developers.google.com/safe-browsing/ is good documentation on how the Safe Browsing API used by browsers (Chromium, Firefox, Safari, etc.) works. It searches a database based on a truncated hash (4 bytes) of a canonicalized URL. It leaks some information, but doesn't send URLs directly.
Conversation
Safe Browsing isn't currently supported by GrapheneOS and won't be enabled by default with the standard approach. It leaks too much. I haven't done anything to intentionally break it and wouldn't mind it as an optional feature, but the default mobile approach uses Play Services.
Replying to
Some work would need to be done to set up the alternate mobile implementation. Enumerating badness is not a workable approach to security so this hasn't been a priority. I also don't think the attempt at providing privacy is good enough. How large is the entire database anyway?
1
3
I'm curious if it's feasible to just regular scrape the entire Safe Browsing database and then download the full database from a GrapheneOS server on a regular basis. The standard approach seems to trend towards that anyway... and updates to the database can be done via deltas.
3
3
Replying to
It fetches the database based on a 4 byte truncated hash of canonicalized URLs (which strips out a bunch of data before hashing). So, for cases where it didn't already have an updated list of hashes for that truncated hash, it leaks the fact that you're visiting one of many URLs.
1
Show replies