Aug 16 2009
I finally had the time to sit down and read the NSS Labs Web Browser Security Phishing Protection paper this morning. This paper is a test of the more popular browsers in use today and how well the reputation based systems they’ve built work to protect users against phishing attempts by malicious sites. The big winners in the test were Firefox 3 (not 3.5) and IE8, which almost tied at 80% and 83% accuracy for blocking phishing sites. Given that the study quotes a margin of error of 3.6%, the two browsers are equal for most intents and purposes. The big loser of the test was Safari 4, which only had a 2% blocking rate for malicious sites. I hope Safari on my iPhone is better than it is on my Macbook, or at least that there are less phishing sites targeting the iPhone.
It’s very interesting that Firefox 3, Chrome 2 and Safari 4 all use Google’s Safebrowsing data feed but have very different results from the same data. Chrome 2 only had a 16% success rate in blocking, compared with Firefox 3 at 80% and Safari 4 at 2%. So why the big difference between the three browsers running off of the same information? NSS Labs doesn’t offer an explanation and apparently none of the developers did either, so either Firefox is pulling in a lot of additional information from somewhere or the Chrome and Safari developers have some learning to do.
What I personally found the most interesting about the paper though was that the Anti-Phishing Working Group is quoted as saying that the average phishing site only has a lifespan of approximately 52 hours. None of the browsers really reach full effectiveness for blocking a phishing site for about 48 hours after the site has become active, therefore you’re only getting 4 hours of maximum benefits. The long term trends look good, but it’s a little disturbing that many phishing sites are relatively undetected for at least the first 24 to 48 hours they’re live.
I’d be curious to see how Firefox 3.5 changes this mix. Apparently it wasn’t stable enough to be used in this test, but maybe we’ll see a new set of tests next quarter. I’m also wondering what affect the FF plugin NoScript would have on the results. Since NoScript isn’t strictly speaking an anti-phishing tool, I doubt NSS Labs will be testing it any time soon, but I’d like to know how much more secure it makes my web surfing experience.
Now to go back and read the Socially Engineered Malware report.