PhishTank, a new service from the OpenDNS folks, is an open and public phishing database. It finds itself up against several large and wealthy commercial products and services. PhishTank may prove to be a quixotic endeavor, but someones got to dream the impossible dream.
There have been phishing databases for years. For years my favorite, one of the oldest, was the Netcraft Toolbar which, like all of the other client agents for the databases, is free.
For now there is no client agent for PhishTank—you have to go to the Web site and enter information in a form. But before too long there will be agents in the form of plug-ins for Outlook, Firefox, Internet Explorer and other important browsers and e-mail clients.
This is because of whats really cool and important about PhishTank: It has an open Web services API for accessing the database. The API is young and, according to the PhishTank blog, not quite perfect yet, but it has some intriguing calls, such as a single call to test the contents of an e-mail for whether its a phish (at least in part by scanning URLs in it to see if they are in the database).
Of course the fact that a site is submitted as a phish doesnt make it a phish, so it isnt listed as a phish until enough users vote for it. The voting is Cloudmark-style, where users themselves develop a reputation and a better reputation gives greater weight to their votes. How do you get good reputation? To the extent that your votes coincide with the judgment of the community, your reputation grows, and vice versa.
The voting system is good because its fair and effective, but it also makes it imperative that a large community be constantly examining the submissions and voting. The longer it takes for phishing samples to be judged by the community, the longer they are not useful to potential phishing victims. So if PhishTank remains a nonmainstream community, it will remain a nonmainstream community.
That would be a shame. It doesnt help users for the big players in this area to keep their systems closed. Symantec may have a business reason to treat their database as proprietary, but Microsoft doesnt. Microsoft simply has an interest in the best possible protection. They dont need to make money off of security products, they need for computing to be more carefree and secure.
So why shouldnt IE7s Phishing Filter submit phishing candidates into PhishTank and read from it as well? The only real problem with this scenario is that Microsoft has performance requirements that PhishTank is unlikely to meet, but thats the kind of problem you can basically throw money at.
And since IE7 uses heuristics for many judgments, the database would have to take some account of this. It should get some number of points in the evaluation process based on the specific characteristics that got it flagged.
If only big companies would be so civil and logical. But its probably just a dream.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer