Am I missing something or is that a 66%/100% False Positive Rate on legitimate Sites?
If GSB had that ratio, it would be absolutely unusable. So comparing these two is absolutely wrong...
I've seen this before in the IP blocklist space... if you're layering up firewall rules, you're bound to see the higher priority layers more often.
That doesn't mean the other layers suck, security isn't always an A or B situation...
On the other hand, I don't know how I feel about how GSB is implemented... you're telling Google every website you go to, but chances are the site already has Google Analytics or SSO...
Yeah. "Here's a blog post with some casually collected numbers about our product [...] It turns out that it's great!" is sorta boring.
But couple that with a headline framed as "Google [...] Bad" and straight to the top of the HN front page it goes!
Where I'd push back is on what this means for the average person. Most people have no protection against phishing beyond what their email provider and browser give them. If that protection is fundamentally reactive, catching threats hours or days after they go live, that's a real limitation worth talking about honestly. The 84% number isn't meant to say GSB is broken. It's meant to say there's a gap, and that gap has consequences for real users regardless of the engineering reasons behind it.
On the marketing angle, we aren't currently selling anything. The extension is free and so is submitting URLs for verification. We recognize it would be disingenuous to say we never will, but at the very least the data and the ability to check URLs (similar to PhishTank before they closed registration) will always be free. The dataset is also sourced from public threat intelligence feeds, not a curated set designed to make our tool look good. We think publishing findings like this is valuable even if you set aside everything about our tools.
In what way is it valuable?