This site is not bad for your computer’s health

… despite Google telling you that it is.
Google’s not always right, it seems.

Google’s assertion that this site is hosting “badware” (warning – made up word) is at best misleading, and at worst an out-and-out untruth.

My reasoning:

  1. Misleading: The version of WordPress I use to power this blog had a security vulnerability in it, which meant people could maliciously edit posts I’d made and inject content. In all of these cases, the additional material injected was a link to another website.
  2. Untruth: As above, the link on my site was just that – a link to another website. My website had absolutely no “badware” on it at any time. It’s a small distinction to make, but if my business was using wordpress, and the world at large was presented with a page from google saying my site could not be trusted and that it was trying to hack their computers, I think I, like many other business owners, would be upset at the loss of business (short term) and reputation (long term) that this causes.

Things that – in my opinion – Google needs to fix.

  • Correct the warning that users see after clicking on a link. The warning page – as pointed out above – is wrong. It should simply state that Google’s automated tool for protecting the internet community has detected that a link on this site has been found to point to a “badware” distribution site. Even changing the sense of the sentence “Warning – visiting this web site may harm your computer!” into a more passive form, so that the implication that “this web site” is actively trying to do something bad is removed.
  • Provide people who’s websites get infected with at least a count of distinct issues that have been found on their website. At the moment, the Google warning email just says that the website is serving up “badware”. This website actually suffered from two seperate problems, after finding the first, I resubmitted for testing, and they came back with the same – unhelpful – statement; that my website was still hosting “badware”. If I had been told that there were 2 (or however many are found) instances of the problem, I wouldn’t have stopped after finding the first.
    The sheer number of people requesting help on the ‘Stop “badware”‘ group pages is indicative that something is seriously wrong with the reporting mechanism.
  • Speed up their review process. If they are making wild accusations that a website is actively hosting “badware”, then they should be as quick to unblock a site as they are to block it. If an online company gets blocked – as has happened (sorry, can’t find the link to the page that I found before) – then Google will hold their website in the blocked state until a retest is done. This can take a long time, during which time, people cannot access the site from google’s search results, and due to the nature of the wording of the warning, harm is done to the business’ reputation
  • Before the browsers start using this “badware” security alert mechanism to block websites in the browser, the process needs to be streamlined, so that an automatic check can not only condemn a website, but also give it a clean bill of health. The process of freeing a website from purgatory should be near real-time. I do not believe that an automatic check of the website cannot be done within a period of half an hour – Google has a famously large number of servers and bandwidth available to it. If it cannot be done in this realtime manner, I think it is too flawed to be useful.

I would like to point out that this last point, about browsers using the Google “badware” database as a check is, in principle a very good idea; afterall, protecting people from “badware” is something that would make the internet a much nicer place to play.
However, with the caveats listed above, the database becomes even more insidious – without turning the whole security mechanism off, I cannot access my own website, even though it is clean (I know it is, I’ve just finished cleaning it, and upgraded the software so it won’t happen again).
It is this real-time checking of the “badware” database by browsers that is the painful part when the database is too slow to de-list websites.

And don’t think that browsers aren’t going to do this. Firefox 3 Beta 3 has the feature turned on by default.

EDIT: Someone else has had the same problem, and has the same problems with the process:

Leave a Reply