The new system works by obfuscating and encrypting the URL in the browser. The result is sent to a privacy server, which removes potential user identifiers before forwarding the encrypted hash prefixes to the Safe Browsing server. Google has partnered with Fastly to use its Oblivious HTTP privacy server, which anonymizes users' metadata while still allowing data to be exchanged with a web application. This ensures that Google's Safe Browsing service never sees users' IP addresses and Fastly doesn't see the URLs, as they are encrypted by the browser.
Key takeaways:
- Google is updating its Safe Browsing feature in Chrome to work in real time by checking against a server-side list, without sharing users' browsing habits.
- The new system will send the URLs users are visiting to Google's servers and check them against a rapidly updated list there, potentially catching up to 25% more phishing attacks.
- Google has partnered with Fastly to use Fastly's Oblivious HTTP privacy server, which anonymizes user metadata while still allowing data to be exchanged with a web application.
- With this new system, Google's Safe Browsing service should never see a user's IP address and Fastly won't see the URLs either, as they are encrypted by the browser.
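
The split of knowledge described above can be made concrete with a small simulation. This is an added example, not Google's or Fastly's code: every function name is hypothetical, the addresses and URLs are constructed, a SHA-256 hash truncated to 4 bytes is assumed for the prefix, and a toy XOR cipher stands in for Oblivious HTTP's real encryption.

```python
import hashlib
from dataclasses import dataclass

PREFIX_LEN = 4                 # bytes; assumed, the page gives no prefix length
RELAY_IP = "198.51.100.1"      # constructed address for the privacy server

@dataclass
class Seen:
    """What one party could log about a single lookup."""
    party: str
    source_ip: str
    payload: bytes

def hash_prefix(url: str) -> bytes:
    # Simplification: hashes the raw URL string, with no canonicalization.
    return hashlib.sha256(url.encode()).digest()[:PREFIX_LEN]

def toy_seal(key: bytes, data: bytes) -> bytes:
    # Stand-in for the browser-to-Safe-Browsing encryption. NOT secure:
    # XOR with a hash-derived keystream, used only to make the roles visible.
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

toy_open = toy_seal  # XOR is its own inverse

def privacy_server(client_ip: str, sealed: bytes, log: list):
    # Sees who is asking, but only ciphertext; forwards under its own address.
    log.append(Seen("privacy_server", client_ip, sealed))
    return RELAY_IP, sealed

def safe_browsing(source_ip: str, sealed: bytes, key: bytes, unsafe: set, log: list) -> bool:
    # Sees the hash prefix, but only the privacy server's address.
    prefix = toy_open(key, sealed)
    log.append(Seen("safe_browsing", source_ip, prefix))
    return prefix in unsafe

def check_url(url: str, client_ip: str, key: bytes, unsafe: set):
    """Run one lookup; return (prefix_on_list, what each party saw)."""
    log = []
    sealed = toy_seal(key, hash_prefix(url))          # done in the browser
    source_ip, forwarded = privacy_server(client_ip, sealed, log)
    return safe_browsing(source_ip, forwarded, key, unsafe, log), log

if __name__ == "__main__":
    key = b"constructed-demo-key"
    unsafe = {hash_prefix("http://phish.example/login")}   # constructed list
    for url in ("http://phish.example/login", "https://safe.example/"):
        hit, log = check_url(url, "203.0.113.7", key, unsafe)
        print(url, "-> on list" if hit else "-> not on list")
        for seen in log:
            print("   ", seen.party, seen.source_ip, seen.payload.hex())
```

Running it prints, for each lookup, the source address and payload each party observed: the privacy server's entry pairs the client address with ciphertext, and the Safe Browsing entry pairs the hash prefix with the privacy server's address.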