Is Google Wrongly Blocking Your Web Site?

Security Notice Regarding Brief Hacking of Home Page and Subsequent Google / Firefox Warning Message

Google Wrongly Blocked for Five Months After Brief Site Hacking Incident

Last updated 22 December 2008

Update: After I filed a seventh review request, posted this protest notice, and posted a complaint about this situation in the Google Blog, Google  finally removed from its malware site blocking list after five months of requests. If you are a webmaster whose web site is safe but is being wrongly blocked by Google, I recommend that you do the following:
  1. Post a protest notice about the problem on your web site immediately; patience is not rewarded in this situation
  2. File a review request through Google Webmaster Tools
  3. If your review request is rejected, post your own complaint about this situation in the thread on the Google Blog; right now, that seems to be the only route to escalate to a human being. Be aware that email messages to Google employees that contain a link to a "suspected attack site" may not get through to their account. (See below.)
Here are my suggestions to Google of some ways to improve their malware site blocking program that could reduce the possibility and duration of this kind of "false positive" problem in the future:
Kudos to Google for being transparent and self-critical enough to allow through my complaint about this situation in the thread on the Google Blog. The fact that Google did this gives me hope that the company is open to criticism, holds itself publicly accountable for mistakes, and may improve their well-intentioned site blocking system going forward. I've preserved a slightly edited, corrected, and updated version of my original protest notice below for the public record. Now I'm going to go back to finishing new videos, getting links to the site restored, and continuing to answer questions about HIV/AIDS through YouTube. Anyone from Google is of course welcome to contact me.

-- Eric Krock

On July 4th, 2008, a hacker managed to replace the page with one that was identical but included a JavaScript redirect instruction at the bottom of the home page. They appear to have done this by using sophisticated password cracking software to break the site's FTP password. The password in use at that time was not stupid (e.g. "password," the administrator or site or account name, or a word you could find in a dictionary) and it used letters and numbers, but it was not particularly long, so a long-term attack could have broken it. We apologize for the inconvenience. The lesson here is to use very long and complex FTP passwords (or better yet, S/FTP) and to change them periodically.

This problem came to the attention of the site administrator in late July when Firefox began blocking the site as part of its integration of Google's malware site detection and flagging system. The site was promptly analyzed and repaired. Every character of every HTML file on the site was manually inspected for evidence of tampering. All pages were either restored from original backups (as in the case of Word.doc binary files that could be hard to manually review) or from a copy that had been manually inspected character by character and reparied as needed (as in the case of the home page). All means of accessing the site were reviewed and FTP accounts previously provided to other not-for-profits were disabled. The hosting service provider was notified and confirmed that the binaries of the web servers and operating systems were fully up to date including all patches. The password in use was GREATLY strengthened. Recommendations on Google's "best practices" list for site administrators have been followed. has been entirely free of any hostile or foreign code or links since late July, 2008.

The site administrator then filed SIX requests to Google to have removed from its malware blocking list. All six were denied without explanation or justification.

The first three times, the automated system reported that the site still posed a threat and said "Here is an example URL of a page that poses a threat:" but provided no URL, indicating a poorly-written review system that wasn't even internally consistent in the presentation of its results.

On the next three review requests, the messaging had been modified to eliminate any reference to a particular URL, but the system still claimed without explanation or justification that the site might pose a threat to visitors. Google's search engine still claimed that "This site may harm your computer." This claim by Google was false. The web site is very simple. It has about 170 static HTML, .doc, and .txt files. It uses simple SSI includes of static header files but does not use CGI scripts of any kind. There is no way that the site could have been posting a threat to users during this period. By falsely claiming that it might, Google was misleading and obstructing Internet users who were attempting to access potentially lifesaving HIV/AIDS prevention education messages.

In an attempt to get some human attention on the problem from Google, the site administrator also repeatedly emailed friends at Google. This approach too yielded no results.

Recently, the Open Media Network, to which previously linked for hosting of high quality videos, ceased operations. The administrator wonders whether these broken links were wrongly flagged as a potential risk. All those links were replaced by links to, and a seventh review request was submitted.

Google (and by extension Firefox) blocked the site and wrongly claimed that the site posed a threat to visitors for five months. This caused significant problems for in our efforts to provide scientifically and medically accurate HIV/AIDS prevention education messages to the world. One leading not-for-profit eliminated a link to the web site until it is removed from Google's list. Prospective donors and volunteers have asked about the situation. People at workplaces may have been completely unable to access the site during this period, and anyone using Firefox was (wrongly) warned on every page access that the site may pose a threat, interfering with their attempts to access the site's content. Repeatedly filing review requests and emailing contacts at Google seeking help consumed valuable time that would have been better spent on editing and publishing new prevention education videos. The site's brand was harmed. respectfully requests that Google improve the timeliness and accuracy of its responses to site review requests going forward. With great power comes great reponsibility. Google has every right to try to warn Internet users about web sites that genuinely pose a threat, but it has a responsibility to not continue to falsely flag as a threat innocent web sites that have been hacked but have recovered, repeatedly requested review and removal, and are now trying to continue doing good work in a hostile, dangerous world.





Afrikaans, Amharic, Arabic, Bengali, Bulgarian, English, French, Gujarati, Hindi, Hungarian, Icelandic, Japanese, Korean, Mandarin, Portuguese, Punjabi, Russian, Spanish, Swahili, Thai
Africa, Brazil, Cambodia, Cameroon, Caribbean, China, Egypt, Ethiopia, Ghana, India, Kenya, Mozambique, Namibia, Nigeria, Russia, Rwanda, Somalia, South Africa, Sudan, Swaziland, Thailand, Uganda, USA, Zimbabwe
ARVs & Treatment, Clinical Trials, Denialism, Drug Use, Faith-Based, HIV+, MSM, Science, Stigma, Testimonials, Testing, Women
Home Page, Mission, Guidelines, Myths, FAQ (Risk, Symptoms), Comments Policy, Who We Are, Contact, Support

Copyright © 2004-2011

Links, Rights, Disclaimers, Credits