Parts of website blocked by Google Safe Browsing?

Hi Jan,
FYI, I just downloaded SWI 8.15. binaries for Mac, and Safari raised a red flag, too.
Really annoying, to see how Google wants to take control on us.

1 Like

Hi new commenter, I just wanted to say that I am seeing it blocking the downloads page in both Chrome and Firefox and it is blocking the downloaded files until you choose to enable them. In order to get the files I had to click to get past the block, download the file and then go to downloads and click through a second warning.

1 Like

Thanks for reporting. It seems most browsers implement the Google Safe Browsing API, which is at the root of these reports. They base themselves on a number of virus/malware scanners. Such beasts look for patterns in binaries to identify malware. As there are so many of these patterns this leads to false positives for arbitrary safe binaries. Virus reports on the SWI-Prolog binaries were common before this and so far all have proven to be false. Just, this new way of browsers to warn is a bit offensive :frowning:

@jan have you tried the google webmaster account? as described on the stopbadware site:

  • If Google is the only data provider blacklisting your site, you can request a malware review in your Google Webmaster Tools dashboard. No account? You can sign up for free. A malware review from Webmaster Tools is the fastest way to remove your site from Google’s blacklist.

Could this be the solution?
The other links in the source code point to the www version, the “working one”
Until the nginx server is fixed this could be the solution.
The anti malware software could be setting an alert on the failing url.
This change should probably be done anyway, since the non www url does not work,
so it could be worth a try

Today I went to download the latest swipl-devel for mac. Got this same thing when I went on the Development version page. OK, ignore warnings go to page. Click the mac os package, it downloads and then "swipl-8.1.15....dmg" is dangerous, so Chrome has blocked it. Ook, let me try downloading the source and building it. I download the source, it downloads and then “swipl-8.1.15.tar.gz is dangerous, so Chrome has blocked it.” Well! So I used wget to download the mac binary. But that is scary! Also very weird that it says the source code tar is dangerous

It seems to be getting worse :frowning: The party to blame is Google though :frowning: Best we can probably do is make noise and report (see Parts of website blocked by Google Safe Browsing?)

I’ve returned from holidays. Found a beautiful owl :slight_smile: See below. Resolving the safe browsing issue is quite high on the priority list. I checked the site with Google SearchConsole, which currently only triggers on swipl-8.1.15-1.x86.exe. I’ve reported this file and asked how we should tackle this.

So far, besides trying to fix this with Google we have these suggestions:

  • Host Windows downloads elsewhere. I think this is rather undesirable as we can’t make direct links to this location without being trapped by the same problem, indirect links make the process less transparent and may not fix the problem anyway as the externally hosted download pages probably get flagged as well. After all, the issue is that an arbitrary binary often gets flagged as a false positive by a couple of virus and malware checkers and SWI-Prolog is not a top-5000 website in the world (I’ve read these sites have special status).

  • Create an indirection on our website, hosting Windows binaries from a separate page. This too doesn’t make the experience any better :frowning:

While considering to implemented the second anyway it also crossed my mind that we can have an intermediate page/popup that Google cannot follow before the actual download. I might do that as a first step. The biggest disadvantage is that this hinders another popular anti-malware measure: if a binary changes or appears on the internet with the same name but different content this (used to be) flagged as suspicious.

Opinions? Other options?

7 Likes

It may help to link to virus scan results for the Windows installers. For example, the current stable version is available as a Chocolatey package and it’s page provides links to those scan results:

https://chocolatey.org/packages/SWI-Prolog

The scan results use the SHA256 checksum as a tag providing a way for the user to confirm that the downloaded installer is the same that was scanned.

1 Like

Thanks! Didn’t know about choco. It only has the stable versions though :frowning: It shows how to call virustotal for a package. I’ll try to add that.

Implemented and pushed that. This doesn’t remove the red flags on the download pages for now. I hope to get that resolved with Mozilla and/or Google. Changing the download location is of course an option, but breaks a lot of links out there. The new policy is this:

  • Any .exe is linked from the pages as .exe.envelope

  • A file *.envelope opens a page like this:

  • Clicking the checkbox runs a little JavaScript that activates the actual download link.

Improvements/comments/… welcome!

3 Likes

Quibbles:
s/therefore classify our binaries often as malware/therefore often classifies our Windows binaries as malware/
s/large number of antivurus softwares/large number of antivirus programs/
or “software” - the plural of “software” is “software”.

Also, an owl for you: https://twitter.com/ccroucher9/status/1191447962850750465

Thanks. Fixed. Also added the SHA256 to the actual download as well as a direct link to the virustotal analysis. At this moment both Chrome and FF open the download pages without issues! With these changes we hopefully bypass Google Safe Browsing, but in the case of failure only a single file should be blocked rather than the entire download pages. Fingers crossed!

:slight_smile: Real owls are not that cute though :slight_smile:

Status

Right now it seems we are back in business again. I’ve reported several more files at
https://safebrowsing.google.com/safebrowsing/report_error/?hl=en. It typically takes about half a day before the file is considered safe again. It seems most (all?) files in the download area are currently ok.
If you find another blacklisted file, please report using the link above. It is just a copy/paste and click. No explanation seems to be needed.

I don’t know how a reported file is processed. Possibly there is something in our sources that causes a too generic malware signature to trigger and they fixed the signature. Possibly they just whitelist the individual file.

The interesting thing is what is going to happen in the future. Will new signatures at some point cause most of our old downloads to be blacklisted again? Will we only have accidental issues with new releases? The latter seems bearable, especially when they are fixed in half a day or so. The former is not as it takes a long time to gather and report all the files and in the meanwhile we suffer badly

The extra download indirection should prevent the entire download site from being blacklisted and the link to a virus scanner is a nice addition IMO.

5 Likes

All I can say is this:

3 Likes

Jan, you miss all the cute owls by ignoring the Twitter feed!

Now the latest window update blocks again SWI-Prolog install.
But you can click “further informations” and then enable it.

For more security I want to disable as many components as possible.
But the installer allows me to even disable the core components.
What I then get when

I have installed SWI-Prolog:

+- D:\Software\Logic\swipl
    +- Uninstall.exe

Thats all. Could the installer provide some hints what the minimal
components are to have a Prolog top-level without any extras?
Those beginning with “core_” ?

Some installers either disable unchecking core components
or have a different visual for what is the core.

Just tried downloading the x64 version from the devel page. No warnings. Using FF, but all browsers seem to get the info from the same place. Send the url to the virustotal checker which gave 1 false positive classifying as phishing

Kidding? You either trust SWI-Prolog binaries or you don’t. The extensions through exactly the same process as the core. You can of course review the code and compile it yourself :slight_smile:

I think the only thing you really need is Core system. By todays standards the system is so small that we should possibly skip the selection altogether …

1 Like

We had a complaint on twitter this morning swi-prolog.org from a mobile site "this website may be impersonating “swi-prolog.org” to steal your personal or financial information. You should…

And, now I can see it - https:// firefox 72.0.2 from Utrecht is warning potential security risk ahead.

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for swi-prolog.org. The certificate is only valid for the following names: *.ops.few.vu.nl, *.ops.labs.vu.nl, ops.few.vu.nl, ops.labs.vu.nl

Error code: SSL_ERROR_BAD_CERT_DOMAIN

View Certificate

1 Like