My e-mail inbox has been remarkably free of phishing messages lately, so I haven’t been able to compare the performance of the IE7 and Google/Firefox phishing filters, as I promised last week. (The filters on my e-mail server do an excellent job of blocking this junk.)
Today, I finally got one – a come-on from a Romanian server attempting to get my Bank of America credentials. The good news is that both IE7 and the Google Toolbar for Firefox nailed it. (Firefox 2 Beta 1 alllowed it right through, but that’s to be expected since the phishing feature isn’t turned on yet.)
In looking at the two browsers side by side, I was able to compare the different behaviors. Here’s IE7:
The URL appears in the address bar, but the page itself is completely blocked. I have to choose to click a link to go to the suspicious page. Any other option sends me somewhere else, away from the unsafe site.
Now here’s how the Google Toolbar flags the same site in Firefox:
The phony page is visible, but grayed out. If I try to click on the site, it doesn’t work because the Web Forgery dialog box has completely taken over the focus. That’s good. And the Get me out of here! link is unmistakable in its effect. The only part I don’t like is the big X in the upper right corner. I don’t know about you, but I’ve learned, Pavlov-style, to click that X whenever I see a popup window or a warning dialog box. In this case, though, clicking the X dismisses the dialog box and allows you to go to the page.
That default behavior seems wrong to me. If I’ve chosen to use a piece of security software, I want it to protect me from any threat unless I specifically and unequivocally choose to ignore its warning. The X in the dialog box is ambiguous, and in my opinion the default behavior in that case should be the exact opposite: I didn’t choose to ignore the warning, so send me somewhere else, far away from that threat.
If anyone at Google or Mozilla is listening, consider this a feature request.