Dropbox flagged as unsafe by IE (dropbox.com)
107 points by simcop2387 on Jan 23, 2012 | hide | past | favorite | 25 comments


Title is a bit misleading. It's the site, www.dropbox.com, that is flagged. Which might be reasonable, considering that people can and do host arbitrary publicly accessible executables on dl.dropbox.com.


I actually had it complain about dl.dropbox.com also when grabbing a file for work this morning. That's what made me post it here. IE wouldn't let me download a file from "an untrusted site" without jumping through a few dialog boxes.

EDIT: It looks like it's gotten some attention from MS at some point as it seems to have cleared up now.


Would hosting user content on a different domain (eg: dropbox.net) shield the main dropbox.com domain from being flagged?


It actually looks like Microsoft flagged the amazonaws.com domain which Dropbox uses for file storage. This impacted my company's services as well, where we got flagged at around 2:00 am MT this morning. We were able to swap our DNS over to point to the cloudfront.net DNS easily to get around the issue. It only happens if you directly send the browsers to an amazonaws.com CDN url.


Ugh.. this is the same problem that exists with Web of Trust. Too easily gamed, entire sites hurtfully (and wrongfully) flagged.

The more cynical side of me would say that MS got a chuckle out of this. After all, Dropbox is a competitor to SkyDrive.


I have assisted a number of companies in resolving these types of blocking issues. In 100% of cases it was not any system being "gamed." The culprit is always a hacked webserver hosting a phishing page, an open URL redirector being used in a massive spam campaign, or something else equally evil.

Only in rare cases will the company in question sheepishly admit they fucked up. Most of the time the site remains tight lipped, or blames $browservendor and maintains their innocence.


If you want to tell me WoT isn't gamed, install the toolbar and then go visit the MPAA's website.

As far as malware goes, vendors should exclude domains which are basically user-administrated file lockers. Someone uploading a file which may or may not be sketchy should never be cause for blocking of the entire freaking subdomain!


At which point, how do you identify which is a user-specific issue vs a site or fractional-site wide one?

And who's responsible for building that list? Does the vendor have to add things manually? Is there a submission process? How do you stop genuine malware sites from hosting multiple copies on subdomains and claiming innocence?

What about where you don't use subdomains, but a url structure like example.com/user/file/?

Making exceptions always sounds like the easy option, until you have to try doing it, and running it at any scale.


>At which point, how do you identify which is a user-specific issue vs a site or fractional-site wide one?

Separate subdomains, having a human spend 30 seconds clicking around and deciding "Oh, this is a file locker. Obviously not a malware host or infected site. Whitelisted".

>And who's responsible for building that list? Does the vendor have to add things manually? Is there a submission process?

The vendor. Which is how it's done already. So yes, and it depends.

>How do you stop genuine malware sites from hosting multiple copies on subdomains and claiming innocence?

This is Dropbox, not TotallyLegitFiles302.ru

I see what you're getting at, but something this high visibility (and obvious to pretty much everyone) points to something rotten in their process somewhere.

Furthermore, it's more effective and efficient to just register a new domain than to haggle (in broken English, another red flag) with the platform owner.


Try http://www.webutation.net/go/review/dropbox.com?req=bkmlet - it has more sources. Google broke its complete Safe Browsing a few months ago too, the same way!


It's an interesting problem: should the site be flagged because you can host viruses and such in the public folders, even though the site and company itself is not malicious, its users might be?


I think that is treading down a slippery slope. Here, http://jsfiddle.net/a2zK5/ , I have used Imgur to host a bit of javascript; this could be a blob or anything for that matter, but this is only an example. It's not Imgur's fault that this was uploaded, but if it got popular then the easiest thing to do would be to block all requests to the site.

The real issue isn't what we don't allow/block, but what we do allow/let pass.


How would you go about fixing this vulnerability? Is MrGrim aware of it?


This is similar to an issue I've come across in Chrome recently: I get asked to enable the QuickTime plugin every time I access a site with QT (e.g., any trailer on trailers.apple.com).

There's no way to disable this checking globally aside from using a command line flag. If you hit the link for more information, you are taken to this page (https://support.google.com/chrome/bin/answer.py?hl=en&an...), which states:

> Some plug-ins, such as Flash, are used by many websites on the Internet. Other plug-ins are only used by a small number of sites. Since plug-ins can occasionally be a security risk, Google Chrome now blocks plug-ins that are not widely used.

Which runs counter to the conventional wisdom that a larger installed base means a larger attack target and seems a bit anti-competitive especially since Google is trying to push WebM over the Apple-backed H.264 and the deal Google made with Adobe to bundle Flash.


> seems a bit anti-competitive especially since Google is trying to push WebM over the Apple-backed H.264

Google Chrome still includes H.264 support. They said they were going to remove it a year ago, but never did. There's no need to install plugins to play H.264 video with Chrome.

PS. Pushing a royalty-free standard over a heavily patented one is anti-competitive?


The plan to remove H.264 support is probably why trailers.apple.com served up an <object> rather than <video>.

When Chrome does lose H.264 support, I'll be using the QuickTime plugin even more to play H.264 videos. Then, the only way for me to watch H.264 in Chrome is by a plugin that is purposefully given an inferior user experience for a BS reason. If security were the real reason, the Flash plugin should also get the same treatment as QuickTime given its history of security flaws and crappy performance (at least on OS X).


Flash should not be given the same treatment, because the browser itself bundles an up to date version.

Nevertheless, the handling of QuickTime stinks. They should check the version number and only disable if it is out of date. Their current approach is just inviting complaints.


For whatever little it's worth, I just logged into my dropbox account on IE9 here at work with no issues; downloaded and uploaded .zip files without it complaining.

Our settings are managed by policy, though, so I can't say what security features are on/off. I've seen the Safe Browsing stuff before, though.


I got a Windows Firewall warning yesterday on a Win7 system. At the time I thought it was a bit curious since I've been running Dropbox on that system for a long time, but I'm guessing it was related to this issue.


Maybe Dropbox should run security checks on uploaded content that goes in the public folder. If they are going to host it, they should make sure it's safe.

Of course, this makes an assumption about why IE flagged Dropbox.
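The two ideas raised above (screening what lands in a public folder, and the earlier comment's point that an image host can be made to serve script) both come down to looking at the bytes rather than the filename. The following is an added example, not Dropbox's or Imgur's code: it sniffs the leading bytes of an upload for native executables, scripts and active HTML, compares that with the claimed extension, and returns whether the file may be served inline, must be served as a download, or should be held for review. The format signatures, the `Verdict` structure and the sample inputs are all constructed for illustration.

```python
"""Magic-byte screening for files dropped into a public folder.

Added example, not Dropbox code: it decides from the content (not the
filename) whether a file may be served inline from the public folder,
must be served as a plain download, or should be held for review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Leading-byte signatures of native executables (constructed list; extend
# for whatever your threat model needs).
_EXECUTABLE_MAGIC = {
    b"MZ": "pe",                      # Windows PE/COFF (.exe, .dll, .scr, ...)
    b"\x7fELF": "elf",                # Linux/Unix ELF
    b"\xfe\xed\xfa\xce": "macho",     # Mach-O 32-bit
    b"\xfe\xed\xfa\xcf": "macho",     # Mach-O 64-bit
    b"\xcf\xfa\xed\xfe": "macho",     # Mach-O 64-bit, byte-swapped on disk
    b"\xca\xfe\xba\xbe": "macho-fat", # Mach-O universal (also Java .class)
}
_IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
_IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
# Active content that a browser would render if served inline.
_HTML_RE = re.compile(rb"<\s*(html|script|iframe|object)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    kind: str    # detected format: pe, elf, macho, png, jpeg, gif, script, html, unknown
    action: str  # "serve" (inline), "attachment" (download only) or "hold" (review)
    reason: str


def sniff(data: bytes) -> str:
    """Return the format implied by the content, ignoring the filename."""
    head = data[:16]
    for magic, kind in _EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    for magic, kind in _IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head.startswith(b"#!"):
        return "script"
    if _HTML_RE.search(data[:2048]):
        return "html"
    return "unknown"


def classify_upload(filename: str, data: bytes) -> Verdict:
    """Decide how (or whether) a public-folder upload may be served."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ("pe", "elf", "macho", "macho-fat", "script"):
        # Native code or a script: hold it for review, whatever it is named.
        return Verdict(kind, "hold", f"{kind} content uploaded as .{ext or '?'}")
    if kind == "html":
        # Active content (the image-host-as-script-host trick): force a download
        # so a browser never renders it under the file host's origin.
        return Verdict(kind, "attachment", "active content, serve as download only")
    if kind in ("png", "jpeg", "gif"):
        if ext in _IMAGE_EXTS:
            return Verdict(kind, "serve", "image matches its extension")
        return Verdict(kind, "attachment", f"image bytes with .{ext or '?'} extension")
    return Verdict(kind, "attachment", "unrecognised format, serve as download only")


if __name__ == "__main__":
    # Constructed sample uploads; the bytes are hand-built, not real files.
    samples = [
        ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("photo.png", b"MZ\x90\x00"),                    # renamed executable
        ("cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
        ("pic.gif", b"<html><script>alert(1)</script>"),  # script hiding as an image
        ("run.sh", b"#!/bin/sh\necho hi\n"),
        ("notes.txt", b"hello world"),
    ]
    for name, blob in samples:
        v = classify_upload(name, blob)
        print(f"{name:12} {v.kind:10} {v.action:11} {v.reason}")
```

Anything that is not positively identified as a harmless format is served as a download rather than rendered, which is the cheap half of the problem; holding native executables for review is the expensive half, and it is exactly the part the browser vendors' reputation systems are reacting to when they flag a whole host.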


People pick on Microsoft when they do the same thing Google does, just because they suck at it. This goes for scores of things. Lesson: don't suck at what you're trying to do, then you'll be treated specially.

www.google.com/search?&tbm=isch&q=google+chrome+malware+page


It doesn't help Microsoft that they have been beating their own drum about the "superior" malware detection performance in Internet Explorer, as compared to other browsers.

I already pointed out months ago that this was mostly an illusion due to their greater amount of false positives: http://www.morbo.org/2011/08/note-on-malware-detection-perfo...


Right, their superiority comes from flagging just about anything as dangerous. Their whole approach to security seems to me like they're putting lipstick on a pig. You can't go two seconds without Windows or IE throwing up some security warning dialog box. Dialog boxes aren't security. Throw enough of them at a user frequently enough and sooner or later the user just gets frustrated and disregards them. Then you have users just clicking through every time and eventually you actually do end up with a virus.

Instead of throwing up more dialog boxes or making them look prettier or more noticeable or just different they actually need to address the security of their products. It seems like they're just being stubborn and instead of rewriting what needs rewriting they wrap every security hole with new, ever more annoying dialog boxes with every major release.


SmartScreen addresses the security 'hole' that is the user itself. I'm curious about what you are really asking them to address here? I'm not seeing a solution other than for the OS to only run signed code. What OS is secure from arbitrary executables that the user chooses to run?

I agree that it is annoying, but I'm very interested to hear what they should be addressing here.


Wow, reading the comments over at Dropbox was a real rollercoaster ride.

I kept thinking, "Will this ever get resolved?"



