undefined | Better HN

0 pointsgroovybits6y ago0 comments

<< it also connects to Google's SafeBrowsing servers. >>

As a privacy enthusiast, what's wrong with Google's SafeBrowsing service? It provides protection from low-hanging fruit with anonymized data (hashes of URLs).

0 comments

heartbeats6y ago

It's not very anonymized. Google already has a list of URLs, so they can just hash them all and see what matches. And if they have URL 1, 2, and 4, odds are they can interpolate to find out what #3 is.

tialaramex6y ago

> so they can just hash them all and see what matches

Matches _what_ ? Firefox doesn't send hashes to Google Safe Browsing. This would not only be a privacy problem it would also make the browser much too slow. Instead Firefox periodically downloads a summary of what might be unsafe, and then it compares hashes to that summary. If there's a match in the summary (rare but it happens) it fetches more detailed parts of the total Safe Browsing map to make a decision.

As a rule of thumb I'd say when a person complains about Safe Browsing without any clue how it actually works I'm confident they're exactly the type of "power user" who most needs Safe Browsing to keep them out of trouble because they're falsely confident in their own abilities.

throwaway20486y ago

It does however request hash prefixes, then google sends to the client all bad URLs that match, that is what can be brute forced with relative ease, if you already have a stream of previous they are visiting (via google analytics, google captcha, and other matched hashes). Especially if you know most every URL on the internet already. (hash them, then look it up in a table).

Anonymization is a very tricky subject, and there is a lot of techniques that get trumpeted but are absolutely not effective assuming a bad faith actor.

1 more reply

XzetaU86y ago

That's not how GSB works in firefox.

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-...

Anon10966y ago

I don't think you understand what anonymized means. Yes they know that someone went to those URLs... but they can't link it to a person. So it's anonymous.

propogandist6y ago

The request originates and returns to an IP address, your IP address. It's not anonymous.

1 more reply

j / k navigate · click thread line to collapse

0 comments

heartbeats6y ago

tialaramex6y ago

> so they can just hash them all and see what matches

throwaway20486y ago

Anonymization is a very tricky subject, and there is a lot of techniques that get trumpeted but are absolutely not effective assuming a bad faith actor.

1 more reply

XzetaU86y ago

That's not how GSB works in firefox.

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-...

Anon10966y ago

I don't think you understand what anonymized means. Yes they know that someone went to those URLs... but they can't link it to a person. So it's anonymous.

propogandist6y ago

The request originates and returns to an IP address, your IP address. It's not anonymous.

1 more reply

j / k navigate · click thread line to collapse