Comments (69)
- lich_king: I don't understand the metric they're using. Which is maybe to be expected of an article that looks LLM-written. But they started with ~250 URLs; that's a weirdly small sample. I'm sure there are tens of thousands of malicious websites cropping up monthly. And I bet that Safe Browsing flags more than 16% of that? So how did they narrow it down to that small number? Why these sites specifically? ... What's the false positive / negative rate of both approaches? What's even going on?
- mholt: I never loved the idea of GSB or centralized blocklists in general due to the consequences of being wrong, or the implications for censorship. So for my master's thesis about 6-7 years ago now (sheesh) I proposed some alternative, privacy-preserving methods to help keep users safe with their web browsers: https://scholarsarchive.byu.edu/etd/7403/ I think Chrome adopted one or two of the ideas. Nowadays the methods might need to be updated, especially in a world of LLMs, but regardless, my hope was/is that the industry will refine some of these approaches and ship them.
- obblekk: Maybe I'm an outlier but I'd rather this than accidentally block legit sites. Otherwise this becomes just another tool for Google to wall in the subset of the internet they like.
- pothamk: One thing that often gets overlooked in these comparisons is distribution latency. Detecting a phishing domain internally is one problem, but pushing a verified block to billions of browsers worldwide is a completely different operational challenge. Systems like Safe Browsing have to worry about propagation time, cache layers, update intervals, and the risk of pushing a false positive globally. A specialized vendor can update instantly for a much smaller customer base. That difference alone can easily look like a "miss" in snapshot-style measurements.
- kopollo: Let me give you a simple detection algorithm. Apply OCR to the screenshot because they often use logos. Also, parse the text from the HTML and compare it to the URL. You can catch a lot of spam this way. You can also examine many parameters in the JS/HTML code.
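The text-versus-URL comparison kopollo sketches, as an added example that is not from any commenter, the article, or the Muninn extension. The brand table, sample page and URLs are constructed, and the registrable-domain split is a simplification (a real check would consult the Public Suffix List):

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand table: brand word -> domains that legitimately serve its login pages.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "paypal": {"paypal.com"},
    "dropbox": {"dropbox.com"},
}

class _TextExtractor(HTMLParser):
    """Collect the text a user actually sees, skipping <script> and <style> contents."""
    def __init__(self):
        super().__init__()
        self._skip = 0      # nesting depth inside script/style
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def visible_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.chunks).lower()

def registrable_domain(url: str) -> str:
    # Simplification: keep the last two host labels. A real check should consult the
    # Public Suffix List so that "co.uk" or CDN-style hosts are split correctly.
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def brand_mismatch(url: str, html: str) -> list:
    """Brands named in the visible text that the URL's domain is not known to serve.
    A hit is a signal to weigh, not a verdict: help pages and news articles name brands too."""
    words = set(re.findall(r"[a-z]+", visible_text(html)))
    domain = registrable_domain(url)
    return sorted(b for b, doms in BRAND_DOMAINS.items()
                  if b in words and domain not in doms)

# Constructed sample: a lookalike login page served from an unrelated domain.
SAMPLE_PAGE = ('<html><head><style>.x{}</style><script>var b="paypal";</script></head>'
               '<body><h1>Sign in to your Microsoft account</h1></body></html>')
```

`brand_mismatch("https://login-secure-example.test/ms/", SAMPLE_PAGE)` returns `['microsoft']`, while the same page served from `login.live.com` returns an empty list; the `paypal` string inside the script is ignored because it is not visible text.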
- timnetworks: The most dangerous links recently have been from sharepoint.com, dropbox.com, etc. and nobody is going to block those.
- dvh: Just yesterday I marked another Gmail phishing scam. This wouldn't be worth mentioning, but they are using Google's own service for it. It has to be intentional; there is no other explanation. https://news.ycombinator.com/item?id=46665414
- virken: I'm all for stopping phishing - and the tool sounds great - but I have to say the Web Store Extension listing is very concerning - even with a new company/offering - there's only 4 users - and 1 rating (a 5 of course) - I'd like to try - but seems phishy :-(
- kemotep: Default deny and only permitting what you explicitly allow stops 90% of this in a corporate environment. You don't just leave all your ports open on the firewall and only close the ones exploited. You default deny and only allow the bare minimum you need in.
- candiddevmike: I'm getting some kind of Chrome security warning when using Zscaler now. Discussing all of this with non-techies, I think folks are overwhelmed by all of the security warnings they get and have stopped paying attention to them. So what's the point of doing all of this if there isn't some kind of corresponding education on responsible computer use? There needs to be some personal responsibility here; you can't protect people against everything.
- supermatt:
  > When we ran the full dataset through the deep scan, it caught every single confirmed phishing site with zero false negatives. The tradeoff is that it flagged all 9 of the legitimate sites in our dataset as suspicious
  Huh? Does this mean it just flagged everything as suspicious?
- thayne: It would be interesting to see how many of the sites Safe Browsing does block are false positives.
- dsr_: Almost all email phishing attempts we receive come from GMail.
- xnx: Why should I trust that "Norn Labs" knows what is and is not a phishing site?
- nico: On a tangent - Gmail has a feature to report phishing emails, but it seems like it's only available on the website. Their mobile app doesn't seem to have the option (same with "mark as unread"). Is it hidden or just not available?
- PunchyHamster: They put them directly in front of search results, why would they not miss them?
- lorenzoguerra:
  > We also ran the full dataset of 263 URLs (254 phishing, 9 confirmed legitimate) through Muninn's automatic scan. This is the scan that runs on every page you visit without any action on your part. On its own, the automatic scan correctly identified 238 of the 254 phishing sites and only incorrectly flagged 6 legitimate pages.
  ...so it has a false positive rate of 67%? On a ridiculously small dataset?
- passwordoops: Anecdotal and loosely related, but I can say since Gemini was forced into Gmail, much more obvious SPAM passes the filter.
- hedora: So, the false negative rate was 84%, but what was the false positive rate? They have a table "AUTOMATIC SCAN RESULTS (263 URLS)" that sort of presents this information. Of the 9 sites that were negatives, they say they incorrectly flagged 6 as phishing. With a false positive rate of 66%, it's not surprising they were able to drive down their false negative rate. Also, the test set of 254 phishing sites with 9 legitimate ones is a strange choice. (Or maybe they need to work on how they present data in tables; tl;dr the supporting text.)
- itvision: Criminals can easily show Google crawlers "good" websites. The fact that Safe Browsing even works is already good enough.
- sirpilade: But hits 100% of browsing tracking
- notepad0x90: Glass is half empty, I see. How about GSB stopped 16% of phishing sites? That's still huge.
- 7777777phil: Blocklists assume you can separate malicious infrastructure from legitimate infrastructure. Once phishing moves to Google Sites and Weebly that model just doesn't work.
- throawayonthe:
  > ...full dataset of 263 URLs (254 phishing, 9 confirmed legitimate)
  > ... automatic scan is optimized for precision (keeping false alarms low...
  really?
  > When we ran the full dataset through the deep scan, ... it flagged all 9 of the legitimate sites in our dataset as suspicious
  lol
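The rates that supermatt, lorenzoguerra, hedora and throawayonthe are arguing over, computed from the counts quoted in the thread, as an added example that is not from the article, Norn Labs or any commenter. The one-in-1,000 prevalence used to show what a 6-of-9 false-positive rate would mean on real browsing traffic is a constructed assumption, not a measured figure:

```python
def rates(tp: int, fn: int, fp: int, tn: int) -> dict:
    """Confusion-matrix rates. tp/fn count phishing pages (caught/missed),
    fp/tn count legitimate pages (wrongly flagged/correctly passed)."""
    return {
        "tpr": tp / (tp + fn),                             # share of phishing caught
        "miss_rate": fn / (tp + fn),                       # share of phishing missed
        "fpr": fp / (fp + tn),                             # share of legitimate pages flagged
        "precision": tp / (tp + fp) if tp + fp else 0.0,   # share of flags that were right
    }

def precision_at_prevalence(tpr: float, fpr: float, prevalence: float) -> float:
    """P(phishing | flagged) by Bayes' rule when a fraction `prevalence` of visited
    pages is phishing. Precision measured on a 254:9 test set says little about
    this, because that base rate is nothing like real traffic."""
    flagged_phish = prevalence * tpr
    flagged_legit = (1.0 - prevalence) * fpr
    return flagged_phish / (flagged_phish + flagged_legit)

# Counts as quoted in the thread: 263 URLs, 254 phishing and 9 legitimate.
AUTO_SCAN = dict(tp=238, fn=254 - 238, fp=6, tn=9 - 6)   # automatic scan
DEEP_SCAN = dict(tp=254, fn=0, fp=9, tn=0)               # deep scan flagged everything

# Constructed assumption for illustration only: one phishing page per 1,000 page loads.
ASSUMED_PREVALENCE = 0.001

def summarize(counts: dict, prevalence: float = ASSUMED_PREVALENCE) -> dict:
    r = rates(**counts)
    r["precision_in_the_wild"] = precision_at_prevalence(r["tpr"], r["fpr"], prevalence)
    return r

if __name__ == "__main__":
    for name, counts in (("automatic", AUTO_SCAN), ("deep", DEEP_SCAN)):
        print(name, {k: round(v, 4) for k, v in summarize(counts).items()})
```

On the test set the automatic scan's precision is 238/244, but under the assumed prevalence fewer than 1 in 100 of its flags would be real phishing, and the deep scan's flags would be right exactly as often as the base rate, which is the "flag everything" point made above.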
- nickphx: So I tested out the extension.. First the extension spammed me with "login required".. So I click the notification to be taken to a login page.. Great? Now I have to create an account and verify a link.. Now I can test how great this is against a "fresh" facebook phishing page being actively promoted via Facebook Ads..
  hxxps://r7ouhcqzdgae76-fsc0fydmbecefrap.z03.azurefd.net/new2/?utm_medium=paid&utm_source=fb&utm_id=6900429311725&utm_content=6900429312725&utm_term=6900429314125&utm_campaign=6900429311725
  The "extension" did a "scan". {"url":"https://r7ouhcqzdgae76-fsc0fydmbecefrap.z03.azurefd.net/new2..."} response: {"classification":"clean"} great work?
  If I click "Deep scan".. I see a screenshot blob being sent over.. response: { "classification": "phish", "reasons": [ "Our system has previously flagged this webpage as malicious." ] }
  So if the site were already flagged, why does the "light" scan not show that?
- caaqil: Yeah, maybe let's change the title to remove that 84% rate. It's meaningless because it's just 254 websites, given the scale of what Google Safe Browsing deals with. How is this serious? This is marketing slop. If the title isn't enough of an indicator, the ending should be:
  > If you're interested in trying Muninn, it's available as a Chrome extension. We're in an early phase and would genuinely appreciate feedback from anyone willing to give it a shot. And if you run across phishing in the wild, consider submitting it to Yggdrasil so the data can help protect others.
- hulitu: The purpose of "Safe Browsing" is to send your URLs to Google.
- iqandjoke: But why does Apple choose to work with this on Safari?
- nickphx: "If you're interested in trying Muninn, it's available as a Chrome extension. We're in an early phase" Domain is less than 4 months old.. Software is "early phase".. Already making misleading marketing claims of usefulness..
- varispeed: When will Google remove scams, phishing and other nonsense from their advertising? Especially the scareware stuff, where AI videos say someone might be listened to / hacked and here is the software that will help block it / find it whatnot. Then they collect personal data.
- xvector: There's probably like one engineer maintaining this as a side project at the company
- mrexcess: These statistics would be a lot better if they were compared directly to the same measurements taken from dedicated cloud SWGs/SSEs like Zscaler. My somewhat subjective sense is that the whole industry is in a bit of a rough patch; the miss rate seems to be noticeably climbing all across the board.
- epicprogrammer: Having spent some time in the anti-abuse and Trust & Safety space, I always take these vendor reports with a massive grain of salt. It's a classic case of comparing apples to vendor-marketing oranges. A headline screaming about an 84% miss rate sounds like a systemic collapse until you look at the radically different constraint envelopes a global default like GSB and a specialized enterprise vendor operate under.
  The biggest factor here is the false-positive cliff. Google Safe Browsing is the default safety net for billions of clients across Chrome, Safari, and Firefox. If GSB's false-positive rate ticks up by even a fraction of a percent, they end up accidentally nuking legitimate small businesses, SaaS platforms, or municipal portals off the internet. Because of that massive blast radius, GSB fundamentally has to be deeply conservative. A boutique security vendor, on the other hand, can afford to be highly aggressive because an over-block in a corporate environment just results in a routine IT support ticket.
  You also have to factor in the ephemeral nature of modern phishing infrastructure and basic selection bias. Threat actors heavily rely on automated DGAs and compromised hosts where the time-to-live for a payload is measured in hours, if not minutes. If a specialized vendor detects a zero-day phishing link at 10:00 AM, and GSB hasn't confidently propagated a global block to billions of edge clients by 10:15 AM, the vendor scores it as a "miss." Add in the fact that vendors naturally test against the specific subset of threats their proprietary engines are tuned to find, and that 84% number starts to make a lot more sense as a top-of-funnel marketing metric rather than a scientific baseline.
  None of this is to say GSB is perfect right now. It has absolutely struggled to keep up with the recent explosion of automated, highly targeted spear-phishing and MFA-bypass proxy kits. But we should read this report for what it really is: a smart marketing push by a security vendor trying to sell a product, not a sign that the internet's baseline immune system is totally broken.
- bethekidyouwant: Their example is really dumb. Eventually, you get a fake Microsoft login page, but they clip out the address bar which clearly isn't a Microsoft address, so your autocomplete password isn't going to be put into the form and you'd have to be pretty dumb to type it in by hand or even to know your Microsoft password; it should be some random thing generated by Safari or whatever your password manager is. Not to mention two-factor authentication.