
Favicons Can Aid Phishing Expeditions

The favicon began in 1999 with Microsoft’s Internet Explorer 5 and was standardised by the World Wide Web Consortium in the HTML 4.01 recommendation later in the year. In 2000 it was restandardised in the XHTML 1.0 recommendation. Since then, favicons have become commonplace in .ico, .png, .gif and .jpg formats.

The point is they have been around for a long time, in internet terms. In fact, Firefox engineer Jared Wein called it ‘since the dawn of time’.

Users expect to see the site logo in the address bar and next to a page’s name in the toolbar. Such logos give a site its identity and are prized by site owners for branding and recognition.

However, now they may be on the way out.

Firefox is set to remove them from the address bar in its next version. The main reason is that some sites have started using a padlock as their favicon. This gives some browsing systems and most users the impression that a site is using a secure connection when it is not.

According to Mark Brown on Wired UK, the new plans will set the icon automatically depending on a site’s level of security. A grey globe will indicate an unsecured connection, and a green padlock will indicate a site holding an SSL certificate with Extended Validation (EV-SSL).

The security icons are close to those already in use by Google Chrome, which also shows warnings such as ‘this is probably not the site you are looking for!’, ‘the site’s security certificate is not trusted!’, ‘the site’s security certificate has expired!’, ‘the server’s security certificate is not yet valid!’ or even ‘the server’s security certificate is revoked!’

Jared Wein, software engineer on the Firefox team at Mozilla Corporation, wrote on his personal blog: ‘there are no plans to remove favicons from tabs, bookmarks or Awesomebar suggestions. These changes are intended to increase the security of our users as well as reduce some visual weight’.

The change is aimed at reducing successful phishing by hackers and other con artists populating cyberspace these days. Not everybody is over the moon at the prospect of the end of favicons (although Firefox confirms they will not be removed from tabs) and of the replacements all being boringly, uniformly grey or green.

Harrison Weber wrote on the Insider blog: ‘what authority does Firefox have to completely eradicate the favicon without consulting the public? Technically, they have the right to do what the heck they want, but is this move the only way to go about hiding fraudulent SSL-esque favicons? What does this say about the future of the favicon and all other icons that sites use to identify themselves, like Apple’s touch icons?’

There is obviously a debate to be had here, and it reflects much of the security versus privacy argument that rages across the internet and throughout government departments at this time. Why not join in with your views too?


Wired UK, Mark Brown, April 2012.

Jared Wein, blog, April 2012.

Insider, April 2012.

Image: Stomchak