Most Secure Browser: Internet Explorer 8
NSS Labs, a trusted advisor to the information security community, released today two new Web Browser Security Reports:
They have intensively tested the latest browsers (Apple Safari 4, Google Chrome 2, Microsoft Internet Explorer 8, Mozilla Firefox 3* and Opera 10 Beta)** to compare their security models and APIs.
Note that Internet Explorer 8 relies on the new SmartScreen® Filter technology, while Firefox, Safari and Chrome all rely on the same SafeBrowsing API (developed by Google).
Let’s have a look at the result of their tests.
1) MALWARE Protection
What is Malware?
Malware is software that is deceptive about its functionality and poses a security risk or a privacy risk. The term malicious software, or malware, refers to programs that demonstrate illegal, viral, fraudulent, or malicious behavior. For example, viruses, worms, and Trojan horses are malicious software.
Comparative Test Results
The use of reputation systems to assist browsers in the fight against socially engineered malware is a strong use of cloud technologies. But, not all vendor implementations and daily operations yield the same results.
- Internet Explorer 8 “was by far the best”, thanks to the SmartScreen® Filter technology
- Firefox 3 “comes in a distant second”
- Safari 4 showed a decline compared to the previous tests, with two short periods of severe security dips
- Chrome 2 performed very consistently, albeit very poorly
Although Firefox, Safari and Chrome are using the same security API, the results are different. From the report:
“The SafeBrowsing products’ protection rates were showing signs of converging just under 25%. This supports the notion that there are operational differences between the implementations of the API, but that the block lists are the same (or very similar)”
2) PHISHING Protection
What is Phishing?
Online phishing is a method of identity theft that tricks you into revealing personal or financial information online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands in order to steal personally identifiable information such as usernames, passwords, credit card numbers, and Social Security numbers.
Since phishing sites have an average lifespan of only 52 hours, it is essential that each site is discovered, validated, classified, and added to the reputation system as quickly as possible. A good reputation system must be both accurate and fast in order to achieve high catch rates.
Comparative Test Results
- Internet Explorer 8 and Firefox 3 are clearly responding quickly to block new phishing sites
- Opera had a period during the tests where the protection dropped off significantly
- Chrome was below average
From the report:
“We expected better results given the fanfare about Google’s SafeBrowsing initiative. Additionally, a third-party (Firefox) was able to utilize Google’s API to achieve significantly better protection than Google’s own browser.”
What is the SmartScreen® Filter in IE8?
Internet Explorer 8 introduces a new technology called SmartScreen® Filter, an evolution of the previous Phishing Filter in IE8, to help protect IE8 users against the major security threats on the web today.
Eric Lawrence, Security Lead in the IE Team, has written many blog posts in which he introduces the feature and describes how it works. A FAQ about the Filter is available here.
If you want to know more about security in IE8, check out this video on Channel9.
Demo
For the sake of this post, based so far only on numbers, I’d like to show in action how IE8 identifies and displays an unsafe site to the end user. We will use a test web site marked by the SmartScreen Filter as unsafe***.
If you browse to the site with IE8, the browser will start downloading the content of the page, but it will shortly determine that the site is not safe and switch to a different view: a red warning alert will be shown to the end user.
The experience on other browsers, including Firefox and Chrome, would be completely different – since they don’t detect the site as unsafe…creating a big security threat for the end-user.
Is this really relevant?
NSS Labs is not The Word; it is one of the (many) trusted voices on the web, with a deep expertise in this field. You might not trust their results (btw, have a look at the Appendix of their reports to understand the architecture/methodology they have in place…).
What is interesting, however, is what they call “an easy apple-to-apple comparison”: they ran those tests back in February and they are now comparing the trend over time for each browser. I’m surprised (and pleased :)) to see that IE is the only browser with a positive trend == it’s getting better over time. All of the other browsers decreased protection, between 3 and 8% - within the margin of error.
Does all this mean that IE8 is 100% secure? Absolutely not, but I feel secure now… :-D
NOTE:
* I wish they had tested with Firefox 3.5. From the report, “Firefox 3.5 was not stable enough to be tested during the course of this test. A patch has subsequently become available to address the stability issue. We were able to manually verify that the protection was identical between versions 3.0.11 and 3.5”.
** They used the “vanilla versions” (as downloaded from the site and updated). No antivirus, no add-on installed, no security group policy, no special settings…. Just the browser, as it is.
*** This site has been designed for demonstration purposes only. The test performed by NSS Labs used a list of 12000 real suspicious sites.
Comments
Anonymous
August 13, 2009
Nice Post! Ahah, it's funny. On Ars Technica: Rick Moy, president of NSS Labs: "This stuff is expensive to do right, and we need to monetize it somehow," Moy told Ars. "We invited Google, Mozilla, Apple, Opera to participate, but they didn’t even bother to respond, except for Opera, which stated they “don’t really focus on malware." Source: http://arstechnica.com/microsoft/news/2009/08/microsoft-sponsors-two-nss-reports-ie8-is-the-most-secure.ars
Anonymous
August 15, 2009
I like very much the writings and pictures and explanations in your address so I look forward to see your next writings.
Anonymous
August 29, 2009
Seriously? This is a bunch of sh*t. You took a TEST WEBSITE, that IE had marked as a test website, correct? Well guess what! No duh nothing else is gonna recognize it! ITS A TEST WEBSITE!!! But w/e... The people still using IE don't know better or are fan boys anyway...
Anonymous
August 29, 2009
To Wow. If you read the reports attached (or any other security guide on the web), you will learn that those kinds of malicious websites are born and die within the span of a few minutes/hours/days. For the purpose of demonstration of the new user experience that IE offers to their users I'm using a test website here. If you have a better idea to test IE (or any other browser) with a site reported as malicious, I'd be happy to take your feedback. All the rest is just your opinion... ;)
Anonymous
August 30, 2009
I do not find your ideas intriguing and would not like to subscribe to your newsletter.
Anonymous
August 30, 2009
I never thought I'd say this...but I actually love Internet Explorer (version 8 that is). I installed the Quero toolbar to block ads and it's so much smoother and faster.
Anonymous
August 30, 2009
A very useful and informative post. I am definitely subscribing to your feed.
Anonymous
October 18, 2009
Thanks for sharing the useful information with me!
Anonymous
January 27, 2010
Really informative post. But I think Mozilla is getting better with time. I always prefer Mozilla over IE
Anonymous
January 27, 2010
Yeah.. I also prefer Mozilla over IE because it's easy and you can search loads of add-ons. And as per recent news Mozilla has released the latest iteration of its flagship Firefox browser with a few significant security goodies to keep malicious hackers at bay.