Google Safe Browsing incident

For approximately six hours on 25.9.2025, the entire statichost.eu domain was flagged as deceptive by Google Safe Search. This meant that anyone using Google Safe Search was shown a very aggressive warning or outright blocked when trying to access any site on the statichost.eu domain. In some cases even custom domains hosted on the statichost.eu platform were affected. This post is part incident report and part privacy (and monopoly) rant.

Note: This post sparked some discussion on Hacker News, which is of course great. I’d like to clarify that I do not hate Google, nor do I think that they did anything particularly wrong by flagging malicious content (albeit with a pretty wide net). I’m simply saying that Google is pretty darn big, and that I personally think they are too big.

Google has too much power over the Internet. Or in the most objective way possible: Google controls and/or monitors a substantial part of every single interaction on the Internet. You may think that this is fine, and that is your right, although I very much disagree. Especially since Google blocked all of statichost.eu for “over five billion” devices for several hours. Here is how it went down:

I woke up to some pretty bad news on Monday a couple of weeks ago. A few users had started reporting that statichost.eu is unavailable due to a security warning. This is not great, I think to myself, and go into incident response mode. Immediately, I check https://www.statichost.eu, and see that it’s working. No TLS issues or other technical problems - maybe a browser issue or network problem?

Ok, so I start investigating. The affected users all mention Google, so I start there. I use Chromium for Google-specific things (only), so I open it up and fire up a Google search. I actually cannot see statichost.eu on Google now, which is weird - it should be the top-ranked result for my keywords (e.g. “europen static hosting”). While I wait for Google Search Console to load, I check www.statichost.eu again in Chromium, just in case.

And BOOM! There it is. Now I start panicing. Google is blocking me from my own website! It apparently thinks I might be deceived - I guess into doing something I shouldn’t do or something I’ll regret later?

Back in the Search Console, which has now loaded all its JavaScript and whatnot, I see a giant error message: “Security issues detected”. There seems to be a problem with phishing on the statichost.eu domain. All sites on statichost.eu get a SITE-NAME.statichost.eu domain, and during the weekend there was an influx of phishing sites. As a result of that, statichost.eu ended up on the Google Safe Browsing list of “dangerous” sites. Luckily, Google provided me with a helpful list of the offending sites, which I could then promptly delete.

It is of course impossible to talk to anyone at Google in order to fix this, but there is a “request review” button. After writing up an explanation and requesting a review, all I could do was wait. I prepared for the worst, but within a few hours, the block was lifted and an automatically generated response of the same appeared as a notification in Search Console. Not even an email was sent. Nonetheless: incident over.

Anyway, back to Google.

The stated goal of Google Safe Browsing is “Making the world’s information safely accessible.”. Yikes! But what does it mean? It is basically a giant blacklist of sites that Google has deemed unworthy. This list is then used by major browsers and anyone who wants to “make information safely accessible” or whatever. According to Google, this protects “over five billion devices”. That of course means that you really don’t want to end up on this list!

And do you know how Google builds this list? By doing what they do best: by monitoring absolutely everything. One tool for this is Google Chrome - a “free” browser created by Google for its business purposes. It of course sends the URLs of pages you visit back to Google - I very much assume by default. And with “enhanced security protection” turned on, it even sends some of the page content to Google. That is a very neat way to monitor the comings and goings of something like four billion people.

To be fair, many or even most sites on the Google Safe Browsing blacklist are probably unworthy. But I’m pretty sure this was not the first false positive. And I’m not sure this is the best way to tackle phishing. E.g. what happens on the countless phishing sites that are not on this list? Be that as it may, do not rely on Google to tell you who to trust. Use your own judgement and hard-earned Internet street smarts.

There are lots of problems on the Internet, but I for one don’t trust Google to be our savior. There was a time when Google was different, but do not mistake their friendly branding and legacy goodwill for something it is not.

In order to limit the impact of similar issues in the future, all sites on statichost.eu are now created with a statichost.page domain instead. This domain is pending addition to the Public Suffix List in order to further increase resilience and security.