Most Secure Browser: Internet Explorer 8
NSS Labs, a trusted advisor to the information security community, released today two new Web Browser Security Reports:
They’ve been testing intensively the latest browsers (Apple Safari 4, Google Chrome 2, Microsoft Internet Explorer 8, Mozilla Firefox 3* and Opera 10 Beta)** to compare their security models and APIs.
Note that Internet Explorer 8 relies on the new SmartScreen® Filter technology, while Firefox, Safari and Chrome on the same SafeBrowsing API (developed by Google).
Let’s have a look at the result of their tests.
1) MALWARE Protection
What is a Malware?
A Malware is software which is deceptive about functionality and is a security risk or a privacy risk. The term malicious software or malware refers to programs that demonstrate illegal, viral, fraudulent, or malicious behavior. For example, viruses, worms, and Trojan horses are malicious software.
Comparative Test Results
The use of reputation systems to assist browsers in the fight against socially engineered malware is a strong use of cloud technologies. But, not all vendor implementations and daily operations yield the same results.
- Internet Explorer 8 “was by far the best” , thanks to the SmartScreen® Filter technology
- Firefox 3 “comes in a distant second”
- Safari 4 presented a declined compared to the previous tests, with two short periods of sever security dips
- Chrome 2 performed very consistently, albeit very poorly
Although Firefox, Safari and Chrome are using the same security API, the results are different. From the report:
“The SafeBrowsing products’ protection rates were showing signs of converging just under 25%. This supports the notion that there are operational differences between the implementations of the API, but that the block lists are the same (or very similar)”
2) PHISHING Protection
What is Phishing?
Online phishing is a method of identity theft that tricks you into revealing personal or financial information online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands in order to steal personally identifiable information such as usernames, passwords, credit card numbers, and Social Security numbers.
Since phishing sites have an average lifespan of only 52 hours it is essential that the site is discovered, validated, classified, and added to the reputation system as quickly as possible. A good reputation system must be both accurate and fast in order to realize high catch rates.
Comparative Test Results
- Internet Explorer 8 and Firefox 3 are clearly responding quickly to block new phishing sites
- Opera had a period during the tests where the protection dropped off significantly
- Chrome was below average
From the report:
“We expected better results given the fanfare about Google’s SafeBrowsing initiative. Additionally, a third-party (Firefox) was able to utilize Google’s API to achieve significantly better protection that Google’s own browser.”
What is the SmartScreen® Filter in IE8?
Internet Explorer 8 introduce a new technology called SmartScreen® Filter, an evolution of the previous Phishing Filter in IE8, to help protect IE8 users against the major security threats on the web today.
Eric Lawrence, Security Lead in the IE Team, has written many blog post where he introduce the feature and describe how it works. A FAQ about the Filter is available here.
If you want to know more about security in IE8, check out this video on Channel9.
Demo
For the sake of this post, based so far only on numbers, I’d like to show in action how IE8 identify and display an unsafe site to the end-user. We will use a test web site marked from the SmartScreen Filter as unsafe***.
If you browse to the site with IE8, the browser will start download the content of the page but shortly it will understand that the site is not safe and switch to a different view: a red warning alert will be offered to the end user.
The experience on other browsers, including Firefox and Chrome, would be completely different – since they don’t detect the site as unsafe…creating a big security threat for the end-user.
Is this really relevant?
NSS Labs is not The Word; it is one of the (many) trusted voices on the web, with a deep expertise in this field. You might not trust their results (btw, have a look at the Appendix of their reports to understand the architecture/methodology they have in place…).
It’s interesting however what they call “an easy apple-to-apple comparison”: they run those tests back in February and they are now comparing the trend over time for each browser. I’m surprised (and pleased :)) to see that IE is the only browser with a positive trend == it’s getting better over time. All of the other browsers decreased protection, between 3 and 8% - within the margin in the error.
Does all this mean that IE8 is 100% secure? Absolutely not, but I feel secure now… :-D
NOTE:
* I wished they tested with Firefox 3.5. From the report, “Firefox 3.5 was not stable enough to be tested during the course of this test. A patch has subsequently become available to address the stability issue. We were able to manually verify that the protection was identical between versions 3.0.11 and 3.5”.
** They used the “vanilla versions” (as downloaded from site and updated). No antivirus, no add-on installed, no security group policy, no special settings…. Just the browser, as it is.
*** This site has been designed for demonstration purposes only. The test performed from the NSS Labs used a list of 12000 real suspicious sites.
Comments
Anonymous
August 27, 2009
I applaud IE's new filter for blocking malware and phishing sites but It's important to remember that this is only half the picture - just like antivirus software can't stop problems it doesn't know about. These tests for instance show that 19% of malware was not blocked. A good browser is one whose vendor updates vulnerabilities quickly. History has shown Mozilla to be quicker at this... But the new focus on security is a good thing for the entire industry.Anonymous
August 28, 2009
maybe ms should have two version of ie8 one for enterprise and one for home users. In actuallity the code base would be identical but the home versin would be patched fasters since I don't think the regressions tests would need to be as complete for the home version. Mozillas I'm sure does not regression test as complete as ms does with ie thus they can patch faster.