Google Safe Browsing can kill a startup

gomox | 1714 points

This is actually funny, because I was involved with the creation of this list, way back in 2004. The whole thing started as a way to stop phishing.

I was working at eBay/PayPal at the time, and we were finding a bunch of new phishing sites every day. We would keep a list and try to track down the owners of the (almost always hacked) sites and ask them to take it down. But sometimes it would take weeks or months for the site to get removed, so we looked for a better solution. We got together with the other big companies that were being phished (mostly banks) and formed a working group.

One of the things we did was approach the browser vendors and ask them: if we provided them a blacklist of phishing sites, which we already had, would they block those sites at the browser level?

For years, they said no, because they were worried about the liability of accidentally blocking something that wasn't a phishing site. So we all agreed to promise that no site would ever be put on the list without human verification and the lawyers did some lawyer magic to shift liability to the company that put a site on the list.

And thus, the built-in blacklist was born. And it worked well for a while. We would find a site, put it on the list, and then all the browsers would block it.

But since then it seems that they have forgotten their fear of liability, as well as their promise that all sites on the list will be reviewed by a human. Now that the feature exists, they have found other uses for it.

And that is your slippery slope lesson for today! :)

jedberg | 3 years ago

After years of seeing developments like this, getting worse and worse, it fills me with rage to think about how clearly nobody in power at Google cares.

I naively used to think, "they probably don't realize what's happening and will fix it." I always try to give benefit of the doubt, especially having been on the other side so many times and seeing how 9 times out of 10 it's not malice, just incompetence, apathy, or hard priority choices based on economic constraints (the latter not likely a problem Google has though).

At this point however, I still don't think it's outright malice, but the doubling down on these horrific practices (algorithmically and opaquely destroying people) is so egregious that it doesn't really matter. As far as I'm concerned, Google is to be considered a hostile actor. It's not possible to do business on the internet in any way without running into them, so "de-Googling" isn't an option. Instead, I am going to personally (and advise my clients as well) to:

Consider Google as a malicious actor/threat in the InfoSec threat modeling that you do. Actively have a mitigation strategy in place to minimize damage to your company should you become the target of their attack.

As with most security planning/analyzing/mitigation, you have to balance the concerns of the CIA Triad. You can't just refuse Google altogether these days, but do NOT treat them as a friend or ally of your business, because they are most assuredly NOT.

I'm also considering AWS and Digital Ocean more in the same vein, although that's off topic on this thread. (I use Linode now as their support is great and they don't just drop ban hammers and leave you scrambling to figure out what happened).

Edit: Just to clarify (based on confusion in comments below), I am not saying Google is acting with malice (I don't believe they are personally). I am just suggesting you treat it as such for purposes of threat modeling your business/application.

freedomben | 3 years ago

It's a relatively long article - but it does not answer one simple question, which is quite important when discussing this: were there any malicious files hosted on that semi-random Cloudfront URL? I realise that Google did not provide help identifying it - but that does not mean one should simply recommission the server under a new domain and continue as if nothing has happened!

From TFA:

> We quickly realized an Amazon Cloudfront CDN URL that we used to serve static assets (CSS, Javascript and other media) had been flagged and this was causing our entire application to fail for the customer instances that were using that particular CDN

> Around an hour later, and before we had finished moving customers out of that CDN, our site was cleared from the GSB database. I received an automated email confirming that the review had been successful around 2 hours after that fact. No clarification was given about what caused the problem in the first place.

Yes, yes, Google Safe Browsing can use its power to wipe you off the internet, and when it encounters a positive hit (false or true!) it does so quite broadly, but that is also exactly what is expected for a solution like that to work - and it will do it again if the same files are hosted under a new URL as soon as it detects the problem again.

vaduz | 3 years ago

Our company [0] was also hit by this.

We receive email for our customers and a portion of that is spam (given the nature of email). Google decided out of the blue to mark our attachment S3 bucket as dangerous, because of one malicious file.

What's most interesting is that the bucket is private, so the only way they could identify that there is something malicious at a URL is if someone downloads it using Chrome. I'm assuming they make this decision based on some database of checksums.

To mitigate, we now operate a number of proxies in front of the bucket, so we can quickly replace any that get marked as dangerous. We also now programmatically monitor presence of our domains in Google's "dangerous site" database (they have APIs for this).

0: https://www.enchant.com - software for better customer service

veesahni | 3 years ago
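The monitoring veesahni describes above, as an added example (not enchant.com's code or code from the thread): it polls the Google Safe Browsing Lookup API v4 `threatMatches:find` endpoint for a watched set of your own URLs and reports any that are listed. The endpoint, request body and reply shape are the documented ones; the domains, the API key and the sample reply are constructed placeholders, and the transport is injectable so the check runs offline here.

```python
"""Poll the Google Safe Browsing Lookup API (v4) for a watched set of
production URLs. Added example, not enchant.com's or the thread's own code;
the endpoint and request/response shapes are the documented ones for
threatMatches:find, the domains and API key below are placeholders."""
import json
import urllib.request

LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = [
    "MALWARE",
    "SOCIAL_ENGINEERING",
    "UNWANTED_SOFTWARE",
    "POTENTIALLY_HARMFUL_APPLICATION",
]


def build_request(urls, client_id="domain-watch", client_version="1.0"):
    """Build the JSON body expected by threatMatches:find."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_matches(response):
    """Map each flagged URL to its threat types; {} means nothing matched."""
    flagged = {}
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url:
            flagged.setdefault(url, []).append(match.get("threatType", "UNKNOWN"))
    return flagged


def _http_post(api_key):
    """Real transport: POST the body and decode the JSON reply."""
    def post(payload):
        req = urllib.request.Request(
            f"{LOOKUP_ENDPOINT}?key={api_key}",
            data=payload,
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            # An empty body (no matches) is valid; treat it as {}.
            return json.loads(resp.read() or b"{}")
    return post


def lookup(urls, api_key, transport=None):
    """Return {url: [threatType, ...]} for the watched URLs. `transport`
    takes the encoded body and returns the decoded reply; it is injectable
    so the check can be exercised offline."""
    transport = transport or _http_post(api_key)
    body = json.dumps(build_request(urls)).encode("utf-8")
    return parse_matches(transport(body))


# Constructed sample reply in the documented shape: one CDN URL listed as
# social engineering, the others clean (and therefore absent from the reply).
SAMPLE_RESPONSE = {
    "matches": [
        {
            "threatType": "SOCIAL_ENGINEERING",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "https://cdn.example-saas.test/app.js"},
            "cacheDuration": "300s",
        }
    ]
}

# Placeholder list of the domains an operator would watch.
WATCHED = [
    "https://app.example-saas.test/",
    "https://cdn.example-saas.test/app.js",
    "https://uploads.example-saas.test/",
]


def demo(response=SAMPLE_RESPONSE):
    """Run the check against the constructed reply instead of the network."""
    return lookup(WATCHED, "PLACEHOLDER_API_KEY", transport=lambda _body: response)


if __name__ == "__main__":
    for url, threats in demo().items():
        print(f"ALERT {url}: {', '.join(threats)}")
```

Run it on a schedule and page on any non-empty result; the reply's `cacheDuration` tells you how long a verdict may be cached before re-querying. Because the Lookup API sends the queried URLs to Google, it suits checking your own domains rather than your users' browsing; the Update API variant exists for high-volume use.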

Yes, the power of something like Google Safe Browsing is scary, especially if you consider the many, many downstream consumers who might have an even worse update / response time. Responsiveness by Google is not great, as expected; we recently contacted Google to get access to the paid WebRisk API and haven't heard anything in a few months...

However, phishing detection and blocking is not a fun game to be in. You can't work with warning periods or anything like that, phishing websites are stood up and immediately active, so you have to act within minutes to block them for your users. Legitimate websites are often compromised to serve phishing / malicious content in subdirectories, including very high-level domains like governments. Reliable phishing detection is hard, automatically detecting when something has been cleaned up is even harder.

Having said all that, a company like Google with all of its user telemetry should have a better chance at semi-automatically preventing high-profile false positives by creating an internal review feed of things that were recently blocked but warrant a second look (like in this case). It should be possible while still allowing the automated blocking verdicts to be propagated immediately. Google Safe Browsing is an opaque product / team, and its importance to Google was perhaps represented by the fact that Safe Browsing was inactive on Android for more than a year and nobody at Google noticed: https://www.zdnet.com/article/mobile-chrome-safari-and-firef...

Lastly, as a business owner, it comes down to this: Always have a plan B and C. Register as many domains of your brandname as you can (for web, email, whatever other purpose), split things up to limit blast radius (e.g. employee emails not on your corporate domain maybe, API on subdomain, user-generated content on a completely separate domain) and don't use external services (CDN) so you can stay in control.

heipei | 3 years ago

Of particular note:

"Don't host any customer generated data in your main domains. A lot of the cases of blacklisting that I found while researching this issue were caused by SaaS customers unknowingly uploading malicious files onto servers. Those files are harmless to the systems themselves, but their very existence can cause the whole domain to be blacklisted. Anything that your users upload onto your apps should be hosted outside your main domains. For example: use companyusercontent.com to store files uploaded by customers."

mcguire | 3 years ago

“Don't host any customer generated data in your main domains. ”

This is extremely important for multiple reasons. One reason is the blacklisting as mentioned in the article, the other reason is security: browser typically implement security policies around domains as well, such as cookie scoping and whatnot. Putting all user generated content under a completely separate domain avoids a whole category of potential issues.

stingraycharles | 3 years ago
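The cookie-scoping point stingraycharles makes above (and the article quote mcguire cites) comes down to how browsers decide which hosts receive a cookie. The following added example, not code from the thread, implements the RFC 6265 section 5.1.3 domain-match rule and audits a hosting layout: a session cookie set with `Domain=example.com` reaches every subdomain, so user-uploaded HTML on `uploads.example.com` would run with the victim's session, while a sibling registrable domain such as `exampleusercontent.com` never receives it. All host names are constructed.

```python
"""Audit which hosts would receive an application's session cookie, to show
why user-uploaded content belongs on a separate registrable domain.
Added example; host names are constructed, the matching rule follows
RFC 6265 section 5.1.3 (domain-match)."""
import ipaddress


def _is_ip(host):
    """IP-literal hosts never domain-match a cookie Domain attribute."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: equal, or host ends with '.' + domain.
    Note the leading dot: 'notexample.com' must NOT match 'example.com'."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == dom:
        return True
    return host.endswith("." + dom) and not _is_ip(host)


def cookie_sent_to(request_host, cookie):
    """cookie: {'set_on': host that set it, 'domain': Domain attribute or
    None}. Without a Domain attribute the cookie is host-only."""
    if cookie["domain"] is None:
        return request_host.lower() == cookie["set_on"].lower()
    return domain_matches(request_host, cookie["domain"])


def audit_layout(cookie, content_hosts):
    """Return the content hosts that would receive the cookie, i.e. where
    uploaded HTML would execute with the user's session attached."""
    return [h for h in content_hosts if cookie_sent_to(h, cookie)]


# Constructed layout: the app sets a domain-wide session cookie, and user
# content is served from several candidate hosts.
SESSION_COOKIE = {"set_on": "app.example.com", "domain": "example.com"}
HOST_ONLY_COOKIE = {"set_on": "app.example.com", "domain": None}
CANDIDATE_HOSTS = [
    "uploads.example.com",          # subdomain of the main domain: leaks
    "files.app.example.com",        # deeper subdomain: still leaks
    "exampleusercontent.com",       # separate registrable domain: safe
    "cdn.exampleusercontent.com",   # subdomain of the separate domain: safe
    "notexample.com",               # naive endswith() would get this wrong
]


def exposed_hosts():
    """Hosts where uploaded content would see the domain-wide session cookie."""
    return audit_layout(SESSION_COOKIE, CANDIDATE_HOSTS)


if __name__ == "__main__":
    for host in CANDIDATE_HOSTS:
        flag = "RECEIVES session cookie" if host in exposed_hosts() else "isolated"
        print(f"{host:32} {flag}")
```

Even a host-only cookie only buys isolation for the cookie itself; the separate registrable domain is what keeps uploaded content out of the main domain's cookie scope, origin-scoped storage and Safe Browsing reputation at once, which is why the article recommends something like `companyusercontent.com` rather than a subdomain.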

I learned the hard way that other companies than Google also contribute to the blacklist. A site I was working on got falsely flagged by netcraft.com (which they admitted after I spent a week explaining it to them). They do some kind of active AI cyber defence bollocks and have netflix as a customer. Their Automated Idiot classified our login page as trying to phish netflix.

The fun part of this is that I could have prevented this if I had seen the warning email that Google sent me, but since Gmail classified it as an email phishing attempt, I never saw it (straight to spam folder). How ironic.

Consequences:

- Our website was blocked in all major browsers, not just Chrome

- AWS, who also look at the blacklist and were contacted by netcraft automatically, threatened to delete our account. I had to convince both parties that we did nothing wrong

- One week offline

CountVonGuetzli | 3 years ago

If their claim is false, then is it, in any jurisdiction, libelous?

Maybe legislation to bring consequences for false claims will help ensure algorithms, and the support teams that monitor them, do a better job. In an internet-focused world, especially one with lockdowns, wiping sites off of the internet with false claims is a heinously bad act.

sfg | 3 years ago

I can confirm everything that was said in that article. I run a free dynamic dns service (freemyip.com) and every time someone creates a subdomain that later hosts some questionable material, Google will immediately block my whole domain. Their response time for clearing these up varies from a few hours to two weeks. It feels completely random. I once had a malicious subdomain that I removed within two hours, yet the ban on Google lasted for more than two weeks. Now, this is a free service so bans like these don’t really matter that much to me, but if it was a business, I would have most likely gone bankrupt already.

I noticed that recently, they are only sending me the warning, but don’t block me right away. Perhaps after a few years of these situations I advanced to a more “trusted” level at Google where they give me some time to react before they pull the plug on my domain. I don’t know. But I would be truly petrified of Google if this was my real business.

cadence- | 3 years ago

1- Ban self dealing.

Even the appearance of a conflict of interest should be treated as an actual conflict of interest.

Among all the other countermeasures being considered, breaking apart these monopolies' end-to-end integrations should be top priority.

For comparison: I'm a huge Apple fanboy. I'm in a happy monogamous relationship with Apple (h/t NYU Prof Scott Galloway).

There's no question their awesome products are largely due to their keiretsu, monopsony, and other anti-competitive practices. So despite my own joy, I also support breaking up Apple, for the greater good.

The same applies to Google's offerings. Google Chrome cannot be allowed to operate without oversight. Once a product or service becomes an important pillar in a market, it must be held accountable.

2- Fair and impartial courts.

Governments make markets. Google (et al) act as sovereign governments running their private markets. This is unacceptable.

We all must have the right to negotiate contracts, appeal decisions, and pursue other misc. torts, to be adjudicated in open, fair, impartial courts overseen by professional and accountable judges.

In other words, I demand the rule of law.

Again using Apple as my example. As a customer, I benefit hugely from Apple's App Store, where they vet and curate entries. This is awesome.

But Apple must be held accountable for all of their decisions. All participants must have the right to sue for damages. In a fair and impartial court system, independent of Apple's total control over the market.

Similarly, however Google is administrating the Safe Browsing infrastructure, it must be transparent, accountable, auditable.

--

I'm still working on this messaging, phrasing. Criticisms, editing, word smithing much appreciated.

specialist | 3 years ago

One of the apps my company makes is a chat app. When someone clicks a link in chat, we bounce them to a URL redirect page ("Warning, you're leaving $app, don't enter your account password/information" phishing-warning type page) with a button "Continue to $url". We also have a domain blocklist to block known phishing sites for our app. Because of this, Google blocked our entire domain due to malicious URLs (the "This link was blocked" page). It took us weeks to get it unblocked. Just an utter pain in the butt. We're an established business, but having our entire website blocked by Chrome for weeks nearly killed the entire app.

badwolf | 3 years ago

> I received an automated email confirming that the review had been successful around 2 hours after that fact. No clarification was given about what caused the problem in the first place. ... We never properly established the cause of the issue, but we chalked it up to some AI tripping on acid at Google's HQ.

I expect more of this Kafkaesque experience to come in the future.

This is no longer a technical problem, but a social one. It can only be solved through legislation.

lrossi | 3 years ago

This reminds me of email blacklisting. When I was "young" I operated an email server for 6000 users. Keeping that server and our domain away from blacklisting was a full-time job.

It wasn't enough to secure your server: Any spam or virus coming from the internal network through that email server could potentially blacklist us. Basically, you had to treat your users as untrusted, and run anti-spam and anti-virus filtering that was as good as whatever the rest of the Internet was running.

IIRC, although blacklisting was done by non-profits, it was still rather opaque: Blacklisting should be traumatizing, so that you (and your higher ups) are forced to do a proper risk assessment and actually implement it. It was also opaque to make it harder for the bad guys to move quickly.

I hate the increasing influence that big tech has on small tech. But keeping web and email safe and clean is a cat-and-mouse game, which, unfortunately, also adds burden to the good folks.

anticristi | 3 years ago

The section about ants and Google shifting on its planetary chair is perhaps the best part of this article. A sobering way to look at it.

possiblelion | 3 years ago

I run https://neocities.org, and safe browsing has been my nightmare overlord for a long time.

No way to manage reports via an API, no way to contact support. I haven't even been able to find a suggestions box, even that would be an upgrade here. Digging to find "the wizard" gets you into some official google "community support" forum where you learn the forum is actually run by a non-employee lawful neutral that was brainwashed somehow into doing free work for one of the wealthiest companies in the world. A lot of the reports are false and I have no idea how they are added (this would be an excellent way to attack a web site btw).

Google will sometimes randomly decide that every link to our over 350,000 neocities sites is "malicious" and tell every gmail user in a pop-up that it is dangerous to go to a neocities site. Users are partitioned to a subdomain but occasionally google will put the warning on the entire domain. It's not clear if it's even the same thing as safe browsing or something completely different, and this one doesn't have a "console" at all so I have no idea how to even begin to deal with it. When users complain, I tell them I can't do anything and to "contact google", which I'm sure just leads them to the same community support volunteer.

We actively run anti spam and phishing mechanisms, have a cleaner track record on this than google themselves with their (pretty neglected) site hosting, and because we block uploads of executable files, it is literally impossible for users to host malware on our servers. It is also impossible to POST form data on our servers because it's just static html.

None of that matters. Occasionally we also just get randomly, completely soft-blacklisted by safe browsing for no reason (they call this a "manual action", there's never any useful information provided, I have no idea what they imply and I live in fear of them).

If things ever got extremely horrible, I used to have a friend that worked at google but she no longer works there (I hated using her for this). The other person I knew that works at google stopped responding to my tinder messages, so I'm pretty much doomed the next time they do something ultra crazy and I need emergency support.

It's extremely frustrating and I'm hoping for the day when something gets better here, or they at least provide some way to actually communicate with them on improving things. In the meanwhile, if anyone happens upon the wizard at a ski resort or something, please have them contact me, I have a lot of improvement ideas.

edit: Just to add here from a conversation I had a year ago (https://news.ycombinator.com/item?id=21907911), Google still hasn't figured out that the web is their content providers and they need to support them, and treating their producers with contempt and neglect is a glorious example of how shortsighted the entire company is right now about their long term strategy (how many ads will you sell when the web is a mobile Facebook app?). They should as soon as possible, as a bare minimum, start providing representatives and support for the content providers that make people actually use the web and help them to be successful, similar to how Twitch has a partnership program.

kyledrake | 3 years ago

I wonder if it would be faster to deal with this through legal. I’m not a lawyer, but I wonder if you could send a C&D to Google legal or something because this seems like an actual case of slander and reputation damage.

Pulcinella | 3 years ago

I provide Windows builds of ffmpeg, linked via http://ffmpeg.org/download.html. The site is entirely static, no user data is collected or stored.

Starting in late October, lasting for around a month, users would get the dreaded red page upon visiting the site at https://www.gyan.dev/ffmpeg/builds/

Search Console would show a couple of files as 'install malicious or unwanted software'. Never mind that all files are plain archives (7z,ZIP) with no installers or even self-extraction, containing CLI apps. These file URLs when scanned via Virustotal (Google-owned) would be flagged by Google Safe-browsing and no other engine. Weird thing is, the same files mirrored at Github would be detected as clean. A review request at SC would get rid of the warning temporarily only to return after a day or two.

I found no support email so I opened a thread at Google Webmaster community (now called Search Central community). But there was no help and none of the regulars seem to be Google employees. Finally, I found an email through Mozilla's page on their use of Google's Safe Browsing blacklists at https://support.mozilla.org/en-US/kb/how-does-phishing-and-m... which leads to https://safebrowsing.google.com/safebrowsing/report_error/?t.... This page's title is 'Report Incorrect Forgery Alert', which would indicate a different purpose, but I managed to get hold of human attention. After 10 days or so, the warnings disappeared. To date, I don't know what triggered the warnings in the first place, and so how to prevent a recurrence.

_Gyan_ | 3 years ago

We got hit by this as well. Very similar story to this and others shared in this thread: Use an S3 bucket for user uploads - and Google then marks the bucket as unsafe. In our case a user had clicked “Save link as...” on a Google Drive file. This saves an HTML file with the Google login page in some cases (since downloading the file requires you to be logged in). The user then proceeded to upload that HTML file. Then it was automatically marked since it looked like we were phishing the Google login page.

It should be noted that Firefox uses the Google banlist as well so switching browsers does not work!

malthejorgensen | 3 years ago

We seriously need to break up Google. This is a chokepoint for innovation, should not be controlled by one company, and has serious downstream consequences on economic growth as a nation.

exabrial | 3 years ago

I think another take away from this article is “don’t allow users to upload malicious files that you then host from your domain”

This seems easier to do than jumping domains.

sethherr | 3 years ago

Being completely blacklisted is very bad, but you know at least that something needs fixing. Imagine if Google partially punishes you and downranks you in the search for no reason. This is harder to figure out. It took us several months to discover such a problem until finally we registered to Google Webmaster Tools.

mikesabbagh | 3 years ago

> Proactively claim ownership of all your production domains in Google Search Console.

That's one of the first things you should do when registering a domain and setting up a website. It takes about 2 minutes. So I wonder a bit why a business of this size would learn to do this through such a crisis.

baxtr | 3 years ago

Is there any reason that Google couldn't, or wouldn't, repurpose Google Safe Browsing to blacklist sites that are "unsafe" due to under- or poorly moderated content? E.g. doing this to Parler after they find hosting again? I can't think of a reliable one.

hirundo | 3 years ago

McAfee SiteAdvisor recently started flagging the website for my open source project https://datasette.io/

"slightly risky" due to being a "Technical/Business Forums" and a PUP - "Potentially Unwanted Programs"

I submitted a review a few weeks ago and I just checked and it's green now, which is a big relief. https://www.siteadvisor.com/sitereport.html?url=datasette.io

simonw | 3 years ago

So, essentially they let someone host malicious content on their CDN, which led to Google blocking it. I don't see the scandal here. Also, it seems Google fixed the issue within 2 hours, which is quite good TBH.

There are many open-source & commercial IOC lists in distribution from vendors like Crowdstrike, Team CYMRU etc., a lot of them are being fed into SIEM systems, firewalls and proxies at companies. If you happen to end up on one of these lists it can take months or years to clear your reputation.

ThePhysicist | 3 years ago

> losing access to their GMail accounts and their entire digital life.

This is why my email address is @ a domain that I own. Thus, if my hoster goes ventral fin up, I find another hoster. I might lose some time, but I won't lose everything permanently.

My mail reader (Thunderbird) is also configured to always download all new email and delete it from the server. Hence I have backups going back 25 years, which has turned out to be valuable many times. One case was when I was reconstructing the timeline for "History of the D Programming Language": I had a solid resource rather than my barnacle-encrusted memory.

https://dl.acm.org/doi/abs/10.1145/3386323

WalterBright | 3 years ago

It's not just startups. I work at a major company and we've had internal domains flagged in the past due to internal security testing. We resolved it by making some calls to people at Google because the Safe Browsing dashboard is so slow to fix things.

This is especially troublesome if you allow customers to upload code to run on your systems (e.g. Javascript for webpages or interactive data analytics). You have to isolate every customer on separate domains.

dharmab | 3 years ago

This is not new; such things happened many times in the past (25 years ago Microsoft was the behemoth trampling small companies) and will happen again. I do not think Google is doing it consciously -- this is probably just collateral damage from some bot or rule.

The way to handle it is to reduce dependencies on the cloud. This does not mean cutting cloud services altogether, but once the company is big enough (and the author talks about 1000s of SMEs and millions of users), plan for graceful degradation with a fallback to a different provider and another fallback to owned servers.

This takes work and reduces capability during the crunch, but it is often a lot easier and cheaper than people think if planned properly and not in a shotgun style of crisis engineering. My 2c.

ptero | 3 years ago

One corporation must not have so much power over billions of citizens of many countries. A power like that must only come from a transparent non-profit organization with a publicly elected management board.

We will get to that point sooner or later. But the road there will be long and painful.

dgudkov | 3 years ago

I've been increasingly wary of Google's offerings altogether. Their ban hammer seems to be driven by Mr Magoo, who looks at everything and sees threats, and makes judgements.

sircastor | 3 years ago

Can anyone "in the know" objectively comment if Google Safe Browsing (GSB) has had a net positive result or outcome for the Internet, at large?

Has GSB helped users, more than it has hurt them?

The anti-Google rhetoric [on HN] is becoming more tiresome as of late. Personally, I welcome the notifications in my browsers that a domain is unsafe. I can't possibly be the only one.

heybrendan | 3 years ago

The story he links to, about the "Online Slang Dictionary" being removed from google search because the founder of Urban Dictionary was friends with googlers (true) and (allegedly) used his influence is fascinating:

http://onlineslangdictionary.com/pages/google-panda-penalty/

fortran77 | 3 years ago

Eventually, Google will get to the point when regulators will come to gut it and the crowd will be cheering.

p2t2p | 3 years ago

Are there any no-win, no-fee law firms that specialize in these cases? What if for every hour offline, your SaaS loses X money? For this particular case, what if due to the service disruption, some customers decide to move their business elsewhere? Enforce an SLA?

bikamonki | 3 years ago

Stupid question: Isn't this clear-cut grounds for a defamation lawsuit?

Also, is it possible to have a class-action defamation lawsuit?

The fundamental issue that the author gomox is not stating clearly in his article is that there are no consequences to Google for their actions. None. Literally zero.

I don't think the best plan is to wait and hope for a government to step in and take action. Hope is not a strategy.

Complaining on public forums has similarly done nothing to curb Google's careless wielding of the ban-hammer.

So sue them. Cost them money. Punish them in a material way that they can't ignore.

I can't imagine anything else working...

jiggawatts | 3 years ago

Teach people how to get past the scary warning one way or another, and spread that knowledge far and wide. With enough false positives their blacklist will be diluted to the point of uselessness and hopefully people will also become better educated in the process.

Google will of course do everything in their power to stop that from happening, but every little bit of opposition helps --- from recommending others to not install censorware browsers, to showing them articles like this --- because this is a fight for the freedom for the Internet. As big as Google is, the Internet is far bigger.

userbinator | 3 years ago

For desktop software, the antivirus "industry" can be almost equally destructive.

For instance, Avast breaks installers of software made with a specific installation framework: https://github.com/wixtoolset/issues/issues/5593

The problem has lasted for years. At one point I tried to contact them, but people from Avast were either unable or unwilling to fix their software.

Const-me | 3 years ago

Doesn't Safe Browsing require every URL you visit to be sent to G$$gle first? I know Chrome users "have nothing to hide", but this looks like complete surrender.

EVa5I7bHFq9mnYK | 3 years ago

Yep this happened to me too and I came to exactly the same conclusions.

We have a list of completely separate “API domains” that our scripts talk to and which also host the cloudfront CDN.

We also cohort our customers by Sift score and keep trusted enterprise customers away from endpoints given to new signups. This way if someone new does something sketchy to get you flagged it won’t affect your core paying customers.

loopdoend | 3 years ago

Some web hosts use Safe Browsing to automatically perm-ban any sites on the list. I've been banned from Heroku for a couple years at this point because one of my sites got added to Safe Browsing as malware and Heroku's systems just automatically perm-banned me (and to make things worse, in the ban email they tell you to send ban appeals to just bounces).

smitop | 3 years ago

My idea, which will be ignored as usual, is that the problem is the monopoly.

The reason we have a monopoly is because the web browser is now a full operating system that is so complicated that no group can replicate it.

Start over with a new protocol. Make it content-centric, i.e. distributed protocols with no central servers. Support download-limited lightweight markdown sites for information sharing.

Then for applications and interactive content, add a canvas-light graphics system to web assembly. Again, I suggest limiting download size to keep things snappy. And make sure not to load any applications automatically or put them in the same process as the markdown browser.

If you do it right, you will have a common protocol that is straightforward enough that there can actually be several implementations. And it won't be controlled by one company.

ilaksh | 3 years ago

If customers using Google incurs a tax upon a business regardless of whether the business does business voluntarily with Google, why not work on changing that?

Start with a snazzy "our service works better in Firefox". Eventually offer trivial new features in Firefox but not Chrome, terminating with a small discount for using Firefox. Over time small price increases can render the discounted price the same as the current price, and effectively you are charging your users for using a vendor which costs you to do business with.

Google views chrome as a moat around their business keeping other vendors from cutting them off from the revenue stream that powers their entire business. Attack the moat and you might see movement to make your life easier.

michaelmrose | 3 years ago

It is quite good that Google cares about users. But it does not care about website owners. There is one and only one reason. For Google, the WWW is competition for the Google Play marketplace.

Literally, the open internet is competition for Google. That is why the company has no problem issuing a domain-wide ban, without informing the website owner, without any explanation and with showing a scary message to website users to make them go away.

The author of the blog post seems to believe it is an AI action. But from what I can see, his company was hit with some serious damage due to a company that, I assume, has some competing apps on its Google Play platform.

I can believe AI can be the cause, but it should be up to a court to decide whether there is no collusion and who should pay for the damage.

tomaszs | 3 years ago

This is an area where regulatory action should be taken against Google. Google needs to implement a process with manual review in a reasonable timeframe, or they should be broken up for having monopolistic power over which sites are on the internet.

woeirua | 3 years ago

I wouldn't be surprised if this was done just in order to associate somebody with something interesting Google sees on the Internet and has no ownership information about so "that they know". Benefit of the doubt is already gone.

bitL | 3 years ago

Can Google be held legally accountable for this behavior? Seems like they are hurting businesses by spreading false information. With their market power, there needs to be some incentive for them to react quicker and with human oversight.

knowhy | 3 years ago

This reminds me of ugliest.app - there was an HN post on it a while ago. And then surprise, surprise, someone made a "paypal" login page which was hosted on the main domain. It was put on the blacklist, not sure if it still is.

gu5 | 3 years ago

I'll tell you a mini story about a coffee shop I visited a few days ago. That place was hidden in Yelp search when I looked for 'coffee & tea' in my area (their Yelp page existed). While I don't know the actual reason why this happened, I immediately discovered that coffee shop using Google (as a double check). It charmed me because it reminded me of the fact that if you have the 'right service', people will find out. Given this flow, I started to believe gatekeepers might begin losing their odds.

leowoo91 | 3 years ago

It seems like the FTC should be running this for US based customers and browsers should default to a local resource and/or let users override the default source of truth.

ballenf | 3 years ago

Google: Don't be evil. Yes, don't be evil, but opaque and inconsiderate. It's amazing how a company as profitable as Google has such horrible customer service.

yuriko_boyko | 3 years ago

I have to add that Firefox seems to be using the same logic/data for their safe browsing feature and will happily flag sites as malicious with no human oversight.

genericacct | 3 years ago

Before even imagining all the ways to start regulating a tech company, I think we desperately need a few basic regulations like:

- For every major service offered, company must provide 3 ways to contact live support, two of which must be immediate, e.g. chat, phone, E-mail. [As opposed to today’s “standard” of having none of these!]

- Every action that can be taken automatically by an AI must be possible for support staff to immediately reverse.

makecheck | 3 years ago

If algorithms they own are operating on a list they maintain and they are making you lose profit, exactly why can you not sue them for those lost profits? What's the legal theory here? A product they own that is entirely disconnected from you is banning you. This is not and should not be OK, nor should you be required to do any special dances and magic gestures to try and mitigate the problem.

f-word | 3 years ago

The mitigations suggested are easier said than done. In particular, domains can't share cookies, which means switching domains likely means logging out any users that are logged in, and losing any local settings. Likewise, splitting your site between different domains makes it much more difficult to share state (such as whether you are logged in) between the sites.

thayne | 3 years ago
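The cookie scoping rule behind the comment above, as an added example (my code, not the commenter's): a session cookie scoped with `Domain=example.com` reaches `example.com` and its subdomains, but is never attached to a request for a different registrable domain, and a `Secure` cookie is never sent over plain `http`. It uses only the standard-library cookie jar; the hostnames and the cookie value are constructed for the illustration.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Stand-in for an HTTP response: http.cookiejar only needs .info() to read Set-Cookie."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive_cookie(jar, url, set_cookie_value):
    """Store a cookie in `jar` as if the server at `url` had sent this Set-Cookie header."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_FakeResponse([set_cookie_value]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def session_survives_move(session_domain, new_site_url):
    """Would a session cookie scoped to `session_domain` still be sent to `new_site_url`?

    Constructed scenario: the user logged in at https://app.<session_domain>/login and
    received a domain-wide, Secure session cookie (value is a placeholder).
    """
    jar = http.cookiejar.CookieJar()
    receive_cookie(
        jar,
        f"https://app.{session_domain}/login",
        f"session=abc123; Domain={session_domain}; Path=/; Secure",
    )
    return cookie_header_for(jar, new_site_url) is not None


if __name__ == "__main__":
    for target in ("https://example.com/dashboard",   # parent domain: cookie sent
                   "https://api.example.com/",        # sibling subdomain: cookie sent
                   "https://example.net/dashboard",   # new domain: user is logged out
                   "http://app.example.com/"):        # plain http: Secure cookie withheld
        print(f"{target:35} session kept: {session_survives_move('example.com', target)}")
```

Moving to a new domain therefore means every user re-authenticates; the usual workaround (a one-time token handed across on redirect) is extra work precisely because the browser refuses to share the cookie for you.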

Add to the list of preventative measures:

- Establish a Twitter account for anything dev ops related.

Don't assume you'll have the ability to communicate via your internal infrastructure. It also helps customers to know there is a 3rd party medium for staying informed and getting in touch.

Knowing that such things exist, while minor, is good marketing fodder as well. It walks the "comms are important" talk.

chiefalchemist | 3 years ago
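Another preventative measure in the same spirit: poll Google Safe Browsing for your own hostnames so you learn about a listing before your customers see the red page. This is an added example (my code, not the commenter's or Google's) built on the v4 Lookup API `threatMatches:find` endpoint; the request and response shape below is my understanding of that API and should be checked against the current documentation. `SAMPLE_RESPONSE`, the hostnames and the API key are constructed placeholders, and the `send` parameter exists so the parsing can be exercised offline.

```python
import json
import os
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]


def build_lookup_request(urls, client_id="example-monitor", client_version="1.0"):
    """JSON body for a Lookup API v4 threatMatches:find call (shape per my reading of the docs)."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def flagged_urls(response_body):
    """Map each flagged URL to the set of threat types reported for it.

    An empty dict means nothing was flagged: the API answers a clean lookup with `{}`.
    """
    hits = {}
    for match in response_body.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url:
            hits.setdefault(url, set()).add(match.get("threatType", "UNKNOWN"))
    return hits


def _send_with_urllib(request):
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


def check_urls(urls, api_key, send=_send_with_urllib):
    """POST the lookup and return {url: {threat types}} for anything flagged."""
    body = json.dumps(build_lookup_request(urls)).encode("utf-8")
    request = urllib.request.Request(
        f"{LOOKUP_URL}?key={api_key}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    return flagged_urls(send(request))


# Constructed sample of what a response looks like when one hostname is listed.
SAMPLE_RESPONSE = {
    "matches": [
        {
            "threatType": "MALWARE",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "https://files.example.com/"},
            "cacheDuration": "300s",
        }
    ]
}

# Constructed: every hostname your customers touch, including the CDN one.
MONITORED = ["https://app.example.com/", "https://files.example.com/",
             "https://d111111abcdef8.cloudfront.net/"]

if __name__ == "__main__":
    key = os.environ.get("SAFE_BROWSING_API_KEY")  # placeholder env var name
    # Without a key, run against the canned response so the script still demonstrates itself.
    hits = check_urls(MONITORED, key or "PLACEHOLDER",
                      send=_send_with_urllib if key else (lambda _req: SAMPLE_RESPONSE))
    for url, kinds in hits.items():
        print(f"LISTED: {url} ({', '.join(sorted(kinds))})")
    print("clean" if not hits else f"{len(hits)} listed")
```

Run it from a scheduler and page someone on the first non-empty result; a hit on a customer-upload host is the signal to pull the offending file and file the review request immediately, rather than finding out from support tickets.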

As much as I like to give Google a hard time, this isn't really Google's fault. Always use your own URLs for everything. Also, why would you allow customers to upload files and then make them available? Unless you are Dropbox or similar, that's bad configuration.

This really sounds like "We made some configuration mistakes and now blame Google"

mdekkers | 3 years ago

Maybe there should be a law that any business that has over ten billion dollars in annual revenues has to answer the phone when you call them and have a reasonable resolution process for complaints.

If that ruins your business model, cool. Just spin off parts of the business until each one is back under ten billion in revenue and do whatever you want.

CPLX | 3 years ago

Am I missing something? Is there ever a reason to expose a CloudFront url to the end user instead of using a custom domain?

scarface74 | 3 years ago

Great, so legitimate businesses need to implement tactics commonly used by c2c and malware to operate successfully.

hoppla | 3 years ago

Well, as long as you are spending 6 or 7 figures a year on advertising with Google, you'll have an account rep at Google that you can always reach out to. Your ad spending level works as Google's filter for which websites on the internet they actually care about not killing.

tpurves | 3 years ago

There's an effective monopoly on web browsing, and then any private decision here becomes de facto censorship. How can this be constitutional? Ants need to rise and get some rulings down on this topic; the web needs to be brought back to how it was.

phreack | 3 years ago

Seems like a good case for strict content security policies and self-hosting static assets.

patja | 3 years ago
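What a strict policy buys you, as an added example (my code, not the commenter's): a small CSP source-expression matcher that decides whether a page served from `https://app.example.com` may load a given URL under a given header. With `script-src 'self'` plus an explicitly named self-hosted asset host, a script from a bare CloudFront hostname is simply not loadable, so there is no third-party hostname for a listing to attach to. The policy string, page origin and URLs are constructed; path matching and the non-fetch directives are left out for brevity.

```python
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Turn a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _scheme_ok(url_scheme, page_scheme):
    # A host-source with no scheme matches the page's scheme, and its secure upgrade.
    return url_scheme == page_scheme or (page_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def source_allows(expr, url, page_origin):
    """True if one source expression permits fetching `url` from a page served at `page_origin`."""
    e = expr.lower()
    u, p = urlsplit(url), urlsplit(page_origin)
    if e == "'self'":
        return (u.scheme, u.netloc.lower()) == (p.scheme, p.netloc.lower())
    if e.startswith("'"):            # 'none', 'unsafe-inline', nonces, hashes never match a URL fetch
        return False
    if e == "*":
        return u.scheme in NETWORK_SCHEMES or u.scheme == p.scheme
    if e.endswith(":"):              # scheme-source such as "https:" or "data:"
        return u.scheme == e[:-1]
    if "://" in e:                   # host-source with explicit scheme
        scheme, rest = e.split("://", 1)
        if u.scheme != scheme:
            return False
    else:
        rest = e
        if not _scheme_ok(u.scheme, p.scheme):
            return False
    host_part = rest.split("/", 1)[0]          # path component ignored in this simplified matcher
    host, _, port = host_part.partition(":")
    url_host = (u.hostname or "").lower()
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):    # "*.example.com" matches cdn.example.com, not example.com
            return False
    elif host != url_host:
        return False
    if port and port != "*":
        url_port = u.port or DEFAULT_PORTS.get(u.scheme)
        if str(url_port) != port:
            return False
    return True


def policy_allows(policy, directive, url, page_origin):
    """Apply a fetch directive, falling back to default-src; no applicable directive allows everything."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def audit(policy_header, page_origin, loads):
    """Return the (directive, url) pairs the policy would block; an empty list means all are allowed."""
    policy = parse_csp(policy_header)
    return [(d, u) for d, u in loads if not policy_allows(policy, d, u, page_origin)]


# Constructed example: a SaaS that self-hosts everything on its own hostnames.
STRICT_POLICY = "default-src 'self'; script-src 'self' https://static.example.com; img-src 'self' data:"
PAGE = "https://app.example.com"

if __name__ == "__main__":
    loads = [
        ("script-src", "https://app.example.com/app.js"),
        ("script-src", "https://static.example.com/vendor.js"),
        ("script-src", "https://d111111abcdef8.cloudfront.net/app.js"),   # bare CDN host: blocked
        ("connect-src", "https://api.example.net/v1"),                    # falls back to default-src
    ]
    for directive, url in audit(STRICT_POLICY, PAGE, loads):
        print(f"blocked by {directive}: {url}")
```

The matcher is also a handy pre-deployment check: feed it the URLs your templates reference and the header you intend to ship, and anything it reports blocked is an asset you either self-host or deliberately allow on a hostname you control.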

I'm always surprised by the gall of Google and other companies that decide for others if websites are suspicious. I'm always sure to disable all those garbage warnings, together with email spam "features".

saladgnu054 | 3 years ago

For a SaaS, CDNs are of limited utility, as you have many returning visitors who have cached these assets already. Of course, YMMV, but for us, it was easier to host almost all static assets locally.

jgalt212 | 3 years ago

Isn't this way of getting hurt by a Google bot a brand-new discovery as of 2008 or so? And the bottom line of "letting users upload things is dangerous" is no newer?

lrem | 3 years ago

We all let it come to this. We are all lazy as f and only care about convenience and short term benefit.

That is why we have the big 5 now that basically are too powerful now to turn away from.

overflyer | 3 years ago

How long until antivirus and safe browsing start marking websites that are "hate sites" as harmful and start, essentially, censoring the internet?

rubyist5eva | 3 years ago

Isn't the problem here keeping the CloudFront hostname, vs. setting up a CNAME from your own domain to point at the distribution?

tingletech | 3 years ago

Does anyone know what happens if you include a resource from a banned domain? Is the resource blocked, or will the user get the red screen too?

megous | 3 years ago

root.cern was affected by this in the fall, apparently due to a false positive in the Windows installer. It was resolved relatively quickly (a day or so?) but was hugely inconvenient for e.g. documentation, and of course the particle physics community has connections. root.cern.ch worked, but the internal links were all over the place.

cozzyd | 3 years ago

Thank you for sharing this. I wonder if having a ton of subdomains might also flag Google to blacklist the parent domain...

arriu | 3 years ago

"...And that's reason number 3955430, ladies and gentlemen, why monopolies are bad and MUST be dismantled."

wazoox | 3 years ago

Is this not libelous? If the site is neither deceptive nor malware-hosting, and Google are telling people that it is?

bencollier49 | 3 years ago

BTW, did using another giant's (Amazon) services (like Cloudflare) make the problem better or worse?

BlueTemplar | 3 years ago

> A lot of the cases of blacklisting that I found while researching this issue were caused by SaaS customers unknowingly uploading malicious files onto servers.

This is terrifying - what business is it of Google’s what party A uploads to MY servers? And how are they getting that information without dramatically violating the privacy of their users?

djrogers | 3 years ago

Easily solved using the anti-trust act. Time to break up Google and perhaps a few others.

howmayiannoyyou | 3 years ago

Will anybody here stop using safe browsing though? Or Google products for that matter?

LockAndLol | 3 years ago

This is really terrible, I sure hope the EU causes a stink about this

justaguy88 | 3 years ago

A new method of DDoS: send the domain to the GSB blacklist!

lufeng | 3 years ago

Could the re-use of IP addresses be the problem here?

ivanhoe | 3 years ago

I say it's time we get rid of these monopolies?

acvny | 3 years ago

Cool thread I have archived this on my tidbits feed.

godmode2019 | 3 years ago

Soon enough this will be used to block other kinds of "unsafe" sites containing dangerous things like "hate speech".

rlt | 3 years ago

Can we have an ant army already!

soheil | 3 years ago

Sue them for libel.

hedora | 3 years ago

Posted on Medium, which decided to paywall after years of being publicly available.

erwinh | 3 years ago

A bit of deception on how their site ended up on the block list. They strangely block out a part of their response, but we can see "was cleared", which sounds a lot like "the malware some nefarious agent put on my site was removed".

How sites end up on the block list:

- they host malware, either intentionally or because they were hacked.

- they host a phishing site, either intentionally or because they were hacked.

Protecting users is a monumentally more critical task than your concerns.

And this system is incredibly valuable. When I get a text to a phishing site, I immediately report it to the safe browsing list. I also notify the nameserver, the hosting agent, and if applicable the SSL cert provider. Bit.ly if in the chain, though they never do anything [fun fact, even -- phishers and malware authors love putting bit.ly in the chain because they're paying subscribers, and as domains are taken down they can just change the destination. Bit.ly exists on the backs of scumbags, and itself should be on the safe browsing exclusion list].

Usually the safe browsing list addition happens within an hour, saving many people from being exploited. The nameserver and host -- DAYS. Namecheap takes an eternity to do anything, even for outrageously blatant phishing sites. GoDaddy - an eternity. SSL providers seem to act quickly, but propagation delays make that negligible.

EDIT: 11 days ago I reported the scn- prefixed netflix.com to all of the above. This is a blatant phishing site, and was mass texted to Canadians. It was blacklisted by safe browsing within an hour, likely saving a lot of people grief.

Namecheap, whom I informed by their email and by their garbage ticket system, still hosts the nameserver and physical hosting for this site. 11 days later. Grossly negligent behavior, and there needs to be some window of responsiveness, because these players are just grotesque at this point.

joseph_grobbles | 3 years ago

Could this be the basis for a class action lawsuit?

Nacdor | 3 years ago

He talks about Google wielding too much power with this. Another example is how their spam filtering can pretty much prevent a business from being able to relay emails to any of their customers with a Gmail address. This has led to many people just outsourcing their mail relaying to companies like SendGrid, to lessen the chance of having their emails blocked by Google.

AviationAtom | 3 years ago

Most of Google's "safety" features are somewhat evil in some way. I don't want any of them, but some of them can't be disabled (like the one that can lock you out of your account even if you have the correct password).

Triv888 | 3 years ago


Just sue them for damages. It's libel.

waheoo | 3 years ago


Why can't companies like Google just have a warning and review period before taking actions like this?

nautilus12 | 3 years ago

This happens when the ticket for breaking anti-monopoly laws is magnitudes cheaper than the profit you rake in breaking them.

nathias | 3 years ago

Wow. I wonder how long it will be before the Big Tech oligarchy will start blocking websites for "misinformation".

Insane world we’re heading towards.

throwawayttgg5 | 3 years ago

Wait until this is also applied to a list of domains from the SPLC and other groups to further censor “hate speech” on the internet.

ed25519FUUU | 3 years ago

Imagine a future where multiple big tech companies share “blacklists” of individuals and applications that should be banned across their networks. Your entire business and digital life could be snuffed out in an instant. Already seen it happen, now it just has to scale.

xwdv | 3 years ago

I wonder if a blockchain/bittorrent decentralized option could exist to replace google.

most people don't have billions lying around to compete, but you could reward people who rented out space for the indexing data, and have advertisements baked in that could maybe still use some retargeting but without tracking any personally identifiable data about a person.

Nodes could double as ai/cpu processing for algorithms related to search and storage. Computation and storage amounts could have their own payout per action, or per time on storage.

Most people have their computers on all the time anyways, so if they're working in the background for them to earn some side income, while helping create a better internet.

Would need some centralization, I'd imagine, though; I think the problem with decentralization is that the goal is ALL or nothing.

Like one or two big servers that maybe tie everything to the rest, and push 'updates' on algorithms, contracts, etc. to end users. Maybe a segregation index: knowing all airplane-related searches are indexed on cluster C, which has nodes 1-8, so you know where to go to get the info being searched.

I'm a mainly full-stack but 'dumb' developer, not an algorithms wiz, mostly focused on crud apps. But this would be fun to build.

gremlinsinc | 3 years ago