Change the way Adguard checks domain with browsing security web service. #162

ameshkov opened this issue Nov 6, 2015 · 1 comment



@ameshkov ameshkov commented Nov 6, 2015

We now send the domain and ip to the backend server to check it against our phishing/malware database. This is wrong and may look suspicious to users that the domain name is sent in plain text.

Instead we should use a one-way hash to do the check (like SHA256). Thus the user will be sure that we don't see the real domain names and thus we can't use that data in any way.

Checking against browsing security web service

  1. Extract most significant parts of that host (in fact just extract subdomains and concatenate for '/') AND ip address.
  2. Calculate SHA256 hashes for both domains:
       -> 6372934A1C222E79F9C6B60833C24C0CBF63FFF53BF2C8CDC874C4F3BEFE2B3A
       -> C9529394138C895A50E70E537673B48A7BA0ED6D7BDC2CFC0BB205AA3B7BEDBE
       -> 719AEECD10F94270B6D21C837150D8DCA8BD7D55C8065AD40094052165DECC38
  3. Get prefixes (substring length=8):
       -> 6372934A
       -> C9529394
       -> 719AEECD
  4. Send these prefixes to the backend server (separate with "/"):
     GET /safebrowsing-lookup-hash.html?prefixes=6372934A/C9529394/719AEECD
  5. Response will contain list of all hashes found, list name and a chunk id



If nothing is found, the server will return an empty response, 204 No Content.

Check if any of returned full hashes match any of your hashes.

Real life example

  1. Check
  2. Extract hashes and prefixes
  3. Request:
  4. Response matches one of significant host parts:
@ameshkov ameshkov self-assigned this Nov 6, 2015
@ameshkov ameshkov added this to the 2.5 milestone Nov 6, 2015
@ameshkov ameshkov changed the title Browsing Security service requests Change the way Adguard checks domain with browsing security web service. Nov 6, 2015
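
The client side of the lookup proposed in the issue above, as an added example that is not part of the original issue or the project's code. The host-splitting rule, the response line format (`FULLHASH:list_name:chunk_id`) and all function names are assumptions, and the host and IP are constructed sample values.

```python
import hashlib

LOOKUP_PATH = "/safebrowsing-lookup-hash.html"  # path taken from the issue text
PREFIX_LEN = 8  # hex characters, i.e. the first 32 bits of the SHA256 digest


def host_candidates(host, ip=None):
    """Host plus each parent domain down to two labels, plus the IP if given.
    Assumption: the issue does not spell out the exact extraction rule."""
    labels = host.lower().rstrip(".").split(".")
    parts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    return parts + ([ip] if ip else [])


def full_hashes(candidates):
    """Map upper-case SHA256 hex digest -> the candidate it was computed from."""
    return {hashlib.sha256(c.encode("utf-8")).hexdigest().upper(): c
            for c in candidates}


def lookup_request(hashes):
    """Request line carrying only the 8-character prefixes, joined with '/'."""
    prefixes = sorted({h[:PREFIX_LEN] for h in hashes})
    return "GET {}?prefixes={}".format(LOOKUP_PATH, "/".join(prefixes))


def matched_candidates(status, body, hashes):
    """Compare returned full hashes with the local ones; 204 means no hits.
    Assumed (hypothetical) body format: 'FULLHASH:list_name:chunk_id' per line."""
    if status == 204 or not body.strip():
        return []
    hits = []
    for line in body.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        full, list_name, chunk_id = fields
        if full.upper() in hashes:  # a shared prefix alone is not a match
            hits.append((hashes[full.upper()], list_name, chunk_id))
    return hits


if __name__ == "__main__":
    # Constructed sample host and documentation-range IP.
    local = full_hashes(host_candidates("www.phish.example.org", "203.0.113.7"))
    print(lookup_request(local))
```

Only the 32-bit prefixes leave the client; the full-hash comparison happens locally, so a returned hash that merely shares a prefix with a local one never flags the host.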
Member Author

@ameshkov ameshkov commented Nov 6, 2015

Implemented in Android
