If you were walking into a store and got mugged, would you immediately assume that it was the store's fault or the mugger's? What if you visited a Website and immediately got hit with malware? The two situations are essentially the same, but in the latter case, most people would blame the venue rather than the attacker. In the online world, however, Google's Safe Browsing service is pointing fingers at the attack venue, not the assailant.
On most small Websites, a third-party ad network delivers the ads. The site itself has no idea what the ad is or where it originated -- the ad network is supposed to handle that information. But bad ads still slip into ad networks, and in some cases, it can take the those networks days to find the culprit. Meanwhile, the site loses its reputation. If you were visiting a site for the first time and it gave you a virus, would you go back?
[ Also on InfoWorld: Security Adviser blogger raises another question about Google's tactics in "Will Google's bounty for bugs really improve security? | Learn how to stop data leaks in an enlightening 30-minute webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]
Google has been running its Safe Browsing program for a while now. If Google crawls a Website that tries to deliver a malware payload, it marks the site as dangerous and notes some of the particulars of the attempted attack, including URL vectors and whatnot. Browsers like Firefox and Chrome pay attention to Google's ratings of particular sites and throw up warning pages before the site loads. To be sure, this protects some users from the malware -- but the site wears a scarlet letter until the warning is removed. Unfortunately, Google isn't very speedy about reviewing warnings after they've been issued.
Say you run a small Website that served some malware-laden ads delivered through a third-party ad network. Google then brands you as a malware/virus site. Suddenly your pageviews drop through the floor and your users head elsewhere.
Meanwhile, you can find neither hide nor hair of a malware menace on your site since it only exists if and when certain ads are served. You read Google's diagnostic page for your site until your eyes bleed, but you still can't find any malware on your site. So you submit the site for a review (which requires you to sign up for Google Webmaster Tools) and pray you can clear up the issue.
Google takes anywhere from 16 to 48 hours to review your site. If Google happens to get the same malware-injecting ad, you lose the review. If Google doesn't detect malware, it will (probably) pull down the warning pages and your traffic will (probably) pick back up.
If you're running a legitimate site, Google's well-meaning Safe Browsing service bears an unfortunate resemblance to a protection racket. Google is hanging around the entrance to your business and warning people to stay away because a mugger was lurking around the corner the other day. Want me to go away, buddy? Then sign up for Google Webmaster Tools and I'll think about it.
I realize these warnings, in aggregate, reduce the number of infections, but they also snare a vast number of legitimate sites in their nets -- and there's nothing those site owners can do about it. Also, the malware warnings are not platform-specific. If a site is serving up Windows malware, Linux and Mac users will get the same warning pages from Google even though their systems are immune to the infection.
Google's Safe Browsing is a good idea, but it needs improvement: Make it platform-specific and reduce the review time to an hour or so. It will be exponentially better for everyone.
In the meantime, I'm going to work on lobbying for a bounty on malware authors. It's always best to fix the problem at its root.
This story, "Google Safe Browsing practices guilt by association," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Paul Venezia's The Deep End blog at InfoWorld.com.