

When Google (Chrome) oversteps its authority - c3d
http://grenouillebouillie.wordpress.com/2013/01/17/when-google-oversteps-its-authority/

======
justinschuh
Safebrowsing's malicious download detection uses a large number of factors to
attempt to determine if something is dangerous, but the full analysis by
necessity takes a bit of time. So, for a new unknown download, all it can do
immediately is check for best practices that can include: a valid code
signature, a known software publisher, secure file delivery, and source
site(s) reputation. Even failing this, the warning for an unknown executable
is not that it's malware, but that it "is not commonly downloaded and could be
dangerous."

So, a cursory look shows that the installer referenced in this blog post has
no signature and isn't being served securely. That means the user (and
SafeBrowsing) has no way of knowing if the correct file is even being served,
or if it was (for example) replaced by a man-in-the-middle attack. That hurts
a file's initial reputation, and since Safebrowsing hasn't had a chance to
fully analyze the file, it's pretty much indistinguishable from malware at
this stage. However, once the file works its way through the pipeline and has
a chance to establish reputation, a safe file will eventually be marked as
such.

For anyone who wants to eliminate latency with Safebrowsing, the solution is
really just common best practices for software distribution: sign your
packages, serve them securely, and maintain a safe site. For the safety of
your users in general, this is stuff you really should be doing anyway.
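A small Python model of the two-stage decision the comment above describes, added here as an illustration; it is not Google's or Chrome's code, and the signal names and the simple all-or-nothing rule are assumptions made for the example:

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class DownloadSignals:
    """Constructed, hypothetical set of signals; field names are assumed."""
    url: str                      # where the installer was fetched from
    has_valid_signature: bool     # valid code signature on the file
    publisher_known: bool         # signer is a known software publisher
    site_reputation_ok: bool      # source site(s) have a clean reputation
    analysis_complete: bool       # the slower full analysis has finished
    analysis_found_malware: bool  # result of that analysis, if complete


WARN_UNCOMMON = "is not commonly downloaded and could be dangerous"


def served_securely(url: str) -> bool:
    """Secure file delivery: the installer must come over HTTPS."""
    return urlparse(url).scheme.lower() == "https"


def download_verdict(s: DownloadSignals) -> str:
    """Return 'safe', 'malware', or the uncommon-download warning text.

    Before the full analysis completes, only the cheap best-practice checks
    are available; failing any of them yields the 'uncommon' warning, not a
    malware verdict. Once analysis has run, its result decides.
    """
    if s.analysis_complete:
        return "malware" if s.analysis_found_malware else "safe"
    best_practices = (
        s.has_valid_signature
        and s.publisher_known
        and served_securely(s.url)
        and s.site_reputation_ok
    )
    return "safe" if best_practices else WARN_UNCOMMON


def publisher_checklist(s: DownloadSignals) -> list[str]:
    """What a publisher should fix to avoid the warning, per the comment."""
    todo = []
    if not s.has_valid_signature:
        todo.append("sign the package")
    if not served_securely(s.url):
        todo.append("serve it over HTTPS")
    if not s.site_reputation_ok:
        todo.append("maintain a safe site")
    return todo
```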

