My Magento 1.9 webshop is marked as unsafe (phishing which is not true) in Microsoft Edge, if switch to IE and run Smart Screen security check it says all safe.
And strangely only on one of my computers and therefore didn't bother much but also a customer complained about it today.
Anyone experienced this before and have a solution? Is there a way to check why a site is marked as unsafe by smartscreen?
Based on my searching results, Below information may helpful to you.
Q. If I am a website owner, how do I correct a warning on my legitimate site?
A. You can immediately submit a request for a correction. Windows Defender SmartScreen has a built-in, web-based feedback system in place to help customers and website owners report any potential false warnings as quickly as possible. In Windows Internet Explorer, from a red warning, click More information then Report that this site contains no threats. This will take you to a feedback page where you can indicate you are a site owner or representative. Follow the instructions and provide the information on this site to submit a site for review...
Reference:
Resolving “This website has been reported as unsafe” (Windows Defender SmartScreen)
Q.
If I am a website owner, what can I do to help minimize the chance of my website being flagged by Windows Defender SmartScreen?
A.
There are several things you can do that can help minimize the chance of your site being flagged as suspicious. Think of these as best practices or optimal website design ethics.
If you ask users for personal information, use HTTPS with a valid, unexpired server certificate issued by a trusted certification authority.
Make sure that your webpage doesn't expose any cross-site scripting (XSS) vulnerabilities. Protect your site by using anti-cross-site scripting functions such as those provided by the Microsoft Anti-Cross Site Scripting library.
Use the fully-qualified domain name rather than an IP-literal address. (This means a URL should look like "microsoft.com" and not "207.46.19.30.")
Don't encode or tunnel your URLs unnecessarily. If you don't know what this means, you probably aren't doing it.
If you post external or third-party hosted content, make sure that the content is secure and from a known and trusted source.
Reference:
Windows Defender SmartScreen Frequently Asked Questions
In MS Edge browser there's an option to "report file as safe". After clicking it - select the "I'm a website owner" option and fill the false-positive form.
I have encountered the "Phishing Detected" warning in Chrome browser on my dev site. Interestingly I don't encounter the same warning in Firefox or Safari even though, as far I can tell, they are using the same phishing database (although in Safari preferences it says "google safe browsing service is unavailable"). I also don't encounter the warning on the same page of the production sites.
It first popped up on a new account verification page I created which amongst other things asked users to confirm their PayPal account with the GetVerifiedStatus API. This requires only name and email.
I have also encountered the warning on a configuration page which asks for the PayPal email address which the user wishes to receive payments to.
Neither page requests a password or any other data that would be considered a secret.
As you might gather I have zeroed in on a potential false positive on the PayPal portion of the content as if perhaps I am phishing for PayPal information beyond the payers email address. There has been no malicious code injection or any such thing. Even when i've removed all content from the page the warning is still present.
I reported the first incorrect detection to Google, and intend to do the same for the second incident, however what I really want to clear up is:
What content can lead to this warning?
How can I avoid it in the future?
How can I get some info from the "authorities" on which urls are blocked? (Webmaster Tools is not showing warnings for the dev site)
How can I flush my local cache of "bad sites" in case I want to re-test?
Clearly having a massive red alert presented to a user on a production site would be disastrous, and there is a (perhaps deliberate) lack of information about how this safe browsing service actually works.
I have been developing a website for a banking software developer and ran into the Phishing warning as well. Unlike you I had no PayPal associations in any of my code and well not even any data collection besides a simple contact form. Here are some things I managed to figure out to resolve my false positive warnings.
1) The warnings in Chrome (red gradient background) is a detection method built into the Chrome browser itself and it does not require to check any blacklists to give the warning. In fact Google themselves claim that this is one of the methods that they discover new potentially harmful sites. When your site is actually on the blacklists you get another red warning screen with diagonal lines in the background. This explains why you only see the warning in Chrome.
2) What actually triggers this warning is obviously kept kind of hidden. I could not find anything to help me debug the content of my site. You have pretty much done this, so for anybody else in need of help, I had to isolate the parts of my site to see what was triggering the warnings. Due to the nature of the site I was working on it turned out to be the combination of words and phrases in the content itself. (e.g Banking Solutions, Online Banking, Mobile Banking). Alone they did not trigger anything but when loaded together chrome would do its thing. So I'm not sure what your triggers are or even what the list of possible triggers are. Sorry...
3) I found that simply quitting Chrome completely and restarting it resets the "cache" for whether it has perviously detected a page. I closed Chrome hundreds of times while getting to the bottom of my warnings.
Thats all I have and hope it helps.
Update: My staging area was accessed via an IP address. Once I moved the site to use a domain instead all the warnings stopped in chrome.
I experienced the same today while creating an SSL test report for my web server customers. What I had there was simply something like this:
"Compare the SSL results of our server to the results of a well-known bank and its Internet banking service". I just wanted to show that the banking site had grading B whereas ours had grading A-.
I had two images from SSL-Labs (one the results for my server and the other the results of the bank). No input fields, no links to any other site and definitely no wording about then name of the bank.
One h1, two h2 titles and two paragraphs plus two images.
I moved the HTML to the page and opened it in my Chrome browser. The web server log told me that a Google service had loaded the page after 20 seconds from my first preview. Nobody else had seen it so far. The phishing site warning came to me (webmaster) in less than an hour.
So it seems to me that the damn browser is making the decision and reporting to Google which then automatically checks and blocks the site. So the site is being reported to Google by Google tools, the trial is run by Google and the sentence is given by Google. Very, very nice indeed.
I need to capture image from web page without security warning.
Page where i need webcam functionality can not be switched to https protocol.
I've installed root certificates and made them trusted.
I tried to insert iframe (which pointed to secure protocol https://mysecurepage.com) inside page (http://mypage.com), but not worked.
#bjelli is correct - this is a major security flaw for any internet content. Just imagine if you could go to a website which would start taking photos/recording everything going on without any permissions or notifications!
However, I am working on an intranet project where disabling the prompt would be quite safe.
If you are in this sort of position - there is one thing you can do;
Google Chrome Policies
If you are deploying the browser, you can override the security prompt for sites you specify. I don't know if you are working in such an environment, but this is the only way you can avoid the prompt all together. Similar things probably would apply for other browsers too.
As defined in http://www.w3.org/TR/mediacapture-streams/
When the getUserMedia() method is called, the user agent MUST run the following
steps:
[9 steps omitted]
Prompt the user in a user agent specific manner for permission to provide the
entry script's origin with a MediaStream object representing a media stream.
[...]
If the user grants permission to use local recording devices, user agents are
encouraged to include a prominent indicator that the devices are "hot" (i.e. an
"on-air" or "recording" indicator).
If the user denies permission, jump to the step labeled failure below. If the
user never responds, this algorithm stalls on this step.
If a browser does not behave as described here it is a serious security problem. If you find a way of making a browser skip the "permission" you have found a security problem.
What do you do if you find a security problem?
Report it IMMEDIATELY! Wikipedia: Vulnerability Disclosure
Firefox: http://www.mozilla.org/security/#For_Developers
Internet Explorer: http://technet.microsoft.com/en-us/security/ff852094.aspx
Safari: https://ssl.apple.com/support/security/
Chrome: http://www.google.com/about/appsecurity/
Opera: http://www.opera.com/security/policy
This is not just a question of technical possibilities, it's also a question of
professional ethics: what kind of job would I not take on? should I be
loyal to my customer or should I think of the welfare of the public? when do I
just follow orders, when do I stop bad stuff from happening, when do I blow the whistle?
Here are some starting points for computing professionals to think about the ethics of their work:
http://www.acm.org/about/se-code
http://www.acm.org/about/code-of-ethics
http://www.ieee.org/about/corporate/governance/p7-8.html
http://www.gi.de/?id=120
I have a page that is just a non interactive display for a shop window.
Obviously, I don't link to it, and I'd also like to avoid people stumbling across it (by Google etc).
It will always be powered by Chrome.
I have thought of...
Checking User Agent for Chrome
Ensuring resolution is 1920 x 1080 (not that useful as it is a client side check)
Banning under robots.txt to keep Google out of it
Do you have any more suggestions?
Should I not really worry about it?
Not that I would EVER recommend what I'm about to suggest - how about filtering by IP address. Since you provider IP is rarely going to change you can use Javascript to kick out or deny requests from IP addresses other than yours. Maybe a clean redirect to http://www.google.com or something silly like that. Although I would still suggest locking it down with a login and password and just have it write a never expiring cookie. That's still not a great idea but a shy bit better than the road your trucking down right now.
You could always limit the connections by IP address (If you know it ahead of time/it's reliable):
Apache's access control
If it is just for a shop window, do you even need access to a web page?
You can host the file locally.
Personally, I wouldn't worry about it, if no-one is linking to it externally it is unlikely to ever be found by search engines.
In your experience as a developer, what kinds of things have turned away users and prospective users from using your programs? Also, what kinds of things turn you away from using someone else's programs?
For example, one thing that really bugs me is when someone provides free software, but require you to enter your name and email address before you download it. Why do they need my name and email address? I just want to use the program! I understand that the developer(s) may want to get a feel for how many users they have, etc, but the extra work I have to do really makes me think twice about downloading their software, even if it does really great things.
Requiring lots of information when signing up -- name and email is bad enough, as you say, but some registration forms have many many fields. The fewer the better.
Charging money but refusing to disclose the price unless you speak to a sales rep
Having a web site that only works in certain browsers
No releases since 2003
No documentation
Support forum with many questions and no answers
Here are a few annoyances that I haven't seen anyone else mention:
Programs that auto-launch one or more processes at system startup that run constantly in the background (invisibly, in the clock tray, or otherwise).
While some of these are necessary, most would either be better implemented with a utility that runs periodically (use the system's task scheduler!) or don't need to be launched until the associated program is launched.
Dialog boxes that pop up on top of all open windows (even those of other applications).
This is even more annoying if you run full-screen apps.
Pop-up dialogs that won't let you switch to another app until they are dismissed make me want to throw something.
Stealing my file type associations or changing the icons associated with a MIME type when I already have that type assigned to another application. At an absolute minimum, ask me first.
Storing user data/documents in file types that can't be opened by other applications
The worst is when files are also bound to a specific version of the application
Automatically cluttering my desktop and quick launch menus with icons
Automatically adding a link to your crappy website into my web browser's bookmarks
Assuming I use Internet Explorer and launch it specifically instead of querying the system for the default browser (same goes for media player, email client, etc)
Failing to understand the difference between user-specific settings and system-wide settings
Re-mapping common, near-universal keyboard shortcuts (cut, paste, undo, print, refresh, etc) for no good reason
If you're going to re-map Ctrl+C from "copy" to "close without saving anything", at least pop up a dialog warning people when they use it
Requiring an exact version of a library or framework. I don't want to have to uninstall the .Net 2.0 framework and re-install 1.1 just to run your program.
Spelling, punctuation, or grammar errors in the user interface or documentation. If you can't be bothered to at run (at least) an automated spelling checker, then you probably also didn't bother testing your app properly.
Displaying error messages to the user in a way that isn't useful. I don't care if "unexpected error #3410 occurred", I want to know what on earth that means and what I should do about it.
If you thought the error was important enough to program in a unique error message, why did you instead program error-handling code that could gracefully handle the situation? Only let me know about an error if I caused it directly or if I can fix it.
On a related note, aren't all errors unexpected?
Sending me to a website when I click "Help" instead of including help files with the local installation. I don't mind if you periodically download updated help files from the web, but people still need documentation when an Internet connection isn't available.
Bulleted lists that are way too long.
Setup programs that come bundled with all sorts of freeware (even things like Google toolbar) that are selected by default. I just want the program I downloaded, not all sorts of other programs. I can understand that developers might get something in return for including these add-ons in their setups but I hate it when they are selected to be installed by default.
Automatic updates and "information" screens that pop up every single system startup.
Yes, you updated yourself good job but I don't care nor want to know that you have. Do I really have to click "No, I don't want to upgrade to the pricier version" every single time I start my computer?
Ad infections. You know the kind where if you scroll your mouse over the text your reading it'll pop up a thing so you can't read it anymore. And flash ads that have sound(especially that you can't turn off. this was the reason I installed adblock plus) and pop up windows that happen multiple times while your sitting on a page.
Also, pop ups telling me to join a sites news letter mailing list. (where the "no" button is very small)
I will rethink downloading something if I think they will start sending me SPAM if I give them my e-mail address.
At a previous employer we had a program I helped write that was online as a "free" download. They had to put something in for Name, address, phone, and e-mail. Oh, and no opt-out checkbox. It annoys me when other companies do this, but I didn't have any say in the matter.
The info needed for free things gets me too, but other than that:
Bundled software, most of the time adware or browser bars
Having to click too many times to do a simple action
Websites that advertise "Free Download!" for something that turns out to be a paid app. Wow, so generous to allow me to transfer data over the internet for free.
Putting an icon in the taskbar when I don't want it there.
I installed an app called Pamella that records Skype calls. I'm fine with 1 icon in the taskbar -- Skype's icon -- but Pamela adding a second just got me angry and I uninstalled it.
Ugly / unfit user-interface. For me, this is really important.
Having to register to download the program (specially if it's freeware)
Browser-specific / requiring special/other applications to work properly
Bloated applications that start with a few MBs and finally grow to 100's of MBs and huge mem consumption.
That'd be most of the things that turn me away from a program.
One of the things that bugs me the most (using, not downloading to try in the first place...):
I download or buy software it is because I want to USE it for something. If it is so friendly that it is 100% intuitive and needs no documentation before being useful, great! If it has comprehensive on-line or other help that answers all my questions as they come up, that's OK too.
However, if it has any kind of learning curve at all and nothing but my own persistent trial and error before I can do anything with it.... Off the drive it goes, within the first 5 minutes. Well, maybe I will use it if I am being paid to, but even in these cases I would probably recommend something else.
A user interface that is so simple that practically no documentation is required, or that has documentation that is accessible is a joy to use. If the program is complex and requires non-trivial documentation, that documentation should explain EVERYTHING a user might want to know, making no assumptions about his or her prior knowledge. That also puts my appreciation meter way up there.
Make your software actually do something people want done, and make it painless for them to do that with it, and you will have lots of satisfied users and word of mouth recommendations.
I left this on my list but it's a big enough annoyance that it probably stands on its own:
Software that requires users to pay for bug fixes, security patches, or critical updates.
If you have a patch that adds some new feature that I want, I don't mind paying for it. If you made a mistake and you are trying to get me to pay you to fix your mistake, then that's where we have a problem. Any physical product manufactured and sold would call this a "recall" and wouldn't dare charge customers to fix it.
In the past, some software products have shipped with known flaws to encourage users to buy the "critical updates subscription". This is downright evil.
How much pain am I going to endure to develop a conscious competence in using the program? Some computer games I tried to play but after a few hours if I haven't figured things out, I'll stop playing. If a program is hard to use and I don't have a really good motivation to resolve it, that will stop me right there.
How complicated is the installation process? How many minutes will I spend getting the basics of the program understood so I can be productive with it? How close to other programs is it, so that I can leverage how I use other programs to use this,e.g. if I've used Microsoft Office for years are the menus similar to that or is it someone else's idea of the ultimate menu system? Those are the questions I tend to wrestle with in a new program.
If something takes hours to install and then more hours to configure for my use, this really makes me question how useful is the software, really. I can understand the appeal of software that can be customized in a bazillion ways, but if I'm just getting used to the software, do I want these options at this point? To give an example of how absurd this would be in other situations, imagine if you had to list all the ingredients in a pizza or an automobile before getting to the options that mattered to you? You have to list everything in the pizza dough or car's body that most people don't think twice about what is there.