Firefox phishing filter fails

[Update: Mozilla’s PR agency says the anti-phishing feature isn’t fully enabled in Firefox 2 Beta 1. Details here.]

Over at ZDNet, I’ve just published a lengthy comparison of the security features in the most recent beta releases of Internet Explorer 7 and Firefox 2. (The comparison is entitled IE7 or Firefox 2: Which browser is more secure? It includes a detailed image gallery so you can draw your own conclusions.)

One prominent feature of each new release is technology to detect so-called phishing sites, which try to spoof legitimate sites and deceive visitors into giving up personal information like credit card numbers and banking account login details. Like most people, I was initially skeptical about whether this technology would work, so over the past few months I’ve been putting IE7’s phishing filter to the test. Normally I just delete those phishing messages, but lately I’ve been clicking on every single one to see what happens. Surprisingly, IE7 has nailed one fake site after another. I haven’t kept detailed records, but the hit rate has been nearly 100%.

I’ve only begun using the Firefox beta in the past few days, so I have only a small sample size to work with. But so far it has missed every one of four phishing sites I’ve pointed it to, each of which has been detected by IE7. I’ve tried monkeying with the settings for the anti-phishing option in FF2, with no luck, and I’ve repeated the installation on a separate computer with identical results. (Both computers were running stock installations of Windows XP.)

Frankly, this is baffling to me. Both Microsoft and Mozilla have been testing this feature for a year. In Mozilla’s case, the testing has been done by Google, which developed the technology as part of its Google Toolbar for Firefox. As a control, I installed Google’s Firefox toolbar on the latest official release of Firefox, 1.5.0.6. It failed to detect two obvious phishing sites as well. (Two other links that I had used for testing yesterday have already been taken down.)

I’m going to begin monitoring this feature a lot more closely and will report my results periodically here.

11 thoughts on “Firefox phishing filter fails”

  1. Pingback: The PC Doctor
  2. I haven’t used Firefox’s anti-phishing thing so I can’t speak for its accuracy, and it appears from this article that it doesn’t work all that well. Hopefully, people will get on that.

    However, this article doesn’t deal at all (that I saw) with false positives, which I have seen a number of times in IE7 – I don’t use it myself, but a coworker has struggled through various attempts at getting legitimate files from different sites.

  3. I’ve had two pages on my site tagged as possible phishing sites by IE7. (Both were triggered by comment spammers whose comments had gotten through my filters.) In both cases, they got the yellow badge, not the red one. In both cases, no one was blocked from viewing or downloading anything. In both cases, I was able to fill out a form and the designation was changed within a few hours.

    I have seen nothing in this feature that would cause a false positive to be anything more than an inconvenience. Can you be more specific about what you saw? You mention “getting legitimate files from sites” which sounds like you’re referring to some sort of filter that blocks downloads. There’s nothing like that in IE7, and in fact even a “blocked” page is accessible. You just have to click past the warning page.

  4. I will have to check – I don’t use IE7, so I will ask my coworker if he remembers the site, and the exact problem that occurred. It definitely was not third party software, but just plain IE7. Sorry I can’t be more exact.

  5. I do remember the fix for it. Clicking the yellow thing wasn’t enough – but we turned off the internet security, or set it to low, etc. and then we could get into the site.
    The problem I have with the yellow bar is that I have watched people click on it so fast, they don’t have any idea what it is saying, but just know that when that comes up, something was blocked that they want to see. I worry about the same thing with UAC – either people getting so used to typing in their password that they do it without thinking (at least this stops the kids from downloading stuff – at least until they figure out the password by watching their parents’ fingers) or people make HTML popups that look like the UAC dialog, and people type their admin password into a web page.

    But, we will see how it turns out. It has to be a step in the right direction, no matter what bugs/side-effects it has.

  6. Sir,
    I am very interested in this issue of why Firefox is not able to identify phishing sites.
    Please try some more experiments and mail me about their results.
    Thank you.

  7. I’m usually on top of things, being the geek that I am, but I was phished by a fake eBay email – which I had deleted in the past but logged in for this time. My eBay account was stolen as a result, but having my email auto-checked every 4 minutes alerted me within 10 minutes of an auction being listed using my account.

    How can the filter not look for typical php links, which yanked my account info?!

  8. “How can the filter not look for typical php links, which yanked my account info?!”
    What is a “typical PHP link”? The PHP engine can be associated with extensions other than “.php” such as “.asp” if you found that browsers were dumbed down to rely on the URI in determining integrity. Or heck, it could map the “.html” extension and you’d think you were looking at static pages while in fact everything you did was being examined and the output was calculated so you would give more and more information.

    Beyond that, most servers have a list of “default pages” that will come up when you specify a directory rather than filename target URI. You could ask for “http://www.example.com/siteinfo/” (since that was what the link pointed to) and upon pinging this you could actually get the output of a PHP script and you’d never know.

    There are no “typical” links anymore. Everything is suspect to some degree, right up to and including your own site. The only 100% safe computer is disconnected from the network and has its PSU unplugged.

    What IE7 and FF2 are doing is simply an attempt to augment the users’ common sense. Lock down your hosts file. If an email link asks you for your personal information, think twice about it. Keep your antivirus and antispyware software up-to-date. Run Search & Destroy at least once a week – more often if you tend to visit questionable sites. And whatever you do, never trust someone else’s program to do what your brain should have been doing already. Think before you click.
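The point made in comments 7 and 8 (that a filter cannot key on a “.php” link, because a server can serve a script under any extension or behind a bare directory URL) can be shown with a small added example. This is illustration code, not code from the post, its commenters, or either browser’s filter; the blocklist entries and URLs are constructed, and the host-plus-path-prefix matching is an assumed, simplified stand-in for how a real phishing blocklist is consulted.

```python
"""Added example: extension heuristics vs. a host/path blocklist lookup."""
from urllib.parse import urlsplit

# Constructed blocklist. Entries are (host, path prefix): a phishing site is
# identified by where it lives, never by the extension of the file it serves.
BLOCKLIST = {
    ("phish.example.net", "/"),               # the whole host is bad
    ("shared.example.org", "/login-ebay/"),   # one directory on an otherwise fine host
}


def canonicalize(url: str) -> tuple[str, str]:
    """Reduce a URL to (lowercased host, path) for lookup.

    urlsplit().hostname already lowercases the host and drops userinfo and
    the port; query string and fragment are ignored here on purpose, since a
    spoofed page is the same page whatever is appended after '?' or '#'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    return host, path


def looks_like_script(url: str) -> bool:
    """The naive check asked for in comment 7: flag only explicit '.php' URLs.

    It misses '.asp', '.html' and bare directory URLs that a server may map
    to the same PHP engine, and it flags legitimate sites that happen to use
    '.php' in the open.
    """
    return urlsplit(url).path.lower().endswith(".php")


def is_blocked(url: str) -> bool:
    """Blocklist lookup: host must match and the path must fall under the
    listed prefix ('/siteinfo' and '/siteinfo/' are treated alike, because
    the server serves its default page for both)."""
    host, path = canonicalize(url)
    for bad_host, bad_prefix in BLOCKLIST:
        if host != bad_host:
            continue
        if path == bad_prefix.rstrip("/") or path.startswith(bad_prefix):
            return True
    return False


if __name__ == "__main__":
    for u in ("http://phish.example.net/verify.asp",
              "http://phish.example.net/siteinfo/",
              "http://shared.example.org/login-ebay/index.html",
              "http://legit.example.com/account.php"):
        print(u, "script?", looks_like_script(u), "blocked?", is_blocked(u))
```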
