A report released today by security experts from Sucuri and Unmask Parasites (UP) describes numerous instances where sites that handled password and credit card data via HTTP pages found themselves on Google's Safe Browsing blacklist.
As soon as those sites were moved to HTTPS, investigators said that Google removed the sites from the Google Safe Browsing blacklist.
Not all blacklisted sites were infected with malware
While some websites were infected with malware, experts said that in many cases the sites they were called in to investigate had no malware infection.
Initial requests to have these sites removed from the Safe Browsing blacklist were met with a refusal on Google's part, despite the lack of any malware or suspicious content. It was only after SSL was added to those sites that Google security experts cleared them to show up in search results and removed the scary "Deceptive Content" warning.
After some clever sleuthing on the researchers' part, they also realized that most of these cases happened with relatively new sites that hadn't had the chance to build a reputation. Domain age is important because most phishing sites operate from newly registered domains.
Google appears to be using HTTP status for Safe Browsing alerts
Putting all the clues together, Sucuri and UP experts believe that Google has started using a new combination of factors when blacklisting sites.
The first is the domain age, while the second is the presence of password or credit card input fields on HTTP pages.
In other words, Google was seeing newly registered domains being used to collect password and credit card data via HTTP, and it thought they were used for phishing.
Google has been pushing for HTTPS
While Google never publicly reveals how its Safe Browsing system actually works, it's no surprise to see Google take HTTPS usage into consideration when deciding whether a site is suspicious.
Since 2014, Google has been pushing for wider HTTPS adoption, promising to rank HTTPS sites above sites with similar content hosted on HTTP.
Back in February, Google rolled out Chrome 56, which started marking as "Not secure" all HTTP pages that contain password and credit card input fields.
As Sucuri and UP experts have noticed, it appears that Google is applying this same policy to the Safe Browsing system as well, and not just to Chrome.
"Enabling SSL on your website is a wise decision," says Sucuri's Cesar Anjos. "If you have a relatively new website and want to ensure that Google does not blacklist you for accepting form data, be sure to get SSL enabled on your website."
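A site owner can check their own pages for the condition the researchers describe: password or credit card fields reachable over HTTP. The following is an added example, not code from the Sucuri/UP report or from Google; the card-field heuristic and all names (`audit_page`, `CARD_HINTS`, the sample URL) are assumptions. It also flags a form on an HTTPS page whose action points to an HTTP URL, which goes one step beyond the case in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: card fields are approximated by autocomplete="cc-*" tokens or
# a card-like name/id; this is the example's heuristic, not Google's or Chrome's.
CARD_HINTS = ("cardnumber", "card_number", "card-number", "ccnum", "cvv", "cvc")

class SensitiveFieldAudit(HTMLParser):
    """Collects password/card inputs and the URL each one would be submitted to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = page_url  # inputs outside a <form> count against the page
        self.findings = []      # (kind, field name, submit URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = self._classify(a)
            if kind:
                name = a.get("name") or a.get("id") or "(unnamed)"
                self.findings.append((kind, name, self.action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = self.page_url

    @staticmethod
    def _classify(a):
        if a.get("type", "").lower() == "password":
            return "password"
        label = (a.get("name", "") + " " + a.get("id", "")).lower()
        if a.get("autocomplete", "").lower().startswith("cc-") or any(h in label for h in CARD_HINTS):
            return "card"
        return None

def audit_page(page_url, html):
    """Return sensitive fields that are served or submitted over plain HTTP."""
    parser = SensitiveFieldAudit(page_url)
    parser.feed(html)
    page_insecure = urlsplit(page_url).scheme == "http"
    return [f for f in parser.findings if page_insecure or urlsplit(f[2]).scheme == "http"]

# Constructed sample page (not from the report): a login form on an HTTP URL.
SAMPLE = '<form action="/login"><input name="user"><input type="password" name="pw"></form>'
if __name__ == "__main__":
    print(audit_page("http://new-site.example/signin", SAMPLE))
```

An empty result means no password or card field on that page is served or submitted over HTTP; it says nothing about how Safe Browsing will classify the site.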
Comments
GT500 - 6 years ago
Warning users that websites do not use secure connections (especially when sites transmit sensitive information over unencrypted connections) is a good thing. Browsers should implement a standard warning to show visitors when a website does not use a secure connection at all (especially when those sites have login forms and/or forms for personal/payment information). Since obtaining SSL certificates is no longer a major issue (thanks to services that offer them for free to those who need them) it shouldn't be an issue for website owners to implement HTTPS in most situations.
That being said, browser makers (such as Google) need to have resources to help website owners understand the importance of secure connections, and how to get started with getting SSL certificates and configuring web servers for HTTPS. It's not quite so useful (to the website owner or the users who visit the website) when a web browser mysteriously marks a website as dangerous and gives no explanation as to why.
Steve Holle - 6 years ago
HTTP sites are NOT safe even though they haven't been hacked...yet, they probably will be. How do I tell if an HTTP site has been hacked?