←back to thread

Google flags Immich sites as dangerous

(immich.app)
742 points janpio | 9 comments | 22 Oct 25 20:53 UTC | HN request time: 0s | source | bottom
Show context
arccy ◴[22 Oct 25 23:30 UTC] No.45676475[source]
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
replies(15): >>45676781 #>>45676818 #>>45677023 #>>45677080 #>>45677130 #>>45677226 #>>45677274 #>>45677297 #>>45677341 #>>45677379 #>>45677725 #>>45677758 #>>45678975 #>>45679154 #>>45679258 #
thayne ◴[23 Oct 25 03:05 UTC] No.45677758[source]
Looking through some of the links in this post, I there are actually two separate issues here:

1. Immich hosts user content on their domain. And should thus be on the public suffic list.

2. When users host an open source self hosted project like immich, jellyfin, etc. on their own domain it gets flagged as phishing because it looks an awful lot like the publicly hosted version, but it's on a different domain, and possibly a domain that might look suspicious to someone unfamiliar with the project, because it includes the name of the software in the domain. Something like immich.example.com.

The first one is fairly straightforward to deal with, if you know about the public suffix list. I don't know of a good solution for the second though.

replies(4): >>45677810 #>>45677812 #>>45678057 #>>45678836 #
1. smaudet ◴[23 Oct 25 03:15 UTC] No.45677810[source]
I don't think the Internet should be run by being on special lists (other than like, a globally run registry of domain names)...

I get that SPAM, etc., are an issue, but, like f* google-chrome, I want to browse the web, not some carefully curated list of sites some giant tech company has chosen.

A) you shouldn't be using google-chrome at all B) Firefox should definitely not be using that list either C) if you are going to have a "safe sites" list, that should definitely be a non-profit running that, not an automated robot working for a large probably-evil company...

replies(6): >>45677835 #>>45677892 #>>45677899 #>>45677928 #>>45678115 #>>45678656 #
2. shadowgovt ◴[23 Oct 25 03:20 UTC] No.45677835[source]
There are other browsers if you want to browse the web with the blinders off.

It's browser beware when you do, but you can do it.

3. knowriju ◴[23 Oct 25 03:32 UTC] No.45677892[source]
If you have such strong feelings, you could always use vanilla chromium.
4. jonas21 ◴[23 Oct 25 03:33 UTC] No.45677899[source]
You can turn it off in Chrome settings if you want.
5. thayne ◴[23 Oct 25 03:40 UTC] No.45677928[source]
Firefox and Safari also use the list. At least by default, I think you can turn it off in firefox. And on the whole, I think it is valuable to have _a_ list of known-unsafe sites. And note that Safe Browsing is a blocklist, not an allowlist.

The problem is that at least some of the people maintaining this list seem to be a little trigger happy. And I definitely thing Google probably isn't the best custodian of such a list, as they have obvious conflicts of interest.

replies(1): >>45678231 #
6. awesome_dude ◴[23 Oct 25 04:15 UTC] No.45678115[source]
Oh god, you reminded me the horrors of hosting my own mailserver and all of the white/blacklist BS you have to worry about being a small operator (it's SUPER easy to end up on the blacklists, and is SUPER hard to get onto whitelists)
7. zenmac ◴[23 Oct 25 04:44 UTC] No.45678231[source]
>I think it is valuable to have _a_ list of known-unsafe sites

And how and who should define what is consider unsafe sites?

replies(1): >>45678271 #
8. MostlyStable ◴[23 Oct 25 04:54 UTC] No.45678271{3}[source]
Ideally there should be several/many and the user should be able to direct their browser as to which they would like to use (or none at all)
9. lucideer ◴[23 Oct 25 06:04 UTC] No.45678656[source]
> I don't think the Internet should be run by being on special lists

People are reacting as if this list is some kind of overbearing way of tracking what people do on the web - it's almost the opposite of that. It's worth clarifying this is just a suffix list for user-hosted content. It's neither a list of user-hosted domains nor a list of safe websites generally - it's just suffixes for a very small specific use-case: a company providing subdomains. You can think of this as a registry of domain sub-letters.

For instance:

- GitHub.io is on the list but GitHub.com is not - GitHub.com is still considered safe

- I self-host an immich instance on my own domain name - my immich instance isn't flagged & I don't need to add anything to the list because I fully own the domain.

The specific instance is just for Immich themselves who fully own "immich.cloud" but sublet subdomains under it to users.

> *if you are going to have a "safe sites" list"

This is not a safe sites list! This is not even a sites list at all - suffixes are not sites. This also isn't even a "safe" list - in fact it's really a "dangerous" list for browsers & various tooling to effectively segregate security & privacy contexts.

Google is flagging the Immich domain not because it's missing from the safe list but because it has legitimate dangers & it's missing from the dangerous list that informs web clients of said dangers so they can handle them appropriately.