At last some good news for Microsoft’s ignored Edge browser: new tests by NSS Labs have found that it beats Chrome and Firefox hands down at blocking malware downloads and phishing attacks.
After 23 days of continuous tests between 23 August and 15 September this year, Edge version 38 blocked 96% of the socially-engineered malware (SEM) samples thrown against it in the form of malicious links and pop-ups, compared to 88% for Chrome version 60 and 70% for Firefox version 55. (The researchers describe SEM attacks as “a dynamic combination of social media, hijacked email accounts, false notification of computer problems, and other deceptions to encourage users to download malware”.)
Edge did even better when it came to phishing, blocking 92% of malicious URLs, compared to Chrome’s 75% and Firefox’s 61%.
NSS also looked at “zero hour” protection, which is how long it takes for each browser to block brand new threats once they’ve been introduced into the test.
For zero-hour SEM, Chrome started at 75% before climbing to a peak of 95% after seven days, while Firefox started at 54%, climbing to a peak rate of only 80% over the same period. Compare that to Edge which managed a steady 99.8% from hour one.
For zero-hour phishing URLs, the results weren’t quite as wide, but even here Edge started at 82% to Chrome’s 59% and Firefox’s 51%. Firefox clawed back some of the gap by day seven, scoring a peak rate of 81% to Chrome’s weakening 65%, but still ended up lagging Edge’s 89%.
These differences sound significant but how seriously should we take them?
There are only two variables here, the first of which is NSS Labs’ test methodology. We’ll ignore that, partly because assessing security testing methodologies could consume an entire article on its own but also because there’s a better candidate – the cloud-based blacklists of files and URLs these browsers use to decide what’s trustworthy and what’s not.
Edge uses Microsoft’s SmartScreen (also used by Internet Explorer), while Chrome and Firefox use Google’s Safe Browsing API (also used by Apple’s Safari, Opera and Vivaldi as well by other Google services such as Gmail).
As far as the NSS tests are concerned, we shouldn’t be surprised that SmartScreen performs better than the Safe Browsing API because that’s been the case ever since the company started testing browser SEM blocking performance some years ago.
We might speculate that Microsoft’s vast Windows base gives it an advantage over Google when it comes to gathering intelligence on malware, although that doesn’t explain why it still beats Google at spotting dodgy URLs which both should, in theory, see equally well.
The difference between Edge and Chrome seems to hold true even when they’re running on other platforms, for example when Windows 10 S (which runs only Windows Store apps) is pitted against the Chromebook, Google’s cloud-oriented computers running Chrome OS.
Here, Edge scored a 92% success rate against phishing URLs while Chrome achieved 75%, both scores identical to the same browsers running on Window 10.
Because they don’t run executables, Chromebooks are undoubtedly superior to Windows computers against SEM malware but when it comes to URL detection, these tests suggest they lag.
An interesting question is what all this means for companies using more than one browser, either for compatibility reasons (i.e. older versions of Internet Explorer) or because they fear being exposed to a specific security vulnerability affecting one.
That’s a complex judgment not assessed by NSS Labs but it shouldn’t escape our notice that Edge came last in the CanSecWest Pwn2Own contest earlier this year in terms of contestants finding exploitable software flaws.
These phishing and SEM tests are not the whole story.
In the end, focussing on browser security technology might be to miss the point that devices of all kinds come with other security layers, chief among them their users.
Which is to say that while the person using a computer can be a weakness, they could, if properly trained, also be a strength. Whatever the differences between one browser and another, performance scores should never be seen as compensation for more fundamental weaknesses.
Matt
Fundamentally flawed test. Without a false positive test and a false negative test all we know is that Edge blocks more requests, which is in and of itself not a good thing.
Didn’t we learn this from IDSs?
RMc-Canada
Love my Edge ;-)
Brian T. Nakamoto
Instead of mostly reserving SmartScreen as a competitive advantage for Edge, Microsoft should make SmartScreen available as a proxy for all Windows network traffic, and then tout SmartScreen as a general security feature like Defender.
Anonymous
Yes it works too good. I get blocked downloads and sites that I do need to go to all the time with Edge. So, fix your tests and include real people that can’t get to websites they may need to!
Tom
I use Firefox most of the time and have used Sophos Home for years. Recently I’ve noticed that Sophos is warning me about potentially harmful sites with a notification. Is this new or have I just not been paying attention?
Mark Stockley
Sophos Home has always blocked harmful sites.
Mike
What a pity Edge is so slow, tried all the fixes but given up on it.
Jack Smith
Edge is the most insecure browser there is. Basically at pawnd 2017 hacked at will. Should be avoided.
John
EDGE LUL!
txpatriot
If no one uses Edge, Microsoft has only themselves to blame.
The security history if MSIE was so atrocious, no one is willing to give them another chance, even if Edge is based on totally new and different code. If Edge is really that good, in time its superiority will win out.
OTOH, Beta never overtook VHS . . .
Bob Leander
I really enjoy the Edge dark theme
Steven
May be a success now yet recently with in a year that fake Microsoft Alert appeared and I saved pictures of it using Chrome
Jim
Where is Internet Explorer in this roundup? I still prefer IE, and would like to know if it fares as well as Edge. (Until Edge catches up to at least IE’s standards, I have no reason to switch.)
John S
IE is seriously aged to a point its really a handicap to use it. Its performance is sub par to any other browser and its receiving no new features or updates. Just security updates, which don’t help much given the age of the browser. Your really better off learning to try another browser just on the improvements of performance and security. Edge is already far past IE standards in every possible measurement. So has any other browser out there, IE is a dinosaur not the other way around. Any web site today is not focused on IE at all.
John S
I like Edge but by habit I generally use Chrome and I think that’s typical of browser use. People use what they have used for a while and do not change on a whim. Not unless something else shows some real improvements. Edge isn’t bad its just not anything special and in many ways it lacks what Chrome has which is maturity, multi platform, more extensions, and syncing abilities.
If your less interested by that stuff and just find Edge simple and fast you may in fact use it. According to browser stats that’s not very many users. Chrome appears to have the right combination and I even question if Firefox 57 has anything to offer that would cause users to switch from Chrome. Especially with other services Google offers, it’s difficult to see any browser being anything but distant second or third to Chrome.