Why Google Chrome 17 is making small developers unhappy
In February 2012 Google introduced Chrome 17, and with it, enhancements to its Safe Browsing technology (these enhancements have persisted relatively unchanged in Chrome 18). You can read the official description of Safe Browsing here:
One of the enhancements is called Download Scanning Protection. This feature attempts to classify downloaded executables (EXE files and the like) as malicious or non-malicious using something akin to the following flawed set of policies:
- First, Chrome checks the file against a known whitelist of non-malicious executables (and publishers, according to the blog)
- If the file is not in the whitelist, Chrome sends the URL of the file, the IP of the host, the file’s hash and file size “and other metadata” to Google, without the user’s explicit knowledge or consent. (You can opt out in Under The Hood -> Enable phishing and malware protection, but it is enabled by default and its function is not fully explained to users when the application is started for the first time.) Google then uses heuristics to compare this data against previously indexed data from the web site / publisher in question, looking at the so-called “reputation” of executable files previously released from the same location, and determines whether the file is malicious. The verdict is reported back to the Chrome user: if the file is regarded as malicious, a warning and a ‘Discard’ button appear next to the download.
It would appear from other people’s experiences that after some undetermined amount of time – seemingly a number of days – any suspect files are downloaded and scanned for viruses or malware by Google, which then adds them to Chrome’s automatically updated whitelist if they are found to be problem-free. This process is entirely automatic.
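The flow described above can be modelled in a few lines. This is an added example, not Chrome's or Google's code: the hosts, scores, threshold and function names are constructed, the whitelist is keyed by file hash only, and a single per-host score stands in for Google's heuristics.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample data; none of it comes from Chrome or Google.
WHITELIST = {hashlib.sha256(b"well-known installer").hexdigest()}
HOST_REPUTATION = {"downloads.bigvendor.example": 0.95}
THRESHOLD = 0.5  # assumed cut-off for a "reputable" host


@dataclass
class Verdict:
    malicious: bool
    reason: str
    reported: dict = field(default_factory=dict)  # metadata sent off the machine


def classify(url: str, host_ip: str, content: bytes) -> Verdict:
    digest = hashlib.sha256(content).hexdigest()
    # Step 1: local whitelist lookup; a hit sends nothing.
    if digest in WHITELIST:
        return Verdict(False, "whitelisted")
    # Step 2: URL, host IP, hash and size go to the reputation service.
    reported = {"url": url, "ip": host_ip, "sha256": digest, "size": len(content)}
    score = HOST_REPUTATION.get(urlsplit(url).hostname)
    if score is None:
        return Verdict(True, "no download history for host", reported)
    # In this simplified model only the host's history decides the verdict.
    if score >= THRESHOLD:
        return Verdict(False, "reputable host", reported)
    return Verdict(True, "low host reputation", reported)


def delayed_scan(content: bytes, scan_is_clean: bool) -> None:
    # Days later: a clean scan result promotes the hash to the whitelist.
    if scan_is_clean:
        WHITELIST.add(hashlib.sha256(content).hexdigest())


if __name__ == "__main__":
    cases = [
        ("http://smallblog.example/tool.exe", "192.0.2.10", b"new legitimate tool"),
        ("http://downloads.bigvendor.example/setup.exe", "192.0.2.20", b"tampered build"),
    ]
    for url, ip, data in cases:
        print(url, classify(url, ip, data))
```

In this model the new tool from an unknown host is flagged until `delayed_scan` whitelists it, while the altered file on the established host passes, and both lookups report the download's metadata.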
This approach is problematic in three ways:
- Privacy: normal users are unknowingly exposed to having non-whitelisted portions of their executable file download activity automatically tracked by Google (they state that the information is deleted after two weeks).
- Security: there have been many instances in the past of infected files and other malicious content accidentally appearing on otherwise reputable sites. If the site already has a high reputation with Google, these files are automatically whitelisted, allowing them to slip through the net. It’s also possible for a site to be hacked and malicious files to be uploaded.
- Inconvenience to small developers and programming bloggers: I was disturbed to find that files from my blog were being marked as malicious by Chrome, when in Internet Explorer and Firefox they downloaded with no problems.
While all of these problems are relevant, it is the third that is of greatest concern to me. What we have here is a system that punishes new developers, those who create new web sites, and those who perhaps have only one product or produce specialist software that is not downloaded much. As a side note, the system also seems to be particularly biased against self-extracting executables, which for many vendors are a perfectly legitimate way of crunching a bunch of files down to a single-click download for the user without making them unzip an archive first.
Google must acknowledge one simple fact and change their policy accordingly:
Lack of evidence does not automatically imply lack of integrity
In the quest to protect users from themselves, I feel that Google have taken an overzealous angle here, one that should be re-evaluated.
What do you think? Post below.