Safe Browsing in Brave
The Brave Browser makes use of Google Safe Browsing in order to protect users from malicious sites. It’s enabled by default on all platforms, but can be turned off at any time from the browser settings menu.
Safe Browsing offers protection in three areas:
- Websites: blocks phishing sites, as well as those hosting malware or unwanted software
- Downloads: blocks dangerous, uncommon, or potentially unwanted software (desktop-only)
- Browser extensions: prevents you from downloading malicious, vulnerable, or policy-violating extensions, and disables any that are already installed (desktop-only)
Google works to provide the most accurate and up-to-date information about unsafe web resources. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be identified in error.
A privacy-preserving system
Safe Browsing in Brave has the following privacy properties:
- URLs are never sent to the Google-operated server.
- The vast majority of website visits do not lead to server requests.
- On desktop, the browser does not connect to the server directly; instead, it routes through a Brave-operated proxy server so that Google servers never see your IP addresses.
At the core of Safe Browsing are lists of dangerous sites or files. Rather than submitting full URLs to a server, the protocol is structured so that the bulk of these checks are done locally using lists downloaded from the Safe Browsing server.
When a user visits a website with a URL of phishing.example/:
- The browser will turn the URL into bac52b0b455d4b0435379a9cb61d43cd54bcd0f17ff0a5477b2598373fd7b997 using the SHA-256 hash function.
- Then it will truncate this “hash” to bac52b0b and look it up against its local copy of the Safe Browsing lists.
- If this hash prefix is found in a list (and only in that case), the browser will ask the Safe Browsing server for the list of all full-size hashes that start with that prefix (only the prefix is sent, not the full hash).
- Finally, the browser will compare the hash of the website URL with the full hashes it just received and show a warning page in case of a match.
The lists are updated approximately every 30 minutes, starting randomly some time within the first 5 minutes after the browser is started. All users receive the same lists. The lists are considered valid for 45 minutes, and are automatically ignored if they haven’t been refreshed after that time. You can find these lists, along with status and the time of last update, at brave://safe-browsing/#tab-db-manager.
More technical details can be found on the Google Security blog post about hash-based safe browsing, and in the public developer documentation.
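The following Python script is an added illustration of the lookup flow described above; it is not Brave's or Chromium's code. The bad-URL list, the local prefix list and the stand-in server are all constructed inline so it runs offline, and the canonicalization is a simplified assumption (the real protocol hashes several host-suffix/path-prefix variants of a URL, this example hashes only one expression). It also models the two edge cases the text mentions: a prefix match that turns out not to be a full-hash match, and a local list that has gone stale after 45 minutes.

```python
"""Hash-prefix lookup in the style of Safe Browsing's Update API (added example)."""
import hashlib
import time
from dataclasses import dataclass

PREFIX_BYTES = 4          # "bac52b0b" in the text is the first 4 bytes of the SHA-256 digest
LIST_MAX_AGE_S = 45 * 60  # lists are ignored after 45 minutes without a refresh


def canonical_expression(url: str) -> str:
    """Reduce a URL to the host/path string that gets hashed.

    Assumption: simplified canonicalization (scheme dropped, host lowercased,
    path kept as-is with a leading slash). Real clients derive several
    host/path expressions per URL and check each of them.
    """
    for scheme in ("https://", "http://"):
        if url.lower().startswith(scheme):
            url = url[len(scheme):]
            break
    host, _, path = url.partition("/")
    return host.lower() + "/" + path


def full_hash(expr: str) -> bytes:
    """SHA-256 of the canonical expression, as raw bytes."""
    return hashlib.sha256(expr.encode()).digest()


@dataclass
class LocalList:
    """The client's downloaded copy of a list: 4-byte prefixes plus fetch time."""
    prefixes: set
    fetched_at: float

    def is_fresh(self, now: float) -> bool:
        return now - self.fetched_at <= LIST_MAX_AGE_S


class FullHashServer:
    """Stand-in for the Safe Browsing server (constructed, not a real endpoint)."""

    def __init__(self, bad_exprs):
        self.full_hashes = {full_hash(e) for e in bad_exprs}
        self.requests = []  # records exactly what the client sent: prefixes only

    def find_full_hashes(self, prefix: bytes):
        self.requests.append(prefix)
        return [h for h in self.full_hashes if h.startswith(prefix)]


def check_url(url: str, local: LocalList, server: FullHashServer, now: float) -> str:
    """Return 'unsafe', 'safe' or 'unchecked' (list stale, so it is ignored)."""
    if not local.is_fresh(now):
        return "unchecked"
    h = full_hash(canonical_expression(url))
    prefix = h[:PREFIX_BYTES]
    if prefix not in local.prefixes:
        return "safe"  # the common case: decided locally, no network request
    # Prefix hit: ask for every full hash behind this prefix, then compare locally.
    return "unsafe" if h in server.find_full_hashes(prefix) else "safe"


def build_demo(now: float):
    """Constructed sample data: two bad URLs and a local list fetched at `now`."""
    bad = ["phishing.example/", "malware.example/download"]
    server = FullHashServer(bad)
    prefixes = {full_hash(e)[:PREFIX_BYTES] for e in bad}
    # Simulate a prefix collision: the list carries the prefix of a URL whose
    # full hash the server does not know (constructed; not a real SHA-256 collision).
    prefixes.add(full_hash("collision.example/")[:PREFIX_BYTES])
    return LocalList(prefixes, fetched_at=now), server


if __name__ == "__main__":
    now = time.time()
    local, server = build_demo(now)
    for u in ("https://phishing.example/", "https://brave.com/", "https://collision.example/"):
        print(u, "->", check_url(u, local, server, now))
    print("prefixes sent to server:", [p.hex() for p in server.requests])
    print("stale list:", check_url("https://phishing.example/", local, server, now + 46 * 60))
```

Running it shows that the safe URL never reaches the server, that the colliding prefix causes one request carrying only eight hex characters and still ends as "safe" after the full-hash comparison, and that a list older than 45 minutes is ignored rather than trusted.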
Platform-specific protections
Here is how these protections are implemented on each platform.
Desktop
In all cases, Brave relies on the Safe Browsing implementation that is part of Chromium to provide these protections. It also uses the same underlying lists and services as Chrome.
Note: Safe Browsing warnings are currently disabled in private windows with Tor.
Websites
Browsing protection looks like this when it detects a phishing site:
That warning can be bypassed by clicking Details and then visit this unsafe site.
This feature can be tested using the “Webpage Warnings” section of the official Google test page.
Downloads
Download protection looks like this when it detects a dangerous file:
This warning can be bypassed from brave://downloads by clicking Keep dangerous file.
In addition to the URL-based checks described in the previous section, downloaded files undergo a second check after they’re fully downloaded by the browser, but before they’re made available to the user. This check involves sending metadata about the downloaded file (but not the file itself) to an application reputation service operated by Google. This service returns a verdict which determines which warning (if any) will be shown to the user.
While the Chrome and Firefox implementations of this feature send the filename, the URL of the downloaded file, and any URLs of the pages that led there, Brave has made a different security/privacy tradeoff and does not send any of this information to the server. The main piece of information the Brave Browser sends to the Google-operated server is the hash of the file, which only reveals information about files that Google already knows about. As with all other Safe Browsing network requests in the desktop version of Brave, these calls are sent through a Brave-operated proxy to hide your IP addresses.
Note that only certain types of files go through the second check and have their metadata sent to the application reputation server. This determination is platform-specific and based on the risk associated with each file type. The File Type Policies component tells the browser how to handle the different file types based on a list that is updated periodically by the Chrome team.
This feature can be tested using the “Desktop Download Warnings” section of the official Google test page.
Browser extensions
This is what a blocked extension looks like:
This protection cannot currently be bypassed.
In addition to the download protection checks described in the previous section, any browser extension you install undergoes an additional check. This final check compares the extension ID against a local list of extension ID prefixes. In case of a prefix match, the full extension IDs for that prefix are requested from a Google-operated reputation service. This service returns a verdict for each extension in the list, which determines which warning (if any) will be shown to the user and whether or not the extension will be allowed to run. This network request is also proxied through a Brave server.
The extension ID check takes place when the extension is loaded, which typically happens immediately after being downloaded, and then every time the browser is restarted. This means that an installed extension that is later flagged as malicious by Google can be disabled after the fact.
Unfortunately, there is no easy way to test this feature at the moment. See our wiki documentation for more details.
Android
On Android, Safe Browsing offers the same website protection as desktop, though with a smaller list of phishing sites. The smaller list means that not all phishing websites blocked on desktop will be blocked on Android.
This is what browsing protection looks like on Android when it detects a phishing site. Like on desktop, this warning can be bypassed by clicking Details and then visit this unsafe site.
Unlike the desktop browser (which downloads and maintains its own lists), the Android version of Brave makes use of a service provided by the operating system. Specifically, it uses the SafetyNet Google Play API and on-device lists that are shared between all of the applications performing Safe Browsing checks. Android devices without Google Play Services are currently unable to enable Safe Browsing in Brave.
Checking a URL against the local Safe Browsing lists follows the same steps as with the desktop browser, since the SafetyNet API also makes use of the Safe Browsing Update API. The only difference is that any requests from the operating system service to the Safe Browsing server (whether they originate from the Brave application or not) are done directly and do not go through a Brave proxy. This means that your IP address may be seen (and logged) by Google.
This feature can be tested using the “Webpage Warnings” or “IOS Warnings” sections of the official Google test page.
Download protection is not available on mobile platforms. Android devices instead rely on Google Play Protect.
iOS
This is what browsing protection looks like when it detects a phishing site. This warning can be bypassed by clicking Show Details and then visit this unsafe site.
As with Android, Safe Browsing protections on iOS are provided by an operating system service via a WKWebView setting. As such, any requests made to the Safe Browsing server are initiated by the operating system provider and cannot be proxied by Brave.
Apple devices use the Google and Tencent Safe Browsing services depending on their region. In recent versions of iOS, these requests will be proxied by Apple. This means that your IP address may be seen (and logged) by Apple, Google, or Tencent.
On devices which make use of the Google service, this feature can be tested using the “IOS Warnings” section of the official Google test page.
Comparison with other browsers
Website protection in Brave for desktop or Android is equivalent to the protections found in Firefox, Safari, and Chrome. Note that we do not expose the enhanced protection mode that Google offers to Chrome users only (on an opt-in basis).
Brave on iOS offers the same website protection as Safari or any WKWebView-based application (such as Firefox) that enables this option.
Download protection in Brave is more limited than Chrome's and Firefox's because we do not send any URLs to the server, so this information cannot be used to determine the risk associated with a given file. In practice this means that Chrome and Firefox will block more malicious files than Brave.
Brave’s extension protection is the same as Chrome’s.
Opting out of Safe Browsing
If you prefer not to use Safe Browsing, simply visit brave://settings/security in your desktop browser and change your setting to No protection (not recommended).
On Android, open the browser settings menu and tap Brave Shields & Privacy, then set the Safe Browsing option to No protection (not recommended).
On iOS, open the browser settings menu and tap Brave Shields & Privacy, then disable Block Dangerous Sites.