Google Safe Browsing API

What is Safe Browsing?

Safe Browsing is a service provided by Google that enables applications to check URLs against Google's constantly updated lists of suspected phishing and malware pages.

Here are some of the things you can do with the Safe Browsing service:

• Warn users before clicking on links that appear in your site when they lead to malware-infected pages.
• Prevent users from posting links to known phishing pages from your site.
• Check a list of pages againest Google's lists of suspected phishing and malware pages.

We provide two types of experimental APIs for using the Safe Browsing service:

• Safe Browsing API v2
• Safe Browsing Lookup API

Note that the Safe Browsing API v1 will be turned off soon.

Below are short descriptions and a comparision of them.

Safe Browsing API v2

The Safe Browsing API is an experimental API that enables applications to download an encrypted table for local, client-side lookups of URLs that you would like to check. In early 2010, we made a new version (v2) of the Safe Browsing API available. This v2 version is designed to be more efficient in terms of bandwdith usage, and helps us scale this service to be able to support even more users. The v2 protocol is already in use by several browsers, including Google Chrome and Mozilla Firefox. You can start using the Safe Browsing API v2 now. Existing v1 users should consider how to migrate existing code from v1 to v2, since we will turn off the v1 protocol very soon. Alternatively, existing v1 users could also consider using the new Safe Browsing Lookup API if approprate.

Safe Browsing Lookup API^new

The Safe Browsing Lookup API is a new experimental API that enables applications to simply lookup URLs from our Safe Browsing service and get the state of URLs (e.g. phishing, malware) directly. Users using the Lookup API do not need to be aware of the internal implementation details of the Safe Browsing service, so the API implementation is simple and easy. You can start using the Safe Browsing Lookup API now.

Choosing the Right API

The Safe Browsing API v2 has the following advantages:

• Better privacy: API users exchange data with the server using hashed URLs so the server never knows the actual URLs queried by the clients
• Better response time: API users maintain a local cache of the hashed URLs that are in our suspective phishing or malware lists and do not need to query the server every time they want to check a URL(s)

The major drawback of the Safe Browsing API v2 is the implementation complexity, including:

• API users need to be aware of the internal structures of how the server stores hashed URL(s) in the phishing or malware lists, and implement the hashing and suffix/prefix expressions themselves.
• API users need to periodically update their local cache of the hashed URLs. If there are updates, they also need to download the new lists of hashed URLs
• API users need to download and compare the full hash value of URLs that are hit in the local cache.
• API users need to canonicalize the URLs themselves.

The Safe Browsing Lookup API has the following advantage:

• Simple to implement: API users only need to wrap up the URL(s) they want to lookup using HTTP GET or POST request and the server will send the state of the URLs (e.g. phishing, malware) directly to the API users.

The Safe Browsing Lookup API has the following drawbacks:

• Privacy: The URL(s) to be looked up are not hashed so the server knows which URL(s) the API users have looked up
• Response time: Every lookup request will be processed by the Safe Browsing server and we don't provide any guarantees on lookup response time

In summary, if you are not too concerned about the privacy of the queried URL(s) and you can tolerate latency induced by a network request, you may want to use the Safe Browsing Lookup API since it's much simpler to implement. Otherwise, the Safe Browsing API v2 may be a better choice for you.