Google Introduces Real-Time Safe Browsing in Chrome
Google has unveiled a significant update to its Safe Browsing feature in Chrome, which will now operate in real-time by verifying URLs against a server-side list, all without compromising user privacy.
Moving Away from Local Lists
In the past, Chrome would download a list of known malicious sites, including those hosting malware, unwanted software, and phishing scams, once or twice per hour. However, with the new system, Chrome will send the URLs you visit to its servers and cross-reference them with a frequently updated list. This approach is more effective because, as Google points out, the average malicious site is only active for about 10 minutes.
According to Google, this server-side system can detect up to 25% more phishing attempts compared to using local lists. Moreover, these local lists have grown in size, putting a greater burden on low-end devices and slow internet connections.
Rollout and Availability
The new real-time Safe Browsing feature is currently being rolled out to desktop and iOS users, with Android support expected later this month.
Ensuring User Privacy
Google has taken great care to explain how this real-time system can function without compromising user privacy. The process works as follows:
- When a user visits a site, Chrome first checks its cache to determine if the URL is already known to be safe.
- If the URL is not in the cache, it may be unsafe, and a real-time check is initiated.
- Chrome obfuscates the URL by converting it into 32-byte full hashes using URL hashing guidance.
- The full hashes are then truncated into 4-byte long hash prefixes.
- These hash prefixes are encrypted and sent to a privacy server.
- The privacy server removes any potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a secure TLS connection that mixes requests from many Chrome users.
- The Safe Browsing server decrypts the hash prefixes and matches them against its database, returning full hashes of all unsafe URLs that match the sent hash prefixes.
- Chrome then checks the received unsafe full hashes against the full hashes of the visited URL.
- If a match is found, Chrome displays a warning to the user.
Collaboration with Fastly
A key component of this privacy-focused system is the privacy server, which Google has implemented in partnership with Fastly, a CDN and edge computing specialist. Fastly’s Oblivious HTTP privacy server sits between Chrome and Safe Browsing, stripping out any identifying information from the browser request.
These servers are operated independently by Fastly, ensuring that Google’s Safe Browsing service never sees the user’s IP address. At the same time, Fastly cannot see the URLs either, as they are encrypted by the browser using a public-private key that Fastly cannot access.
With this innovative approach, Google aims to provide a more effective and responsive Safe Browsing experience while maintaining user privacy.
4 Comments
Great news for internet security, but will this lead to over-censorship of the web
Safer browsing is always good, but at what cost to free speech online
Hopefully this doesn’t slow down my browsing experience too much!
Another step towards a safer internet, but also towards more control and surveillance