:

    (codemastr) Good point, but that wasn’t what I meant.

    My brain must’ve died there. Replace my part (the one after your quote) with:

    When users visit Internet sites, check that the scam-site list server is up. If it is down OR TAKEN DOWN BY ADMINS BECAUSE THE SERVER OR ITS USERS DETECTED AN UNAUTHORIZED FILE CHANGE, alert with:

    —————————

    Unable to check site legitimacy

    —————————

    (MB_ICONWARNING) A problem is preventing Internet Explorer from verifying any sites. Any further Web sites you visit, including this one, cannot be verified as trustworthy at this time. Do not continue unless you are already sure of the site’s legitimacy.

    —————————

    Continue Anyway | STOP

    —————————

    …you guys DO have soft/hard/firm/*ware to detect and alert admins of intrusions, right?

    P.S. ADD POST-PREVIEW TO THIS BOARD. If http://slashdot.org/ can do it…

  45. Anonymous says:

    I’ve searched for a valid method to insert a Flash object in an XHTML document and wrote the code below:

    <object type="application/x-shockwave-flash" data="flash/index.swf">
    <param name="movie" value="index/index.swf" />
    <img src="imagens/index.gif" alt="" />
    </object>

    The browser IE 6.026, however, doesn’t load the movie, being extremely slow. How can I correct it?

    P.S.: Excuse my poor English.

  46. Anonymous says:

    So, Microsoft is going to have the ability to blackmail every governor that visits 16-year-old-sluts.com without first taking the precaution of turning off the filter…

    I can’t think of any possible harm that could come from that.

  47. Anonymous says:

    Thinking about this even more, this is completely back-asswards. Why is the whitelist on the client-side and the blacklist on the server side? Are you suggesting the number of phishing sites outnumbers the number of legit sites in the world by such a huge margin that it cannot be held on an average sized hard drive? I find that hard to believe. So what’s the utility of having a blacklist online? Well, if it’s online, it’s easier to keep it up-to-date. But will thousands of new phishing sites really be reported every second of every day? Isn’t checking for updates once a day enough?

    Both lists should be on the client side and periodically updated. To do otherwise is a gross violation of privacy.

  48. Anonymous says:

    I think this is a great idea so far. Phishing is one of the biggest threats on the internet and can make users more aware of what it is, and what it can do.

    This looks like when you are downloading a file, it prompts you to check if it has any malicious code.

    Nice stuff we have got here. I think IE7 + XP SP2 is a big plus to security.

  49. Anonymous says:

    <i>Why is the whitelist on the client-side and the blacklist on the server side?</i>

    I’d guess that most people tend to visit a small group of websites fairly frequently (e.g. going to the Dilbert website every morning), and having a local "approved list" will speed up those accesses.

    More generally, I’d like to see anti-phishing stuff put into mail clients as well as the web browser. This may be off-topic for the IE blog, although I’m not sure whether Outlook Express still counts as an IE component. Anyway, my standard approach is to hover over a hyperlink and see whether the actual URL is completely different to the one in the text (e.g. an IP address vs http://www.paypal.com). It would be nice for the mail client to do that kind of test for me, although I can also see some complications (e.g. text that says "our shop" to legitimately hide a long URL).

    More to the point, if I see an iffy thing like that, I’d be happy to report it to Microsoft for their blacklist, but I don’t actually want to visit the site, so it would be good to have an option in the context (right-click) menu to deal with that.

  50. Anonymous says:

    [

    <An organized crime approach>

    That’s not phishing, it’s fraud. Phishing is when the user thinks they’re at one place, but they’re at another.

    ]

    My reply is for a laugh, not for arguing ok? 🙂

    That’s not phishing, that’s simply having clicked the wrong link.

    Phishing is when the users think they’re at one place, but they’re at another – and in this other they get robbed, not given a chance to realize the error and go away 🙂

  51. Anonymous says:

    To be honest, I don’t like the approach taken with the anti-phishing filter. It’s a clear case of "#2 – Enumerating Badness" (http://www.ranum.com/security/computer_security/editorials/dumb/). Maybe it’s time you should update your bag of tricks.

  52. Anonymous says:

    Some questions to Tariq Sharif:

    Is it a special IE7 feature or is it integrated into the WebBrowser control?

    Is the feature IE6 compatible – that means, does the filter extend the IHttpSecurity interface that allows programmers to handle the dialog programmatically?

  53. Anonymous says:

    << Still no explanation on why MS insists on sending the real URL rather than a hashed URL>>

    I’ve answered this before. Wildcard DNS and folder redirection make it so hashing is an unworkable approach. Furthermore, as noted before, the universe of registered domain names is so tiny that it would be trivial to create a hash dictionary containing all registered domain names.

    <<The "known good sites" list is a terrible idea. Read up on pharming and you’ll see why. I type in http://www.microsoft.com, however, someone has hacked MS’s DNS server so that it gives me an illegitimate IP rather than Microsoft’s real IP. With the known good site stuff, IE is going to tell me that I am safe. >>

    No, we didn’t solve every security problem with the phishing filter. It helps prevent phishing attacks. IE will not tell you you are safe, but it will tell you that you are unsafe if a phishing attack was detected.

    To prevent Pharming, you have to use SSL.

    Other answers:

    1> The "IsPhishing?" query is sent via SSL.

    2> The "stripping off the querystring" applies only to what’s checked against the web service. We’re obviously not disabling query strings on the internet.

    3> This is an IE7 feature and is not part of the browser control. The feature is not IE6-compatible, but you can check out the MSN toolbar’s Anti-Phishing plugin.

  54. Anonymous says:

    IE7 Phishing Filter: Tariq Sharif of Microsoft’s Internet Explorer team describes how the next OS/browser will guard against counterfeit sites (an email which says it’s from your bank, but which actually serves a duplicate page hoping you’ll enter your passwords,…

  55. Anonymous says:

    "I’ve answered this before. Wildcard DNS and folder redirection make it so hashing is an unworkable approach."

    If this were really your reason then you would not be stripping query strings. Query string redirection is very common, possibly more common than folder redirection… every site I make uses it. http://www.blah.com goes to a default page, http://www.blah.com/?page=somethingelse is how you browse to other pages. Yet, even so you are stripping query strings. So if you can remove this feature which significantly reduces the effectiveness, in the name of privacy, why can’t you remove other features? Furthermore, couldn’t the domain be hashed but not the path? 78321738219734218937/blah/blah2 is much harder for someone to track than nudemonkeys.com/blah/blah2…

    "Furthermore, as noted before, the universe of registered domain names is so tiny that it would be trivial to create a hash dictionary containing all registered domain names. "

    First of all the number of registered domains grows daily so by the time you created a list it would be obsolete (the same argument you’re trying to use for the remote phishing database, remember?) So if it applies to phishing, it applies to domains – you can’t have it both ways. But let’s even assume you do have such a list. It’s still a step in the right direction. It makes it harder for some evil MS employee to steal my info (remember the AOL employee who sold email addresses to spammers?) But to be honest, the mere fact that you basically said, "even then we could get the URLs if we wanted to" makes me wonder why such a thought would have ever crossed your mind if MS really has no intention of capturing our browsing history. No technology is perfect, but that doesn’t mean we shouldn’t improve it. We should make it as good as we can.

    Personally I’d rather the *possible* threat of phishing than the *guaranteed* threat of privacy invasion, but that’s just me.

  56. ptorr says:

    I have a response at http://blogs.msdn.com/ptorr/archive/2005/09/13/464376.aspx (although Eric has a very good short summary above).

    Codemastr — if you don’t like the feature, you can simply choose not to use it. It is provided for customers who make a different choice than you do (ie, would rather be protected against phishing and accept the potential risk to their privacy).

  57. Anonymous says:

    Well, there may be some people who would like to comment *and* don’t want to use it. That should only be a problem if you’re afraid of critiques.

  58. Anonymous says:

    MS may as well resign themselves to the fact that there ARE going to be ways around this filter, whether through querystring manipulation (as mentioned above) or whatever. New methods will evolve over IE7’s lifespan.

    The problem with this, is that we are talking about being responsible for the end user’s confidence in third party websites.

    If you have a filter built in to your browser which you are told will warn you about dodgy websites, Aunty Mabel is going to start to rely on this feature.

    So who do you think she is going to blame when her credit card shows she has just bought 7000 Xboxes off eBay, when she KNOWS she hasn’t proceeded onto any sites her browser has warned her about.

    "This browser said it would protect me, and it didn’t"

    Sure, you COULD put in a load of text in the installer or whatever saying "this doesn’t GUARANTEE your safety, but it helps it!" or words to that effect, but how many times do you think Mabel is going to read that text? Once probably, before she starts thinking "oh, it’s that damn warning box again" and blindly clicks OK.

    Even worse if it’s in the installer, as most Aunty Mabels out there get nephew Jimmy who "knows all about computers" to install things for her. Who do you think told Mabel to install IE7 in the first place, and will he pass on EVERY warning dialogue through the installation process? Of course not, he’ll go DOWNLOAD NOW -> NEXT -> NEXT -> NEXT -> "I’ve finished Aunty! Look at this nice new GUI"

    Finally, how many phishing sites do you think last more than a few hours anyway? By the time someone has been daft enough to log into these sites, realised what’s happened, sent the phishing report off, got the site blacklisted… thousands of people got the email at the SAME TIME as this guy, and unfortunately, some of them fell for it.

    Phishing filters are a "wouldn’t it be nice if…" feature, but totally unrealistic to implement

  59. Anonymous says:

    The IE Blog has a post about the new Phishing Filter which will be built into IE 7. Basically, there’s a client-side whitelist and a server-side blacklist; if you turn the filter on, every URL you visit which is not on the whitelist gets sent off to Microsoft’s servers to be checked. And if you suspect a site is a phishing site, you can click "Report Phishing Site" on the Tools menu to send that URL off into a queue to be verified. However, for privacy reasons, IE strips off the URL parameters before sending off URLs. And this is where the problems with such an approach start to become apparent. What guarantees that the web page the manual URL checker person views (requested without URL parameters) is going to be the same one that the original reporter saw? The URLs phishers distribute by email can be mangled and made unique in many ways; DNS wildcards, mod_rewrite and query parameters are just three. Really smart phishing site implementations would continue to serve the phishing content for a given unique URL to the same IP address or class C range, but send innocent content back to any different IP address. Or they could use cookies to achieve the same effect. Microsoft engineer Peter Torr lists quite a few methods of URL mangling while explaining why the phishing filter doesn’t use hashing. However, he doesn’t say that they are all quite effective at making the filter’s life difficult even without hashing. Server-blacklist-based anti-phishing implementations put you in an arms race, and one in which the phishers hold all the cards. They have 20,000-strong botnets with automatic deployment tools; you have to check every submitted URL by hand. They can invent new ways of obfuscating and redirecting URLs; you are limited by the tools built into your deployed client. They have a large financial incentive; you are giving away a free product.

    There’s no magic bullet, but I believe the correct route to take is a combination of greater SSL use (which means we need SSL vhosting), stronger certificate field verification and OCSP, combined with in-browser standalone heuristics and a sprinkling of user education. A minimal amount of the latter is IMO, sadly, unavoidable – it’s very hard to protect people who will put their credit card number into just any web form which asks for it….

  60. Anonymous says:

    As netzpolitik.org reports, the new Microsoft Internet Explorer 7.0 is to contain a phishing filter of a very special kind: all web page requests are first transmitted to a Microsoft server, where they are checked against a blacklist.

  61. Anonymous says:

    I am a website designer, therefore I am trying to be up-to-date with news from web browsers market. Recently, I have read about an interesting feature – a Phishing Filter, which is supposed to be included in new Microsoft’s browser – Windows Internet Ex

  62. Anonymous says:

    Your reasoning for discounting the use of hashing within Microsoft’s "phishing filter" is a bit misleading. Hashing (when used correctly) is a completely acceptable method of authentication. Indeed, hashing is now the standard adopted by all branches of the United States government for securing confidential data. See: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

    It would perhaps be more accurate to say that Microsoft’s approach does not support authentication techniques using hashing. This is not a failing of the hashing approach in general; rather, it is a failing with Microsoft’s conceptual approach to preventing phishing. Microsoft is adopting a repeatedly failed "filtering" approach, using a remote database of blacklisted phishing websites. Microsoft’s approach, by the way, will most likely be redundant and useless since the average lifespan of a phishing website is only 2.65 days. By the time the phishing website has been reported to Microsoft, evaluated, and the database updated, the damage will already have been done and the phishing website long abandoned by the phisher.

    On Dec 14, 2004, the U.S. Federal Deposit Insurance Corporation (the FDIC) published a study presenting their findings on how the financial industry and its regulators could mitigate the risks associated with Phishing. In this report, the FDIC identified TWO ROOT CAUSES for the problem of phishing: 1) Authentication methods are insufficiently strong, and 2) The internet lacks website authentication capabilities. Virtually all other anti-phishing solutions, including Microsoft’s "phishing filter", fail to address these two root causes. Some solutions simply look up IP or other domain records and calculate risk. Some solutions, like Microsoft’s, rely on databases of blacklisted websites and selectively permit or block access based on company-defined filtering rules (while tracking your browsing habits in the process). Other solutions, like Passmark SiteKey, simply add additional "red tape" to an existing weak login process, using multiple layers of images, audio recordings, or other user-supplied information. Strictly speaking, none of these solutions are actually authenticating anything. At best, they are simply adding additional process layers to an already weak approach using non-standard rules, vulnerable databases and questionable public records. At worst, they may actually be providing phishers with even more confidential user information through their use of user-supplied images, recordings, and other personal information.

    Of all the available anti-phishing solutions, PhishCops by Sestus Data Corporation is the only anti-phishing solution that actually mitigates the two root causes of phishing as identified by the FDIC. PhishCops is a patent-pending two-factor anti-phishing solution which uses an innovative implementation of mathematic authentication algorithms developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce, to authenticate websites directly.

    PhishCops recently successfully completed a 5 month technical vetting (evaluation) process by one of the world’s largest financial entities (supporting hundreds of thousands of online merchants, banks, etc.) Also, for the past month Sestus Data Corporation has been quietly negotiating with a number of banks, internet infrastructure companies, and other organizations who have an interest in enhancing internet security generally, in preparation for a "launch" later this year. Several licensing announcements are now pending. In June of 2005, PhishCops was also named a semifinalist for the 2005 Homeland Security Award by the Christopher Columbus Fellowship Foundation in Washington D.C., a U.S. government agency. It may be partly due to PhishCops pending release that Microsoft rushed its phishing filter to market ahead of schedule.

    For more information:

    http://www.phishcops.com

  63. Anonymous says:

    Nice bit of advertising there…

  64. Anonymous says:

    …And here come the marketers. Anyone who claims they’ve "solved" the phishing problem is lying to you, either out of ignorance, or the desire to sell something.

    At least Microsoft is willing to explain how their technology works, the limitations of it, and what it protects against.

  65. Anonymous says:

    "Codemastr — if you don’t like the feature, you can simply choose not to use it. It is provided for customers who make a different choice than you do (ie, would rather be protected against phishing and accept the potential risk to their privacy)."

    This is irrelevant. My point is that we can be protected from phishing *AND* privacy violations. Microsoft has *CHOSEN* to introduce a privacy issue, it is not a necessity of a phishing filter. Again I say, virus scanners, spyware scanners, spam filters, none of these require remote servers, yet Microsoft expects us to believe phishing is vastly different, a difference I fail to see.

    Indeed, if you don’t like the feature, don’t use it (and I won’t). I’m simply suggesting that this should not be an issue because Microsoft could design the system in such a way that privacy is never jeopardized and I think we can all agree that would be the best, no phishing and no invasion of privacy.

  66. Anonymous says:

    I’m just not sure an inexperienced computer user should have to read a paragraph of text just to answer a question that should be, by default, chosen for them. Phishing Filter should be run by default.

    My father is not going to know, nor should he HAVE to know, what the heck a "Phishing Filter" is. If he doesn’t understand phishing (and he doesn’t… no matter how many times I explain it to him), isn’t there a good chance he’ll choose NOT to enable Phishing Filter, and in doing so get himself in trouble?

    This is a classic example of an unnecessary choice. Just turn it on by default and protect my father without asking him silly questions he won’t understand anyway.

  67. Anonymous says:

    <blockquote>If you are a site owner and your website is shown as suspicious or blocked, you too can click on the red or yellow warning in the Security Status Bar and click on the link to send feedback about the mistake. On the feedback page you can fill out the necessary information and request to have your website reevaluated.</blockquote>

    sounds good, but might prove goof. imagine my site gets blacklisted (by accident, by concerted influx of fake browser history lists from 20.000+ botnets phishers use, or whatever technique comes up their minds), and this causes me loss of money. imagine my site being a webshop, but without customers since no one can actually access it.

    then, in the middle of chaos and lost revenue, I have to fill out a form and have to wait

    <blockquote>Once a request has been submitted it is reevaluated by the Phishing Filter team. Based on the reevaluation, the site will either be removed from the list or left as it is.</blockquote>

    how long will it take? are there guaranteed response times? is there any compensation if my income loss is severe? what kind of plans are there against mass misuse by botnets?

  68. Anonymous says:

    Test it against a live phishing site: http://193.4.240.7/AccountVerification/index.php spoofs EBay.

    RobertD: They could never have this on-by-default, as this is considered a phone-home feature and that’s illegal to have on by default in a lot of places.

    Karsten: Botnets can’t make a non-phishing site appear to be a phishing site. Remember they said they review sites before blocking them.

  69. Anonymous says:

    "Phishing" is NOT a term that needs wider usage.

    The real issue is that the URL is suspicious.

    Call it "Suspicious web address".

    Or call it "Easily Confused Website".

    That describes http://paypol.com vs http://paypal.com

    Honestly you should include whitehouse.com in such a list, though I know you wouldn’t push it that far.

  70. Anonymous says:

    Will the "Phishing Filter" also transmit https URLs to the Microsoft server? I hope it will not, as the URL itself may be a secret and the "Phishing Filter" would destroy the privacy provided by SSL.

  71. Anonymous says:

    I shall be disabling this immediately, and recommending all my contacts to do so as well because:

    1) I don’t want Microsoft judging the ‘goodness’ of any site. How on earth are they, legally, going to do that world-wide. Wait for the lawsuits as they denigrate sites which are legally valid under _local_ laws.

    2) Requiring site owners to have to apply to Microsoft for permission to be visible on the Web is just crazy.

    3) There _IS_ a major privacy issue here – they can watch and cross-reference all my browsing by indexing it by my static IP address (available from the query my browser sends to them). My IP address can be linked to my eMail address, and hence the domain I own, by looking at the trace headers in any message I post to a public list. My full name and address can be obtained from that domain’s DNS registration.

    4) Second MAJOR security issue that has just occurred to me: Many web services use URL-rewriting to place a session identifier into the URL (e.g. Sun’s Servlet spec) – necessary if Cookies are not in use. This session ID is not in the query part which Microsoft strips out, it is in the part sent to Microsoft. So session security will have been compromised – while the session is open!

    5) We need the answer to the question posed by someone else here about whether or not HTTPS URLs are sent. That, in combination with the above point about session IDs in URLs would be ‘the nuclear option’ as far as security is concerned.

    6) I have no desire to spend my bandwidth and processing helping Microsoft build up frequency-of-access tables for their search-engine rival to Google.

    7) An engineering point: How on earth are they going to implement and scale this? Has anyone there sat down and calculated the rate of referrals if every site visited by everybody with IE7 (assuming it is as successful as is intended) has to refer to their server. They will have to offer the world a guaranteed response time and honor it – say 50 millisecs from anywhere in the world – otherwise browser usability will be shot to pieces. How many servers / how much bandwidth does this take up? It’s almost as if there was one central router for all HTTP traffic – it is a single choke-point. No matter that the look-up is asynchronous, either the information is there when someone reads the page, or it’s too late and Microsoft’s implied promise to protect users has been dishonoured.

    Nope – this is BAD engineering and will cause widespread anger and re-ignite global paranoia as the world comes to believe that, yet again, Microsoft are trying to subvert and control the Internet!

    Don’t you guys ever learn (or have someone paid to work out for you) what madcap schemes like this look like to the rest of the world? PR disaster in the making, again!

  72. Anonymous says:

    Chris– Yup, you can certainly turn off the feature if you’d like. In response to your concerns:

    1> Microsoft isn’t judging the goodness of anything. Microsoft is exposing third-party data about whether a site is likely being used to phish. Whether or not phishing is legal in some jurisdiction isn’t relevant; the point of the feature is to warn the user. They can ignore or disable the warning if they prefer.

    2> Please reread how the feature works. There’s no "applying for permission" to be visible.

    3> If Microsoft was snooping on your traffic in ways that it doesn’t, then yes, this information could be gleaned. Our privacy policy explains that we don’t do this. (Incidentally, your ISP is better positioned to spy on you.)

    4> Passing session information in paths is not a recommended mechanism of maintaining state in HTTP. Such state will show up in any logs on the server or a proxy.

    5> SSL urls are checked if the site isn’t on the known list. The same mitigations (host and path only) apply.

    6> As noted in the privacy policy, this isn’t how the data is used. It wouldn’t even be relevant anyway, given the relatively small number of anti-phishing enabled clients.

    7> Yes, we have engineering teams that calculate this sort of thing, and they will scale appropriately. Furthermore, the Browser User-Experience is coded such that a delay on the Antiphishing code doesn’t "shoot to pieces" the usability of the browser.

    Thanks for the feedback.
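The two points argued in comments 53 and 72 (what a host-and-path lookup key keeps and drops, and why hashing that key before sending it neither works against wildcard DNS nor hides the hostname) as an added Python illustration. This is not the IE team’s code; every URL and domain list in it is constructed sample data, and the two-label registrable-domain rule is a simplification.

```python
"""Added illustration (not the IE team's code) of the thread's argument
about sending host + path versus a hash of it.  All URLs and domain lists
below are constructed sample data."""
import hashlib
from typing import List, Optional, Set
from urllib.parse import urlsplit


def lookup_key(url: str) -> str:
    """Reduce a URL to scheme, host and path, dropping userinfo, query and
    fragment (the 'host and path only' rule from comment 72).  Anything
    encoded in the path itself, e.g. a ;jsessionid segment, is kept, which
    is exactly the privacy concern raised in comment 71."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # userinfo such as "www.bank.example@" is dropped
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}{parts.path or '/'}"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hashed_lookup_hit(url: str, hashed_blacklist: Set[str]) -> bool:
    """Alternative the thread proposes: the client sends only a hash of the
    lookup key, so the server can match nothing but an exact key."""
    return sha256_hex(lookup_key(url)) in hashed_blacklist


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Sample rule only; a real service would
    consult a public suffix list."""
    labels = host.split(":")[0].split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def plaintext_lookup_hit(url: str, blocked_domains: Set[str]) -> bool:
    """With the real host in hand, the server can match the registered
    domain no matter how the wildcard-DNS subdomain varies per mailing."""
    host = urlsplit(lookup_key(url)).hostname or ""
    return registrable_domain(host) in blocked_domains


def reverse_domain_hash(digest: str, registered: List[str]) -> Optional[str]:
    """Comment 53's point that hashing a hostname is not private: hash every
    registered domain once and look the received digest up."""
    table = {sha256_hex(d): d for d in registered}
    return table.get(digest)


# Constructed sample data: a reported phishing URL and a second copy of the
# same mailing that differs only in its wildcard-DNS subdomain.
REPORTED_URL = "http://k3j2.verify-acct.example/AccountVerification/index.php?id=77"
VARIANT_URL = "http://q9x1.verify-acct.example/AccountVerification/index.php?id=78"
HASHED_BLACKLIST = {sha256_hex(lookup_key(REPORTED_URL))}
BLOCKED_DOMAINS = {"verify-acct.example"}
REGISTERED_DOMAINS = ["bank.example", "verify-acct.example", "shop.example"]


if __name__ == "__main__":
    print(lookup_key("https://bank.example/app;jsessionid=ABC123/account?page=3#x"))
    print("hashed, variant subdomain:", hashed_lookup_hit(VARIANT_URL, HASHED_BLACKLIST))
    print("plaintext, variant subdomain:", plaintext_lookup_hit(VARIANT_URL, BLOCKED_DOMAINS))
    print("hash reversed to:", reverse_domain_hash(sha256_hex("verify-acct.example"), REGISTERED_DOMAINS))
```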

  73. Anonymous says:

    Eric: Thanks for the feedback, and the confirmation that the URL & path of SSL/TLS ‘protected’ page access will be copied to Microsoft.

    Will you be modifying the ‘padlock’ symbol on the browser while this feature is enabled, to warn people that their browsing is no longer secret?

    Re: session IDs embedded in paths: In some cultures, notably Germany, there is strong mistrust of all Cookies, and the embedding of sessionIDs in the path is the accepted ‘standard alternate’ way of handling this. Microsoft can’t just deprecate this industry-standard practice by fiat. Now, with even ‘SSL-protected’ sessions compromised by Microsoft (above), the concerns about session security must be enormous.

    You suggest that this info is also available to one’s ISP, but ISPs can’t see the path-encoded session IDs of SSL sessions. Microsoft can.

    To summarise: with this feature enabled, Microsoft will be told the full URL+path of every HTTP / HTTPS page request made. This is more data than any ISP or national security agency gets to see, and it has great potential for privacy invasion, blackmail, industrial espionage, political surveillance, etc., etc.

    The fundamental question is: will people trust Microsoft with this data?

    Microsoft IS aware of this trust concern. Look at the care taken with product upgrade and licence validation to explain to users that no confidential information will be uploaded to Microsoft – that there is simply a download of passive information. You really should be using something with this kind of architecture – even if it is less optimal from an engineering POV.

    You are obviously gambling that people, world-wide, have total faith in American corporations and their employees and will fully trust them – to the extent of giving them access to their confidential SSL browsing history, and (for those who don’t even trust cookies) to their open, ‘secure’ sessions.

    You are also, within your product team, perhaps gambling / hoping, that Microsoft ‘corporate’ don’t realize what you are planning and its full PR impact. Your scheme blows a hole in all the careful trust that has been built up around the licence-validation processes – essential for Microsoft revenue. Now your team is putting that trust at risk. Is this a career-limiting risk you are prepared to take – for a feature which brings with it no directly-attributable revenue – only cost?

    I strongly urge you to use a different architecture. Phishing-site info is essentially transient; sites will usually be closed down within a matter of days. The total number of ‘current’ sites cannot be too large – maybe 10,000 at any one time. Why not have the browser download once per hour the current list, or even use HTTP If-Modified-Since every minute, combined with an incremental format.

    Any of these would avoid the security issues, all of them would reduce the central load, and all of them would avoid the inevitable perceived degradation in browser performance.

    Think again Microsoft! With greatness comes responsibility – rise to that responsibility.

  74. Anonymous says:

    Microsoft will probably never stop amazing us with what they think they can get away with.

    Chris Haynes is spot on target. This is so serious, I hope a class action suit (governments, large corporations and NGOs could also join in) will come out of it, just from the potential of what a disgruntled MS employee could do with this information.

    This is NOT about power users being told "just turn it off". That is an antic similar to phishing itself; "Just don’t go to the site."

    Why don’t you guys concentrate on stuff that makes a difference, without potentially stealing my bank account?? (Or is that the big plan?)

    * http://www.microsoft.com@somethingveryinteresting.whatever.hedhman.org is a common trick. Users should be warned against such URLs.

    * <a href="http://phisher.com/give/me/your/secrets>http://www.ebay.com/signin</a> is another awfully common one, that technology-ignorant people fall for (and that is what this is all about – ignorant people). Big warning after some careful analysis. False positives are damaging, and result in turning such off.

    * The above for mail clients as well.

    * Default to text in non-trusted (certificates / marked senders) mails. Possibly combined with no link creation by default.

    I am sure if you bother to ask the community at large, many other techniques could be employed to vastly improve the current situation.

    So, can the 3 member (so called) security team go back to the drawing board and remove this stupendous "feature" (probably violation of Geneva conventions of human rights would be closer to the truth (no opening of a sealed envelope)).

    I am also flabbergasted over the number of M$ d**ks**kers around here, not thinking about implications and arguing over whether phishing is fraud or not, and if it should be called Scam Filter instead. Stop arguing and just send your Bank account information straight to Eric, Tariq and the team, so they can empty it at their leisure instead of polluting the world with more crap.

  75. Anonymous says:

    I still have yet to hear a cogent explanation of why it’s necessary to send the path of all of my non-whitelisted sites to Microsoft every page load, instead of downloading a fresh copy of the changes into my local blacklist file. Approximately how many new phishing sites are created every day? Can someone give me a number? I still refuse to believe it’s more than a few megabytes of text per year.

    Less seriously, re: http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx#469639, when will MS come out with a blog spam filter? 😉

  76. Anonymous says:

    Microsoft-Developers:

    How do you bar competitors from blaming each other using phishing websites?

    There really comes a high risk of abuse with this phishing website suggestion tool.

    Greets Jean

  77. Anonymous says:

    Please reconsider sending the path of an https URL to a third party server.

    You may have your own views on what is the ‘recommended way’, but these are just your views. The ‘recommended way’ may not actually be the best, or even a workable, way of implementing access control in a web application. But this programming change forces your view on everyone and destroys the design freedom that the HTTP and HTTPS specifications provide. HTTP treats the path as opaque and allows the site to encode whatever it wants there. HTTPS provides *socket level* privacy for an HTTP session. This programming change greatly restricts both these dimensions.

    I also don’t see the upside to this loss of design freedom. Since you are not sending the query string, you can’t do the same GET operation that the user did. Of what benefit is the path without the query string?

    If you have to send anything, please send just the hostname component of the URL. This is the only part of the URL with defined semantics, and that is already transmitted in the clear.
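The two deceptive-link patterns listed in comment 74 (a trusted name placed before "@" in the userinfo part of a URL, and link text that names a different site than the href actually targets) and the hostname-only proposal in comment 77 can be checked mechanically. The following Python is an added example written for this page, not code from the IE team or from any commenter; the HTML fragment, the `.example` host names and the function names are all constructed for illustration. It relies only on the standard library's `urllib.parse` and `html.parser`.

```python
"""Defender-side checks for the deceptive-link patterns in comment 74,
plus the hostname-only URL reduction proposed in comment 77.
All sample HTML and URLs below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def analyze_url(url):
    """Return (effective_host, warnings) for a URL.

    The userinfo trick puts a trusted-looking name before '@'; clients
    connect to the host *after* the '@', so that host is reported and
    the presence of userinfo is flagged.
    """
    parts = urlsplit(url)
    warnings = []
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        warnings.append(f"userinfo {parts.username!r} precedes real host {host!r}")
    return host, warnings


def _as_url(text):
    """Treat bare link text such as 'www.example.com/x' as an http URL so its
    host can be compared; return None when the text is not URL-like."""
    text = text.strip()
    if "://" in text:
        return text
    if " " not in text and "." in text:
        return "http://" + text
    return None


def link_mismatch(href, text):
    """True when the visible link text names a different host than the
    href actually points to (the second pattern in comment 74)."""
    shown = _as_url(text)
    if shown is None:
        return False  # plain words like 'Click here' carry no host to compare
    target_host, _ = analyze_url(href)
    shown_host, _ = analyze_url(shown)
    return bool(shown_host) and shown_host != target_host


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def suspicious_links(html):
    """Return the hrefs in `html` that use either deceptive pattern."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        _, warnings = analyze_url(href)
        if warnings or link_mismatch(href, text):
            flagged.append(href)
    return flagged


def hostname_only(url):
    """Comment 77's proposal: keep only the hostname, the one URL component
    with defined semantics, and drop path and query before any lookup."""
    return urlsplit(url).hostname or ""


# Constructed sample mail body, modelled on the patterns in comment 74.
SAMPLE_HTML = """
<p>Please <a href="http://phisher.example/give/me/your/secrets">http://www.ebay.com/signin</a>
to confirm your account, or visit
<a href="http://www.microsoft.com@somethingveryinteresting.example">Microsoft support</a>.
Safe: <a href="https://www.ebay.com/signin">www.ebay.com/signin</a></p>
"""

if __name__ == "__main__":
    for href in suspicious_links(SAMPLE_HTML):
        print("suspicious:", href)
    print(hostname_only("https://bank.example/accounts/1234?session=abc"))
```

Run stand-alone, the script flags the first two links and leaves the third alone, then shows that `hostname_only` turns a full HTTPS URL into just `bank.example`, which is the only part of the URL a lookup service would receive under comment 77's proposal. The bare-text handling in `_as_url` goes slightly beyond the commenter's example so that "www.ebay.com/signin" without a scheme is still compared against the href.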

  78. Anonymous says:

    I’ve been asked a couple of times why I accepted a position working with IIS 7. Someone even quipped…

  79. Anonymous says:

    I am a program manager on the Internet Explorer team and in this post I would like to share what we are…

  80. Anonymous says:

    I’ve been asked a couple of times why I accepted a position working with IIS 7. Someone even quipped…

  81. Anonymous says:

    As we’ve described previously, we’ve made some major architectural improvements to improve browsing…

  82. Anonymous says:

    Hello, I’m John Scarrow and am the general manager for the Anti-Spam and Anti-Phishing Team at Microsoft….

  83. Anonymous says:

    I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work….

  84. Anonymous says:

    IE7 – Phishing Fraud Detection Feature

  85. Anonymous says:

    I read about this internally yesterday and then on the blog posts today – IE7 will become part of the

  86. Anonymous says:

    I had mentioned a while back that we planned to call the version of IE7 in Windows Vista “Internet…

  87. Anonymous says:

    At the end of May, Microsoft’s IE development team said they would name the IE in Windows Vista “Internet Explorer 7 ”. But now they have changed their minds again and dropped the “ ” designation: no suffix, no .x, just “Internet Explorer 7”.

  88. Anonymous says:

    As we’ve worked on the new Phishing Filter in IE7, we knew the key measure would be how effective it…

  89. Anonymous says:

    I imagine just about everyone reading this has encountered some form of phishing emails. Common examples would be emails supposedly coming from sites like PayPal, Ebay, or large banks asking you to update your account information. Of course, the real..

  90. Anonymous says:

    As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

  91. Anonymous says:

    Hello! I am Eric Lawrence, the program manager responsible for Internet Explorer security. Last Tuesday, Dean … our thoughts on a trustworthy browser