On Fri, Aug 30, 2019 at 11:56 AM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>
> For readers unfamiliar, let me briefly explain what Safe Browsing gives
> browsers:
>
> For every URL you're considering displaying you calculate a whole bunch
> of cryptographic hashes, of the whole URL, just the FQDN and certain
> other combinations. Then you truncate the hashes and you see if the
> truncated hashes are in a small list Google gave you (a browser will
> update this list periodically using a synchronisation API Google
> designed for the purpose).
>
> If one of your truncated hashes /is/ in the list, maybe this is
> Phishing! You call Google, telling them the truncated hash you are
> worried about, and Google gives you a complete list of full (not
> truncated) hashes you should worry about with this prefix. It might be
> empty (the phishing attack is gone) or have multiple entries.
>
> Only if the full hash you were worried about is in that fresh list from
> Google do you tell the user "Ohoh. Phishing, probably go somewhere
> else" in all other cases everything is fine.
>

What's described here is how the browser determines with the service
whether the page you visit is on the list of what Google considers to be a
likely unsafe page.

What's not discussed in that mechanism is how Google decides what pages are
unsafe, and when.

Say, for example, you're actively monitoring a property that historically
has had EV presentation.  For high value sites, especially in finance,
perhaps the database notes that EV is "normal" for the site.  If subsequent
checks against that site lack EV, perhaps it flags a human review to
determine if the site has been hijacked.  Perhaps it combines the change of
EV status with a change in other underlying elements (new / different a-DNS
set, A records resolving to suspicious IP space, etc.)  But I'm not sure we
can really know, unless they're willing to say.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
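The two-stage lookup Nick describes in the quoted part (hash several combinations of the URL, compare truncated hashes against a local list, and only then ask the server for the full hashes behind a matching prefix) is easy to misread as "the browser sends Google the URL". The toy model below is an added illustration written for this thread; it is not code from either poster, from Mozilla or from Google. The hash function (SHA-256), the 4-byte prefix length, the exact set of host/path combinations and the "server" contents are all constructed assumptions, chosen to show the shape of the exchange, including the case where a prefix is still in the client's list but the server has no full hash for it any more (the "phishing attack is gone" case).

```python
"""Toy model of the two-stage Safe Browsing style lookup from the thread.

Everything here is a constructed stand-in: SHA-256, a 4-byte prefix and the
host/path expansion rules are assumptions, and the block lists are invented.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the hash that leave the browser (assumed value)


def url_expressions(url: str) -> list[str]:
    """The URL combinations that get hashed: every host suffix (down to two
    labels) crossed with every path prefix, plus the full path with its query.
    This is a simplification of the real expansion rules, not a copy of them."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    segs = [s for s in parts.path.split("/") if s]
    paths = ["/" + "/".join(segs[:i]) for i in range(len(segs) + 1)]
    exprs = [h + p for h in hosts for p in paths]
    if parts.query:
        exprs.append(hosts[0] + paths[-1] + "?" + parts.query)
    return exprs


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


def candidate_hashes(url: str) -> dict[bytes, str]:
    """Full hash -> expression, for every expression derived from the URL."""
    return {full_hash(e): e for e in url_expressions(url)}


def local_prefix_hits(url: str, local_prefixes: set[bytes]) -> list[bytes]:
    """Stage 1: purely local. Which truncated hashes are in the synced list?"""
    return sorted({h[:PREFIX_LEN] for h in candidate_hashes(url)} & set(local_prefixes))


def lookup(url: str, local_prefixes: set[bytes], fetch_full_hashes):
    """Stage 2: for each prefix hit, ask the server for the full hashes behind
    that prefix and compare them locally. Returns (verdict, server_queries,
    matched_expression). No prefix hit means no network traffic at all."""
    mine = candidate_hashes(url)
    queries = 0
    for prefix in local_prefix_hits(url, local_prefixes):
        queries += 1
        for h in fetch_full_hashes(prefix):  # only the 4-byte prefix was sent
            if h in mine:
                return "unsafe", queries, mine[h]
    # Either no prefix matched, the prefix was a collision, or the entry is
    # stale (server returned nothing): in all of these the user sees nothing.
    return "safe", queries, None


def make_server(listed: list[str], stale: list[str]):
    """Constructed stand-in for the server side. `listed` expressions are still
    flagged; `stale` ones were flagged at sync time (so their prefix is still
    in the client's list) but have since been removed server-side."""
    by_prefix: dict[bytes, list[bytes]] = {}
    for e in listed:
        h = full_hash(e)
        by_prefix.setdefault(h[:PREFIX_LEN], []).append(h)
    local_prefixes = set(by_prefix) | {full_hash(e)[:PREFIX_LEN] for e in stale}

    def fetch(prefix: bytes) -> list[bytes]:
        return list(by_prefix.get(prefix, []))

    return local_prefixes, fetch


if __name__ == "__main__":
    # Constructed block list; .test is a reserved TLD, nothing here is real.
    prefixes, fetch = make_server(
        listed=["login.example.test/secure/verify", "evil.example.test/"],
        stale=["gone.example.test/"],
    )
    for u in ("http://login.example.test/secure/verify?session=1",
              "https://www.evil.example.test/anything",
              "https://example.test/",
              "http://gone.example.test/"):
        print(u, "->", lookup(u, prefixes, fetch))
```

The point worth taking from running it: a page that is not on the list never causes a network request, and even a page whose prefix matches only sends a few bytes of hash, with the final decision made by the browser comparing full hashes it already computed. The stale case ends as "safe" with one query, which is the "it might be empty" outcome in the quoted description.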