Safe Browsing setting is potentially misleading

[fmarier]

The Safe Browsing setting in chrome://settings/privacy says that some unsafe pages might be sent to Brave:

I'm not 100% sure what part of Safe Browsing it's referring to, but I doubt it's sending Brave URLs. It's most likely sending these to nobody (because we turned it off) or it's sending these to Google under some limited circumstances.

cc @jumde

[bsclifton]

@fmarier these URLs are being sent to us and then proxied to Google. We have a Google Cloud platform account which has a token used to handle this service

[fmarier]

Yes, we do proxy Safe Browsing requests. In the case of browsing protection (e.g. the phishing warning pages), that includes both updates and requests for full hashes, but those are not actual URLs.

On the other hand, for download protection (i.e. how downloads are checked for maliciousness with Google Safe Browsing) we do currently send URLs to Google (to be disabled in #4341).

There are other parts of Safe Browsing which use URLs and which I need to investigate (and disable if they're active): client-side phishing detection), extended_reporting and password_protection.

While we proxy all of the requests, we're not looking at them, only Google is. So it seems misleading to state that some URLs might get sent to Brave, when they are really sent to Google via Brave.

[tomlowenthal]

@fmarier Do we have access to the plaintext of either the hash-prefix requests or the URL-based requests as they transit our proxy?

[fmarier]

Since we are using a brave.com endpoint for the requests, I believe we have access to the hash prefixes and the soon-to-be-disabled URLs in download protection requests.