What is s3.amazonaws.com, and why is Chrome blocking it?
Lately, whenever I click on a download link in Google Chrome, it redirects to another link starting with s3.amazonaws.com, which in turn gets blocked either by Chrome or by my Antivirus (Comodo Internet Security). Copying the same link into Firefox or(*) a download manager downloads the file normally.
I have tried resetting Chrome settings, disconnecting my Google account, removing all extensions, disabling all plugins, and performing a system scan, but the issue persists.
My question is: What exactly is s3.amazonaws.com? Is it malicious, or is Chrome mistrusting it? And how do I fix the issue?
An example file that invokes such behavior is Pandoc msi setup from this page
(*) It no longer works with Firefox
@thexacre clicking the link you posted leads me directly to this one: https://s3.amazonaws.com/github-cloud/releases/571770/ee4e642e-87e0-11e4-864a-9f8485371008.msi?response-content-disposition=attachment%3B%20filename%3Dpandoc-1.13.2-windows.msi&response-content-type=application/octet-stream&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1428195561&Signature=67TuZKsrJ4kw3V7xDFxkhtW7KZw%3D which is blocked by my browser
My mistake, you're right. The link is on a GitHub domain but it 302 redirects to an S3 domain. You might want to a. post this on the Pandoc issue tracker https://github.com/jgm/pandoc/issues and b. ask for a checksum of the packages so you can confirm the ones you downloaded haven't been tampered with.
For me the md5sum of pandoc-1.13.2-windows.msi is d368d072a2b84c72f1ed863db96d7826. I didn't have any trouble downloading it but I'm on Ubuntu and I don't have Comodo.
It looks like you used 1.13.1 but mine was for 1.13.2. I downloaded 1.13.1 and got f40cb166d8f915afa9df978c014cc94d the same as you.
@thexacre I just noticed that too. My bad. 1.13.2 matches with your previous result d368d072a2b84c72f1ed863db96d7826. Does this mean my browser and antivirus are giving false alerts?
It might just be a false positive, but I'd encourage you to raise this issue on their issue tracker just in case. I myself have been involved with a fairly large open source project who were the victim of targeted attacks to both compromise our GitHub accounts and tamper with our download packages. It can happen.
s3.amazonaws.com is an endpoint for a cloud file storage product offered by Amazon Web Services (AWS) and is used by many websites and apps (albeit usually behind the scenes, but you can serve files from it directly too).
Seeing references to that domain is definitely not inherently malicious; however, given that you can store just about any file in S3, there's no guarantee that it isn't being used to store some malicious files (among the overwhelmingly legitimate files). AWS credentials are a valuable target for hackers so it's possible the owner of the account has been compromised.
Chrome and Comodo may know that attributes such as the size, checksum, name, etc. of the file match that of known malware which is why they're blocking it (rather than necessarily because it's served from
I'd recommend reporting it via the AWS abuse form or by emailing [email protected]. If it is malware then they'll most likely remove it and contact the account owner. AWS is usually extremely proactive about security issues.
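The redirect target quoted in the comments is a query-string-signed S3 URL, and the check the commenters performed was a checksum comparison. As an added example (not part of the original posts), this Python sketch splits that URL into bucket, key, filename and expiry, and compares a local file's digest with a published value; the function names are hypothetical, and MD5 is the default only because the thread exchanged md5sum values.

```python
import hashlib
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# URL quoted in the comment thread (query separators normalised to plain '&').
REDIRECT_URL = (
    "https://s3.amazonaws.com/github-cloud/releases/571770/"
    "ee4e642e-87e0-11e4-864a-9f8485371008.msi"
    "?response-content-disposition=attachment%3B%20filename%3Dpandoc-1.13.2-windows.msi"
    "&response-content-type=application/octet-stream"
    "&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1428195561"
    "&Signature=67TuZKsrJ4kw3V7xDFxkhtW7KZw%3D"
)

def describe_presigned_url(url):
    """Split a path-style, query-string-signed S3 URL into its parts."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Path-style addressing: the first path segment is the bucket, the rest the key.
    bucket, _, key = parts.path.lstrip("/").partition("/")
    disposition = query.get("response-content-disposition", "")
    return {
        "host": parts.hostname,
        "bucket": bucket,
        "key": key,
        # Name the browser is told to save the object under.
        "filename": disposition.partition("filename=")[2] or None,
        # Unix time after which S3 refuses the signed request.
        "expires_utc": datetime.fromtimestamp(int(query["Expires"]), tz=timezone.utc),
        # Identifies the signer only; the secret key is never in the URL.
        "access_key_id": query.get("AWSAccessKeyId"),
    }

def file_digest(path, algorithm="md5"):
    """Hash a file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_published(path, expected_hex, algorithm="md5"):
    """True when the local file's digest equals the published checksum."""
    return file_digest(path, algorithm) == expected_hex.strip().lower()
```

A match only shows that the local copy equals the file the checksum was computed from, so take the reference value from a channel separate from the download itself, and pass `algorithm="sha256"` where the project publishes a SHA-256 sum.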
The main problem is sites that might serve malware hide behind the relative anonymity of the CDNs. You're not likely able to differentiate between one CDN source as legitimate as another. You essentially need a higher level way of determining endpoint identity such as that provided through SSL than just eyeballing the URL. Alternatively you could try to figure out the IPv4 address and go from there.