There is no 'best browser' for blocking generic phishing attacks, says NSS
Network testing and security analysis firm NSS Labs has released the third part of its comparative browser vulnerability study, this time focusing on phishing protection. The previous installments, released last September, focused on general malware blocking and click fraud.
NSS Labs observed Safari 5, Chrome 21, IE10, and Firefox 15 for ten days and found that the general phishing URL catch rate was pretty good across the board. In fact, the group said there is so little difference in the average block rate between the different browsers that one must "consider other factors, such as socially engineered malware blocking capabilities for qualitative differences in the security effectiveness of the browsers."
Three years ago, NSS Labs says, the mean phishing block rate was 47 percent; now it's 92 percent. This means general phishing URLs are less of a threat than targeted spear-phishing attacks that stay under reputation systems' radar. Also, attackers rotate their malicious sites more frequently to evade reputation-based URL protections.
Each of the tests performed by NSS yielded slightly different results. Chrome 21, for example, had the highest mean block rate for phishing (94%), but the slowest response time for blocking new "zero hour" malicious URLs (53.2%). Firefox 15 had the exact opposite: the lowest mean block rate (90%) but the fastest response time (79.2%).
The entire study, however, has a two percent margin of error, and when taking that into account, Chrome's lead in mean block rate is only one quarter of one percent over Internet Explorer 10, Safari 5, and Firefox 15, which were all within one percent of one another.
"Looking back to 2009, when the best browser blocked 83% and the worst a mere 2%, it is obvious that all of the tested vendors have made significant strides in their abilities to block phishing attacks," the NSS study concludes. "Going forward, the challenge will be to bring down the response time, especially for targeted brands with the largest consumer bases."
Ultimately, it looks like NSS might have proven that the old style of phishing is largely under control. However, the company reiterates that not all browsers are equal, and that social engineering malware and "drive by downloads" are the real defining criteria for a browser's security supremacy.