Security/Safe Browsing/V4 Implementation

From MozillaWiki
Jump to: navigation, search


Safe Browsing v4 is designed to reduce network bandwidth and disk storage (mainly for mobile devices). The usage of partial URL hashes (aka prefixes) and complete hashes remains the same but the way we get those prefixes and complete hashes is changed. The update and hash completion API will be based on protobuf and content compression (in additional to HTTP compression) is introduced. For further information, see (The public specification is not complete. For example, the protobuf is not mentioned.)


Given that ESR 52.8 will be the last supported version of Firefox using the V2 servers, we have the following deadlines:

  • Firefox 59 (Desktop): merge on 2017-11-13, release on 2018-03-06
  • Firefox 61 (Android): merge on 2018-03-05, release on 2018-06-26

We will therefore target the following releases:

  • Firefox 58 (Desktop): merge on 2017-09-20, release on 2018-01-16
  • Firefox 60 (Android): merge on 2018-01-15, release on 2018-05-01

Design and Implementation

To have v2 and v4 run in parallel, we must carefully refactor some core components like ListManager and HashCompleter. Instead of having a master preference to switch between v2 and v4, we take the "table name driven" approach. The plan is to add a separate provider called google4, which owns v4 tables: goog-phish-proto, goog-unwanted-proto and goog-malware-proto. The suffix "-proto" indicates that the table should be updated and completed via protobuf. Besides, the new provider google4 has its own updateURL and gethashURL. You can consider google4 yet another provider like mozilla.

When ListManager and HashCompleter (and any other related components like ProtocolParser) sees table names suffixed by "-proto", they would behave differently. For example, in listmanager.js, while making update request for table goog-phish-proto, nsIUrlClassifier.makeUpdateRequestV4 will be called to build a v4 specific request. (See bug 1264885 and bug 1275507 for more information.)

Using custom API key

We are required to have a API key to access Google services like geolocation and Safe Browsing. The nightly/beta/aurora/release Firefox builds will have a proper API key associated with Mozilla. However, if you build your own Firefox, the API key will be substituted with the string "no-google-api-key", which is not a valid key.

Here's how to get your own key:

  1. Obtain a Safe Browsing Google API key from and put it in ~/
  2. Add ac_add_options --with-google-api-keyfile=/home/foobar/ to your .mozconfig
  3. Rebuild and check if config.status has something like 'MOZ_GOOGLE_API_KEY': b'AIzaSooxxxxoxoxoxoxooxx'

Try Google Safe Browsing V4!

To use Google Safe Browsing V4, set the following preferences:

  1. urlclassifier.downloadAllowTable to goog-downloadwhite-proto
  2. urlclassifier.downloadBlockTable to goog-badbinurl-proto
  3. urlclassifier.phishTable to goog-phish-proto,test-phish-simple
  4. urlclassifier.malwareTable to goog-malware-proto,goog-unwanted-proto,test-malware-simple,test-unwanted-simple

To use both V4 and V2 at the same time:

  1. urlclassifier.downloadAllowTable to goog-downloadwhite-proto,goog-downloadwhite-digest256
  2. urlclassifier.downloadBlockTable to goog-badbinurl-proto,goog-badbinurl-shavar
  3. urlclassifier.phishTable to goog-phish-proto,goog-phish-shavar,test-phish-simple
  4. urlclassifier.malwareTable to goog-malware-proto,goog-unwanted-proto,goog-malware-shavar,goog-unwanted-shavar,test-malware-simple,test-unwanted-simple


M0 (2016/7/31)


  1. Send v4 update request on time
  2. Parse v4 update response but not store to disk
  3. Use v4 request backoff settings
  4. v2 will still be up and running


  1. v4 table download/update will be opt-in.
  2. To test M0 features, modify the following preferences:
    • urlclassifier.malwareTable ==> Add goog-malware-proto and goog-unwanted-proto
    • urlclassifier.phishTable ==> Add goog-phish-proto


Dashboard for M0 bugs

M1 (2016/9/30)


  1. Store v4 tables to disk (including fixed and variable length prefixes)
  2. Store table states
  3. Split v4 tables to different directory per provider


Dashboard for M1 bugs

Workweek in Vancouver

  1. Etherpad:

M2 (TBC, maybe 10/15)

The intention of M2 is to push the date where we "enable v4 list update on nightly by default" to two weeks later because we have identified some issues and lacks in M0 and M1 in Vancouver SBv4 work week. The target date is the end of second week in October.


  1. bug 1305486 to enable v4 table update on nightly by default (The most important!)
  2. bug 1305567 so that we won't get 400 error while doing list update. (landed)
  3. bug 1305581 to examine checksum against the updated lists.
  4. bug 1285848 to support compressed list update. (under review)
  5. bug 1305801 to store v4 list to disk. (landed)
  6. bug 1305484 to store v4 list states to disk rather than preference.


Dashboard for M2 bugs

M3 (Right before Hawaii Workweek)


  1. Check v4 prefixes (in addition to v4) but ignore the result
  2. v2/v4 prefix matching consistency telemetry (e.g. v2/v4 should both 'have' or 'not have' certain URL hash)
    1. Be careful of the variable length prefixes: it's possible to get a 32-bit prefix match for in V2 and no match on V4 because that entry uses a 48-bit prefix instead


Dashboard for M3 bugs

M4 (2017/1/23)


  1. Enable update by default
  2. Fix crashes and regressions


Dashboard for M4 bugs

M5 (2017/3/6)


  1. Enable v4 completion on nightly but ignore the result
  2. Add V4 table for Download protection.
  3. v2/v4 URL hash matching consistency telemetry


Dashboard for M5 bugs

M6 (2017/4/18)


  1. Caching
  2. Enable both V4 and V2 on Nightly 55


Dashboard for M6 bugs

M7 (2017/6/12)


  1. V4 is feature complete


Dashboard for M7 bugs

M8 (2017/8/7)


  1. V4 only in Nightly 56
  2. Initial Soft Vision tests


Dashboard for M8 bugs

M9 (2017/09/20)


  1. Shipping to release
  2. Crash comparison on beta
  3. Gradual roll-out on release


Dashboard for M9 bugs

M10 (2017/11/13)


  1. V4 working on Fennec
  2. Follow-ups completed


Dashboard for M10 bugs