How I Spent My Summer Vacation: perspectives on Gone Phishing

Today, 3Sharp announced the release of our report Gone Phishing: Evaluating Anti-Phishing Tools for Windows. Paul's already posted a great FAQ that answers a lot of the common questions on our report. If you have any questions or comments, please, let us know about them!

As one of the researchers and authors of the study, I wanted to make a few more personal comments about the results. Going into the project, we knew that the very fact we were commissioned by Microsoft was automatically going to cause some members of the community to view our results with suspicion -- especially if the Microsoft products came out well. To combat that perception, we meticulously documented every step of our process and every bit of data we used. I can't speak for anyone else, but I confess to being extremely (pleasantly) surprised by the results. Quite frankly, I was expecting IE7 to get p0wned (as Paul would say).

When we started the study, I was a die-hard Firefox user. I'd been using Firefox as my primary browser well before the 1.0 release, relegating IE6 to only the necessary sites -- Exchange Outlook Web Access, SharePoint sites, and other such IE-centric sites I needed to visit in the course of my daily duties. I'd heard that IE7 had included some nifty features, but like many others I dismissed them as playing catch-up. Even when Firefox 1.5 came out and I noticed a bit of a slowdown and slight loss of stability, I still used it faithfully. During the testing, I obviously had to get familiar with IE7 (first beta 2, then beta 3, the version we tested for the final results). While it was nice (and somewhat mind-blowing) to have tabbed browsing under IE, I still used it as a secondary browser.

For those of you who haven't tried to do any anti-phish testing before, one of the biggest difficulties you're going to have is trying to get a large enough quantity of phish. Every day, we would have to sift through many thousands of messages to find a lucky few that a) still pointed to a live site and b) hadn't already been seen by us. By this time, I'd installed IE7 beta 3 as the primary browser on one of the laptops I was using, and I pretty quickly realized that IE7 was already a much better browser than IE6. In fact, when we finished the testing and crunched the final numbers, I went ahead and put IE7 on all of my computers at home and work, and I've even mostly switched off of Firefox as my default browser.

Why would I switch?

  • The anti-phishing protection is a big one. Not so important for me or my wife (who helped us with the screening and thus got far more familiar with phish than she'd ever wanted), but very important for our kids' computer. This computer also gets used by a lot of our houseguests, most of whom are not that tech-savvy.
  • The system-integrated RSS feed reading capabilities. I've got a ton of blogs I read, and for the most part I've been reading them in a web browser. With IE7's RSS features, integrated with Outlook 2007, I can see the same list of feeds in both the browser and the mail client.
  • I have to say that I really like IE7's tabbed browsing handling just a touch better than Firefox's. I still get my right-click "Open in new tab/window" choices, but I also can quickly open a new tab with a single click on IE7's New Tab icon (as well as the Ctrl-T keyboard shortcut, as in Firefox). In Firefox, I'd have to right-click on my tab bar, then select New Tab. Most of all, though, each tab in IE has its own close button; Firefox requires me to click on the Close button to the right of all the tabs.

So in the end, don't take our word for it (or anyone else's). If you're really curious about how well IE7 will protect you from phish, go download it and install it. Trawl through your spam filter and click on links; see where it gets you. Make the decision about whether the product will work for you.

Posted on Thursday, September 28, 2006 12:30 PM
