
Prototypes are getting blocked as insecure by Google

Open joelanman opened this issue 3 years ago • 12 comments

We have some reports of prototypes being blocked by Google in Chrome because they look like deceptive fake/scam phishing sites.

It's possible that a real gov.uk domain for prototypes would fix this.

One workaround is to use a browser other than Chrome.

To do

  • [ ] Send examples of false positives to Google
  • [ ] Replicate the issue
  • [ ] Try some fixes (remove/change branding, add a banner explaining it is a prototype)

joelanman avatar Sep 30 '21 11:09 joelanman

This no longer appears to be happening on the prototype it was originally reported on (gov.uk account), so it's possible Google/Chrome checks were too sensitive and they've changed them. Closing for now; can reopen if it happens again.

joelanman avatar Mar 04 '22 17:03 joelanman

Ollie Chalk (security researcher, previously with GDS) has done some digging into this and had some suggestions:

I've had experience with Google flagging .gov.uk services multiple times, as recent as last Christmas, so it's not sufficient mitigation to just deploy on a gov.uk domain.

Even having something like basic authentication in front of prototypes doesn't prevent flagging as it's done in the user's browsers after any authentication.

The most I've found you can do is register domains early, ensure valid and public whois information, register in Google's web/search console tools, and add appropriate text that explains it is a prototype. Then have a handful of people use the service/prototype internally for a few days before publishing the link.

I have tried to have some convos with folks at Google but been unsuccessful so far.

lfdebrux avatar May 12 '22 15:05 lfdebrux
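The advice above is about checking a prototype's standing with Google before sharing the link. The following is an added example (not code from the prototype kit, this thread, or Ollie Chalk) showing how a team could query the Google Safe Browsing Lookup API (v4) for a prototype's URLs and read back whether any were flagged as SOCIAL_ENGINEERING, which is the category behind Chrome's red "deceptive site" page. Assumptions: Node 18+ for the global `fetch`, an API key supplied in the `SAFE_BROWSING_API_KEY` environment variable for the live call, and the `clientId`/`clientVersion` values and the sample hostnames and response below are all constructed for illustration.

```javascript
// Added example: build a Safe Browsing Lookup API v4 request for a list of
// prototype URLs and summarise the response. Runs offline against a
// constructed sample response; the live lookup only runs when an API key is set.

const SAFE_BROWSING_ENDPOINT = 'https://safebrowsing.googleapis.com/v4/threatMatches:find';

// Build the JSON body the Lookup API expects. clientId/clientVersion are
// free-form caller identifiers; the values here are assumptions.
function buildLookupRequest(urls) {
  return {
    client: { clientId: 'prototype-checker', clientVersion: '0.1.0' },
    threatInfo: {
      threatTypes: ['SOCIAL_ENGINEERING', 'MALWARE', 'UNWANTED_SOFTWARE'],
      platformTypes: ['ANY_PLATFORM'],
      threatEntryTypes: ['URL'],
      threatEntries: urls.map((url) => ({ url })),
    },
  };
}

// Turn a Lookup API response into a map of url -> [threatTypes].
// The API returns an empty object ({}) when none of the URLs matched,
// so a missing "matches" array means "not flagged".
function flaggedUrls(response) {
  const out = {};
  for (const match of response.matches || []) {
    const url = match.threat && match.threat.url;
    if (!url) continue;
    (out[url] = out[url] || []).push(match.threatType);
  }
  return out;
}

// Live lookup against Google; requires an API key.
async function lookup(urls, apiKey) {
  const res = await fetch(`${SAFE_BROWSING_ENDPOINT}?key=${encodeURIComponent(apiKey)}`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(buildLookupRequest(urls)),
  });
  if (!res.ok) throw new Error(`Safe Browsing lookup failed: HTTP ${res.status}`);
  return flaggedUrls(await res.json());
}

// Constructed sample response, shaped like the API's: the Heroku-hosted URL is
// flagged as social engineering; the other URL has no entry, i.e. it is clean.
const SAMPLE_RESPONSE = {
  matches: [
    {
      threatType: 'SOCIAL_ENGINEERING',
      platformType: 'ANY_PLATFORM',
      threatEntryType: 'URL',
      threat: { url: 'https://example-prototype.herokuapp.com/' },
      cacheDuration: '300s',
    },
  ],
};

// Constructed sample hostnames for the demo.
const DEMO_URLS = [
  'https://example-prototype.herokuapp.com/',
  'https://example-prototype.cloudapps.digital/',
];

console.log('request body:', JSON.stringify(buildLookupRequest(DEMO_URLS), null, 2));
console.log('flagged (sample response):', flaggedUrls(SAMPLE_RESPONSE));

if (process.env.SAFE_BROWSING_API_KEY) {
  lookup(DEMO_URLS, process.env.SAFE_BROWSING_API_KEY)
    .then((result) => console.log('flagged (live):', result))
    .catch((err) => console.error(err.message));
}
```

Running this before a prototype link goes out gives the team an early signal; a `SOCIAL_ENGINEERING` match is the case to raise through Google's reporting channels rather than something the prototype's own code can clear.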

Just in relation to this: we've had a couple of support cases pop up about this in the last two days:

  • One from DfT who were using Appspot.
  • Another from the GDS Digital Identity team using Heroku.

querkmachine avatar May 12 '22 16:05 querkmachine

Last time we looked at this we couldn't reproduce it, but as it's happening again I'm putting it back in awaiting triage.

joelanman avatar May 24 '22 15:05 joelanman

Had a report that moving from Heroku to PaaS, with a cloudapps.digital domain, fixed this.

joelanman avatar May 25 '22 08:05 joelanman

@joelanman please provide the latest actions taken in regards to this piece of work.

Izabela-16 avatar May 31 '22 10:05 Izabela-16

We are meeting with the Deputy Director of Digital Service Platforms to discuss, and hopefully then speak to Google.

joelanman avatar May 31 '22 11:05 joelanman

We had a chat with people at Google; some notes: https://docs.google.com/document/d/1kYOABwnBmpcP4XWK6k1HE1ifTl1ZV5lg-HoCRMw28pg/edit

joelanman avatar Jun 09 '22 11:06 joelanman

The GOV.UK Accounts team have had the red "deceptive" screen appear in a prototype we are testing this week. It appeared almost instantly when pushing to a GitHub repo linked to Heroku. Happy to share the prototype details on cross-GOV Slack @joelanman

henocookie avatar Jul 18 '22 08:07 henocookie

As of today, we are not aware of any prototypes being blocked. Please add to this thread or get in touch with the team if your prototype is blocked: https://design-system.service.gov.uk/get-in-touch/

joelanman avatar Sep 02 '22 09:09 joelanman

AVG is reporting the "updating prototype kit" page as a virus threat within the Home Office, as seen in xgov Slack.

Ciandelle avatar Sep 05 '22 11:09 Ciandelle

The related issue about AVG is here: https://github.com/alphagov/govuk-prototype-kit-docs/issues/28

joelanman avatar Sep 06 '22 08:09 joelanman