Chrome smoked by Edge in browser phishing test

At last some good news for Microsoft’s ignored Edge browser: new tests by NSS Labs have found that it beats Chrome and Firefox hands down at blocking malware downloads and phishing attacks.

After 23 days of continuous tests between 23 August and 15 September this year, Edge version 38 blocked 96% of the socially-engineered malware (SEM) samples thrown against it in the form of malicious links and pop-ups, compared to 88% for Chrome version 60 and 70% for Firefox version 55. (The researchers describe SEM attacks as “a dynamic combination of social media, hijacked email accounts, false notification of computer problems, and other deceptions to encourage users to download malware”.)

Edge did even better when it came to phishing, blocking 92% of malicious URLs, compared to Chrome’s 75% and Firefox’s 61%.

NSS also looked at “zero hour” protection, which is how long it takes for each browser to block brand new threats once they’ve been introduced into the test.

For zero-hour SEM, Chrome started at 75% before climbing to a peak of 95% after seven days, while Firefox started at 54%, climbing to a peak rate of only 80% over the same period. Compare that to Edge which managed a steady 99.8% from hour one.

For zero-hour phishing URLs, the results weren’t quite as wide, but even here Edge started at 82% to Chrome’s 59% and Firefox’s 51%. Firefox clawed back some of the gap by day seven, scoring a peak rate of 81% to Chrome’s weakening 65%, but still ended up lagging Edge’s 89%.

These differences sound significant but how seriously should we take them?

There are only two variables here, the first of which is NSS Labs’ test methodology. We’ll ignore that, partly because assessing security testing methodologies could consume an entire article on its own but also because there’s a better candidate – the cloud-based blacklists of files and URLs these browsers use to decide what’s trustworthy and what’s not.

Edge uses Microsoft’s SmartScreen (also used by Internet Explorer), while Chrome and Firefox use Google’s Safe Browsing API (also used by Apple’s Safari, Opera and Vivaldi as well by other Google services such as Gmail).

As far as the NSS tests are concerned, we shouldn’t be surprised that SmartScreen performs better than the Safe Browsing API because that’s been the case ever since the company started testing browser SEM blocking performance some years ago.

We might speculate that Microsoft’s vast Windows base gives it an advantage over Google when it comes to gathering intelligence on malware, although that doesn’t explain why it still beats Google at spotting dodgy URLs which both should, in theory, see equally well.

The difference between Edge and Chrome seems to hold true even when they’re running on other platforms, for example when Windows 10 S (which runs only Windows Store apps) is pitted against the Chromebook, Google’s cloud-oriented computers running Chrome OS.

Here, Edge scored a 92% success rate against phishing URLs while Chrome achieved 75%, both scores identical to the same browsers running on Window 10.

Because they don’t run executables, Chromebooks are undoubtedly superior to Windows computers against SEM malware but when it comes to URL detection, these tests suggest they lag.

An interesting question is what all this means for companies using more than one browser, either for compatibility reasons (i.e. older versions of Internet Explorer) or because they fear being exposed to a specific security vulnerability affecting one.

That’s a complex judgment not assessed by NSS Labs but it shouldn’t escape our notice that Edge came last in the CanSecWest Pwn2Own contest earlier this year in terms of contestants finding exploitable software flaws.

These phishing and SEM tests are not the whole story.

In the end, focussing on browser security technology might be to miss the point that devices of all kinds come with other security layers, chief among them their users.

Which is to say that while the person using a computer can be a weakness, they could, if properly trained, also be a strength. Whatever the differences between one browser and another, performance scores should never be seen as compensation for more fundamental weaknesses.