Deceptive site ahead - warnings just started today from Google Chrome (only)

[spaceman]

Hi All,

Latest version of Google Chrome 89.0.4390.90 (Official build) has suddenly started today, 15th March 2021, to display some of our sites as insecure, despite the fact that the TLD and subdomains are reporting just fine with SSL Shopper:

SSL Checker

Use our fast SSL Checker will help you troubleshoot common SSL Certificate installation problems on your server including verifying that the correct certificate is installed, valid, and properly trusted.

www.sslshopper.com

SSL Checker

Use our fast SSL Checker will help you troubleshoot common SSL Certificate installation problems on your server including verifying that the correct certificate is installed, valid, and properly trusted.

www.sslshopper.com

Google Chrome is claiming that the SSL certs for the above domains are NOT valid, NOT secure. Other browsers don't seem to have a problem.

As per what SSL Shopper says, the certificate was issued by Sectigo, but also that the Issuer is cPanel, Inc. Certification Authority.

So we're wondering whether either:

1. Google Chrome is wrong, and they'll need to fix it, OR
2. There is indeed some security issue with SSLs issued by Sectigo / cPanel which Google Chrome is (now) validly detecting and reporting.

Will continue to investigate...

Any other ideas are welcome.

 

[ZenHostingTravis]

Hi,

There is no issue with SSL.

I think your site/s are infected with malware because even though I didn't see the warning you mentioned, Sophos blocked the website for potentially being malicious.

You have to clean the website of any malware and then resubmit the website to Google to re-assess.

On the node, I'd recommend using Imunify 360 if you aren't already.

It is the best software for malware prevention and detection.

The following link may assist you further:

Malware detection - Tag Manager Help

The term malware, short for "malicious software," refers to any software specifically designed to harm a computer or any software it has installed. Malware can steal sensitive information (like credit

support.google.com

 

[spaceman]

Thanks for your reply @ZenHostingTravis .

Note that the issue appears to be affecting MULTIPLE websites, where there is zero technical connection between these website... they're even hosted on remove servers from one another. The only commonality being that they're all using the same TLD in various sub-domain configurations. So even if one site is infected.... it wouldn't make sense to effectively blacklist every subdomain site using the same TLD.

 

[spaceman]

Good news! The problem has gone away.

We did terminate one (of many) sites that were using the same TLD in a subdomain configuration. It did look like that one site might have been hacked.

This doesn't explain why ALL subdomain sites would have been blacklisted. That makes no sense.

I did report the issue to Google via the Google Search Console (formally Google Webmaster Tools) for them to review the situation, so whether or not they acted on this manually, and/or it was because we terminated the single "possibly suspect" hosting account... who knows.

A good result either way.

 

[ZenHostingTravis]

They have acted on submissions quickly in the past, when a customer of ours has had their website hacked.

Glad to hear the problem has been resolved.

 

[cPRex]

I'm glad you were able to get that resolved! You may want to contact Google and ask why they marked them all as having an issue as they would be the ones that are able to provide more details on that behavior.