
Ask HN: Google Chrome heuristic warnings pose threat to our business - Filecloud
Many businesses use our Enterprise File Sharing Product called FileCloud (http://www.tonido.com/filecloud). Think of it as a self-hosted alternative to Dropbox. With the latest Chrome update, the browser is showing a phishing warning (http://patch.codelathe.com/foruser/phish_1.jpg) with our installations. The warning is not based on the domain and it appears in our different customer installations. It has to be heuristic based because it generates the warning even on a debug/local webpage. The Chrome browser heuristically decides our login page is a phishing page and gives the wrong warning. We are trying to find if there are any published "guidelines" as to what legitimate web pages should NOT be doing to trigger these? Either there should be clear methods to resolve these warnings or Chrome should avoid doing this blanket-so-called-protection racket.
Because of Google’s missteps, our reputation as well as customer reputation got a hit. We have spent countless hours in our resources to see what is going on and all things point to heuristic decision making by the Chrome browser. There is no way to contact the Google Chrome team to resolve this issue. We have lost a few large deals. Now all our support team is pretty much focused on this issue and fielding queries from our customers.
Since our UI code (Developed in GWT) is common between our Enterprise and Consumer product (Tonido), if this error starts appearing in our consumer version (half a million users) it is an EXISTENTIAL RISK to our company that we have built over 5 years.
We have 2 questions.
1. How to get in touch with the Chrome team and solve the issue?
2. Are there any legal avenues or precedents to force Google to take action and claim compensation for lost business?
Please provide us with your suggestions.
P.S:  It is happening to our software today. It may happen to your products tomorrow.
======
mgevans
I just ran into this with some pages in our product as well. If you run Chrome
with '--enable-logging --v=2' the chrome_debug.log will contain messages from
the phishing classifier (search for 'phishing_classifier'). I was able to
tweak the wording on the page to drop the score below 0.5, but there are other
features that may be causing your problem.

You may need to restart the browser between edits, as it seems to cache the
classifier results by URL. It also skips classification for hosts with private
IPs, I had to jump through some hoops to test.

~~~
markshepard
Very nice! This will actually be very helpful in tracking this. Thank you.

~~~
markshepard
Here is the output snippet. Basically some "algorithm" thinks it has found
phishyness with some score above 0.5 and flags it. No clue as to what caused
it (We know that it can be triggered by simply changing the name of the
"Login" button to "Connexion"!!)

Must be nice to dream up some "algorithm" and push it out.. sigh

    [5570:1799:0701/133949:VERBOSE1:client_side_detection_host.cc(221)] Instruct renderer to start phishing detection for URL: http://dev1.codelathe.com/ui/core/index.html
    [5579:1799:0701/133949:VERBOSE2:phishing_classifier_delegate.cc(238)] Not starting classification, no Scorer created.
    [5579:1799:0701/133950:VERBOSE2:phishing_classifier_delegate.cc(238)] Not starting classification, no Scorer created.
    [5570:1799:0701/133954:VERBOSE2:client_side_detection_service.cc(255)] Sending phishing model to RenderProcessHost @0x7aa18a00
    [5570:1799:0701/133954:VERBOSE2:client_side_detection_service.cc(255)] Sending phishing model to RenderProcessHost @0x8043d620
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier_delegate.cc(283)] Starting classification for http://dev1.codelathe.com/ui/core/index.html
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: UrlTld=com = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageImgOtherDomainFreq = 0
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: UrlOtherHostToken=dev1 = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: UrlPathToken=html = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageLinkDomain=tonido.com = 1
    [5574:1799:0701/133954:VERBOSE2:phishing_classifier_delegate.cc(275)] Not starting classification, last url from browser is , last finished load is chrome-extension://jpjpnpmbddbjkfaccnmhnkdgjideieim/background.html
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: UrlPathToken=core = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageTerm=password = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageHasTextInputs = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageExternalLinksFreq = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageHasPswdInputs = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageSecureLinksFreq = 0
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageTerm=connexion = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: UrlDomain=codelathe = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: UrlPathToken=index = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageTerm=account = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageHasForms = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageNumScriptTags>1 = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageNumScriptTags>6 = 1
    [5579:1799:0701/133954:VERBOSE2:phishing_classifier_delegate.cc(211)] Phishy verdict = 1 score = 0.548927
    [5570:1799:0701/133954:VERBOSE2:client_side_detection_host.cc(447)] Feature extraction done (success:1) for URL: http://dev1.codelathe.com/ui/core/index.html. Start sending client phishing request.
    [5570:1799:0701/133954:VERBOSE2:client_side_detection_host.cc(415)] Received server phishing verdict for URL:http://dev1.codelathe.com/ui/core/index.html is_phishing:1
    [5570:1799:0701/133954:VERBOSE2:client_side_detection_service.cc(255)] Sending phishing model to RenderProcessHost @0x802b7ff0
    [5580:1799:0701/133954:VERBOSE2:phishing_classifier_delegate.cc(259)] Toplevel URL is unchanged, not starting classification.
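
An added example, not part of the original comments or of Chrome's code: a small parser for the `phishing_classifier` entries in `chrome_debug.log` that collects each run's features, score and verdicts, and diffs two runs so a page edit can be tied to the feature it removed. The sample log is constructed in the format of the trace above; the second run and its score are made up for illustration.

```python
import re

# Header of a Chrome log entry: [pid:tid:MMDD/HHMMSS:LEVEL:file.cc(line)]
HEADER = re.compile(r"\[(\d+):\d+:\d{4}/\d{6}:\w+:[\w.]+\(\d+\)\]")
START = re.compile(r"Starting classification for (\S+)")
FEATURE = re.compile(r"Feature: (\S+) = ([\d.]+)")
VERDICT = re.compile(r"Phishy verdict = (\d) score = ([\d.]+)")
SERVER = re.compile(r"Received server phishing verdict for URL:\s*(\S+) is_phishing:(\d)")

# Constructed sample: run 1 reuses values from the trace above, run 2 (pid 5601) is invented.
SAMPLE = """\
[5579:1799:0701/133954:VERBOSE2:phishing_classifier_delegate.cc(283)] Starting
classification for http://dev1.codelathe.com/ui/core/index.html
[5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageHasPswdInputs = 1
[5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageTerm=connexion = 1 [5579:1799:0701/133954:VERBOSE2:phishing_classifier.cc(192)] Feature: PageTerm=account = 1
[5579:1799:0701/133954:VERBOSE2:phishing_classifier_delegate.cc(211)] Phishy verdict = 1 score = 0.548927
[5570:1799:0701/133954:VERBOSE2:client_side_detection_host.cc(415)] Received server phishing verdict for URL:http://dev1.codelathe.com/ui/core/index.html is_phishing:1
[5601:1799:0701/140102:VERBOSE2:phishing_classifier_delegate.cc(283)] Starting classification for http://dev1.codelathe.com/ui/core/index.html
[5601:1799:0701/140102:VERBOSE2:phishing_classifier.cc(192)] Feature: PageHasPswdInputs = 1
[5601:1799:0701/140102:VERBOSE2:phishing_classifier.cc(192)] Feature: PageTerm=account = 1
[5601:1799:0701/140102:VERBOSE2:phishing_classifier_delegate.cc(211)] Phishy verdict = 0 score = 0.41
"""

def parse_entries(text):
    """Yield (pid, message); tolerates entries wrapped or run together when pasted."""
    text = " ".join(text.split())
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield int(h.group(1)), text[h.end():end].strip()

def classifier_runs(text):
    """Group entries into one record per classification run."""
    runs, current = [], {}  # current: renderer pid -> its open run
    for pid, msg in parse_entries(text):
        if m := START.fullmatch(msg):
            run = {"url": m.group(1), "features": {}, "score": None,
                   "client_phishy": None, "server_phishy": None}
            current[pid] = run
            runs.append(run)
        elif (m := FEATURE.fullmatch(msg)) and pid in current:
            current[pid]["features"][m.group(1)] = float(m.group(2))
        elif (m := VERDICT.fullmatch(msg)) and pid in current:
            current[pid]["client_phishy"] = m.group(1) == "1"
            current[pid]["score"] = float(m.group(2))
        elif m := SERVER.fullmatch(msg):
            # Logged by the browser process under its own pid, so match by URL.
            for run in reversed(runs):
                if run["url"] == m.group(1) and run["server_phishy"] is None:
                    run["server_phishy"] = m.group(2) == "1"
                    break
    return runs

def diff_features(before, after):
    """Features whose value differs between two runs; an absent feature counts as 0."""
    a, b = before["features"], after["features"]
    return {n: (a.get(n, 0.0), b.get(n, 0.0))
            for n in sorted(set(a) | set(b)) if a.get(n, 0.0) != b.get(n, 0.0)}

if __name__ == "__main__":
    first, second = classifier_runs(SAMPLE)
    print(first["score"], first["client_phishy"], first["server_phishy"])
    print(diff_features(first, second))
```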

~~~
miomyosky
Thanks for the really useful tip to look into Chrome's debug log.

First of all we see that this so called phishing detection filter's code is
found at
[http://src.chromium.org/svn/trunk/src/chrome/renderer/safe_b...](http://src.chromium.org/svn/trunk/src/chrome/renderer/safe_browsing/)

Second, this code and the logic it employs is really bull __ __.

The world wide web is not a kiddie playground especially for a browser, and
especially for a plugin whose job is to detect phishing. The way Chrome's
anti-phishing works is to use several foolish measures that mean nothing in
the real world and then 'punish' and push websites into oblivion when someone
crosses these arbitrary sets of rules.

The way the plugin appears to work is to look at various things

* The type of URL (IP vs domainname, number of subdomains, size of the subdomain names, the strings in the Path URL)
* Whether the page contains form data
* Whether the page contains password input box
* Whether the page contains checkboxes/radio boxes
* Whether the page text contains some terms (in this case 'connexion')
* Whether page has links/images to other domains

and so on.

None of these are _ANY_ indication of phishing behavior and if this set of
quackery based logic is what we see from Google Chrome, where else can we go
to really feel safe and protected?

~~~
hiddenfeatures
As much as I can understand you being upset that Chrome shows a warning for
your site, I don't think that the approach they are using is unreasonable.

I'd take bets that those criteria show a correlation to phishy sites.
Especially if you combine those metrics together.

Is it perfect? No. Does it produce false positives? Yes. Is it beneficial on
average? I think so.

PS: Since you have found the relevant file in the open source project (or
'kiddie playground' - as you like to call it), why don't you supply a
superior implementation with less "foolish" measures?

~~~
Filecloud
You are trivializing the underlying issue here. If the same thing happened in
a physical world it will be a high profile public defamation case.

The browser is the window through which people see the world. That’s the reality we
live in. In our target market, Google chrome holds 40% market share. Because
of its stupid categorization, in one stroke Google harmed our reputation and
the reputation of companies we serve. It is not a simple browser compatibility
issue. Google chrome is telling the world our software is phishing software
while we are not. What is the recourse here?

We don’t care what Chrome’s algorithms are. But the results are not factual
and it harms our business. "One cannot escape saying hey that is our
algorithm. We don’t do evil…" Remember.

~~~
hiddenfeatures
Believe me, I am empathetic to the pain this is causing you. I can understand
the anger you are feeling.

But I don't think that I am trivializing things. The fact is, that phishing
sites are causing a real pain (as in millions of dollars lost by the victims,
hundreds of thousands of computers becoming zombies, etc). All major browsers
are trying to mitigate these risks by implementing phishing & malware filters.
None of these implementations are perfect (you probably know a bit or two
about bugs in software development).

But on average these filters have a positive ROI - especially for the target
market (which is Joe WebUser and sadly NOT your company - or mine for that
matter). The costs of a false positive ("I'll go & find that information on
another site") far outweigh the costs of a false negative ("I put my
login+password into this legitimate looking website and now I can no longer
access PayPal").

------
smtddr
Hey there, I actually worked for a "competitor" of yours at one time in my
career. We had a very similar problem, turned out that one of our users
shared (probably unknowingly) a file containing malware and probably posted it
to their twitter or facebook (we had that feature built-in at the time). This
URL was caught by a very popular anti-virus company, which posted it on their
site. I guess the software phones-home to get all copies out there in sync. So
for awhile, anyone with this anti-virus software would get blocked on our
site's homepage for malware and/or phishing attempt. My somewhat-educated
guess would be that a customer of yours has hosted something that Google (or
whatever Google uses to get its info) considers shady. Our solution was first
to contact the company to get delisted, then I think we ended up changing
domains for the sharing stuff. Similar to dropbox's dl.dropbox.com for any
sharing stuff. Or maybe we did some kind of URL-shortener. But somehow, a
change to the URL's domain of anything that hosted user-generated content was
the solution to the problem, AFAIK.

~~~
Filecloud
Hi,

Our software is a little different. It is a self-hosted software. It is hosted
by our customers under different domain names in their infrastructure. So it
is not the same domain or URL.

For Example:

Customer 1: fileshare.abcplumbing.com

Customer 2: dataanywhere.peterlawfirm.com

That's the real problem here. It affects our customer installations under
different domains. To some extent, we are fine if google is blocking one
domain because somebody in the domain is sharing malware. The issue here is
different.

~~~
smtddr
Ah, we did have a feature sorta-kinda like that too... if you had your own
domain you login on our webUI, enter in your own domain and if no other user
had it, you'd get it. Then, you add a CNAME record pointing to us and we'd do
certain things when we received the request depending on settings the customer
provided during the domain-name setup. I think we used the Referrer in the
request-headers. So I could point portal.mypersonaldomain.com -> CNAME ->
whateverIchoose.yourcompetitor.com and get a custom page, kinda. If we had a
customer use a domain that CNAME pointed to us and had a history of
questionable content, I wonder if Google would follow the CNAME direct to see
where it's going and incorrectly(or correctly?!) decided bad stuff is
happening, thus marking the CNAME target as bad. Just my random'ish guess.
Hope you find the issue soon.

~~~
Filecloud
We are not a SaaS or PaaS business. The software itself is hosted by the end
customer in their infrastructure.

The warning appears even in local IP/debug page.

~~~
grey-area
Have you tried deleting things from your page till you work out what causes
the warning? Just start with a static copy of your page, and gradually delete
elements till you find the culprit. It shouldn't take long to go through
the elements of the page and work it out if this is some sort of
heuristic triggered by some element on your page and not based on the domain.

Another thing it could be is if you fetch any assets at all from your domain,
and the domain is blacklisted, that causes the warning regardless of the page
where it is hosted.

~~~
Filecloud
Yeap. We are doing exactly as you said. Hopefully we can find out.

------
blauwbilgorgel
Report an incorrect phishing warning at
[http://www.google.com/safebrowsing/report_error/](http://www.google.com/safebrowsing/report_error/)
.

    
    
      If you received a phishing warning but believe that this is
      actually a legitimate page, please complete the form below 
      to report the error to Google. Information about your 
      report will be maintained in accordance with Google's 
      privacy policy.
    

Try posting a thread on the Google forums and describe the false positive in
neutral terms:
[http://productforums.google.com/forum/#!forum/chrome](http://productforums.google.com/forum/#!forum/chrome)

Use Google Webmaster Tools for your product site and check for issues:
[https://www.google.com/webmasters/tools/home?hl=en](https://www.google.com/webmasters/tools/home?hl=en)

Try to come up with a reason why this may not be a false positive. Perhaps you
have trademark issues? etc.

More info:

[http://blog.chromium.org/2008/11/understanding-phishing-and-...](http://blog.chromium.org/2008/11/understanding-phishing-and-malware.html)
This includes the URL of the website you are visiting, as well
as the URL of any included resources (such as included JavaScript or Adobe
Flash movies)

[https://support.google.com/chrome/answer/99020](https://support.google.com/chrome/answer/99020)

[https://www.usenix.org/legacy/event/hotbots07/tech/full_pape...](https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/provos/provos.pdf)
[pdf] The Ghost In The Browser. Analysis of Web-based Malware (a paper to make
this post interesting to others)

~~~
Filecloud
Unfortunately we have done all that. It is not a domain issue or safe browsing
issue. The best analogy here is let us say a lot of customers run a default
drupal or joomla site under their domain and Google chrome shows these sites as
phishing sites.

~~~
blauwbilgorgel
Please host the HTML source of a page that throws a warning somewhere. And
mention the version of Chrome that gave the warning ( chrome://chrome/ ). Also
can you post the thread on the Google forums with a proper bug report? I can't
find it.

~~~
markshepard
Try [http://dev1.codelathe.com](http://dev1.codelathe.com)

Shows up now with Chrome v27.0.1453.116

~~~
jcase
Same version, no warning. Edit: Oops, had yet to read that it's now
temporarily whitelisted by google.

------
daave
I work at Google but not on this product.. so I escalated your issue to the
team that works on the anti-phishing classifier. They're looking into it now,
and put you on a temporary whitelist in the meantime (should take effect
within 30 mins).

~~~
Filecloud
Just one more thing. Since our product is self-hosted by our customers under
their own domain, white listing just our development domain is unlikely to
help our cause.

~~~
ISL
In fact, whitelisting would tend to hurt your debugging efforts.

~~~
markshepard
The whitelisting is already active for this domain now.

Trace showing server overriding the "Phishyness" verdict of the client

    [5760:1799:0701/150256:VERBOSE2:phishing_classifier_delegate.cc(211)] Phishy verdict = 1 score = 0.548927
    [5751:1799:0701/150256:VERBOSE2:client_side_detection_host.cc(447)] Feature extraction done (success:1) for URL: http://dev1.codelathe.com/ui/core/index.html. Start sending client phishing request.
    [5751:1799:0701/150256:VERBOSE2:client_side_detection_host.cc(415)] Received server phishing verdict for URL:http://dev1.codelathe.com/ui/core/index.html is_phishing:0

------
fotcorn
Have you tried to produce a minimal version of the software to show the
problem? If not do it now and post it on the Google Chrome Bug tracker:
[http://code.google.com/p/chromium/issues/list](http://code.google.com/p/chromium/issues/list)

Other contact forms:

Mailing Lists: [http://www.chromium.org/developers/discussion-groups](http://www.chromium.org/developers/discussion-groups)

IRC Channel: [http://dev.chromium.org/developers/irc](http://dev.chromium.org/developers/irc)

~~~
gcb0
That failing, get money for them blocking a competitor.

Before downvoting, take the time to explain how this would be different from
old good Google suing Microsoft just for not making their product use Google
easier than it already allowed.

~~~
jsun
this is HN, you can't get downvoted:)

~~~
emhart
I'm assuming some people are downvoting you to help disprove your point, but
to be clear, once you've reached a karma threshold you can downvote.

------
retube
Hmm that sucks. All I can suggest is you systematically remove content from
the page until the error stops - this way perhaps you can identify the
offending content (or combination of content which aggregates to an "offence")

~~~
Filecloud
There is no offending content here. We are not a SaaS company and we don't host
content. We provide shrink ware software to other companies which they use to
host content.

~~~
rallison
The person you are responding to is not talking about user-uploaded content.

------
toddmorey
External dependencies on that page? Anything being pulled from a domain that
might have made the list? It might not be specific to your page, it might be
on a JS library you are including.

~~~
tjohns
This was precisely my thought. If it's happening even on a local staging
server, it's highly likely that this is being caused by a third-party
dependency somewhere in your site. I'd start by looking at any JS libraries
you're loading.

------
pyvek
I opened
[http://dev1.codelathe.com/ui/core/index.html](http://dev1.codelathe.com/ui/core/index.html)
(URL in your screenshot) in Chrome (latest) but I'm not getting any phishing
warning.

~~~
vigneshv_psg
Same here. I'm in Chrome 28 beta.

~~~
Filecloud
The issue is much more complex. It appears in the latest live production
version. If any of you are part of Google chrome team we can show you.

------
alternize
I'm not seeing the phishing warning when visiting the url from the screenshot
using chrome v29.0.1547.0 dev-m.

Maybe you caught a malware on your computer. Did you try from different
machines?

~~~
Filecloud
We have checked with one of the latest beta builds. In that build it didn't
show the warning. It happens with the live chrome version. The issue is much
more complex.

~~~
coverband
On a Mac with current Chrome (Version 27.0.1453.116) hitting your sample dev
URL, I don't get any errors at all...

~~~
markshepard
It shows up now on Version 27.0.1453.116

------
markshepard
While I think chrome having strong anti fraud protection built in is nice, the
fact that there is no way to understand what constitutes "correct behavior"
and no clear way to get clarification is appalling.

It is essentially engineering how things should be developed, which still
could be tolerable if there are guidelines.

If an average user sees a red page indicating risk to a page, then that
site/page is essentially killed.

------
grey-area
Do you have an example page where this happens, like a demo login page? If so
it'd be a good idea to post it as at the moment there's no way for us to see
what you see and no way for people to help you work out what is wrong.

------
olalonde
If you are lucky, Matt Cutts
([https://news.ycombinator.com/user?id=Matt_Cutts](https://news.ycombinator.com/user?id=Matt_Cutts))
will read this and investigate with the Chrome team.

------
hitchhiker999
You may also be interested in this article:
[https://medium.com/surveillance-state/32ba2b38c219](https://medium.com/surveillance-state/32ba2b38c219)

~~~
Filecloud
Yeap. That summarizes our issue.

The next step for us is to hire PR and go public. We are spending 1500$ per
month on google adwords now.

Maybe use that money to get some legal help. In a physical world it is a
clear public defamation case.

~~~
ccleve
Get a lawyer. Send a demand letter to Google's corporate counsel that they
stop falsely identifying your software as dangerous. Fax, FedEx, and email it.
If they don't respond in 24 hours, have your lawyer file an emergency
injunction in federal court.

Google's failure to respond to issues like this is appalling, and it's
probably going to take a lawsuit and public embarrassment to get them to stop
being evil.

------
Filecloud
A request to YC mods. It seems like this post is getting flagged. This issue
is really a big risk for our startup and we will appreciate if you allow the
post to get the visibility it deserves.

