Jump to content

Blanket TLD Blocking sets a whole new precedent of security fraud!


erenfro
Go to solution Solved by AdvancedSetup,

Recommended Posts

Hello, developers.

I am Eric Renfro, a member of many technical communities, primarily for Linux and macOS. I decided this year to check out Malwarebytes Premium instead of renewing the product I was originally going to do. The price was great, but after just 1 week of using it, more so specifically, the recommended Browser Guard extension that was pushed by it, I was incredibly thrown back by some unacceptable policies you at this company have chosen to do.

What I am talking about is literal blanket blocking of entire Top-Level Domains (TLDs), such as just the few I initially ran into: .info, .biz, .zyx, and .im! I get you're out "to protect everyone, including those less tech savvy.", but whoah there! This literally was blocking informational websites, businesses, and communication oriented websites, just blindly, and completely. Yes, people can check the box to allow it through, and everything, but by throwing a big banner up before even allowing the page to load, is a setting a huge precedent to ESPECIALLY those less knowledgeable, and needlessly. This, to me, is a serious stain on your credibility as a company that is supposed to be about security, but blanket banning so many TLDs with just a whitelist, guys, this is extremely bad practice, and everyone I've spoken to about this, and will continue to do so about it, agrees. This stains your reputation, and so far I've even insisted on a refund for my recent purchase of Malwarebytes Premium.

I was suggested by your support staff to bring these concerns up here. While this is for Chrome, the problem exists for Firefox as well, because it's an extension for both browsers.

So, here's the deal. Very quickly your whitelist for each individual site people complain about, will become vastly larger than your blacklist, and thus, will require more, and more, and more processing power to go through the filters. Second. You're literally blocking all sites in all the TLDs, by default. This is never OK. Third, you're setting a precedent that all TLDs not within the smaller select few domains, are "OK". Also NOT OK! Four, You're scaring non-tech-savvy people needlessly, and yes, I mean it, needlessly.

Until I saw this, I was going to recommend Malwarebytes, and even Malwarebytes Premium, and the Browser Guard extensions based on some tests I was doing myself. Now, I won't recommend ANY of Malwarebytes' products because this reputation killer blacklist approach to "security", it extremely bad, and ruins your entire credibility as a security-minded company of which you /are/ supposed to be, making things to protect/enhance security.

Please don't respond to this with blanket statements like "protecting everyone", or "you can simply remove it" (it is afterall, pushed onto people by the main app). I've been in the community and the industry, for 30 years. I started programming BASIC at age 5, I've been a cyber security specialist for many companies. I'm not really looking for excuses, but to hopefully give correction to these policies, and if not, let others know this is not acceptable. I know I've spoken about this issue to 3 different communities of varying different focuses, and 100% of several hundred people within each, agreed that these practices are very bad. Not just for themselves, but for everyone, even the non-tech-savvy.

Eric Renfro

Link to post

In further research, just from this forum alone, I'm seeing a confirming number of people with varying TLDs being covered by this egregious TLD blacklist.

*.online, *.club, *.live

Guys, this is really freaking ridiculous. What I'm also commonly seeing in response to some of these is, "malicious people tend to register these non-normal TLDs....", well, they register .org, .com, and .net too, And regular people do too in every cases. And what's worse about this is, most of the time, what I'm seeing are "MY website is blocked", not, "xyz website is blocked, it's a really useful site, please unblock it." Which goes to show you the level of precedent you're pushing by this course of action. My 2 support cases I opened weren't even for my own sites, but for OTHER PEOPLE's sites I was trying to get to, and got a "Suspicious TLD" on it. Websites like launchd.info, an Informational website on macOS's LaunchD service manager. 

When I removed the extension, I filed a complaint about it to Google because of this egregious method of blocking sites. 

Eric Renfro

Link to post
  • 1 month later...

Well, that's a VERY long vacation.....

Still no response on this concern, and still happening, too.

I just have a hard time believeing how many entire TLD's are being just outright blocked for no reason. I saw *.chat as well, among others...

Eric Renfro

 

Link to post
  • Staff

Really sorry for the late reply here. I was just made aware of this post.

For transparency, the aggressive gTLD blocking was introduced when our browser extension was in prototype mode and as a way to test a bunch of really aggressive approaches and heuristics in order to come up with a good balanced blacklist-plus-whitelisting approach. Those gTLDs were selected due to the high ratio of malicious to legitimate websites found in those gTLDs. Many of those aggressive detection approaches are still in the browser extension but some of the whitelisting approaches never solidified as originally intended. The result is an unbalanced aggressive blocking as you're correctly pointing out.

Having said that, now that the extension is not prototype/beta anymore and it is being pushed by the Premium product, we should revisit and fine-tune a lot of those aggressive detection blocks and heuristics to strike the right balance.

Thanks for raising this topic. We are investigating fine-tunings based on your feedback.

 

  • Like 2
  • Thanks 1
Link to post

I must admit I was shocked when one of our users reported this to me. I thought - wow, how are they going to block millions of legitimate sites. It's nearly 6 years ago that ICANN greatly expanded the TLDs available. You're not going to be able to sustain this. I admire the intention but it is unworkable. I thought erenfro made excellent points - agree with them all.

Link to post
On 1/20/2021 at 5:54 AM, rustleg said:

I must admit I was shocked when one of our users reported this to me. I thought - wow, how are they going to block millions of legitimate sites. It's nearly 6 years ago that ICANN greatly expanded the TLDs available. You're not going to be able to sustain this. I admire the intention but it is unworkable. I thought erenfro made excellent points - agree with them all.

Yep. When I first saw it, my jaw dropped. When I kept seeing it, I literally got angry. As a security professional, I was livid about it.

I'd been highly recommended Malwarebytes Premium for a while, which I use on my MacBook Pro, my "business" computer for when Linux alone doesn't cut it... Or has interoperability issues that macOS just makes easier or capable. After seeing this, and yes, I know it's a secondary thing, but it's strongly pushed and recommended by the main Anti-Virus/Anti-Malware application itself as an extension of itself, but as an extension it should follow suit with good security practices and work together. Instead, what I found, was left brain/right brain, and the left brain was completely blocking entire TLDs without any consideration to the idea.

As a result, Malwarebytes did lose my business this time, likely others I work with and within my community since I am very outwards socially. I insisted on a refund, got it, and reported this issue to the forums because of it's severity.

Once this problem is fixed, and I hope it's fixed ASAP, I might actually try it again.

Link to post

Hi

I am Dirk Bhagat, CTO for .Club Domains.

I second what Eric Renfro and rustleg have said regarding the Blanket blocking of whole TLDs.

The implications of this "Guilty until proven innocent" strategy are huge and completely unacceptable.  It's completely unfair to thousands of site owners that have customers scared away simply because of a false positive.

In addition, once users realize that domains are safe even though the browser guard says they're not safe, they will ignore the warning and will continue to the site. Which then means that when there's a real malicious threat, users will expose themselves to it, believing its just another false alarm.

The Suspicious TLD feature blocks domains like: 

Coffee.club - an ecom membership site for coffee lovers

CSE.club - a Scientific community site in Algeria

Salonsustainability.club - a community site that focuses on Sustainability and recycling.

and there are hundreds of thousands of others in .Club and in other TLDs like .online,  .info that are also blocked by default.

The assertion that you see a lot of abuse from the newer extensions does not hold  water in the case of .Club and probably other new gTLDs as well.

Spamhaus, an anti abuse site, lists and compares TLDs with respect to their ability to control abuse in their namespace.

It lists .CLUB's score at 0.06 compared with .COM at 0.54. The lower the score the better and it takes into account the size of the TLDs as well.

Clearly, .Club has one of the lowest (and best) scores with respect to abuse management. See here: https://www.spamhaus.org/statistics/tlds/

Even forbes pointed out this contradiction today with respect to .Club and .Com.

https://www.forbes.com/sites/barrycollins/2021/01/27/are-club-websites-unsafe-this-security-firm-says-so/?sh=32e7b9d835d6

When will this be fixed guys?

Link to post
  • Staff

As a stop-gap measure, we have implemented an initial whitelist which went live a few minutes ago. We are implementing further mitigating measures and new logic in the next few hours and days which should completely solve the problem.

 

Link to post
14 minutes ago, pbust said:

As a stop-gap measure, we have implemented an initial whitelist which went live a few minutes ago. We are implementing further mitigating measures and new logic in the next few hours and days which should completely solve the problem.

 

Pedro, does this mean that this wrongheaded practice of blanket blocking .Club will stop with the upcoming release in a few days? That would reduce false positives massively. Totally wrong to start from a position of block every domain in the TLD, and then look to whitelist manually or automatic .  hard to quantify  damage done to legitimate owners of websites and your own community by using this heavy handed approach.

Link to post
1 hour ago, pbust said:

As a stop-gap measure, we have implemented an initial whitelist which went live a few minutes ago. We are implementing further mitigating measures and new logic in the next few hours and days which should completely solve the problem.

 

While I appreciate the update. I think we'll all need a lot better detail than that vague update. This blatantly abusive tactic of block first, whitelist later, to hundreds of gTLDs, is not some simple matter, it's huge.

Eric Renfro

Link to post

I agree what said other users

MBG before the uodate you say, makes all sites out of .com .net .org culprit until probe their innocence. Also as messages are only enlgish and the red row is same as trojan detection, people think those pages contain virus

Link to post
  • Staff
7 hours ago, DirkBhagat said:

Pedro, does this mean that this wrongheaded practice of blanket blocking .Club will stop with the upcoming release in a few days? That would reduce false positives massively.

Yes, that's correct.

Link to post

I'm a security researcher. When I had a user email me to tell our my .info site was blocked by malwarebytes, I found other posts from site operators complaining, which had generally been 'resolved' by whitelisting. So I politely asked for my site to be whitelisted, and suggested how the warning ought to be toned down here.

However, like @erenfro, I was gob-smacked that malwarebytes has amplifyied attacks emanating from 11.7% of the .info domain into an attack on the whole top level domain (and on others).

Product Manager @pbust says, "We are implementing further mitigating measures and new logic in the next few hours and days which should completely solve the problem." Really? By "completely" do you mean distinguish all good from all bad? If so, I think you're on the wrong drugs.

In this case, I think the remedy is Darwinism - survival of the fittest. So, I'm shifting my previous constructive tone into disdainful.

I looked at malwarebytes reputation on trustpilot. It's so bad that I just figured it's not going to be long before this product tanks, so I'm not going to invest my emotional energy trying to persuade them to improve their practices.

I would normally sign off by saying I wish you well. But I don't.

Link to post
  • Staff

Thanks for your productive criticism. When I said "completely" above, refers to the problem of near-blanket gTLD blocking, not distinguishing all good from all bad.

 

  • Like 1
Link to post
13 hours ago, pbust said:

Thanks for your productive criticism. When I said "completely" above, refers to the problem of near-blanket gTLD blocking, not distinguishing all good from all bad.

 

In other words it mean consider as standard TLD .info and .club?

Link to post
  • Staff

FWIW, .XYZ and .CLUB are fixed. We are still finetuning other gTLDs, so you might still see some aggressive gTLD blocks outside .XYZ and .CLUB. Over the next few days and weeks we'll tackle the rest of the gTLDs.

 

 

  • Thanks 1
Link to post
5 hours ago, pbust said:

FWIW, .XYZ and .CLUB are fixed. We are still finetuning other gTLDs, so you might still see some aggressive gTLD blocks outside .XYZ and .CLUB. Over the next few days and weeks we'll tackle the rest of the gTLDs.

 

 

Are you serious? Just.... Those?

I am never going to recommend this company's products to anyone ever. Fine tuning WHAT? You're blacklisting way too much and should literally drop your entire default blacklist entirely and go with a much saner approach, period!

If you can't do that, you're company isn't worth the grain of salt it claims to secure. I'd literally at this point recommend taking this particular extension off the market, stop recommending it, and until you fix it.... Don't put it back!

Eric Renfro

 

Link to post
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.