A new and innovative way for Google to kill your SaaS startup

I swear I have already checked the FAQ!
All this flat blue surface with a cool red roof thing! So convenient!

What's new under the sun

In today's episode of "the Internet is not what it used to be", let's talk about a fresh new avenue for Google to inadvertently crush your startup that does not require you to use Google services in any (deliberate) way.

This is now your website or SaaS application
That's… not particularly useful.
Great! Requesting a review of an invalid report can cause my future reviews to be even slower.

What happened after

Over the week that followed this incident, and despite having had our URL cleared from the Safe Browsing blacklist, we continued to receive sporadic reports of companies having trouble accessing our systems.

How you can prevent Google Safe Browsing from flagging your site

My 2 cents: If you run a SaaS business with an availability SLA, getting flagged by Google Safe Browsing for no particular reason represents a very real risk to business continuity.

  • Don't keep all your eggs in one basket, domain-wise. GSB appears to flag entire domains or subdomains. For that reason, it's a good idea to spread your applications over multiple domains, as that will reduce the impact of any single domain getting flagged. For example: company.com for your website, app.company.net for your application, eucdn.company.net for customers in Europe, useastcdn.company.net for customers in the US East coast, etc.
  • Don't host any customer generated data in your main domains. A lot of the cases of blacklisting that I found while researching this issue were caused by SaaS customers unknowingly uploading malicious files onto servers. Those files are harmless to the systems themselves, but their very existence can cause the whole domain to be blacklisted. Anything that your users upload onto your apps should be hosted outside your main domains. For example: use companyusercontent.com to store files uploaded by customers.
  • Proactively claim ownership of all your production domains in Google Search Console. Doing so won't prevent your site from being blacklisted, but you will get an email as it happens, which will allow you to react quickly to the issue. Claiming ownership takes a little while, and that is precious time when you are in the middle of an incident of this sort that is impacting your customers.
  • Be ready to jump domains if you need to. This is the hardest thing to do, but it's the only effective tool against being blacklisted: engineer your systems so that the service domain names they reference can easily be modified (by having scripts or orchestration tools available to perform this change), and possibly even have alternative names available and standing by. For example, have eucdn.company2.net be a CNAME for eucdn.company.net, and if the first domain is blocked, use that tooling to update the configuration of your app so it loads its assets from the alternate domain.

What to do if your SaaS app or website is blacklisted by Google Safe Browsing

Here's what I would recommend:

  • If you can easily and quickly switch your app to a different domain name, that is the only thing that will reliably, quickly and pseudo-definitively resolve the incident. If possible, do that. You're done.
  • Failing that, once you identify the blocked domain, review the reports that appear on Google Search Console. If you had not claimed ownership of the domain before this point, you will have to do it right now, which will take a while.
  • If your site has actually been hacked, fix the issue (i.e. delete offending content or hacked pages) and then request a security review. If your site has not been hacked or the Safe Browsing report is nonsensical, request a security review anyway and state that the report is incomplete.
  • Then, instead of waiting in agony, assuming that downtime is critical for your system or business, get to work on moving to a new domain name anyway. The review might take weeks.
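The "spread roles across domains, keep standby names ready, switch on notification" advice above, and the first step of the incident procedure, as an added example that is not part of the original post. The hosts (company.com, company.net, company2.net, companyusercontent.com) follow the post's examples and are hypothetical; the failover logic models GSB flagging a whole domain or subdomain, so a flagged parent domain takes its subdomains with it.

```python
from dataclasses import dataclass, field


class NoHealthyDomain(Exception):
    """Raised when a role has no primary or alternate host left to serve from."""


@dataclass
class ServiceEndpoint:
    role: str                 # what the host serves: website, app, eucdn, ...
    primary: str              # host the app normally references
    alternates: list = field(default_factory=list)  # standby CNAMEs on other domains


# Constructed layout following the post's advice: one registrable domain per role,
# with standby names under a second domain (all hosts hypothetical).
ENDPOINTS = [
    ServiceEndpoint("website", "company.com"),
    ServiceEndpoint("app", "app.company.net", ["app.company2.net"]),
    ServiceEndpoint("eucdn", "eucdn.company.net", ["eucdn.company2.net"]),
    ServiceEndpoint("useastcdn", "useastcdn.company.net", ["useastcdn.company2.net"]),
]


def registrable_domain(host: str) -> str:
    # Naive "last two labels" rule: fine for .com/.net examples; production code
    # should consult the public suffix list (e.g. for co.uk).
    return ".".join(host.lower().split(".")[-2:])


def is_flagged(host: str, flagged: set) -> bool:
    """GSB flags whole domains or subdomains, so a host is affected if it
    or any parent domain (excluding the bare TLD) is in the flagged set."""
    flagged = {f.lower() for f in flagged}
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in flagged for i in range(len(labels) - 1))


def failover_plan(endpoints, flagged: set) -> dict:
    """Map each role to the host the app should reference given the flagged set:
    the primary if it is clean, otherwise the first clean standby name."""
    plan = {}
    for ep in endpoints:
        candidates = [ep.primary] + ep.alternates
        healthy = [h for h in candidates if not is_flagged(h, flagged)]
        if not healthy:
            raise NoHealthyDomain(f"{ep.role}: all of {candidates} are flagged")
        plan[ep.role] = healthy[0]
    return plan


def roles_sharing_domain(endpoints, user_content_host: str) -> list:
    """Roles whose primary host shares a registrable domain with the user-content
    host; these would go down with it if an uploaded file got the domain flagged."""
    ucd = registrable_domain(user_content_host)
    return [ep.role for ep in endpoints if registrable_domain(ep.primary) == ucd]
```

Feed `failover_plan` the domain named in the Search Console email and push the resulting role-to-host map through whatever deploys your app configuration; `roles_sharing_domain` is the check to run before an incident, when choosing where uploads live.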

A cherry on top 🍒

The second time around, months after the first incident, we received an email from the Search Console warning us that one of our domains had been flagged. A few hours after this initial email report, being a G Suite domain administrator, I received another interesting email, which you can read below.

The "sc" in sc-noreply@google.com stands for "Search Console"

Some chilling final thoughts about the future of the Internet

It's very clear to anyone working in tech that large corporate technology behemoths are, to a great extent, gatekeepers of the Internet. But I tend to interpret that in a loose, metaphorical way. The Safe Browsing incident described in this post made it very clear that Google literally controls who can access your website, no matter where and how you operate it. With Chrome having around 70% market share, and both Firefox and Safari using the GSB database to some extent, Google can, with a flick of a bit, singlehandedly make any site virtually inaccessible on the Internet.
