Comment by ericselin
5 months ago
I'm not saying that Google or Safe Browsing in particular did anything wrong per se. My point is primarily that Google has too much power over the internet. I know that in this case what actually happened is because of me not putting enough effort into fending off bad guys.
The new separate domain is pending inclusion in the PSL, yes.
Edit: the "effort" I'm talking about above refers to more real time moderation of content.
> My point is primarily that Google has too much power over the internet.
That is probably true, but in this case I think most people would think that they used that power for good.
It was inconvenient for you and the legitimate parts of what was hosted on your domain, but it was blocking genuinely phishing content that was also hosted on your domain.
Every website operator employee worth their salary in this area would have told the site's operator this beforehand, and could have avoided this incident. Hell, even ChatGPT could tell you that by now. The word that comes to mind is incompetence on someone's part, but I don't know the details of who in particular was the incompetent one in this situation. Thankfully, they've learned a lesson about the situation and ideally won't make the same mistake again going forward.
I disagree, as a professional in this field for over a decade.
For this to be a legitimately backed statement, professionals would have needed to know about the PSL. This is largely unmet.
For it to be met, there would need to be documentation in the form of RFCs and whitepapers in industry working groups. This didn't happen.
M3AAWG only has two blog post mentions, and that's only after the great layoffs of 2023, and only that it's being used by volunteers and needs support. No discussion about organization, what it's being used for, process/due process, etc.
It wholly lacks the needed outreach to professionals in order to make such a statement and have it be true.
"Google does good thing, therefore Google has too much power over the internet" is not a convincing point to make.
This safety feature saves a nontrivial number of people from life-changing mistakes. Yes we publishers have to take extra care. Hard to see a negative here.
I respectfully disagree with your premise. In this specific case, yes, "Google does good thing" in a sense. That is not why I'm saying Google has too much power. "Too much" is relative and whether they do good or bad debatable, of course, but it's hard to argue that they don't have a gigantic influence on the whole internet, no? :)
Helping people avoid potentially devastating mistakes is of course a good thing.
What point are you trying to make here? You hosted phishing sites on your primary domain, which was then flagged as unsafe. You chose not to use the tools that would have marked those sites as belonging to individual users, and the system worked as designed.
You're not wrong. You just picked a poor example which illustrates the opposite of the point you're making.
> but it's hard to argue that they don't have a gigantic influence on the whole internet, no? :)
Then don't relate this to safe browsing. What is the connection?
You could have just written a one-liner: Google has too much power. This has nothing to do with safe-browsing.
In fact you could write...
- USA/China/EU etc has too much power..
You use the word relative in another reply..
Same way.. My employer has relatively too much power...
Is it? Companies like Google coddle users instead of teaching them how to browse smarter and detect phishing for themselves. Google wants people to stay ignorant so they can squeeze them for money instead of phishers.
How does Google get money out of people in that case? As a corporation, Google contributes greatly to the education sector and also profits greatly, so it seems like they're pro-education to me, and are merely making the best of a bad situation, but I'd love to hear how Google extracts money from the people they've protected from phishing schemes in some secret way that I haven't considered. I do happen to have Google stock in my portfolio though, so maybe that indicts my entire comment for you.
This is a fine mentality when it takes a certain amount of "Internet street smarts" (a term used in the article) to access the internet - at least beyond AOL etc.
But over half of the world has internet access, mostly via Chrome (largely via Android inclusion). At least some frontline protection (that can be turned off) is warranted when you need to cater to at least the millions of people who just started accessing the internet today, and the billions who don't/can't/won't put the effort in to learn those "Internet street smarts".
How does flagging a domain that was actively hosting phishing sites demonstrate that Google has too much power? They do, but this is a terrible example, undermining any point you are trying to make.
The thing about Google is that they regularly get this stuff wrong, and there is no recourse when they do.
I think most people working in tech know the extent to which Google can screw over a business when they make a mistake, but the gravity of the situation becomes much clearer when it actually happens to you.
This time it's a phishing website, but what if the same happens five years down the line because of an unflattering page about a megalomaniac US politician?
Then that would be an example of a system having failed and one that needs to change. Instead, this is an example of a hosting company complaining about the consequences of skipping some of the basic, well-documented safety and security practices that help to isolate domains for all sorts of reasons, from reputation to little things like user cookies.
This article shows an example of this process working as intended though.
The user's site was hosting phishing material. Google showed the site owner what was wrong, provided concrete steps to remedy the situation, and removed the warning within a few hours of being notified that it was resolved.
Google's support sucks in other ways, but this particular example went very smoothly.
> Oh my god, my site was unavailable for 7 hours because I hosted phishing!
Won't someone please think of the website operator?
Maybe "Google can have a large impact" is a more accurate way of putting it vs. "power".
There are two aspects to the Internet: the technical and the social.
In the social, there is always someone with most of the power (distributed power is an unstable equilibrium), and it's incumbent upon us, the web developers, to know the current status quo.
Back in the day, if you weren't testing on IE6 you weren't serving a critical mass of your potential users. Nowadays, the nameplates have changed but the same principles hold.
Social wasn't always sole powered, it only began with the later social networks, not the early ones. And now people are retreating to smaller communities anyway.
Testing on IE6 wasn't the requirement, all browsers were. IE shipped by default on Windows and basically forced itself into the browser conversation with an incomplete browser.
I don't mean social as in social network. I mean that people have always been a key aspect of the technology and how it practically works.
Yes, yes, IE6 shipped by default on Windows. And therefore if you wanted a website that worked, you tested against IE6. Otherwise people would try and use your website and it wouldn't work and they wouldn't blame the browser, they would blame your website.
Those social aspects introduce a bunch of not necessarily written rules that you just have to know and learn as you develop for the web.
> Google has too much power over the internet.
In this case they did use it for good cause. Yes, alternatively you could have prevented the whole thing from happening if you cared about customers.
Exactly.
> Second, they should be using the public suffix list (https://publicsuffix.org/) to avoid having their entire domain tagged.
NO, Google should be "mindful" (I know companies are not people but w/e) of the power it unfortunately has. Also, Cloudflare. All my homies hate Cloudflare.
It is mindful.
... by using the agreed-upon tool to track domains that treat themselves as TLDs for third-party content: the public suffix list. Microsoft Edge and Firefox also use the PSL and their mechanisms for protecting users would be similarly suspicious that attacks originating from statichost.eu were originating from the owners of that domain and not some third-party that happened to independently control foo.statichost.eu.
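To make the PSL mechanism in the comment above concrete, here is an added example (not code from the thread or from any browser): a minimal Public Suffix List matcher following the algorithm published at https://publicsuffix.org/list/, run once without and once with a `statichost.eu` entry. The rule snippets are constructed, and the `statichost.eu` entry is hypothetical, since the thread says inclusion is still pending.

```python
# Added example (not code from the thread): a minimal Public Suffix List
# matcher, following the algorithm at https://publicsuffix.org/list/, that
# shows why a browser only treats foo.statichost.eu as separate from
# statichost.eu once statichost.eu is listed. Rule snippets are constructed;
# the statichost.eu entry is hypothetical (the thread says it is pending).

PSL_WITHOUT = """
// ===BEGIN ICANN DOMAINS===
eu
*.ck            // wildcard rule: every label directly under .ck is public
!www.ck         // exception rule: www.ck itself is registrable
// ===END ICANN DOMAINS===
"""
PSL_WITH = PSL_WITHOUT + "// ===BEGIN PRIVATE DOMAINS===\nstatichost.eu\n"

def parse_rules(text):
    """Strip comments and blank lines; keep rule text (incl. leading '!')."""
    return [l.split("//")[0].strip() for l in text.splitlines()
            if l.split("//")[0].strip()]

def _matches(rule, labels):
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l
               for r, l in zip(reversed(rule_labels), reversed(labels)))

def public_suffix(domain, rules):
    labels = domain.lower().rstrip(".").split(".")
    matching = [r for r in rules if _matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:                       # exception wins; drop leftmost label
        return ".".join(exceptions[0][1:].split(".")[1:])
    if not matching:                     # implicit "*" rule
        return labels[-1]
    best = max(matching, key=lambda r: len(r.split(".")))  # longest rule
    return ".".join(labels[-len(best.split(".")):])

def registrable_domain(domain, rules):
    """Public suffix plus one label; None if the name is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def site_for(domain, psl_text):
    """The 'site' a browser would attribute this host to under that PSL."""
    return registrable_domain(domain, parse_rules(psl_text))
```

Without the entry, `foo.statichost.eu` resolves to the site `statichost.eu`, so reputation and cookies for the phishing subdomain and the operator's own domain are shared; with it, each subdomain is its own site.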