Hot Take [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (Chrome's built-in protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the results can vary from day to day. Tomorrow, with different links, the results can be very different. All are live links, but they can be dead a few minutes after the test. No duplicates.

Results:
[Attached image: result.png]


Winner: Google Safe Browsing
 

Virtuoso

Nice to see that Kees1958 is using and commenting on Osprey extension:


Chrome Web Store link for the extension:

 

Foulest

One word of warning: be careful with extensions that you can only download from GitHub. Do test it first on a test machine and check the network connections.
That's a good rule, but Osprey is on both the Chrome Web Store and Microsoft Edge Addons and will soon be on Firefox.


When I saw the Osprey extension above, my impulse was to install it and try it out. But then I paused and thought about a recent article regarding the 35 unknown extensions that aren't searchable on the Chrome Web Store but have been installed 4 million times. I realized this isn't for the faint of heart; I can wait another year or two.

Osprey is on both the Chrome Web Store and Microsoft Edge Addons and will soon be on Firefox. It's open-source, so feel free to check the code and the network requests to your heart's content. :)
 

Vitali Ortzi

I have done some random tests out of boredom in recent days on my system against phishing from OpenPhish, and so far the block ratio is 100% (tried 250 pages each now and then from there, and some recent phishing pages from GitHub and PhishTank), although at least one had to be blocked using Check Point Zero Phishing tech (bypasses everything else).
Anyway, I'm actually amazed how it basically replaced my usage of a few extensions while having even better results (TrafficLight, Symantec, Microsoft).


The URL filtering is done by ESET (AV used on the system), extensions (Check Point + Osprey), DNS (Quad9), and browser (Google Safe Browsing).


Obviously, against actual zero-day phishing everything will fail, but so far browsing is snappier than ever and the detection is better than ever, so I'm absolutely thankful we have
Osprey, which doesn't waste I/O, CPU, or RAM (would recommend installing it even on a 2 GB RAM system), and it shouldn't really make a delay that's at least easily measurable, as it doesn't hold pages, hence making it hard to even try to do a calculation of page loading time like DebugBear does to benchmark extensions.

Oh, and those that don't trust Osprey can just clone the repo, manually check the JS code, and update it themselves each time rather than installing from the store, and there probably won't be a big change in providers anyway, as it already has the best ones that are easy enough to implement (no requirement for auth logic, local databases, or anything complex to implement).
 

Kongo


Gandalf_The_Grey

@Foulest Do you publish any release notes?
The Edge version is now 1.0.5, the Chrome version 1.0.8.
You are showing a not yet available Firefox version 1.07.
And on your GitHub the Setting pictures are showing version 1.09.
It would be nice to see what is changed and when it was changed.
 

SeriousHoax

@Foulest Do you publish any release notes?
The Edge version is now 1.0.5, the Chrome version 1.0.8.
You are showing a not yet available Firefox version 1.07.
And on your GitHub the Setting pictures are showing version 1.09.
It would be nice to see what is changed and when it was changed.
I agree that changelogs should be provided with each update.
But looking at GitHub commits, I see that it has now gained the ability to check sites even with free security DNS services
[Attached image: 1744912793796.png]
 

Vitali Ortzi

I agree that changelogs should be provided with each update.
But looking at GitHub commits, I see that it has now gained the ability to check sites even with free security DNS services
View attachment 288134
Wow, that's awesome. Now you can just use the fastest DNS and Osprey will check if the site is malicious, and only after the site loads, hence no slowdowns.
 

Vitali Ortzi

@Foulest Do you publish any release notes?
The Edge version is now 1.0.5, the Chrome version 1.0.8.
You are showing a not yet available Firefox version 1.07.
And on your GitHub the Setting pictures are showing version 1.09.
It would be nice to see what is changed and when it was changed.
GitHub commits are kind of a changelog, although yes, he does need to make it more convenient for a normie to check, like other projects.
 

SeriousHoax

Wow, that's awesome. Now you can just use the fastest DNS and Osprey will check if the site is malicious, and only after the site loads, hence no slowdowns.
Yes, but local system level or router level DNS can block sites outside of the browser, so they still have the advantage.
 

Vitali Ortzi

Yes, but local system level or router level DNS can block sites outside of the browser, so they still have the advantage.
Obviously they will have, but the majority of phishing, malware, etc. comes from the browser anyway, and the fastest DNS server will probably have some malware blocking abilities too (obviously far, far, far less than Osprey).
 

Marko :)

I don't use the extension and it's the first time I'm hearing of it, but I do like the concept. It's like real-time VirusTotal for websites. @Foulest I really do think it's a good solution and I will probably recommend it to my not so tech-wise friends and family members.

The only beef I have with the extension is sending the actual URL to these services, instead of some kind of hash. This is the reason why I simply refuse to use SmartScreen or anything else other than Google Safe Browsing.

Google Safe Browsing works by downloading a list and then by checking domains locally on device. When it finds a match, just then it sends to Google and in hashed format so Google doesn't have any idea which site someone visited. If you use enhanced Safe Browsing, then it works like your extension but way more privacy invasive.
 

Foulest

I agree that changelogs should be provided with each update.
But looking at GitHub commits, I see that it has now gained the ability to check sites even with free security DNS services
View attachment 288134

I've been holding off on pushing 1.0.9 out to browsers, as I keep having to add more features. I'm still waiting on Firefox and Edge to update it to 1.0.8.
 

Foulest

I don't use the extension and it's the first time I'm hearing of it, but I do like the concept. It's like real-time VirusTotal for websites. @Foulest I really do think it's a good solution and I will probably recommend it to my not so tech-wise friends and family members.

The only beef I have with the extension is sending the actual URL to these services, instead of some kind of hash. This is the reason why I simply refuse to use SmartScreen or anything else other than Google Safe Browsing.

Google Safe Browsing works by downloading a list and then by checking domains locally on device. When it finds a match, just then it sends to Google and in hashed format so Google doesn't have any idea which site someone visited. If you use enhanced Safe Browsing, then it works like your extension but way more privacy invasive.
I've done as much as I can to address this on my GitHub page, unfortunately. I'd recommend using a VPN.
 

Foulest

I agree that changelogs should be provided with each update.
But looking at GitHub commits, I see that it has now gained the ability to check sites even with free security DNS services
View attachment 288134
I've been holding off on pushing 1.0.9 out to browsers, as I keep having to add more features. I'm still waiting on Firefox and Edge to update it to 1.0.8.

You can see the state of all the releases on the GitHub's README page under Current Release.
 

Vitali Ortzi

I don't use the extension and it's the first time I'm hearing of it, but I do like the concept. It's like real-time VirusTotal for websites. @Foulest I really do think it's a good solution and I will probably recommend it to my not so tech-wise friends and family members.

The only beef I have with the extension is sending the actual URL to these services, instead of some kind of hash. This is the reason why I simply refuse to use SmartScreen or anything else other than Google Safe Browsing.

Google Safe Browsing works by downloading a list and then by checking domains locally on device. When it finds a match, just then it sends to Google and in hashed format so Google doesn't have any idea which site someone visited. If you use enhanced Safe Browsing, then it works like your extension but way more privacy invasive.
Well, he made it as privacy friendly as possible without sacrificing on security. If he did sacrifice on security to use only ones that use hashes, he probably wouldn't have many providers to use, and anyway I'm not sure how privacy friendly the hash is, as Google can probably reverse it to its URL.
Btw, with only your URL (assuming you use a fake user agent, proxy, etc.), they will still have a hard time tracking you to an extent that would be dangerous to anyone but a cyber criminal, as they most likely wouldn't have much to cross-match with, since everyone has only part of your data and only the proxy has your exact location.
But it's definitely possible, if you visit sites with advertisements, that they will sell extra data to be used to cross-match, so it also depends on your usage how hard it is to cross-match for non-state-sponsored entities.
As with the URL alone they can't do much (again, using a privacy-friendly setup), and only with extra data via a broker can they start tracking you.
 

Marko :)

According to his extension's documentation on GitHub, security vendors will still get your social media profiles, for example, along with your IP address. I don't mind my IP address being collected because every single website collects it, but my social media profiles... Microsoft doesn't need to know that. If malware comes from domain.com, then they certainly don't need anything after .com.

And it's worth keeping in mind: basic Google Safe Browsing (as the one in pretty much all web browsers) sends Google a hashed URL ONLY if a malicious site was found. It doesn't send hashed URLs of clean websites. Now... I understand that this isn't possible with this extension, but I'd at least want the URL to be hashed or encrypted in some way. Or just not to include anything after the TLD in the URL. It really isn't necessary.
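
The three lookup designs compared in the posts above (full URL sent to the vendor, host name only, and a local hash-prefix check that contacts the server only on a match) can be modelled side by side. This is an added example, not part of any post and not Osprey's or Google's code; the function names, the `example.test` URLs and the local list are constructed, and the URL expansion is simplified.

```javascript
// Added example: simplified model, not Osprey's or Google's code.
// All URLs and the local list below are constructed sample data.
const { createHash } = require("node:crypto");

const PREFIX_BYTES = 4; // only a short hash prefix is stored or sent

// Hex SHA-256 prefix of one host/path expression.
function prefixOf(expr) {
  const hex = createHash("sha256").update(expr, "utf8").digest("hex");
  return hex.slice(0, PREFIX_BYTES * 2);
}

// Expand a URL into host-suffix + path-prefix expressions. Simplified:
// real clients canonicalise the URL first and cap the number of combinations.
function expressions(rawUrl) {
  const u = new URL(rawUrl);
  const labels = u.hostname.split(".");
  const hosts = [u.hostname];
  for (let i = 1; i <= labels.length - 2; i++) hosts.push(labels.slice(i).join("."));
  const paths = new Set([u.pathname + u.search, u.pathname, "/"]);
  const segs = u.pathname.split("/").filter(Boolean);
  for (let i = 1; i < segs.length; i++) paths.add("/" + segs.slice(0, i).join("/") + "/");
  return hosts.flatMap((h) => [...paths].map((p) => h + p));
}

// What leaves the device for one navigation under each lookup design.
function disclosed(rawUrl, localPrefixes) {
  const prefixes = new Set(expressions(rawUrl).map(prefixOf));
  return {
    fullUrlLookup: rawUrl,                    // vendor sees path and query too
    hostOnlyLookup: new URL(rawUrl).hostname, // nothing after the host name
    hashPrefixLookup: [...prefixes].filter((p) => localPrefixes.has(p)),
  };
}

// Constructed local blocklist: one prefix for a known phishing path.
const LOCAL_PREFIXES = new Set([prefixOf("phish.example.test/login/")]);
const CLEAN_URL = "https://social.example.test/profile/alice?tab=friends";
const PHISH_URL = "https://phish.example.test/login/index.html?id=1";

for (const url of [CLEAN_URL, PHISH_URL]) {
  console.log(url, disclosed(url, LOCAL_PREFIXES));
}
```

For the clean URL the hash-prefix design sends nothing, while the phishing URL yields a single 8-hex-character prefix that would go to the server for confirmation.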
 

Vitali Ortzi

I don't use the extension and it's the first time I'm hearing of it, but I do like the concept. It's like real-time VirusTotal for websites. @Foulest I really do think it's a good solution and I will probably recommend it to my not so tech-wise friends and family members.

The only beef I have with the extension is sending the actual URL to these services, instead of some kind of hash. This is the reason why I simply refuse to use SmartScreen or anything else other than Google Safe Browsing.

Google Safe Browsing works by downloading a list and then by checking domains locally on device. When it finds a match, just then it sends to Google and in hashed format so Google doesn't have any idea which site someone visited. If you use enhanced Safe Browsing, then it works like your extension but way more privacy invasive.
There is basically an extension that is literally VirusTotal, and it will miss a ton of stuff Osprey easily catches; you can test it yourself here: VT4Browsers - Chrome Web Store

(The reason is that Osprey technically uses the most recent databases by sending directly to the vendor API, usually using their URLF equivalent to the vendor's paid product.)
 
