Principles behind IE7’s Phishing Filter

My last post was intended to introduce our overall security strategy and the specific features in IE7 Beta1 for XP SP2 and Windows Vista. A lot of responses to my post were questions about why and how the Microsoft Phishing Filter in IE7 will check websites. We have also have heard from a number of site owners who want to know how they can correct an evaluation of “suspicious” or “confirmed phishing”. Before we continue posting on the rest of the IE7 security features, I want to let you know that we’re listening to your feedback about the Phishing Filter and take this opportunity to clarify the process.

The prime directive of the Phishing Filter feature is to help protect users from phishing websites, while maintaining user privacy and being transparent and flexible about how we do it. Protecting your privacy means we will not collect personally identifiable information, we will explain clearly how the feature works, we will give you the choice to use it only when you want to, we will provide a clear indication of how we will use any data, and we’ll use SSL encryption to help protect any queries you send to the anti-phishing server. These are the principles we used to design the Phishing Filter.

1. Readers asked why we decided to use real-time look ups against the anti-phishing server as opposed to an intermittent download list of sites in the way that an Anti-spyware product might.  We included real-time checking for phishing sites because it offers better protection than only using static lists and avoids overloading networks. Phishing Filter does have an intermittently downloaded list of “known-safe” sites but we know phishing attacks can strike quickly and move to new addresses, often within a 24-48 hour time period which is faster than we could practically push out updates to a list of “known-phishing” sites. Even if the Phishing Filter downloaded a list of phishing sites 24 times a day, you might not be protected against a confirmed, known phishing site for an hour at a time, at any time of day. Because Phishing Filter checks unknown sites in real-time you always have the latest intelligence. There would also be network scale problems with requiring users to constantly download a local list. We think the number of computers that could be used to launch phishing attacks is much higher than the number of spyware signatures that users deal with today. In a scenario where phishing threats move rapidly, downloading a list of new reported phishing sites every hour could significantly clog internet traffic.
2. Readers asked about how the data from the Phishing Filter will be used. We want to be very clear about this so we actually updated the privacy statement last week to spell it out in more detail: We use the data to make the Phishing Filter service better and constantly improve the level of accuracy in our results, not to personally identify you.
   
   The updated privacy statement also explains how and when the Phishing Filter will check sites.
   • No site will be checked on the server unless you choose to enable the feature.
   • Phishing Filter only checks sites that aren’t in IE’s downloaded “known-safe” list
   • Potentially sensitive data, like the URL query string, is stripped out of the URL before it’s sent to the server for checking. Other types of navigation-related information, like http cookies, are not sent to Microsoft.
   • The URL is sent securely over an encrypted SSL connection to help protect your privacy

   You may not find the privacy statement to be a page turner, but it does represent our promise to you. I hope this clarification helps dispel a conspiracy theory or two.

3. Folks have also raised concerns about how Microsoft will judge sites for the confirmed-phishing-site list. We want you to know that the process to evaluate reported phishing sites will be fair, simple and clear. To be sure it’s fair, the process will allow sites to ask for a reevaluation if the site owner does not agree with the Phishing filter rating. You won’t have to find a support number to call, instead the link to report an incorrect evaluation is built into the UI of IE7. If you dispute an evaluation by the phishing filter, the situation will be addressed as quickly as possible.  If the review process determines that there was a mistake on part of the phishing filter, your site will instantly be restored to good standing once it’s been reevaluated as not-phishing. The phishing filter whitepaper includes more information about best practices to prevent your site from being marked suspicious.

I hope this has helped folks understand the benefits of getting dynamic protection with a real-time service. I encourage you to try it out. Even if you turn real-time protection off, it’s nice to know that you can always manually check on a site if you have reason to suspect foul play.

Tariq’s post is teed up and will go into way more detail about the UX and how Phishing Filter actually works. If you have questions like that you should hold for him. If you have questions or feedback on the privacy concerns, fire away!

Thanks,
Rob Franco

Update: Changed the link of the phishing filter whitepaper to reflect the correct URL (it got changed).