Experts comment on `` safe browsing function '' that actually is safe and nothing


by

Darwin Laganzon

Mr. Matthew Greene, a security researcher at Johns Hopkins University and an expert in cryptography, explains in detail what is the Safe Browsing function and what is the problem?

How safe is Apple's Safe Browsing?? A Few Thoughts on Cryptographic Engineering
https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-browsing-might-not-be-that-safe/

In October 2019, Reclaim The Net, an IT media specialized in privacy-related information, pointed out that 'iPhone is sending data to China through Safari's Safe Browsing function'. For some time, it was reported that Apple transferred iCloud data to China with the account release key and that the application used for demonstration activities in Hong Kong was deleted from the App Store , the Chinese government Among some iOS users who were worried about Apple's obedient attitude, there was a sudden increase in privacy concerns.

The following article details the issues of Safari's Safe Browsing feature.

The possibility that the iPhone was sending Safari data to Chinese companies emerged, Apple denied-GIGAZINE



Mr. Green, who was in contact with this report, was surprised, 'Wait, Apple is sending a URL to Chinese company Tencent !?'




As a security expert, Green, who decided to investigate this matter in detail, notices that “there is little specific information and the safe browsing function itself is not well known”. Therefore, Green published a blog post titled 'How Safe is Apple's Safe Browsing Function?' And explained what the safe browsing function is in the first place.

◆ Summary of Safe Browsing function
Google was the first to release safe browsing for mobile. In December 2015, Google introduced Safe Browsing to Chrome, which was a browser for Android at the time, and started efforts to protect the browser from dangers such as phishing websites.

However, because the early safe browsing function exchanged URLs in plain text, “This API was like a nightmare,” Green recalls.

Since then, Google ’s Safe Browsing feature has become more sophisticated, and after it has been called the “Updated API”, it has been protected by following four steps.

1: First, Google collects dangerous URLs into a database and hashes them with the SHA-256 algorithm. The database is then compressed by shortening the hash to a 32-bit prefix .
2: Google sends the database to the browser in the form of a shortened hash.
3: Every time the browser accesses the URL, it will hash the URL and check it against the database sent by Google.
4: If the URL matches the prefix, the browser sends the prefix to Google's server. When Google receives this and returns all URLs that match the database as a list of 256-bit hashes, the browser checks whether the URL in question exactly matches a known dangerous URL, and if it matches, accesses Shut off.


by

Gerd Altmann

At this time, because the user's IP address and other identifiers are checked at each stage where Google and the browser communicate, cookies may be collected on Google servers. In other words, providers of safe browsing functions such as Google can divert safe browsing functions to track and monitor individuals if they want to do so.

In fact, the paper (PDF file) that researched the safe browsing function of Google and Russian search engine Yandex (PDF file) stated that `` It was caused by poor communication between browser and server from Google and Yandex servers, or a specific URL We have detected a number of prefixes that may have been intentionally mixed in to track the server, but the risk is very low for Google ’s servers, but it ’s considered quite dangerous for Yandex ’s servers. ” It has been reported.

Mr. Green, who discovered this research report, gave a moan “Ugee”.



Based on these points, Mr. Green pointed out that “the weakness of this method is that only a certain level of privacy is guaranteed”. From a privacy perspective, we warn that the safe browsing feature is not completely safe.

◆ Can safe browsing providers be trusted?
Therefore, the important question is 'Is safe browsing provider reliable?' Specifically, the focus is on the trustworthiness of Google and Tencent , providers of safe browsing capabilities that have been revealed in the aforementioned Safari issue.

An iOS display explaining that Safari is sending prefixes and IP addresses to Google and Tencent.



For example, when Google receives a request from the FBI, an American investigative agency, Google submits data to the FBI in principle. However, after reviewing the FBI search warrant, if there is a request for data that is not necessary for the search, the warrant will be returned, or when submitting the data, the Google record manager will appear in the court and verify the authenticity of the data to be submitted We are working to ensure that the data we hold is not disclosed, such as by making a vow to guarantee.

You can read about the process by which Google submits data to investigative agencies in one shot by reading the following article.

What are the tips for successfully using G Suite, as revealed by a former Google employee? -GIGAZINE



Green said, “As a privacy-conscious person, we conclude that Google ’s risk of privacy infringement is commensurate with the need to protect users from malicious websites,” Google said. Evaluated that the approach is trustworthy. It shows that the safe browsing feature provided by Google is worth a certain amount of privacy.

Also, as for Apple sending data not only to Google but also to Tencent, Mr. Green said, `` Apple's transfer of iCloud data to the Chinese company mentioned above is the result of complying with Chinese law, `` Apple Seems to have had no other choice than to do so. ' On the other hand, “Apple should not have silently handed over data to China. Although journalists pulled out information from Apple, various facts became clear, but we still do not know 'There are many,' he pointed out and reproved Apple's attitude not to reveal inconvenient facts.

Green added: “Apple has two different faces. One is the face of a company that prioritizes user freedom by leveraging technologies such as the“ Find My ”feature. The other is the face of a company that sacrifices user freedom in China. Apple seems to be able to use these two faces at will, but I'm very doubtful, 'he said.

in Software,   Security, Posted by log1l_ks