I've been looking around, and found a few threads on it, but:
How much of a deal is it not using, or having, the safe browsing feature activated (Vanadium) in regards to resisting exploitation / malware / phishing?
If I do a search I'll just find standard (like Google's own homepage) articles and forum threads, in addition to the ones here :)
And, in regards to privacy, how "bad" is enhanced safe browsing actually?
Testing I was running NextDNS (normally Quad9) and the connection made with regular safe browsing is:
safebrowsing.googleapis.com (for Brave, probably the same for the rest I suppose)
And this:
safebrowsing.google.com
for enhanced safe browsing in Vanadium
?
And lastly what setting does the team prefer in their daily usage?

    • [deleted]

    FlipSid I think this is the info you want to see before you commit.

      [deleted] what is commit in this context? 😅
      I'm fairly new to this world. Actually I've been trying to avoid IT, until certain things led to each other.
      Thank you for the link 👍🏾

        • [deleted]

        FlipSid Before you commit as in start using it. I actually didn't realize that even with standard safe browsing protection your logins and passwords seem to be collected to check against known breaches. I am leaving that unchecked now and will be changing all my passwords shortly. Unless someone can explain how that process works and where it is being submitted.

          Personally, I avoid as much Google as reasonably possible. IMO, safe-browsing is a great example of a place for anyone and everyone like-minded to start (gmail, Chrome proper, Youtube.app/.com among others). Not saying sb is worthless (checking linked redirects in browser DLs for insecure connections is neat, for one), per se. But I am saying that you will almost surely experience no negative effects from disabling it. I've survived, virtually unscathed (dad pun!); disabling it, cross-platform for as long as I can remember. It's worthless to me.

          Google have done truly amazing things for a truly amazing thing in securing the world's internet. They are champions of information security the level one would expect of an industry titan.

          They are also the ad company.

          The ad company that (will) continue to develop the proprietary, surveillance-marketing scourge at the heart of their profound ascension to omnipotence most glorious, human tool for make great again humanity.

          Seriously*, thanks for Maps, android/aosp, Chromium, somehow maintaining the YT monster. You're welcome for all the money...along with so many of our thoughts, fears, hopes and dreams available for purchase/trade.

          Great relationship. Would enter into again!!

            FlipSid Standard safe browsing uses badness enumeration, enhanced safe browsing sends samples of pages, downloads etc. so as to have a constant analysis of everything you do on the browser, and not just by comparing your browsing data with a list of known malicious data, it's more efficient but obviously means sending more data to Google.

            Personally, I don't use either of them.

              [deleted] actually, before I went to GrapheneOS, and before Chrome had so many annoying ads (actually back in the day I didn't even have the idea to switch browsers lol) I just used the safe browsing in Brave...
              Never had it block a site. It was just there.
              Not in Chrome either
              Now I'm just curious about it..., since I am trying a layered approach.
              But as I understand standard safe browsing is done locally.
              The browser will download a list and update it periodically to check against known malicious domains / phishing sites...
              Enhanced safe browsing was more invasive, but I could not find info (like for MS Defender the white paper).
              Enhanced safe browsing seems to be more invasive than smart screen, on a side note. I'll check your link later, at job training today
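
Added example (not part of any post in this thread, and not Vanadium or Chromium code): a simplified sketch of the local-list check described above, modeled on the hash-prefix scheme of Google's published Safe Browsing Update API. The 4-byte prefix length, the reduced URL canonicalization and the sample list entry are assumptions made for the example; it shows that only a short hash prefix, not the URL, would need to leave the device, and only on a local hit.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumption: 4-byte SHA-256 prefixes in the local list


def url_expressions(url):
    """Host-suffix / path-prefix combinations to look up.

    Simplified: no handling of IP hosts, percent-escapes or query strings.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # Full host, then shorter suffixes down to the last two labels.
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    segs = [s for s in path.split("/") if s]
    # "/" plus each directory prefix, plus the exact path.
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    if path not in paths:
        paths.append(path)
    return [h + p for h in hosts for p in paths]


def prefix(expr):
    """Truncated SHA-256 of one host/path expression."""
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]


def build_local_list(bad_expressions):
    """What the browser stores: hash prefixes only, never the URLs."""
    return {prefix(e) for e in bad_expressions}


def check(url, local_list):
    """Return (verdict, prefixes that a follow-up full-hash request would send)."""
    hits = [prefix(e) for e in url_expressions(url) if prefix(e) in local_list]
    return ("needs-full-hash-check" if hits else "no-match", hits)


# Constructed sample data: one listed expression and two visited URLs.
LOCAL_LIST = build_local_list(["evil.example/"])

if __name__ == "__main__":
    for u in ("https://login.evil.example/signin", "https://grapheneos.org/usage"):
        verdict, sent = check(u, LOCAL_LIST)
        print(u, verdict, [p.hex() for p in sent])
```

A "no-match" verdict is reached entirely on the device; a prefix hit is not yet a block, because unrelated URLs can share a 4-byte prefix, so a confirmation step against full hashes is still needed.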

              ezlover thank you. Valuable information, on not using the safe browsing.
              For me, after switching to GrapheneOS, it was hard to not install Eset Mobile Security.... Habitual thing lol
              Same with *at least* (standard) safe browsing.

              FlipSid Enumerating badness does little because you have to maintain a list and tracking can be done without any scripts so wondering when it makes sense depends on the threat, it only weakly and temporarily reduces the attack surface by catching the low-hanging fruit because it's always just a matter of attacking a moving target, the opponent can adapt, it makes more sense not to rely on it alone and assume it's not enough, the browsers that use it do so essentially to reassure you.

              Vanadium is hardened, disables JIT and other features that the official GrapheneOS website explains better than I can. Vanadium now uses ad blocking, they currently use easylist and easyprivacy, but it's planned that blocking will extend to uBlock Origin lists. Providing ad and tracker blocking is useful if it's used to address a clear threat model, we all know that browsing certain websites is disastrous without ad blocking.

              GrapheneOS is working hard to reduce fingerprinting.

                I'm not seeing any evidence so far that Enhanced Safe Browsing is being used to deliver targeted ads. General distrust of a company is not evidence.

                  fid02 I'm not seeing any evidence so far that Enhanced Safe Browsing is being used to deliver targeted ads. General distrust of a company is not evidence.

                  It's enough for the feature to come from Google for some users to see another way of targeted advertising, even when it makes no sense.

                  Xtreix Enumerating badness does little because you have to maintain a list and tracking can be done without any scripts so wondering when it makes sense depends on the threat

                  Like I said, I can follow on the Tracking thing. Which is why I am using Vanadium as it comes basically.
                  On the Safe Browsing and Malware / Phishing / etc is where I am having trouble.
                  Where does enumerating badness start and where does it stop.
                  Right now I'm running dnsO/Zero (alternative to Quad9) on a DNS Level.
                  Some line of "defence" was safe browsing.
                  Or maybe not.
                  Don't know 😂
                  Obviously I should not do nothing, which I am not by running GrapheneOS in the first place. And using Brave for a few selected sites.
                  So all in all running a hardened browser (like Vanadium) should be enough?
                  Or let me ask the other way around. Comparison between standard Chrome / Brave and Vanadium:
                  Is Vanadium so hardened that it makes up for safe browsing?
                  Like it is already obvious, I kinda got myself in a braindamage place haha 😂

                    FlipSid Is Vanadium so hardened that it makes up for safe browsing?

                    I think I found the answer here:
                    https://lwn.net/Articles/293034/
                    from a link that was shared here by @Xtreix
                    Exactly this just caught my attention:
                    "99% of the World is just
                    gullible and insists on thinking that security holes are handled by
                    scanning for viruses/malware and not by patching holes"

                      FlipSid On the Safe Browsing and Malware / Phishing / etc is where I am having trouble.
                      Where does enumerating badness start and where does it stop.

                      https://grapheneos.org/usage#web-browsing

                      Malware can't do much on Android because of sandboxing, Chromium browsers use sandbox-based site isolation which is a powerful security feature that protects privacy, it's enhanced in Vanadium, don't install unknown apps on unofficial links, don't visit dodgy links, phishing is a social engineering attack that relies on a lack of vigilance on your part, example, opening an email link without checking the URL and sender.

                      FlipSid Right now I'm running dnsO/Zero (alternative to Quad9) on a DNS Level.

                      Note that this is limited to DNS

                      https://grapheneos.org/faq#private-dns-other

                      FlipSid Or let me ask the other way around. Comparison between standard Chrome / Brave and Vanadium:
                      Is Vanadium so hardened that it makes up for safe browsing?

                      Secure browsing and browser hardening are two different things, browser hardening is a systemic approach that aims to reduce the attack surface and prevent entire classes of vulnerabilities, secure browsing as presented by Google in Chrome is essentially an Antivirus in the browser. I don't use Brave but I think it's OK to use it. Standard Chrome is Chromium vanilla with Google services imposed by default.

                      DivestOS offers a free real-time malware scanner if you are interested.

                      FlipSid Exactly this just caught my attention:
                      "99% of the World is just
                      gullible and insists on thinking that security holes are handled by
                      scanning for viruses/malware and not by patching holes"

                      Of course, it's more important to patch holes, you can compare with the CVE count, less doesn't mean better, it may mean that software security is not regularly assessed. Anti-malware detection is useful in certain scenarios, such as spotting which file is infected, but is intrinsically defective.

                      [deleted] I actually didn't realize that even with standard safe browsing protection your logins and passwords seem to be collected to check against known breaches.

                      Personally I would want a very reputable source for a claim as strong as this one, especially since it is feasible for checking to be done privately on the device with zero "collection".

                      Is there a clear detailed claim from a reputable source?

                        • [deleted]

                        de0u if you have knowledge how this is done privately and locally, can you please point us at a relevant source? I would be very grateful.