Safe browsing

From MozillaZine Knowledge Base

Browsing the web can be dangerous, some websites have malicious content and may harm your computer or your privacy. The term "Safe Browsing" combines protection against

  • attack sites distributing malware (e.g., to plant a virus or distribute spam), and
  • web forgeries containing phishing attempts to steal personal information (e.g., passwords).

Mozilla applications offer some protection against such websites since Firefox 2.0 (malware protection since 3.0) and SeaMonkey 2.18. If the feature is enabled, a list of domains which have been reported as being malicious is downloaded in regular intervals. The address (URL) of each website the user is about to visit is compared against these lists and a warning issued before the content of that website is actually loaded. In this way, the user has the opportunity to cancel the loading process before any potential harm is done.


Scope of this article

The main topic discussed here is the Safe browsing feature in Mozilla browsers, not the discussion of good practices when browsing the web in general. As a rule of thumb though, it is always a good idea to be careful when browsing and to utilize available precautionary measures.

Safe browsing should be complemented by disabling plug-ins which are not needed on a regular basis (such as Java) and installing add-ons like NoScript or FlashBlock to avoid loading content that may exploit vulnerabilities. Warning signs like certificate problems with encrypted connections should be taken seriously and the trustworthiness of the web site connected to verified; it is fairly straight-forward to generate a self-signed certificate that a malicious site may use to present itself as a legitimate site.

General considerations

  • No system is entirely complete and free of errors. If you do see a warning, it means that the site in question has been reported to provide malicious content, and you should be careful loading that site. If you don't see a warning, it won't guarantee that browsing the site is safe; it only means that it hasn't been reported (yet).
  • Websites may be compromised by hackers and transformed to an attack or phishing site, frequently without the owner of that site or its provider knowing about it. Thus, even a site which was considered safe when visited just recently may have turned malicious and blocked until the issue is resolved by the provider.
  • Mozilla's Safe Browsing implementation downloads a list of reported websites, thus there should be no directly identifiable information sent to the provider of that service which websites were actually visited by you. If more information on a page is requested, the request and the provided results cover a larger set of websites which includes the one the information was requested for, using an incomplete hash of the website's address. (As discussed in this forum post, it is unclear at this time if newer approaches under consideration will send more specific requests to the provider.)
  • While small, there is a delay between a malicious website being reported, then listed, and eventually recognized by the browser after updating the list from the provider. After a credible report of a malicious site, it should be listed within an hour and synchronized soon after. Removing an entry takes longer as it has to be verified that the site indeed is safe to use again. See this post for more information.
  • Anti-virus software frequently offers its own scanning system for malicious websites. There is no general rule whether or not you should keep them both enabled or just one of them. In multiple redundant systems one may catch an instance which the other didn't, thus making the detection better overall, at the cost of performance.

Preference settings

Depending on the application you are using, the settings are in different preference panels:

There are two checkboxes associated with warnings for malware and phishing sites to enable the respective features:

  • Block reported attack sites
  • Block reported web forgeries

Both are checked by default, thus in general there is nothing you need to do to stay protected.

When a website is listed

If you enter the address of a website reported as malicious, or try to visit it from a link provided in another website or from an e-mail or news messages, one of the following warnings will be shown:

Reported Attack Page

→ The website has been reported as containing potentially harmful content to distribute malware (e.g., viruses or spam engines).

Reported Attack Page

→ The website has been reported as pretending to be another website (e.g., of a banking institution) in order to obtain personal information from the user (most frequently username and password to the site which is imitated).

No harm has been done up to this point.

Options to proceed

There are three ways to proceed when a warning has been triggered:

  • Get me out of here!
forget about loading the website, instead go straight to the browser's start page
  • Why was this page blocked?
if further information is available from the provider of the list why the page has been reported, it will show in open a respective web page of that provider; otherwise, a generic page is shown.
  • Ignore this warning
clicking this option will load the website, thus you should be very certain that indeed it is safe to open that page! (keep in mind that this website may have been compromised by hackers, and even if it was considered safe when visited just recently, it may have turned malicious since and is hence blocked now.)

Reporting errors in the list

After clicking "Ignore this warning" an information bar is shown on top of the web page:

Reported Attack Page

The infobar can be dismissed with the [x] in its corner. It also provides a "Get me out of here!" button to leave that web page after it has loaded (keep in mind that at this time, malicious content may already have been loaded).

If you are sure that this is a false warning, the provider can be informed using the "This isn't an attack site" or "This isn't a web forgery" button (depending on the type of the warning). This will open a tab at (for malware) or (for phishing attempts) where you can enter details to consider removing that site from the respective list.

Mail & news messages

Neither Thunderbird nor SeaMonkey have to date extended the Safe browsing feature to e-mail and newsgroup messages. The Scam alert is strictly rule based and not tied into the phishing list provided by Google (or any other provider). However, when following a link which turns out to be pointing to a malicious site, the browser should catch such a site at this time.

It is a different case with build-in or add-on provided browsing capabilities in Thunderbird. Using the Search the Web function or an add-on like Thunderbrowse will not provide the same safety as opening the link in the actual browser, given that Thunderbird will not verify the web page against either malware or phishing lists.

Related preferences

See also

External links