Remove fallback API key for Google SafeBrowsing API

[Zodiac1978]

We are not allowed to use this API in the plugin. We are forced to use the paid Web Risk API:
https://cloud.google.com/web-risk

There seems to be a free rate, but with a public key this is to risky for me.

So we need to remove the fallback API key completely.

Looking at the test URL we could provide a direct link for testing:
https://transparencyreport.google.com/safe-browsing/search?url=example.de

And we should add a documentation to get this the Safebrowsing API key.

[stklcode]

Strictly speaking is was never really "okay" to use a shared key, I guess.

We have this option for SafeBrowsing since 1.4, so my suggestion is to

1. add a link to the Google documentation how to obtain the key
   add a hint to the "non-commercial" clause
   probably add a link to the web UI for a manual check
2. push a minor release with an admin notice that the fallback will be removed with the next point release and administrators must migrate
3. remove the fallback with 1.5 and only run the check if a key is provided
4. revoke "our" API key shortly after 1.5 has been released - remaining 1.4 instances yet generate an email notice for invalid keys

Introducing additional Web Risk support would be a nice feature, too.

[Zodiac1978]

Strictly speaking is was never really "okay" to use a shared key, I guess.

Yes.

add a link to the Google documentation how to obtain the key

Looking at the Map API documentation, I don't think there is an easy tutorial on the Google pages for this.

add a hint to the "non-commercial" clause

Where and why?

probably add a link to the web UI for a manual check

Yes, it seems to be easy to provide a link which contains the URL of the site already.

push a minor release with an admin notice that the fallback will be removed with the next point release and administrators must migrate

We should not wait for too long with this ...

remove the fallback with 1.5 and only run the check if a key is provided

👍

revoke "our" API key shortly after 1.5 has been released - remaining 1.4 instances yet generate an email notice for invalid keys

What do you mean with email notice? They will get false positives or not? No email informing about invalid kex, or not?

Introducing additional Web Risk support would be a nice feature, too.

What is the difference? I thought it is just non-commercial vs. commercial:
"The following Safe Browsing APIs are for non-commercial use only. If you need to use APIs to detect malicious URLs for commercial purposes – meaning “for sale or revenue-generating purposes” – please refer to the Web Risk API."

[stklcode]

Looking at the Map API documentation, I don't think there is an easy tutorial on the Google pages for this.

Pretty straight forward in my eyes.
https://developers.google.com/safe-browsing/v4/get-started

But yes, the UI and the ACL system aren’t that intuitive for the average user.

Yes, it seems to be easy to provide a link which contains the URL of the site already.

We already send such links along with the warning. Show it on the settings page should be no problem.

antivirus/inc/class-antivirus-safebrowsing.php

Lines 81 to 87 in b9c9afd

	self::_send_warning_notification(
	esc_html__( 'Safe Browsing Alert', 'antivirus' ),
	sprintf(
	"%s\r\nhttps://transparencyreport.google.com/safe-browsing/search?url=%s&hl=%s",
	esc_html__( 'Google has found a problem on your page and probably listed it on a blacklist. It is likely that your website or your hosting account has been hacked and malware or phishing code was installed. We recommend to check your site. For more details please check the Google Safe Browsing diagnostic page:', 'antivirus' ),
	urlencode( get_bloginfo( 'url' ) ),
	substr( get_locale(), 0, 2 )

What do you mean with email notice? They will get false positives or not? No email informing about invalid kex, or not?

Depends on the version they use. In 1.4 we detect errors (key invalid, limit exceeded, etc.) and send such message “check failed ... provide/check your key“. Older versions will send false positives.

Introducing additional Web Risk support would be a nice feature, too.

What is the difference? I thought it is just non-commercial vs. commercial:

Isn‘t that enough difference?
Function and result are pretty close for our use case, both will likely give the same results and are similar to use. So it should be no problem to enable both APIs and let the uses decide for which they provide an API key. Maybe just add a select box, using both should not give any benefit.

[Zodiac1978]

the UI and the ACL system aren’t that intuitive for the average user.

Yes, that's what I thought. Many Map plugins have their own documentation because of this.

We already send such links along with the warning. Show it on the settings page should be no problem.

Yes. URL encode the site URL - that's what I meant 👍

Depends on the version they use.

Therefore the misunderstanding. You are complete right with this longer explanation.

should be no problem to enable both APIs and let the uses decide for which they provide an API key

You are right. This makes sense. In most cases the free tier should be sufficient for our use case.