

Dropbox flagged as unsafe by IE - simcop2387
http://forums.dropbox.com/topic.php?id=52107

======
sirclueless
Title is a bit misleading. It's the site, www.dropbox.com, that is flagged.
Which might be reasonable, considering that people can and do host arbitrary
publicly accessible executables on dl.dropbox.com.

~~~
simcop2387
I actually had it complain about dl.dropbox.com also when grabbing a file for
work this morning. That's what made me post it here. IE wouldn't let me
download a file from "an untrusted site" without jumping through a few dialog
boxes.

EDIT: It looks like it's gotten some attention from MS at some point as it
seems to have cleared up now.

------
Miked_tradedesk
It actually looks like Microsoft flagged the amazonaws.com domain which
Dropbox uses for file storage. This impacted my company's services as well,
where we got flagged at around 2:00 am MT this morning. We were able to swap
our DNS over to point to the cloudfront.net DNS easily to get around the
issue. It only happens if you directly send the browsers to an amazonaws.com
CDN url.

------
Karunamon
Ugh.. this is the same problem that exists with Web of Trust. Too easily
gamed, entire sites hurtfully (and wrongfully) flagged.

The more cynical side of me would say that MS got a chuckle out of this. After
all, Dropbox is a competitor to SkyDrive.

~~~
dsl
I have assisted a number of companies in resolving these types of blocking
issues. In 100% of cases it was not any system being "gamed." The culprit is
always a hacked webserver hosting a phishing page, an open URL redirector
being used in a massive spam campaign, or something else equally evil.

Only in rare cases will the company in question sheepishly admit they fucked
up. Most of the time the site remains tight lipped, or blames $browservendor
and maintains their innocence.
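
An open URL redirector, one of the causes dsl lists, is worth seeing next to its fix. The following is an added example, not code from the thread, from Dropbox or from any browser vendor; `SITE_ORIGIN` and `ALLOWED_HOSTS` are assumptions for illustration. It shows the classic handler that trusts `?next=` verbatim, beside a hardened version that only accepts a same-origin path or an allowlisted host and rejects the usual bypasses (`//host`, backslash variants, `javascript:`, and `trusted@evil` userinfo tricks).

```python
"""Open redirector (vulnerable) beside a hardened redirect validator.

Added example, not from the original thread. SITE_ORIGIN and ALLOWED_HOSTS
are assumed values for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, urljoin

SITE_ORIGIN = "https://www.example.com"                # assumed site
ALLOWED_HOSTS = {"www.example.com", "dl.example.com"}  # assumed allowlist


def redirect_vulnerable(next_param: str) -> str:
    """The classic open redirector: Location: is whatever ?next= said.

    A spam campaign links to https://www.example.com/login?next=//evil.example/
    so the mail carries a trusted domain, and the trusted domain is what ends
    up on a reputation blocklist.
    """
    return next_param


def redirect_safe(next_param: str, default: str = "/") -> str:
    """Return a redirect target that stays on an allowed host, else default.

    Rejects non-http(s) schemes, scheme-relative "//host", backslash variants
    that browsers treat like "/", foreign hosts, and userinfo tricks such as
    "https://www.example.com@evil.example/".
    """
    if not next_param:
        return default
    # Browsers treat "\" like "/", so fold it before parsing; otherwise
    # "/\evil.example" would parse as a harmless-looking relative path.
    candidate = next_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme not in ("http", "https"):
        return default                      # javascript:, data:, vbscript:, ...

    if not parts.netloc:
        # urlsplit has already turned "//host" into a netloc, so only genuine
        # paths reach here; still require a leading "/" ("http:evil" does not).
        if not candidate.startswith("/"):
            return default
        return urljoin(SITE_ORIGIN + "/", candidate)

    if parts.username is not None or parts.password is not None:
        return default                      # "trusted@evil" style netloc
    host = parts.hostname                   # lower-cased, port stripped
    if host not in ALLOWED_HOSTS:
        return default
    # Rebuild from validated pieces rather than echoing the input.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for sample in ["/account?tab=files", "//evil.example/", "/\\evil.example/",
                   "https://www.example.com@evil.example/", "javascript:alert(1)",
                   "https://dl.example.com/file.zip", "http://evil.example/"]:
        print(f"{sample!r:45} vulnerable -> {redirect_vulnerable(sample)!r:40} safe -> {redirect_safe(sample)!r}")
```

The hardened version normalizes before it decides and rebuilds the URL from the validated parts, so whatever the parser did not understand cannot reach the `Location:` header.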

~~~
Karunamon
If you want to tell me WoT isn't gamed, install the toolbar and then go visit
the MPAA's website.

As far as malware goes, vendors should exclude domains which are basically
user-administrated file lockers. Someone uploading a file which may or may not
be sketchy should never be cause for blocking of the _entire freaking
subdomain_!

~~~
shabble
At which point, how do you identify which is a user-specific issue vs a site
or fractional-site wide one?

And who's responsible for building that list? Does the vendor have to add
things manually? Is there a submission process? How do you stop genuine
malware sites from hosting multiple copies on subdomains and claiming
innocence?

What about where you don't use subdomains, but a url structure like
example.com/user/file/?

Making exceptions always sounds like the easy option, until you have to try
doing it, and running it at any scale.
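
The granularity question above (whole host, one subdomain, or a path subtree like example.com/user/file/) can be made concrete. The following is an added illustration, not any vendor's list format or matching code; the blocklist entries and hostnames are constructed. Each entry is a host pattern plus a path prefix, and the matcher canonicalizes the URL first so that percent-encoding and `..` segments cannot dodge a path-level entry.

```python
"""Blocklist matcher with host, subdomain and path-prefix granularity.

Added example, not from the original thread or from any browser vendor.
The entries below are constructed for illustration.
"""
import posixpath
from urllib.parse import urlsplit, unquote

# (host pattern, path prefix):
#   host pattern  "host.example"   exact host only
#                 ".host.example"  that host and every subdomain under it
#   path prefix   "/"              everything on the matched host
#                 "/u/mallory/"    only that subtree (prefixes end with "/")
BLOCKLIST = [
    (".totallylegitfiles.example", "/"),        # whole site, all subdomains
    ("shared.filelocker.example", "/"),         # one subdomain of a file host
    ("dl.filelocker.example", "/u/mallory/"),   # one user's subtree on a file host
]


def canonicalize(url):
    """Return (host, path) in comparable form: lower-case host without a
    trailing dot, percent-decoded path with dot segments resolved, so that
    /u/alice/../mallory/x and /u/%6dallory/x both compare as /u/mallory/x."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = posixpath.normpath(unquote(parts.path) or "/")
    if not path.startswith("/"):
        path = "/" + path
    return host, path


def host_matches(host, pattern):
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def path_matches(path, prefix):
    # Append "/" so "/u/mallory" matches "/u/mallory/" while
    # "/u/malloryx/file" does not.
    return (path + "/").startswith(prefix)


def matching_entry(url, blocklist=BLOCKLIST):
    """Return the first blocklist entry covering url, or None."""
    host, path = canonicalize(url)
    for pattern, prefix in blocklist:
        if host_matches(host, pattern) and path_matches(path, prefix):
            return (pattern, prefix)
    return None


def is_blocked(url, blocklist=BLOCKLIST):
    return matching_entry(url, blocklist) is not None


if __name__ == "__main__":
    for sample in [
        "https://dl.filelocker.example/u/mallory/payload.exe",
        "https://dl.filelocker.example/u/alice/report.pdf",
        "https://dl.filelocker.example/u/alice/../mallory/x",
        "https://www.filelocker.example/",
        "https://shared.filelocker.example/anything",
        "http://cdn.totallylegitfiles.example/x",
        "http://nottotallylegitfiles.example/",
    ]:
        verdict = "BLOCK" if is_blocked(sample) else "allow"
        print(f"{verdict:5}  {sample:55}  {matching_entry(sample)}")
```

The point of the third entry is that a file host whose layout is `host/u/<user>/` can have one user's subtree listed without touching anyone else on the same host; the cost, as shabble notes, is that someone has to decide and maintain which hosts get that treatment.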

~~~
Karunamon
>At which point, how do you identify which is a user-specific issue vs a site
or fractional-site wide one?

Separate subdomains, having a human spend 30 seconds clicking around and
deciding "Oh, this is a file locker. Obviously not a malware host or infected
site. Whitelisted".

>And who's responsible for building that list? Does the vendor have to add
things manually? Is there a submission process?

The vendor. Which is how it's done already. So yes, and depends.

>How do you stop genuine malware sites from hosting multiple copies on
subdomains and claiming innocence?

This is Dropbox, not TotallyLegitFiles302.ru

I see what you're getting at, but something this high visibility (and
obviousness to pretty much everyone) points to something rotten in their
process somewhere.

Furthermore, it's more effective and efficient to just register a new domain
than to haggle (in broken English, another red flag) with the platform owner.

------
overshard
It's an interesting problem: should the site be flagged because you can host
viruses and such on the public folders, even though the site and company itself
is not malicious, its users might be.

~~~
woodall
I think that is treading down a slippery slope. Here,
<http://jsfiddle.net/a2zK5/>, I have used Imgur to host a bit of javascript;
this could be a blob or anything for that matter but this is only an example.
It's not Imgur's fault that this was uploaded, but if it got popular then the
easiest thing to do would be to block all requests to the site.

The real issue isn't what we don't allow/block, but what we do allow/let pass.

~~~
epikur
How would you go about fixing this vulnerability? Is MrGrim aware of it?

------
martingordon
This is similar to an issue I've come across in Chrome recently: I get asked
to enable the QuickTime plugin every time I access a site with QT (e.g., any
trailer on trailers.apple.com).

There's no way to disable this checking globally aside from using a command
line flag. If you hit the link for more information, you are taken to this
page
(<https://support.google.com/chrome/bin/answer.py?hl=en&answer=1247383>),
which states:

> Some plug-ins, such as Flash, are used by many websites on the Internet.
> Other plug-ins are only used by a small number of sites. Since plug-ins can
> occasionally be a security risk, Google Chrome now blocks plug-ins that are
> not widely used.

Which runs counter to the conventional wisdom that a larger installed base
means a larger attack target and seems a bit anti-competitive especially since
Google is trying to push WebM over the Apple-backed H.264 and the deal Google
made with Adobe to bundle Flash.

~~~
gcp
_seems a bit anti-competitive especially since Google is trying to push WebM
over the Apple-backed H.264_

Google Chrome still includes H.264 support. They said they were going to
remove it a year ago, but never did. There's no need to install plugins to
play H.264 video with Chrome.

PS. Pushing a royalty-free standard over a heavily patented one is anti-
competitive?

~~~
martingordon
The plan to remove H.264 support is probably why trailers.apple.com served up
an <object> rather than <video>.

When Chrome does lose H.264 support, I'll be using the QuickTime plugin even
more to play H.264 videos. Then, the only way for me to watch H.264 in Chrome
is by a plugin that is purposefully given an inferior user experience for a BS
reason. If security were the real reason, the Flash plugin should also get the
same treatment as QuickTime given its history of security flaws and crappy
performance (at least on OS X).

~~~
jsight
Flash should not be given the same treatment, because the browser itself
bundles an up to date version.

Nevertheless, the handling of QuickTime stinks. They should check the version
number and only disable if it is out of date. Their current approach is just
inviting complaints.

------
pflats
For whatever little it's worth, I just logged into my dropbox account on IE9
here at work with no issues; downloaded and uploaded .zip files without it
complaining.

Our settings are managed by policy, though, so I can't say what security
features are on/off. I've seen the Safe Browsing stuff before, though.

------
my8bird
maybe dropbox should run security checks on uploaded content that goes in the
public folder. if they are going to host it they should make sure it's safe.

of course this makes an assumption about why IE flagged Dropbox.
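
Both woodall's point (JavaScript uploaded to an image host and pulled in from elsewhere) and my8bird's (check what goes into a public folder before serving it) come down to the same two checks on the hosting side. The following is an added example, not code from the thread, from Dropbox or from Imgur; the "known bad" sample and its hash stand in for a real malware hash feed and are constructed here. It validates an upload's leading bytes against its declared type, flags anything with an executable signature for scanning regardless of extension, and builds the response headers that stop a browser from treating a hosted blob as script.

```python
"""Upload checks and safe serving headers for a public file host.

Added example, not from the original thread. KNOWN_BAD_SAMPLE and its hash
are constructed stand-ins for a malware hash feed.
"""
import hashlib
import re

# Leading-byte signatures for the types this check cares about.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-dosexec"),                    # DOS/Windows PE
    (b"\x7fELF", "application/x-elf"),                    # ELF binary
    (b"\xcf\xfa\xed\xfe", "application/x-mach-binary"),  # Mach-O 64-bit LE
    (b"\xfe\xed\xfa\xcf", "application/x-mach-binary"),  # Mach-O 64-bit BE
]
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-elf", "application/x-mach-binary"}
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}

# Constructed "known bad" sample; its hash stands in for a blocklist feed.
KNOWN_BAD_SAMPLE = b"MZ" + b"\x90" * 14 + b"constructed-known-bad-sample"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def sniff_type(data):
    """Type implied by the leading bytes, or None if nothing matched."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def check_upload(declared_type, data, hash_blocklist=KNOWN_BAD_SHA256):
    """Classify an upload as ("accept" | "quarantine" | "reject", reason).

    Order matters: a hash hit is definitive; then a declared image must carry
    a matching signature, so a JavaScript file cannot be stored as an "image";
    then anything with an executable signature, whatever its name or declared
    type, is held for scanning before it can be served publicly.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in hash_blocklist:
        return "reject", f"sha256 {digest} is on the blocklist"
    actual = sniff_type(data)
    if declared_type in IMAGE_TYPES:
        if actual != declared_type:
            return "reject", f"declared {declared_type}, content looks like {actual or 'text/unknown'}"
        return "accept", "image signature matches declared type"
    if actual in EXECUTABLE_TYPES:
        return "quarantine", f"{actual} executable: scan before public serving"
    return "accept", "no executable signature; serve as an opaque download"


def public_response_headers(filename, content_type):
    """Headers for serving an accepted public file.

    Validated images go out inline with their real type; everything else is
    an attachment with an opaque type. X-Content-Type-Options: nosniff makes
    the browser refuse to execute a <script src> that points at a resource
    served as an image or octet-stream, which is exactly how a blob uploaded
    to a file host gets used as script from some other page.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    headers = {"X-Content-Type-Options": "nosniff"}
    if content_type in IMAGE_TYPES:
        headers["Content-Type"] = content_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    samples = [
        ("cat.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
        ("cat.png", "image/png", b"alert(document.cookie)"),   # script as "image"
        ("tool.exe", "application/octet-stream", b"MZ\x90\x00" + bytes(60)),
        ("update.bin", "application/octet-stream", KNOWN_BAD_SAMPLE),
        ("notes.txt", "text/plain", b"hello world"),
    ]
    for name, declared, data in samples:
        verdict, reason = check_upload(declared, data)
        print(f"{name:12} {verdict:10} {reason}")
        if verdict == "accept":
            print("             ", public_response_headers(name, declared))
```

Hash lookup and signature checks are cheap and catch the cases in this thread; they are not a substitute for a real scanner on the quarantined items, and none of it helps if the host serves user files from the same origin as its own pages.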

------
nhebb
I got a Windows Firewall warning yesterday on a Win7 system. At the time I
thought it was a bit curious since I've been running Dropbox on that system
for a long time, but I'm guessing it was related to this issue.

------
its_so_on
people pick on Microsoft when they do the same thing Google does, just because
they suck at it. This goes for scores of things. Lesson: don't suck at what
you're trying to do, then you'll be treated specially.

www.google.com/search?&tbm=isch&q=google+chrome+malware+page

~~~
gcp
It doesn't help Microsoft that they have been beating their own drum about the
"superior" malware detection performance in Internet Explorer, as compared to
other browsers.

I already pointed out months ago that this was mostly an illusion due to their
greater amount of false positives:
<http://www.morbo.org/2011/08/note-on-malware-detection-performance.html>

~~~
billpatrianakos
Right, their superiority comes from flagging just about anything as dangerous.
Their whole approach to security seems to me like they're putting lipstick on
a pig. You can't go two seconds without Windows or IE throwing up some
security warning dialog box. Dialog boxes aren't security. Throw enough of
them at a user frequently enough and sooner or later the user just gets
frustrated and disregards them. Then you have users just clicking through
every time and eventually you actually _do_ end up with a virus.

Instead of throwing up more dialog boxes or making them look prettier or more
noticeable or just different they actually need to address the security of
their products. It seems like they're just being stubborn and instead of
rewriting what needs rewriting they wrap every security hole with new, ever
more annoying dialog boxes with every major release.

~~~
davux
SmartScreen addresses the security 'hole' that is the user itself. I'm curious
about what you are really asking them to address here? I'm not seeing a
solution other than for the OS to only run signed code. What OS is secure from
arbitrary executables that the user chooses to run?

I agree that it is annoying, but I'm very interested to hear what they should
be addressing here.

------
mikecrowl
Wow, reading the comments over at Dropbox was a real rollercoaster ride.

I kept thinking, "Will this ever get resolved?"

