Antiphishing feature
Christopher Stuart
ukcrypto at chiark.greenend.org.uk
Wed, 2 Apr 2008 15:11:04 -0400
James Firth wrote...
>... I had been assuming all along that Phorm would also be somewhat
> unsophisticated in its detection (i.e. using a blacklist of IP and URLs)...
>
> So the next question is: how well will Phorm fare in this? In order to keep
> abreast of the latest phishing technologies, Phorm will likely have to
> release frequent software updates, not just for the watch-list definitions,
> but also of the detection algorithm itself.
Hopefully Mr. Clayton will address related subjects in his write-up, but to
share some thoughts in the meantime...
It has been communicated that the antiphishing feature is "basically just
another Channel". Channels can be configured to match a specific URL
or URLs, which in the case of an Antiphishing Channel could be URLs
acquired from any number of Anti-Phishing services. Assuming such
matching is performed prior to the browser's Request being allowed to
exit the Phorm system, then it would likely be a simple matter of delivering
a "proceed? yes no" interstitial to the browser or redirecting the browser
to such a prompting page. As the Channels and their matching rules would
be changing on a regular basis, Phorm would necessarily have the capability
of pushing Channel updates out to the various ISP collocated servers. I
believe Phorm has stated that they only inspect HTTP and ignore POSTs,
so their antiphishing feature would have related limitations.
Note that an ability to push out matching rules that trigger the delivery of
content to the browser, redirect the browser, and/or affect functionality
in other ways raises security concerns. Particularly in light of this being
a centrally controlled system spanning multiple ISPs, and if successful,
countries. Based on Phorm statements it appears that the software is
largely if not entirely Russian developed, and ISPs aren't given access
to the source code.
> This then leads back to the original question I put to my MP: who will have
> oversight of the software running on Phorm's servers, and any market rivals,
> to ensure it *continues* to be both secure and "lawful" in its data
> gathering?
Unless the software engineers were kept on an incredibly tight leash and
forced to perform very unnatural acts for software engineers, the system
and its components would be well abstracted with support for updating
and tuning certain things via updates pushed out from Phorm HQ. Plus
there are the Channel updates. So the problem would seem to be much
more difficult than validating infrequent builds (which in and of itself would
be quite a challenge, particularly for any third party).
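A toy model of the mechanism the post describes, added here as an illustration and not code from Phorm or from the post's author. A Channel is a set of URL and hostname matching rules plus an action (interstitial or redirect); an interceptor in the request path checks only plain-HTTP GETs and passes everything else through untouched, which makes the POST-blindness the post mentions visible as a gap in coverage (that HTTPS is likewise uninspected is my assumption, read from "only inspect HTTP"). Central "Channel updates" replace a rule set wholesale, which is why the update path, not just the occasional build, is what needs oversight. The class names, the `Request`/`Interceptor` API and the sample watch-list entries are all constructed for the example.

```python
"""Toy model of a URL-matching antiphishing "Channel" in an ISP-side interceptor.

Added example, not Phorm's code. Every name here (Channel, Interceptor, Request)
and every sample URL is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample watch-list entries; not a real blocklist.
PHISH_URLS = frozenset({"http://bank-login.example.test/secure/index.html"})
PHISH_HOSTS = frozenset({"paypa1-verify.example.test"})


@dataclass(frozen=True)
class Request:
    method: str
    url: str


@dataclass(frozen=True)
class Channel:
    """One matching rule set pushed from the centre.

    `urls` match a canonicalised URL exactly (host lower-cased, fragment dropped);
    `hosts` match any URL on that host. `action` is what the interceptor does
    on a hit: "interstitial" (a "proceed? yes/no" page) or "redirect".
    """
    name: str
    action: str
    urls: frozenset = frozenset()
    hosts: frozenset = frozenset()

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        canonical = parts._replace(netloc=host, fragment="").geturl()
        return canonical in self.urls or host in self.hosts


class Interceptor:
    """Sits in the request path before the request leaves the ISP's network.

    Only plain-HTTP GETs are inspected, following the post's statement that
    Phorm inspects HTTP and ignores POSTs (assumption: HTTPS is likewise
    passed through uninspected).
    """

    def __init__(self, channels: Iterable[Channel]) -> None:
        self._channels = {c.name: c for c in channels}

    def decide(self, req: Request) -> Tuple[str, Optional[str]]:
        """Return (action, channel_name); ("pass", None) means untouched."""
        if req.method.upper() != "GET" or urlsplit(req.url).scheme != "http":
            return ("pass", None)  # never inspected: the coverage gap
        for ch in self._channels.values():
            if ch.matches(req.url):
                return (ch.action, ch.name)
        return ("pass", None)

    def apply_update(self, channel: Channel) -> None:
        """Install a centrally pushed Channel, replacing any existing one by name.

        Nothing here checks who sent the update; that trust decision is exactly
        what the post says needs oversight.
        """
        self._channels[channel.name] = channel


def demo() -> list:
    """Run a constructed batch of requests through one antiphishing Channel."""
    ic = Interceptor([Channel("antiphish", "interstitial",
                              urls=PHISH_URLS, hosts=PHISH_HOSTS)])
    batch = [
        Request("GET", "http://bank-login.example.test/secure/index.html"),
        Request("POST", "http://bank-login.example.test/secure/index.html"),
        Request("GET", "https://bank-login.example.test/secure/index.html"),
        Request("GET", "http://paypa1-verify.example.test/any/path"),
        Request("GET", "http://example.test/"),
    ]
    return [(r.method, r.url, ic.decide(r)) for r in batch]


if __name__ == "__main__":
    for method, url, verdict in demo():
        print(f"{method:4} {url:55} -> {verdict}")
```

Running the block prints one verdict per constructed request: the GET to the listed URL and the GET to the listed host both get the interstitial, while the POST to the very same URL, the HTTPS variant and the unlisted site all pass through.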