[Update: Mozilla’s PR agency says the anti-phishing feature isn’t fully enabled in Firefox 2 Beta 1. Details here.]
Over at ZDNet, I’ve just published a lengthy comparison of the security features in the most recent beta releases of Internet Explorer 7 and Firefox 2. (The comparison is entitled “IE7 or Firefox 2: Which browser is more secure?” It includes a detailed image gallery so you can draw your own conclusions.)
One prominent feature of each new release is technology to detect so-called phishing sites, which try to spoof legitimate sites and deceive visitors into giving up personal information like credit card numbers and banking account login details. Like most people, I was initially skeptical about whether this technology would work, so over the past few months I’ve been putting IE7’s phishing filter to the test. Normally I just delete those phishing messages, but lately I’ve been clicking on every single one to see what happens. Surprisingly, IE7 has nailed one fake site after another. I haven’t kept detailed records, but the hit rate has been nearly 100%.
I’ve only begun using the Firefox beta in the past few days, so I have only a small sample size to work with. But so far it has missed every one of four phishing sites I’ve pointed it to, each of which has been detected by IE7. I’ve tried monkeying with the settings for the anti-phishing option in FF2, with no luck, and I’ve repeated the installation on a separate computer with identical results. (Both computers were running stock installations of Windows XP.)
Frankly, this is baffling to me. Both Microsoft and Mozilla have been testing this feature for a year. In Mozilla’s case, the testing has been done by Google, which developed the technology as part of its Google Toolbar for Firefox. As a control, I installed Google’s Firefox toolbar on the latest official release of Firefox, 220.127.116.11. It failed to detect two obvious phishing sites as well. (Two other links that I had used for testing yesterday have already been taken down.)
I’m going to begin monitoring this feature a lot more closely and will report my results periodically here.