
Re: Primitive phishing protection

A couple of nights ago, while trying to get through 1000+ unread items in Google Reader, I stumbled upon the post "Primitive protection against phishing" by the Habr user hooey. And I was inspired.

I wanted to implement the idea as an extension for Firefox, which I tried to do.

I warn you: this is my first extension for Firefox. It was written in a couple of evenings, and I'm not trying to present a finished product, just to show a prototype.

Idea


Briefly:
  1. look for links whose text is a URL;
  2. check whether the href value is a URL (it may turn out to be an anchor);
  3. compare the hosts in the text and in the href;
  4. if they don't match, shout loudly and don't let the user follow the link.

Code


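var fishurl = {
    // subscribe to page loads in the browser's content area
    onLoad: function () {
        var appcontent = document.getElementById("appcontent");
        if (appcontent)
            appcontent.addEventListener("DOMContentLoaded", this.onDOMLoad, true);
    },
    onDOMLoad: function (e) {
        if (e.originalTarget instanceof HTMLDocument) {
            fishurl._parseDocument(e.originalTarget);
        }
    },
    _parseDocument: function (doc) {
        // doc.links is a live collection: removing href below drops the link
        // from it, so iterate over a snapshot
        var links = Array.prototype.slice.call(doc.links);
        for (var i = 0, l = links.length, item, textUrl, hrefUrl; i < l; i++) {
            item = links[i];

            textUrl = this._parseUrl(item.text);

            // skip links whose text is not a URL
            if (!textUrl)
                continue;

            hrefUrl = this._parseUrl(item.href);

            // skip links whose href is not a URL (an anchor, for example)
            if (!hrefUrl)
                continue;

            // the hosts differ: disarm the link
            if (textUrl.host != hrefUrl.host)
                this._blockLink(item);
        }
    },
    _blockLink: function (item) {
        // remember the real target; a separate function call gives every
        // link its own copy instead of one variable shared by the whole loop
        var _href = item.href;

        // handle the click ourselves
        item.addEventListener("click", function (e) {
            // ask for confirmation, then open the target in a new tab
            if (confirm("Follow this link?\n[" + _href + "]"))
                gBrowser.selectedTab = gBrowser.addTab(_href);
            e.preventDefault();
        }, false);
        // remove the URL so the link cannot be followed or dragged
        item.removeAttribute("href");
        item.setAttribute("rel", "nohref");
        // "forbidden" cursor
        item.style.cursor = "not-allowed";
        // strike the link text through
        item.style.textDecoration = "line-through";
    },
    _parseUrl: function (data) {
        // match against the regexp: return the URL split into parts, otherwise false
        var m = data.match(/(ftp|http|https):\/\/(\w+:{0,1}\w*@)?([\w.-]+)(:[0-9]+)?(\/([\w#!:.?+=&%@!\-\/])*)?/);
        // host names are case-insensitive, so compare them in lower case
        return m ?
            { url: m[0], schema: m[1], auth: m[2], host: m[3].toLowerCase(), port: m[4], path: m[5] } : false;
    }
};

// start on window load
window.addEventListener("load", function () { fishurl.onLoad(); }, false);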



Picture


Here is how (disgustingly) this looks in practice so far:

[Image: Fishurl]

It is not visible in the image, but when you hover the cursor over a "bad" link, the cursor turns into a crossed-out circle, hinting that you should not click here.

Also, "#" is placed in the href (and starting with the svn11 version, the href is removed altogether), so that the user cannot follow the link by dragging it (using an extension like QuickDrag).

Alternatively, a warning icon could also be displayed on the link.

What's next?


If anyone is interested, I will keep working on it. Write what you want and what you don't like, and ask if something in the code or logic is unclear.

Naturally, there is the problem of false positives, for example, when downloading from Narod.Disk.

[Image: fishurl false positive when downloading from Narod.Disk]

Therefore, it will probably be necessary to maintain blacklists or whitelists.
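The four steps from "Idea" combined with the whitelist mentioned above, as an added sketch that is not part of the fishurl extension. It goes beyond the prototype by taking hosts from the standard URL parser instead of a regexp; checkLink, ALLOWED_PAIRS, the pair-based whitelist format and all *.example hosts are assumptions made for illustration.

```javascript
// Added example; checkLink, ALLOWED_PAIRS and all *.example hosts are hypothetical.
const URL_IN_TEXT = /\b(?:https?|ftp):\/\/[^\s<>"']+/i;

// Whitelist of "textHost|hrefHost" pairs that are known to differ legitimately,
// e.g. a file-sharing page whose download links point at a storage host.
const ALLOWED_PAIRS = new Set(["files.example|cdn.files.example"]);

// Return the normalized host of an absolute URL, or null if there is none.
function normHost(raw) {
  try {
    // The WHATWG parser lowercases the host, converts IDN labels to punycode
    // and separates userinfo, so "http://bank.example@evil.example/" -> evil.example
    const host = new URL(raw).hostname.replace(/\.$/, "");
    return host || null; // javascript:, mailto: etc. have an empty host
  } catch (e) {
    return null; // relative reference or bare "#anchor"
  }
}

// Verdict for one link: "skip" | "ok" | "allowed" | "mismatch"
function checkLink(text, href, allowed = ALLOWED_PAIRS) {
  const m = URL_IN_TEXT.exec(text);
  if (!m) return "skip"; // step 1: the link text is not a URL
  // Drop sentence punctuation that the regexp swallowed after the URL
  const textHost = normHost(m[0].replace(/[.,;:!?)]+$/, ""));
  const hrefHost = normHost(href);
  if (!textHost || !hrefHost) return "skip"; // step 2: href is not a URL
  if (textHost === hrefHost) return "ok"; // step 3: the hosts agree
  if (allowed.has(textHost + "|" + hrefHost)) return "allowed";
  return "mismatch"; // step 4: warn and block
}

// Constructed sample links: [text, href]
const samples = [
  ["http://Bank.Example/login", "http://bank.example/login"],
  ["http://bank.example/", "http://bank.example@evil.example/"],
  ["http://files.example/get/1", "http://cdn.files.example/d/1"],
  ["Click here", "http://evil.example/"],
];
for (const [text, href] of samples) {
  console.log(checkLink(text, href).padEnd(9), text, "->", href);
}
```

Keying the whitelist on the text host and href host together keeps an entry from excusing every link that merely points at a listed host.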

Where to get it?


You can download it here: fishurl-svn12.xpi

I distribute it under the BSD license, so if you are interested, open the xpi file (it is a ZIP archive) and do whatever you please with it.

If the author of the idea (hooey) doesn't like this in any way, I will of course stop this business ;)

And a big thank you to him for the idea, for waking up my desire to tinker, and even for the exciting hours of reading developer.mozilla.org!

Source: https://habr.com/ru/post/48494/

