By Manil in ☕️ general

Spot unexpected URLs: Firefox Containers for visual signals

I found a phishing attempt, using search engine results, for Bitwarden credentials.

Interesting that when I reported to Bitwarden, the resolution was assigned to Marketing. I suppose that's an SEO function.
Update, 2023.02.22: seems a recurring, if not regular, occurrence for Bitwarden users 🧐

Now, avoid using search engines for regular logins-save your regular URLs. But I visit lots of URLs, and it's tough to be vigilant all the time (sorry, Mad-Eye). So I made being careful easier for myself, by using Firefox Containers to help me spot unexpected URLs.

Firefox Multi-Account Containers (install or source code) is not only useful as a tool for privacy, the browser extension can do double-duty defending against phishing. The method outlined here can work against typosquatting (typing googel.com instead of google.com, woops). And theoretically against homoglyph attacks (where a URL looks visually similar to one that you recognize, but is actually different)-though this has not been rigorously tested.

The defence is simple to set up. Here's how.

How it works

Three features, combined, allow Firefox Multi-Account Containers to signal you if you might be on the wrong URL:

A. Containers can be assigned colours of your choice. When a tab is opened in a Container, the top edge of the tab is coloured using what you assigned.

Screenshot of colour options for a Container.

B. Specific URLs can be made to always automatically open in a Container of your choice.

Screenshot of option to auto open in a Container.

C. A Container can be limited to only allowing those whitelisted URLs to be opened within it.

Screenshot of toggle to limit Containers to designated URLs.

Setup

  1. Open the known legitimate URL in Firefox. For example, https://vault.bitwarden.com
  2. Whitelist that URL, by making it always open in a Container of your choice (How it works, B),
  3. Limit the chosen Container to only contain whitelisted URLs (How it works, C),
  4. Choose an expected colour for the tabs when that specific Container is opened (How it works, A). Green is common language for okay :)

Usage

The system you've just set up will signal you if you land somewhere unexpected, instead of a page you've whitelisted. This behavioural defense method is best used for high-value URLs worth taking the time to whitelist, where you make repeat visits.

Screenshot of Bitwarden Web Vault opening in a preset, green coloured tab.
In the example, the known Bitwarden URL should always open in the green Container.

When a tab's colour matches the colour assigned to the Container for safe, whitelisted URLs, you can be confident the URL opened matches the known good URL.

Also, thanks to feature C described earlier, if you visit a good URL that is initially recognized by Firefox Containers as whitelisted, but which then redirects to a different domain, Containers will "kick out" the tab, removing the colour and signaling to you that something has changed.

Limitations

  • Containers need separate whitelisting for sub-domains. For example, you'll need to whitelist mail.google.com (Gmail) and meet.google.com individually. Whitelisting the root domain google.com won't catch them all ;-)
  • Because whitelisting needs you to specifically choose URLs, this method won't help with general browsing. For that, your browser relies on the Safe Browsing project and other safety features. To get the latest safety features, quit your browser often. Nonetheless, Safe Browsing doesn't always know of the newest dodgy URLs, so the method outlined here could help you spot unexpected URLs before they get flagged by Safe Browsing.
🐭