Report: Firefox 2.0 Trumps IE7 In Phish-Fighting
Update, 3:24 PM ET: The text below was changed to clarify Mozilla's role as author of the report and the role of third-party testing and verification companies. Also, the data about this report that I promised earlier can be found at this link.
Original Post from Earlier Today:
The newly released Mozilla Firefox 2.0 and Microsoft Internet Explorer 7 Web browsers both include new technology to help flag and block phishing sites -- those authentic-looking Web sites set up by scammers to trick users into entering personal financial information.
So how do the browsers stack up against one another in a no-holds-barred, anti-phishing slugfest? One third-party test that pitted the browsers against two weeks' worth of phishing sites concluded that Firefox's phish net may have fewer holes than IE's.
The evidence comes in a report released today by Mozilla, which shows the results of testing each browser against the same phishing sites flagged by contributors to Phishtank, an anti-phishing network run by OpenDNS. Mozilla is the author of the report, but it hired software testing firm SmartWare to conduct the testing and commissioned iSEC Partners to validate the test methodology and findings.
Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.
Before I go any further with the numbers, I think it's important to offer a little background on how the phish-filtering technology is set up within both browsers. With IE7, the user is asked upon installation whether he wants to allow the browser to auto-check all Web sites against a Microsoft database. (More about how this technology works in IE7 is online here, and the obvious privacy issues are discussed here.)
Firefox's default setting, in contrast, uses a blacklist of known phishing sites that is stored on the user's computer and updated approximately every 30 minutes. Alternatively, Firefox users can opt to turn auto-detect on, in which case the browser will check Web sites the user visits by checking them against a database maintained by Google. (More about the service is online here.)
Back to the numbers: The testers found that with IE7's auto-check turned off, the browser blocked less than two percent of all phishing sites thrown at it. With the phone-home option turned on, IE blocked 66 percent of the scam sites.
In its default configuration, Firefox 2.0 blocked close to 79 percent of all phishing sites during the test period; with the "Ask Google" option enabled, Mozilla's browser blocked nearly 82 percent of all scam pages.
While I applaud Microsoft and Mozilla for their first efforts, the reality is that -- depending on which browser (and setting) you use -- anywhere from 20 to 40 percent of the phishing scams are going to sneak past undetected. I'm not saying this is an easy problem to solve: It certainly isn't. But I'm left wondering whether a stronger "whitelist" approach that involves identifying legitimate banking sites might prove to be a more effective strategy, or at least a highly complementary one.
As Security Fix noted last week, Mozilla, Microsoft and other browser makers are teaming up with Web site certificate authorities to try to make it more obvious when a user is truly at a verified banking site as opposed to a convincing fake. It may turn out that phishers will come up with a clever way to spoof these "supercerts" as well. But it seems to me that combined with an oft-updated blacklist, the whitelist approach has the greatest potential to bring the number of phishing scams that go undetected by either browser well down into the single digits.
Avivah Litan, an online fraud analyst with Gartner Inc., agreed. "With crooks moving these phishing sites from place to place within minutes, it's really hard to keep a blacklist up-to-date," Litan said. "The future of [browser-based anti-phishing technology] is whitelisting, backed up with heuristics" that allow the browser to detect unidentified phishing links as suspicious.
For its part, Microsoft pointed to a report the company commissioned earlier this year that gave Microsoft's anti-phishing measures top marks compared with other browsers and technologies. The report highlights the fact that IE7 didn't raise any alarm bells about legitimate sites, a problem known in the business as a "false positive." It's not hard to see why that factor alone would be a paramount concern for Microsoft: A legitimate company whose site was errantly blocked by IE7 most likely would file a lawsuit against Microsoft in a heartbeat.
The SmartWare study doesn't appear to have addressed the problem of false positives to any meaningful degree. Still, what I especially like about the Phishtank-based study is that it is premised on open-source information that everyone has the same access to. In contrast, the founders of 3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."
Incidentally, any serious Mozilla-using phish fighters out there who want an easier way to submit "phishy" sites to Phishtank should check out this Firefox add-on.