Google offers security blacklists to all

Computerworld - Google Inc. yesterday released to outside developers the same security API currently used by its own Google Desktop and Mozilla Corp.'s Firefox for warding off phishing and malware-dropping Web sites.

Dubbed the Safe Browsing API, the application programming interface gives third-party developers a way to integrate the ability to check for malicious sites into their own applications, said a pair of Google developers in an entry on the company's security blog. "It provides a simple mechanism for downloading Google's lists of suspected phishing and malware URLs, so now any developer can access the blacklists," wrote Brian Rakowski and Garrett Casto.

Google maintains a pair of blacklists that any client application using the API can now access to warn users of potentially dangerous sites. Developers could use the API, suggested Google, to prevent users from posting phishing links on a blog or to alert users that a link from a software download site is a known malware distributor.

"The API is still experimental, but we hope it will be useful to ISPs, Web hosting companies and anyone building a site or an application that publishes or transmits user-generated links," Rakowski and Casto wrote in their blog posting.

According to the limited documentation Google made available, developers who choose to use the API have to comply with several guidelines and a live with a few limitations. Presumably for liability reasons, Google requires that developers qualify any warning. "You may not lead users to believe that the page in question is, without a doubt, a phishing page or a page that distributes malware," Google said. "You must qualify the warning using terms such as: suspected, potentially, possible, likely, may be."

Developers' client applications are also limited to 10,000 users sending regular requests to the API for the blacklists, Google noted, although it provided an e-mail address for requests to expand an application's user base.

Interested developers can request an API key at Google's site.

Safe Browsing's blacklists -- and the API that updates locally-stored lists on users' PCs -- is the basis of Firefox 2.0's current anti-phishing feature, and it may be used in Firefox 3.0, which is scheduled to ship before the end of the year, to display alerts of sites suspected of spewing malicious code.