(Back to my page about Firefox.)
EN: Firefox 3 "Antiphishing/Antimalware" (so-called "safebrowsing") Server-side Project
Table of contents:
- EN: Firefox 3 "Antiphishing/Antimalware" (so-called "safebrowsing") Server-side Project
- Introduction
- How to enable and conduct this demonstration?
- Step by step instructions
- Format of logfiles
- How to restore your previous or default settings after conducting this demo?
- What are the related versions of Firefox?
- Technical details
- Specification
- Source code (client side)
Introduction
For a similar project regarding Firefox 2 see this page.
(More to be written.)
How to enable and conduct this demonstration?
In order to demonstrate (using this project) how Google's so-called "safebrowsing" works, it is necessary to change the configuration of Firefox, i.e. switch the "data provider" for the "safebrowsing" service from Google (the default) to this server. The most important prefs are:
- browser.safebrowsing.enabled -- boolean, corresponds to the GUI option "Tell me if the site I'm visiting is a suspected forgery" (Firefox 3.0.x) / "Block reported web forgeries" (Firefox 3.5.x) (see here for a screenshot of the options window)
- browser.safebrowsing.malware.enabled -- boolean, corresponds to the GUI option "Tell me if the site I'm visiting is a suspected attack site" (Firefox 3.0.x) / "Block reported attack sites" (Firefox 3.5.x) (see here for a screenshot of the options window)
- browser.safebrowsing.provider.0.updateURL -- string, URL from which updates of the "phishing/malware" database are requested
- browser.safebrowsing.provider.0.gethashURL -- string, URL to which requests for full hashes are sent
- browser.safebrowsing.provider.0.keyURL -- string, URL from which the browser gets the keys needed for cryptographic operations (e.g. signing updates).
There is also browser.safebrowsing.provider.0.name, which holds the name of the provider (it seems this value isn't used anywhere in Firefox 3), and browser.safebrowsing.dataProvider, which holds the index of the current provider (0). So, in theory (and it was possible in Firefox 2), it should be possible to add another provider instead of replacing Google (provider 0), by changing browser.safebrowsing.dataProvider to another number and creating prefs with that number; however, provider 0 is actually hardcoded, so this is not possible and we have to replace the prefs with 0.
Step by step instructions
- if you use Google's "safebrowsing" and want to restore its operation after conducting this demo, then back up 2 files from your profile directory:
  - urlclassifier3.sqlite -- this is the actual "safebrowsing" database
  - urlclassifierkey3.txt -- file with crypto keys (the content of this file is retrieved from the URL in the browser.safebrowsing.provider.0.keyURL pref)
- change the relevant settings; there are two possible ways to achieve this -- using the file user.js (recommended way) or changing prefs in about:config by hand:
  - using user.js: choose this link, save it in your profile directory as "user.js" and (re)start the browser, or
  - first, make sure that you have so-called "safebrowsing" enabled (see here for the relevant options), then go to about:config (type it in the address field and press Enter), then find and set the following preferences to the values given (in this order):
    - set the value of browser.safebrowsing.provider.0.gethashURL to: http://bb.homelinux.org/firefox/sb2/gethash.php?client={moz:client}&appver={moz:version}&pver=2.2
    - set the value of browser.safebrowsing.provider.0.updateURL to: http://bb.homelinux.org/firefox/sb2/downloads.php?client={moz:client}&appver={moz:version}&pver=2.2
    - set the value of browser.safebrowsing.provider.0.keyURL to: http://bb.homelinux.org/firefox/sb2/newkey.php?client={moz:client}&appver={moz:version}&pver=2.2
    - (re)start the browser
- after starting Firefox keep the browser running and wait 15-30 minutes; you may use the browser as usual; during this time the browser will perform the following operations (standard activity related with "safebrowsing"):
  - requests a new key, so that it will be possible to communicate with this server (logfile: keyreqs.log)
  - requests resetting of the database, so that it will be possible to fill it with new data (logfile: updates.log)
  - requests new data (logfile: updates.log)
After the last step is performed (watch the relevant logfile for "[[Sending data... ]]" at the end of the line with your identifier) it will finally be possible to conduct the demo: visit one or more of the following pages:
The browser will then silently send a "gethash request" during the visit, which will be logged in the file urls.log (this is how the server is able to gather information about the visited site).
Format of logfiles
When you enable this demo on the client side, the three public logfiles on this server mentioned above will log all activity related with so-called "safebrowsing" (for purely educational purposes). The files are:
- keyreqs.log -- logs requests related with getting a new key
- updates.log -- logs requests related with getting updates of the "safebrowsing" database
- urls.log -- logs "gethash" requests, which allow deducing the visited page.
All files use a common format and log information demonstrating that a "safebrowsing" server is able to reliably differentiate between clients (computers/users). Each line represents one request and consists of the following space-separated fields (some fields may be empty if there is no data):
- [<type of request>], e.g. [downloads] -- the first field is the type of request; it is always "[newkey]" in keyreqs.log and "[downloads]" or "[getchunks]" in updates.log; this field is empty in urls.log
- <part of IP>, e.g. x.y.0.1 -- the last two octets of the client's IP address; the first two octets are hidden to protect your privacy; your IP will be written as x.y.191.116
- [<date and time>], e.g. [26/Dec/2008:20:30:02] -- date/time when the given activity occurred; the time is local for this server; the current time/date on the server is: 07/Nov/2009 10:34 CET
- (only in urls.log) "<address of visited page>", e.g. "www.gnu.org/licenses/license-list.html"
- "<your cookie>", e.g. "ab483f2d968a5869dc8f905211600bcd" -- cookies can be used for tracking purposes and Google uses this mechanism extensively; your cookie (created by this server, not Google's, of course), as it will be logged in the logfiles (if not cleared or disabled), is: 03e694aba49ef39ec20cd8f3b825c5e9
- "<wrapped key>", e.g. "H5HJgV9o91WmSEY96FCw_pPcIezDpgYQTJrzUyTm6BCYvqis6WCnnrDFFXKpkH5GTbmDNsZmKE-8hUBrepprjupFMDjo_sJTQg==" -- a piece of data needed to conduct cryptographic operations; it may also be used as a unique identifier, like a cookie, however there is no way to disable it (apart from disabling so-called "safebrowsing", of course); this field is obviously empty for requests for a new key; it is also not sent with "getchunks" requests
- "<User-Agent>", e.g. "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5" -- the User-Agent field is one of the de-facto standard fields sent with all HTTP request headers; to some degree it can also be used to differentiate between clients
- "(<client ID>, <client version>, <protocol version>)", e.g. "(navclient-auto-ffox, 3.0.5, 2.2)"
- optionally there is additional info in double square brackets, e.g. [[Requesting resetting DB. ]] in updates.log.
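As an added example (not part of the original page or the project's own code), here is a Python parser for this logfile format that also groups the pages revealed by "gethash" requests per client identifier. It assumes that an absent quoted value is written as "" and that urls.log omits the leading request-type field; the sample lines are constructed (only the cookie value is taken from the page, the wrapped key is made up).

```python
# Added example (not the project's own code): parser for the logfile format above.
# Assumed: an absent quoted value is written as "" and urls.log omits the type field.
import re
from dataclasses import dataclass
# One token per field: [[note]], [bracketed], "quoted", (parenthesised) or bare.
TOKEN_RE = re.compile(r'\[\[.*?\]\]|\[[^\]]*\]|"[^"]*"|\([^)]*\)|\S+')

@dataclass
class LogEntry:
    req_type: str      # newkey / downloads / getchunks; "" in urls.log
    partial_ip: str    # last two octets only, e.g. x.y.0.1
    timestamp: str     # server-local time, e.g. 26/Dec/2008:20:30:02
    url: str           # visited page; "" except in urls.log
    cookie: str        # server-issued tracking cookie; "" if cleared/disabled
    wrapped_key: str   # "" for newkey and getchunks requests
    user_agent: str
    client: tuple      # (client ID, client version, protocol version)
    note: str          # text inside [[ ... ]], or ""

def parse_line(line: str) -> LogEntry:
    toks = TOKEN_RE.findall(line.strip())
    req_type = toks.pop(0)[1:-1] if toks[0].startswith("[") else ""
    partial_ip, timestamp = toks.pop(0), toks.pop(0)[1:-1]
    quoted = []
    while toks and toks[0].startswith('"'):
        quoted.append(toks.pop(0)[1:-1])
    url = quoted.pop(0) if len(quoted) == 4 else ""   # extra field in urls.log
    cookie, wrapped_key, user_agent = quoted
    client = tuple(p.strip() for p in toks.pop(0)[1:-1].split(","))
    note = toks[0][2:-2].strip() if toks and toks[0].startswith("[[") else ""
    return LogEntry(req_type, partial_ip, timestamp, url, cookie,
                    wrapped_key, user_agent, client, note)

def pages_per_client(lines) -> dict:
    """Map each client to the pages its gethash requests reveal, keyed by the
    strongest identifier present: cookie, else wrapped key, else IP + UA."""
    seen = {}
    for e in map(parse_line, lines):
        if e.url:
            key = e.cookie or e.wrapped_key or f"{e.partial_ip}|{e.user_agent}"
            seen.setdefault(key, []).append(e.url)
    return seen

# Constructed sample lines (cookie value taken from the page, key made up).
UA = '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5"'
SAMPLE = [
    f'[newkey] x.y.0.1 [26/Dec/2008:20:30:02] "ab483f2d968a5869dc8f905211600bcd" "" {UA} (navclient-auto-ffox, 3.0.5, 2.2)',
    f'[downloads] x.y.0.1 [26/Dec/2008:20:30:05] "ab483f2d968a5869dc8f905211600bcd" "MADEUPKEY==" {UA} (navclient-auto-ffox, 3.0.5, 2.2) [[Requesting resetting DB. ]]',
    f'x.y.0.1 [26/Dec/2008:20:51:10] "www.gnu.org/licenses/license-list.html" "ab483f2d968a5869dc8f905211600bcd" "MADEUPKEY==" {UA} (navclient-auto-ffox, 3.0.5, 2.2)',
]
```

Running pages_per_client(SAMPLE) ties the visited gnu.org page to the cookie, which is the linkage the logfiles are meant to demonstrate.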
How to restore your previous or default settings after conducting this demo?
(To be written. Steps will be similar to the ones on this page.)
What are the related versions of Firefox?
Firefox 3.0.x and later (including Firefox 3.5.x). It should also work with "clones" of Firefox such as Iceweasel.
It also works with "Private Browsing" (new feature in Firefox 3.5.x) enabled.
The same protocol is used in Google Chrome, so it may work with it, too. However, the update/gethash/newkey URLs in Google Chrome are hardcoded, so it is probably not easy to change the configuration on the client side in the case of this browser.
For a similar project regarding Firefox 2 see this page.
Technical details
(More to be written...)
Specification
Protocolv2Spec
(copy on Webcite)
(note that Google restricts usage of the protocol, so the legal status of this project is unclear...)
Source code (client side)
Bartłomiej B. (aka "BartZilla" @ Bugzilla@Mozilla)
Last modification of this page (yyyy-mm-dd): 2009-08-18