Skip to main content

Chrome upgrading standard Safe Browsing to work in real-time

For those that want the most secure tier of Google Safe Browsing, Chrome offers “Enhanced protection.” The “Standard protection” in place for all other Chrome Safe Browsing users is now getting a real-time upgrade.

Safe Browsing’s Standard protection works by checking the sites you visit against a local list on your device that is refreshed every 30 to 60 minutes. These hash-based checks (depicted below) have to contend with how the list grows at a “rapid pace” and that “not all devices have the resources necessary to maintain this growing list.”

Since the “average malicious site actually exists for less than 10 minutes,” Google is switching to real-time Safe Browsing for Standard protection users. This will “check sites against Google’s server-side list of known bad sites in real time,” and is expected to block 25% more phishing attempts.

Here’s how it works:

  1. When you visit a site, Chrome first checks its cache to see if the address (URL) of the site is already known to be safe
  2. If the visited URL is not in the cache, it may be unsafe, so a real-time check is necessary.
  3. Chrome obfuscates the URL by following the URL hashing guidance to convert the URL into 32-byte full hashes. 
  4. Chrome truncates the full hashes into 4-byte long hash prefixes.
  5. Chrome encrypts the hash prefixes and sends them to a privacy server
  6. The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users.
  7. The Safe Browsing server decrypts the hash prefixes and matches them against the server-side database, returning full hashes of all unsafe URLs that match one of the hash prefixes sent by Chrome.
  8. After receiving the unsafe full hashes, Chrome checks them against the full hashes of the visited URL.
  9. If any match is found, Chrome will show a warning.

On the privacy front, this real-time approach “doesn’t share the URLs of sites you visit with Google” thanks to an “Oblivious HTTP (OHTTP) privacy server between Chrome and Safe Browsing” operated by CDN provider Fastly:

Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes. No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private.

Compared to Enhanced protection (chrome://settings/security), the Standard tier “can only protect you from sites that Safe Browsing has already confirmed to be unsafe”:

…Enhanced protection mode is able to use additional information together with advanced machine learning models to protect you from sites that Safe Browsing may not yet have confirmed to be unsafe, for example because the site was only very recently created or is cloaking its true behavior to Safe Browsing’s detection systems. 

This is rolling out first to desktop Chrome and iOS, with Android support arriving later this month.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications