Opinion: are anti-phishing toolbars worth the bother?

Stop phishing with a nifty toolbar for your browser. Or perhaps just end up thoroughly confused instead.

Anti-phishing toolbars are supposed to be a definitive way of telling whether the website you’re visiting is fake, dangerous to visit or just plain nasty to know.

We’ve commented on these before and still they keep coming. I have now acquired so many of these, stacked one on top of the other at the top of the Internet Explorer browser view, that I fear I might have to start scrolling to read beyond a third of each visited page.

The latest addition to the spawning brood is TrustWatch Search, launched a couple of weeks back by GeoTrust.

At least one esteemed organ of the press has taken it for a spin, and found it wanting. Apparently, TrustWatch declared one bogus facsimile site to be “verified”, with the rival Netcraft toolbar doing only slightly better in its attempt to identify the site as dodgy.

That a fake and potentially dangerous site can be given trusted status is disconcerting. But even without mis-identification, there’s a more fundamental problem. We know there are sites that harbour danger, and there are also a select few that are zero danger, but that still leaves a vast swathe of sites that don’t fall obviously into either one of these extremes.

How are these rated? Taking techworld.com as an example, TrustWatch is eerily non-committal, rating it as “not verified”. If you’re in doubt about what this means, the following explanation is offered:

“A Not Verified rating means that TrustWatch cannot determine that the site has been Verified by a Trusted Third Party. However, the site has not been listed on the TrustWatch blacklists of disreputable or suspicious sites. You should use caution before exchanging sensitive or confidential information with this site.”

We’d take this rather suspicious rating personally if it weren’t that TrustWatch comes to a similar non-conclusion about many other sites, including some well-known ones such as John Lewis Partnership (a large department store), Sainsbury’s (a UK supermarket), and IDG.net (a large IT publishing company, and publisher of Techworld).

The explanation for all this is simple: getting a trusted tag means paying for it by purchasing an SSL certificate, or being one of the minuscule number of websites that are well enough known not to need one. You can buy these from a number of sources, including, of course, TrustWatch’s creators, GeoTrust. These cost from $189 and up, with the “up” being quite a long way up.

Important as SSL certification is, doesn’t this conflict of interest undermine the usefulness of GeoTrust’s toolbar somewhat? The key is the volume of information offered when telling you that a site is “not verified”, such as when the domain was registered, its hosting company, and when it was first active.

In GeoTrust’s case, this information is very limited, and far from enough to make a balanced judgement about a site’s trustworthiness. Why GeoTrust is so mean with background is unclear.

By contrast, the CallingID toolbar verifies Techworld.com quite happily, stating “techworld.com Server location: Great Britain (UK); Owner: International Data Group, United Kingdom, 99 Grays Inn Road, London, London WC1X8UT”.

In fact, this is enough information, gleaned from domain record lookups and other background history (including domains hosted by that ISP), for Netcraft to declare Techworld.com as “verified” and to have a positive risk rating.

Neither approach is inherently wrong, but it is still unclear how an indeterminate and generalised risk assessment such as that of GeoTrust’s TrustWatch actually benefits the end user. Commercial entities, especially smaller ones disinclined to pay for certificates every year, also deserve to be described in a way that doesn’t risk putting visitors off.

My advice is very simple. Anti-phishing toolbars conform to no official standards. They reflect the manners of their creators. Caveat emptor. Buyer – or downloader – beware.


