My experience being blocked by Google Safe Browsing

Since April of 2021, I’ve hosted a Mastodon server on the domain snake.club. It’s mostly for me and friends I know personally – nothing like the bigger, public ones. Until the last week or two, the server was mostly dead. Then Elon finally bought Twitter, triggering a mass exodus from Twitter, right into Mastodon. Conveniently, my server was already there, so it was a nice place for me and my friends to jump right in and grab some popcorn while we all watch Twitter implode.

And it has been great! Several friends have become active users. As many people jumped ship from Twitter, we began to form real social networks. But then something weird happened.

Blocked!

On Tuesday, November 8th at 2:30pm, I got a text saying “This seems not great?” with an image of a browser tab loading snake.club, except there was a red background and the tab said “Deceptive site ahead”. My friend’s browser had blocked my Mastodon instance! So I fired up Firefox on my computer, and got the same error. Same on my phone, and same on iPhones as well.

What happened: for some reason, my site got onto a list called “Google Safe Browsing”, which is a list of sites which may contain malware or social engineering attacks. Browsers can check URLs against this list and warn users when they are going to an “unsafe site”. I don’t know much about it, and so I don’t want to make too many assertions about how it works. Instead, here’s my guess about why I got blocked: it seems like whatever automation was behind this classification saw that my site’s pages (especially the login page) looked similar to several other, more popular sites (i.e. other Mastodon instances), and so assumed that my site was phishing users.

Resolution

I did a few things immediately. First, I used the browser interface to submit a false positive report, and so did my friend. Then, I registered my domain on the “Google Search Console” product (which I’ve already used for other domains). Sure enough, the console showed a “security issue.” So, I filed a request for review. The help articles stated that the review could take several days, up to several weeks. Then, I posted a rather long, self-righteous thread about the situation. Knowing that the narrative “big, bad Google is hurting the decentralized fediverse” was good for a few angry upvotes, I posted it to Hacker News, in the hopes that it would get my case looked at faster. Not my finest hour, I’ll admit.

But what ended up happening was anti-climactic, in a good way. By 8:50pm, I noticed that I was no longer seeing the big red banner preventing people from visiting my site. And on Friday, at 2:40pm (not even 72 hours after submitting my report) I got an email saying that my review request had been processed successfully. The Search Console now shows no security issues, and Google’s “Transparency Report” shows my site as safe.

I have to say, as somebody who was pretty loudly complaining, that’s some decent response time. I’m not convinced that my loud complaining even sped things up. At best, I’d like to believe that spreading the word allowed several different people to submit “false positive” reports, and maybe that helped the big red banner come down within a few hours. But who can really tell?

Reflection

Thankfully, this was a 72-hour experience. The resolution was speedy and accurate. It’s definitely true that more people saw my angry toot thread (and HN thread) than would have seen the actual security warning banner otherwise. So the impact was very small. With all that in mind, I think one fair conclusion is that my reaction was a bit impetuous. My site is small, there was minimal impact, and I made a pretty big stink about it. Of course, I had no way of knowing that the resolution would be speedy, but I definitely could have waited a bit and given Google the benefit of the doubt. Hindsight is 20/20.

So, while I was definitely impetuous, was I right or wrong? I’m honestly not sure about that.

Certainly, Google Safe Browsing seems to me like a good thing. Despite my experience being wrongly blocked, I haven’t actually disabled the feature from my browsers (and I know how to do it). For less experienced computer users, it seems really important to protect them from known harmful sites. Even for experienced users like me, it seems nice to have a second set of eyes watching out for a deceptive site which may have slipped past me. I have to imagine that Google Safe Browsing has prevented a ton of social engineering attacks, many of which could have resulted in individual financial harm. Thinking of my own family and friends, I’m glad that this protection exists.

But then again - what if I were a small business running an e-commerce site? What if I depended on the goodwill of my users, who might be easily scared off? The cost of a false positive in the Google Safe Browsing system seems quite high to me: since nearly every web browser uses this system, getting onto this blacklist is one of the most severe things that could happen to a website or piece of content. It means that suddenly, users are afraid to interact with you. Most will click away without understanding the problem. Few would transact with a “deceptive site”. And plenty who click away from your site may never come back!

The purpose of a web browser is roughly similar to that of a TV: display content from somewhere else. Your TV doesn’t make editorial decisions about what content is safe enough for you to view. Maybe the TV channel you view won’t show certain types of content, but it’s not up to the TV to make that decision. Similarly, it’s not your browser’s job to moderate content that you browse. You may decide to use extensions to alter that content (maybe remove ads, change themes, or stop tracking). But the browser itself shouldn’t have that right: it’s up to the user.

Now, it bears repeating that in most cases, a user can click through the warning and still access your website. So you may argue that in this case, the user is in control. But defaults are powerful: they are the de-facto law of computer use. Saying that the user is in control is like saying a customer can take advantage of a mail-in rebate. Sure, it’s technically correct, and certainly many people would. But the majority will leave their defaults the same, or fail to mail their rebate card.

Maybe I would feel better if there had been more transparency in the process. I was left to guess what Google thought was deceptive about my site. I had essentially three means of seeing progress: (1) using a web browser to access my site, (2) viewing the Google Transparency Report, and (3) the Search Console and my review request. Frequently these three sources of information conflicted, and I had no idea whether progress on one meant progress on the other. Having worked in the spam, fraud, and abuse space, I know that for the people who run this system, lack of transparency is a feature, not a bug! The more that their attackers know about the process, the more effectively attackers can circumvent and overwhelm them. But that logic doesn’t make the experience of being a false-positive any nicer.

All of this is just to say that I’m not certain where I land here. I really do want safer browsing for my friends and family, even if Google and the browsers which use its list (Chrome, Firefox, and Safari) are implementing it in a somewhat… authoritarian way. But there’s a lingering feeling of injustice: I’m just running a small site for me and a few friends to enjoy. I’m not advertising or spamming it across the web, I’m just minding my own business. And here I get blacklisted by some murky authority figure I didn’t know even existed, on trumped-up changes. And when you think about it, those charges are absurd! When was the last time you visited youtube.com or twitter.com and saw a browser warning saying “Deceptive site ahead”? But, how much deceptive content have they spread? I don’t know, but I can tell you it’s several orders of magnitude more than my Mastodon site.

Legal • RSS



Stephen Brennan's Blog is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License