Report: Firefox 2.0 Trumps IE7 In Phish-Fighting

Update, 3:24 PM ET: The text below was changed to clarify Mozilla's role as author of the report and the role of third-party testing and verification companies. Also, the data about this report that I promised earlier can be found at this link.

Original Post from Earlier Today:

The newly released Mozilla Firefox 2.0 and Microsoft Internet Explorer 7 Web browsers both include new technology to help flag and block phishing sites -- those authentic-looking Web sites set up by scammers to trick users into entering personal financial information.

So how do the browsers stack up against one another in a no-holds-barred, anti-phishing slugfest? One third-party test that pitted the browsers against two weeks' worth of phishing sites concluded that Firefox's phish net may have fewer holes than IE's.

The evidence comes in a report released today by Mozilla which shows the results of testing each browser against the same phishing sites flagged by contributors to Phishtank, an anti-phishing network run by OpenDNS. Mozilla is the author of the report, but they hired software testing firm SmartWare to conduct the testing, and they commissioned iSEC Partners to validate the test methodology and findings.

Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.

Before I go any further with the numbers, I think it's important to offer a little background on how the phish-filtering technology is set up within both browsers. With IE7, the user is asked upon installation whether he wants to allow the browser to auto-check all Web sites against a Microsoft database. (More about how this technology works in IE7 is online here, and the obvious privacy issues are discussed here.)

Firefox's default setting, in contrast, uses a blacklist of known phishing sites that is stored on the user's computer and updated approximately every 30 minutes. Alternatively, Firefox users can opt to turn auto-detect on, in which case the browser checks each Web site the user visits against a database maintained by Google. (More about the service is online here.)
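To make the two modes concrete, here is an added toy model (my example, not code from Mozilla, Microsoft or the report) of a locally cached blacklist refreshed every 30 minutes beside a per-visit remote lookup; the feed entries, report times and visit log are constructed sample data, not the study's data. It also shows the third case neither mode covers: a site nobody has reported yet.

```python
from dataclasses import dataclass

REFRESH_MINUTES = 30  # Firefox's default local-list refresh interval, as described above


@dataclass(frozen=True)
class Report:
    """One Phishtank-style submission: the URL and the minute (into the test) it entered the feed."""
    url: str
    reported_at: int


class PhishFeed:
    """Stand-in for the server-side list (Phishtank / Google / Microsoft) the browsers consult."""

    def __init__(self, reports):
        self.reports = list(reports)

    def known_at(self, t):
        """URLs the feed had already flagged at minute t."""
        return {r.url for r in self.reports if r.reported_at <= t}


class LocalListFilter:
    """Firefox default mode: a copy of the list on the user's machine, refreshed every 30 minutes.
    Between refreshes the browser only knows what the feed held at the last refresh boundary."""

    def __init__(self, feed, refresh=REFRESH_MINUTES):
        self.feed = feed
        self.refresh = refresh

    def is_blocked(self, url, t):
        last_refresh = (t // self.refresh) * self.refresh
        return url in self.feed.known_at(last_refresh)


class RemoteLookupFilter:
    """'Ask Google' / IE7 auto-check mode: every visit is checked against the live service."""

    def __init__(self, feed):
        self.feed = feed

    def is_blocked(self, url, t):
        return url in self.feed.known_at(t)


def block_rate(filt, visits):
    """Fraction of (url, minute) visits the filter would have blocked."""
    blocked = sum(1 for url, t in visits if filt.is_blocked(url, t))
    return blocked / len(visits)


def missed_by_all(filters, visits):
    """Visits that slip past every filter: sites nobody had reported when the user arrived."""
    return [(url, t) for url, t in visits if not any(f.is_blocked(url, t) for f in filters)]


# Constructed sample feed and visit log (hypothetical; not data from the report).
FEED = PhishFeed([
    Report("http://phish-a.example/login", reported_at=5),
    Report("http://phish-b.example/verify", reported_at=40),
    Report("http://phish-c.example/update", reported_at=70),
    # phish-d is never reported, so no blacklist of either kind can catch it
])
VISITS = [
    ("http://phish-a.example/login", 35),   # reported at 5, local copy refreshed at 30: both block
    ("http://phish-b.example/verify", 50),  # reported at 40, local copy still from minute 30: only remote blocks
    ("http://phish-b.example/verify", 65),  # local copy refreshed at 60: both block
    ("http://phish-c.example/update", 75),  # reported at 70, local copy from 60: only remote blocks
    ("http://phish-d.example/secure", 80),  # unreported: neither blocks
]
LOCAL = LocalListFilter(FEED)
REMOTE = RemoteLookupFilter(FEED)

if __name__ == "__main__":
    print("local list, 30-min refresh:", block_rate(LOCAL, VISITS))   # 0.4
    print("remote lookup per visit:", block_rate(REMOTE, VISITS))     # 0.8
    print("missed by both:", missed_by_all([LOCAL, REMOTE], VISITS))  # the unreported phish-d visit
```

The gap between the two rates is the staleness window of the local copy; the visit missed by both is the share no blacklist closes, which is the case the whitelist argument below is about.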

Back to the numbers: The testers found that with IE7's auto-check turned off, the browser blocked less than two percent of all phishing sites thrown at it. With the phone-home option turned on, IE blocked 66 percent of the scam sites.

In its default configuration, Firefox 2.0 blocked close to 79 percent of all phishing sites during the test period; with the "Ask Google" option enabled, Mozilla's browser blocked nearly 82 percent of all scam pages.

While I applaud Microsoft and Mozilla for their first efforts, the reality is that -- depending on which browser (and setting) you use -- anywhere from 20 to 40 percent of the phishing scams are going to sneak past undetected. I'm not saying this is an easy problem to solve: It certainly isn't. But I'm left wondering whether a stronger "whitelist" approach that involves identifying legitimate banking sites might prove to be a more effective strategy, or at least a highly complementary one.

As Security Fix noted last week, Mozilla, Microsoft and other browser makers are teaming up with Web site certificate authorities to try to make it more obvious when a user is truly at a verified banking site as opposed to a convincing fake. It may turn out that phishers will come up with a clever way to spoof these "supercerts" as well. But it seems to me that combined with an oft-updated blacklist, the whitelist approach has the greatest potential to bring the number of phishing scams that go undetected by either browser well down into the single digits.

Avivah Litan, an online fraud analyst with Gartner Inc., agreed. "With crooks moving these phishing sites from place to place within minutes, it's really hard to keep a blacklist up-to-date," Litan said. "The future of [browser-based anti-phishing technology] is whitelisting, backed up with heuristics" that allow the browser to detect unidentified phishing links as suspicious.

For its part, Microsoft pointed to a report the company commissioned earlier this year that gave Microsoft's anti-phishing measures top marks compared with other browsers and technologies. The report highlights the fact that IE7 didn't raise any alarm bells about legitimate sites, a problem known in the business as a "false positive." It's not hard to see why that factor alone would be a paramount concern for Microsoft: A legitimate company whose site was errantly blocked by IE7 most likely would file a lawsuit against Microsoft in a heartbeat.

The SmartWare study doesn't appear to have addressed the problem of false positives to any meaningful degree. Still, what I especially like about the Phishtank-based study is that it is premised on open-source information that everyone has the same access to. In contrast, the founders of 3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."

Incidentally, any serious Mozilla-using phish fighters out there who want an easier way to submit "phishy" sites to Phishtank should check out this Firefox add-on.

By Brian Krebs  |  November 14, 2006; 6:00 AM ET
 

Comments

Thanks for the heads up Brian, it just further secures my decision to finally switch from IE to Firefox, which I recently did. While these numbers do seem rather close at very certain things, the fact that Firefox has consistently put up better numbers, time and again, really makes me believe that it is a better browser.

Every week I get my typical "Update your account" etc. emails which take me to a fraudulent site, and to know that Firefox will potentially block those sites from even letting me incidentally go there makes me feel much better.

My biggest concern has always been with people who are new to the internet because they aren't trained to check the URL before going to a potential phishing site. If Firefox continues this trend, hopefully even the most novice internet users can be secure with their browsing.

Posted by: NathanK | November 14, 2006 9:30 AM

These are some interesting results; I note that they are significantly different both from what 3Sharp found and from what a team at Carnegie Mellon found in their own research. More thoughts at http://www.robichaux.net/blog/2006/11/mozilla_releases_antiphishing_report.php. (BTW, I pointed out to Brian that it's not entirely fair to dis 3Sharp's report as less "open source" than Mozilla's, given that we published all our URLs as part of the study and have made results freely available to everyone who's asked.)

Posted by: Paul Robichaux | November 14, 2006 10:27 AM

Thanks Paul, and as I pointed out, Mozilla is going to make its raw data available in about an hour, so when they do I will update this post with a link to it.

Posted by: Bk | November 14, 2006 10:32 AM

It just proves what I've been saying all along: The use of IE, any version, marks the user as a technical neophyte.

The whole "...but my web site doesn't work with anything but IE..." is something straight out of 1999 and hasn't been true for about 2-3 years now.

Firefox is a great browser. Opera is a great browser. Konqueror is a great browser.

IE7? Not so good. I guess MS is too busy with the XBox and the Zune to worry about browsers these days.

Posted by: Bunkley | November 14, 2006 11:13 AM

>The use of IE, any version, marks the user as a technical neophyte.<

I have been using personal computers since the pre-Windows days of DOS, and recently dumped Firefox 2.0, because I prefer IE7.

I don't really care that much about anti-phishing filters, because I'm not stupid enough to fall for phishing scams.

Posted by: JohnJ | November 14, 2006 12:50 PM

I'm tired of Mozilla, Apple, and any other anti-Microsoft users that love to rag on anything Microsoft. All platforms [Windows vs. Linux vs. Apple, IE vs. Firefox] are pretty good and each has their advantages/disadvantages [like Apple is better for media but Windows is much better for utility, work, etc.]. I myself don't like the Firefox or Apple layouts and prefer to use Microsoft products [and no, I do not like how they've switched to a more Firefox layout in IE7] but it doesn't mean I won't use Firefox or Apple if it's handy.

Posted by: Bean | November 14, 2006 1:01 PM

Well, reading this very instructive article shows me some things not pointed out in the article:

Does it prove that Firefox 2 is better than IE7? Surely NOT!!! It only proves that the Mozilla database is far better than Microsoft's. Yes, I know that at the end of the day the result is the same, and Firefox is filtering better, but it is unfair to blame IE developers for something they are not responsible for.

Does it prove that the Mozilla database is the best? Surely NOT either!!! Google offers better results (yes, not by that much, but you know: the bigger, the better, that's all...)

Let's wait for Google and MS to mix their databases so every browser will benefit from it.

Posted by: Diagg | November 14, 2006 1:20 PM

>"But I'm left wondering whether a
>stronger "whitelist" approach that
>involves identifying legitimate banking
>sites might prove to be a more effective
>strategy"

I am the information security officer at a financial institution, and the problem that I see with a "whitelist" approach is that it assumes you know what site the users think they are going to. In other words, you would have to know that the user means to go to Bank of America when they click "http://blahblah.com/phishers/BofA/phishme.php" (and thereby know that is not Bank of America's URL). Without knowing the mindset of the user, you would then have to create a whitelist that includes ALL good sites on the Internet.

Brian

Posted by: Bachroxx | November 14, 2006 1:30 PM

Great to see all the shills, fanboys and astroturfers battling it out in their little blogosphere. It's been real fun the last couple of weeks. OSS, MS and Apple on the Web 2.0, but I think the people will just move along to Web 3.0. You stay put now, you hear!

Posted by: Retep. | November 14, 2006 1:41 PM

I'm an ASP.NET and .NET framework programmer, so for me it starts with IE6 & 7, then I get it to work in other browsers. Until Firefox 2.0 this was a pain in the rump. I could get everything I did to work perfectly in IE, Netscape, Opera and even some other "off brand" browsers, but had a terrible time getting work done with Firefox 2.0.

The oddest part of my experience is the difficulty I have getting simple client side Java to work in FireFox 2 that works perfectly in all the others! Odd, isn't it? Anyway, so is FireFox a better browser? Nope... is IE7 the best browser ever? Nope... it's all a matter of what you're doing with it that makes all the difference. (I'm responding to the Firefox is a better browser comments)

So what does that have to do with the article? The phishing filter is a nice addition by both of the companies, and it's pointless. Completely, utterly pointless.

The people who run phishing sites don't leave them up long enough for them to be identified, added and then distributed to the end user. They move... hourly. And when they move they often have created their site on top of a legitimate site which now will get flagged as a phishing site, creating those wonderful false positives and blocking access to someone's legitimate site that happened to share the same URL header as the phish site.

Whitelist? Best idea ever! Until someone pirates the URL from the DNS server and points it back to a phishing site...

You can't win; you come up with a solution, and someone will find an exploit. That's the nature of the game. So how do you make the best browser ever?

You make better internet users.

Posted by: Stephen | November 14, 2006 2:14 PM

Help! Can anyone provide comments and a recommendation for web-sites that bypass parental controls? I was shocked to find out that these sites exist and that my router could not block them; my browser could not block them and my internet security could not block them. HELP

Posted by: Tim | November 14, 2006 3:29 PM

The Netcraft anti-phishing toolbar is better than either browser's attempt. I highly recommend it.

Posted by: eeyore | November 14, 2006 4:00 PM

Hi Brian.
To cut a long story short, here is what FF 2.0 is doing:
- mouse scroller and touchpad up/down buttons are not working (see Mozilla forum)
- CallingID and CID Link Advisor, idem
- HP icon 'HP Director', idem (ask Rob re. 05/11/06 report)
- daily scanning with Ad-Aware and Spybot S&D finds data miners, tracking cookies and even 4 'Trojans', all related to FF. Just switch by default to IE 7, and everything is OK.

None of the above happened with FF 1.5, which has been my default for a long time.

Thanks for your work!
oldboy
Genoa, Italy

Posted by: Giorgio Montagna | November 14, 2006 4:07 PM

I find it amusing that the pro MS trolls are coming out claiming that Firefox is not standards compliant.

This is most assuredly not true. MS browsers have never been fully standards compliant. It's the MS browsers that are a pain to work with because they don't support CSS properly, as well as other stuff.

The .NET programmers are complaining because only IE supports proprietary ActiveX and other technology that is neither W3C nor OASIS compliant. Before any of you complain, I have just one word for you: VBScript.

Posted by: Thed | November 14, 2006 4:39 PM

Stephen's comment makes a lot of sense, good old common sense. Hundreds of thousands of us are not techies and don't know when we're dealing with techie-type imposters, hustling pretenders, who for a dirty buck, lead us into stupid errors and costly decisions with our new fangled machines. Reading this blog I note how often techie-types remark about the stupidity of those of us who get out-smarted by phishers and others. Instead of beating their chest over their preferences of Firefox as to IE-7 or Opera or Mac, why not use their talents, other blogs, etc. to develop and communicate an agreed upon educational program that all of us dummies can use to help beat the crooks and make it a better place for all.

Posted by: evanest | November 14, 2006 4:50 PM

I actually dumped Firefox for IE7 because I got sick and tired of the memory leaks. What good is a browser that you have to open and close all day so that it does not hog up memory? And I agree with a post above - if you don't know what a phishing email is, stay away from a computer! I don't need IE or FF to tell me that!

Posted by: Scotty | November 14, 2006 4:53 PM

Until Microsoft and IE7 are committed to supporting web standards (http://w3.org) to the admirable extent of every other modern browser (Firefox, Opera, Safari, Konqueror, etc.), Microsoft's browser will be second rate and anti-social. IE7 offers a marginal improvement in standards compliance over IE6, but that's not saying much.

It must be very embarrassing for Microsoft that these tiny open source developer teams (and a bunch of Opera guys in Norway) have well and truly whupped them in terms of complying with open, published standards.

Oh, wait a sec... could it be that Microsoft doesn't *want* to adhere to standards? I suspect so. Perhaps they're terrified of what would happen if they actually had to compete on a level playing field governed by open standards they don't dictate. (witness their silly thrashings regarding ODF support for MS Office) In which case they deserve all the scorn the savvy user and web developer communities rightfully heap upon them.

Posted by: Dave Lane | November 14, 2006 5:52 PM

A large percentage was not detected by both browsers. If you read it correctly, Firefox detected some which IE didn't, while IE detected some which Firefox didn't, so how can you come up with the solution of saying, I'd rather go with Firefox? If the article read that Firefox detected most of the scams which IE didn't, but not vice versa, then I would definitely switch to Firefox completely. Tooooo muuuch Firefox fans out there I guess.

Posted by: Dyzophoria | November 14, 2006 11:11 PM

Netcraft toolbar anyone?
http://toolbar.netcraft.com/
It defines every site as being risky, and only with time does it become acceptable and less risky to use the site.

Posted by: Pedro Rodrigues | November 15, 2006 3:30 AM

I didn't read everything, but I can tell you my own opinion on Mozilla's crap called Firefox...
I used Firefox for about half a year, from May 2006 to October 2006. I must say it is a good browser. We didn't have any problems accessing banking websites; everything looked perfect, at first look.
But in October, I decided to install Opera because I wanted to test something new. It's not yet widely spread in our country, so I wanted to test it. The first results showed that Firefox has a few unfixed problems with displaying websites, but let's not forget that Mozilla releases a new Firefox version about every 3 weeks. I detected a lot of problems with "align", and the Flash and Quicktime player plugins didn't work correctly. Flash player was installed ages ago, but Firefox claimed Flash player isn't installed and I have to download a new copy. Neither Internet Explorer 7 nor Opera had those problems. In fact, Opera is the best browser if we look at these 3....
Firefox is just a commercial piece of junk. I will never forget Mozilla's trick to get people's attention. They compared Firefox with an older Internet Explorer browser which was already known to be a very vulnerable browser. But what is interesting is that Firefox wasn't compared with the Opera browser. Why not? Because it can't be compared! Opera opens webpages faster than Firefox, has more advanced security settings, uses less resources, just like Internet Explorer 7. I tested those 3 browsers and the only positive thing about Firefox was that it is translated into the Slovenian language. Slovenia is at the top of the EU countries if we look at the percentage of Firefox users. But I think this will change with time. When people realize Firefox is nothing but a basic browser, they will come to Opera, just like I did. Something interesting...
Mozilla always claimed Firefox is an invulnerable browser. For sure??? January-June 2006: Firefox had the most vulnerabilities found (47), while the Opera browser had only 7 vulnerabilities discovered! I don't care any more about people saying install Firefox. Mozilla tricked you all. Too bad IE7 owned all Firefox 1.5 versions :-(. I feel sorry for IE7 because it will be attacked very soon by lame hackers trying to destroy it again. I don't care for IE either, because the best browser in the world is OPERA!!!
Laughs from cannibal

Posted by: cannibal | November 15, 2006 4:30 AM

@bean - you're living in the 80s. mac osx is not just for media anymore. it's actually running on unix. have you even tried using a mac?

Posted by: cryptonomikon | November 15, 2006 10:14 AM

I understand that browsers should have add-ons like this "anti-phishing"... but,

why do people keep trying to put some medicine on the problems and not cut the roots of the problems??? Do you want no phishing?? OK, enter the address yourself! Educate people to do this. OK, that's alright, but what do you do with bookmarks?? Diversity (I learned this from biology)! Diversity in the way the browsers store their bookmarks (favourites), or diversity in the manner you save your bookmarks (you can use any program to make this function and copy-paste). That ain't much user-friendly... and fishing, is it?
All these methods I just proposed aren't virus-proof, but again, please help educate people and viruses are less effective. Make people understand how it works (MS is doing a great effort on de-educating people in their user-friendly meaning: "Don't worry, you don't need to understand, we did it for you").
I know people who are using Google as an address bar (give me a break!) :S

Posted by: GGB | November 15, 2006 10:21 AM

Thanks, GGB. Your post above brings up many aspects, much information and knowledge that many of us don't have and will not have; until we better educate ourselves or obtain information from sources who aren't snake-oil salespersons or not nearly as smart or informed as they think. Just read this entire blog. One can come away finding justifications for whatever decisions one has made or is about to make in not-so-happy ComputerLand.
Fact: Every preacher, teacher or techie who waves a Bible, Torah, Koran or Browser in your face ain't necessarily got The Big Word.
GGB: Tell us more about proper use of Bookmarks (Favorites), "diversity", improper use of Google as an address bar, etc.

Posted by: evanest | November 15, 2006 12:40 PM

I still prefer Internet Explorer 7 because it is most up to date with ActiveX, a REQUIRED function with a lot of websites. You must either have one or the other browser installed for they conflict with one another. Microsoft works best with Microsoft and certified programs and that will always be the case, which is why I don't have Apple ANYTHING installed on my computer. Apple iPods and any other encoding besides .WMA really are not as good and aged and inferior. Sorry Charlie! By the way, phishing filters in browsers are not enough. Use Spwall from www.trlokom.com. It is the best in browser and total spyware protection I have ever used and their firewall is superior too. And the next version coming out soon will outdo an anti-virus program so you won't need those bloated internet security programs. By the way, stay away from ANY peer-to-peer programs because they can and do transmit viruses and trojans!

Posted by: Ernie Mink | November 16, 2006 1:18 PM

I'm a Java developer who works primarily with J2EE to create webapps with some AJAX components, DHTML, and the occasional WebStart component. For me, Firefox is always a dream to work with. It has excellent developer tools, and almost always implements the W3C standards either fully, or where it doesn't it at least fails in an intelligent fashion. IE on the other hand is always a nightmare to work with because it has horrible developer tools, implements (at least till IE7) some weird blend of CSS 1.0 and 2.0, and insists on using its own screwy version of DOM. ASP developers may love IE, but for those of us that actually code to the standards set by bodies such as the W3C anything is better than IE.
The anti-phishing filters are a good idea in that they leverage the more tech savvy members of the web to help protect those less informed through the use of a community DB that can be submitted to by everyone. That being said, I think it will really reach its full potential when, rather than having to install an extension to submit a site, that capability is instead built right into the browser itself (although maybe turning it off by default to prevent the neophytes from randomly submitting stuff by accident might be a good idea).

P.S. The new built-in spell checker is great, now if only they would stop breaking my favorite extensions.

Posted by: Kyle | November 16, 2006 4:35 PM

I can't comment on Firefox, but since 1995 IE has been a horrible browser; it was worse than Netscape explorer back then, worse than unreleased browsers that I beta tested.

What I do remember are the early releases of Opera, the small memory consumption and the tabbing functionality even in Windows 3.1.

I've been using later versions under Windows 98 and XP since 1999, and frankly there is absolutely no reason to change.

Posted by: alloy | November 17, 2006 2:28 AM

Opera is very nice, but it actually has a few minor glitches in how it handles some parts of CSS and DOM. Firefox is the most standards compliant (W3C standards that is, not Microsoft "standards") of all the browsers, and with a bit of work you can make it behave in almost any way you want, but Opera does offer a tiny memory footprint and a very polished out of box experience. If you don't like Firefox, by all means use Opera, or even Konqueror or Safari, but whatever you do, stay away from IE, it will only lead to spyware infections.

Posted by: Kyle | November 17, 2006 10:13 AM

The url to the phishtank addon is incorrect.

It should be: http://phishtanksitechecker.com/

http://gamespotting.net ran out of bandwidth due to heavy traffic

Posted by: MASA | November 18, 2006 4:56 PM

Masa -- Thanks for the heads up. Wow, didn't know we had that many readers ;). I will change the link.

Posted by: Bk | November 19, 2006 12:51 AM


© 2010 The Washington Post Company