|
Indeed. Google basically gives this service away to browsers. It costs money if you want to build a commercial service using it, but if you give away browsers, no problem. You can switch it off, but you probably shouldn't, even if you're sure you would spot a phishing scam, actually maybe even especially if you're sure you would spot the scam. The service is capable of being quite nuanced since it works on (hashes of) HTTP path segments, so e.g. it can say OK this site https://some.example/ seems fine except the /cgi-bin/crapscript.php/fake-bank/ pages are clearly a fake bank, and so if your browser tries to visit those pages it gets flagged. But equally it can say OK, everything in bogus.example is bogus, fakebank.bogus.example, harrods.bogus.example, www.news.bogus.example, it's all bogus, warn for all of it. You can't get the actual list, because if you could of course that mostly helps bad guys. Your browser does a bunch of hash lookups, and it has a fancy tree structure, so it can rule out e.g. OK everything starting FE43 is fine, everything in FD9 is fine etc. If that tree can't rule out a hash it calls Google, who have much finer-grained hash data that wouldn't fit in your browser. Also periodically the browser fetches delta updates to the tree from Google. |
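The local check described in the comment above, as an added sketch that is not part of the comment and not any browser's code: it follows the publicly documented Safe Browsing v4 host-suffix/path-prefix scheme in simplified form (no URL canonicalization, no IP-address handling). The 4-byte prefix length, the plain `set` standing in for the browser's tree structure, and the contents of `LOCAL` are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumption: the local list stores 4-byte SHA-256 prefixes


def expressions(url):
    """Host-suffix + path-prefix strings that get checked for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tail = host.split(".")[-5:]              # suffixes come from the last five labels
    hosts = [host]
    for i in range(len(tail) - 1):           # stop before the bare TLD
        suffix = ".".join(tail[i:])
        if suffix not in hosts:
            hosts.append(suffix)
    path = parts.path or "/"
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix, prefixes = "/", ["/"]
    for seg in [s for s in path.split("/") if s][:-1]:
        prefix += seg + "/"
        prefixes.append(prefix)
    for p in prefixes[:4]:                   # at most four directory prefixes
        if p not in paths:
            paths.append(p)
    return [h + p for h in hosts for p in paths]


def hash_prefix(expr):
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]


def needs_server_lookup(url, local_prefixes):
    """Expressions the local list cannot rule out; empty means no network call."""
    return [e for e in expressions(url) if hash_prefix(e) in local_prefixes]


# Constructed local list: one flagged path on an otherwise fine site,
# and one domain flagged as a whole (the two cases from the comment).
LOCAL = {
    hash_prefix("some.example/cgi-bin/crapscript.php/fake-bank/"),
    hash_prefix("bogus.example/"),
}

if __name__ == "__main__":
    for u in ("https://some.example/",
              "https://some.example/cgi-bin/crapscript.php/fake-bank/login.html",
              "https://harrods.bogus.example/sale"):
        print(u, "->", needs_server_lookup(u, LOCAL) or "ruled out locally")
```

A non-empty result only means the prefix matched; the full hashes returned by the server decide whether the page is actually flagged.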