[SOLVED] Google Safe Browsing Diagnostic false positives?

General discussion about the NoScript extension for Firefox
fidesetratio
Posts: 3
Joined: Tue Sep 25, 2012 3:39 pm

[SOLVED] Google Safe Browsing Diagnostic false positives?

Post by fidesetratio » Tue Sep 25, 2012 4:20 pm

Hi.

I wanted to whitelist all the primary domains that I frequently visit, and also the domains included by the primary ones (including advertising, because I feel guilty to adblock; I don't want to freeload on sites that cost time and money). I care little about advertisers "tracking" me, but I care about security (in the sense of not allowing viruses and trojans) even though I already use Ubuntu+Firefox, and disabled Flash and Java.

To see which domains were safe, I used NoScript's Shift-click feature. That feature, as you surely know, analyses the domain with 5 web utilities.

The problem is that one of those utilities - Google Safe Browsing Diagnostic - seems to flag every other domain, including domains that all the other utilities found secure.

Even important domains like gmodules.com get flagged:

http://www.google.com/safebrowsing/diagnostic?site=gmodules.com (EDITED to fix link according to Tom T.'s suggestion below)

The last time Google visited this site was on 2012-09-24, and the last time suspicious content was found on this site was on 2012-09-23.

Malicious software includes 6 trojan(s).


Over the past 90 days, gmodules.com appeared to function as an intermediary for the infection of 8 site(s) including kakoslykos7.blogspot.com/, misterika.blogspot.com/, libdes.blogspot.com/.


Notice, too, that despite the above problems the gmodules.com domain is not listed as suspicious:
This site is not currently listed as suspicious.


And in fact, it says:
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.


Which seems contradictory. And neither McAfee SiteAdvisor nor WOT found problems with gmodules.com.

What am I to do?

Thank you for your attention.

EDIT: after waiting for the past 8 days, I have pretty much decided to exclude from the whitelist the sites accused by Google of being of dubious security, even if they could be false positives.
Last edited by fidesetratio on Wed Oct 03, 2012 8:18 pm, edited 2 times in total.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Google Safe Browsing Diagnostic false positives?

Post by Tom T. » Wed Sep 26, 2012 4:20 am

The long links are a known problem with the forum software. Use the "URL" tags to protect them. Highlight the link, then click URL in the toolbar above the Compose box. You can also use Code tags, which show the entire address but do not create a live link.

I believe that gmodules may host user-created content, or links to same. If so, then the diagnostic is detecting this -- following the link, perhaps, to a malware page. Hence the high rate of false positives.

Any site that hosts user-created content or links to same could be flagged in this fashion.
However, it is in fact more risky to visit sites with user-content, so it is vital to keep NoScript locked down fully against such sites unless/until you are able to investigate and satisfy yourself that the site is safe and reputable.

Advertising agencies come and go, especially on the Internet. Some are well-known, and while they may be privacy-invasive, probably would not want to risk their reputation by loading malware. But there's nothing to stop bad people from starting a new ad agency, soliciting business -- or even just paying websites to let their scripts run -- and using those scripts to load malware. Just a thought.

I hope this helps.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1

fidesetratio
Posts: 3
Joined: Tue Sep 25, 2012 3:39 pm

Re: Google Safe Browsing Diagnostic false positives?

Post by fidesetratio » Wed Sep 26, 2012 4:18 pm

@Tom T.

Thank you for your opinion. It is helpful indeed.
However, I still want this thread open until I get at least one more opinion. I always prefer to hear at least two opinions.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Google Safe Browsing Diagnostic false positives?

Post by Thrawn » Wed Sep 26, 2012 11:06 pm

Here's one from Giorgio: the NoScript FAQ indicates that the reason hackademix.net is not whitelisted by default is that it contains user-generated content (comments). So, if gmodules is similar, then it certainly is more dangerous than other Google sites.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1

fidesetratio
Posts: 3
Joined: Tue Sep 25, 2012 3:39 pm

Re: Google Safe Browsing Diagnostic false positives?

Post by fidesetratio » Wed Oct 03, 2012 8:16 pm

Despite my moral concerns, I have decided to remove from the whitelist all advertising domains of dubious security.
I will only keep in the whitelist domains of solid security, and one or two domains of mediocre security that I can't avoid (because their functionality is too important).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Google Safe Browsing Diagnostic false positives?

Post by Tom T. » Thu Oct 04, 2012 5:19 am

fidesetratio wrote: Despite my moral concerns, I have decided to remove from the whitelist all advertising domains of dubious security.
I will only keep in the whitelist domains of solid security, and one or two domains of mediocre security that I can't avoid (because their functionality is too important).

Are we still speaking of advertising domains? Their "function" is almost never important.
Please see "List of scripts for which NS runs surrogate" for why this is so. It is an excellent feature of NoScript.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1

GµårÐïåñ
Lieutenant Colonel
Posts: 3330
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: [SOLVED] Google Safe Browsing Diagnostic false positives

Post by GµårÐïåñ » Tue Oct 09, 2012 9:43 pm

@TOM what he means is when google-syndication or webtrends, or whatever, is woven into a submit or click function and without it the site won't function. He considers that necessary to function because the surrogates don't always account for it, especially if the programmer is smart enough to not use the global keywords common to them.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
world is a vampire and browsers are zombies and users are the virus

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [SOLVED] Google Safe Browsing Diagnostic false positives

Post by Tom T. » Wed Oct 10, 2012 6:11 am

GµårÐïåñ wrote: @TOM what he means is when google-syndication or webtrends, or whatever, is woven into a submit or click function and without it the site won't function. He considers that necessary to function because the surrogates don't always account for it, especially if the programmer is smart enough to not use the global keywords common to them.

I would rather hear that from him, and be pointed to examples of such sites, or do you have any? I don't think I've ever seen a site break for lack of g-s or webtrends, but of course I haven't seen every web site on the planet. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1

GµårÐïåñ
Lieutenant Colonel
Posts: 3330
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: [SOLVED] Google Safe Browsing Diagnostic false positives

Post by GµårÐïåñ » Fri Oct 12, 2012 2:27 am

Tom T. wrote: I would rather hear that from him, and be pointed to examples of such sites, or do you have any? I don't think I've ever seen a site break for lack of g-s or webtrends, but of course I haven't seen every web site on the planet. ;)

Oh my brother, trust me there are TONS. Most common offenders are banks, credit card companies, utilities, etc. Most of the time the surrogates will grab them but in many cases they don't. Trust me when I say that Giorgio has probably got a list as long as his arm on the incidents I have reported to him regarding surrogates, many of which have been made permanent and in some cases we decided to just keep using it myself and if in the future we get more voices for it, then I will post it for them or if we get even more then we'll implement them permanently. 99% of the time, they happen when you are within a "logged" state if you will and required to get around the site and they want to know what members are doing that will tie closest to the code. Although some popular public services do it too, just because they want to know where they can getcha :P
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (world is a vampire) Gecko/99999999 (browsers are zombies) AntidoteXXX (users are the virus)
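
The breakage described in the two posts above, as an added example that is not part of the thread and is not NoScript's own code: a handler that calls a blocked tracker fails before the real action runs, a stub under the expected global name lets it finish, and a site using an unexpected name is missed. It is a plain-object simulation; `siteTracker`, `_customTrk` and all function names are hypothetical.

```javascript
// Constructed simulation: `win` stands in for the page's global object.
// No browser or NoScript API is used; every name here is hypothetical.

// A submit handler that calls the third-party tracker first, then does
// the work the user actually asked for.
function makeSubmitHandler(win, trackerName) {
  return function onSubmit(form) {
    // Throws TypeError when the tracker script was blocked and nothing
    // defined win[trackerName].
    win[trackerName].track("submit", form.id);
    form.submitted = true;
    return form.submitted;
  };
}

// The surrogate idea in principle: define harmless no-op stand-ins under
// the global names the blocked script would have created.
function applySurrogate(win, knownGlobals) {
  for (const name of knownGlobals) {
    if (!(name in win)) win[name] = { track() {} };
  }
}

// Run the handler once and report whether the form got submitted.
function trySubmit(win, trackerName) {
  const form = { id: "login", submitted: false };
  try {
    makeSubmitHandler(win, trackerName)(form);
  } catch (e) {
    return { submitted: form.submitted, error: e.constructor.name };
  }
  return { submitted: form.submitted, error: null };
}

function runScenarios() {
  const known = ["siteTracker"]; // global names the surrogate covers

  const blocked = {}; // tracker blocked, no surrogate applied
  const surrogated = {}; // tracker blocked, surrogate matches the name
  applySurrogate(surrogated, known);
  const renamed = {}; // site calls the tracker under an uncovered name
  applySurrogate(renamed, known);

  return {
    blockedNoSurrogate: trySubmit(blocked, "siteTracker"),
    surrogateMatches: trySubmit(surrogated, "siteTracker"),
    surrogateMisses: trySubmit(renamed, "_customTrk"),
  };
}

console.log(runScenarios());
```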

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [SOLVED] Google Safe Browsing Diagnostic false positives

Post by Tom T. » Fri Oct 12, 2012 6:37 am

GµårÐïåñ wrote: ...Trust me when I say that Giorgio has probably got a list as long as his arm on the incidents I have reported to him regarding surrogates, many of which have been made permanent and in some cases we decided to just keep using it myself and if in the future we get more voices for it, then I will post it for them or if we get even more then we'll implement them permanently. ...P

If you and Giorgio have a list of working surrogates that are not in NS by default, where is the harm in adding them? Not much work to copy/paste into the code, is it?

I must just be lucky. Never personally had any site, logged-in or otherwise, bank, etc. break for lack of g-s or webtrends or whatever. Comes from clean living. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:16.0.1) Gecko/20100101 Firefox/16.0.1
