Need a way more detailed explanation of how Safe Browsing works

Description of the issue:
The description of Safe Browsing is different between Desktop and Android and I need to know exactly when and what Brave sends back to Brave servers about my browsing.

I expect that it downloads on schedule the list of bad URLs/domains (is it domains or URLs?) but the Android version mentions that if a detection happens, it may even send back snippets of page content.

The Desktop version does not mention ANYTHING about sending data back. Is that true or does the same logic form the Android version apply to the Desktop version?

Will the browser even notify me and ask me before uploading snippets of page content? I find sending snippets of a page unacceptable for a privacy focused browser, if the user does not explicitly approve it. False positives happen after all, so data leaks may happen as a result if for example the user is reading emails at the time. And what does “Snippets” even mean? Whole paragraphs of a potential email? Just info about words showing up in the webpage? Or something else?

Please, provide a very detailed description of how Safe Browsing works in Brave. Both for the Desktop version and for the Android version if they differ.

Thank you.

Operating System and Brave Version(See the About Brave page in the main menu):
Version 1.42.97 on Desktop and on Android.

Good point, both notes are different for safe browsing for desktop and android

1.) It looks to me in start, they were sending non-proxied requests of ‘snippets’ to google.
2.) Then they stopped the old method and start proxying the requests and sending ‘snippets’ to google
3.) Then they stopped the new method of proxying snippets as they had some leakage in their proxying for short of time
4.) Now at present, they are sending proxied cryptographic hashes (which you call as snippets) to google.

5.) It looks to me that the android one is correct and the desktop one is the wrong one. (I may be wrong here)
6.) Only official brave team will be able to answer. Particularly their security engineer @fmarier :-
a.) How is this whole thing functioning in Aug 2022? Are snippets being sent? If so to whom, to google via brave proxy or to google unproxied?
b.) If so, then which text is wrong (desktop or android)

First of all, thanks @Tritonio for bringing that discrepancy to our attention.

It turns out that the answer is quite simple: we don’t yet have Safe Browsing enabled on Android and so the notice you saw:

is not relevant because it comes from Chromium (what Brave is based on) and we forgot to hide it.

The way that Safe Browsing works in Brave (Desktop and iOS) is described accurately in this section of our browser privacy policy. We don’t send page contents/snipets to Google.

If you’re interested in more details about how this works from a technical point of view, have a look at this long blog post. That’s about Firefox, but the implementation details are pretty much the same in Chrome, Firefox and Brave.

2 Likes