Google Safe Browsing practices guilt by association
How your Web site can get tarred with the malware brush -- and why there's little you can do about it
If you were walking into a store and got mugged, would you immediately assume that it was the store's fault or the mugger's? What if you visited a Website and immediately got hit with malware? The two situations are essentially the same, but in the latter case, most people would blame the venue rather than the attacker. In the online world, however, Google's Safe Browsing service is pointing fingers at the attack venue, not the assailant.
On most small Websites, a third-party ad network delivers the ads. The site itself has no idea what the ad is or where it originated -- the ad network is supposed to handle that information. But bad ads still slip into ad networks, and in some cases, it can take those networks days to find the culprit. Meanwhile, the site loses its reputation. If you were visiting a site for the first time and it gave you a virus, would you go back?
Google has been running its Safe Browsing program for a while now. If Google crawls a Website that tries to deliver a malware payload, it marks the site as dangerous and notes some of the particulars of the attempted attack, including URL vectors and whatnot. Browsers like Firefox and Chrome pay attention to Google's ratings of particular sites and throw up warning pages before the site loads. To be sure, this protects some users from the malware -- but the site wears a scarlet letter until the warning is removed. Unfortunately, Google isn't very speedy about reviewing warnings after they've been issued.
Say you run a small Website that served some malware-laden ads delivered through a third-party ad network. Google then brands you as a malware/virus site. Suddenly your pageviews drop through the floor and your users head elsewhere.
Meanwhile, you can find neither hide nor hair of a malware menace on your site since it only exists if and when certain ads are served. You read Google's diagnostic page for your site until your eyes bleed, but you still can't find any malware on your site. So you submit the site for a review (which requires you to sign up for Google Webmaster Tools) and pray you can clear up the issue.










