This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."
Pop-ups are at best an annoyance, at worst a lure to malicious sites. Each tested browser is generally effective at blocking pop-ups. Netscape's and IE's controls are a little more granular, permitting designated sites to allow pop-ups and storing them as a site security property, while Firefox has a single button to block pop-up windows. However, Firefox has a configurable whitelist of sites that will permit pop-ups, so there's really little difference.
All three browsers have antiphishing capabilities, but IE 7.0's and Netscape's functionality is embedded in their native code, while Firefox requires an antiphishing toolbar from Web services provider Netcraft.
Password maintenance is a serious security issue: Unencrypted, easily accessible passwords are prime prey for attackers. No worries on that score. All three browsers store application passwords with AES encryption and hide the actual characters from plain-sight view. Nevertheless, password transmission should really be the main concern. We'd love to see the browsers notify users when they are about to send a password in clear text over the Internet.
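The notification asked for above comes down to a check like the following, shown as an added example that is not part of the original article and not any browser's actual code. It also flags passwords that a GET form would place in the URL, which goes slightly beyond the clear-text case the article names. The form descriptor shape, the risk labels and the sample URLs are assumptions made for illustration.

```javascript
// Added example: flag forms that would send a password without transport encryption.
// Field names, URLs and risk labels are assumptions made for this illustration.

function cleartextPasswordRisks(pageUrl, form) {
  const fields = form.fields || [];
  if (!fields.some((f) => String(f.type).toLowerCase() === "password")) {
    return []; // no password field, nothing to warn about
  }
  const page = new URL(pageUrl);
  // A missing or empty action submits to the page's own URL; relative and
  // protocol-relative ("//host/path") actions resolve against the page.
  const target = new URL(form.action || pageUrl, page);
  const method = (form.method || "get").toLowerCase(); // HTML default is GET

  const risks = [];
  if (target.protocol === "http:") risks.push("target-is-http");
  // An http page can be altered in transit, so its https action cannot be trusted.
  if (page.protocol === "http:") risks.push("page-is-http");
  // GET puts form values, including the password, in the URL query string.
  if (method === "get") risks.push("password-in-url");
  return risks;
}

function warningFor(pageUrl, form) {
  const risks = cleartextPasswordRisks(pageUrl, form);
  if (risks.length === 0) return null;
  const host = new URL(form.action || pageUrl, pageUrl).host;
  return `Password for ${host} is exposed: ${risks.join(", ")}`;
}

// Constructed sample forms (example.test is a reserved test domain).
const login = [{ name: "user", type: "text" }, { name: "pw", type: "password" }];
const samples = [
  ["https://shop.example.test/login", { action: "/session", method: "post", fields: login }],
  ["http://shop.example.test/login", { action: "https://shop.example.test/session", method: "post", fields: login }],
  ["https://shop.example.test/login", { action: "http://shop.example.test/session", method: "post", fields: login }],
  ["http://shop.example.test/login", { action: "//auth.example.test/in", fields: login }],
  ["http://shop.example.test/search", { action: "", fields: [{ name: "q", type: "text" }] }],
];

for (const [pageUrl, form] of samples) {
  console.log(pageUrl, "->", warningFor(pageUrl, form) ?? "ok");
}
```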
Phishing attempts, orchestrated by organized criminals, are a major factor in identity theft and a serious threat to online consumer confidence. Using social engineering, attackers lure users to convincingly fake Web sites, usually on hijacked servers.
All three browsers have taken first steps to help thwart phishing and alert users that they may be on a potentially bogus site, but the jury is still out on how much they really will help.
Firefox users can download a free antiphishing toolbar from Web services provider Netcraft (also available for IE 6.0), while IE 7.0 and Netscape embed this capability in native code. All three rely primarily on a blacklist of known phishing sites. This is helpful, but phishing sites are notoriously moving targets--they're taken down as soon as they're discovered, and the crooks simply move to another hijacked server.
IE 7.0 also uses a parsing engine that can potentially identify threats based on string patterns.
This was first published in January 2006