Safe Browsing

A report released today by security experts from Sucuri and Unmask Parasites (UP) describes numerous instances where sites that handled password and credit card via HTTP pages found themselves on Google's Safe Browsing blacklist.

As soon as those sites were moved to HTTPS, investigators said that Google removed the sites from the Google Safe Browsing blacklist.

Not all blacklisted sites were infected with malware

While some websites were infected with malware, experts said that in many cases the sites where they were called in to investigate had no malware infection.

Initial requests to have these sites removed from the Safe Browsing blacklist were met with a refusal on Google's part, despite the lack of any malware or suspicious content. It was only after SSL was added to those sites that Google security experts cleared them to show up in search results and removed the scary "Deceptive Content" warning.

After some clever sleuthing on the researchers' part, they also realized that most of these cases happened with relatively new sites that hadn't had the chance to build a reputation. Domain age is important because most phishing sites operate from newly registered domains.

Google appears to be using HTTP status for Safe Browsing alerts

Putting all the clues together, Sucuri and UP experts believe that Google has started using a new combination of factors when blacklisting sites.

The first is the domain age, while the second is the presence of password or credit card input fields on HTTP pages.

In other words, Google was seeing newly registered domains being used to collect password and credit card data via HTTP, and it thought they were used for phishing.

Google has been pushing for HTTPS

While Google never publicly reveals how its Safe Browsing system actually works, it's no surprise seeing Google take into consideration the usage on HTTPS into deciding if a site is suspicious or not.

Starting with 2014, Google has started pushing for wider HTTPS adoption, promising to rank HTTPS sources above sites with similar content, but hosted on HTTP.

Back in February, Google rolled out Chrome 56, which started marking as "Not secure" all HTTP pages that contain password and credit card input fields.

As Sucuri and UP experts have noticed, it appears that Google is also applying this same policy to the Safe Browsing system as well, and not just Chrome.

"Enabling SSL on your website is a wise decision," says Sucuri's Cesar Anjos. "If you have a relatively new website and want to ensure that Google does not blacklist you for accepting form data, be sure to get SSL enabled on your website."