Google is updating its Safe Browsing feature in Chrome to add real-time protection against unsafe URLs, without disclosing your browsing habits to Google.
Chrome’s standard Safe Browsing feature has traditionally worked by storing a list of potentially unsafe URLs on the user’s device, which Google updates every 30 to 60 minutes. When a user visits a website, Chrome checks the URL against this local list and alerts the user if there’s a match. However, many harmful sites are active for less than 10 minutes, so this update delay means that some unsafe sites go undetected.
Safe Browsing’s opt-in Enhanced protection mode uses Google’s Safe Browsing server-side database, which catches unsafe URLs much faster, in real time. It’s an opt-in feature because it requires you to provide security-related data for full protection.
Google says the latest update to Safe Browsing addresses the privacy issue by integrating an API that conceals the URLs of visited sites from Google. The company explains that for sites not found in its database, it will now perform a real-time check and send an encrypted version of the URLs to a privacy server operated independently by Fastly.
The privacy server removes potential user identifiers, such as IP addresses, from the URL. It then forwards the URL to Safe Browsing’s server-side database through a secure TLS connection, blending your request with those from other Chrome users to safeguard your anonymity.
Safe Browsing decrypts the URL to its full hash form, keeping the actual URL hidden, and then compares it with its database. If there’s a match, Google will receive only this encrypted hash form and alert the user.
Google says that this process keeps your browsing activity private and prevents any party from seeing both your IP address and the URL’s hash prefixes. It expects to block 25% more phishing attempts this way.
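The hash-prefix lookup that this process relies on can be sketched as below. This is an added example, not code from Google, Chrome or Fastly: it follows the publicly documented Safe Browsing scheme of SHA-256 hashes truncated to 4-byte prefixes. As assumptions, the function names and the blocklist entry are hypothetical, and URL canonicalization and the encrypted relay hop are omitted.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest that leave the device

def url_expressions(url):
    """Host-suffix/path-prefix strings checked for one URL.
    Simplified: no canonicalization (percent-decoding, IP hosts, ports)."""
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    # Exact host, then suffixes of the last five labels, stopping before the bare TLD.
    hosts = [parts.hostname]
    for i in range(max(len(labels) - 5, 1), len(labels) - 1):
        hosts.append(".".join(labels[i:]))
    path = parts.path or "/"
    # Exact path with and without query, then "/" and up to three directory prefixes.
    paths = [path + "?" + parts.query] if parts.query else []
    paths += [path, "/"]
    prefix = "/"
    for segment in path.split("/")[1:-1][:3]:
        prefix += segment + "/"
        paths.append(prefix)
    return [h + p for h in hosts for p in dict.fromkeys(paths)]

def full_hash(expression):
    return hashlib.sha256(expression.encode()).digest()

def make_server(blocklisted_expressions):
    """Hypothetical stand-in for the server-side database."""
    database = [full_hash(e) for e in blocklisted_expressions]
    def lookup(prefixes):
        # The server sees only truncated hashes and returns candidate full hashes.
        return [h for h in database if h[:PREFIX_LEN] in prefixes]
    return lookup

def check_url(url, lookup):
    """Return (matched expressions, prefixes sent); the match is decided locally."""
    local = {full_hash(e): e for e in url_expressions(url)}
    prefixes = sorted({h[:PREFIX_LEN] for h in local})
    matches = [local[h] for h in lookup(prefixes) if h in local]
    return matches, prefixes

if __name__ == "__main__":
    server = make_server(["phish.example/login/"])  # constructed blocklist entry
    for url in ("http://cdn.phish.example/login/index.html?id=7",
                "https://docs.example.org/guide/"):
        matched, sent = check_url(url, server)
        print(url, "->", matched or "no match", "| sent:", [p.hex() for p in sent])
```

Because only 4-byte prefixes are sent, the server learns a set of truncated hashes rather than the URL, and the final comparison against full hashes happens on the client.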
The feature is now available on Chrome for desktop and iOS, with a rollout to Android planned for later this month.