Google Goofs On Firefox's Anti-Phishing List

Stephen writes "While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea. Today Google blocked a host of legitimate web sites by listing mine.nu. mine.nu is available as a dynamic dns domain and anybody can claim a sub domain. All sub-domains are blocked regardless of whether phishing actually occurs on the sub-domain or not. Several Linux enthusiast sites are caught up in the net including Hostfile Ad Blocking and Berry Linux Bootable CD."

Get a real domain then.

[Restil]

Granted, I can see there are opportunities for abuse here, but if the owners of dynamic dns domains don't properly police their "customers" and spammers and/or other malicious websites start using it, then Google has every right to blacklist the entire domain. Of course, it's arguable exactly how much can be done to prevent it, but if you're really concerned about not getting your site blocked, go ahead and blow the $7 a year on your own domain, or use a smaller ddns service that can actually pay attention to the nature of the hosts it's serving.

As far as having any one third party responsible for maintaining a blacklist, exactly how else do you intend to do it? You can always create your own blacklist, but that would first require you to "enjoy" the sites you would prefer get blocked automatically. You'll just have to trust someone to make that reasonable decision for you. Sure, there will be some mistakes, but that's the price you pay for protection.

-Restil

Re:Trust

[Bieeanda]

Yeah. While I reflexively rankle at the idea of blocking a whole swathe of domains like that, it's unfortunately clear that services like dyndns and mine.nu are going to be overrun with phishers and scammers because they're just as convenient to them as they are to non-malicious Internet users.

Not google's fault

[ninjapiratemonkey]

The summary reads as though it was google's fault that the entire domain was blacklisted, while it's more of a mozilla issue. Mozilla releases this list of "Attack Sites" and Google Search automatically blocks them. Even if I get to the site without google, FF3 still lists it as dangerous, and warns me.
If anyone should receive blame (which IMO they shouldn't), it's Mozilla and their blacklist.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Everybody makes mistakes, false positives

[Mr. Gus]

Any maintained blacklist of any reasonable size is going to end up with false positives. It's one of those things you just have to accept. People notice and report it, the entry gets removed, and we move on.

Re:I hate that Google can do this

[Anonymous Coward]

What? How can you misunderstand everything quite so much?

No, Google doesn't filter by IP address. But because the site was hosted on the same server as a bad site it added a URL block for the innocent too. Do you see?

Secondly, the issue isn't about me using Firefox/Google. It's about customers who did and were told that the site they had browsed to was malicious. The business lost a valuable customer this way and folded.

Re:Trust

[calmofthestorm]

We need to educate users to check the URL before entering anything. Any time you rely on a technological solution to a social problem you end up with woes.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Never ascribe to malice ...

[RAMMS+EIN]

Never ascribe to malice what can be equally ascribed to incompetence.

The corollary of this is, of course, that you should still be wary of single points of failure, even if you do not believe they will fail you on purpose.

Re:Trust

[GIL_Dude]

I don't know anything about the FWT site; it may be fine. However, do remember that just because a site is trustworthy over time doesn't mean it is trustworthy today , on this visit.

I just had that driven home for me the other day. In my off time, I am a youth soccer coach. The website for our league has been fine for several years. Last week I visited it and got the malware warning from FireFox. I checked with the webmaster and sure enough, they had gotten hit with a SQL injection attack and had indeed gotten malware of some sort hosted on the site.

So, FWT may be a false positive - but it is at leat possible that they also got successfully attacked.

We really don't have a good system to evaluate trust on the fly due to the dynamic nature of internet content. A page that was fine 20 minutes ago may attack you now.

Oh no, someone made a mistake!

[lattyware]

Shit happens. Yes, it sucks, but it happens. Now, should we try to blow up the googleplex? No. Google are not blocking based on a secret agenda here, and you can bypass it or turn off the feature. OK, it'd be nice if you could choose who provides the service, but overall, it's not that big a deal.

Re:Trust

[santiagodraco]

It's just not going to happen. We like to think that "everyone" is capable of understanding what is going on when they browse the web, but that's wishful thinking.

It will be a LONG time until you can ever hope that the general public is as smart as the malicious few out there. Until then technology solutions will continue to be needed, desired and our best bet in combating this. Hell, they always will.

Re:Firefox's anti-* shouldn't be enabled by defaul

[Karellen]

"There's no way that I know of, anyway, to share this data - SQLite seems to make it impossible."

Well, I doubt it's SQLite that makes it impossible, it's more that you don't want ordinary users writing to a single shared blacklist. Because if a user can download and write good data to it, they can write bad data to it.

Suddenly all it takes is for one user to click on the dancing bunnies, and they're running a daemon without knowing it that writes bad data to the blacklist, monitors the list for changes, and rewrites it if any of the other users change it back to what it "should" be. That fucks things up for *everyone*, which kind of defeats the whole idea of having separate user accounts that protect everyone from each other.

"The second mistake is enabling website blocking based on 3rd party blacklists by default."

If you don't do that then non-geeks - the people who need this most - will never find it to switch it on. If you're a geek and you don't like it and are smart enough to spot phishing attempts yourself (and good luck with that by the way; I've seen reports of many trials here on /. where even seasoned network admins don't get a 100% success rate at spotting them) then you're probably smart enough to find the checkbox to disable it.

"And even if you argue with that, at the LEAST make it cross-DB compatible, so you can put everyone's in a nice big central MySQL database."

Bleargh! You want a DB-abstraction layer so that ... everyone can write to the same DB? That will add bloat and do nothing to fix the problem.

If you make the database writable only by root/Administrator and have a separate daemon/service that runs as that user to update, with all users having read-only access, that would solve your problem. But then someone else would complain that this service was running and creating network traffic uselessly when no-one was actually running firefox, or even logged in.

For a home user, what they've got makes sense. If you're running a reasonable-sized network, or have something like LTSP, you should be able to set up Squid proxy (or similar) so that only one user causes the list to be fetched from the network and everyone else loads your cached copy.

Make it do the right thing for n00bs out of the box. Experts can configure it differently for themselves because, well, they're experts.