The key to an open, transparent malware filtering system
* Ryan Naraine is on vacation.
Guest editorial by Max Weinstein
There's a good reason for this approach's popularity: it works reasonably well. Although not perfect -- fast-flux attacks and other techniques sometimes keep the filters a step behind the bad sites -- we know that many users will skip sites that they've been warned against, and therefore avoid possible infection.
Not all filters and blocking services are created equal, however, and I'm not referring to the interface or the list of dangerous sites. Instead, I'm talking about the approach companies take to ensure that this de facto filtering is done fairly and accurately.
Imagine this scenario: you are a small business Web site owner running a simple shopping cart application. You're doing decent business, when suddenly, one day, your business and site traffic drop off by 20 percent, and you have no idea why. Your Google PageRank hasn't changed, you haven't done anything new, and you don't know of any new competitors. Only after a loyal customer e-mails you a few days later to tell you that he received a warning from his AV software about your site are you able to figure out what's happening.
You try to go to the AV vendor's website, but you can't find any information about why your site is receiving a warning, and an e-mail to the company goes unanswered. In this scenario, one of two things happened, neither of which is acceptable: your site was flagged erroneously when there was nothing wrong, or your site was compromised, and no one is helping you to fix it and restore your site's security and reputation. Either way, you and your potential customers got hurt.
The same problem has historically occurred with certain spam blacklists and other approaches that have attempted to protect users but, in so doing, created collateral damage to well-intentioned and sometimes completely innocent site or network owners.
A good filtering system, then, isn’t just about collecting a list of bad sites and warning users about them. Instead, it requires all of these traits:
- A low false-positive rate
- Clear, publicly-available criteria for determining which sites are listed
- Information about why a particular site is listed
- A transparent, responsive process for requesting removal of incorrect or outdated listings
- Support and education for owners of compromised sites
Note that a system with all of these traits isn't just better for the website owners; it's better for the end users, too. It ensures that they aren't being kept away from their favorite sites (or new sites that they've yet to discover) any longer than necessary. With a little additional effort, the provider can also use the warnings as a way to educate consumers about the danger of drive-by downloads or phishing and how to protect themselves more generally from malware.
One of the reasons StopBadware.org exists is to help realize this ideal of an open, transparent system that protects and educates, that serves end users and site owners. It's not easy, and one could argue that we're not fully there yet, but we continue working with our partners and keeping our door open to new partners who are committed to these principles. I hope that as website warning products evolve and mature, we will see more companies producing systems that are designed with the broadest public interest in mind.
* Maxim Weinstein is the manager of StopBadware.org, a partnership among academic institutions, technology industry leaders, and volunteers committed to protecting computer users from threats to their privacy and security caused by bad software.