
I got hit with the same kind of phishing attack a couple months ago.

It's pretty incredible the level of UI engineering that went into it.

Some screenshots I took: https://x.com/grinich/status/1963744947053703309



Hmm, since Chromium is working on adding browser-local AI features, I wonder if this one day could be a security check (for links opened from the outside of the browser). E.g. the browser detected that you clicked on a new-tab link, and the page looks like a commonly known site, then the AI detects that the URL isn't "x.com" and gives a heads-up warning. At least for the top 1000 most common sites, this could prevent a lot of phishing attacks.


I'm sorry, but the imagecontent-x.com URL should throw red flags for anyone.


This is exactly how not to defend against phishing. The meaningful defense is to foreclose on it entirely, not to just get super good at spotting fakes.


> The meaningful defense is to foreclose on it entirely

Sounds easy enough in theory. How do you do that in practice?


Use passkeys. Bully services that don’t offer them or lock them behind enterprise plans into implementing them.

That’s it. The single working defense against credential theft.


So, in that case the browser (correctly) did not autofill? Is that a common occurrence for legit traffic from X? And no complaint about the website's identity from the browser -- the expected "lock" icon left of the URL?


As long as people are used to companies just buying new domains for the hell of it, yes. Just look at the amount of domains Microsoft uses for signing in! My password manager currently holds 8 of them. Eight! Who can be blamed for thinking it’s the password manager’s fault?

