Q&A Google Chrome 92 Blocks Phishing Attacks Faster

Marko :)

Chrome relies on Google SafeBrowsing, as does Brave (albeit via proxy, I believe). Edge has SmartScreen which is already superior to GSB, at least quality-wise if not also speed.
Google Safe Browsing has something better; something that SmartScreen doesn't have—privacy.

Instead of every URL sent to Google for inspection, everything is done on client's device so Google doesn't know what you're browsing.
SmartScreen works a different way; it sends full URLs of visited websites to Microsoft in unencrypted format via SSL.
 

qua3k

Google Safe Browsing has something better; something that SmartScreen doesn't have—privacy.

Instead of every URL sent to Google for inspection, everything is done on client's device so Google doesn't know what you're browsing.
SmartScreen works a different way; it sends full URLs of visited websites to Microsoft in unencrypted format via SSL.
That isn’t exactly true. Chrome downloads the safe browsing list and compares all sites you visit against this list, and sends a partial hash of the URL to Google if deemed dangerous. Edge downloads a local copy of the SmartScreen list and compares the URLs you visit against it; any URL that is not in the “top sites” is sent unhashed to Microsoft. This behavior can be reproduced in Chrome but it is opt in by default.
 

Marko :)

That isn’t exactly true. Chrome downloads the safe browsing list and compares all sites you visit against this list, and sends a partial hash of the URL to Google if deemed dangerous.
Well, duh. It sends just part of the URL and it's hashed before sending. And it only sends it if you came across dangerous site. I find that acceptable since in any case Google won't get any idea what sites I visit.
Edge downloads a local copy of the SmartScreen list and compares the URLs you visit against it; any URL that is not in the “top sites” is sent unhashed to Microsoft. This behavior can be reproduced in Chrome but it is opt in by default.
Their top sites list probably contains only Microsoft's domains because when I played with Fiddler, all URLs were sent; it didn't matter how popular site was. And it was all unhashed. Not to mention it used to send user IDs along to Microsoft so they had pretty good idea where the one surfs. And it's worth to keep in mind; just because the site is popular, it doesn't mean it's safe. There were plenty of cases popular websites became malicious.

This behavior can be reproduced in Chrome but it is opt in by default.
It can, but again, it's hashed. Even with maximum protection enabled (which has to be manually), Google still doesn't have any idea where I surf.
On the other hand, SmartScreen has just two options—ON and OFF. You're either protected or vulnerable. If they implemented Google's way of protection, I'd be happy to use Edge and SmartScreen. Until then, SmartScreen stays disabled completely on my PC.
 

qua3k

It can, but again, it's hashed. Even with maximum protection enabled (which has to be manually), Google still doesn't have any idea where I surf.
Privacy theater. It’s trivial for Google, Microsoft, or anyone else to compute the hashes of every site in the Alexa Top 10 Million. If you don’t trust the server, hashing the URLs of the sites you visit won’t change anything.
 

Marko :)

Privacy theater. It’s trivial for Google, Microsoft, or anyone else to compute the hashes of every site in the Alexa Top 10 Million. If you don’t trust the server, hashing the URLs of the sites you visit won’t change anything.
Not quite. Here's why.

Yes, you can decrypt simple domain names without any issue. Example; www.google.com is 191347bfe55d0ca9a574db77bc8648275ce258461450e793528e0cc6d2dcf8f5 hashed by SHA-256. Now, if we change from that to www.Google.com (yes, just uppercase letter G) the entire SHA-256 hash changes and is now fb0d6fbb3fff0090731e98c9d3088f9b0dcbcbd45d42b32ba6ea5b07ffd4840a.

While you could easily decrypt the first hash, unless you know what change was made to generate the new SHA-256 hash, there is no way to decrypt it. Don't believe me? Here's the website that tries to decrypt the SHA-256. If you enter first hash, you get the result as www.google.com; but when you enter the second hash, it says that match isn't found in their database so they can't show the result.


Now, if you can't decrypt that simple change. How could you decrypt the entire URL? You can't. That's why Google's implementation is much, much better than SmartScreen is. In fact, Chrome will only send hash if you came across malicious website; if not, it won't send anything because all other checks are done locally, on your device. Meanwhile, at Microsoft, they don't have to go through all that trouble because full URLs are sent in plain text to Microsoft's servers via HTTPS. That HTTPS means nothing when rogue SSL certificate is found on user's computer. MITM attack could easily decrypt what was sent to SmartScreen's servers.

One more thing. Do you know why security experts recommend setting a strong and different password for each user account? This is the reason why. Once hackers get their hands on user account database, they'll get e-mail addresses in plain text and passwords in hashed format. If password is really popular and not unique, they could just put the hash into decrypter like I did and get the result fast. If you made unique and strong password with different symbols, chances their decrypt tool will give them your password are non-existent, as to this day, SHA-256 hasn't been cracked.
 

qua3k

Yes, you can decrypt simple domain names without any issue. Example; www.google.com is 191347bfe55d0ca9a574db77bc8648275ce258461450e793528e0cc6d2dcf8f5 hashed by SHA-256. Now, if we change from that to www.Google.com (yes, just uppercase letter G) the entire SHA-256 hash changes and is now fb0d6fbb3fff0090731e98c9d3088f9b0dcbcbd45d42b32ba6ea5b07ffd4840a.
URLs are lowercased before hashing. What you’re saying doesn’t make sense in the first place as you’re saying the safe browsing list would have to have an entry for every single possibility of uppercase in all the domains, massively bloating the list.
That HTTPS means nothing when rogue SSL certificate is found on user's computer. MITM attack could easily decrypt what was sent to SmartScreen's servers.
If there is a rogue root certificate on your computer why not just decrypt the traffic of every site you visit?
In addition this attacker can read your DNS queries, or reverse the IP addresses of the sites you visit…
If you made unique and strong password with different symbols, chances their decrypt tool will give them your password are non-existent, as to this day, SHA-256 hasn't been cracked.
Domains are not passwords. They are virtually all known, unlike strong passwords.
 

Marko :)

URLs are converted to lowercase before hashing. This doesn’t make sense in the first place as you’re saying the safe browsing list would have to have an entry for every single possibility of uppercase in all the domains, massively bloating the list.
I used uppercase letter just as an example to show how any character change results in completely new hash. On the web, www.google.com, www.Google.com, www.gOOglE.com lead to same address. So, no Google doesn't need to have hashes for every variant of domain name. When you type an address in uppercase, all web browsers will automatically make the address lowercase because uppercase letters don't exist in domains.

And, URLs and domains are not the same thing. URLs contain domains along with specific path of the page on a web server. They often contain unique parameters which make hashed URLs undecryptable.

Example;
C32F0D568284387D515238E6BDF34C08AF10AACDEEEBA4777D7A8CD41850ECBA leads to https://malwaretips.com/.
C4E8A51D51CB479C4738C9BE05F2E1BBE43894DFF6F630EC356FC359249059FA also leads to https://malwaretips.com/ but to a post in some thread I stumbled upon on this site.

Even if Google gets the actual URL by somehow magically decrypting SHA-256 hash, I'd have nothing against that since the only thing they got is the URL of malicious website. They still have no idea what I visited before and next because that info isn't sent.
If there is a self installed root certificate on your computer why not just decrypt the traffic of every site you visit?
In addition an attacker can read your DNS queries, or reverse the IP addresses of the sites you visit…
Well, in that case, attacker seeing what's sent to SmartScreen servers is the least of your problems. 😁
Domains are not passwords. They are all known, unlike passwords.
Domains aren't, but URLs could be like passwords. If they contain unique parameters which they do, most of the times. 😉
 

qua3k

And, URLs and domains are not the same thing. URLs contain domains along with specific path of the page on a web server. They often contain unique parameters which make hashed URLs undecryptable.
Not sure you're understanding that it's not just hash(URL) being sent, which would allow for trivial defeats via simply randomizing paths/fragments/etc. The client sends many hashes to the Safe Browsing service, including the easily precomputed hash of the hostname. This whole thing is a fantasy threat model as you don't trust Google/Microsoft with your browsing history through Safe Browsing/SmartScreen but trust them with your entire browser.
 

Marko :)

Not sure you're understanding that it's not just hash(URL) being sent, which would allow for trivial defeats via simply randomizing paths/fragments/etc. The client sends many hashes to the Safe Browsing service, including the easily precomputed hash of the hostname. This whole thing is a fantasy threat model as you don't trust Google/Microsoft with your browsing history through Safe Browsing/SmartScreen but trust them with your entire browser.
From Google Chrome Privacy Whitepaper:
You can find settings for Safe Browsing in the “Privacy and security > Security” section of Chrome’s settings. When Safe Browsing is enabled in the “Standard protection” mode (pictured below), Chrome contacts Google's servers periodically to download the most recent Safe Browsing list of unsafe sites including sites associated with phishing, social engineering, malware, unwanted software, malicious ads, intrusive ads, and abusive websites or Chrome extensions. The most recent copy of this list is stored locally on your system. Chrome checks the URL of each site you visit or file you download against this local list. If you navigate to a URL that appears on the list, Chrome sends a partial URL fingerprint (the first 32 bits of a SHA-256 hash of the URL) to Google for verification that the URL is indeed dangerous. Chrome also sends a partial URL fingerprint when a site requests a potentially dangerous permission, so that Google can protect you if the site is malicious. Google cannot determine the actual URL from this information.
All in all, Safe Browsing IS better regarding privacy than SmartScreen. How it works is very well documented on safebrowsing.google.com unlike Microsoft's solution. I don't have any issues with the service if it follows at least basic privacy principles, which SmartScreen doesn't.
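
Added example, not part of any post in this thread and not Chrome's code: a simplified sketch of the host-suffix/path-prefix expressions that the Safe Browsing v4 documentation describes, each reduced to the 32-bit SHA-256 prefix mentioned in the whitepaper quote. It shows that the host-level expressions do not depend on the path or query string, and that a prefix can be compared against a precomputed list of known hostnames. The function names and the `example.test` URLs are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

def expressions(url):
    """Host-suffix/path-prefix expressions for one URL. Simplified: no
    percent-encoding canonicalization and no IP-address special case."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().strip(".")
    path = parts.path or "/"
    labels = host.split(".")
    # Exact host, then suffixes taken from the last five labels, stopping
    # at two labels so the bare top-level domain is never checked.
    hosts = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        hosts.append(".".join(labels[i:]))
    # Exact path with query, exact path, then "/" and up to three
    # directory prefixes, each with a trailing slash.
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix = "/"
    dirs = [prefix]
    for seg in [s for s in path.split("/")[:-1] if s][:3]:
        prefix += seg + "/"
        dirs.append(prefix)
    paths += [d for d in dirs if d not in paths]
    return [h + p for h in hosts for p in paths]

def prefix32(expression):
    """First 32 bits of the SHA-256 digest: the partial fingerprint."""
    return hashlib.sha256(expression.encode()).digest()[:4]

def candidate_prefixes(url):
    """Prefixes the client compares against its local list for this URL."""
    return {prefix32(e) for e in expressions(url)}

def match_known_hosts(prefixes, known_hosts):
    """Hosts from a precomputed list whose "host/" prefix is in the set.
    A 32-bit prefix is shared by many strings, so these are candidates."""
    table = {prefix32(h + "/"): h for h in known_hosts}
    return sorted(table[p] for p in prefixes if p in table)

if __name__ == "__main__":
    # Constructed URLs: same host, different unique path and token.
    a = "https://forum.example.test/threads/1234/?token=9f3c"
    b = "https://forum.example.test/members/alice?token=77aa"
    shared = candidate_prefixes(a) & candidate_prefixes(b)
    print(len(shared), match_known_hosts(shared, ["forum.example.test", "example.test"]))
```
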
 

qua3k

You’re misleading yourself with a false sense of privacy. I’m not sure why you don’t trust the Safe Browsing server when Google wrote the code you’re running. It’s not clear what your intention is besides insinuating that hash = good without a clear threat model.
 

Lenny_Fox

Interesting discussion. How long does Microsoft keep those URLs? Anyone know?

The SmartScreen service stores data about the reputation checks and builds a database of known malicious URLs and files. The data is stored on secure Microsoft servers and is used only for Microsoft security services. The data is never used to identify or target you in any way. Clearing your browsing cache clears all locally stored SmartScreen URL data. Clearing your download history removes any locally stored SmartScreen data about file downloads.

So answer is: until you exit Edge when you have chosen to delete browsing data when closing the browser

Interesting point raised about privacy: when I trust the OS (Windows on desktop, Android on phone) and the browser (Edge/Chrome), does it make big data wise any difference when I do or don't use their search engine (Bing/Google) or their phishing protection? Would be interesting to know MT-members opinion on this.
 

SpiderWeb

Interesting discussion. How long does Microsoft keep those URLs? Anyone know?

The SmartScreen service stores data about the reputation checks and builds a database of known malicious URLs and files. The data is stored on secure Microsoft servers and is used only for Microsoft security services. The data is never used to identify or target you in any way. Clearing your browsing cache clears all locally stored SmartScreen URL data. Clearing your download history removes any locally stored SmartScreen data about file downloads.

So answer is: until you exit Edge when you have chosen to delete browsing data when closing the browser

Interesting point raised about privacy: when I trust the OS (Windows on desktop, Android on phone) and the browser (Edge/Chrome), does it make big data wise any difference when I do or don't use their search engine (Bing/Google) or their phishing protection? Would be interesting to know MT-members opinion on this.
It doesn't which is why I stopped using DuckDuckGo. What's the point? All I was doing is depriving myself of Google features. Google will find a way to track me one way or another so I might as well use their services for convenience and speed.
 