Will sharing malware lists help?

By Vivian Yeo, ZDNet Asia
Wednesday, October 08, 2008 06:52 PM

Browser makers maintain a blacklist of phishing sites that are blocked from public access, in an attempt to provide their users with secured surfing sessions. Such lists, however, should not be made public, according to some industry watchers.

Microsoft's Internet Explorer 8 (currently in its beta 2 version), for example, is said to be on par with competitor browsers such as Mozilla's Firefox in terms of security.

An essential component of these Web browsers' ability to warn users against suspicious URLs is a "blacklist" of known or suspected phishing sites or sites that contain malware.

Not all companies are willing to make such information public.

In an e-mail interview with ZDNet Asia, a Microsoft spokesperson confirmed that the company does not share IE data pertaining to phishing and malware, "due to data source agreements and the dynamic nature of these changes".

According to an e-mail response from a Google spokesperson, the company's Safe Browsing service is provided to both Mozilla's Firefox and Chrome, Google's own browser.

When contacted, industry watchers were divided over whether browser companies should share their lists or data, in the interest of providing better security for online users.

Andrew Walls, research director for security, risk and privacy at Gartner, pointed out that browser companies keep such lists private for competitive advantage.

"The reality is that money drives most of what happens in the computer business, and security is becoming increasingly a discriminating factor for consumers when they decide what software to use, whether they're purchasing or getting it for free," Walls said in a phone interview. "The browser that's able to demonstrate better security is better placed to compete in the market."

However, the Melbourne-based analyst noted that companies that produce and maintain such lists "are very quick about updating their lists", and the lag in updates among competitors is very small. "So the real impact has got to be very light on the users," said Walls.

Chia Wing Fei, F-Secure's security response manager, concurred that there would not be "any huge impact" even if companies maintain their own databases of known malicious and phishing sites. "With their own lists, they can have more control and will be able to respond more quickly to newly found malicious sites," Chia said in an e-mail.

However, William Tan, Websense's Asia-Pacific technical manager, noted that sharing research information "is a big part of the security industry", and gaining access to such lists would imply quicker validation of information which leads to more Net users being protected.

Tan warned, though, that the industry should not rely entirely on blacklists, which "fall short" amid a growing number of Web sites that carry dynamic, user-contributed content. "There are numerous examples where good sites turn bad and are found to be hosting malicious mobile codes injected by hackers," he said in an e-mail interview. "Static blacklists just prove to be inefficient in addressing that part of the Internet, [as they] usually account for the top 100 to 1,000 most frequently accessed Web sites [globally]."



Talkback 1 comments

Having been crippled by phishing lists and unable to get off.....
I run web sites and mail systems for customers. Despite not being on any black lists (DNSBL, Open Phishing etc.) I have customers who are on Yahoo's black list as spammers and some of my utility sites are on Mozilla black lists as phishing sites.

I have checked my clients - no one thinks they are spammers but Yahoo has them banned from sending as they haven't filled in Yahoo paperwork. Having filled the paperwork in they are still stuck on Yahoo blacklists as spammers.
150 DNSBL and spam lists don't record them - just Yahoo.
Normally this would not be an issue but our national provider of ADSL copper and largest ISP/mail provider (being the old national telecom company) has handed all mail services for their customers to Yahoo - thus removing my clients' abilities to send email to a good 25% of the national population (including many govt services).

I personally run utility sites which allow me to upload, manage and sort out clients' web sites. My utility sites have URLs such as web.someCompany.domain.net. They are not Google searchable, are closed except to password access and are only used by me for the purposes of running the web sites. However Mozilla has put these sites (how they got them I have no idea) into their phishing list (Firefox 3 default) and I am banned from visiting and working on my own sites. Again these sites can in no way be considered phishing sites as they are purely a working backend to FTP, file management, Joomla etc. type technologies and are password protected.
With Mozilla I can find no way of contacting the list moderators, had to research hard to find who even owned and provided the list and have no idea why I am banned from using my sites in FF3.

These are two personal examples, and I can give many more for other legitimate businesses and organisations, of where private phishing and black lists are killing the internet with private providers leveraging these lists for personal profit.

In effect the web is being censored at the whim of large corporates and organisations in very dangerous ways. Microsoft, Google, Yahoo, Mozilla are all practicing black listing, search redirection from the address bar and trailing you around changing what you view according to what they think you should see.

Dangerous practices killing the internet for normal users and businesses.
Posted by Shane Hollis on Saturday, December 20 2008 06:16 AM

