Hot Take [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

[Evjl's Rain]

Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings

Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings

Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings

Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings

Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings

Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings

Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings

Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings

Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings

Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings

Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings

Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings

Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings

Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings

Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings

Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings


Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links

Spoiler: Links

Dropbox - link test 17-3-2018.txt

Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (built-in chrome's protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

Spoiler: ublock origin filters

http://hosts-file.net/emd.txt
http://hosts-file.net/exp.txt
http://hosts-file.net/pup.txt
http://hosts-file.net/psh.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:

Winner: Google Safe Browsing

 

[Vitali Ortzi]

According to his extension's documentation on Github, security vendors will still get your social media profiles for example, along with your IP address. I don't mind having collected my IP address because every single web site collects it. but my social media profiles... Microsoft doesn't need to know that. If malware comes from domain.com; then they certainly don't need anything after .com.

And worth to keep in mind: basic Google Safe Browsing (as the one in pretty much all web browsers) sends Google hashed URL ONLY if malicious site was found. It doesn't send hashed URLs of clean websites. Now... I understand that this isn't possible with this extension; but I'd at least want URL to be hashes or encrypted in someway. Or just not to include anything after TLD in URL. It really isn't necessary.

It least everything is encrypted by https so only the enabled security vendors and your browser DNS have that data
But yeah it's not exactly privacy friendly although it does its best to be and there is no way no matter hashed or not to not forward a malicious url to be checked unless you have an intelligence database locally downloaded Wich will be massive and impossible to get anything close to what Osprey offers in terms of detection
So hmm it's impossible for Osprey to be perfectly privacy friendly and any alternative to try to emulate that will just be heavy and waste a ton of computation power locally to get far inferior results

 

[Foulest]

According to his extension's documentation on Github, security vendors will still get your social media profiles for example, along with your IP address. I don't mind having collected my IP address because every single web site collects it. but my social media profiles... Microsoft doesn't need to know that. If malware comes from domain.com; then they certainly don't need anything after .com.

And worth to keep in mind: basic Google Safe Browsing (as the one in pretty much all web browsers) sends Google hashed URL ONLY if malicious site was found. It doesn't send hashed URLs of clean websites. Now... I understand that this isn't possible with this extension; but I'd at least want URL to be hashes or encrypted in someway. Or just not to include anything after TLD in URL. It really isn't necessary.

Checking page URLs is much more secure than just checking hostnames. For example, many phishing attacks occur on the legitimate platform Jotform. If we only checked the hostname, it would completely miss the many phishing forms uploaded to Jotform that are only caught by checking full-page URLs.

 

[BSONE]

Checking page URLs is much more secure than just checking hostnames. For example, many phishing attacks occur on the legitimate platform Jotform. If we only checked the hostname, it would completely miss the many phishing forms uploaded to Jotform that are only caught by checking full-page URLs.

Good point. I use ControlD DNS with the NGD (newly generated domain) option ticked.which will prevent most Phishing attempts. DNS protection will not prevent Phishing attempts that use a landing page of a compromised site though (This is a less successful for Phishers though as the URL will be exposed for people who pause and look at the URL before clicking.)
The biigest worry I have though is after the initial compromise very little can be done if the malware connects to safe cloud server domains such as Google, Microsoft, Amazon or tons of other whitelisted cloud storage providers.

 

[Foulest]

Good point. I use ControlD DNS with the NGD (newly generated domain) option ticked.which will prevent most Phishing attempts. DNS protection will not prevent Phishing attempts that use a landing page of a compromised site though (This is a less successful for Phishers though as the URL will be exposed for people who pause and look at the URL before clicking.)
The biigest worry I have though is after the initial compromise very little can be done if the malware connects to safe cloud server domains such as Google, Microsoft, Amazon or tons of other whitelisted cloud storage providers.

That's a problem that Amazon, Microsoft, and Google have to solve on their end. Although some cloud URLs should be present in at least one malicious database if it's part of a well-known malware or phishing campaign. I'd bet that Bitdefender would flag it.