Home & Office

Will sharing malware lists help?

Industry watchers are divided over whether browser companies should make public blacklists of phishing sites to provide better protection for Internet users.
Written by Vivian Yeo, Contributor

Browser makers maintain a blacklist of phishing sites that are blocked from public access, in an attempt to provide their users with secured surfing sessions. Such lists, however, should not be made public, according to some industry watchers.

Microsoft's Internet Explorer 8--currently in beta 2 version-- for example, is said to be on par with competitor browsers such as Mozilla's Firefox, in terms of security.

An essential component, in the capability of these Web browsers to warn users against suspicious URLs, is a "blacklist" of known or suspected phishing sites or sites that contain malware.

Not all companies are willing to make such information public.

In an e-mail interview with ZDNet Asia, a Microsoft spokesperson confirmed that the company does not share IE data pertaining to phishing and malware, "due to data source agreements and the dynamic nature of these changes".

According to an e-mail response from a Google spokesperson, the company's Safe Browsing service is provided to both Mozilla's Firefox and Chrome, Google's own browser.

When contacted, industry watchers were divided over whether browser companies should share their lists or data, in the interest of providing better security for online users.

Andrew Walls, research director for security, risk and privacy at Gartner, pointed out that browser companies keep such lists private for competitive advantage.

"The reality is that money drives most of what happens in the computer business, and security is becoming increasingly a discriminating factor for consumers when they decide what software to use, whether they're purchasing or getting it for free," Walls said in a phone interview. "The browser that's able to demonstrate better security is better placed to compete in the market."

However, the Melbourne-based analyst noted that companies that produce and maintain such lists "are very quick about updating their lists", and the lag in updates among competitors is very small. "So the real impact has got to be very light on the users," said Walls.

Chia Wing Fei, F-Secure's security response manager, concurred that there would not be "any huge impact" even if companies maintain their own databases of known malicious and phishing sites. "With their own lists, they can have more control and will be able to respond more quickly to newly found malicious sites," Chia said in an e-mail.

However, William Tan, Websense's Asia-Pacific technical manager, noted that sharing research information "is a big part of the security industry", and gaining access to such lists would imply quicker validation of information which leads to more Net users being protected.

Tan warned though the industry should not rely entirely on blacklists, which "fall short" amid a growing number of Web sites that carry dynamic, user-contributed content. "There are numerous examples where good sites turn bad and are found to be hosting malicious mobile codes injected by hackers," he said in an e-mail interview. "Static blacklists just prove to be inefficient in addressing that part of the Internet, [as they] usually account for the top 100 to 1,000 most frequently accessed Web sites [globally]."

Editorial standards