In a recent report by security experts Sucuri and Unmask Parasites (UP) of companies reported that Google’s security systems make the lists of harmful sites pages where passwords and credit card data is transmitted over HTTP. When you transfer the site to HTTPS, they were excluded from the list of hazardous sites.
Not all the listed sites have been infected
The audit showed that, although some of the sites were actually infected with malware, many others still no possibility of danger. First on the requests to remove these pages from the black list, followed by a refusal from Google, despite the absence of viruses or suspicious content. Only after the addition of SSL security experts Google allows browsing among the query results, and removed a frightening warning about the danger.
After careful review, the researchers found that most concerned the ban on new sites that have not yet managed to earn a reputation. The term of the domain of existence is important in this matter, since phishing attacks are most often carried it to the newly registered pages.
Google vs. HTTP?
Apparently, the presence of the HTTP status has aroused the suspicion of the Google Security system. Sucuri experts and UP have come to the conclusion that now Safe Browsing is guided by the new criteria. The first criterion – the age of the domain, and the second – the use of fields for entering a password and credit cards on pages HTTP data.
In other words, Google security system is a recently registered domains that use the HTTP protocol to obtain passwords and data cards, and automatically identifies them as phishing sites.
Google has never published the principles of the Safe Browsing service. However, it is not surprising that the system pays attention to the protocol at the decision to relegate page to dangerous or not.
Since 2014, Google promotes the idea of HTTPS spread by placing the sites with similar content, but with the HTTP-report, later in the query results list. In February this year published version of Chrome 56. It all pages with HTTP, require password administration and data cards automatically marked warning of the danger. The experts noted Sucuri and UP, this policy applies not only to Chrome, but also to the Safe Browsing service.