The methodology is (vaguely) described in the first document. The click fraud result was very interesting, it seems that Chrome just doesn't address it at all. Of course I suspect the majority of click fraud goes on in Google's ad network, so Google has an incentive to ignore it just as Microsoft has a reason to catch it.
I don't see why we need click fraud blocking in the browser anyway, unless it was just a by-product of blocking malware, as it could be done way more effectively in the ad network.
The malware report here says they analyze protection from "malware downloads". If so wouldn't that be the job of an antivirus program? I don't understand why the browser is supposed to do this.
If this is basically duplicating what antivirus programs do anyway, then has IE just added some GUI integration with MS's antivirus, and that gives it the good result it gets here? It seems like all browsers will be equally safe given the same antivirus installed on their machine, so the result seems meaningless.
Even less clear is the other report, on click fraud. It mentions software running on the client's machine ("click fraud software installation" etc.), so basically we are again talking about malware? And again, wouldn't a program separate from a browser - an antivirus program - be the right tool to handle that?
Lists of dangerous URLs are something that browsers can do that antivirus programs can't. But oddly that is not the focus of these reports.
It's a reputation system for downloads. Sure, it's something an antimalware can do as well, but given that most software/malware gets downloaded these days, it makes sense to have something like this in the browser.
I'd like to see false positive rates in addition to false negative rates. In my experience, SmartScreen just labels 90% of everything as malware. The false positive rate is important because if the filter is usually wrong users will learn to just ignore it.
SmartScreen is basically a reputation system. If not enough people have downloaded it and it's not known as a threat yet, it chooses to do the default thing and blocks it. That is probably what causes the behavior you referred to. But would you rather let a non-technical person not download a valid binary or let them download malware?
I will avoid the "easy" joke that it's because so many sites balk at running properly under IE9 (oh... guess I didn't after all), and point out that I do believe that Microsoft understands they need to regain a certain amount of cred if they are going to regain the number 3 spot they need to be able to eventually take a shot at the summit again. I do think their development process gets in the way - in that they are set up not to be able to accept good ideas from the community that Firefox and to a lesser extent Chrome are able to. On the other hand, they have a better view of the corporate environment than the others, and I have to assume that will pay off at some point.
IE9 was a good jump in standards but it was only half the job. IE10 should get Microsoft almost back to competitive. Hopefully, Microsoft pushes to Win7 users as promised effectively replacing IE9 in short order.
I think you're referring to the warning about unsigned files? Signed code generally improves security; incidents like the Adobe cert theft are rare. My only complaint is how expensive the certificates can be. Then again, if they were cheap or free we'd just start the cycle of fraud all over again.
I like the Chromebook and Chromebox adverts, but that's probably just me.
When I see a statement such as "IE9 is better at blocking malware than Chrome, Safari, and Firefox combined" I think of it as some clever marketing spin. Reason being is if you got the malware issues of Chrome+Safari+Firefox and compared the result with IE9 malware issues and you see how some statements can be true whilst not being accurate. This is the issue with any sample-based comparison. There are many forms of issues out there and new ones every day at times. Let's face it, only last week IE9 was open to an exploit that the other browsers were not and was emergency patched by Microsoft shortly afterwards.
True answer is no one browser is secure all the time and if you come across a new unpatched exploit in one browser then the option to fall back to another browser is better than being open until it is patched.
From my personal experience I've found Opera to be the best out the box for blocking general crap. Shame that was not included in their testing, especially if they wish to give out solid advice. Also note these are desktop browsers and in that, how mobile browsers fare is still a question left unanswered.
They talk about URLs and MD5 (binary files). Chrome, Safari and Firefox use Google Safe Browsing, which targets malicious pages rather than malicious files. Malicious pages (HTML, JavaScript) are typically hosted on a different domain than the malicious executable. In my experience, GSB focuses on the malicious HTML/JavaScript. If it is blocked, the user never gets to the malicious executable. If NSS feeds URLs of the malicious executable, it is possible GSB misses them. But this would not be a real world case.
I tested GSB and IE about 2 years ago with a much smaller sample set. There was very little overlap between what they block. So I would be curious how the URLs were gathered.
This is the same Microsoft marketing material that NSS Labs puts out every year. It's devoid of any of the information you'd need to quantify, validate, or falsify the findings. In past years NSS at least admitted that Microsoft sponsored these "studies." Now they lack even that transparency.
It's hard to say. Microsoft paid directly for these "studies" in the past, and eventually people started ignoring them. So, now NSS simply doesn't disclose who pays for them.
..really? well, thanks for your thoughtful contribution to the discussion. i hate to shoot-down such an insightful and well thought-out point but a quick check [1] seems to refute your claim. in fact (oddly enough) it appears that, not only do people use it, but a majority of people do.
i honestly don't understand all the hate around ie.. my experience using it on a day-to-day basis has shown it to be a stable, fast, and well-designed (and apparently quite secure) browser..
[+] [-] dmethvin|13 years ago|reply
http://www.nsslabs.com/reports/your-browser-putting-you-risk...
http://www.nsslabs.com/reports/your-browser-putting-you-risk...
[+] [-] asdfaoeu|13 years ago|reply
[+] [-] azakai|13 years ago|reply
[+] [-] Mythbusters|13 years ago|reply
[+] [-] modeless|13 years ago|reply
[+] [-] Mythbusters|13 years ago|reply
[+] [-] EwanG|13 years ago|reply
[+] [-] zethraeus|13 years ago|reply
</rant>
Firefox needs to step its game up here. Although frankly I'm surprised that the browser manufacturers don't share their blacklist data.
[+] [-] melling|13 years ago|reply
[+] [-] at-fates-hands|13 years ago|reply
Hell, even Opera has a better set of developer tools and it hovers around 2.2% of the market. I'm not even including its great mobile emulator either.
[+] [-] drhowarddrfine|13 years ago|reply
[deleted]
[+] [-] ars|13 years ago|reply
So why do their graphs differ so much?
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] maxerickson|13 years ago|reply
[+] [-] CamperBob2|13 years ago|reply
SmartScreen Filter is a product-disparagement lawsuit waiting to happen. I hope I hear about it in time to pile on.
[+] [-] dmethvin|13 years ago|reply
[+] [-] barista|13 years ago|reply
[+] [-] Zenst|13 years ago|reply
[+] [-] jusob|13 years ago|reply
[+] [-] justinschuh|13 years ago|reply
[+] [-] JimmaDaRustla|13 years ago|reply
Although, I'm a nub and don't know how to properly code an AJAX call I'm assuming.
[+] [-] pwniekins|13 years ago|reply
nobody has caught on to the fact that NSS did this test with the latest version of IE and horribly outdated versions of FF and chrome?
Hacker news I expected better of you.
[+] [-] antihero|13 years ago|reply
[+] [-] capo|13 years ago|reply
[+] [-] justinschuh|13 years ago|reply
[+] [-] barista|13 years ago|reply
[+] [-] taw9|13 years ago|reply
[+] [-] pwniekins|13 years ago|reply
[+] [-] dahotre|13 years ago|reply
[deleted]
[+] [-] eddanger|13 years ago|reply
[+] [-] simba-hiiipower|13 years ago|reply
[1] http://marketshare.hitslink.com/browser-market-share.aspx?qp...
[+] [-] 404error|13 years ago|reply