Naked Security

Google hits incorrigible sites with “Repeat Offender” tag

Google is toughening its Safe Browsing policies for sites that won't clean up their act

Google’s come up with a “naughty” tag for repeat offenders of its Safe Browsing search policy.

Starting on Tuesday, it’s set about flagging such sites as “repeat offenders,” giving them a 30-day time-out that prevents webmasters from simply stopping their bad behavior, showing Google their site is clean and then immediately resuming their hi-jinks.

Brooke Heinichen, from Google’s Safe Browsing Team, said in a post that the team has seen a “small number” of websites that run afoul of Google’s policies – including its Malware, Unwanted Software, and/or Phishing and Social Engineering policies – that stop the behavior for long enough to have the warnings removed, and then go right back to whatever they’d been doing.

Safe Browsing’s been around since 2005. In 2014, Google added unwanted software download alerts to Safe Browsing warnings, to give users a heads-up when software was doing something sneaky.

That could be switching your homepage or other browser settings to ones you don’t want, piggybacking on another app’s installation, or collecting or transmitting private information without letting a user know, for example.

Last December, Google extended the service to Chrome, to protect its free-range users.

Site operators whose sites fell foul of Google’s Safe Browsing policies were previously able to bring their site into compliance and then request an immediate review of it via Google’s Search Console.

Under the new Repeat Offenders policy, webmasters for sites flagged as a Repeat Offender won’t be able to request additional reviews via the Search Console before 30 days have elapsed.

During that month, users will see warnings when they visit the offending pages.

Repeat Offender site webmasters will be notified that their sites have been labeled as such via email to their registered Search Console email address.

This type of quarantine will only be applied to “those sites that repeatedly switch between compliant and policy-violating behavior for the purpose of having a successful review and having warnings removed,” Heinichen says.

Sites that have been hacked won’t be labeled as Repeat Offenders; rather, only those that “purposefully post harmful content.”

Google’s been hot for tagging risky sites lately. Besides the new Repeat Offenders tag, its years-long campaign to see all sites encrypted with HTTPS included a September announcement that, starting in January 2017, it would start slapping a warning on non-HTTPS sites.

Google said that starting with Chrome 56, password or credit card form fields on non-encrypted sites will be labeled “not secure.”

Then, in following releases, those HTTP warnings will be extended: for example, by labeling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy.

Eventually, all HTTP pages will be labeled non-secure, and the HTTP security indicator will change to the red triangle/exclamation mark that Google uses for broken HTTPS.
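Site operators who want to know ahead of Chrome 56 which of their pages will pick up the “not secure” label can check their own HTML for the two triggers the article describes: password fields and credit card fields served over plain HTTP. The checker below is an added example, not Google’s or Chrome’s code; it assumes the page URL and markup are supplied by the operator, and it approximates Chrome’s credit card detection (which uses its own heuristics) with the standard HTML `autocomplete` tokens for card data, which is a simplification.

```python
"""Find form fields that Chrome 56 labels "not secure" on non-HTTPS pages.

Added example. Assumes the caller supplies the page URL and its HTML;
credit-card detection is approximated via autocomplete="cc-*" tokens,
which is narrower than Chrome's own heuristics.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Standard autocomplete tokens for payment-card data (HTML living standard).
CARD_AUTOCOMPLETE = {
    "cc-name", "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year",
}


class SensitiveFieldFinder(HTMLParser):
    """Collects password and card inputs, remembering the enclosing form's action."""

    def __init__(self):
        super().__init__()
        self.fields = []          # one dict per sensitive <input>
        self._form_action = None  # action of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}   # boolean attrs arrive as None
        if tag == "form":
            self._form_action = a.get("action") or ""
            return
        if tag != "input":
            return
        kind = None
        if (a.get("type") or "").lower() == "password":
            kind = "password"
        elif (a.get("autocomplete") or "").lower() in CARD_AUTOCOMPLETE:
            kind = "credit-card"
        if kind:
            self.fields.append({
                "kind": kind,
                "name": a.get("name") or "",
                "form_action": self._form_action,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def sensitive_fields(html):
    """Return every password or card input found in the markup."""
    parser = SensitiveFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.fields


def chrome56_not_secure(page_url, html):
    """Fields Chrome 56 would flag: sensitive inputs on a page not served over HTTPS.

    A page delivered over HTTPS gets no label regardless of its inputs, so the
    result is empty for https:// URLs.
    """
    if urlparse(page_url).scheme.lower() == "https":
        return []
    return sensitive_fields(html)


# Constructed sample page: a login form plus a payment form.
SAMPLE_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pw" type="PASSWORD" required>
</form>
<form action="/pay" method="post">
  <input name="card" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
  <input name="zip" autocomplete="postal-code">
</form>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://shop.example/checkout", "https://shop.example/checkout"):
        flagged = chrome56_not_secure(url, SAMPLE_PAGE)
        print(f"{url}: {len(flagged)} field(s) would be labeled 'not secure'")
        for f in flagged:
            print(f"  {f['kind']:12} name={f['name']!r} form_action={f['form_action']!r}")
```

Run against a crawl of your own site, the `http://` result tells you which pages to migrate first; the `https://` result being empty is the point of the migration. The `postal-code` field is deliberately not reported, since only password and card data trigger the Chrome 56 label.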

Informing users of unsecured sites with tags is no doubt a step in the right direction.

But tags can be ignored. There’s nothing stopping users from clicking on an unsafe link, nor from ignoring Google’s subsequent warning page.

As it is, researchers have found that people ignore security alerts up to 87% of the time.

If Google progresses from this 30-day time-out to something more permanent – say, e-excommunication? – we’ll let you know.


2 Comments

This is a step in the right direction without any doubt, but the average user will always ignore every warning without even reading it… Surely many users should learn good practices.

This sounds like a good idea, but I am surprised that sites that get hacked are getting a free pass.

In my view, sites get hacked because they are not properly administered or because they are using low quality middleware. This sort of thing can easily creep up on a site admin, especially if they have many other responsibilities or if the site business owners don’t want to spend money on security.

However, getting hacked ought to be a wake-up call. The expected response for any well-run site should be a hardening of security so that future hacks are much more difficult.

If a site gets hacked a second time, then it implies that the wake-up call was not heard, the security hardening has not happened, and the site is not professionally run. In that case Google should definitely put the site on the repeat offenders list, until they sort themselves out and harden their site to eliminate any risk to their users.
