Often when this happens with a large site, it's because of a malware-laden ad. Typically with a smaller site, it's because the site was somehow hacked or didn't stay fully up-to-date on security patches.
Added: Looks like it was an actual hack, not just a bad ad. The Wired folks will want to make sure there are no more iframes from hxxp://zlu bob.org. Folks can use our free Fetch as Google tool to see what we see when we try to fetch a page. You can find out more about the Fetch as Google tool here: https://support.google.com/webmasters/answer/158587?hl=en
If they leave their WordPress unpatched, have a crappy plugin with security holes installed, have their FTP credentials guessed, etc., hackers drop some malicious JavaScript on their sites, and the next thing you know the site can't be accessed in Chrome, and usually Firefox as well, depending on which services pick up on the bad JavaScript.
For me, it usually takes a day(ish) from the time we're notified of the issue to update the site, remove the malware, set up Google Webmaster Tools, submit a review request, and wait for the block to be lifted.
On one hand, this is very frustrating, but on the other hand, many small businesses would have no idea their site had been hacked without it being blocked.
The only thing I'd like to see personally is if Google were somehow able to notify the domain registrant of the block via email so they find out right away, and not after a few weeks (or longer) in some cases. Some small business owners don't check their sites very often. We like to monitor our client sites, but sometimes new clients come to us with these problems and have no idea how long they've been down.
Yes, but they still block websites that are not connected to Google Webmaster Tools, and the site owners may not realize it. It would be nice if they notified the domain registrant as a heads-up, because most small-biz site owners who find their way to me have sites that were designed years ago and need little to no maintenance, so they don't know they've been blocked as they barely ever look at their own sites.
We explored trying to email whois contacts or standard addresses (such as webmaster@example.com or postmaster@example.com) and essentially got zero pickup. That's one of the reasons we provide Webmaster Tools, and so far it's our best channel to notify small business owners.
We can sometimes label sites as hacked in the search results, but Webmaster Tools is definitely the preferred channel for communication of stuff like this.
"We explored trying to email whois contacts or standard addresses"
Ironic since the original reason for the tech contact was exactly to be notified for issues like this.
I'd like to add, though, that as a registrar we get a reasonably good response to the emails we send. [1]
Perhaps there is something about getting an email from Google, or any large, well-known company that is often the subject of spam attempts, that makes people think "it's probably spam."
Even given that though it's hard for me to believe that the results were close to zero.
[1] We also find that when a domain is deleted for non-payment, the person frequently claims they received no email notice, but then proceeds to reference something that was in the email notice.
Man, we could talk about this for hours. There's a lot of nuances involved in trying to alert site owners to issues, especially at a large scale. We've tried about 6-7 approaches over the years, and I'm still not completely happy with where we are. Freehosts are especially tough (WordPress, Blogger, etc.) because whois would just never work there.
Yes, but it varies, because we have automatic malware detection, automatic hacked site detection, and manual hacked site detection.
For example, if we manually detect that a subdirectory of a site is hacked, we may remove only that subdirectory from our search results. If your entire site is hacked, then your entire site may be demoted or removed until the site is clean.
The main page is not blocked but anything I click on is blocked.
Here is the Why page:
Safe Browsing
Diagnostic page for wired.com/2014/04
What is the current listing status for wired.com/2014/04?
Site is listed as suspicious - visiting this web site may harm your computer.
What happened when Google visited this site?
Of the 135 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-04-05, and suspicious content was never found on this site within the past 90 days.
This site was hosted on 12 network(s) including AS31377 (AKAMAI-BOS), AS701 (UUNET), AS12989 (HWNG).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, wired.com/2014/04 did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Funny, it says "Of the 20 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-03-25, and suspicious content was never found on this site within the past 90 days."
Does zero count as grounds to be blocked?
Of the 26 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-04-05, and the last time suspicious content was found on this site was on 2014-04-05.
Malicious software is hosted on 1 domain(s), including zlubob.org/.
--SNIP--
They're doing a good thing with this, and they're helping webmasters who can't help themselves.
Actually the issue was that I was using Google's DNS. When I disabled that, it worked just fine. But thanks for showing me the Chrome trick.
As to the technically correct statement, don't you think that saying a site is a "known malware distributor" is a bit more sweeping than saying something more accurate like "we discovered malware on this site"?
In other words, they are using the same language I would expect to see directed towards sites that have malicious intent and should never be visited.
How should they word it when the site is known to distribute malware? There is no difference between discovery and distribution, if you consider the method of discovery.
-------
The website at www.wired.com contains elements from sites which appear to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
Below is a list of all the unsafe elements for the page. Click on the Diagnostic link for more information on the threat for a specific element.
The Wired homepage itself is fine for me, but Firefox 28.0 is blocking both of those images in your post along with any links I try to click from the Wired homepage.
A security company found a vulnerable Alexa Top 50 site where someone was able to inject XSS code into the comments section, creating "DDoS zombies" out of the visitors.
I just tried to go there using Chrome on Ubuntu and I got a malware warning: "Content from www.wired.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your computer with malware."
Exploiting programming errors in the browser is one way.
Because browsers are written in very unsafe programming languages (C++), bugs are regularly exploitable: by specially crafting the bug-triggering input data, the browser can be fooled into scribbling content-controlled data inside its own memory space. For example, a memory-handling bug might let the page overwrite some of the browser's code with data coming from the web page.
This lets the web page break into your computer, running arbitrary code of its choosing on your box.
Browser plugins can be similarly targeted instead of the browser itself.
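To make the class of bug being described concrete, here's a deliberately broken C++ toy (not code from any real browser; the struct and names are made up purely for illustration):

    // Toy example of the memory-safety bug class described above.
    // An attacker-controlled length is trusted, so the copy writes past the
    // end of a fixed-size buffer and clobbers whatever lives next to it.
    #include <cstdint>
    #include <cstring>

    struct ImageDecoder {
        char pixels[64];     // fixed-size buffer
        void (*on_done)();   // function pointer sitting right after it in memory
    };

    void decode(ImageDecoder& d, const std::uint8_t* data, std::size_t attacker_len) {
        // BUG: no bounds check against sizeof(d.pixels). If attacker_len > 64,
        // the copy spills into d.on_done, so page-supplied bytes decide where
        // the program jumps next.
        std::memcpy(d.pixels, data, attacker_len);
        d.on_done();
    }

Nothing in the language stops that copy from running past the buffer, which is why "specially crafted input data" can end up controlling what the program executes next.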
While some of the vectors you've mentioned could potentially be exploitable, blaming a "very unsafe programming language" isn't really a good explanation. These issues could occur in any program and any programming language; it's not a problem specific to C languages.
Most(?) browser vulnerabilities are caused by errors in C++ code which would not be exploitable in memory safe languages. One of the goals of Mozilla's Servo is to write a browser that's memory safe without compromising performance.
I think Servo's "safety" is ultimately due to the fact that it's built on Rust. Rust, however, seems to be ultimately built on C, unless I'm mistaken (having a hard time telling by briefly glancing through their Github, but it looks that way).
My point was that it's not a C-specific problem, though. Most browsers are in fact built on C, I agree. That's due primarily to the speed and performance of the language, which is harder to reach with other languages.
It is definitely a more difficult language to write in, as it is much more "raw," but that doesn't make it inherently unsafe to use, or any more unsafe than other languages.
Having hacked websites serve infected or specially crafted files that exploit 0-day bugs is actually a very common vector. Take 0-day PDF reader bugs, for example: they spread by being linked to in phishing emails. People click the link, and boom, they load a bad PDF and are drive-by infected.
Specially crafted JPGs and GIFs have also been used to exploit overflows in image-handling code.
I always thought that using the Safe Browsing feature is asking for trouble, so it's disabled in all my browsers. That way my browser doesn't need to make an extra request to Mozilla/Google/etc. every time I load a new website, and the web isn't censored for me if there's a technical issue.
The browser has a local copy of the blocked-sites database, so it doesn't have to make any extra request to check whether a website is blocked or not.
Google has always cared about which websites you visit. They use JavaScript to dynamically change the destination address of search results on Google.com via an on-click handler... but I guess they figured that most people who use Chrome don't bother to change the default search engine, so the small percentage of bookmark browsing (which doesn't have Google services embedded) isn't worth worrying about.
Your premise about Google's motivation for creating Chrome is belied by the fact that they were dominant in search for years before Chrome came out. They never had anything to worry about there.
Being dominant doesn't mean that there is no foreseeable threat to dominance. Preventing a hostile browser monopoly which could work against Google's search dominance is a credible motivation for Chrome (though probably not the sole motivation -- moving web technology in a direction favorable to Google's non-search roadmap was clearly a factor, as well.)
Similarly, a major reason for Android could be seen to be preventing a hostile mobile-platform monopoly which would either block or extract monopoly rents from (and thus limit the value of) Google services reaching mobile users.
Performance side effects should be negligible, but there are some privacy concerns (your browser asks Google whether each page it visits is OK, thus telling Google where you surf).
True, I usually wait until the facts are in, but I'm more curious about the question itself: at what point do semi-autonomous programs or constructs become liable for their words or actions?
I'm surprised anyone is still using Chrome. Their debacle with remotely disabling extensions that aren't from the Web Store should have spooked users enough.
I can't believe that on HN, of all places, people are using Chrome's malware-detecting capabilities. Friendly reminder that EVERY REQUEST you make with it enabled will be passed through Google's filters.
You should turn off all Google networking activities in your browser. By default, there are at least five or so enabled that will happily send every request you make to Google. Some services even go as far as logging every keystroke you make.
pearjuice, this simply isn't true. The way Chrome does this is by periodically downloading a file from Google. The file consists of hashes of known-dangerous web pages. When you visit a new URL, the URL is hashed locally and checked against the client-side list of hashes of known-bad pages. If there's no match, Chrome proceeds normally. Only if there is a hash collision does Chrome do more checking to see if the URL is safe.
The majority of Safe Browsing checks happen client-side (when a page matches the client-side list, more info is retrieved from Google). It's covered in the appropriate section here:
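For a rough idea of what that client-side flow looks like, here's a simplified C++ sketch (hypothetical types and names; the real protocol hashes canonicalized URL prefixes with SHA-256 and periodically syncs the local list from Google):

    // Simplified sketch of the client-side Safe Browsing check described above.
    #include <cstdint>
    #include <functional>
    #include <string>
    #include <unordered_set>

    struct SafeBrowsingList {
        // Local copy of the known-bad hashes, refreshed periodically.
        std::unordered_set<std::uint64_t> bad_hashes;

        // Returns true only if the URL matches the local list and a follow-up
        // lookup to the server is needed; false means no network request at all.
        bool needs_server_check(const std::string& url) const {
            std::uint64_t h = std::hash<std::string>{}(url);  // stand-in for a SHA-256 prefix
            return bad_hashes.count(h) != 0;
        }
    };

So for the vast majority of page loads the check never leaves the machine; only a hit against the local list triggers a request for the full hash data.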