Posted on | April 2, 2008 | 1 comment
A big revelation about the deadly rudder design of Boeing 737s was that Boeing knew the rudder could move on its own, and twist the jet into a catastrophic dive, but failed to tell pilots this was a possibility. Once the phenomenon became public knowledge, pilots began to take steps to avoid the conditions under which uncommanded rudder movements were likely. And Boeing was forced to go to a safer rudder design.
The wave of cross-site scripting attacks that take advantage of search engine optimization exchanges between Google and high-traffic sites strikes me as similar. Knowledge is power, from the public’s view. But knowledge can be a liability, from the corporate view.
Here are three views on Google’s dilemma:
Scott Cleland, Precursor Group: “Google not informing their users is the conflict of interest in their advertising business model. Google does not get paid by users. Google gets paid by advertisers and websites who do not want to sully their brands online by having Google identify which of its website clients and which advertising has been infected and are the source for these new rapidly spreading cyber-scams. Google also does not want to discourage searching in any way, because they get paid only when users search.”
Yuval Ben-Itzhak, Finjan Software: “Pointing the finger at Google is technically wrong, in my view. I’ll use an example to explain why: When someone drives a car and robs a bank, it’s not the car manufacturer to blame – it’s the bank owner to blame for not securing the money. Although Google can assist in preventing the distribution of the attack, Google cannot solve the main security problem of XSS – it’s the website owner that needs to take action and secure the site.”
Jeremiah Grossman, WhiteHat Security: “I do not believe Google is the sole culprit, but it does bear partial responsibility for protecting its users. Google is a search engine like many others; they index content on publicly-facing websites. What happens if the website is hosting malware as part of its content? How does Google really know, before directing traffic to that page, that it’s been infected, which could happen at any time? Google is simply being abused by the bad guys to drive traffic, so I have a hard time pinning all the blame on them.”
Comments
It is in Google’s best interests for consumers to feel safe while using their search engine. Declining consumer trust in Google would directly harm their advertising revenues. Therefore, it seems reasonable to assume that Google will take the appropriate steps to warn consumers if they are navigating to a dangerous site. This includes sites prone to cross-site scripting, sites distributing malware and sites involved with many other forms of fraud. At some level, they are already doing this with malware and phishing sites.
If Google looks to the long term, the recent knowledge that SEO and malware form a dangerous combination will be viewed as an empowering development. It enables Google to take steps to proactively protect their trusted customer relationships which in turn protects their pay-per-click advertising revenues. These corrective steps can include everything from warning consumers who are about to visit a dangerous web page to contacting site owners running tainted or vulnerable Web sites.
Comment by Todd Bransforfd — 4/2/2008 @ 5:55 pm