According to the most recently released comparative review by av-comparatives.org, Opera leads competing browsers in anti-phishing protection. Should you make the switch? Not so fast!
The comparative review used 294 phishing URLs and tested the following browsers:
Apple Safari 126.96.36.19934.57.2
Google Chrome 23.0.1271.97 m
Microsoft Internet Explorer 9.0.9112.16421/9.0.12
Mozilla Firefox 17.0.1
It produced the following results:
Opera: 94.2 percent detection rate of the phishing URLs used in the test
Internet Explorer: 82 percent detection rate for the phishing URLs used in the test
Google Chrome: 72.4 percent detection rate for the phishing URLs used in the test
Apple Safari: 65.6 percent detection rate for the phishing URLs used in the test
Mozilla Firefox: 54.8 percent detection rate for the phishing URLs used in the test
None of the browsers triggered a "false phishing alarm." What kind of conclusions can we draw based on these results, and what should decision makers keep in mind when considering a company-wide browser switch?
There's a special crowd of Internet users who are prone to making impulsive switches to a new product or browser every time a new study or comparative review is released. That's totally wrong, and here's why:
Time period-specific results: What users and decision makers need to keep in mind is that the results from these comparative reviews are time sensitive, rather than being 100 percent conclusive. And while they offer factual evidence for the performance of a particular product or browser over a specific period of time, the results do not necessarily reflect the big picture, which in 2013 has to do with increased quality assurance (QA) applied by cybercriminals.
Built-in phishing protection is only one of many factors to take into consideration before making a switch: Although Opera indeed outperformed competing browsers in anti-phishing protection, it doesn't necessarily mean it outperformed competing browsers when it comes to built-in security mechanisms in general. Case in point: A Google-commissioned study released in 2011 claimed that Chrome is the most secure browser on the market. What the report excluded as a key factor was vulnerable Chrome extensions that could lead to the successful compromise of a host running them. For instance, in 2011, a group of researchers tested 100 Chrome extensions and found that 27 of them contained 51 vulnerabilities. With Chrome leading the global browser wars, it's also worth emphasizing one of the most popular myopias that end users and corporate users suffer from nowadays: the myth of the fully patched Web browser in the context of security.
What some of the browsers tested in the study--but not all of them--have in common is their reliance on the ubiquitous Safe Browsing service, overlooking the fact that for years, cybercriminals have been relying on sophisticated "malicious content cloaking" techniques to prevent Google's crawlers from detecting their fraudulent or malicious content.
Let's discuss the big picture in more detail.
Mono-cultural reliance on Safe Browsing is good for PR, but it doesn't fuel innovation in built-in browser anti-phishing, anti-malware, and anti-client-side exploitation protection; when was the last time your browser of choice announced a new and innovative anti-malware or anti-phishing feature? That's right, it doesn't happen every day, and not even on a quarterly basis. It is my personal belief that browser vendors have found their "sweet spot" hiding behind the industry-accepted Safe Browsing service, and have therefore failed to innovate on the anti-phishing and anti-malware protection fronts over the past couple of years. The result? Successful detection for low-QA malicious campaigns, and zero detection for sophisticated high-QA campaigns.
The QA applied by cybercriminals has the potential to undermine the real-life applicability of comparative reviews and industry-accepted standards. Ask yourself the following: What would be the first thing you would do if you were to launch a phishing-, exploit-, and malware-serving campaign knowing that millions of users are directly or indirectly protected by Google's Safe Browsing? That's right! You'd not only check whether the service has blocked your URLs, you'd also check those URLs against the most popular Internet security suites on the market. This QA practice has been available to cybercriminals as a service for years, and is currently covering all the major community-based malicious URL-tracking services, next to all the major Internet security suites, leading to a higher probability of successful interaction with the malicious or fraudulent URLs, and millions of users with a "false feeling of security."
Do comparative reviews shape your decision-making process, and in what way? Do you believe that the mono-cultural reliance on the Safe Browsing service is actually protecting more people than helping cybercriminals reach a wider "attack population" thanks to its mass adoption? Do you think browser vendors failed to innovate on the anti-phishing/anti-malware/anti-client-side exploitation fronts over the past couple of years, and what should be done in this direction?
Find out more about Dancho Danchev at his LinkedIn profile.