How Safe Browsing helped pave the way to our passwordless future
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
Seth Rosenblatt
Security Editor, Google Cloud
Two decades on, why Safe Browsing is still securing the web — and the world
The internet was a risky place in 2005.
Threat actors were well ahead of the security teams responsible for stopping them. Internet Explorer was the dominant web browser, and any website you clicked on could contain a malicious plugin or corrupt iframe. A “roulette of risk” — would today be lucky or unlucky? — was one way to think about the tools that helped make the web work, including digital artifacts such as ActiveX, Flash, QuickTime, and Java.
Worst of all, security was also a crap-shoot: It was nearly impossible to independently verify if a site, link, or plugin was actually safe. Into this maelstrom of uncertainty, Google launched Safe Browsing, now one of the most widely used security tools on the planet. And if you’ve never heard of it, that’s by design.
Launched in 2005 as an anti-phishing plugin for the Firefox browser, today Google Safe Browsing protects more than 5 billion devices across the world. It safeguards consumers and enterprises from malicious websites and links. It’s also an essential demonstration of how tech companies can use their insight-at-scale to improve security.
“Our goal was to scan as much of the Search index as possible,” Panos Mavrommatis, a senior engineering director at Google Cloud who has been on the Safe Browsing team since 2006, said in a recent episode of our Cloud Security Podcast. “So we built a scanner that looked for mostly hacked sites that distributed exploit kits.”
According to Mavrommatis, the early scanners for Safe Browsing were unique at the time in that they had two layers. One was a virtual machine that would load the website and see if it got infected, and the other was a scanner that would check the website for known issues like infected iframes or known malicious content. The Safe Browsing team scaled the virtual machines that the tool relied on at the time through unused Google servers, an early instance of what we would now consider to be using the cloud.
Safe Browsing was able to scale to cover the billions of websites that Google Search crawled every day, even back in 2006. To make scanning easier and more scalable, the Safe Browsing team used the data from those virtual machines to institute machine learning (ML), another early example of the type of advanced tools that are commonplace today but were just getting started back then.
“We try to classify everything using machines first, and as quickly as possible, but there are still [suspicious sites] that pass through,” Mavrommatis said. “So, we have a second principle, a set of humans who review a small but important subset of suspicious new sites or suspicious binaries. We can leverage our telemetry to understand how to prioritize what to review.”
“And number three, we can leverage those human-generated labels to train an ML model. So we can go back to the first system and help the automated detection get better and better in terms of automated classification.”
It’s a prime example of how security has evolved over recent decades to meet our current moment of integrating AI assistance in solutions and products.
The evolution of Safe Browsing and phishing protection
Nearly two decades later, the internet is still a risky place. Many of the reasons that led to the creation of Safe Browsing are still present, and they have been joined by newer threats such as more sophisticated phishing attempts, “monster-in-the-middle” attacks, social engineering, and credential stuffing of stolen passwords.
To combat them, Safe Browsing has been joined by newer protective technologies. Two-factor authentication (2FA) and one-time passcodes (OTPs) have helped to reduce the level of risk that individual consumers and larger organizations face on the internet, but they are not a panacea. Enterprise security teams still need to be able to protect their employees from threats inside and outside their organizations.
One thing that has changed since 2005 has been the advent of the IT security team.
“What Safe Browsing does, if you are in an enterprise environment, is we can give you visibility into what your workforce is doing when it comes to these types of security events in the browser,” said Mavrommatis. “What kind of files are they downloading? Which of those are potentially suspicious and malicious? Where are passwords being typed? What does Safe Browsing think about the reputation of the site on which passwords were typed?”
Answers to those questions can provide vital threat information to security teams, and that information can make the difference between responding to a critical breach and stopping one before it can take hold.
“Even if you get that intelligence a little bit later, you can still react to it as the security admin, you can try to find the device and investigate it,” Mavrommatis said. “You can look for signs of account takeover, or just force a reset of the password.”
Security leaders including Google are always working on new ways to protect people from phishing attacks, whether that’s phishing-resistant physical keys such as the Titan Security Key, or working within the FIDO Alliance to build phishing-resistant keys right into smartphones. Ideally, the world is well on its way to a passwordless future, which can help protect us against malicious actors at the consumer and enterprise levels.
In many ways, our post-password journey started with the introduction of Safe Browsing, and it continues today with those billions of covered devices, open APIs to help developers identify website threat risks, and plans for expanding mitigation efforts to protect people from phishing efforts all over the world.
To hear more about the history of Safe Browsing and how it scaled to become one of the most-used services on the planet, you can listen to the Cloud Security Podcast.