Another look at SafeBrowsing warnings

I last blogged in February about some inadequacies with the SafeBrowsing warning page in Firefox 3. There have been some changes since then, which I think greatly improve things.

Here’s the current warning page in Firefox 3:

Just subtle changes here. Notably, there’s now a small “Ignore this warning” link to bypass the warning and load the site (perhaps putting yourself at risk by doing so), and an additional button to click for an explanation of why the site was blocked.

The changes on the “why was this site blocked” page are more significant. Here’s an example of what you get now:

I like that page is clean and chock full of information about why the site was being blocked. It’s helpful information for the what a user is probably asking — “Can I trust this warning, and should I load the site anyway?” After reading that page, *I* certainly wouldn’t be tempted to ignore the warning: it indicates that the site has been visited recently, that lots of pages on the site are infected, and is better at specifying the exact risk (Here, “Malicious software includes 3 backdoors”. Looking at pages for other sites, I’ve also seen descriptions like “23809 trojans” (!!!), “15 scripting exploits”, and “2 worms”.

I do wonder if the page is a little too detail oriented; normal users might benefit from some sort of brief summary at the top. It’s a fine line between being too vague and being too detailed, because there are so many factors involved. I suppose it’s better to err on the side of too much information, especially if the outcome is the user being scared and overwhelmed — it’s not a site to be visiting!

But being more open can have a downside, if it might lull the user into a false sense of safety or muddles the risk. For example: Does “Part of this site was listed for suspicious activity 3 time(s) over the past 90 days” mean that the site is a dangerous repeat offender, or just that it’s a rare to encounter a problem? Does “Successful infection resulted in an average of 0 new processes on the target machine.” mean the infections are harmless?

Anyway, I don’t think these nitpicks are serious problems, and am glad to see this improvement.

[If you’re looking for live examples of malware sites, the StopBadware google group is a good source to find currently blocked pages.]

About Justin Dolske

Mostly harmless.
This entry was posted in Firefox, PlanetMozilla. Bookmark the permalink.

10 Responses to Another look at SafeBrowsing warnings

  1. So it says:

    > Of the 151 pages we tested on the site over the past 90 days, 108
    > page(s) resulted in malicious software being downloaded…

    Then just a bit further down it says:

    > Has this site hosted malware?
    > No, this site has not hosted malicous software over the past 90
    > days.

    Huh??? That’s confusing.

    Also, it says this is for bettasearch.com, but actually it’s for http://www.bettasearch.com. That www. can make a big difference, so they should fix that.

    And why on earth are the URLs to the malicious sites actually hyperlinked? (Unless they go to safebrowsing.clients.google.com of course.)

    I visited the site myself just now, and the page is currently saying:

    > Of the 1 pages we tested on the site over the past 90 days, 0 page(s)
    > resulted in malicious software being downloaded and installed without
    > user consent. The last time Google visited this site was on
    > 03/26/2008, and suspicious content was never found on this site
    > within the past 90 days.

    So why is it still being blocked? Is 1 page test really enough? I suspect the site is still hosting malicious software (being bet_t_asearch.com and all), but if a user sees that only one page was tested, and it wasn’t found to have malicious software on it, they’re going to loose confidence in the protection and think it’s buggy and just a pain. They’re also likely to click through to the page.

  2. Olly says:

    I’ve hit the big red warning in FF3b5 and upon clicking through found that Google’s already marked the site as “safe”. How often does FF update it’s blacklist?

  3. Chris Hubick says:

    How does “malicious software” get “downloaded and installed without user consent”?

    Does this really mean “this web site attempts to exploit security vulnerabilities to download and install malicious software without user consent”?

    I mean, no site should be able to do that, so I’m lost.

    As for the level of detail, IMO, it tells me almost nothing – I want to know what exploits the page attempts with links to corresponding security advisories, etc. So, my preference would be a summary at the top for “normal” users, and then a big divider, and give even more detail below.

  4. jwatt:

    I think, but am not sure, that “this site has not hosted malicious software” is making a distinction between targeting users and just providing bandwidth for distributing malware? It is confusing, though.

    The linked URLs just go to the report pages for those sites, not the actual site.

    I’ve seen mixed results on how often blocked sites are scanned. But I think the important point for the moment is that by making this data available, it’s now possible to critique the method.

    Chris:

    I’m not now sure exactly what “without user consent” means. I’d assume it’s a mix of pages trying to exploit known security vulnerabilities, and distributing software that dishonestly includes malware (eg, a screensaver that includes trojan).

    I don’t think listing the exact exploits and advisories is all that useful for users. If the site is actively distributing malware, then it’s risky to visit, end of story. I would expect that sites using known malware are also highly likely to include unknown attacks.

  5. Gijs says:

    Are those pages localized? Those dates could mean either “May 1st” or “January 5th” to me.

  6. Z says:

    Tried the firefox page in FF3RC1 and didn’t get any warning.

  7. George says:

    This is a big problem for smaller sites, but not a problem for bigger sites – AOL and other companies have a lot of malware on their sites but their sites are not “suspicious”, while smaller sites with just couple “problems” are getting blacklisted – compare links below – first one is blacklistes, the other one is not and compare number of problems:
    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://txdnl.com/
    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://aol.com/
    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://freewebs.com/

  8. Gene says:

    I have Trend Micro as my security program and it has stopped countless tries from safebrowsing …… trying to get my private data ie phone number and bank account number

  9. Gres says:

    I’ve seen the same security message from ZoneAlarm only safebrowsing is trying to get my pin. What is going on with this?

  10. David says:

    I got the same thing with safebrowsing trying to get my pin – is this a genuine attempt to get my pin or is it just that a bunch of data is being transferred and the few digits that make up my pin are sometimes transmitted just by coincidence?

Comments are closed.