What is Safe Browsing?
Safe Browsing is a service provided by Google that enables applications to check URLs against Google's constantly updated lists of suspected phishing and malware pages.
Here are some of the things you can do with the Safe Browsing service:
- Warn users before clicking on links that appear in your site when they lead to malware-infected pages.
- Prevent users from posting links to known phishing pages from your site.
- Check a list of pages against Google's lists of suspected phishing and malware pages.
We provide two types of experimental APIs for using the Safe Browsing service:
- Safe Browsing API v2
- Safe Browsing Lookup API
Note that the Safe Browsing API v1 has been discontinued.
Below are short descriptions and a comparison of the two APIs.
Safe Browsing API v2
The Safe Browsing API is an experimental API that enables applications to download an encrypted table for local, client-side lookups of URLs that you would like to check. In early 2010, we made a new version (v2) of the Safe Browsing API available. This v2 version is designed to be more efficient in terms of bandwidth usage, and to help us scale this service to support even more users. The v2 protocol is already in use by several browsers, including Google Chrome and Mozilla Firefox. You can start using the Safe Browsing API v2 now.
Safe Browsing Lookup APInew
The Safe Browsing Lookup API is a new experimental API that enables applications to simply look up URLs from our Safe Browsing service and get the state of URLs (e.g. phishing, malware) directly. Users using the Lookup API do not need to be aware of the internal implementation details of the Safe Browsing service, so the API implementation is simple and easy. You can start using the Safe Browsing Lookup API now.
Choosing the Right API
The Safe Browsing API v2 has the following advantages:
- Better privacy: API users exchange data with the server using hashed URLs so the server never knows the actual URLs queried by the clients.
- Better response time: API users maintain a local cache of the hashed URLs that are in our suspected phishing or malware lists and do not need to query the server every time they want to check a URL.
The major drawback of the Safe Browsing API v2 is the implementation complexity, including:
- API users need to be aware of the internal structures of how the server stores hashed URLs in the phishing or malware lists, and implement the hashing and suffix/prefix expressions themselves.
- API users need to periodically update their local cache of the hashed URLs. If there are updates, they also need to download the new lists of hashed URLs.
- API users need to download and compare the full hash value of URLs that are hit in the local cache.
- API users need to canonicalize the URLs themselves.
The Safe Browsing Lookup API has the following advantage:
- Simple to implement: API users only need to wrap up URLs they want to lookup using HTTP GET or POST request and the server will send the state of the URLs (e.g. phishing, malware) directly to the API users.
The Safe Browsing Lookup API has the following drawbacks:
- Privacy: The URLs to be looked up are not hashed so the server knows which URLs the API users have looked up.
- Response time: Every lookup request will be processed by the Safe Browsing server and we don't provide any guarantees on lookup response time.
In summary, if you are not too concerned about the privacy of the queried URLs and you can tolerate latency induced by a network request, you may want to use the Safe Browsing Lookup API since it's much simpler to implement. Otherwise, the Safe Browsing API v2 may be a better choice for you.