Why Google Chrome 17 is making small developers unhappy

In February 2012 Google introduced Chrome 17, and with it, enhancements to its Safe Browsing technology (these enhancements have persisted relatively unchanged in Chrome 18). You can read the official description of Safe Browsing here:

Chromium Blog: All About Safe Browsing

One of the enhancements is called Download Scanning Protection. This feature attempts to classify downloaded executables (EXE files and the like) as malicious or non-malicious using something akin to the following flawed set of policies:

  1. First, Chrome checks the file against a known whitelist of non-malicious executables (and publishers, according to the blog)
  2. If the file is not in the whitelist, Chrome sends the URL of the file, the IP of the host, the file’s hash and file size “and other metadata” to Google, without the user’s explicit knowledge or consent. (You can opt out in Under The Hood -> Enable phishing and malware protection, but it is enabled by default and its function is not fully explained to users when the application is started for the first time.) Google then uses heuristics to compare this data against previously indexed data from the web site / publisher in question, looking at the so-called “reputation” of previously released executable files from the same location, and determines whether the file is malicious. The verdict is reported back to the Chrome user: if the file is regarded as malicious, a warning and a ‘Discard’ button appear next to the download.

It would appear from other people’s experiences that after some undetermined amount of time – seemingly a number of days – any suspect files are downloaded and scanned for viruses or malware by Google, which then adds them to Chrome’s automatically updated whitelist if they are found to be problem-free. This process is entirely automatic.

This approach is problematic in three ways:

  1. Privacy: normal users are unknowingly exposed to having non-whitelisted portions of their executable file download activity automatically tracked by Google (they state that the information is deleted after two weeks).
  2. Security: there have been many instances in the past of infected files and other malicious content accidentally appearing on otherwise reputable sites. If the site already has a high reputation with Google, these files are automatically whitelisted, allowing them to slip through the net. It’s also possible for a site to be hacked and malicious files to be uploaded.
  3. Inconvenience to small developers and programming bloggers: I was disturbed to find that files from my blog were being marked as malicious by Chrome, when in Internet Explorer and Firefox they downloaded with no problems.
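A toy model of the two-step check and of the security and small-developer problems listed above, added here as an illustration. It is not Chrome's or Google's code, and the whitelist, host history, threshold, hostnames and IP addresses are all constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample data; none of these values come from Chrome or Google.
WHITELIST = {hashlib.sha256(b"well-known installer").hexdigest()}
HOST_HISTORY = {                      # host -> (clean, bad) downloads previously seen
    "downloads.bigvendor.example": (5000, 0),
    "smalldev.example": (0, 0),       # new site: no evidence either way
}
MIN_SAMPLES = 100                     # assumed threshold for "enough history"


def build_ping(url, host_ip, content):
    """Metadata the post says leaves the machine for a non-whitelisted file."""
    return {"url": url, "ip": host_ip,
            "sha256": hashlib.sha256(content).hexdigest(),
            "size": len(content)}


def server_verdict(ping):
    """Reputation-only decision: the file's bytes are never inspected here."""
    clean, bad = HOST_HISTORY.get(urlparse(ping["url"]).hostname, (0, 0))
    if clean + bad < MIN_SAMPLES:
        return "warn"                 # lack of evidence treated as lack of integrity
    return "allow" if bad / (clean + bad) < 0.01 else "warn"


def check_download(url, host_ip, content):
    """Return (verdict, ping); ping is None when nothing is sent."""
    if hashlib.sha256(content).hexdigest() in WHITELIST:
        return "allow", None          # step 1: local whitelist hit, no network request
    ping = build_ping(url, host_ip, content)   # step 2: metadata sent to the service
    return server_verdict(ping), ping


if __name__ == "__main__":
    cases = [
        ("https://smalldev.example/tool-setup.exe", "192.0.2.10", b"harmless new tool"),
        ("https://downloads.bigvendor.example/update.exe", "192.0.2.20", b"tampered build"),
        ("https://mirror.example/installer.exe", "192.0.2.30", b"well-known installer"),
    ]
    for url, ip, data in cases:
        verdict, ping = check_download(url, ip, data)
        print(f"{verdict:5}  sent={ping is not None}  {url}")
```

The new site's harmless file is warned about while the changed file on the high-reputation host is allowed, because the verdict depends on download history rather than on the file's contents.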

While all of these problems are relevant, it is the third that is of greatest concern to me. What we have here is a system that punishes new developers, those who create new web sites, and those who perhaps have only one product or produce specialist software that is not downloaded much. As a side note, the system also seems to be particularly bent against self-extracting executables, which for many vendors are a perfectly legitimate way of crunching a bunch of files down to a single-click download for the user without making them unzip an archive first.

Google must acknowledge one simple fact and change their policy accordingly:

Lack of evidence does not automatically imply lack of integrity

In the quest to protect users from themselves, I feel that Google have taken an overzealous angle here, that should be re-evaluated.

What do you think? Post below.

  1. fra
    September 1, 2012 at 22:25

    I agree completely. The smaller developers will be forced to find ways to enroll in the white list. I hope there’s a chance

  2. March 11, 2013 at 10:09

    Do you know of any way to submit files that are being falsely flagged as malicious?

    • March 12, 2013 at 00:19

      I don’t, but it seems that Google scans them within about a month. However we are on Chrome 24 now and they seem to have relaxed the checks somewhat and changed the wording to say that the file is ‘not downloaded often’ instead, and now allows the option to download, so the problem has more or less gone away.

      • April 18, 2013 at 11:15

        I’m on Chrome 26 and I still see the same malicious file warning

        • April 18, 2013 at 15:30

          Strange. I have no explanation for that.

  3. Jus
    May 9, 2013 at 04:07

    Google is a terrible corporation masquerading as anything but – they are absolute assholes.

  4. charmaine
    May 25, 2015 at 15:23

    Google Chrome, for some time over a year you keep on telling me to upgrade until one morning, my Google Gmail account was a mess!!!!!! So now I am forced to upgrade. What is it with upgrades and going backwards. NOW I cannot save a download/attachment. Is this the intention!!!!!!!!!!!!!!!!!!!!!!!!!!!
