706 points janpio | 14 comments
arccy No.45676475
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
replies(15): >>45676781 #>>45676818 #>>45677023 #>>45677080 #>>45677130 #>>45677226 #>>45677274 #>>45677297 #>>45677341 #>>45677379 #>>45677725 #>>45677758 #>>45678975 #>>45679154 #>>45679258 #
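A worked illustration of the point arccy makes above, added here and not taken from the thread or from the Immich project: a minimal implementation of the Public Suffix List matching algorithm (as documented at https://github.com/publicsuffix/list/wiki/Format), run against a small constructed excerpt of the list so it works offline. The `example.net` entry in the PRIVATE section is an assumption standing in for a host that serves user content on subdomains and has added itself to the list; with that entry present, `alice.example.net` and `bob.example.net` resolve to different registrable domains, and without it they collapse into one site.

```python
"""Minimal Public Suffix List (PSL) lookup.

Added example, not code from the thread or from the Immich project. It
implements the matching rules documented at
https://github.com/publicsuffix/list/wiki/Format against a constructed
excerpt of the list. The "example.net" PRIVATE entry is an assumption.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the real file's syntax: "//" comments, "*." wildcard
# rules, "!" exception rules, and the ICANN/PRIVATE section markers.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
net
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Hypothetical user-content host that listed itself (assumption).
example.net
// ===END PRIVATE DOMAINS===
"""


@dataclass(frozen=True)
class Rule:
    labels: Tuple[str, ...]   # e.g. ("co", "uk"); "*" matches any single label
    exception: bool           # True for "!www.ck" style rules


def parse_psl(text: str, include_private: bool = True) -> List[Rule]:
    """Parse PSL text. With include_private=False the PRIVATE-section rules
    are skipped, which is how a consumer that only honours ICANN entries
    would see the list."""
    rules: List[Rule] = []
    in_private = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("//"):
            if "BEGIN PRIVATE DOMAINS" in line:
                in_private = True
            elif "END PRIVATE DOMAINS" in line:
                in_private = False
            continue
        if in_private and not include_private:
            continue
        exception = line.startswith("!")
        if exception:
            line = line[1:]
        rules.append(Rule(tuple(line.lower().split(".")), exception))
    return rules


def _matches(rule: Rule, labels: List[str]) -> bool:
    """A rule matches when its labels equal the host's rightmost labels,
    with "*" standing in for exactly one label."""
    if len(rule.labels) > len(labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule.labels), reversed(labels)))


def public_suffix(host: str, rules: List[Rule]) -> str:
    """Longest matching rule wins; an exception rule beats all others."""
    labels = host.lower().rstrip(".").split(".")
    matching = [r for r in rules if _matches(r, labels)]
    if not matching:
        prevailing = Rule(("*",), False)          # unlisted TLD: last label
    else:
        exceptions = [r for r in matching if r.exception]
        prevailing = exceptions[0] if exceptions else max(
            matching, key=lambda r: len(r.labels))
    n = len(prevailing.labels)
    if prevailing.exception:
        n -= 1   # exception rules shed their leftmost label
    return ".".join(labels[-n:])


def registrable_domain(host: str, rules: List[Rule]) -> Optional[str]:
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def same_site(host_a: str, host_b: str, rules: List[Rule]) -> bool:
    """True when a site-scoped judgement on one host would cover the other."""
    return registrable_domain(host_a, rules) == registrable_domain(host_b, rules)


if __name__ == "__main__":
    with_private = parse_psl(PSL_EXCERPT)
    icann_only = parse_psl(PSL_EXCERPT, include_private=False)
    for rules, label in ((icann_only, "ICANN only"),
                         (with_private, "with PRIVATE entry")):
        print(label, "->", registrable_domain("alice.example.net", rules),
              "| same site as bob.example.net:",
              same_site("alice.example.net", "bob.example.net", rules))
```

In production, fetch the current list from publicsuffix.org rather than embedding an excerpt, or use a maintained library such as `tldextract`; the excerpt here exists only to make the example self-contained. Being listed changes how browsers draw the site boundary (cookies and the like stop being shared across tenant subdomains), which is the mechanism arccy is relying on; whether a given reputation service honours the PRIVATE section is up to that service, hence "should eventually".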
1. LennyHenrysNuts No.45677274
The root cause is bad behaviour by google. This is merely a workaround.
replies(1): >>45677284 #
2. bitpush No.45677284
Remember, this is a free service that Google is offering for even their competitors to use.

And it is an incredibly valuable thing. You might not think it is, but the internet is filled with utterly dangerous, scammy, phishy, malwarey websites, and every day Safe Browsing (via Chrome, Firefox and Safari - yes, Safari uses Safe Browsing) keeps users safe.

If Immich didn't follow best practice, that's Google's fault? You're showing your naivety and bias here.

replies(6): >>45677317 #>>45677323 #>>45677395 #>>45678677 #>>45678682 #>>45679318 #
3. liquid_thyme No.45677317
>You might not think it is, but internet is filled utterly dangerous, scammy, phisy, malwary websites

Google is happy to take their money and show scammy ads. Google ads are the most common vector for fake software support scams. Most people google something like "microsoft support" and end up there. Has Google ever banned their own ad domains?

Google is the last entity I would trust to be neutral here.

4. NetMageSCW No.45677323
Please point me to where GoDaddy or any other hosting site mentions public suffix, or where Apple or Google or Mozilla have a list of hosting best practices that includes avoiding false positives by Safe Browsing…
replies(1): >>45677462 #
5. delis-thumbs-7e No.45677395
Oh c’mon. Google does not offer free services. Everyone should know that by now.
replies(1): >>45678700 #
6. gruez No.45677462{3}
>GoDaddy or any other hosting site mentions public suffix

They don't need to mention it because they handle it on behalf of the client. Them recommending best practices like using separate domains makes as much sense as them recommending what TLS configs to use.

>or where Apple or Google or Mozilla have a listing hosting best practices that include avoiding false positives by Safe Browsing…

Since when were those sites the go-to place to learn how to host a site? Apple doesn't offer anything related to web hosting besides "a computer that can run nginx". Google might be the place to ask if you were your aunt and "google" means "internet" to her. Mozilla is the most plausible one because they host MDN, but hosting documentation on HTML/CSS/JS doesn't necessarily mean they offer hosting advice, any more than expecting docs.djangoproject.com to contain hosting advice.

replies(1): >>45677700 #
7. Zak No.45677700{4}
The underlying question is: how are people supposed to know about this before they have a big problem?
replies(1): >>45677757 #
8. nemothekid No.45677757{5}
If you have a service where anyone can sign up and host content on your subdomain, it really is your responsibility to know. Calling this "unfair" because you didn't know is naive.

If Amazon shut down your AWS account because those same scammers used those domains to host CP rather than phishing pages, would you accept the excuse of "how was I supposed to know?"

replies(1): >>45678880 #
9. udev4096 No.45678677
The irony is fucking palpable. You are showing off your naivety and bias here. Imagine defending the most evil, trillion dollar corp. How many ignorant sell outs do we have on HN?
replies(1): >>45678696 #
10. realusername No.45678682
The argument would work better if Google wasn't the #1 distributor of scams and malware in the world with adsense. (Which strangely isn't flagged by safe browsing, maybe a coincidence)
11. bitpush No.45678696{3}
> Imagine defending the most evil, trillion dollar corp

Hyperbole much?

12. bitpush No.45678700{3}
What is Safari getting by using Safe Browsing?
13. asmor No.45678880{6}
Nothing in this article indicates UGC is the problem. It's that Google thinks there's an "official" central immich and these instances are impersonating it.

What malicious UGC would you even deliver over this domain? An image with scam instructions? CSAM isn't even in scope for Safe Browsing, just phishing and malware.

14. 63stack No.45679318
Holy shit look into the mirror.

One of the internet's biggest sources of scams, phishing, malware and everything else you are complaining about is Google AdSense.

Google is using the list to bully out competitors, while telling you it's for keeping you safe.

_You_ are showing naivety and bias.