Spyware researcher Ben Edelman says the updated Netscape browser fails to notify Web surfers when they're visiting sites that download spyware onto their machines.
A new version of the Netscape Web browser is being criticized by spyware experts for failing to notify Web surfers when they're visiting Web sites that distribute the noxious monitoring programs.
Netscape 8's Trust Rating System, which warns users about insecure Web sites, gives a "green light" to Web sites that download spyware onto users' machines, according to Ben Edelman, a student at Harvard University Law School and an expert on spyware software.
In a conversation Wednesday, AOL spokesman Andrew Weinstein acknowledged that some spyware sites received an "unknown" rating from the browser. The spokesman subsequently confirmed evidence viewed by eWEEK magazine suggesting that other spyware sites received a "trusted" rating. The company is working to correct the problem with the new browser.
The critiques are the latest bump in the road for Netscape 8, which was released this month. It was patched almost immediately to cover a host of known holes in its code, which is based on the popular Firefox browser, and to fix a conflict with Microsoft's Internet Explorer browser.
America Online Inc. touted Netscape's advanced security features when it released the program May 19. The new browser was "designed for the millions of online users who are searching for a safer and better browser," a company news release said.
The Trust Ratings feature is a key part of the browser's security story. According to AOL, if a user visits a Web site using Netscape 8.0, the browser automatically checks to see whether the site is on a blacklist of suspected virus, scam or spyware sites, or on a "white list" of 150,000 Web sites deemed acceptable by digital certificate authority VeriSign Inc. and by TRUSTe, a nonprofit online privacy monitoring organization.
Spyware and adware distribution sites do not get "trusted" certification if they are on a list of sites maintained by anti-spyware vendor Aluria Software LLC, according to Weinstein.
"If a company is on Aluria's list, it will not get the green, trusted certification," Weinstein said.
"That is false," said Edelman, who provides screenshots of Netscape 8's "Trust Rating" System on his Web site.
The new browser gives a green "trusted" rating when it brings up www.hotbar.com, a Web site that distributes a program that adds graphical skins to Internet Explorer toolbars, in addition to a Hotbar toolbar and stealth monitoring software, Edelman claims.
A copy of the new browser downloaded and tested by eWEEK does confirm Edelman's claim: The green "trustworthy" symbol is displayed on the hotbar.com home page as well as on a page on the Hotbar site that attempts to download the software to users' machines.
A green "trusted" sign is also displayed on the download page at www.ABetterInternet.com, another Web site that downloads and installs monitoring software.
Hotbar and ABetterInternet are also listed as spyware on Aluria's Web site, casting doubt on AOL's claims that any companies on Aluria's list are blocked, too.
In theory, sites on Aluria's list should have a gray "unknown" or red "dangerous" sign, according to Weinstein.
Relying on partners.