Google Urges Gmail Users to Enable 'Enhanced Safe Browsing' for Faster, More Proactive Protection

The Washington Post's "Tech Friend" newsletter has the latest on Google's "Enhanced Safe Browsing" for Chrome and Gmail, which "monitors the web addresses of sites that you visit and compares them to constantly updated Google databases of suspected scam sites." You'll see a red warning screen if Google believes you're on a website that is, for example, impersonating your bank. You can also check when you're downloading a file to see if Google believes it might be a scam document. In the normal mode without Enhanced Safe Browsing, Google still does many of those same security checks. But the company might miss some of the rapid-fire activity of crooks who can create a fresh bogus website minutes after another one is blocked as a scam.

This enhanced security feature has been around for three years, but Google recently started putting a message in Gmail inboxes suggesting that people turn on Enhanced Safe Browsing.

Security experts told me that it's a good idea to turn on this safety feature but that it comes with trade-offs. The company already knows plenty about you, particularly when you're logged into Gmail, YouTube, Chrome or other Google services. If you turn on Enhanced Safe Browsing, Google may know even more about what sites you're visiting even if you're not signed into a Google account. It also collects bits of visual images from sites you're visiting to scan for hallmarks of scam sites.

Google said it will only use this information to stop bad guys and train its computers to improve security for you and everyone else. You should make the call whether you are willing to give up some of your privacy for extra security protections from common crimes.
Gmail users can toggle the feature on or off at this URL. Google tells users that enabling the feature will provide "faster and more proactive protection against dangerous websites, downloads, and extensions."

The Post's reporter also asked Google why it doesn't just enable the extra security automatically, and "The company told me that because Google is collecting more data in Enhanced Safe Browsing mode, it wants to ask your permission."

The Post adds as an aside that "It's also not your fault that phishing scams are everywhere. Our whole online security system is unsafe and stupid... Our goal should be to slowly replace the broken online security system with newer technologies that ditch our crime-prone password system for different methods of verifying we are who we say we are."

I'm done with this bullshit

[quonset]

When I type in a URL it is the sole job of the browser to take me there. It should not be making any decision. I told it where to go, take me there.

This is especially problematic not only on the web in general, but when trying to connect to the web interface of printers. When manufacturers such as Ricoh or HP haven't done their part to configure security for web access, you get denied which means you can't remotely administer it on your own network.

Never question the user. If the user wants to go a web site, that's what you do. Go there.

Re:I'm done with this bullshit

[Luckyo]

It's going to get much worse. Google's long term project has for quite a while been the sort of "official, validated, advertiser-friendly web" which became very visible with google's search engine shift from actual search to being a pitch engine. Pitching you on things that google thinks you should get from your query that is maximally monetized and controlled by google.

One thirf of google's current big projects taking web in this direction is DRM in browser for chromium. Basically make it so that browser asks for validation from OS that it is indeed the user that is controlling the machine. This is being sold as "bot protection for websites". This is also likely in part riding on the coat tails of microsoft pushing for mandatory TPM in windows 11, which means that all major consumer operating systems now have a form of hardware DRM built in. The idea is that every device will allow full hardware DRM mechanism for every website to validate that:

"This is the intended user".
"User is using only allowed and validated software packages".

All via the mainline web browser family that is used by almost everyone.

Other third is the slow strangling of ad blocking with things like manifest v3. This ensures that add-ons are less and less useful, especially on ad blocking front, while validated premade "you don't need anything but this" browser being basically the only available option to overwhelming majority of users.

And last third is what is described in the OP. Just strangle the rest with lack of financing due to being inaccessible by most with the mechanism described in OP, "this is a malicious, not validated site because it doesn't require DRM validation from you, so you should not use it".

The obvious end goal is to go to fully closed web that every major corporation uses, which means that overwhelming majority of users will have to join it. A web that is controlled by the corporations, and where users have to validate themselves to it that they are who they are and that they are not running any unsanctioned software connecting to said websites.

It's going to be IE6 on steroids, where not only will websites be allowed to basically require that you only use validated software, but you won't be able to spoof this due to hardware DRM built into your computer subverting your attempts to do so.

Re:I'm done with this bullshit

[quonset]

It's not just Google/Chrome. Edge and Firefox pull the same stunts, though Edge is worse. At least in most cases Firefox will allow you to proceed to the site. Edge acts more like Chrome (and it should since they use the same underlying engine) and outright prevents you from going to a site or web interface.

As I said, never question the user. If they want to go somewhere then that's where you go. It is not up to Google/Microsoft/etc to decide, it's the user's decision.

Firefox

[antdude]

I have had Firefox block me to access the "bad" web site before. Sometimes, it does let me go through. Once in awhile, it won't. :(

Re:

[Fuck_this_place]

You can turn that off. In privacy & security settings...

Deceptive Content and Dangerous Software Protection:

*Block dangerous and deceptive content
*Block dangerous downloads
*Warn you about unwanted and uncommon software

Edge does not prevent bypass by default

[Anonymous Cward]

How do I know this? Because I have to configure it using Group Policy to prevent users bypassing SmartScreen as part of corporate security policy. It is necessary because no matter how much you train people, pretexting is still an effective way for an attacker to help socially engineer people into skipping those big, red, fullscreen warnings. When left with default settings, there is a way to bypass the warning, but it is deliberately obscure to help prevent accidents.

Remember folks, untrained normies do

Re:

[Loki Prankster]

Your article is "the end is nigh" prediction, probably meant to elicit activism and an angry response of the "cold dead hand" type. I am usually skeptical with respect to the "end of the world" predictions. There is something called open source and it looks like this:
cat /etc/redhat-release
Fedora release 38 (Thirty Eight)
Anyone, anywhere can branch this off and start a new distribution and even a new OS. In order for your Chicxulub prediction to come true, no alternatives should exist. However, thanks t

Re:

[Rujiel]

Digital ID, and the will of governments to destroy online anonymity in the name of saving the children, is a very real problem.

Re:

[Loki Prankster]

Historically, anonymity has never been a right. Government was always opening our mail and frequently listening to our phones. Anonymity is a mixed blessing. On one hand, anonymity enables more open discussion, like the one we are having now. On the other hand, anonymity is the basis for the online bullying, spam, malware and radicalism. Speaking of spam, did you know that you can save 15% or more by switching to GEICO? Joking aside, I don't think we need regulation, we need to extend the laws of morality t

Re:

[Luckyo]

Historically, "government" didn't exist in people's lives in any meaningful capacity. The only governance you may have had in your remote village was local lord occasionally holding court and his tax man coming to collect the dues. That's it. Nation state model is historically a very new concept that is yet to prove its durability through surviving more than a couple of centuries.

As a result concept of privacy is a longstanding tradition to the point where it's in our genetic coding. Normal people avert the

Re:

[conorjh]

Normal people avert their eyes when they see something they identify as private, because we recognize on instinctual level that there are things that are not for us to see.

luckyos respectful caveman hyposthesis

Re:

[Loki Prankster]

Well, people started building cities long time ago. There are some remarkable examples going thousands of years back (Carnac, Luxor, Babylon, Niniva, Rome, Athens). Privacy is a burgeoning problem of urbanization. There was little room for privacy in those remote villages you mention, because villages were populated by a few closely related families. Privacy in those villages was less important than survival. Furthermore, it is unclear what is the contents of privacy. Messages? Conversations? What do you me

Re:

[Rujiel]

"Also, please note that anonymity is not the same as privacy. We've quite recently had a case of 20 goat herders from the Middle East crashing airplanes into buildings in NYC and DC. The necessary infrastructure for them to do that was privacy."

Oh, those guys the CIA was training? Explain to me how you think they had any privacy?

https://jacobin.com/2023/05/ci... [jacobin.com]

Re:

[Loki Prankster]

Being a libertarian, I am inclined to discount Jacobin as a source. I have checked it out and it is every bit the communist trash I expected it to be. Basically, Jacobin is a leftist version of Alex Jones. Not to be quoted in a civilized group of people. They are even praising the Barbie trash movie.

Having said that, I am aware that CIA has done some disgusting things. However, I refuse to accept the claim that CIA is responsible for the 2nd Pearl Harbour without a valid proof. Jacobin (and The Nation) are

Re:

[Rujiel]

So you think the web should do away with anonymity in order to be more self-regulated, so that it doesn't become more government-regulated? Don't you see how that is self-defeating? You realize that these tech giants already bend to the will of governments to censor, while also being paid for information by the same. They got what they wanted through back doors and didn't need regulation for it other than maybe the PATRIOT act.

Trolling and spam are not good reasons for digital ID. You're posting on a site t

Re:

[Loki Prankster]

As a rule, the one that I did break a few times, I am doing my best not to say on the Internet anything I wouldn't say in a face to face meeting. We disagree on the significance of spam and trolling. Eternal September proves my point. It already has destroyed a useful Internet service that is now an abandoned cesspool of spam, trolling and downright bullying. The only way of dealing with that is to have the same rules for the internet debate as one would have in a physical conversation. IMHO, anonymity is a

Re:I'm done with this bullshit

[AmiMoJo]

If you want to turn this feature off, go ahead. But for most people who aren't technically knowledgeable, it's a very useful feature.

It's like arguing that a table saw should cut whatever you place on it, even if it's your fingers. Most people benefit from the safety features.

Re:

[real_nickname]

I don't mind if the browser check locally my url against a local DB and ask me if I really want to go there. On the other hand sending every url to google computers(why???) is an obvious no.

Re:

[strikethree]

Never question the user. If the user wants to go a web site, that's what you do. Go there.

Dude. Don't start with this shit. You are perfectly happy forcing the government to protect those who are too stupid to know better. In this case you know better, but you will still get the nanny state you wanted for everyone else. Enjoy. I know I am laughing at you right now. A leopard is eating your face!

Probably a good idea for the average clueless user

[VoodooCryptologist]

Hear me out on this one. The average user of Gmail is not too bright and email is a major phishing/malware vector. All grandmas should turn this on ASAP. For anyone who cares about privacy, go sign up for ProtonMail or something and don't worry about this.

Re:Probably a good idea for the average clueless u

[Luckyo]

"Safety, security" is the common mantra in how freedoms are taken away. Because the more safe and secure you are, the less free you are.

And for the sake of the granny, we better validate all software everyone uses. Because script kiddies are a real threat, so pretty much any power user connecting to the web should also be validated. Preferably through a hardware validated browser with in built TPM within OS and hardware. So we're sure that potentially bad user doesn't use script kiddy tools on the poor grandma.

Funnily enough, in addition to this project, google also has the project to integrate just that kind of DRM into chromium code. It's for grandma's safety and security of course!

Re:

[AmiMoJo]

Validation via signing and chains of trust have prevented massive amounts of fraud and extortion.

Meanwhile access to an uncensored web has become easier, thanks to things like the Tor browser and VPNs.

You have been sounding that alarm for decades, while the world moves in the opposite direction.

Re:

[VoodooCryptologist]

Anyone who signed up for Gmail (or those who actively use a Google account for that matter) gave up their privacy at the door. Everyone knows that Google is advertising giant, and if you don't pay for something, you're the product. But there are a lot of people who just shut off their brains in exchange for a slight increase in convenience. I'm a big fan of ProtonMail but FastMail is a good second option and it's way better than Gmail. People just can't give up the ease of use on Google though.

For the group

Re:

[usedtobestine]

But if you give them a dirty, very dirty needle, they'll stop using heroin. That sounds like a win, to me.

Re: Probably a good idea for the average clueless

[Mr. Underbridge]

"Anyone who signed up for Gmail (or those who actively use a Google account for that matter) gave up their privacy at the door Bear in mind that" That wasn't the Google that they claimed to be around 2003 when I signed up. What you say is demonstrably true now, but it's hard cutting the cord on a 20 year old email address, for instance. For those of us who can't easily go "cold turkey" on Google, trying to compartmentalize their services may be desirable.

Re:

[VoodooCryptologist]

I was in the same boat. I had a Gmail account right after it launched and used it regularly until Google became too creepy. It was much easier than you think to jump ship. My account is still open but I don't use it.

Re:

[ocean_soul]

A good idea would be to give such users a clue. This nonsense is only a good idea for Alphabet's profits.

Re:

[Waccoon]

Fair enough, but... why does anyone trust Google? Google is one of those companies offering to keep your kids safe, even though their van has "Free Candy" written on the side.

Reminds me of when Yahoo bragged about their anti-spamming technology, but as soon as you signed up for a Yahoo account, you started getting a dozen spam e-mails even before you told anyone your address.

Hey, Google! Know what else improves security?

[blindcoder]

Adblocking! It totally stops https://en.wikipedia.org/wiki/... [wikipedia.org] in its tracks!
How about you commit to that in Chrome? Huh?

Re:

[Luckyo]

Granny doesn't use adblocking, because google never pitches it to her on their pitch engine. Instead they pitch her nigerian princes coming to marry her, because nigerian princes pay good money for relevant ad words.

Re:

[AmiMoJo]

Chrome has a built in ad blocker. It's enabled by default, but you can turn it off in the settings.

It only blocks the most abusive ads, but it's there.

So how does it work exactly?

[fph il quozientatore]

How does this enhanced safe browsing work exactly, technically? From what I understand, "vanilla" safe browsing works in part with a client-side blocklist, to preserve privacy better. Is ESB the same? What information reaches Google's servers exactly? Why must it reach Google's servers, and why can't the same feature be implemented in a privacy-preserving way? Wouldn't this problem be solved by a client-side database of malicious URLs, synced with a server?

Re:

[Superdad]

I'll hazard a guess. Loading a black-list on the client end would allow the users to see the sites being blocked, which doubtless over time, will include sites one might wish to visit if one only knew they existed ... sites the 'they' don't want you to go to ... or am I just paranoid ?

SD

Re:

[Opportunist]

Considering that you still have the option to say "buzz off, I know what I'm doing", I guess that's not exactly going to do much if that's the goal.

Re:

[fph il quozientatore]

You can make a blocklist with hashes of the malicious URLs to solve this problem.

From what I understand, (non-enhanced) safe browsing uses this trick, but it is implemented in a way that allows Google access to data in certain cases: there are very short hashes that allow for false positives, and potential matches are sent to Google servers for confirmation.

Other way round on non-enhanced security

[Anonymous Cward]

Google sends you a bunch of full hashes in relation to your browser sending a truncated short hash, if the short truncated short hash of a domain you access happens to match one in your Safe Browsing Cache. Google does not know if the lookup relates to a true positive or a false positive, and never gets the full hash sent their way.

This is why Firefox and Safari are happy to use the same Google-provided service, as it does provide privacy. The same cannot be said for SmartScreen, which works like the Enh

Re:

[Dragonslicer]

It probably sends the URL (or at least the domain name) to Google's servers, which checks it against a blocklist. The only advantage over a regular client-side blocklist is that it can be updated faster.

Re:

[_merlin]

If it's like the regular safe browsing it works as follows:

• Browser computes intentionally poor digest of URL (high collision rate).
• Browser either checks digest against a local blacklist or sends it to server to check against blacklist.
• If the digest is on the blacklist, the browser requests a list of blacklisted URLs matching that digest.

The "privacy" aspect relies on the fact that the digest intentionally has a high collision rate. The sever doesn't know whether you attempted to visit a blacklisted URL, o

Thanks, but ...

[fahrbot-bot]

I POP my mail from Gmail (and my ISP) to Thunderbird on my PC. I only use Gmail directly on my Pixel to empty the trash and do folder cleanup -- easier than logging in via Firefox. I don't keep anything on the Gmail servers. If I follows any links in my incoming mail, it's almost always done in a private Firefox session -- mainly so I don't have to do any browser cleanup.

No thank you

[93 Escort Wagon]

It seems like whenever you look at something Google says they're doing for your benefit, it always turns out that thing is also somehow giving access to more of your data to Google.

I got off personal Gmail years ago - I check it every once in a blue moon, but no legitimate mail seems to be going there anymore. I'm stuck with Gmail for work (choices are Google or Microsoft), but I access it via a desktop email client using IMAP - which has the side benefit of adding features (such as bounce/redirect) Gmail's web interface doesn't provide.

Re:

[AmiMoJo]

Safe browsing works by downloading a list of bad URLs/patterns, and matching against them locally. No data is collected. Same as your ad blocker.

Re:

[93 Escort Wagon]

From TFA:

The Post's reporter also asked Google why it doesn't just enable the extra security automatically, and "The company told me that because Google is collecting more data in Enhanced Safe Browsing mode, it wants to ask your permission."

(emphasis mine)

Re:

[AmiMoJo]

Yeah, the extra safe mode, not the basic Safe Browsing feature.

DNS provider

[Dwedit]

Nobody gets to spy on me except the DNS provider.

Re:

[Some nick or other]

Not even the DNS provider, necessarily; that's what DNSCrypt's Anonymized DNS is for.

For a lot of people this would actually be good

[Opportunist]

I mean, if you have a Facebook profile, you already pretty much signed away your privacy anyway, so you can as well get a bit of safety out of it.

Lipstick on a pig!

[oldgraybeard]

But then some enjoy and expect lipstick.

Call me a skeptic.

[JackAxe]

This sounds good on the surface, but I think the end result of this will be another layer of censorship.

Re:

[ocean_soul]

I don't think this even sounds good on the surface. It sounds terrible on the surface, and even worse the longer ytou think about it.

Re:

[JackAxe]

I'm in the same camp as you when it comes down to it. I don't want any of this to ever become standard by default, not even if it's just added context like YouTube -- which I use StyleBot to remove. My thought about surface level, was more so for certain members of my family that aren't very savvy when it comes to the web.

Enhanced Safety = Degraded Privacy

[Bob_Who]

Its like the inverse square law in many fundamental calculations. The more "they" know the "safer" you are. Now be a good dog!

already on

[groobly]

If you are already "on" a website, it's too late to warn you.

What could possible go wrong?

[jarle.aase]

Google want to know *everything* you do on the Internet. I am sure they will use this information exclusively to protect you from harm. There is no way they will share this info with their AI's or sell analyzed data about you and your family to banks, potential employers and the Government!