What you need to know
- Safari Fraudulent Website Warning flags malicious websites.
- It uses Google's malicious website list internationally and Tencent's list for devices set to China.
- Actual URLs are not shared, though IPs have to be transmitted, and the feature can be turned off.
Apple and China have a complicated relationship and situation that's exploded in the news over the last week. (Much more on that in a future column.) It's led to some incredibly informative reporting, but also some ride-along FUD (fear, uncertainty, and doubt). A recent story about how Apple handles Safari Fraudulent Website Warning's, got caught up in the latter. Which is unfortunate, because it's something everyone should be informed about.
First, here's Apple's statement:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning," Apple told iMore. "A security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Second, here's how the system works:
Google and Tencent send Safari hashed prefixes of URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region set to mainland China, you get Tencent's. Hash prefixes, while imperfect, were designed to be more general than specific URLs.
Safari checks any web page you try to go to again the list of hash prefixes. If they match, the page may be malicious.
At that point, Safari asks Google or Tencent for the full list of URLs that match the hashed prefix.
Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.
Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.
If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.
In a perfect world, a more privacy-centric company like Duck Duck Go or Apple would be able to maintain and use their own lists, both internationally and inside China. In the meantime, some system that anonymizes and relays requests, like Siri does or like Sign in with Apple, perhaps, could improve privacy within the current implementation.
So, for now, browse smart and browse safe.