Giorgio Sardo Blog

Senior Director of Windows, Windows Phone & XBOX Technical Evangelism & Development at Microsoft Corporation

Most Secure Browser: Internet Explorer 8

Most Secure Browser: Internet Explorer 8

Rate This
  • Comments 14

image NSS Labs, a trusted advisor to the information security community, released today two new Web Browser Security Reports:

They’ve been testing intensively the latest browsers (Apple Safari 4, Google Chrome 2, Microsoft Internet Explorer 8, Mozilla Firefox 3* and Opera 10 Beta)** to compare their security models and APIs.

Note that Internet Explorer 8 relies on the new SmartScreen® Filter technology, while Firefox, Safari and Chrome on the same SafeBrowsing API (developed by Google).

Let’s have a look at the result of their tests.

      

1) MALWARE Protection

What is a Malware?

A Malware is software which is deceptive about functionality and is a security risk or a privacy risk. The term malicious software or malware refers to programs that demonstrate illegal, viral, fraudulent, or malicious behavior. For example, viruses, worms, and Trojan horses are malicious software.

Comparative Test Results

imageThe use of reputation systems to assist browsers in the fight against socially engineered malware is a strong use of cloud technologies. But, not all vendor implementations and daily operations yield the same results.

  • Internet Explorer 8 “was by far the best”, thanks to the SmartScreen® Filter technology
  • Firefox 3 “comes in a distant second
  • Safari 4 presented a declined compared to the previous tests, with two short periods of sever security dips
  • Chrome 2 performed very consistently, albeit very poorly

Although Firefox, Safari and Chrome are using the same security API, the results are different. From the report:

“The SafeBrowsing products’ protection rates were showing signs of converging just under 25%. This supports the notion that there are operational differences between the implementations of the API, but that the block lists are the same (or very similar)”

2) PHISHING Protection

What is Phishing?

Online phishing is a method of identity theft that tricks you into revealing personal or financial information online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands in order to steal personally identifiable information such as usernames, passwords, credit card numbers, and Social Security numbers.

Since phishing sites have an average lifespan of only 52 hours it is essential that the site is discovered, validated, classified, and added to the reputation system as quickly as possible. A good reputation system must be both accurate and fast in order to realize high catch rates.

Comparative Test Results

image

  • Internet Explorer 8 and Firefox 3 are clearly responding quickly to block new phishing sites
  • Opera had a period during the tests where the protection dropped off significantly
  • Chrome was below average

From the report:

“We expected better results given the fanfare about Google’s SafeBrowsing initiative. Additionally, a third-party (Firefox) was able to utilize Google’s API to achieve significantly better protection that Google’s own browser.”

What is the SmartScreen® Filter in IE8?

Internet Explorer 8 introduce a new technology called SmartScreen® Filter, an evolution of the previous Phishing Filter in IE8, to help protect IE8 users against the major security threats on the web today.

Eric Lawrence, Security Lead in the IE Team, has written many blog post where he introduce the feature and describe how it works. A FAQ about the Filter is available here.

If you want to know more about security in IE8, check out this video on Channel9.

Demo

For the sake of this post, based so far only on numbers, I’d like to show in action how IE8 identify and display an unsafe site to the end-user. We will use a test web site marked from the SmartScreen Filter as unsafe***.

If you browse to the site with IE8, the browser will start download the content of the page but shortly it will understand that the site is not safe and switch to a different view: a red warning alert will be offered to the end user.

image

The experience on other browsers, including Firefox and Chrome, would be completely different – since they don’t detect the site as unsafe…creating a big security threat for the end-user.

image        image

Is this really relevant?

NSS Labs is not The Word; it is one of the (many) trusted voices on the web, with a deep expertise in this field. You might not trust their results (btw, have a look at the Appendix of their reports to understand the architecture/methodology they have in place…).

image 

It’s interesting however what they call “an easy apple-to-apple comparison”: they run those tests back in February and they are now comparing the trend over time for each browser. I’m surprised (and pleased :)) to see that IE is the only browser with a positive trend == it’s getting better over time. All of the other browsers decreased protection, between 3 and 8% - within the margin in the error.

image

Does all this mean that IE8 is 100% secure? Absolutely not, but I feel secure now… :-D

NOTE:

* I wished they tested with Firefox 3.5. From the report, “Firefox 3.5 was not stable enough to be tested during the course of this test. A patch has subsequently become available to address the stability issue. We were able to manually verify that the protection was identical between versions 3.0.11 and 3.5”.

** They used the “vanilla versions” (as downloaded from site and updated). No antivirus, no add-on installed, no security group policy, no special settings…. Just the browser, as it is.

*** This site has been designed for demonstration purposes only. The test performed from the NSS Labs used a list of 12000 real suspicious sites.

Technorati Tags: ,,
  • Nice Post! Ahah, it's funny. On Ars Technica:

    Rick Moy, president of NSS Labs: "This stuff is expensive to do right, and we need to monetize it somehow," Moy told Ars. "We invited Google, Mozilla, Apple, Opera to participate, but they didn’t even bother to respond, except for Opera, which stated they “don’t really focus on malware."

    Source: http://arstechnica.com/microsoft/news/2009/08/microsoft-sponsors-two-nss-reports-ie8-is-the-most-secure.ars

  • I like very much the writings and pictures and explanations in your adress so I look forward to see your next writings.

  • Seriously? This is a bunch of sh*t. You took a TEST WEBSITE, that IE had marked as a test website, correct? Well guess what! No duh nothing else is gonna recognize it! ITS A TEST WEBSITE!!! But w/e... The people still using IE don't know better or are fan boys anyway...

  • To Wow.

    If you read the reports attached (or any other security guide on the web), you will learn that those kind of malicious websites born and die within the span of a few minutes/hours/days. For the purpose of demonstration of the new user experience that IE offers to their users I'm using a test website here.

    If you have a better idea to test IE (or any other browser) with a site reported as malicious, I'd be happy to take your feedback.

    All the rest is just *your* opinion... ;)

  • gisardo:

    I think "Wow" was trying to point out that the way you used a test website that you knew would give results favouring IE8 is misleading, as some may assume that this is what would happen in all websites. Note: I am not accusing you of telling them that. However, both this fact and that you put three clauses at the bottom of the page (which most would not read) seems a deliberate attempt to emphasize IE8's security. But hey, you are working for them, what else can one expect?

    I would also like to point out the general fallacy of the whole article. It does not speak of the overall security of your software. It deals with "socially engineered malware" and phishing, which is doublespeak for tricking the user. In other words, this speaks of the security of the users brain and the features the browser uses to make up for this deficit.

    A better test of security would be to test for the ease at which a third party website can trick the _software_. After a bit of searching I found these: http://www.permuted.org.uk/browsercompare.html, http://bcheck.scanit.be/bcheck/stats.php, http://www.ghacks.net/2008/12/14/web-browser-benchmark-comparison/ and http://www.webdevout.net/browser-security

    They indicate that currently, and historically, Internet Explorer has a record of low security (based on security holes versus security holes plugged).

    Infact, in the respect to the Acid tests, Microsoft admitted that it wasn't their goal to improve their scoring (20/100, compared to 100 for Opera 10 and 93 for Firefox 3.5.2). For anyone who doesn't know, the Acid tests are designed to strenuously test standards compliant behaviour. These can pose a security risk to web sites, in fact, even websites not intending to do harm could suffer problems due to Internet Explorers continued stance of ignoring W3C standards.

  • I just tried your precious IE8, and my anti-virus stopped something happening.

    I tried the same site on Firefox 3.5 and the browser got in and stopped it before theAnti-Virus.

    Your test... invalidated!

    Internet Explorer is STILL NOT SECURE!

  • I do not find your ideas intriguing and would not like to subscribe to your newsletter.

  • TheMG: I agree with your points, and I appreicate your contructive feedback. a) I work for MS b) I do like other browsers (and I think that there are great features out there), but I still prefer IE as for my daily browsing :) Also, I don't pretend to be a security expert; the purpose of this post was to highlight the result carried by an external company whose experise is on malware and phishing. As I written, I'm sure we can see at the security topic from many point of views...and each one will be true and untrue at the same time. And there will never (maybe?) be a 100% secure browser (as - btw - any software I application, imho). At least we can try to get better...

    With regards to patches etc, I honestly don't know the exact numbers of when/how quickly we patch compared to other browsers. I could call two recent examples. FF 3.5 critical security bug(http://blogs.zdnet.com/security/?p=3749)...remained unfixed for weeks (I'm not sure about the current status...); last IE issue took 7 days to investigate/fix/deploy hotfix to all IE users through WU (http://www.microsoft.com/technet/security/advisory/972890.mspx). And I'm SURE that there are many other cases where we've been slower to respond/fix than FF. It's a sane competition...and I like competition/challanges :)

    Acid 3? That's another story, maybe worth a separate post :)

    @You: I really don't want to sell IE here. I'm just showing the tests made by an external "neutral" company. If there is a website where you think IE security model is not sufficient, please send me the link...I'd be intersted to have a look and understand more. This is the kind of feedbacks that I always appreciate :)

  • I never thought I'd say this...but I actually love Internet Explorer (version 8 that is).

    In installed the Quero toolbar to block ads and its so much smoother and faster.

  • A very useful and informative post. I am definately subscribing to your feed.

  • Thanks for sharing the useful information with me!

  • TheMG.  Acid 3 is a set of conformance tests, and not security-based, so I don't see the relevance of that argument.  See the Acid 3 home page for a balanced appraisal of their own test and a partial defense of IE8's score.  As well as the excellent work the IE team did around secure browing, they also appear to have one of the most CSS 2.1 complaint browsers available.   Several of the Acid 3 tests check for conformance to features that are expected to be included in the next version of CSS, and which are not current standards.

    I think the problem here is that many people just feel that their world will fall apart if Microsoft addresses things like security, performance and standards compliance in IE.  It is somehow important to their self-identity to be able to accuse Microsoft of all kinds of bad behaviour from now to eternity.  Very childish behaviour.

  • Really informative post. But i think Mozilla is getting better with time. I always prefer Mozilla over IE

  • Yeah.. I also prefer Mozilla over IE because its easy and you can search loads of add-on. And as per recent news Mozilla has released the latest iteration of its flagship Firefox browser with a few significant security goodies to keep malicious hacker at bay.

Page 1 of 1 (14 items)