[SOLVED] Google Safe Browsing Diagnostic false positives?

[fidesetratio]

Hi.

I wanted to whitelist all the primary domains that I frequently visit, and also the domains included by the primary ones (including advertising, because I feel guilty to adblock; I don't want to freeload on sites that cost time and money). I care little about advertisers "tracking" me, but I care about security (in the sense of not allowing viruses and trojans) even though I already use Ubuntu+Firefox, and disabled Flash and Java.

To see which domains were safe, I used NoScript Shift-click feature. That feature, as you surely know, analyses the domain with 5 web utilities.

The problem is that one of those utilities - Google Safe Browsing Diagnostic - seems to flag every other domain, including domains that all the other utilities found secure.

Even important domains like gmodules.com get flagged:

http://www.google.com/safebrowsing/diag ... odules.com (EDITED to fix link according to Tom T suggestion below)

The last time Google visited this site was on 2012-09-24, and the last time suspicious content was found on this site was on 2012-09-23.

Malicious software includes 6 trojan(s).

Over the past 90 days, gmodules.com appeared to function as an intermediary for the infection of 8 site(s) including kakoslykos7.blogspot.com/, misterika.blogspot.com/, libdes.blogspot.com/.

Notice, too, that despite the above problems the gmodules.com domain is not listed as suspicius

This site is not currently listed as suspicious.

And in fact, it says

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

Which seems contradictory. And neither McAfee SiteAdvisor nor WOT found problems with gmodules.com.

What am I to do?

Thank you for your attention.

EDIT: after waiting for the past 8 days, I have pretty much decided to exclude from the whitelist the sites accused by Google of being of dubious security, even if they could be false positives.

[Tom T.]

The long links are a known problem with the forum software. Use the "URL" tags to protect them. Highlight the link, then click URL in the toolbar above the Compose box. You can also use Code tags, which shows the entire address but does not create a live link.

I believe that gmodules may host user-created content, or links to same. If so, then the diagnostic is detecting this -- following the link, perhaps, to a malware page. Hence the high rate of false positives.

Any site that hosts user-created content or links to same could be flagged in this fashion.
However, it is in fact more risky to visit sites with user-content, so it is vital to keep NoScript locked down fully against such sites unless/until you are able to investigate and satisfy yourself that the site is safe and reputable.

Advertising agencies come and go, especially on the Internet. Some are well-known, and while they may be privacy-invasive, probably would not want to risk their reputation by loading malware. But there's nothing to stop bad people from starting a new ad agency, soliciting business -- or even just paying websites to let their scripts run -- and using those scripts to load malware. Just a thought.

I hope this helps.

[fidesetratio]

@Tom T.

Thank you for you opinion. It is helpful indeed.
However, I still want this thread open until I get at least one more opinion. I always prefer to hear at least two opinions.

[Thrawn]

Here's one from Giorgio: the NoScript FAQ indicates that the reason hackademix.net is not whitelisted by default is that it contains user-generated content (comments). So, if gmodules is similar, then it certainly is more dangerous than other Google sites.

[fidesetratio]

Despite my moral concerns, I have decided to remove from the whitelist all advertising domains of dubious security.
I will only keep in the whitelist domains of solid security, and one or two domains of mediocre security that I can't avoid (because their functionality is too important).

[Tom T.]

Despite my moral concerns, I have decided to remove from the whitelist all advertising domains of dubious security.
I will only keep in the whitelist domains of solid security, and one or two domains of mediocre security that I can't avoid (because their functionality is too important).

Are we still speaking of advertising domains? Their "function" is almost never important.
Please see List of scripts for which NS runs surrogate for why this is so. It is an excellent feature of NoScript.

[GµårÐïåñ]

@TOM what he means is when google-syndication or webtrends, or whatever is weaved into a submit or click function and without it the site won't function. He considers that necessary to function because the surrogates don't always account for it, specially if the programmer is smart enough to not use the global keywords common to them.

[Tom T.]

@TOM what he means is when google-syndication or webtrends, or whatever is weaved into a submit or click function and without it the site won't function. He considers that necessary to function because the surrogates don't always account for it, specially if the programmer is smart enough to not use the global keywords common to them.

I would rather hear that from him, and be pointed to examples of such sites, or do you have any? I don't think I've ever seen a site break for lack of g-s or webtrends, but of course I haven't seen every web site on the planet.

[GµårÐïåñ]

I would rather hear that from him, and be pointed to examples of such sites, or do you have any? I don't think I've ever seen a site break for lack of g-s or webtrends, but of course I haven't seen every web site on the planet.

Oh my brother, trust me there are TONS. Most common offenders are banks, credit card companies, utilities and etc. Most of the time the surrogates will grab them but in many cases they don't. Trust me when I say that Giorgio is probably got a list as long as his arm on the incidents I have reported to him regarding surrogates, many of which have been made permanent and in some cases we decided to just keep using it myself and if in the future we get more voices for it, then I will post it for them or if we get even more then we'll implement them permanently. 99% of the time, they happen when you are within a "logged" state if you will and required to get around the site and they want to know what members are doing that will tie closest to the code. Although some popular public services do it too, just because they want to know where they can getcha

[Tom T.]

...Trust me when I say that Giorgio is probably got a list as long as his arm on the incidents I have reported to him regarding surrogates, many of which have been made permanent and in some cases we decided to just keep using it myself and if in the future we get more voices for it, then I will post it for them or if we get even more then we'll implement them permanently. ...P

If you and Giorgio have a list of working surrogates that are not in NS by default, where is the harm in adding them? Not much work to copy/paste into the code, is it?

I must just be lucky. Never personally had any site, logged-in or otherwise, bank, etc. break for lack of g-s or webtrends or whatever. Comes from clean living.