developers.google.com/safe-browsing/ is good documentation on how the Safe Browsing API used by browsers (Chromium, Firefox, Safari, etc.) works. It searches a database based on a truncated hash (4 bytes) of a canonicalized URL. It leaks some information, but doesn't send URLs directly.
Conversation
Safe Browsing isn't currently supported by GrapheneOS and won't be enabled by default with the standard approach. It leaks too much. I haven't done anything to intentionally break it and wouldn't mind it as an optional feature, but the default mobile approach uses Play Services.
2
4
Some work would need to be done to set up the alternate mobile implementation. Enumerating badness is not a workable approach to security so this hasn't been a priority. I also don't think the attempt at providing privacy is good enough. How large is the entire database anyway?
1
3
I'm curious if it's feasible to just regular scrape the entire Safe Browsing database and then download the full database from a GrapheneOS server on a regular basis. The standard approach seems to trend towards that anyway... and updates to the database can be done via deltas.
3
3
Replying to
Perhaps, but I'd just not support it. Concept of trusting Google to decide if sites are malicious is bogus.
1
2
If they have browser attacking malware, you should be pulling browser update not vulnerable rather than updating safe browsing list. If it's just phishing sites, meh.
1
Replying to
The vast majority of it is countering phishing / social engineering sites.
I don't like that it doesn't seem possible to obtain the full list. Obtaining a full database would seemingly require obtaining all of the hashes by iterating through all the 4 byte hash prefixes and that's still not a list of URLs but rather hashes of them.
1