Google Safe Browsing

From LinuxReviews
Jump to navigationJump to search
Find softlist.png

Google "Safe Browsing" is a online API service which checks web URLs against a blacklist which includes sites and links Google believes are harmful. Google story is that links included in the blacklist are either malware or phishing scam attempts. Most web browsers default to using the Google "safe" browsing list through an online API.

Privacy implications

Most Web browsers and devices with "Safe Browsing" enabled will report every single web page you visit to Google. Some browsers download a blacklist regularly and check against that locally, others will send every web requests to Googles safebrowsing API. The browsers who download blacklist snapshots and check against that locally stored blacklist will still make requests to the online API on a regular basis. The URLs in the blacklist are hashed and stripped down to the first 32 bits of those hashes. That makes collisions likely. URLs matching the local blacklist are therefore checked against the online API in order to verify if the page is actually blacklisted or not.

Some browsers and devices submit the URL as plain text, others submit a hash. Which is used makes no difference when it comes to privacy implications.

Wikipedia story as of October 2019 is that

" "The URLs to be looked up are not hashed so the server knows which URLs the API users have looked up". The Safe Browsing Update API, on the other hand, compares 32-bit hash prefixes of the URL to preserve privacy. The Chrome, Firefox and Safari browsers use the latter."

Wikipedia story regarding hashes "preserving privacy" may sound reasonable to non-technical people but it is laughable from a technical perspective. Google has a table of hashes and URLs which means that they can look up any hash you submit and plainly see the URL and it makes no difference which one you submit. If the URLs are checked against a locally stored blacklist which is updated regularly or a online API does matter.

"Harmful" by Default

Google was adding sites offering "Uncommon" files as "harmful" as of December 2019[1].

Safebrowsing-warning-uncommon-downloads.png

This is a problem for free software developers, shareware developers and anyone else posting their own software on the Internet for that matter. The criteria for claiming the Windows version of the bsnes SNES emulator is "harmful", is, apparently, that it is "Uncommon". Any freshly compiled executable will, naturally, be uncommon.

Google classifying "uncommon" files has "harmful" is problematic. Files not published by a large "approved" corporation are classified as malware by default as of December 2019 - executable files are apparently guilty until .. the common phrase would be "proven innocent" - but there does not appear to be any clear way of doing that. byuu, the developer of bsnes, reports that files remain classified as "harmful content" even if Google does a manual review and finds the file to be harmless and legitimate.

Google publishes page titled "Unwanted Software Policy"[2]" which lists a set of criteria Google demands everyone follow or Google will "take steps". Nothing in that policy specifies that a piece of software linked to on a web page is forbidden if it is "Uncommon" yet that is something they use as a "reason" to place free software on their blacklist.

It is also worth mentioning that there are two points in Googles "Unwanted Software Policy"[2] which may be problematic from a free software perspective.

  1. "Programs should have a valid and verified code signature issued by a code-signing authority that presents verifiable publisher information."
  2. "The software and download page must contain a link to an End User License Agreement (EULA) or Terms of Service (TOS)."

Getting a "code-signing authority" to sign Windows binaries or GNU/Linux AppImages requires a registered corporation and it is far from free. The free software community will typically provide GPG signatures signed by the projects own key. It is also common to simply refer to the GNU General Public License or the three clause *BSD license when it comes to a "license agreement" and "Terms Of Service" isn't a thing within the free software community.

Googles Harmful by Default policy towards free software places the validity of their "Safe Browsing" program in question. It is marketed as something which will warn you if something is bad while it in reality warns about everything which is not well-known to be good.

If you are unsure if you are using the "Safe Browsing" blacklist then you probably are

It is used everywhere.

The "Safe Browsing" service is enabled in the vast majority of common desktop web browsers:

  • Google Chrome
    • Chromium
    • Not Ungoogled-Chromium and Chromium Privacy
  • Safari
  • Firefox
  • Vivaldi
  • GNOME Web

It is also used by Google's own services like Google Search, Google Adsense and Gmail.

HOWTO disable Google "Safe Browsing"

Mozilla Firefox

Firefox downloads snapshots of the Google Safe Browsing list and checks URLs against locally stored snapshots. The local snapshot is limited to the first 32 bits of blacklisted URL hashes which means that there is room for collisions (false positives). Firefox sends a hash of the URL you visit to Google every time there is a collision. Firefox will also send the URL of all the files you download to the Googles API.

Disabling "Safe Browsing" in Firefox is easy. Choose the menu item Edit and then Preferences or click the hamburger menu on the right side of the URL bar and choose Preferences to get to the settings. Next, choose Privacy & Security and scroll down to "Deceptive Content and Dangerous Software Protection" and uncheck Block dangerous and deceptive content. Changing this setting will change two keys to false in about:config: browser.safebrowsing.malware.enabled and browser.safebrowsing.phishing.enabled.

Mozilla has a FAQ about this functionality called How does built-in Phishing and Malware Protection work?.

Chromium

Go to chrome://settings/people or click the menu button in the upper right corner and choose Settings and then People. Scroll down to Privacy and security and click on Sync and Google services. That page has an option you can turn off called Safe Browsing (protects you and your device from dangerous sites).

References

  1. Google’s Monopoly is Stifling Free Software by byuu, Decmeber 29th, 2019
  2. 2.0 2.1 google.com: Unwanted Software Policy checked 2019-12-31


Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.