My experience being blocked by Google Safe Browsing (2022) (brennan.io)
71 points by aww_dang on April 2, 2023 | 64 comments



I feel the "I want my friends and family to be safe" is similar to the "but think of the kids!" excuse.

Maybe it's some kind of a Stockholm Syndrome variant of people using Chrome, but it's definitely not healthy.

I don't actually believe that it has blocked that many people from being phished, and I doubt that all the entries on that list are malicious. It seems like a system that was designed by someone to simply get a pat on the back and a promotion, and then not touched again.

The point of hosting yourself, and not making another Facebook/YouTube page, or Discord server, is really to be free of their terms, control, etc. Your browser itself blocking self-hosted sites is such a malicious attack on that.


The consensus, even among tech people, seems to be that this is a good thing. Sure, lots do argue it shouldn't be maintained by Google, but ultimately such a list itself is fine.

I personally don't agree with that, as I think modern browsers (not just Chrome) already do way too much handholding to a point that neutrality is inevitably lost.

I would go even further and say I don't like ideas like Firefox's/Brave's "Enhanced Tracking Protection" which blocks certain services with a hand-picked ruleset. Don't get me wrong, I block these trackers myself in uBlock Origin, but I don't like the idea that a browser maintains an arbitrary list itself of what to block for the users.


> I would go even further and say I don't like ideas like Firefox's/Brave's "Enhanced Tracking Protection" which blocks certain services with a hand-picked ruleset. Don't get me wrong, I block these trackers myself in uBlock Origin, but I don't like the idea that a browser maintains an arbitrary list itself of what to block for the users.

The primary difference is in the messaging. Tracking protection is an opt-in feature, so the user is always aware of it. Additionally, at least in the forms I've encountered it, it doesn't outright prevent you from navigating to a website. At worst it breaks some sites, and you disable it, it's sitting right there in your browser navigation bar. Don't agree with some block? Overriding it is a click away.

Meanwhile, safebrowsing doesn't announce itself anywhere except when it hits you in the face with a giant red screen, specifically designed to inspire a sense of fear/dread. Override buttons are intentionally not outright presented to the user, and the toggles to completely disable the feature are tucked deep into advanced features where no muggle may reach.

It may sound stupid but this simple difference in optics radically changes the effect such a "manual blacklisting" feature has on its users. That said I agree it'd be nice to have more control over the tracking protection feature in firefox, e.g. by allowing custom lists, like uBlock does.


> The primary difference is

Yeah I don't mean they're the same thing.

I just don't like either (hence "go even further").


> I don't actually believe that it has blocked that many people from being phished

The data says the opposite, the safe browsing list is very effective* which is why many other browsers and systems use the same list to block malicious pages.

Google publishes data about the frequency of warnings displayed too: https://transparencyreport.google.com/safe-browsing/overview

* Of course it could be better.


Very effective at... what? I mean, they seem to not be able to tell the difference between a legit mastodon instance and a phishing site, so why would they suddenly be able to tell if it effectively blocked a site that was actually malicious?

Yes, blocking sites on a blocklist works very well. Whether those sites are legit or not doesn't matter at that point, to them, as they assume they all are malicious.

Do you see what I mean?


> ... so why would they suddenly be able to tell if it effectively blocked a site that was actually malicious?

The fact that there was one false positive does not imply there are no true positives.

Google crawls malware on sites all the time: https://security.googleblog.com/2009/10/show-me-malware.html...


I often click links on phishing mails I get just for fun, and more often than not they result in webpages being blocked by Chrome. Anecdotal, but there you go.


This is a bit dangerous because of zero-days. If you do this in a throw-away isolated virtual machine, this is probably safe.


Very much true. It's almost always a specific type of phishing that tries to get me to enter bank credentials, usually not really serving malware. But you make a good point.


Fun times when you have to use "probably" there to be accurate.


You shouldn't, the links usually have unique data embedded and it will confirm your email as a valid target for future attacks. You are basically adding a "real mailbox with an active, gullible user" tag to your email in the spammers list.


A digital running of the bulls!


The strange thing about SSL is that it is meant for strangers. If a group knows each other a self signed certificate can be safer because the group controls the certificate. I always assumed the push for SSL everywhere was to institutionalize man in the middle attacks.


GPG is so criticised because of the web of trust concept.


Some things are worth protecting against, but most of the blocking I've seen has been sites that just don't conform with Google's preferences. Given that there is a conflict between Google's preferences and mine, there is a problem.


Good points. Malicious actors doing actual abuse can just rinse and repeat with new domain names.


Malicious actors can easily change domains, legitimate businesses can't.

So this is a harsh punishment to all good people, and very weak punishment to all scammers and spammers.


Especially relevant when you consider the organic search traffic legitimate webmasters may rely upon, vs. the email campaigns or even paid traffic bad actors can quickly spin up.


On mobile (Android) it's different. You cannot continue past the warning in Firefox Daylight (or Chrome, of course).

about:config is also walled off in every mobile Firefox build except Nightly - and even then, the "safe browsing" keys toggle back every time the app restarts.

Android WebView listens to the safe browsing list too, so you can have native apps open up with blood-red warning screens which is very uncomfortable on mobile.

Don't think I've ever seen a GSB warning page that _wasn't_ a false-positive. Google also still links out to https://www.stopbadware.org/ on some of their GSB webpages, even though the site has been dead for ages.

It has the feel of a system staffed _exclusively_ by robots. This isn't necessarily a bad thing (Google does an overall good job) but it has its blind spots for sure.

Self-hosters getting sucker punched offline for a day or two isn't the worst (it happened to me just the other week). I get it, overall it's probably worth the collateral. I also get that mobile should _probably_ be protected more aggressively. But if you are on Android, I don't think there's any way to meaningfully disable it unless you are root.


It really pisses me off that even Firefox on desktop tries to scare you away from about:config with a lie, claiming that using it will void your warranty. Meanwhile the license under which Firefox is provided says "Covered Software is provided under this License on an "as is" basis, without warranty of any kind".

Firefox has no warranty to void. The warning message they make you view the first time you try to use about:config is simply lying to you. You might say "Oh well it's a well intentioned lie", but it's still a lie and there is no reason for this lie to even exist. The warning could be worded without this lie. It could simply say "You might break stuff if you continue" and that would be true enough and still scare off people who don't know what they're doing. So why the hell are they lying?


Does it though? Mine says "Changing advanced configuration preferences can impact Firefox performance or security."

Here is a screenshot: https://i.imgur.com/RYPhiSe.png

This is Firefox 111.0.1 on Kubuntu.


I think it was meant as a joke.


Yikes, giving Google the power to block any website to the majority of humankind may not be the best idea.


What's even worse is that Firefox, Safari, Vivaldi, Brave, Instagram, other Google services (like Gmail and Search) all rely on this list in some capacity, though their delivery method may differ. It's got far bigger reach than Chromium alone.

Sneak in your competitor onto this list and they'll lose all of their traffic for as long as it takes them to convince someone at Google they've made a mistake.


Even worse, the data is crowd sourced. I've been playing whack-a-mole with this service for over a year now. Strongly suspecting that this is negative SEO. It is temporarily unblocked, then in the next week the entire domain is re-flagged.


Yes and no, the public crowdsourcing is only a part.

The biggest influences are trusted security groups, where security teams of influential websites who trust each other can push or remove websites from these lists without any vetting from anyone.

It is also from there that you can download and share lists of unhashed passwords with e-mails (you know this warning "This password has likely been compromised"; they need to source it from somewhere).

If the owner of a website complains, he is never going to win the appeal against a member of the special group.

So it's a very (useful and important) political game once your website becomes large.

This is also where you can informally directly communicate with agencies like the FBI.


> This is also from there that you can download list of unhashed passwords with e-mails (you know this warning "This password has likely been compromised", they need to source it from somewhere).

You (or anyone else) can get such a list (no emails, weak hashing better thought of as obfuscation) from Pwned Passwords[1]. (There used to be direct download links usable without the tricky downloader tool for pre-2022 archives on that page, but not anymore, huh. Take this[2,3].)

[1] https://haveibeenpwned.com/Passwords

[2] https://archive.org/details/pwned-passwords-version-8

[3] magnet:?xt=urn:btih:f9690a02f1accebbee2190b82cfee7b6968d384c&dn=pwned-passwords-sha1-ordered-by-hash-v8.7z


I agree, but also what's the alternative. A complete free-for-all doesn't work because malicious actors be malicious and a majority of users aren't competent to protect themselves against such threats. So we need something, if not google, then it would be something else. We can't trust private corporations because of potential for conflicts of interests (between users and profit motives) and we don't seem to want to trust government bodies to do this because then it would be censorship (conflict between users and political motives). What else is there?


> A complete free-for-all doesn't work because malicious actors be malicious and a majority of users aren't competent to protect themselves against such threats.

It does work. You claim it doesn't because you think the resultant state of affairs is intolerable, but to subsequently claim it "doesn't work" because you don't like the outcome is simply wrong. You might as well claim that allowing people to buy pointy kitchen knives "doesn't work" because sometimes people stab each other and you think murders are simply intolerable. But the reality is that allowing people to have pointy knives even though some people get hurt does work, even though it doesn't produce an outcome the hypothetical you are happy with.

The problem with "think of the children" style arguments is they are always unbounded, and there is always something more controlling than what we're doing presently that could ostensibly make children even safer. Why not have browsers ship a whitelist of trusted websites, and forbid all others? That would be even safer, and if you oppose this then you're not thinking of the children. In fact I find the present state of affairs with bad websites being blacklisted simply intolerable: new malicious websites are permitted by default and that just doesn't work!


Well of course when I said "it doesn't work" I meant that I found the outcome intolerable. That outcome being a majority of users being vulnerable to malicious attacks with a whole host of real world bad consequences for them.

I think that regular people having unrestricted access to enriched plutonium would also have intolerable outcomes. Even if some people would be able to handle the substance safely (both to themselves and others), the ones that don't or can't will cause intolerable outcomes. And yes, this is a 'think of the children' style argument. I don't want the children (or adults) to get radiation sickness. My hot take here is that it would be bad.


Let's be real here: Google doesn't need a "safe browsing" list to control website access.

The vast majority of people, when they want to visit a website, go to Google, type in the name of the website, hit search, then click the top result.

Address bar? WTF is an address? WTF is a bar?

When the vast majority of people access websites through google.com, Google already decides where the people go.

Let's also not forget tech enthusiasts and professionals all advise using 8.8.8.8. Guess what: Google literally owns your DNS requests.


there's an enormous difference between people not being able to find a site they don't know about and breaking bookmarks and existing links

yes, it's true that google has a lot of power


We had a similar issue, but unfortunately this is not as easy as it seems.

Google will remove you from that database of bad websites, but many other crap antivirus/security products will not automatically refresh it. So you will get a report from customer A that the website is not safe, you then have to ask what security program they use, then you need to find the form on those people's website; it is not easy since a big security company might have different websites and support pages for different stuff, so you need to find the right one to submit a form or open a ticket.

And one of these big security companies (unfortunately I do not remember which of them) had a bug on their form: when you submitted it, it would show an error, and that was for a few weeks.

If anyone works at these "security" companies, make the fuck sure that removing a website from the list is as easy as adding it. If you use Google's lists to add a site then use the same fucking list to remove them, and make a fucking form that works.


I never ever use Safe Browsing, just because of the ideologically based blockings. Even antiviruses' browsing protection is infected with ideological censorship. Fuck them!


My website also ended up in Safe Browsing list for some reason, and instead of registering on Google, I started to make an example of it to my friends to disable that Safe Browsing feature in their browser. It lasted for a week, perhaps, before it disappeared from the list. I didn't change anything during that time.


I cannot have such BS any more. So I deployed something on my home server and exposed it on a port just above 10000. And I tried to access it with Chrome, and it was blocked coz it's on an unusual port!! So obviously one of them had to go. So Chrome went away from my network.


Port 10080 is blocked on most browsers[0] per the WHATWG "bad ports" list[1]. That particular port was added to the list due to the Slipstream attack[2] that made the news a few years ago[3].

You don't have to switch to a browser that ignores standard security mitigations. Just pick a different port for your service.

[0] I just tested Chrome, Firefox, and Safari.

[1] https://fetch.spec.whatwg.org/#bad-port

[2] https://samy.pl/slipstream/

[3] https://news.ycombinator.com/item?id=24955891


This sounds great! I'll report a few of my competitors to Google Safe Browsing, and see how it affects the visits on my own website. /s


I have never seen a 'wrong' case of safebrowsing warning...

Always after sufficient investigation I find that the server has been broken into and there are some malicious PHP files sitting in some directory named '.system' or something similar.

Either that or the site allows user uploads and some user has uploaded some malicious JavaScript crypto miner or something.

On a mastodon server, it is hard to check all the content posted by all the users... But I'd bet somewhere there is something malicious that safebrowsing detected.
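The kind of investigation this comment describes, as an added example that is not part of the thread and not any product's code: a triage walk over a web root that flags PHP files sitting in dot-directories or upload directories and files containing a few obfuscation idioms common to web shells. The indicator patterns and the directory names are assumptions, not a complete ruleset, and the sample tree it builds is a constructed fixture with inert strings.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
UPLOAD_DIRS = {"uploads", "upload", "media", "files"}  # assumption: common upload roots

# Idioms that rarely appear in legitimate application code (assumption, not exhaustive).
SUSPICIOUS_CODE = [
    ("eval of decoded payload",
     re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("function name taken from request input",
     re.compile(rb"\$\w+\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b[^;]*;\s*\$\w+\s*\(", re.I)),
    ("preg_replace with /e modifier",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
]


def scan_webroot(root) -> List[Dict[str, object]]:
    """Walk root and report PHP files that sit in a dot-directory or an
    upload directory, or that contain one of the idioms above."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTENSIONS:
            continue
        rel = path.relative_to(root)
        parents = rel.parts[:-1]
        reasons = []
        if any(p.startswith(".") for p in parents):
            reasons.append("PHP file inside a dot-directory")
        if any(p.lower() in UPLOAD_DIRS for p in parents):
            reasons.append("PHP file inside an upload directory")
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for label, pattern in SUSPICIOUS_CODE:
            if pattern.search(data):
                reasons.append(label)
        if reasons:
            findings.append({"path": rel.as_posix(), "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Constructed fixture (not real malware): one clean file plus two
    inert strings that exercise each detector branch."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / ".system").mkdir()
    (root / ".system" / "cache.php").write_text(
        "<?php eval(base64_decode($_POST['k'])); ?>\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "avatar.php").write_text(
        "<?php $f = $_GET['f']; $f($_GET['a']); ?>\n")
    return str(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for finding in scan_webroot(target):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Run it against a real web root by passing the path as the first argument; without an argument it scans the constructed fixture. A hit is a starting point for review, not a verdict: compare flagged files against the deployed release and the modification timestamps before deleting anything.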


Everyone just assumes, incorrectly, that their systems are clean and secure. It didn't seem to even occur to OP to seriously investigate his site for "malware or social engineering attacks".


On this topic: I've encountered multiple small business websites that have a spam JavaScript redirect that fires on a referral from google.com -- if you go directly to the website (as the business owner or the GoogleBot might), everything is fine; if you click out from Google you get served either a small page with nothing but the JavaScript redirect, or the page with the JavaScript redirect prepended.

Some variants of this use cookies to only serve the redirect on the first click from Google, so if you're like "weird" and try again, everything looks fine the second time.

You can see the problem if you curl such a URL with Google as the referrer.
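The two-fetch comparison this comment suggests, written out as an added example (not code from the thread): fetch the page once with no Referer and once as a browser arriving from Google, each with a fresh cookie jar so the "first click only" variant cannot hide behind a cookie, then report script blocks or meta-refresh tags that appear only in the referred response. The redirect patterns are an assumption about what such injected code looks like, and the two sample bodies are constructed.

```python
import re
import sys
import urllib.request
from http.cookiejar import CookieJar
from typing import List, Optional

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
META_REFRESH_RE = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh[^>]*>", re.I)
# Navigation primitives an injected redirect would use (assumption, not exhaustive).
REDIRECT_CODE_RE = re.compile(
    r"\blocation\b\s*(?:\.href|\.replace|\.assign)?\s*[=(]|\bwindow\.open\s*\(", re.I)


def fetch(url: str, referer: Optional[str] = None,
          user_agent: str = "Mozilla/5.0 (X11; Linux x86_64)") -> str:
    """GET url with a fresh cookie jar per call, so a cookie set on the
    first visit cannot suppress the redirect on the second fetch."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with opener.open(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def injected_redirects(direct_body: str, referred_body: str) -> List[str]:
    """Redirect-looking fragments present in the referred response but
    absent from the direct one."""
    direct_scripts = {s.strip() for s in SCRIPT_RE.findall(direct_body)}
    findings = []
    for script in SCRIPT_RE.findall(referred_body):
        script = script.strip()
        if script not in direct_scripts and REDIRECT_CODE_RE.search(script):
            findings.append(script[:160])
    direct_meta = {m.lower() for m in META_REFRESH_RE.findall(direct_body)}
    for tag in META_REFRESH_RE.findall(referred_body):
        if tag.lower() not in direct_meta:
            findings.append(tag)
    return findings


def check_site(url: str) -> List[str]:
    """Fetch twice (plain, then as a browser arriving from Google) and diff."""
    return injected_redirects(fetch(url), fetch(url, referer="https://www.google.com/"))


# Constructed sample responses: the second one carries a referrer-gated redirect.
DIRECT_SAMPLE = """<html><head><title>Shop</title>
<script>console.log("analytics");</script></head><body>Welcome</body></html>"""
REFERRED_SAMPLE = """<html><head><title>Shop</title>
<script>if(document.referrer.indexOf("google")>-1){window.location.href="http://spam.example.invalid/";}</script>
<script>console.log("analytics");</script></head><body>Welcome</body></html>"""

if __name__ == "__main__":
    hits = check_site(sys.argv[1]) if len(sys.argv) > 1 else \
        injected_redirects(DIRECT_SAMPLE, REFERRED_SAMPLE)
    for hit in hits:
        print("injected only for Google referrals:", hit)
```

With a URL argument the script does the live comparison; without one it runs the detector over the constructed pair. A clean diff does not prove the site is clean (the injection may key on IP range or user agent as well), but a non-empty one is direct evidence of the cloaking the comment describes.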


In either case, a clear citation of the alleged "phishing" content would help to avoid ambiguity.

>Maybe I would feel better if there had been more transparency in the process. I was left to guess what Google thought was deceptive about my site.


Sometimes the console does tell you which URL they found malicious content at.

However, if they detect you doing dodgy things like trying to cloak from their scanner (eg. giving bad content when given a browser user agent from a home internet IP range, but not when scanned by googlebot from a google datacenter), then they won't give the URL because that would leak what IP range they scan from to detect such cloaking.


If we let Google design our criminal justice system, the accused would never be informed of what crime they broke because that would "help criminals get away with it"



Do we know what categories a website must fall into to be part of the 'safe browsing' list? Did the author confirm that his similarly designed Mastodon server was the culprit, or was it just a hunch?

I didn't realise Google safe browsing extended beyond google products. In a way, it makes me think about what other products have ties in to google.


Here was the HN thread,

https://news.ycombinator.com/item?id=33526893 ("Google Safe Browsing is blocking small Mastodon servers (snake.club)", 52 comments)


> Then, I registered my domain on the “Google Search Console” product (which I’ve already used for other domains).

What if one doesn't want to forfeit their personal info to Google and sign / agree to their policies and TOS?


This is a very fair question - it's worth noting that appealing Google's decision to include you on the GSB list can be done without a Google account.

The other stuff the author does with Google Search Console isn't necessary to get delisted.


Safe browsing means that your browser sends a list of websites that you visit to Google (so basically to NSA too), who can then build a nice profile of you.

Ah and sometimes they block scams.


Google "Safe browsing" is the blatant excuse by Google to collect all your browsing history.

Disabling it is behind dark patterns.


That's just plain wrong. Most SafeBrowsing checks are done locally against a list. They even have an API for it.

https://developers.google.com/safe-browsing/v4#update-api-v4

Literally 5 seconds on your favorite search engine could have stopped you from embarrassing yourself.
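The local check this comment refers to, as an added example (not Google's client code and not from the thread): the client hashes host-suffix/path-prefix expressions of each URL with SHA-256 and compares short prefixes against a cached list; only a prefix hit requires a full-hash request to the server, and a miss sends nothing. The URL canonicalization is simplified (it skips the IP-literal rules), and the listed expression is constructed for the demo.

```python
import hashlib
from urllib.parse import urlsplit, unquote

PREFIX_LEN = 4  # bytes of SHA-256 kept locally (the API allows 4 to 32)


def canonicalize(url: str) -> tuple:
    """Return (host, path_with_query). Simplified canonicalization (assumption):
    lowercases and trims the host, percent-decodes, and collapses '.', '..'
    and empty path segments."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url.strip())
    host = unquote(parts.hostname or "").strip(".")
    host = ".".join(label for label in host.split(".") if label)
    raw_path = unquote(parts.path) or "/"
    segments = []
    for seg in raw_path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    path = "/" + "/".join(segments)
    if raw_path.endswith("/") and path != "/":
        path += "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def url_expressions(host: str, path: str) -> list:
    """Host-suffix / path-prefix combinations to hash: the exact host plus up
    to four parent domains (never the bare TLD), and the exact path with
    query, the path without query, and up to four leading components."""
    labels = host.split(".")
    hosts = [host]
    for i in range(1, len(labels) - 1):
        if len(hosts) == 5:
            break
        hosts.append(".".join(labels[i:]))
    path_no_query = path.split("?", 1)[0]
    paths = [path]
    if path_no_query != path:
        paths.append(path_no_query)
    components = [c for c in path_no_query.split("/") if c]
    for k in range(min(len(components), 4)):
        prefix = "/" + "".join(c + "/" for c in components[:k])
        if prefix not in paths:
            paths.append(prefix)
    return [h + p for h in hosts for p in paths]


def hash_prefixes(url: str) -> set:
    host, path = canonicalize(url)
    return {hashlib.sha256(e.encode()).digest()[:PREFIX_LEN]
            for e in url_expressions(host, path)}


class LocalPrefixList:
    """The client's cached prefix set. A hit only means a full-hash lookup
    is warranted; a miss means the URL is not listed and no request leaves
    the machine."""

    def __init__(self, prefixes):
        self.prefixes = frozenset(prefixes)

    def needs_full_hash_lookup(self, url: str) -> bool:
        return not self.prefixes.isdisjoint(hash_prefixes(url))


# Constructed demo data: the "server" has listed one unsafe URL expression.
LISTED_EXPRESSION = "malware.example.test/bad/"  # constructed, not a real listing
DEMO_LIST = LocalPrefixList(
    [hashlib.sha256(LISTED_EXPRESSION.encode()).digest()[:PREFIX_LEN]])

if __name__ == "__main__":
    for u in ("http://malware.example.test/bad/page.html?x=1", "https://brennan.io/"):
        verdict = "prefix hit, full-hash lookup needed" if DEMO_LIST.needs_full_hash_lookup(u) \
            else "no local match"
        print(u, "->", verdict)
```

The design point is that the server learns a 4-byte prefix, and only for URLs whose prefix collides with something on the list; the privacy argument in the surrounding comments turns on what additional data the browser sends in the Enhanced mode, not on this lookup.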


If a website looks suspicious, Chrome sends a subset of likely phishing and social engineering terms found on the page to Google, in order to determine whether the website should be considered malicious. These client-side checks also include comparisons of the visual appearance of the page to a list of images of login pages. If a website appears similar to a page on this list, Chrome will send the URL and the matched entry on the list to Google to determine whether the page is a likely phishing attempt. Chrome can also help protect you from phishing if you type one of your previously saved passwords into an uncommon site. In this case Chrome sends the URL and referrers of the page to Google to see if the page might be trying to steal your password.

https://www.google.com/chrome/privacy/whitepaper.html#malwar...

There's also a handful of other things they will send in the name of safe browsing, should they be enabled (I don't know if any are defaults): https://www.google.com/chrome/privacy/


It's Enhanced Safe Browsing that you are talking about. It collects all URLs you are visiting, associates them with your Google profile, and sends samples of content to Google.

(There are other similar mechanisms in Chrome as well, but it's not called Safe Browsing).


> hosted a Mastodon server on the domain

Mastodon is often used to distribute illegal content. If you self host you need to be ready to deal with this stuff. Like with self hosted SMTP server.

Not saying it is good or bad, just reality!


> It’s mostly for me and friends I know personally – nothing like the bigger, public ones.

I'd agree with you if it had thousands of users, but not when the user count is 8. If you have 8 users on your SMTP server, damn easy to know with certainty if any of them did anything that might be considered malicious.


Mastodon, perhaps unwisely, replicates all media it encounters.


Again, it's eight users, one of which has full control over the database plus an approximate timestamp when something went wrong.

Super easy to check every outbound click, every post published, every post received... Everything.


I run a single user instance, and I definitely can't review every post received?


Well that's... terrifying.


In reality, it barely makes a difference if you want to avoid hotlinking (and that has other bad privacy implications, now all your users load bad content).

Law enforcement makes no difference between proxying, caching and storing indefinitely. At least not during all the steps that precede your hardware being seized.


So is google drive.


Is illegal content relevant to phishing warnings?



