A few things worth knowing about Safari's "Fraudulent Website Warning" feature
This article was last updated 228 days ago. The information in it may have developed or changed. If it is invalid, please leave a message in the comment section.

Preface

Honestly, it feels a bit late to be writing about this now. The earliest article I saw online discussing it dates from 2017. So why am I talking about it now? Because I only just found out about it. After all, Safari is mostly a decoration for me; my main browser has always been Chrome.

I stumbled across this on Zhihu recently. Since I occasionally use Safari for testing, it is not entirely unrelated to me, so I spent some time studying it to see whether the situation has changed after all this time, and wrote this article.

What is the "Fraudulent Website Warning"?

First, let's look at how iOS (the mainland China model) describes the "Fraudulent Website Warning" setting:

[Screenshots: the description of the "Fraudulent Website Warning" setting in iOS Settings]

Now the description of the same setting in Safari on macOS:

[Screenshots: the description of the "Fraudulent Website Warning" setting in Safari on macOS]

Simply put, to protect users, when a user browses with Safari, Apple checks the site against a database supplied by an external Safe Browsing provider to decide whether it is safe. If the check says the site is unsafe, Safari blocks the page from loading and shows a "Fraudulent Website Warning" (that is the name of the setting in Safari's English UI; "Deceptive Website Warning" refers to the same thing):

[Screenshot: the warning page Safari shows for a blocked site]

Of course, the user can click "Visit this unsafe website" to continue anyway (although I have also seen cases where clicking it does nothing and the "Fraudulent Website Warning" feature has to be turned off first). I suspect most people will choose not to continue, out of trust in Apple.

What's the problem?

In the past the external provider was only "Google Safe Browsing". Starting around September or October 2019, users whose region is set to "Mainland China" (now "Mainland China" or "Hong Kong") were split off and are handled by "Tencent Safe Browsing" instead.

Everyone knows Tencent's habits: URLs sent in WeChat often cannot be opened in its built-in browser because they "have been reported as abnormal", and perfectly normal URLs sent in QQ can be marked in red even though they open fine in a desktop browser. On top of that there is this sentence in Apple's disclosure: Google (or, for users whose region is set to "Mainland China" or "Hong Kong", Tencent) may also log your IP address when it receives this information. That scared a lot of people: some had been visiting a URL in Safari with no problem and knew it was fine, then found it blocked by the "Fraudulent Website Warning", so they switched the feature off.

How "Fraudulent Website Warning" works

Question: how do Safari and the external provider verify whether a URL the user visits is safe? Does Safari send the full URL and the user's IP address straight to the provider?

From what I found, that was indeed the case in the early days, when "Google Safe Browsing" was the only provider. Google offered an API and the browser sent the user's URL to it for lookup, so during that period Google really did receive the full URL the user visited along with the user's IP address. That API still exists today and is called the Lookup API:

[Screenshot: Google's Safe Browsing Lookup API documentation]

To address this, Google designed a more private approach to Safe Browsing, called the Update API. It works like this:

1. Google computes the SHA-256 hash of each unsafe URL pattern in its database and truncates each hash to a 32-bit (4-byte) prefix to save space.
2. Google ships the database of truncated prefixes to your browser, which keeps a local copy and refreshes it periodically.
3. For every URL you visit, the browser hashes it locally (in practice several host-suffix and path-prefix variants of it) and checks whether any resulting 32-bit prefix is in the local database. A miss needs no network request at all.
4. If a prefix is found in the local copy, the browser sends only that prefix to Google's server, which returns every full 256-bit hash that begins with it so the browser can check for an exact match locally.
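The four steps above, carried through as a small offline simulation in Python. This is an added example written for this page, not Apple's, Google's or Tencent's code: a "provider" holds full SHA-256 hashes of two constructed blocklist patterns and ships 4-byte prefixes; a "client" hashes the visited URL's host-suffix and path-prefix variants (a simplified version of the public Update API canonicalization rules), checks them against the local prefix list, and only on a hit asks the provider for the full hashes under that prefix. The blocklist patterns, the visited URLs and the client IP are all made up; the `observed` log records exactly what the provider learns, which is the point of the privacy argument that follows.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes: the 32-bit prefix described above (the real API allows 4..32)

# Constructed blocklist for this example, not real threat data. A Safe
# Browsing entry is a host + path-prefix pattern, so the server hashes the
# pattern and the client hashes every matching variant of the URL it visits.
UNSAFE_PATTERNS = [
    "malware.example.test/download/",
    "phish.example.test/login",
]


def full_hash(expr: str) -> bytes:
    """Step 1: SHA-256 of one canonical host/path expression."""
    return hashlib.sha256(expr.encode("utf-8")).digest()


def url_expressions(url: str) -> list:
    """The host-suffix x path-prefix expressions checked for one visited URL.
    Simplified from the public Update API rules: the exact host plus up to
    four parent domains (never the bare TLD), and the exact path with and
    without its query plus up to four leading path prefixes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:])
                      for i in range(max(1, len(labels) - 5), len(labels) - 1)]
    path = parts.path or "/"
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefixes, acc = ["/"], ""
    for seg in [s for s in path.split("/") if s][:-1]:
        acc += "/" + seg
        prefixes.append(acc + "/")
    paths += [p for p in prefixes[:4] if p not in paths]
    return [h + p for h in hosts for p in paths]


class Provider:
    """Server side. Holds the full hashes and logs what it learns about clients."""

    def __init__(self, patterns):
        self.full_hashes = {full_hash(p) for p in patterns}
        self.observed = []   # (client_ip, prefix_hex): all the server ever sees

    def prefix_list(self) -> set:
        """Step 2: the truncated database shipped to every client."""
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def find_full_hashes(self, prefix: bytes, client_ip: str) -> set:
        """Step 4, server side: every full hash that begins with this prefix."""
        self.observed.append((client_ip, prefix.hex()))
        return {h for h in self.full_hashes if h.startswith(prefix)}


class Client:
    """Browser side. Contacts the provider only on a local prefix hit."""

    def __init__(self, provider: Provider, ip: str):
        self.provider, self.ip = provider, ip
        self.local_prefixes = provider.prefix_list()
        self.full_hash_cache = {}

    def is_unsafe(self, url: str) -> bool:
        for expr in url_expressions(url):
            h = full_hash(expr)
            p = h[:PREFIX_LEN]
            if p not in self.local_prefixes:
                continue                        # step 3: local miss, nothing leaves the device
            if p not in self.full_hash_cache:   # step 4: send only the 4-byte prefix
                self.full_hash_cache[p] = self.provider.find_full_hashes(p, self.ip)
            if h in self.full_hash_cache[p]:    # exact 256-bit match decided locally
                return True
        return False


if __name__ == "__main__":
    provider = Provider(UNSAFE_PATTERNS)
    browser = Client(provider, "203.0.113.5")   # constructed client address
    for url in ["http://malware.example.test/download/payload.exe",
                "http://www.example.test/about",
                "https://phish.example.test/login?next=/account"]:
        print(f"{url}: {'BLOCKED' if browser.is_unsafe(url) else 'ok'}")
    print("provider observed:", provider.observed)
```

Run it and the first and third URLs are blocked, the second is allowed without any request, and the provider's log holds only an IP and an 8-hex-character prefix per hit; the full URL never leaves the client. Note also that the first URL matches although the blocklisted pattern is only a path prefix of it, which is why the client must hash several variants rather than the URL as typed.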

[Diagram: the Update API exchange between the browser and the Safe Browsing server]

With each of these full-hash requests, Google's servers still see the user's IP address, plus other identifying information such as the state of the client's local database.

Needless to say, the Lookup API is a privacy disaster, while the Update API is much better: in principle Google learns only a 32-bit prefix, and only for the small fraction of requests that hit the local list. A truncated 32-bit prefix does not by itself reveal which URL you visited, because such a short identifier has many collisions, which gives a form of anonymity.

The downside is that this is only partial privacy. A typical user does not visit one URL but thousands over time, so a provider that wanted to de-anonymize a user would simply need to collect more of these requests. If the user visits many related sites, details of their browsing history leak to the provider bit by bit, and a provider that wanted to could link those requests together and infer which sites were visited.

Only Google is mentioned above, but Tencent presumably uses the same approach. So whether you trust the "Fraudulent Website Warning" Safari shows for a URL comes down to whether you trust the Safe Browsing provider behind it.

Effects of turning on the Fraudulent Website Warning option

When Tencent first took over it probably did not take the job seriously and, out of habit, added many of its own "self-defined" bad sites to the fraudulent-site list, so many users in mainland China were "warned" when visiting sites they used every day:

[Screenshot: a Safari warning shown to a mainland China user for an everyday site]

I do not know which site the screenshot is about, but this clearly hurt Apple's image, so I assume negotiations followed. The Safe Browsing list Tencent supplies to Apple now appears to be quite different from the one used in WeChat and QQ domestically, and the "Fraudulent Website Warning" no longer pops up at every turn.

Should I turn off the "Fraudulent Website Warning"?

After all that, what is the conclusion? Should we turn the "Fraudulent Website Warning" feature off?

To be honest, although Tencent will surely make some small moves, such as adding its own seasoning to the Safe Browsing list, most of the URLs in that list are genuinely problematic, and turning the feature off completely would be a bit of a waste. So let us split it into cases:

1. If you are a professional who knows this area well, are confident there is nothing wrong with the sites you visit regularly, and will not visit problematic sites, you can turn it off; the more you know, the more concerns you have.

2. If you do not know much about this, cannot tell which sites are problematic and which are not, and will not visit sites you should not, then leave it on.

3. If you want the everyday protection of the "Fraudulent Website Warning" but sometimes want to visit sites better left unspoken, and you are still worried about being logged (however unlikely), then as long as you have the energy you can leave it on normally, turn it off when needed, and turn it back on afterwards.

4. And then there is a fourth type, upright people like me with a clear conscience, who will simply keep it on!

Also: I only turned it off temporarily for the screenshots earlier; it is all back on now!

The content of this blog is original; please credit the source when reposting. More articles are listed in the Sitemap. The blog's RSS feed is https://blog.tangwudi.com/feed, subscriptions welcome; if you like, join the Telegram group to discuss.

Comments

1. (Windows, Chrome 126.0.0.0) 2024-6-23 21:28:37, 8 months ago

    This reminds me of the feature some browsers have for detecting whether your password has been leaked (Have I Been Pwned?). It uses a similar mechanism. The browser wants to know whether your password is in a leaked database, but for security reasons it cannot send it in plain text. So the password is hashed first and only part of the hash is taken; that part is sent to the browser vendor. Because it only receives a fragment of a hash, the vendor cannot know your actual password. It then finds the entries in the leaked-password database that match that fragment and returns them to the user, and the client compares its own password hash against the returned data. If there is a match, the user's password is in the leaked database, meaning the user is using a weak password or the password has been leaked.
    I read about this on a blog before but cannot find the original. This mechanism is also called "k-anonymity".
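The range query the comment describes, as an added example (mine, not the commenter's and not Have I Been Pwned's own code). It splits the SHA-1 of the password into the 5-hex-character prefix that is sent and the 35-character suffix that stays local, parses the `SUFFIX:COUNT` response format the real Pwned Passwords range endpoint uses, and reports the size of the anonymity set k. The server response is constructed inline so the code runs offline: the suffix for "password" is its genuine SHA-1, while the counts and the other suffixes are made up. Unlike the Safe Browsing Update API discussed in the article, every check here contacts the server, but the server still only ever sees five hex characters.

```python
import hashlib

# Constructed stand-in for a Pwned Passwords "range" endpoint. A real response is
# one "HASH_SUFFIX:COUNT" line per leaked SHA-1 that shares the 5-hex-char prefix.
# The first suffix really is SHA-1("password") minus its prefix; the counts and
# the other two suffixes are made up for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0000A1F0D3A2B5C7E9F1A3B5C7D9E1F3A5B:2",
        "FFFF12345678ABCDEF0123456789ABCDEF0:17",
    ]),
}


class RangeServer:
    """Server side of the k-anonymity range query (constructed, offline)."""

    def __init__(self, responses):
        self.responses = responses
        self.observed = []   # everything the server ever learns: 5-char prefixes

    def fetch(self, prefix: str) -> str:
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("range query takes exactly 5 uppercase hex chars")
        self.observed.append(prefix)
        return self.responses.get(prefix, "")


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    leaves the device and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Zero-count lines are
    padding that the real service can add on request; they are dropped so that
    k reflects real leaked entries only."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            table[suffix.upper()] = n
    return table


def check_password(password: str, fetch_range):
    """Return (times_seen_in_breaches, k) where k is the size of the anonymity
    set: how many leaked hashes the server could not tell apart from ours."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range(fetch_range(prefix))
    return table.get(suffix, 0), len(table)


if __name__ == "__main__":
    server = RangeServer(FAKE_RANGE_RESPONSES)
    for pw in ["password", "correct horse battery staple"]:
        seen, k = check_password(pw, server.fetch)
        verdict = f"seen {seen} times" if seen else "not in the constructed list"
        print(f"{pw!r}: {verdict} (anonymity set k={k})")
    print("server observed only:", server.observed)
```

The comparison of the 35-character suffix happens entirely on the client; the larger k is for a given prefix, the less the server can infer about which of those hashes was actually checked.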
