Open joelanman opened 3 years ago
This no longer appears to be happening on the prototype it was originally reported on (gov.uk account) so it's possible Google/Chrome checks were too sensitive and they've changed them. Closing for now, can reopen if it happens again.
Ollie Chalk (security researcher, previously with GDS) has done some digging into this and had some suggestions:
I've had experience with Google flagging .gov.uk services multiple times, as recent as last Christmas, so it's not sufficient mitigation to just deploy on a gov.uk domain.
Even having something like basic authentication in front of prototypes doesn't prevent flagging as it's done in the user's browsers after any authentication.
The most I've found you can do is register domains early, ensure valid and public whois information, register in Google's web/search console tools, and add appropriate text that explains it is a prototype. Then have a handful of people use the service/prototype internally for a few days before publishing the link.
I have tried to have some convos with folks at Google but been unsuccessful so far..
Just in relation to this: We've had a couple of support cases pop up about this in the last two days:
last time we looked at this we couldn't reproduce it but as it's happening again I'm putting it back in awaiting triage
Had a report that moving from Heroku to PaaS, with a cloudapps.digital domain fixed this
@joelanman please provide the latest actions taken in regards to this piece of work.
we are meeting with Deputy Director of Digital Service Platforms to discuss, hopefully then speak to Google
we had a chat with people at Google, some notes: https://docs.google.com/document/d/1kYOABwnBmpcP4XWK6k1HE1ifTl1ZV5lg-HoCRMw28pg/edit
The GOV.UK Accounts team have had the red "deceptive" screen appear in a prototype we are testing this week. It appeared almost instantly when pushing to a GitHub repo linked to Heroku. Happy to share the prototype details on cross-GOV Slack @joelanman
As of today, we are not aware of any prototypes being blocked, please add to this thread or get in touch with the team if your prototype is blocked. https://design-system.service.gov.uk/get-in-touch/
AVG recording updating prototype kit page as virus threat within Home Office as seen in xgov slack
The related issue about AVG is here: https://github.com/alphagov/govuk-prototype-kit-docs/issues/28
We have some reports of prototypes being blocked by Google in Chrome because they look like deceptive fake/scam phishing sites.
It's possible that a real gov.uk domain for prototypes would fix this
one workaround is to use a browser other than Chrome