Firefox to warn users who visit p0wned sites
Do you really want to go there? And does Mozilla, which hasn't figured out how to do this and preserve security, privacy
Mozilla developer Nihanth Subramanya has revealed the organisation's Firefox browser will soon warn users if they visit sites that have experienced data breaches that led to user credential leaks.
A recently-released GitHub repo titled “Breach Alerts Prototype” revealed “a vehicle for prototyping basic UI and interaction flow for an upcoming feature in Firefox that notifies users when their credentials have possibly been leaked or stolen in a data breach.”
Subramanya explained that Mozilla has teamed with haveibeenpwned.com to source data that will warn users. He also outlined the following goals for the feature:
- Inform users about data breaches through the Firefox UI - for example, a notification when they visit a site (or maybe when they focus a form on a login page) known to have recently been breached.
- Expose documentation/educational information about data breaches in the Firefox UI - for example, a "Learn more" link in the notification mentioned above leading to a support page
- Offer a way for interested users to learn about and opt into a service that notifies them (e.g. via email) when they may be affected by breaches in the future.
The feature's not complete, in code or conceptually.
On the code front, Subramanya used the structure of a legacy add-on, which Firefox 57 recently trashed. He's therefore admitted that'll need to change.
The concept also needs work, as Subramanya explained:
The third goal brings up some privacy concerns, since users would need to supply an email address to receive notifications. Who is the custodian of this data? Can we avoid sending user data to haveibeenpwned.com? Can we still offer useful functionality to users who opt out of subscribing their email address? While the project is still in infancy, the idea is to offer as much utility as possible while respecting the user's privacy.
He also wrote that the tool will report on hacks like Adobe.com or LinkedIn.com that occurred several years ago and have been the subject of advisories from those vendors. Being notified of those incidents over and over may not meet the stated goal of educating users “on the repercussions, what they can do when such a breach occurs, and protect themselves in the future.” ?