
Yeah for the first thing, I said I assume it -- I wasn't actually making an assertion that all the requests get sent to a server. I can't realistically spend the effort to double-check every single thing like this (as in how badly every corp is spying on me), and it's substantially easier to just assume the worst and act accordingly.

Right, I'm sure the "Safe Browsing" stuff has prevented downloads of .exes that the user never would have run anyways (but I digress). Regardless, I still am not going to rely on shareholder-driven megacorps to decide what sites I can trust or not. They have proven they are not trustworthy themselves. To start, Google does things like hiding portions of the URL of the website you're on[0], making the web browsing experience even more opaque than it already is for the average user. In fact, Google has even engaged in phishing-like behaviour themselves, replacing an original website with their own AMP version, while showing the original URL[1].

Of course, this is all without even touching on the shocking depth of surveillance/tracking undertaken by Google.

Regarding exploits in the browser itself, in fact, the extremely massive surface area of web browser software is indeed absolutely a vector for malware. In this sense, Safe Browsing is a solution to a problem browser vendors created by nearly turning the web browser into an OS. By April this year, Chrome had already hit its third zero-day exploit[2] affecting its billions of users. By last month, it had hit its seventh[3]. Basically every month or two there's a new actively-exploited vulnerability in Chrome that may very well allow malware to be installed on your system by simply visiting a web page. If only trying to read some text on a website didn't mean risking having my home network turned into a botnet, or getting ransomware-locked...

[0] https://www.bleepingcomputer.com/news/google/google-chrome-h...

[1] https://www.androidpolice.com/2019/04/16/amp-pages-will-now-...

[2] https://www.forbes.com/sites/gordonkelly/2022/04/16/google-c...

[3] https://www.forbes.com/sites/daveywinder/2022/10/28/emergenc...



Except [0] has been demonstrated to actually be more useful for average users, as it hides parts of the URL that are not actually relevant. I don't know what Google's current UI for it is, but in Safari by default https:// is not shown. Instead if you visit a http: site you get a completely different UI "not secure - example.com".

The reason for these UI changes is very simple: signaling secure vs insecure via a single character in a string that is meaningless to most people makes it essentially useless. Similarly making "secure" websites get a padlock is not helpful - it's essentially the same as a car engine light, except the engine light is surrounded by a dozen other lights, and it turns off when there's a problem. Unending amounts of research show that that kind of design means people will not notice problems.

This is not to say Google is a shining example of privacy engineering (see their core business model), but you're being incredibly dismissive of the work that their Chrome and browser privacy engineering teams do.


I am definitely dismissive of the benefits of work that obfuscates or conceals the most concrete piece of information I require to know what site I am on: the complete URL, including schema, that I have been looking at on every single web page I visit since the early 90's.

IMO when a browser vendor does something like this, I'm not in a rush to sit there and read all their blog posts and give huge consideration to yet another megacorp imposing their will upon me. I just don't want my URL hidden, and I will definitely turn off features like this where possible. (n.b. I don't use Chrome, so it's irrelevant for me)

Interesting. http "not secure", but I bet every piece of malware delivered to a user's machine via browser exploit was delivered on an https URL...

BTW, you make some assertions about the feature being more useful for average users -- can you provide any links/documents about this? I am very skeptical, though you are under no obligation to convince me (don't spend the time finding link(s) unless you specifically feel like it). I'd be curious, because I even feel doubtful that there's any solid measurement indicating hiding part of the URL has actually benefited anyone.



