Real-Time URL Protection Introduced For Chrome Users By Google

Google Enhances Safe Browsing with Real-Time URL Protection

Published on March 19th, 2024

Google recently announced an improved version of Safe Browsing that provides real-time, privacy-preserving URL protection and safeguards users from visiting potentially malicious sites.

“The Standard protection mode for Chrome on desktop and iOS will check sites against Google’s server-side list of known bad sites in real-time,” said Google’s Jonathan Li and Jasika Bawa.

“If we suspect a site poses a risk to you or your device, you’ll see a warning with more information. By checking sites in real time, we expect to block 25% more phishing attempts.”

Previously, the Chrome browser used a locally-stored list of known unsafe sites that was updated every 30 to 60 minutes. It then leveraged a hash-based approach to compare every visited site against the database.

Real-Time URL Protection

Google first revealed its plans to switch to real-time server-side checks without sharing users’ browsing history with the company in September 2023.

The search giant explained that the reason for the change is because the list of harmful websites is growing rapidly.

They stated that 60% of phishing domains exist for less than 10 minutes, making them difficult to block with the old system.

“Not all devices have the resources necessary to maintain this growing list, nor are they always able to receive and apply updates to the list at the frequency necessary to benefit from full protection,” Google added.

With the new architecture, every time a user tries to visit a website, the URL is checked against the browser’s global and local caches containing known safe URLs and the results of previous Safe Browsing checks to determine the site’s status.

If the visited URL isn’t found in the caches, a real-time check is performed.

This is done by obfuscating the URL into 32-byte full hashes, which are then truncated into 4-byte long hash prefixes. These prefixes are encrypted and sent to a privacy server.

“The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users,” Google explained.

The Safe Browsing server then decrypts the hash prefixes and matches them against the server-side database.

It returns full hashes of all unsafe URLs that match one of the hash prefixes sent by the browser.

Finally, on the client side, the full hashes are compared against the full hashes of the visited URL. If a match is found, a warning message is displayed.

Google also confirmed that the privacy server is essentially an Oblivious HTTP (OHTTP) relay operated by Fastly.

This relay sits between Chrome and the Safe Browsing server to prevent the latter from accessing users’ IP addresses. This prohibits it from correlating the URL checks with a user’s internet browsing history.

“Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes,” the company emphasized.

“No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private.”

Check weak and reused passwords with Password Checkup.