User perception of SafeBrowsing

I’ve rarely hit the Google SafeBrowsing (malware) warning page, but last week it flagged a few sites that caught my attention. One was example.com (a reserved domain, which amusingly caused our test suite to fail :). The others were real web sites, both for popular Firefox extensions — joehewitt.com and downthemall.net.

Blocking the user when they’re familiar with the site (and expect it to be safe) is rather annoying. Doubly so because there’s no obvious way to bypass it (other than disabling the feature entirely in the preferences). There’s some discussion on this point in bug 400731, and I think there’s a strong argument to be made for *not* having an easy bypass.

But what I find really frustrating is that there’s no specific, useful feedback on *why* the site is being blocked. That is, it does a good job of explaining what “attack sites” are, but not why this specific site is one of them. I think this could lead to distrust of the feature, especially when “legitimate” sites get flagged. For example, here’s the page I currently get:

The “request a review” link goes to a rather unhelpful page on stopbadware.org, intended for the site owner (who is almost assuredly not the person sitting in front of the browser). If you search around on the Stop Badware site, you can get a vague report which says:

“This site is currently (as of 02/17/2008) being reported to StopBadware by the following partners: Google: reported bad.” … “joehewitt.com/ contains or links to badware or otherwise violates Google’s software guidelines.”

So, uhh, completely not helpful. As a user, I’m now inclined to believe that it’s just some kind of screwup, and now I’m grumpy at Firefox and Google.

Of course, I may be completely wrong. The other warning I saw, for downthemall.net, turns out to have been real. A notice on their site now says: “After a complete check up of the site structure, we’ve found that an attacker had exploited a WordPress vulnerability to inoculate unauthorized code into our theme. This code contained links to a site which tried to install malicious code on visitor’s computer.” So, score one for Firefox / Google, and chalk this up as an example of the difficulties security prompts face when you’re blocking the user from doing something they want to do. [edit: well, then again, http://www.downthemall.net/howto/ is still being blocked, so I'm left wondering if there's a new problem, or if the SafeBrowsing database isn't up to date.]

But I think it’s important to give the user a specific indication of why they’ve been blocked, and that’s not being done here. I’d like to see the browser warning page link to the actual site report, and the report should have specific information that can help me trust its claim. For example:

  • Why exactly is the site “bad”? What guideline(s) does it violate?
  • What’s going to happen if I visit it anyway?
  • Is the whole site bad, or just part of it?
  • Does it have a history of problems? Might it just be a recent hack?
  • If I was there last week, should I worry that it did something bad before the block started?
  • Has the report been verified/confirmed, perhaps by a Real Human? When was it last checked?

About Justin Dolske

Mostly harmless.
This entry was posted in Firefox, PlanetMozilla.

15 Responses to User perception of SafeBrowsing

  1. Heidi says:

    I usually get those when going to sites in search of a serial code, so I often ignore them, and assume they’re marked that way due to the illegality of my actions :P

    That, and I figure it’s also because of the .exe files that I don’t download from there, anyways…

    Yeah, I guess I’m not tech savvy enough to worry about having my browser hijacked. I figure whatever happens, my Anti Virus (AVG), Anti Spyware (AVG, Spybot) and Firewall (ZoneAlarm) can handle it =)

    btw, you have yet to fill out the “Comment Policy” thing…unless that is your comment police :P

  2. George says:

    Yes, we need an ignore; however, I can see where Connor is coming from.
    Maybe we need a preference in Advanced to be able to activate the ignore button, thus making it something that only Advanced Users are likely to use.

  3. Aleksej says:

    Heidi, by using serial codes, you are supporting proprietary shareware. :P

    (couldn’t resist)

  4. dave says:

    Are these things graded in any way or is it a binary yes/no? I’m just wondering if Firefox will block the site because it tries to install ActiveX controls, or on Macs or Linux it’ll prevent you from downloading dodgy .exes?

    Would a warning message like “don’t visit this site with Internet Explorer” be more appropriate?

  5. While it’s great to see this feature in Firefox 3, I agree. It’s going to piss people off too often if the page doesn’t provide the information you’ve bulleted and a means of deciding to view the specific site in question once you’ve read that information (requiring the user to jump through a few hoops is no doubt a good idea).

  6. Ke Zhang says:

    This has affected one of the sites I go to, and it’s very annoying that there isn’t any workaround even if I trust the site. The site I went to has nothing to do with badware; I suspect the site was blocked because it has a forum where once every few days a user will post a link to bad websites. The user would then be banned in less than a day, but I guess during this time the website itself has been marked bad. Since I am not the owner of this site, nor did I comb through all the posts to make sure there aren’t any links to bad sites, there is no way to get this site un-banned. I only have 2 choices: disable the anti-phishing feature or go back to Firefox 2. I think this is a serious issue that could hurt Firefox 3 when it’s out.

  7. God yes, that message is so annoying. At least when it occurs at Google you can still continue on to the site. Second, it would be great if you could whitelist sites so that error message never came up.

    By the way the other one that is really annoying is the security certificate one. When it comes up I always think I have hit a 404 (never had a problem with Firefox 2) because of how it is designed. Then I have to do two mouse clicks just to accept (really annoying) the certificate and whitelist it. I have to say Safari has the nicest version of this as it is quick. Only problem with Safari is that you can’t whitelist it so it never asks you again.

  8. Erica George says:

    Hi Justin,

    I work for StopBadware, so I hope I can both help answer your questions, and pass along your suggestions.

    First, at present the block list in Firefox 3 is entirely from Google. The Google list and the StopBadware Clearinghouse list are currently the same, with Google doing the high-intensity site scanning work required to keep the list as comprehensive and up-to-date as possible, and StopBadware focusing on education and awareness. We’re working on adding other data partners, and we certainly hope that as we do, the list used by Firefox will include that data.

    You’ve got excellent points in terms of how a user will interpret the current Firefox warning. I’m going to flag this post to the folks we’re in touch with at Mozilla. The Google warning pages link straight to the custom report for the site in question, and it should be possible to shift the link from Firefox’s warnings to that same customized report, which has information both for site owners and for average users.

    Because so many of the sites that Google flags are victims of hacking – usually via server vulnerabilities, security holes in the website’s CMS, or compromised third-party-provided ads – one of the purposes of the warning is to tell a user when a site that is normally fine turns out, one day, to unexpectedly be distributing malicious content. Often it’s as much a surprise to the webmaster as to the site’s users.

    We’ve seen only a small handful of potential false positives from Google in a year and a half of working with them on websites, so the odds are strong that when a site is flagged, it’s been malicious at some recent point. How fast the flag is lifted once the site is clean depends mainly on whether the site owner files a review request (with StopBadware, directly with Google, or both). Sites where the owner has actively requested a review, and where the site has indeed been cleaned up, lose the flag fastest. When a site hasn’t then also been secured against whatever vulnerabilities allowed the first compromise to happen, it’s often hacked again and re-flagged. We actually see relatively few of those – most website owners are shaken into taking preventive action after their first flag.

    Looking at your questions at the end, we’re working on helping to answer them. When StopBadware itself has reviewed a site (in response to owner request), the site’s report page updates with information about what we find, including behaviors that violate guidelines. It’s difficult to be too specific with the general warning, and there are some more complicated security and intellectual property issues involved (including the rights of the folks who make the various applications Google uses to test sites), so the high level of specificity you’d like to see may not be possible. However, StopBadware is always trying to improve our transparency and accessibility, and we’re continually working on ways to show more information to folks who visit our Clearinghouse reports. The reports show information about review requests filed with us, and any past reviews and their resolution. Over time, that can give a sense of how well secured a site is against attacks.

    Heidi – While more and more badware is being distributed through hacked legitimate sites, codec and serial key sites are still a huge source of real malware problems. The Google malware flag isn’t about content, illegal or not, it’s about malware. If there’s a warning on a serial site, I’d recommend avoiding that site while the warning is active. Sites often use enticing content as bait and then either surreptitiously download malware using exploits when you visit the site, or secretly bundle adware or worse in with the download you’re looking for.

    Erica
    StopBadware staff

  9. Erica: Thanks for the great reply! I’d be happy to give feedback on changes you might be considering.

    “there are some more complicated security and intellectual property issues … the high level of specificity you’d like to see may not be possible”

    Yeah, I figured that would be a problem at some level. It probably helps that the user really doesn’t need *all* the details, although I’m not sure where the happy middle is… something more than a generic form-letter, but less than a nitty-gritty autopsy.

  10. PA says:

    The whole argument for not allowing any passthrough relies on having 100% accuracy of Google’s malware scan.
    This is obviously not true, and as long as there will be false positives there should be a way for the user to bypass Google’s choices with his/her own choice, especially when the degree of granularity of the malware warning is next to none: it’s not the same visiting a site that bundles adware with their user-initiated downloads as visiting a site that automatically downloads and installs a self-replicating trojan horse using some Firefox vulnerability.
    This could be implemented maybe using different policies for the malware warning engine, instead of a simple on/off, something like “informative” (show warnings) / “suggestive” (show advice on what’s more secure) / “executive” (blocks without choice).

  11. Anonymous says:

    I’m starting to hate Google and Firefox!

    I visited this website and it was blocked:
    http://www.vcdquality.com/

    I have visited it many times, never had any problems. This was the warning:

    “Reported Attack Site!

    This web site at http://www.vcdquality.com has been reported as an attack site and has been blocked based on your security preferences.

    Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

    Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.”

    Firefox gives me these options:

    “Get me out of here!” “Why was this site blocked?”

    And in small letters:

    “Ignore this warning”

    When I click on “Why was this site blocked?” this is all it tells me:

    “Safe Browsing
    Diagnostic page for http://www.vcdquality.com/

    What is the current listing status for http://www.vcdquality.com/?

    Site is listed as suspicious – visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

    What happened when Google visited this site?

    Of the 2 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 10/03/2008, and the last time suspicious content was found on this site was on 10/03/2008.

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, http://www.vcdquality.com/ did not appear to function as an intermediary for the infection of any sites.

    Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

    How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

    Next steps:

    * Return to the previous page.
    * If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.”

    So, it tells me absolutely nothing!

    Nowadays lots of people think Google is God…
    http://www.thechurchofgoogle.org/

    So the internet is becoming an imposed theocracy!

    We now have to simply trust Google with blind faith!

    Even when I click on “Ignore this warning” every new page I click brings me back to the warning page so I have to click on it over and over again for no obvious good reason! Ridiculous! Shame on you Google and Firefox. Bad bad bad. Please don’t turn into Microsoft!

  12. Anonymous says:

    Google theocracy, basically.

  13. Clicking the “Why was this site blocked?” button gives:

    What happened when Google visited this site?

    Of the 2 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 10/03/2008, and the last time suspicious content was found on this site was on 10/03/2008.

    So, working as intended. If you don’t want the browser to warn you when visiting a site that is dangerous, you can turn it off in Preferences -> Security -> “Block reported attack sites.”

  14. Anonymous says:

    It does not tell me what really happened when Google visited the website, it says there was malicious software but does not give any details, so it is like telling me to trust or believe Google with blind faith. It does not tell me what it supposedly found there. It’s like “believe me, I’m Google, I say this site is bad”. It does not even tell me if it was a human or a robot that checked the site.

    And this report, for example, is confusing because it says “1 page(s) resulted in malicious software being downloaded and installed without user consent.” but then it says “Has this site hosted malware? No, this site has not hosted malicious software over the past 90 days.” Maybe that means somebody posted some malware link there? It doesn’t explain.

    Even if I did want to be warned about dangerous websites, that still does not mean I should accept somebody’s report with blind faith. There should be a detailed explanation. It is not helpful: suppose a website I trust is attacked and then fixed; I cannot know what happened, on which page, or link or whatever, and how to defend myself from possible malware, for example by avoiding a certain part of the website like forums where people post things. I am simply supposed to stop using the whole website altogether because Google says so!

    And it could end up like those zillion warnings you get on Vista when doing anything with a file: so many permission prompts, users just end up learning to ignore them. If “No, this site has not hosted malicious software over the past 90 days.”, why is it blocked then? Just not helpful. And there is room for abuse. Suppose somebody intentionally posts a malware link on the website, just to get it banned. Quickly lots of people around the world who do not know what is happening get that scary warning. And no details are given to them. This is not right.

  15. Matthew Paul Dragon says:

    The solution is switching back to Internet Explorer until they change this. This is a BS attempt at stopping piracy.
