Google offers security blacklists to all
- 20 June, 2007 08:27
Google Monday released to outside developers the same security API currently used by its own Google Desktop and Mozilla's Firefox for warding off phishing and malware-dropping Web sites.
Dubbed the Safe Browsing API (application programming interface), it gives third-party developers a way to integrate malicious site-checking into their own applications, said a pair of Google developers in an entry on the company's security blog. "It provides a simple mechanism for downloading Google's lists of suspected phishing and malware URLs, so now any developer can access the blacklists," said Brian Rakowski and Garrett Casto.
Google maintains a pair of blacklists that any client application using the API can now access to warn users of potentially dangerous sites. Developers could use the API, suggested Google, to prevent users from posting phishing links on a blog or to alert users that a link from a software download site is a known malware distributor.
"The API is still experimental, but we hope it will be useful to ISPs, Web hosting companies and anyone building a site or an application that publishes or transmits user-generated links," added Rakowski and Casto.
According to the documentation Google made available, developers have to comply with several guidelines and a live with a few limitations. Presumably for liability reasons, Google requires that developers qualify any warning. "You may not lead users to believe that the page in question is, without a doubt, a phishing page or a page that distributes malware," Google said. "You must qualify the warning using terms such as: suspected, potentially, possible, likely, may be."
Developers' client applications are also limited to 10,000 users sending regular requests to the API for the blacklists, Google noted, although it provided an e-mail address for requests to expand an application's user base.
Interested developers can request an API key from Google's site.
Safe Browsing's blacklists -- and the API that updates locally-stored lists on users' PCs -- is the basis of Firefox 2.0's current anti-phishing feature, and may be used in Firefox 3.0, scheduled to ship before the end of the year, to display alerts of sites suspected of spewing malicious code.