Wednesday, July 23, 2014

Download files more safely with Firefox 31


Did you know that the estimated cost of malware is hundreds of billions of dollars per year? Even without data loss or identity theft, the time and annoyance spent dealing with infected machines is a significant cost.

Firefox 31 offers improved malware detection. Firefox has integrated Google’s Safe Browsing API for detecting phishing and malware sites since Firefox 2. In 2012 Google expanded their malware detection to include downloaded files and made it available to other browsers. I am happy to report that improved malware detection has landed in Firefox 31, and will have expanded coverage in Firefox 32.

In preliminary testing, this feature cuts the amount of undetected malware by half. That’s a significant user benefit.

What happens when you download malware? Firefox checks URLs associated with the download against a local Safe Browsing blocklist. If the binary is signed, Firefox checks the verified signature against a local allowlist of known good publishers. If no match is found, Firefox 32 and later queries the Safe Browsing service with download metadata (NB: this happens only on Windows, because the signature verification APIs used to suppress remote lookups are only available on Windows). If malware is detected, the Download Manager will block access to the downloaded file and remove it from disk, displaying an error in the Downloads Panel below.
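The order of checks described above determines when download metadata leaves the machine. The following sketch is an added example, not Firefox's code: the class and function names, the list contents and the `fake_remote` stand-in for the Safe Browsing service are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class Download:
    urls: List[str]            # URLs associated with the download
    signer: Optional[str]      # publisher from the signature, None if unsigned
    signature_verified: bool   # True only if the platform verified the signature
    platform: str              # "windows", "mac", "linux"
    firefox_major: int


@dataclass
class Verdict:
    blocked: bool
    decided_by: str
    remote_queried: bool       # did download metadata leave the machine?


def check_download(dl: Download, blocklist: Set[str], allowlist: Set[str],
                   remote_lookup: Callable[[Download], bool]) -> Verdict:
    # Step 1: any associated URL on the local blocklist blocks the file.
    if any(url in blocklist for url in dl.urls):
        return Verdict(True, "local blocklist", False)
    # Step 2: a *verified* signature from a known good publisher is trusted;
    # an unverified signer string must never match the allowlist.
    if dl.signature_verified and dl.signer in allowlist:
        return Verdict(False, "local allowlist", False)
    # Step 3: remote lookup only on Windows and only from Firefox 32 on.
    if dl.platform == "windows" and dl.firefox_major >= 32:
        return Verdict(remote_lookup(dl), "remote lookup", True)
    return Verdict(False, "no local match, no remote lookup", False)


# Constructed sample data (not real list entries).
BLOCKLIST = {"http://malware.example/setup.exe"}
ALLOWLIST = {"Example Trusted Publisher"}
remote_calls: List[Download] = []


def fake_remote(dl: Download) -> bool:
    """Stand-in for the Safe Browsing service: records the call, flags one host."""
    remote_calls.append(dl)
    return any("unknown-bad.example" in url for url in dl.urls)
```

Only downloads that miss both local lists, on Windows with Firefox 32 or later, reach `fake_remote`; every other path is decided locally.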


How can I turn this feature off? This feature respects the existing Safe Browsing preference for malware detection, so if you’ve already turned that off, there’s nothing further to do. Below is a screenshot of the new, beautiful in-content preferences (Preferences > Security) with all Safe Browsing integration turned off. I strongly recommend against turning off malware detection, but if you decide to do so, keep in mind that phishing detection also relies on Safe Browsing.

Many thanks to Gian-Carlo Pascutto and Paolo Amadini for reviews, and the Google Safe Browsing team for helping keep Firefox users safe and secure!

10 comments:

Jesper Kristensen said...

It sounds great. I cannot find the information on what data is sent to Google, as well as how often you expect to query Google's servers. Could you share the link?

Monica Chew said...

Hi Jesper, the "download metadata" description above points to https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc.

We expect the blocklist and allowlist to suppress remote lookups for the majority of downloaded binaries.

Anonymous said...

Where to report false positives?

Anonymous said...

Should Firefox’s queries to google’s servers be made via some of Mozilla’s anonymizing proxies, I would use this feature. But one of the reasons why we use Firefox and not Chrome, is that we praise our privacy and don’t want another source of disclosure towards Google. I trust Mozilla, I don’t trust Google.

Monica Chew said...

Please see https://support.google.com/webmasters/answer/3258249

Monica Chew said...

Anonymous, given your position I hope you take advantage of the existing security preferences to disable Safe Browsing. Running proxies is an expensive proposition, requires ongoing maintenance and is not feasible for Mozilla.

Anonymous said...

Does SafeBrowsing override your virus detection/firewall software?

Monica Chew said...

No, Firefox Safe Browsing checks occur independently of existing virus detection. Files downloaded by Firefox successfully may still be scanned by your existing software. If your firewall is configured to prevent certain types of downloads, those checks typically happen before Firefox ever sees the file.

Anonymous said...

thanks, very helpful explanation

Jim Smith said...

Monica - thanks for a useful description of the sb protection extended by google to ff users.

Here's one more voice in favor of anonymous' posted suggestion (July 25 7:00 am) to redirect ff browsers' queries to google's sb servers via a Mozilla anonymizing proxy. Like anonymous (I think like most or all who select Mozilla and ff over ie and Chrome) I choose ff because I don't trust google's intentions with the metadata they collect. But I cannot endorse or apply your response's suggestion - disable safe browsing - that's just tossing out the baby with the bathwater. So I'll continue using it, but ......

My vote for stronger privacy protection in Mozilla's sb deployment and my endorsement of the anonymizing proxy solution is motivated by the same reason I still mourn the passing away of Daniel Brandt's Scroogle service. That effort may offer some insight as to the problems the proxy approach might face.

Is it conceivable to apply a peer-to-peer sharing concept to the results of ff community's recent SB queries - say within the last one minute or so? That would of course deprive Google's SB servers of some yet-to-be-determined percentage of query metadata, in return for a similar percentage reduction of the ff community's SB overhead, in effect crowd-powering the solution.
Jim Smith jamesptrk5@rcn.com