Google Safe Browsing missed 84% of confirmed phishing sites
jdup7
273 points
81 comments
March 05, 2026
Related Discussions
Found 5 related stories in 49.6ms across 3,471 title embeddings via pgvector HNSW
- We indexed the Delve audit leak: 533 reports, 455 companies, 99.8% identical fadijob · 115 pts · March 22, 2026 · 43% similar
- Is BGP safe yet? janandonly · 244 pts · April 01, 2026 · 43% similar
- I audited the privacy of popular free dev tools, the results are terrifying WaitWaitWha · 52 pts · March 03, 2026 · 42% similar
- Google Just Patented the End of Your Website bookofjoe · 39 pts · March 27, 2026 · 41% similar
- Most-read tech publications have lost over half their Google traffic since 2024 Growtika · 210 pts · March 03, 2026 · 41% similar
Discussion Highlights (20 comments)
supermatt
> When we ran the full dataset through the deep scan, it caught every single confirmed phishing site with zero false negatives. The tradeoff is that it flagged all 9 of the legitimate sites in our dataset as suspicious Huh? Does this mean it just flagged everything as suspicious?
lich_king
I don't understand the metric they're using. Which is maybe to be expected of an article that looks LLM-written. But they started with ~250 URLs; that's a weirdly small sample. I'm sure there are tens of thousands malicious websites cropping up monthly. And I bet that Safe Browsing flags more than 16% of that? So how did they narrow it down to that small number? Why these sites specifically?... what's the false positive / negative rate of both approaches? What's even going on?
PunchyHamster
They put them directly in front of search results, why would they not miss them ?
xvector
There's probably like one engineer maintaining this as a side project at the company
candiddevmike
I'm getting some kind of chrome security warning when using zscaler now. Discussing all of this with non-techies, I think folks are overwhelmed by all of the security warnings they get and have stopped paying attention to them. So what's the point of doing all of this if there isn't some kind of corresponding education on responsible computer use? There needs to be some personal responsibility here, you can't protect people against everything.
dvh
Just yesterday I marked another Gmail phishing scam. This wouldn't be worth mentioning but they are using Google's own service for it. It has to be intentional, there is no other explanation. https://news.ycombinator.com/item?id=46665414
iqandjoke
But why Apple choose to work with this on Safari?
nico
On a tangent - gmail has a feature to report phishing emails, but it seems like it’s only available on the website. Their mobile app doesn’t seem to have the option (same with “mark as unread”). Is it hidden or just not available?
itvision
Criminals can easily show Google crawlers "good" websites. The fact that Safe Browsing even works is already good enough.
7777777phil
Blocklists assume you can separate malicious infrastructure from legitimate infrastructure. Once phishing moves to Google Sites and Weebly that model just doesn't work.
lorenzoguerra
>We also ran the full dataset of 263 URLs (254 phishing, 9 confirmed legitimate) through Muninn's automatic scan. This is the scan that runs on every page you visit without any action on your part. On its own, the automatic scan correctly identified 238 of the 254 phishing sites and only incorrectly flagged 6 legitimate pages. ...so it has a false positive rate of 67%? On a ridiculously small dataset?
mholt
I never loved the idea of GSB or centralized blocklists in general due to the consequences of being wrong, or the implications for censorship. So for my masters' thesis about 6-7 years ago now (sheesh) I proposed some alternative, privacy-preserving methods to help keep users safe with their web browsers: https://scholarsarchive.byu.edu/etd/7403/ I think Chrome adopted one or two of the ideas. Nowadays the methods might need to be updated especially in a world of LLMs, but regardless, my hope was/is that the industry will refine some of these approaches and ship them.
sirpilade
But hits 100% of browsing tracking
notepad0x90
Glass is half empty, I see. How about GSB stopped 16% of phishing sites? that's still huge.
epicprogrammer
Having spent some time in the anti-abuse and Trust & Safety space, I always take these vendor reports with a massive grain of salt. It’s a classic case of comparing apples to vendor-marketing oranges. A headline screaming about an 84% miss rate sounds like a systemic collapse until you look at the radically different constraint envelopes a global default like GSB and a specialized enterprise vendor operate under. The biggest factor here is the false-positive cliff. Google Safe Browsing is the default safety net for billions of clients across Chrome, Safari, and Firefox. If GSB’s false-positive rate ticks up by even a fraction of a percent, they end up accidentally nuking legitimate small businesses, SaaS platforms, or municipal portals off the internet. Because of that massive blast radius, GSB fundamentally has to be deeply conservative. A boutique security vendor, on the other hand, can afford to be highly aggressive because an over-block in a corporate environment just results in a routine IT support ticket. You also have to factor in the ephemeral nature of modern phishing infrastructure and basic selection bias. Threat actors heavily rely on automated DGAs and compromised hosts where the time-to-live for a payload is measured in hours, if not minutes. If a specialized vendor detects a zero-day phishing link at 10:00 AM, and GSB hasn't confidently propagated a global block to billions of edge clients by 10:15 AM, the vendor scores it as a "miss." Add in the fact that vendors naturally test against the specific subset of threats their proprietary engines are tuned to find, and that 84% number starts to make a lot more sense as a top-of-funnel marketing metric rather than a scientific baseline. None of this is to say GSB is perfect right now. It has absolutely struggled to keep up with the recent explosion of automated, highly targeted spear-phishing and MFA-bypass proxy kits. But we should read this report for what it really is: a smart marketing push by a security vendor trying to sell a product, not a sign that the internet's baseline immune system is totally broken.
xnx
Why should I trust that "Norn Labs" knows what is and is not a phishing site?
mrexcess
These statistics would be a lot better if they were compared directly to the same measurements taken from dedicated cloud SWGs/SSEs like Zscaler. My somewhat subjective sense is that the whole industry is in a bit of a rough patch, the miss rate seems to be noticeably climbing all across the board.
pothamk
One thing that often gets overlooked in these comparisons is distribution latency. Detecting a phishing domain internally is one problem, but pushing a verified block to billions of browsers worldwide is a completely different operational challenge. Systems like Safe Browsing have to worry about propagation time, cache layers, update intervals, and the risk of pushing a false positive globally. A specialized vendor can update instantly for a much smaller customer base. That difference alone can easily look like a “miss” in snapshot-style measurements.
timnetworks
The most dangerous links recently have been from sharepoint.com, dropbox.com, etc. and nobody is going to block those.
varispeed
When Google will remove scams, phishing and other nonsense from their advertising? Especially the scareware stuff, where AI videos say someone might be listened to / hacked and here is the software that will help block it / find it whatnot. Then they collect personal data.