His central theme, though, is a bit misguided. I don't understand why 1) using opengraph, or 2) using a like button implies facebook should trust your link and whitelist it. Even pages with those integrations can be malicious.
In this actual case though, the notification link (generated from the commenting widget) seems to be malformed and is causing it to trip a security check. I've pinged a bunch of people about figuring out what is happening and getting it fixed. The guy sitting next to me is currently trying to repro.
As for convincing Google/Microsoft to warn users when visiting facebook.com because of security false-positives, I'll leave that discussion for you guys.
Why doesn't Google pop up similar warnings when you click on its search results?
-Because Google is dependent on the richness and abundance of third-party websites, for its search to be meaningful.
What is the objective of Facebook?
- To suck users into facebook.com, and sandbox them there. Similarly, the smaller objective of Facebook Social plugins is to lift the userbase from third party websites and move it into Facebook.
1. Google does warn in various ways when it detects possible badness. As it should.
2. We don't gate ALL links through such warnings. This can be verified by going to your news feed and clicking just about anything.
3. This is about a specific issue with notifications generated from comment widgets (a very common spam vector).
4. Detecting all badness via the domain name at "write-time" is not a sufficient solution to the malicious link problem.
5. Whatever that was, it wasn't reductio ad absurdum.
Additionally, Facebook has disallowed me from posting specific legitimate links. You've failed as a communication medium when you censor links. There was no indication that anything was wrong with these links that I shared with friends. There's no excuse for this practice.
Yet, at the same time, you allow seriously terrible practices on your own site, such as pages which require users to click on fake button images to do actions. It makes absolutely no sense how you are "policing" the integrity of your own site and the linking to other parts of the greater web.
Doesn't Google have this problem too, that detecting badness at "indexing time" is not a sufficient solution? The content of a site may change between their checks. No pop-ups are shown in between indexing times nevertheless.
With your abuse reporting volume, you should be able to almost instantly detect statistically significant malicious links, and remove them from your news feeds, should the content change to malicious after "write-time".
If a site appears to contain malicious content at time X but not at time Y, then I would PREFER to be notified that it is a dubious site until the site has earned back trust in some way. Continuing to warn users about a site that historically contained badness seems to me to be a FEATURE.
But I don't think that's the issue here. That facebook warning does not, as far as I know, get generated from a positive malware/spam/badness metric. It's just thrown up as a default action when someone links to an unblessed site on the web. That's what the poster doesn't like: it goes against the whole idea of hyperlinking.
I happen to run a well known service, and we encountered the malicious links problem. It has never even crossed our mind to display those pop-ups, instead we stop malicious links from being posted after a domain is reported or detected otherwise.
That being said, I'd eagerly await resolution of the bugs you've described.
I do not mean to suggest that use of OG or the like button should imply trust, but rather that crawling of a site by Facebook consistently over months or years should show whether it has ever been a bad actor, or whether it's ever been flagged by others as a site with ill intention; indeed, that's exactly what StopBadware et al. do.
I find it annoying as hell, but I took it as a bad UX decision and not a conspiracy.
I certainly feel that Anil's post could have benefited from at least a cursory application of Hanlon's razor.
† For those who don't know, the term "gaslighting" refers to a form of mental abuse where you undermine a person's confidence in their own perceptions and competence in order to retain their belief or loyalty. The typical example is an abusive husband who keeps his wife from leaving by making her feel like it's all her fault.
Do you actually believe the things you're saying? I'm struggling here.
(StopBadware actually doesn't flag sites at all.)
At the time it was being caused by McAfee, which (yes, dust off the anti-virus conspiracy theories) had flagged our domain as untrusted because our main virtual host (www.) was returning an HTTP 200 on a 404 Not Found page. Yes, that's the "security risk" they found. Sigh.
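The misconfiguration in the comment above (a "soft 404": the server sends a not-found page with a 200 status) is something reputation scanners treat as suspicious because it makes every URL on the host look like real content. The following is an added example, not code from this thread or from any product named in it, showing how to check your own host for it: a probe requests a path that cannot exist and flags the host if the reply is 200. The two `http.server` handlers are constructed stand-ins for the misconfigured and corrected virtual host; the helper names (`soft_404_check`, `fetch_status`, `serve`) are this example's own.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request

NOT_FOUND_PAGE = b"<h1>404 Not Found</h1>"


class SoftNotFoundHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the misconfigured vhost: every path,
    including unknown ones, is answered with HTTP 200."""

    KNOWN = {"/": b"<h1>home</h1>"}

    def do_GET(self):
        body = self.KNOWN.get(self.path, NOT_FOUND_PAGE)
        self.send_response(200)  # bug: status claims success for missing paths
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardNotFoundHandler(SoftNotFoundHandler):
    """Corrected handler: unknown paths get a real 404 status."""

    def do_GET(self):
        body = self.KNOWN.get(self.path)
        status = 200 if body is not None else 404
        if body is None:
            body = NOT_FOUND_PAGE
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def fetch_status(url):
    """Return the HTTP status for a GET, treating 4xx/5xx as a result, not an error."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def soft_404_check(base_url, fetch=fetch_status):
    """True if the host answers a path that cannot exist with HTTP 200.

    A random token is used so that no cached or previously crawled URL is hit.
    `fetch` is injectable so the check can be exercised without a network."""
    probe = f"{base_url.rstrip('/')}/__probe_{secrets.token_hex(8)}"
    return fetch(probe) == 200


def serve(handler):
    """Start a throwaway local server on a free port and return it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run the probe against both constructed servers; returns {name: flagged}."""
    results = {}
    for name, handler in (("soft", SoftNotFoundHandler), ("hard", HardNotFoundHandler)):
        srv = serve(handler)
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        results[name] = soft_404_check(base)
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())  # expected: {'soft': True, 'hard': False}
```

The check only looks at the status code, which is the signal a reputation scanner sees first; a host that serves a proper 404 (or 410) for unknown paths avoids the false positive described above without changing what users see.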