Over the past few days I’ve spoken to several other developers and two Google Chrome engineers regarding the difficulties surrounding distributing software online caused by the over-zealousness of Google’s Safe Browsing technology, which, in an effort to combat malware, flags perfectly safe new releases of software as “harmful content” until they have been downloaded a secret number of times (well in excess of 1,000 times, from personal experience).
(For more background, this is a follow-up to my previous Medium article: https://medium.com/@byuu_san/googles-monopoly-is-stifling-free-software-e63dea114f39)
Although I was able to raise some awareness of this issue within Google, about which I am cautiously optimistic that something positive will arise, unfortunately there has been no resolution to this issue — at least not as of yet. I can however offer some clarifications and advice for now.
Code Signing
First, here is what Google has to say about code signing, in their own words:

(Source: https://support.google.com/webmasters/answer/3258249)
Google recommends code signing with bolded emphasis. It states that unsigned binaries will not automatically cause your software to be flagged as unwanted, but it does not clarify the inverse condition: whether signing might help to prevent it from being flagged.
I’ve since been informed by a Google engineer that the code signing recommendation is the only advisory (non-normative) advice in the support article. In other words, it seems as though code signing will not help.
Further, I wanted to clarify from my previous article: it is roughly $400 a year to obtain a business code signing certificate. Obtaining a code signing certificate in your own name typically costs $70 a year, which is still a significant barrier for open source developers on a budget, and carries with it the dangerous requirement of attaching a legal name to the certificate name.
I understand that many don’t see a problem with this, and it’s far beyond the scope of this article, but please believe me that for certain people, disclosing their real name can put them in harm’s way (doxxing, swatting, employer harassment, etc.).
Free Certificates
I advocated for free certificates akin to Let’s Encrypt in my previous article, and I’d like to elaborate on that.
The common argument against free certificates is that paying money somehow represents “skin in the game” and reduces fraud. But I feel this is nonsense. Ransomware can earn back the $70 certificate fee in a single successful exploitation, whereas a small developer from Mali would earn only $1,953 per year of income.
Free code signing certificates do not need to imply trust by default, just as they do not when issued by Let’s Encrypt for HTTPS connections. What they provide is accountability: if I were to have a certificate with a Common Name of byuu.org, then all of my software would be identified as originating from byuu.org. When third parties (content delivery networks, mirrors, websites that catalog groups of tools, physical media, etc.) redistributed my software, users could be sure the software was compiled by me, and not modified in transit. This is a good thing!
Furthermore, it could gather trust over time: if I am signing all of my software as byuu.org, then perhaps after 1–2 years, AI such as Microsoft SmartScreen and Google Safe Browsing could see that my software is clean and safe, and begin to treat it with less suspicion than a random unsigned binary.
As such, I still stand by my original claim: free software code signing is a net benefit for everyone. Having money to spend on a certificate does not imply trust: only that someone has money, and can rope another unsuspecting person into submitting an ID card to get it. I mean, you didn’t really believe that there would be extensive vetting that a person is who they claim for $70, did you?
Reassurances
I’ve been reassured by both Google engineers that the wording of the Search Console (“Your website contains harmful content. We recommend removing it immediately.”) is overly strong, and that it is a safe warning to ignore.
Unfortunately, without a public reassurance by Google corporate, I don’t believe it would be wise to trust this. For one example, a friend of mine distributed a safe video game map-editing utility on his website, which was subsequently flagged by Google. He submitted a request for review, which came back negative (in spite of the binary actually being clean), which resulted in his entire website being blocked until he removed the binary. When accessing any page on his site, you would be greeted with the following full-screen message:

Others have suggested distributing binaries from GitHub, but as you can see in the image above, github.com is not automatically exempt from Google Safe Browsing: it confers no added trust, and as a developer, having your GitHub page blocked can be just as damaging as having your personal website blocked.
In the words of Jason Scott from archive.org and with my concurrence, this represents “a total and complete domain death penalty.” (Source: https://twitter.com/textfiles/status/1079860578829680640)
(If you’re interested in further reading, my friend’s story regarding his site being blocked can be found here: https://helmet.kafuka.org/logopending/2020/01/04/some-personal-notes-on-the-case-of-byuu-v-google/)
Alternatives
Finally, I’d like to talk about alternatives.
I’ve had people suggest I password-protect my binary downloads and provide the password in clear text (ZIP files leak their .exe filenames even when encrypted, so it would have to be 7-Zip, which is less commonly available). And incredibly, I’ve even had a self-professed SEO expert advise me to cloak the download (hide it from Google’s crawler). This is about the most terrible advice anyone could give: trying to outsmart Google is a sure-fire way to escalate the issue into a manual action against your site. Don’t ever do this.
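The ZIP filename leak mentioned above, shown on a constructed in-memory archive (an added example, not the article’s code): the ZIP central directory is never encrypted, so anyone, a crawler or scanner included, can list the member names of a password-protected archive, and only the entry data itself is locked.

```python
"""Traditional (ZipCrypto) ZIP encryption covers entry data only; the
central directory with every filename stays in clear text. Constructed
archive, no real binary or password involved."""
import io
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: entry data is encrypted


def build_plain_zip(members: dict) -> bytes:
    """Write an ordinary, unencrypted ZIP archive into memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_entries_encrypted(raw: bytes) -> bytes:
    """Set the 'encrypted' flag on every local header (offset 6) and central
    directory record (offset 8). Only the metadata is changed, which is all
    that matters here: the directory layout is identical to a real
    password-protected archive."""
    data = bytearray(raw)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos >= 0:
            data[pos + flag_offset] |= ENCRYPTED_FLAG
            pos = data.find(signature, pos + 4)
    return bytes(data)


def leaked_names(archive: bytes) -> list:
    """Filenames readable from an encrypted archive without any password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def entry_data_is_locked(archive: bytes, name: str) -> bool:
    """True when the entry's contents cannot be read without a password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        try:
            zf.read(name)
        except RuntimeError:  # zipfile: "password required for extraction"
            return True
    return False


if __name__ == "__main__":
    # Constructed members: a stand-in for a release binary and its readme.
    zipped = mark_entries_encrypted(build_plain_zip({"tool.exe": b"MZ...", "readme.txt": b"hi"}))
    print("names visible without password:", leaked_names(zipped))
    print("tool.exe data locked:", entry_data_is_locked(zipped, "tool.exe"))
```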
Your situation may vary, but the alternative I’ve come up with for now is to use third-party distribution platforms, and with a heavy heart, I will likely give in and pay the certificate authority racket fees myself.
Since my content is gaming related, I’ve begun hosting it on https://byuu.itch.io instead. There’s also my Cirrus CI buildbot for providing nightlies. And finally, I am also providing my binaries on my Discord server in a special #releases channel so that there’s a method of obtaining the binaries outside of web browsers where pages and files can be blocked.
It’s important to note that directly linking from one’s own site to software hosted elsewhere carries the same risk as directly hosting it. Unfortunately, the link will have to go to an external page (which will siphon traffic from you), which then leads to the downloads.
In this way, your software is still at risk of being erroneously flagged by Google Safe Browsing as “harmful content”, but at least it will no longer be on mission critical pages like your main website or your GitHub site.
I still very much consider this to be an unresolved issue of great importance, but until and unless Google makes much-needed revisions to their Safe Browsing technology, this is the best that I feel we can do.
Closing
I do believe in the goal of Google to protect users from malware, but it’s a balancing act between protecting against bad actors and harming good actors, and I feel Google has put their enormous weight far too heavily onto the latter, and that it is not beneficial to society for one company to hold so much power. But unfortunately, with 92.72% of US search traffic and a combined 80% of web browsers relying on Safe Search, they objectively call the shots at this point.
Thank you for reading. I hope that one day I can provide a final update to this story with a positive resolution for everyone.
