mozdev.org

petname

What's New
  • Jul 13 - v0.10 at Mozilla Update
  • Mar 27 - Now hosting on mozdev.org

Need help avoiding phishing and spoofing attacks? The petname anti-phishing tool can help you avoid online fraud by clearly distinguishing your online relationships.

Using the petname tool, you can save a reminder note about a relationship you have with a site. The petname tool will then automatically display this reminder note every time you visit the site. After following a hyperlink, you need only check that the expected reminder note is being displayed. If so, you can be sure you are using the same site you have used in the past.


Overview

The petname tool will be enabled anytime you visit a site using SSL strong encryption. Initially, the petname tool will display the text "untrusted". If you decide to form a relationship with the site, overwrite this text with a reminder note describing the new relationship. The petname tool will remember this reminder note and display it every time you visit the site. Be sure to always check that the petname tool is displaying the expected reminder note before sending personal information to a site. If you have the misfortune to land on a spoof site, you'll know it because the petname tool will be displaying the text "untrusted", instead of your expected reminder note.

Doing business on the web is much like doing business in the physical world: you need some street smarts to avoid fraudsters. Careful use of the petname tool can help you apply your street smarts to the web. Below, you'll find detailed information to help you become a proficient user of the petname tool.

States

The petname tool has three states.

Disabled and specifying "untrusted"

The current page did not come from an SSL site. Anyone could have produced the page's content. Anyone could receive any information you enter into the page. You should treat the current page as you would a stranger.

Enabled with yellow background and specifying "untrusted"

The current page came from an SSL site that you do not have a relationship with. Anyone could have produced the page's content. You should treat the current page as you would a stranger.

If you decide to form a new relationship with the site, overwrite the contents of the petname tool with a reminder note describing the new relationship. This reminder note will be displayed in the petname tool every time you return to the site.

Enabled with green background and specifying a petname

The current page came from an SSL site that you have a relationship with. Use the displayed petname to remember the nature of your relationship and proceed accordingly. As you gain experience with the site, update your petname to reflect the evolving relationship.
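The three states above, written as a lookup in an added JavaScript sketch that is not the petname tool's own code. It assumes each reminder note is keyed on a stable identity taken from the SSL connection; `PetnameStore`, its methods and the `identity` strings are hypothetical names, and the sample visits are constructed.

```javascript
// Added sketch, not the petname tool's source. `identity` stands for whatever
// stable value the tool derives from the SSL connection (an assumption: the
// page does not say how a site is identified).
const UNTRUSTED = "untrusted";

class PetnameStore {
  constructor() {
    this.notes = new Map(); // identity -> reminder note, kept locally only
  }

  // Overwriting the field with a note forms or updates the relationship.
  assign(identity, note) {
    const text = note.trim();
    if (text === "" || text === UNTRUSTED) {
      // Assumed behaviour: a blank or "untrusted" note drops the relationship,
      // so a green field can never read "untrusted".
      this.notes.delete(identity);
    } else {
      this.notes.set(identity, text);
    }
  }

  // Map a page visit to one of the three states.
  resolve(page) {
    if (!page.ssl) {
      return { enabled: false, background: null, text: UNTRUSTED };
    }
    const note = this.notes.get(page.identity);
    if (note === undefined) {
      return { enabled: true, background: "yellow", text: UNTRUSTED };
    }
    return { enabled: true, background: "green", text: note };
  }
}

// Constructed sample visits.
const store = new PetnameStore();
const bank = { ssl: true, identity: "cert:constructed-bank-identity" };
const lookalike = { ssl: true, identity: "cert:constructed-other-identity" };
const plainHttp = { ssl: false, identity: null };

store.assign(bank.identity, "My bank");
console.log(store.resolve(bank));      // green, "My bank"
console.log(store.resolve(lookalike)); // yellow, "untrusted"
console.log(store.resolve(plainHttp)); // disabled, "untrusted"
```

The lookalike page has SSL of its own, yet it resolves to yellow "untrusted" because the note is looked up by identity, not by how the page looks.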

Choosing a petname

The petname for a relationship should remind you of the important characteristics of the relationship, such as:

For example, "Alan's auctions" could be a good petname for a relationship with an auction site recommended to you by a friend named "Alan". If you decide to give the site your credit card number, you might rename the relationship to "Alan's ecommerce auctions".

A petname exists only to help you recognize and remember a relationship. A petname is never transmitted to others, so be candid in describing the relationship and use naming conventions that are meaningful to you.

Scenarios

Receiving an email that purports to be from your bank

You receive an email that purports to be from your bank. The email alerts you to a pending task that you must attend to. A hyperlink to the relevant page at the bank's web site is provided. You follow the hyperlink and arrive at a web page that looks like a page from your bank's web site. Should you proceed with the request or not?

If the petname tool is not displaying the reminder note you've associated with your bank, the email is likely a fraud. When you assigned a petname to your bank, the petname tool created a bookmark for your bank. Open your "Bookmarks" menu and use this bookmark to access your bank's web site and report the attack.

If the petname tool is displaying the expected reminder note, the current web page is from your bank's web site. You may proceed with the request, but rely only on the information presented by the web page. You should discount any information contained in the email, since you still don't know for certain that the email came from your bank. Essentially, you should treat the email as an anonymous tap on the shoulder from someone saying: "Hey, go take a look at this."

Following a hyperlink to a purchase page at a familiar store

While reading news, you find a review of a product you like. The page provides a hyperlink to a purchase page at a familiar ecommerce store. You follow the hyperlink and arrive at a page that looks like a page from the store. You set up the purchase and follow a 'checkout' link to complete the purchase. The checkout page asks for your address and payment information. Should you proceed with the purchase or not?

This scenario is similar to the previous email scenario.

If the petname tool is not displaying the reminder note you've associated with the store, the current site may be a fraud. Use your petname bookmark to access the store's web site and report the attack.

If the petname tool is displaying the expected reminder note, the current page is from the store's web site. Before providing your payment information, check that the listed goods are the expected ones. It is still possible that all of the prior pages were spoofed, so you should double check that the information on the checkout page is consistent with your expectations for the purchase.

The petname project can be contacted through the mailing list or the member list.