Tencent makes a list of "suspicious" URLs (malware, piracy, terrorism, pro-democracy, etc.)
It hashes all the URLs and makes the list available for download. It retains a map of all of the hashes and the URLs for each hash.
Safari downloads the hash list.
Whenever you try to visit a URL whose hash is on the list, Safari phones home to Tencent and tells them the hash (revealing your IP address in the process.)
Tencent looks up the suspicious URL list (URLs matching that hash) in its hash->URL map and returns the suspicious URL list to Safari.
Tencent logs your IP address, the hash/list of suspicious URLs, and the timestamp
If the URL is actually on the suspicious URL list, Safari blocks the site saying that it is suspicious.
Tencent forwards the information (your IP address, list of suspicious URLs that you might have been trying to visit, and the date/time of each attempt) to the appropriate Chinese authorities for further investigation.
Profit!
That doesn't make any sense. Why are 5-7 necessary after 4? If the hash is on the list -> block. No need to send anything to Tencent.
Tencent makes a list of "suspicious" URLs (malware, piracy, terrorism, pro-democracy, etc.)
It hashes all the URLs and makes the list available for download. It retains a map of all of the hashes and the URLs for each hash.
Safari downloads the hash list.
Whenever you try to visit a URL whose hash is on the list, Safari phones home to Tencent and tells them the hash (revealing your IP address in the process.)
Tencent looks up the suspicious URL list (URLs matching that hash) in its hash->URL map and returns the suspicious URL list to Safari.
Tencent logs your IP address, the hash/list of suspicious URLs, and the timestamp
If the URL is actually on the suspicious URL list, Safari blocks the site saying that it is suspicious.
Tencent forwards the information (your IP address, list of suspicious URLs that you might have been trying to visit, and the date/time of each attempt) to the appropriate Chinese authorities for further investigation.
Profit!
That doesn't make any sense. Why are 5-7 necessary after 4? If the hash is on the list -> block. No need to send anything to Tencent.
I think this is what he imagined happened. Not what really happened.
Tencent makes a list of "suspicious" URLs (malware, piracy, terrorism, pro-democracy, etc.)
It hashes all the URLs and makes the list available for download. It retains a map of all of the hashes and the URLs for each hash.
Safari downloads the hash list.
Whenever you try to visit a URL whose hash is on the list, Safari phones home to Tencent and tells them the hash (revealing your IP address in the process.)
Tencent looks up the suspicious URL list (URLs matching that hash) in its hash->URL map and returns the suspicious URL list to Safari.
Tencent logs your IP address, the hash/list of suspicious URLs, and the timestamp
If the URL is actually on the suspicious URL list, Safari blocks the site saying that it is suspicious.
Tencent forwards the information (your IP address, list of suspicious URLs that you might have been trying to visit, and the date/time of each attempt) to the appropriate Chinese authorities for further investigation.
Profit!
That doesn't make any sense. Why are 5-7 necessary after 4? If the hash is on the list -> block. No need to send anything to Tencent.
I think this is what he imagined happened. Not what really happened.
That doesn't make any sense. Why are 5-7 necessary after 4? If the hash is on the list -> block. No need to send anything to Tencent.
They are necessary to avoid false positives. If disney.com and malware.org hash to the same number, then you need to verify the actual URL to avoid blocking disney.com by mistake. The way you do that is by requesting the whole list for that number. How do you request the list? By asking Tencent (or Google) "Hey, what is the list of suspicious URLs for this hash number?" Then Safari can verify that you were trying to visit disney.com and not malware.org.
Usually false positives are rare, so requesting that list of the full URLs has the unfortunate side effect of telling Tencent or Google that you very likely tried to visit a suspicious URL, and it also gives them a good idea of what that URL is (perhaps the list is only a couple of URLs long, for example.)
Remember that hashes basically compress a large string to a smaller number. This means that there can be collisions (in this case, matches that are false positives.)
Tencent makes a list of "suspicious" URLs (malware, piracy, terrorism, pro-democracy, etc.)
It hashes all the URLs and makes the list available for download. It retains a map of all of the hashes and the URLs for each hash.
Safari downloads the hash list.
Whenever you try to visit a URL whose hash is on the list, Safari phones home to Tencent and tells them the hash (revealing your IP address in the process.)
Tencent looks up the suspicious URL list (URLs matching that hash) in its hash->URL map and returns the suspicious URL list to Safari.
Tencent logs your IP address, the hash/list of suspicious URLs, and the timestamp
If the URL is actually on the suspicious URL list, Safari blocks the site saying that it is suspicious.
Tencent forwards the information (your IP address, list of suspicious URLs that you might have been trying to visit, and the date/time of each attempt) to the appropriate Chinese authorities for further investigation.
Profit!
That doesn't make any sense. Why are 5-7 necessary after 4? If the hash is on the list -> block. No need to send anything to Tencent.
I think this is what he imagined happened. Not what really happened.
Update: cryptographer and CS prof. Matthew Green clarifies that the hash that Safari sends is 32 bits (about 4 billion buckets) and that the URL list is returned in 256-bit hashed form (note that there is nothing preventing Tencent or Google from retaining the mapping from 32-bit hash prefixes to plaintext URLs, which is what they would to do if they wished to track you.) He also goes into more depth on how more information leaks to Tencent/Google over time, allowing them to build a more and more detailed profile: https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-browsing-might-not-be-that-safe/
Your system is infected with 3 viruses!Monday, October 14, 2019 8:39 PM
Your Mac is infected with 3 viruses. Our security check found traces of 2 malware and 1 phishing/spyware. System damage: 28.1% - Immediate removal required!
The immediate removal of the viruses is required to prevent further system damage, loss of Apps, Photos or other files. Traces of 1 phishing/spyware were found on your Mac with OSX.
Personal and banking information are at risk.
To avoid more damage click on 'Scan Now' immediately. Our deep scan will provide help immediately! 0 minute and 56 seconds remaining before damage is permanent.
iOS and iPadOS are not mentioning at the Fraudulent Website Warning setting but macOS Catalina explicits that the data go to Google. Why hiding it? Obviously Apple do not want users know. That makes Apple products no longer safe.
Turn it off, you may lose some protection from some malicious websites, but it is a necessary step in avoiding being traced by a thuggish régime.
What a laughably bullshit post. Also, encouraging people to turn off this feature is utterly irresponsible and moronic.
Tencent makes a list of "suspicious" URLs (malware, piracy, terrorism, pro-democracy, etc.)
It hashes all the URLs and makes the list available for download. It retains a map of all of the hashes and the URLs for each hash.
Safari downloads the hash list.
Whenever you try to visit a URL whose hash is on the list, Safari phones home to Tencent and tells them the hash (revealing your IP address in the process.)
Tencent looks up the suspicious URL list (URLs matching that hash) in its hash->URL map and returns the suspicious URL list to Safari.
Tencent logs your IP address, the hash/list of suspicious URLs, and the timestamp
If the URL is actually on the suspicious URL list, Safari blocks the site saying that it is suspicious.
Tencent forwards the information (your IP address, list of suspicious URLs that you might have been trying to visit, and the date/time of each attempt) to the appropriate Chinese authorities for further investigation.
Profit!
That doesn't make any sense. Why are 5-7 necessary after 4? If the hash is on the list -> block. No need to send anything to Tencent.
I think this is what he imagined happened. Not what really happened.
Update: cryptographer and CS prof. Matthew Green clarifies that the hash that Safari sends is 32 bits (about 4 billion buckets) and that the URL list is returned in 256-bit hashed form (note that there is nothing preventing Tencent or Google from retaining the mapping from 32-bit hash prefixes to plaintext URLs, which is what they would to do if they wished to track you.) He also goes into more depth on how more information leaks to Tencent/Google over time, allowing them to build a more and more detailed profile: https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-browsing-might-not-be-that-safe/
So if I’m following this correctly (thanks for clarifications above) then what Tencent/Google would recieve would be a hash and an IP address. And they map the hash to their table of suspicious websites to get the website and pass back to the device so that it can checked on-device. The worry is that Tencent/Google now know a website that the IP address has gone to?
But, the data only gets sent to Tencent/Google when the website hash hits a flagged value in the suspicious hash table. If it’s suspicious then the user probably didn’t mean to go to it anyway. And the website that the hash maps too isn’t necessarily the website that the IP address visited anyway.
Comments
Usually false positives are rare, so requesting that list of the full URLs has the unfortunate side effect of telling Tencent or Google that you very likely tried to visit a suspicious URL, and it also gives them a good idea of what that URL is (perhaps the list is only a couple of URLs long, for example.)
Remember that hashes basically compress a large string to a smaller number. This means that there can be collisions (in this case, matches that are false positives.)
https://www.imore.com/heres-apples-statement-safari-fraudulent-website-warning-and-tencent
Update: cryptographer and CS prof. Matthew Green clarifies that the hash that Safari sends is 32 bits (about 4 billion buckets) and that the URL list is returned in 256-bit hashed form (note that there is nothing preventing Tencent or Google from retaining the mapping from 32-bit hash prefixes to plaintext URLs, which is what they would to do if they wished to track you.) He also goes into more depth on how more information leaks to Tencent/Google over time, allowing them to build a more and more detailed profile:
https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-browsing-might-not-be-that-safe/
meanwhile Google is pulling the same shit everywhere else.
Your system is infected with 3 viruses!Monday, October 14, 2019 8:39 PM
Your Mac is infected with 3 viruses. Our security check found traces of 2 malware and 1 phishing/spyware. System damage: 28.1% - Immediate removal required!
The immediate removal of the viruses is required to prevent further system damage, loss of Apps, Photos or other files.
Traces of 1 phishing/spyware were found on your Mac with OSX.
Personal and banking information are at risk.
To avoid more damage click on 'Scan Now' immediately. Our deep scan will provide help immediately!
0 minute and 56 seconds remaining before damage is permanent.
It is from http://your-mac-security-analysis.net.quphgjoi.aphkcagdoibzaesq6u9admasn5ymrk4xztcf.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac Speedup Pro&hul=cmnp.grnyrmkzv.xyz&cep=lKjGOVygkCZKIR7zAzs-9hTt93gWlAGnQNdZEO9lX_WiZM8llx0SHH3nwoAIrD7ZLX3c0_eLMSpmBqikquGztNOqp9DqKIifzqs5BKUW8MSvwhiLC6OI2tMuzcyo_ctjd1-3hKpDyRKSGu8h8vALVj4S7QYTkICP7dTKkkFndnFR8MK9skPMuSN3bjgDo83OuGr0woRfRBS-krOFwccarm57EU7xBAuKX_Z0fenZsPFTI6BnZ6UMefnaRi1M4iXBSFgCyOk3Rn2hUF_WVzwfMzXhmROWO9_dvQRiIs4gJY2lOY2ZoaCBtPJ7jxZ_7atiGBE93j_gclN17O6-WBojqmHU14S0fxJWxqd5uqhHG42ima18q3qXs6nRzKTHINjFl4LNUU8qWO4Os9Q7gPbT2sAmeapbflCqMldfM5x3n8DLn6_gExHzjNfnE0dN9xe7quX_CA2VED6Yzutd8P8fnogAbB6OrhsuO-k-h58KhejN27787ZTW5xjrOihCzIRjfVGK2Lx27wvQeQWnz8U488ou34QHJ3XK10P9wVo36fo&_=BAYAXaU_jAFdpT-MgAGBAcAAIOk-gmbAVKu1R7gqa0zO4qT4_-6PAL63YOjhlBRrm-SXwQAgo9YuF6faqd-prykzuHp8ZYuX-eon8rYo5caf3WMCzXI#b
What a laughably bullshit post.
Also, encouraging people to turn off this feature is utterly irresponsible and moronic.
But, the data only gets sent to Tencent/Google when the website hash hits a flagged value in the suspicious hash table. If it’s suspicious then the user probably didn’t mean to go to it anyway. And the website that the hash maps too isn’t necessarily the website that the IP address visited anyway.
Seems like a lot of hoo-hah over nothing.