Sharing malware lists: Pros vs perils

Browser makers maintain a blacklist of phishing sites that are blocked from public access, in an attempt to provide their users with secured surfing sessions. Such lists, however, should not be made public, according to some industry watchers.

For example, Microsoft's Internet Explorer 8 — currently in beta 2 version — is said to be on par with competitor browsers, such as Mozilla's Firefox, in terms of security.

An essential component in the capability of these web browsers to warn users against suspicious URLs is a blacklist of known or suspected phishing sites or sites that contain malware.Yet not all companies are willing to make such information public.

In an email interview with ZDNet Asia, a Microsoft spokesperson confirmed that the company does not share IE data pertaining to phishing and malware, "due to data-source agreements and the dynamic nature of these changes".

According to an email response from a Google spokesperson, the company's Safe Browsing service is provided to both Mozilla's Firefox and Chrome, Google's own browser.

When contacted, industry watchers were divided over whether browser companies should share their lists or data in the interest of providing better security for online users.

Andrew Walls, research director for security, risk and privacy at Gartner, pointed out that browser companies keep such lists private for competitive advantage.

"The reality is that money drives most of what happens in the computer business, and security is becoming increasingly a discriminating factor for consumers when they decide what software to use, whether they're purchasing or getting it for free," Walls said in a telephone interview. "The browser that's able to demonstrate better security is better placed to compete in the market."

However, the Melbourne-based analyst noted that companies that produce and maintain such lists "are very quick about updating their lists", and the lag in updates among competitors is very small. "So the real impact has got to be very light on the users," said Walls.

Chia Wing Fei, F-Secure's security response manager, agreed that there would not be "any huge impact" even if companies maintain their own databases of known malicious and phishing sites. "With their own lists, they can have more control and will be able to respond more quickly to newly found malicious sites," Chia said in an email.

However, William Tan, Websense's Asia-Pacific technical manager, noted that sharing research information "is a big part of the security industry", and gaining access to such lists would imply quicker validation of information, which leads to more internet users being protected.

Tan warned that the industry should not rely entirely on blacklists, which "fall short" amid a growing number of websites that carry dynamic, user-contributed content. "There are numerous examples where good sites turn bad and are found to be hosting malicious mobile codes injected by hackers," he said in an email interview. "Static blacklists just prove to be inefficient in addressing that part of the internet, [as they] usually account for the top 100 to 1,000 most frequently accessed websites [globally]."