One phish, two phish, red phishing-shield, green phishing-shield
Microsoft and Mozilla have released their new browsers, Internet Explorer 7 and Firefox 2, which include anti-phishing features that warn end users about web sites that are suspected or known to pose as trusted parties for the purpose of stealing sensitive information such as credit card numbers. Port80 Software makes an excellent point that the anti-phishing features in the new web browsers can compromise privacy by transmitting your web browsing behavior over the internet.
Cryptic disclosure, poor design
Microsoft isn’t too clear about the potential drawbacks of their “automatic website checking” anti-phishing feature. When you upgrade to IE7 you are prompted to enable the feature as part of the upgrade. Microsoft’s security adviser strongly encourages end users to allow automatic website checking with a classic green shield (with a comforting check mark) screaming “everything is A-OK!”, or to opt out by selecting a red shield with an X suggesting “don’t choose me or you will regret it!”
The first time the browser transmits information to Microsoft the following informational message is displayed:
I could only elicit this message by running a “manual” check, and by default it will only display once, so catch it while you can – I had to reset IE to “factory default” to get this copy. Far from being a warning, the message is designed to make you feel comfortable about sending information about your web browsing over the internet, since “information received will not be used to personally identify you.”
How do they ensure that anyhow? Couldn’t someone else intercept this data? Even if they don’t pull an AOL, will Microsoft use the data collected for internal commercial purposes? Until I can verify with a sniffer whether, when and how IE7’s “automatic website checking” is sending my browsing habits over the internet to Microsoft, I am following Port80’s advice to “turn off automatic website checking” in IE7:
Tools – Phishing Filter – Turn off automatic website checking
Don’t select “Phishing Filter Settings” if you value your sanity – it doesn’t take you directly to the appropriate settings. It will get you to the right ballpark, but you need to work a bit to find them. Disabling the anti-phishing filter has no discernible impact on automatic website checking (manual checks are still allowed), but presumably it prevents IE7 from filtering based on its built-in list of phishing sites. Too bad they can’t simply give us that option as a third choice in the first place (they could use their less judgmental yellow shield icon). I can’t help but wonder if Microsoft is trying to get folks to send them behavioral data under the guise of improving their security.
A final note on IE7’s anti-phishing is the ability to report sites to Microsoft. I’m not sure what kind of due diligence Microsoft then applies to sites alleged to be phishing in this way, but hopefully they will apply some kind of logic to avoid the blacklisting of sites for political or commercial reasons.
Hurrah for Firefox 2
What Port80’s blog posting glosses over, perhaps because they are a Microsoft shop, is that Firefox 2’s default behavior is to simply use a built-in list of phishing sites. No confusing or misleading prompts and informational boxes. They provide the option, if you look for it, of using real-time verification against Google’s anti-phishing database – useful for high-risk users concerned with zero-day phishing exploits. When you enable this, Firefox warns the end user appropriately about the potential privacy issue that arises when you transmit your browsing activity over the internet:
Simple. Clear. Decent security and privacy by default. No presenting the end user with strongly loaded “options” (green shield, red shield). The ability to use more advanced anti-phishing methods is provided as an option from Google while being clear about the privacy drawbacks. “Google will not associate the information that Phishing Protection logs with other personal information about you. However, it is possible that a URL sent to Google may itself contain personal information.”
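To make the privacy tradeoff concrete, here is an added illustration (example code written for this post, not anything from Mozilla, Microsoft, Google or Port80) of the two modes contrasted above: a built-in list consulted locally, which sends nothing, and a real-time lookup, which has to ship the URL and therefore whatever personal data the URL happens to carry. The blocklist, the URLs and the “strip the query string before lookup” mitigation are assumptions of the example, not a description of what either browser actually transmitted.

```python
import re
from urllib.parse import urlsplit

# Constructed sample blocklist of hostnames, standing in for a browser's built-in list.
SAMPLE_BLOCKLIST = {"login-verify.example.net", "secure-update.example.org"}

# Rough detector for one common kind of personal data that ends up in URLs.
EMAIL_RE = re.compile(r"[^@/?&=#]+@[^@/?&=#]+\.[a-z]{2,}", re.I)


def local_check(url, blocklist=SAMPLE_BLOCKLIST):
    """Mode 1 (Firefox 2 default): consult only a list already on disk.

    Returns the verdict and what left the machine (nothing)."""
    host = urlsplit(url).hostname or ""
    verdict = "suspected" if host in blocklist else "ok"
    return {"verdict": verdict, "transmitted": None}


def remote_check_payload(url):
    """Mode 2 (real-time verification): the lookup service receives the URL.

    Returns the payload as sent plus any e-mail addresses embedded in it, to show
    that 'a URL sent ... may itself contain personal information'."""
    parts = urlsplit(url)
    personal = EMAIL_RE.findall(parts.query) + EMAIL_RE.findall(parts.path)
    return {"transmitted": url, "personal_data_in_url": personal}


def minimized_payload(url):
    """Assumed mitigation for the remote mode: drop the query string and fragment,
    where form data, session tokens and addresses usually live, before any lookup.
    The host and path still leave the machine, so this reduces, not removes, the leak."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


if __name__ == "__main__":
    # Constructed sample URL: a password-reset link carrying the victim's address.
    sample = "http://login-verify.example.net/reset?user=alice@example.com&token=abc123"
    print(local_check(sample))          # verdict without any network traffic
    print(remote_check_payload(sample)) # full URL, e-mail address included, goes out
    print(minimized_payload(sample))    # what a query-stripping client would send instead
```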
The failure to implement security in a simple, consistent and useful way is yet another reason I don’t trust Microsoft with my web browsing. Add that to a list including but not limited to poor standards compliance, myriad security holes, and being the favorite target for security exploits.
My recommendation for Windows users is to install or update both browsers to these new versions. Use Firefox as your default browser and IE only when a poorly designed site requires it. For power users, I recommend Opera 9.x, which is particularly good for heavy web users thanks to its better performance and features. Opera 9 and Firefox 2 are both also available on OS X and Linux, giving them that much greater usefulness and respectability.