Mozilla Claims Early Win in Browser Phishfight

Updated: A study sanctioned by Mozilla gives Firefox 2 a big win over Microsoft's IE 7 in the battle to block ID theft scam sites, but both browsers still come up short when pitted against active phishing URLs.

A new study sanctioned by Mozilla declares Firefox 2 as a big winner over Microsoft's IE 7 in the battle to block ID theft scam sites, but weaknesses in both browsers confirm that the battle against phishing has only just begun.

The open-source group on Nov. 14 released results of a third-party test that showed the embedded phishing protection in Firefox 2 was significantly more effective at flagging phishing attacks than IE 7 (final release).

Using 1,040 verified phishing sites from the PhishTank community portal, the study found that Firefox 2's local blacklist feature blocked about 79 percent of the malicious sites from loading.

By comparison, IE 7's whitelist-based Auto Check OFF blocked only 16 attacks, or less than 2 percent.

The study, conducted over a two-week period by software services and testing company SmartWare, also gave a victory to Firefox 2 in the Ask Google option, which does a real-time check against a list of suspect sites provided by Google.

Firefox 2 with Ask Google blocked 848 of the 1,040 malicious sites. By comparison, Microsoft's Auto Check ON feature only flagged 66 percent, or 690 sites, as identity theft threats.

There were 243 instances where Firefox blocked a phishing site but IE did not and 117 instances where IE blocked but Firefox did not, a clear suggestion that both browsers miss a large number of fraudulent sites that allow attackers to steal sensitive data from users.

Mozilla security chief Window Snyder said the test was part of the company's quality assurance process and confirms that both local and remote protection modes offer better security than Microsoft's dominant browser.

In an interview with eWEEK, Snyder acknowledged that IE 7 was a "significant improvement" over IE 6 but argued strongly that users are better protected against phishing attacks when using Firefox.

"In terms of security, IE 7 is an improvement. The focus on security [in both browsers] means that the end-user is better protected. I'm all for the idea that we're both focusing on security in these releases," said Snyder, who previously served as a security strategist at Microsoft.

Snyder said the SmartWare testers used a custom-built Web application to interface with the phishing data culled from PhishTank's public XML feed of valid phishing URLs.


The testers worked in teams of two, testing one browser in both modes for up to seven URLs at a time, then switched to the other browser to test both modes on those URLs.

Since time favors the second browser tested (it gives the phishing features more time to update their lists), Snyder explained that the testing order between Firefox 2 and IE 7 was rotated to ensure that no one browser had a testing advantage over another.

The Firefox victory chant comes hard on the heels of a Microsoft-commissioned study by 3Sharp, based in Redmond, Wash., that came up with an entirely different result.

The 3Sharp test results, released in October 2006, said Internet Explorer 7 Beta 3 with Phishing Filter had the best overall accuracy, way ahead of Google Safe Browsing on Firefox.

Editor's Note: This story was updated to include information and comments from Mozilla.
