What are the required permissions, and why do you need them?
- “Access your data for all websites”: to check the content of
webpages for phish
- “Access browser tabs”: to check if a page is phish while you browse
- “Store unlimited amount of client-side data”: to store the
snapshots and lists of known-good pages.
Does AuntieTuna track or send my browsing history somewhere?
AuntieTuna does not track your browsing history or send
any data anywhere.
Any data sharing is optional and at your request: for example, if
you send us a bug report or
share your known-good lists with us.
If this changes in the future, data sharing will be opt-in only,
with explicit permission from the user.
Is phish detection done online or locally?
AuntieTuna runs locally in your browser in its entirety.
The known-good lists are stored in the browser (and are deleted if you
remove the extension).
When AuntieTuna runs its detection on a visited webpage,
it locally computes the visited webpage’s “fingerprint” and
cross-references with the known-good lists stored in your browser.
What is the “known-good” (or “fingerprint” or “snapshot”) of a webpage?
The “known-good” of a webpage consists of
the webpage’s domain and hashes of the webpage’s content.
Given a webpage, AuntieTuna reads the webpage’s underlying HTML code,
and splits it into “chunks”, delimited by
AuntieTuna then computes the SHA256 hash of each chunk.
The corresponding hashes, combined with the webpage’s domain,
make up the “known-good”.
You can see a known-good example for
For more information about the underlying algorithm, see our
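The fingerprinting and local cross-referencing described above, as an added sketch that is not AuntieTuna's own code. The chunk delimiter (`</p>`), the 0.5 match threshold, the rule "matching content on a domain that is not known-good is suspect", all function names and the sample pages are assumptions made for this example.

```javascript
// Added example, not AuntieTuna's code. DELIMITER, THRESHOLD and the
// decision rule in checkPage are assumptions made for this sketch.
const { createHash } = require('crypto');

const DELIMITER = '</p>'; // assumed chunk boundary; the page does not name one
const THRESHOLD = 0.5;    // assumed share of matching chunks that counts as a copy

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Split HTML into chunks, collapse whitespace, hash each non-empty chunk.
function chunkHashes(html, delimiter = DELIMITER) {
  return html.split(delimiter)
    .map((c) => c.replace(/\s+/g, ' ').trim())
    .filter((c) => c.length > 0)
    .map(sha256);
}

// A known-good entry: the page's domain plus the set of its chunk hashes.
function makeKnownGood(url, html) {
  return { domain: new URL(url).hostname, hashes: new Set(chunkHashes(html)) };
}

// Cross-reference a visited page against the locally stored list.
function checkPage(url, html, knownGoodList) {
  const domain = new URL(url).hostname;
  if (knownGoodList.some((kg) => kg.domain === domain)) {
    return { verdict: 'known-good', matched: domain, score: null };
  }
  const hashes = chunkHashes(html);
  let best = { verdict: 'no-match', matched: null, score: 0 };
  for (const kg of knownGoodList) {
    const hits = hashes.filter((h) => kg.hashes.has(h)).length;
    const score = hashes.length ? hits / hashes.length : 0;
    if (score >= THRESHOLD && score > best.score) {
      best = { verdict: 'suspected-phish', matched: kg.domain, score };
    }
  }
  return best;
}

// Constructed sample pages: a login page and a copy with one paragraph changed.
const loginHtml = '<p>Welcome to Example Bank</p><p>Enter your user name</p>' +
  '<p>Enter your password</p><p>Forgot your password?</p>';
const cloneHtml = loginHtml.replace('Forgot your password?', 'Verify your account now');
const list = [makeKnownGood('https://bank.example/login', loginHtml)];
```

Because each chunk is hashed separately, a copy that alters one paragraph still shares the remaining hashes with the original, which is what lets the comparison survive small edits.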
When are the known-good (or hashes) of each webpage refreshed?
At the moment, the known-good of each webpage needs to be refreshed
manually (when you click on the “Add to Known Good” button).
In the future, the known-good will be opportunistically refreshed
once every two weeks.
Why doesn’t AuntieTuna deny me access to a suspected or real
AuntieTuna is currently in Alpha stage, and we expect there
might be bugs or false positives. We display a prominent pop-up
on suspected phishing sites but otherwise leave the content
untouched in case it’s a false positive.
Why are the starting lists so minimal? It requires a lot
of manual work to add sites.
We anticipate including as default a starting known-good list
containing popular sites (e.g., Alexa Top 100).
We also anticipate building “bundles” for target audience groups
(e.g., students at a University XYZ, staff at Widgets Inc.).
How can I help improve AuntieTuna?
Please test and give feedback or thoughts about your use!
Send us email or fill in the
If you want to help with some coding, check out
the Developers page.
Don’t see your question here?
Submit to us via email or Google