
How Safe Browsing Works in Firefox - ashitlerferad
http://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
======
hugefaggot

        Cookies set by the Safe Browsing servers to
        protect the service from abuse are stored in
        a separate cookie jar so that they are not
        mixed with regular browsing/session cookies.
    

And how are these cookies cleared? Seems like as soon as some sort of ID
appears in one of these cookies, XKeyScore will track your every (physical)
move with it even if you take care to delete all your regular cookies and
don't browse the same sites on different networks. Why does this protocol even
allow for cookies to be set at all in the first place?

~~~
derf_
Since Firefox 41 [1] Safe Browsing traffic all uses https, so it should not be
vulnerable to passive collection techniques like XKeyScore.

[1] [https://bugzilla.mozilla.org/show_bug.cgi?id=1109475](https://bugzilla.mozilla.org/show_bug.cgi?id=1109475)

------
mrswag
By default, doesn't Firefox query an OCSP responder for every TLS connection
(unless the server offers OCSP stapling [1])? The privacy implications are
pretty similar to Safe Browsing.

[1] [https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/](https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/)

~~~
aawc
Not quite. In the case of OCSP, in the absence of OCSP stapling, all TLS
connections are verified with an external server(s).

In the case of SafeBrowsing however, as noted in the article, for those URLs
whose hash prefix doesn't match one of the hashes on one of the blacklists,
the browser doesn't contact any other server. Only when there's a partial
match does the browser ask for a full hash from the SafeBrowsing server.

Source: I'm a Chrome SafeBrowsing engineer.
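
The lookup flow described in the comment above, as an added sketch that is not part of the thread or of any browser's code: a local set of hash prefixes answers most lookups, and the server is contacted only on a partial match. `FullHashServer`, `Client`, `is_blocked` and the `*.example` expressions are hypothetical, the 4-byte prefix length is an assumption of the sketch, and URL canonicalization is skipped.

```python
import hashlib

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept locally (assumption of this sketch)

def full_hash(expr: str) -> bytes:
    """SHA-256 of an already-canonicalized host/path expression."""
    return hashlib.sha256(expr.encode("utf-8")).digest()

class FullHashServer:
    """Stand-in for the remote service; records every request it receives."""
    def __init__(self, bad_exprs):
        self._full = {full_hash(e) for e in bad_exprs}
        self.queries = []  # prefixes the server got to see

    def get_full_hashes(self, prefix: bytes):
        self.queries.append(prefix)
        return {h for h in self._full if h.startswith(prefix)}

class Client:
    def __init__(self, server, prefixes):
        self.server = server
        self.prefixes = set(prefixes)  # the downloaded list of hash prefixes

    def is_blocked(self, expr: str) -> bool:
        h = full_hash(expr)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.prefixes:
            return False  # no partial match: nothing leaves the machine
        # Partial match: this sketch sends only the prefix, then compares
        # the returned full hashes locally.
        return h in self.server.get_full_hashes(prefix)

def demo():
    bad = ["malware.example/", "phish.example/login"]  # constructed sample list
    server = FullHashServer(bad)
    prefixes = {full_hash(e)[:PREFIX_LEN] for e in bad}
    # Constructed stand-in for a prefix collision: a prefix is present
    # locally, but the server holds no full hash for this expression.
    prefixes.add(full_hash("benign.example/")[:PREFIX_LEN])
    client = Client(server, prefixes)
    visited = ["news.example/", "benign.example/", "malware.example/"]
    results = {e: client.is_blocked(e) for e in visited}
    return results, len(server.queries)

if __name__ == "__main__":
    print(demo())
```

Of the three lookups, only the two with a local prefix match generate a request, which is the privacy difference from per-connection OCSP queries raised in the parent comment.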

------
haddr
How does it compare to other browsers? Does Chrome, Opera or IE/Edge use
similar (or better) techniques?

~~~
aawc
Chrome SafeBrowsing engineer here.

Google has published the protocol that clients need to follow to fetch updates
from the SafeBrowsing servers here: [https://developers.google.com/safe-browsing/developers_guide_v3#ProtocolBasics](https://developers.google.com/safe-browsing/developers_guide_v3#ProtocolBasics)

Both Chrome and Firefox implement that protocol. I believe Edge uses
Microsoft's own service. Not sure about Opera.

------
mcherm
Why doesn't this use a bloom filter? It seems like an ideal application for
that data structure.

~~~
mccr8
A Quora answer to this question linked to this Google Chrome commit:
[https://bugs.chromium.org/p/chromium/issues/detail?id=71832](https://bugs.chromium.org/p/chromium/issues/detail?id=71832)

In short, it says that the prefix set uses less memory than a bloom filter.

~~~
ape4
It seems to be saying that they first used bloom then switched to save space.

------
lemonade
"Safe browsing" is one of the first things I turn off when installing a new
profile in a browser. I personally dislike any commercial service turned on by
default in my software that continually and without my consent pings back to
some place on the net - using my real IP address and leaking anything remotely
related to destination addresses. And cookies?

I think there should be better ways of protection than trusting such a service
anyway.

