One of the most persistent misunderstandings about Safe Browsing is the idea that the browser needs to send all visited URLs to Google in order to verify whether or not they are safe.
While this was an option in version 1 of the Safe Browsing protocol (as disclosed in their privacy policy at the time), support for this "enhanced mode" was removed in Firefox 3 and the version 1 server was decommissioned in late 2011 in favor of version 2 of the Safe Browsing API which doesn't offer this type of real-time lookup.
Google explicitly states that the information collected as part of operating the Safe Browsing service "is only used to flag malicious activity and is never used anywhere else at Google" and that "Safe Browsing requests won't be associated with your Google Account". In addition, Firefox adds a few privacy protections:
Query string parameters are stripped from URLs we check as part of the download protection feature.
Cookies set by the Safe Browsing servers to protect the service from abuse are stored in a separate cookie jar so that they are not mixed with regular browsing/session cookies.
When requesting complete hashes for a 32-bit prefix, Firefox throws in a number of extra "noise" entries to obfuscate the original URL further.
On balance, we believe that most users will want to keep Safe Browsing enabled, but we also make it easy for users with particular needs to turn it off.
So basically, it does send your URLs to Google. Maybe not all of them, but an unspecified amount of them. Also, Google pinky promises that the data they collect from this isn't used for tracking purposes.
Thanks for the link, that explains it much better than the snippet in the post I replied to.
It seems like it actually is way more private than I thought. FF downloads the database of flagged sites from Google and stores it locally (only partial hashes of URLs though). Only when a match is detected in the local database, FF sends the full hash of the URL to Google to double check, since the local database only has partial hashes to save space (so false positives are likely). It also apparently sends extra noise as part of the payload, so that the request isn't obviously tied to a single URL (in case Google is able to reverse the hash to track your browsing habits, or something like that)
That sounds pretty private to me. A side-by-side comparison of this implementation to the one in Chromium would be interesting. I wonder if browsers like Vivaldi go the extra mile like FF does?
(not: that post is over 5 years old, so it's possible that the implementation may have changed since then)
> Only when a match is detected in the local database, FF sends the full hash of the URL to Google to double check
Even that's not quite what it says, as I understand things. When a partial-hash match is detected, FF asks Google for the list of full hashes that start with this partial hash, and then checks (still locally) against those. So as far as I can see, Google still wouldn't know which of those full hashes corresponds to the URL you're requesting.
(I have not examined the implementation personally, I'm just basing this off the post mentioned. But FF is open source, so if someone would like to check whether this is accurate, that'd be great.)
Firefox fetches URLs hashes from Google and then checks the URLs you visit against that list. Only if there is a match Firefox will send the hash(not the URL) to Google to verify that there isn't a hash conflict.
I always find it funny when they accuse people who point out glaring flaws and obvious truths of whataboutism. People should freely point out incongruences and hypocrisy. There is no better way to fix things, or at least to be buyer aware.
... while sending all URLs you visit to google for "safe browsing".