
Google's Safe Browsing Protection in Chrome Goes Real-Time (techcrunch.com) 49

Google announced a major change to its Safe Browsing feature in Chrome today that will make the service work in real time by checking against a server-side list -- all without sharing your browsing habits with Google. From a report: Previously, Chrome downloaded a list of known sites that harbor malware, unwanted software and phishing scams once or twice per hour. Now, Chrome will move to a system that will send the URLs you are visiting to its servers and check against a rapidly updated list there. The advantage of this is that it doesn't take up to an hour to get an updated list because, as Google notes, the average malicious site doesn't exist for more than 10 minutes.

The company claims that this new server-side system can catch up to 25 percent more phishing attacks than using local lists. These local lists have also grown in size, putting more of a strain on low-end machines and low-bandwidth connections. Google is rolling out this new system to desktop and iOS users now, with Android support coming later this month.

  • by Rosco P. Coltrane ( 209368 ) on Thursday March 14, 2024 @12:51PM (#64315365)

    How can this be disabled?

    • Re: (Score:3, Informative)

      by serafean ( 4896143 )

      Chromium

    • by Grokew ( 8384065 ) on Thursday March 14, 2024 @12:57PM (#64315371)
      We are being spied on, in the name of safety, and privacy.
      • by AmiMoJo ( 196126 )

        We aren't. TFA explains how this works:

        1. When you visit a site, Chrome first checks its cache to see if the address (URL) of the site is already known to be safe (see the "Staying speedy and reliable" section for details).
        2. If the visited URL is not in the cache, it may be unsafe, so a real-time check is necessary.
        3. Chrome obfuscates the URL by following the URL hashing guidance to convert the URL into 32-byte full hashes.
        4. Chrome truncates the full hashes into 4-byte long hash prefixes.
        5. C

    • I have "safe browsing" turned off which somehow makes their safety net more intrusive. Chrome will complain my file is unverified and make me click on keep. You would think disabling safe browsing would disable this, but nope. God forbid a file isn't sent via https either.

      • by thegarbz ( 1787294 ) on Thursday March 14, 2024 @01:48PM (#64315529)

        Chrome will complain my file is unverified and make me click on keep.

        Oh noes, god forbid a user is warned about downloading a file from an insecure connection. How horrible!

        Google is implementing a stop gap given a safety was disabled. If you don't want your hand held when browsing the internet then why the everloving **** are you using Chrome? If you're the type of person to disable safe browsing then this is not a browser designed for you.

        Use appropriate software to your needs.

        • Oh noes, god forbid a user is warned about downloading a file from an insecure connection. How horrible!

          Have you ever seen a heavy handed authoritarian solution backed by a government or big nasty fascist corporation you didn't like? Weren't you cheerleading all the mandates for CV19, too? I bet you're great fun at parties.

          • authoritarian solution backed by a government

            People can't choose authoritarian governments (that's the point of them). People can choose their software. Google Chrome is designed for the common idiot and has features targeted at protecting the common idiot. Its use is optional. Use something else.

            Weren't you cheerleading all the mandates for CV19, too?

            Absolutely. I fully support health mandates that reduce death and long term suffering for fellow humans, even if it does come at the minor cost of you being slightly inconvenienced. And I'm glad I lived in a country where it was taken seriously.

            I bet you're great fun at parties.

            I have been t

            • People can't choose authoritarian governments

              ... and this is why you love them?

              Absolutely. I fully support health mandates

              I'm shocked. Yes, yes, I got all the tripe about "preventing death". That's typical of safety-cult folks like yourself. You always have a reason you find adequate to tell others how to live and what to do. You were all for the censorship and heavy handed authoritarian tactics and seemed to celebrate the more draconian they got.

              I have been told I'm very fun at parties.

              Your mom does not count.

        • by AmiMoJo ( 196126 )

          The unsecure connection warnings had a massive, positive effect on the web.

          Before, your browsing habits were regularly monitored by your ISP and security services. Now it is 99% HTTPS, they can no longer do mass surveillance. I'm sure that the NSA and GCHQ can get the data if they really want to, but there is a cost and they need to target rather than indiscriminately spy on everyone.

          Most web hosts now offer free SSL certificates via an automated system, and there is also Let's Encrypt free and easy to use c

    • How can this be disabled?

      The fact that you're asking this shows that you're okay with it. You don't disable things in Chrome to protect your privacy, you just reach for another bottle of lube.

      • It was a rhetorical question. I don't run Chrome, as I trust dodgy websites more than I trust anything Google comes up with.

        I run LibreWolf with resist-fingerprinting and all privacy options turned on, uBlock Origin in hard mode, I make extensive use of multi account containers to compartmentalize my browsing, and I'm generally very anal about which sites I browse and how.

        And while Chromium is open-source and there are plenty of excellent Chromium-based privacy-oriented browsers out there, I refuse to run an

        • by AmiMoJo ( 196126 )

          That's great but you are not getting protection from malware that way. In fact you are taking a risk because Librewolf releases lag behind Firefox ones, i.e. security patches take longer to get to you, and because Librewolf doesn't have a built-in auto-updater so there is even more lag as you either become aware of updates or wait for your package manager to distribute them.

          Librewolf does actually support Google's safe browsing tech: https://librewolf.net/docs/set... [librewolf.net]

          That's the one which downloads a database

    • How can this be disabled?

      You can find the answer here [mozilla.org].

    • This can be disabled using the setting described here: Choose your Safe Browsing protection level in Chrome [google.com]

      Settings > Privacy and Security > Security > Safe Browsing

    • by vbdasc ( 146051 )

      Have something to hide, citizen?

  • by backslashdot ( 95548 ) on Thursday March 14, 2024 @12:58PM (#64315375)

    Why doesn't WhatsApp/Skype etc. have anything remotely like this to catch all its scammers?

  • Privacy implications (Score:4, Interesting)

    by jddimarco ( 1754954 ) on Thursday March 14, 2024 @01:10PM (#64315399)
    There is some pretty nice thought put into this system to allow Google to use a server-side list, but hinder Google from being able to record which websites are being browsed. One problem, though, is that it normalizes Chrome sending encrypted data regularly to Google each time a new site is visited, making it more difficult, if Google were to later add surveillance to Chrome, for that fact to be uncovered through unusual traffic patterns, because said patterns would not be unusual. That being said, the benefit may be worth the risk, as phishing is an absolute plague right now.
    • by mysidia ( 191772 )

      if Google were to later add surveillance to Chrome, for that fact to be uncovered through unusual traffic patterns, because said patterns would not be unusual

      With this it doesn't seem like they even need to add surveillance to Chrome; just get the nature of the "Privacy servers" tweaked on the backend; which can't be verified from your web browser.

      The second they can log the hashes reported with your IP Address it's game over, as they can start building a database to reverse the hash codes --- they

      • Isn't it using hash prefixes though, not a full hash?

        Also, Google isn't the one running the privacy server that sits in the middle between your client and their secure browsing server in this case: Fastly is.

    • by thegarbz ( 1787294 ) on Thursday March 14, 2024 @01:54PM (#64315557)

      One problem, though, is that it normalizes Chrome sending encrypted data regularly to Google each time a new site is visited, making it more difficult, if Google were to later add surveillance to Chrome

      I'm sorry but WTF? Normalises? It's 2024 mate. Your browser ... *ALL BROWSERS* are constantly sending encrypted data back and forth between servers. Heck it says right there in the summary that this transmission of data replaces another previously hourly transmission of data. Have you ever wondered why your browser is up to date? Didn't Google introduce a system level service back in 2007 that automatically communicated with its servers in an encrypted way, and keep your data up to date?

      This *IS* normalised. Fire up wireshark on your computer one day if you want to have a freakout.

      • by AmiMoJo ( 196126 )

        This is untrue. Neither Firefox nor Chrome are "constantly sending encrypted data back and forth between (Mozilla/Google) servers".

        By default, they come with browser sync disabled. For malware, they download a database every half an hour, and the only thing sent is a version number for the existing database so that the server can respond with just diffs.

        They both periodically check for new versions, and Chrome sends an installation ID along with that check. I think the check is once per day, it might be mor

        • They both periodically check for new versions

          What part of a browser making an encrypted communication with a server that you are unable to independently verify is so confusing to you?

          Data is being sent and received over an encrypted channel. That is normalised. Your post gave an example of it happening despite you saying it's not. I never said all browsers phone home with your data, I said "encrypted data". Unless you think opening an encrypted connection to a foreign server is somehow able to be done without sending any data (in which case I suggest

          • by AmiMoJo ( 196126 )

            You can understand it. Just look at the source code. Build it and verify that the binary matches the released one. Both Firefox and Chromium are open source.

    • by Shakrai ( 717556 )

      One problem, though, is that it normalizes Chrome sending encrypted data regularly to Google each time a new site is visited, making it more difficult

      It's pretty trivial to install your own certificate authority and perform MITM attacks [wikipedia.org] against all encrypted traffic coming from a particular endpoint over which you have control. It's less trivial but still doable to decompile a program and look through the source for hidden processes like you describe. All of which is to say I doubt Google could keep something like you describe a secret for very long, if they were inclined to try it, which seems unlikely. Why risk the bad PR and inevitable lawsuits whe

  • I put in a URL, you take me there. That's the job of a browser.

    This nanny state needs to stop.

    • by russty ( 7398610 )

      You can quit "this nanny state" anytime by downloading Firefox or another browser. Stop complaining about things entirely under your control.

      • Firefox does the same thing. It checks the site you're going to and throws up a scary warning if it thinks it's not safe.

        • >"Firefox does the same thing. It checks the site you're going to and throws up a scary warning if it thinks it's not safe."

          What you described is called "Deceptive Content and Dangerous Software Protection"

          1) This protection is ENTIRELY configurable by the user by settings you can CHOOSE. It is enabled by default.

          2) It uses a downloaded list of malware sites, Firefox is not sending real-time "I am going here" data to anyone with any setting. It is simply checking against a LOCAL list.

          https://support.mozi [mozilla.org]

    • Why are you using an advertising company's browser anyway?

      • >"Why are you using an advertising company's browser anyway?"

        Bingo. And the longer version would be:

        "Why are you using a browser pushed by an advertising company, who has a vested interest in collecting as much information about you as possible, who wants to set all the "standards" to ensure they have full control, that has no community oversight, that is pushing a binary blob, and that has caused all other multiplatform browsers to die or use their code... except Firefox?"

    • This nanny state is needed because many users won't or can't maintain their own security. Things like warnings about unsafe sites, password checkups, and more help protect people from not just getting their accounts or devices compromised but also protect other people's data that they have in those accounts or devices (like the 23andMe 'breach'/credential stuffing).

  • Can China use this for censorship? Actually, is Chrome even allowed in China?

  • Clearly a scam (Score:5, Interesting)

    by peterww ( 6558522 ) on Thursday March 14, 2024 @02:46PM (#64315703)

    I think it's obvious they've designed this to make Google money.

    The big tell is that this is supposedly because it takes too long to get an update. The story goes, we don't download lists of malware except once an hour, but we want you to get updates sooner, so we will push your requested URLs to our server where we'll check them in real time. Why don't they just download the list more frequently? Because that would be a lot of traffic, and make your own connection slower as well as Google's.

    So then, if the problem with sending you updates constantly is too many updates, can't they just send the individual changes to the malware list to your browser? The answer is: yes, they can. They can send you compressed deltas of malware lists as they are updated in real time, which is a small, fast update. This will actually be less traffic than sending every one of your browser requests to them. So why don't they just send your browser the compressed deltas?

    Simple: that wouldn't allow them to monitor what sites you're going to. They still need you to send them that list of sites so they can mine it for money.

    Now, they're claiming that Google and Fastly have designed a complex system to prevent anyone from figuring out what you're sending them. But we already know from above that this complex system isn't even necessary, and would actually be more efficient than what they've created. And the only reason for them to receive the updates is so they can have more information to make money off of.

    What are they actually using this for? I don't know. But it's clearly not just to help the users.

    • >"Why don't they just download the list more frequently?"

      And exactly how long/big/difficult is it to push a diff?
      And why should Google be in control of that list?
      And what controls will users have?
      And what happens when the list is weaponized?
      And how can it be audited?

      >"Now, they're claiming that Google and Fastly have designed a complex system to prevent anyone from figuring out what you're sending them."

      Which we have no way to confirm and which can change at any time.

      >"What are they actually using

      • > And exactly how long/big/difficult is it to push a diff?

        long, big, and difficult are 3 different things:

        1. Long: latency is fast to Google datacenters

        2. Big: let's just assume a compressed delta of a single site update is 20 bytes data payload, and 16 bytes TCP overhead. Compare that to the 4 byte hash payload + 16 byte TCP overhead of sending every single one of your website requests to Google. All you would have to do is look at 4 web pages within the time frame of the Malware list changing, for it t

    • by AmiMoJo ( 196126 )

      They already do send compressed deltas, so your conspiracy theory falls apart. Here's the API documentation if you don't believe me: https://developers.google.com/... [google.com]

      Note also how the whole system works using 4 byte partial hashes, which can't be reversed into URLs. It's a well established practice for checking things against a list without revealing what the thing is. You calculate a longer hash of the thing, but only send part of it, and the server responds with all the hashes that match that part. You the
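
The hash-prefix lookup described in this thread (hash locally, send only a 4-byte prefix, receive every full hash sharing it), as an added example that is not part of any comment and is not Chrome's code. The URL-expression step is simplified, and the `LookupServer` class, hostnames and blocklist entries are constructed for illustration; the final local comparison of full hashes is an assumption about how such a lookup completes.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 hash that leave the client


def expressions(url):
    """Host-suffix/path-prefix combinations to hash (simplified, no canonicalization)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Exact host plus parent domains, never the bare top-level label.
    hosts = {".".join(labels[i:]) for i in range(len(labels) - 1)} or {labels[0]}
    path = parts.path or "/"
    dirs = path.split("/")[1:-1]
    paths = {"/", path} | {"/" + "/".join(dirs[:i]) + "/" for i in range(1, len(dirs) + 1)}
    if parts.query:
        paths.add(path + "?" + parts.query)
    return sorted(h + p for h in hosts for p in paths)


def full_hashes(url):
    return {hashlib.sha256(e.encode()).digest() for e in expressions(url)}


class LookupServer:
    """Hypothetical server side: holds full hashes, is only ever shown prefixes."""

    def __init__(self, blocklist):
        self.blocklist = set(blocklist)
        self.seen = []  # everything the server learns about client lookups

    def lookup(self, prefixes):
        self.seen.extend(sorted(prefixes))
        return {h for h in self.blocklist if h[:PREFIX_LEN] in prefixes}


def is_flagged(url, server):
    local = full_hashes(url)
    candidates = server.lookup({h[:PREFIX_LEN] for h in local})
    # The verdict is reached on the client: a prefix hit alone proves nothing.
    return bool(local & candidates)


def demo():
    # Constructed data: one listed expression, plus an unrelated entry that
    # shares a 4-byte prefix with a benign page to force a prefix collision.
    listed = hashlib.sha256(b"phish.example.test/login/").digest()
    benign = hashlib.sha256(b"shop.example.test/").digest()
    collider = benign[:PREFIX_LEN] + bytes(28)
    server = LookupServer([listed, collider])
    bad = is_flagged("http://phish.example.test/login/index.html?x=1", server)
    ok = is_flagged("https://shop.example.test/", server)
    return bad, ok, server.seen


if __name__ == "__main__":
    print(demo())
```

The second lookup hits a prefix on the server but is still judged clean, because only the client holds the full hash needed to confirm a match.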

      • That's an insanely fat request/response protocol. They could cut that down to a dozen bytes per update.

        Yes, it would *appear* their system is "unreversible", but statistical analysis has long proved that you only need a little bit of metadata (not even necessarily the payload) to determine the content to a high probability. I don't have time to explain how it works, but it's a very old practice. Among other things it's how Tor connections are tracked by 5 Eyes.

  • next, the system will "protect" us from dissenting opinion on the new thing.
