Google on Thursday announced an improved version of Safe Browsing to provide real-time URL protection, preserving privacy and safeguarding users from visiting potentially harmful sites.
“The standard protection mode for Chrome on desktop and iOS will check sites against Google’s server-side list of known malicious sites in real time,” said Google’s Jonathan Li and Jasika Bawa.
“If we suspect a site poses a risk to you or your device, you’ll see an alert with more information. By checking sites in real time, we expect to block 25% more phishing attempts.”
Until now, the Chrome browser used a locally stored list of known unsafe sites that was updated every 30 to 60 minutes, then using a hash-based approach to compare each visited site against the database.
Google first revealed its plans to move to real-time server-side controls without sharing users’ browsing history with the company in September 2023.
The reason for the change, explains the search giant, is motivated by the fact that the list of malicious websites grows rapidly and that 60% of phishing domains exist for less than 10 minutes, making them difficult to block.
“Not all devices have the resources necessary to maintain this growing list, nor are they always capable of receiving and applying updates to the list as frequently as necessary to benefit from comprehensive protection,” he added.
Therefore, with the new architecture, every time a user attempts to visit a website, the URL is compared against the browser’s global and local caches containing URLs known to be safe and the results of previous Safe Browsing checks to determine the status of the site.
If the visited URL is missing from the caches, a real-time check is performed by obfuscating the URL into full 32-byte hashes, which are then truncated into 4-byte long hash prefixes, encrypted, and sent to a privacy server.
“The privacy server removes potential user identifiers and forwards encrypted hash prefixes to the Safe Browsing server over a TLS connection that mixes requests with many other Chrome users,” Google explained.
The Safe Browsing server then decrypts the hash prefixes and compares them to the server-side database to return the full hashes of all insecure URLs that match one of the hash prefixes sent by the browser.
Finally, on the client side, the full hashes are compared to the full hashes of the visited URL and a warning message is displayed if a match is found.
Google also confirmed that the privacy server is nothing more than an Oblivious HTTP (OHTTP) relay operated by Fastly that interposes itself between Chrome and the Safe Browsing server to prevent the latter from accessing users’ IP addresses, thus preventing them from correlate URL checks with a user’s Internet browsing history.
“Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes,” the company pointed out. “No party has access to both your identity and hash prefixes. Therefore, your browsing activity remains private.”