Find safe-browser technologies that really work
By Yardena Arar The major browsers and security programs all tout their ability to warn you about malware sites before you visit them, but do any of these early-warning systems really work?
Experts say they’re all useful, but none provides a silver bullet — and any browser-security product’s claims of superiority are extremely difficult to verify.
One of the ways browsers and their add-ons combat malware is by tracking sites containing infected files and warning you before your browser opens them.
Safe-browsing products and technologies go by different names: Internet Explorer 8 has a SmartScreen Filter, while Firefox and Chrome use the Google Safe Browsing API. Opera’s built-in fraud protection depends on malware data assembled by Netcraft.
If you use Firefox, the free LinkExtend add-on combines alerts from several site-rating services. You’ll find more information about LinkExtend, plus a download link, on the product’s site. WS senior editor Gizmo Richards described the utility in his March 5 Best Software column (paid content).
These products use different techniques to maintain their data on malware-dispensing sites. The analysts I consulted say each technique is effective, although none is perfect. Determining which one works best isn’t easy — or even possible, according to the experts — because their performances in tests will depend heavily on the samples used.
Johannes Ullrich, director of the SANS Institute’s Internet Storm Center, says all safe-browsing features depend to some extent on what he calls a sensor network. For Google’s Safe Browsing API, the sensor network is composed of the search service’s Web crawlers. Other safe-browsing products rely on a large number of volunteers whose systems report rogue URLs to the mother ship as they encounter them.
Of course, the resulting databases of malware-serving sites are only as good as their most-recent scans or user contributions. When a new malware site comes on line — as they do with alarming frequency — it won’t appear in any malware database for some time.
Different browsers use different malware lists
Google’s Safe Browsing API is based almost entirely on what the search engine’s spiders see. The protection depends, therefore, on how frequently the spiders crawl sites and furnish updates to the Safe Browsing blacklist that’s downloaded to Firefox and Chrome. Because of the potential for slowing down the browser, the latest version of the API provides ways to customize the frequency of blocklist downloads.
The bottom line is that there’s inevitably a lag time between the discovery of a new malware site and the addition of that site to a blocklist update.
Safety-conscious users should consult an on-demand database (which, with a broadband connection, shouldn’t impact your overall browser performance). On-demand lists are the default approach in IE 8 and the latest versions of Opera, but you must turn this capability on in Firefox. When you visit a new site, the browser sends the URL to a server that determines whether the site is in the malware database.
However, some observers — such as the Ha.ckers security blog — believe this approach represents a privacy threat. After all, you do reveal to the browser maker which sites you’re visiting. The SANS Institute’s Ullrich says there’s “no blanket answer” to that concern. “That’s something you have to decide for yourself,” he states.
McAfee’s Site Advisor browser add-on and Netcraft’s blocklists are created primarily through feedback from their users. After all, you’re letting the browser maker know what sites you’re visiting. This may or may not produce faster updates than those generated by Web crawlers, depending on the type of site hosting the malware.
Another variable is the type of malware site the safe-browsing product monitors. Netcraft, for example, is heavily oriented toward collecting URLs of phishing sites — hacker dens that imitate legitimate sites. Phishing sites attempt to trick visitors into entering personal information, such as passwords or Social Security numbers.
This is why Opera uses Netcraft data for phishing sites, but information from Haute Secure for sites that attempt to infect your PC with viruses, Trojans, or other malware.
Internet Explorer 8 sniffs out malware sites
Microsoft greatly expanded its SmartScreen Filter protections in the transition from IE 7 to IE 8. The company’s URL Reputation Service, much like other safe-browing systems, collects the names of known phishing and malware sites. However, SmartScreen flags sites based on their heuristics within IE 8 — something not all the other browser watchdogs do.
The heuristics component may explain why Microsoft trounced the competition in an NSS Labs study (PDF) released last August that tested the effectiveness of various browsers in blocking “socially engineered” Web sites. According to NSS Labs, these are sites that trick users into voluntarily downloading malware — for example, a site purporting to offer a video clip sent to you by a friend.
Spokespersons for Google and Opera state that the companies were unable to replicate the results of the NSS Labs study, which was paid for but not designed by Microsoft.
However, as reported by Erik Larkin in PC World’s security blog — and confirmed to Larkin by NSS Labs — the study didn’t test browser effectiveness in keeping people away from exploit sites. These are sites that take advantage of browser vulnerabilities to install malware without your having to download anything, also known as “drive-by downloads.”
“It’s like rating a car for seatbelts and not worrying about airbags,” said Jordy Berson, group product manager for Check Point’s ZoneAlarm division. Berson adds that drive-by downloads may account for up to 70% of all malware delivery. Check Point’s ZoneAlarm ForceField beta program maintains a database of malware URLs based on the company’s own research, along with malware-site data obtained from Netcraft and RSA.
Of the major browsers, Benson says Chrome offers the best protection against exploits because it uses virtualization technology. Thus, malware loaded through exploits “doesn’t hit the actual machine,” according to Berson. The Chromium blog provides more information on Chrome’s built-in “sandbox” feature.
Is definitive safe-browser testing possible?
Various studies of browser safety produce conflicting results. In a separate study (PDF) released last July, NSS Labs focused exclusively on phishing sites and found IE 8 tied statistically with Firefox 3. Symantec points to a Carnegie-Mellon study (PDF) conducted earlier this year that gives the company’s Norton 360 security suite high marks for quick detection of phishing sites obtained through spam e-mail campaigns. Symantec says its software uses blacklists based on its own Web crawlers, plus user feedback and heuristics.
“It’s always hard to do these studies right,” says the SANS Institute’s Ullrich. So much depends on the test sample, especially on whether the sample uses real sites or a controlled set. Heuristics analysis has a huge edge in the latter case. Safe-browsing studies similar to the double-blind studies medical researchers conduct have never been conducted. Such studies would last a year, and the testers wouldn’t know which technology — if any — they were using.
The lack of a clear winner, Ullrich emphasizes, shouldn’t prelude the use of safe-browsing technologies. He estimates that most of these products will catch about 80% of malware sites. “I don’t think there’s anything that’s better. You do get rid of a lot of the bad stuff, and the performance impact is fairly small.”
Jeremiah Grossman, chief technology officer at WhiteHat Security, is more skeptical. “Personally, I don’t think it [safe-browsing technology] matters that much.” He adds that the modern browsers capable of warning you not to visit malware sites tend to have other malware protections as well. Differences between them, he adds, are likely “slight and meaningless.”
“Where it would have made a difference is with IE 6,” Grossman says.”We have new security features to protect the browser that’s not vulnerable.”
Grossman’s recommendation for safe browsing is to use the popular browser of your choice for routine browsing and a different — and preferably less-targeted — browser for serious transactions. He adds that you should always shut the browser down once the transaction is complete.
Grossman’s suggestion sounds like a good strategy to me, but I’ll continue to use all my browser’s security features as well.
WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.
By Dennis O’Reilly 
