We had two different views of the Phishing Filter, Microsoft's new anti-phishing protection feature set.
As you surf, you'll want to keep an eye on the bottom of the display, which now offers an icon informing you when it blocks pop-ups and cookies. You can click on these icons to see exactly what was stopped. There's also an icon that fades in and out like Casper the Friendly Ghost as each new page loads. It shows that IE 7 is checking a page you've just loaded for possible phishing characteristics. When the icon in the status bar winks out, a yellow warning icon is placed beside the URL address bar if the site is deemed to be "suspicious." No yellow warning means that Phishing Filter has deemed the site to be okay.
I took IE 7 to an obvious phishing URL I had recently received (you know the type: "PayPal Notification of Limited Account Access"). The yellow warning appeared; when I clicked it, IE 7 displayed this message: "Phishing Filter has determined that this might be a phishing website. We recommended you do not give any of your information to such websites." I was also given the option to click on a link to a Microsoft Phishing Filter Feedback page where I could report whether I thought this was truly a phishing site.
I decided to play the part of a really stupid user, so I ignored the yellow URL and proceeded to put a name and password (false, of course) into the form. I was immediately taken to another page that told me my credit card was reported as lost or stolen, and asked me to fill in unimportant information such as my name, credit card number, PIN, social security number, banking ID, billing address.... Again, the "Suspicious Website" notification came up.
This is useful stuff, but I'm not sure it's enough. It took at least a full minute for the notification to come up (during which time most decent typists could have had the form filled in and sent), and the yellow button displacing part of the Address bar isn't really all that noticeable. If Microsoft really wanted to stop innocent users from giving personal information to scammers and other nasty folk, a more prominent "Are you sure you want to type personal information into this Web page?" notice would have been nice.
The other side of the coin could present issues for businesses. When I loaded my Scot's Newsletter site, I found virtually every page on my site (hundreds of pages) caused IE 7 to display the yellow "Suspicious Website" warning. When you click the yellow button, there's a link for Webmasters and site owners to notify Microsoft that their sites are incorrectly labeled this way. To submit a page for human examination, you have to fill out ten separate fields, including personal information. Then you send it off to Microsoft.
The first time I did this, I assumed Microsoft would check over the entire site when it realized its mistake. But, no -- what it did was to agree with me that the page in question didn't represent a phishing threat, turning off the yellow suspicious Web site warning for just that one page. I got an auto-generated message 24 hours later letting me know of the company's decision. There's no way to reply to the message.
The submission form doesn't let you submit any more than one page at a time. So I thought, I'll submit another page and ask them in one of the five free-form fields to examine every page on my site. I got the exact same auto-generated email response as I did with the first submission, and again, Microsoft had turned off the warning for just that one page. The third time around I put the same request in every field asking for all the pages on my site to be reviewed. It took about five days for this to occur, but at last Microsoft got it right. Every page but one was free of the yellow warning. I just submitted that one page and it, too, was free of the warning the next day.
I interviewed three of the folks at Microsoft who are responsible for the Phishing Filter about the issues I experienced as a Webmaster/Web site owner. They readily agreed that blog and newsletter sites have tended to be a problem for the Phishing Filter, and said that this is something they will have fixed by the time IE 7 ships. But they stopped shy of saying that they would make it easy for entire Web sites to be submitted for review. Their fear is that phishing scammers will set up domains, have them reviewed as safe, and then add the malicious tools after Microsoft has blessed them. I can understand that problem. But it points out to me that the technology they're using might need to be improved. It's too soon to say that for sure in this early beta, but it's something to keep an eye on.
I should add that we have found very few sites on the Internet so far that seem inappropriately tagged with the Suspicious Website tag. So, by and large, Microsoft has gotten this right. But they need to make it easier for legitimate businesses whose Web sites are their front doors to free themselves of Microsoft labeling them as phishing scams when they're not. If you're going to set yourself up as final arbiter when the ruling could be potentially damaging to another company, you better get it right -- or make it easy to set it right.
Security and Out
There's quite a bit more security in IE 7, too. The Windows Vista version of IE 7 will provide a Protected Mode that gives the browser sufficient rights to browse the Web, but not enough rights to modify user settings or data. Protected Mode will only be available to Vista users because the functionality depends on the reworked user account system in Windows Vista. Vista's version of IE 7 will also be able to automatically install security and other updates; that will not be the case in the XP version. New parental controls will be available for Limited accounts (we were unable to make the Windows Parental Controls control panel work). There's also a new "ActiveX Opt-in" feature that's apparently in the 5231 code but we haven't been able to prompt it into action.
We'll weigh in with insights and opinions about how much better IE 7 is when the beta 2 code is released; it's expected around the middle of December.