
Google on Thursday released enhancements to Safe Browsing to provide instant, privacy-preserving URL protection and protect users from visiting potentially malicious websites.
Google’s Jonathan Li and Jasika Bawa said: “Chrome’s standard protected mode on desktop and iOS will check websites in real time against Google’s server-side list of known bad sites.”
“If we suspect a website poses a risk to you or your device, you’ll see a warning with more information. By checking websites in real time, we estimate we can block 25% more phishing attempts.”
Until now, Chrome used a locally stored list of known unsafe sites, which was updated every 30 to 60 minutes, and then used a hash-based method to compare each site visited against the database.

Google first revealed plans in September 2023 to move to real-time server-side inspection without sharing user browsing history with the company.
The search giant said it made the change because the list of harmful sites is growing rapidly and 60% of phishing domains are less than 10 minutes old, making them difficult to block.
It added: “Not all devices have the resources required to maintain this growing inventory, and are not always able to receive and apply inventory updates at the frequency needed to benefit from comprehensive protection.”
Therefore, with the new architecture, each time a user attempts to visit a website, the URL is checked against the browser’s global and local cache (which contains known safe URLs) and the results of previous Safe Browsing checks to determine the website’s state.

If the accessed URL is not in the cache, a real-time check is performed: the URL is obfuscated into a 32-byte full hash, which is then truncated to a 4-byte hash prefix, encrypted, and sent to a privacy server.
Google explains: “Privacy servers remove potential user identifiers and forward the encrypted hash prefix to Safe Browsing servers over a TLS connection that mixes the request with many other Chrome users.”
The Safe Browsing server then decrypts the hash prefix and matches it against a server-side database to return the full hash value of all unsafe URLs that match one of the hash prefixes sent by the browser.

Finally, on the client side, the full hash value is compared with the full hash value of the accessed URL, and if a match is found, a warning message is displayed.
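The prefix lookup described above, sketched as an added example (not Google's or Chrome's code): a toy client and in-memory server using SHA-256 full hashes over constructed URLs, including a benign page whose prefix collides with an unsafe entry. URL canonicalization, prefix encryption and the OHTTP relay are left out, and `ToyServer` and `ToyClient` are hypothetical names.

```python
import hashlib

PREFIX_LEN = 4  # bytes of the 32-byte full hash that leave the browser

def full_hash(url_expr: str) -> bytes:
    # Safe Browsing full hashes are SHA-256; canonicalization is assumed done.
    return hashlib.sha256(url_expr.encode("utf-8")).digest()

class ToyServer:
    """Stand-in for the server-side database; it only ever sees prefixes."""
    def __init__(self, unsafe_full_hashes):
        self.by_prefix = {}
        for h in unsafe_full_hashes:
            self.by_prefix.setdefault(h[:PREFIX_LEN], set()).add(h)
        self.seen = []  # every prefix the server has learned

    def lookup(self, prefix: bytes) -> set:
        self.seen.append(prefix)
        return set(self.by_prefix.get(prefix, ()))

class ToyClient:
    def __init__(self, server, known_safe=()):
        self.server = server
        self.safe = {full_hash(u) for u in known_safe}  # known-safe cache
        self.verdicts = {}  # results of previous checks

    def is_unsafe(self, url_expr: str) -> bool:
        h = full_hash(url_expr)
        if h in self.safe:
            return False
        if h not in self.verdicts:
            # Only the 4-byte prefix is sent; the match is decided locally.
            self.verdicts[h] = h in self.server.lookup(h[:PREFIX_LEN])
        return self.verdicts[h]

def demo():
    # Constructed sample data, not real Safe Browsing entries.
    bad = full_hash("phish.example/login")
    # A different unsafe entry that shares a prefix with a benign page.
    decoy = full_hash("news.example/")[:PREFIX_LEN] + bytes(28)
    client = ToyClient(ToyServer([bad, decoy]), known_safe=["safe.example/"])
    urls = ["safe.example/", "phish.example/login", "news.example/",
            "phish.example/login"]
    return [client.is_unsafe(u) for u in urls], client.server.seen

if __name__ == "__main__":
    print(demo())
```

The server records two prefixes for four visits: the known-safe URL and the repeat visit are answered from the caches, and the colliding benign page is cleared by the local full-hash comparison.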
Google also confirmed that the privacy server is nothing more than an Oblivious HTTP (OHTTP) relay run by Fastly that sits between Chrome and the Safe Browsing server, preventing the latter from seeing the user’s IP address and thus from linking URL checks to the user’s browsing history.
“Ultimately, Safe Browsing will see the hash prefix of your URL but not your IP address, while Privacy Server will see your IP address but not the hash prefix,” the company emphasizes. “No party has access to your identity and hash prefix. Therefore, your browsing activity remains private.”