Google flags Immich sites as dangerous

(immich.app)

742 points janpio | 1 comments | 22 Oct 25 20:53 UTC | HN request time: 0s | source

Show context

arccy ◴[22 Oct 25 23:30 UTC] No.45676475[source]▶

If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....

replies(15): >>45676781 #>>45676818 #>>45677023 #>>45677080 #>>45677130 #>>45677226 #>>45677274 #>>45677297 #>>45677341 #>>45677379 #>>45677725 #>>45677758 #>>45678975 #>>45679154 #>>45679258 #

thayne ◴[23 Oct 25 03:05 UTC] No.45677758[source]▶

>>45676475 #

Looking through some of the links in this post, I there are actually two separate issues here:

1. Immich hosts user content on their domain. And should thus be on the public suffic list.

2. When users host an open source self hosted project like immich, jellyfin, etc. on their own domain it gets flagged as phishing because it looks an awful lot like the publicly hosted version, but it's on a different domain, and possibly a domain that might look suspicious to someone unfamiliar with the project, because it includes the name of the software in the domain. Something like immich.example.com.

The first one is fairly straightforward to deal with, if you know about the public suffix list. I don't know of a good solution for the second though.

replies(4): >>45677810 #>>45677812 #>>45678057 #>>45678836 #

1. VTimofeenko ◴[23 Oct 25 03:16 UTC] No.45677812[source]▶

>>45677758 #

> When users host an open source self hosted project like immich, jellyfin, etc. on their own domain...

I was just deploying your_spotify and gave it your-spotify.<my services domain> and there was a warning in the logs that talked about thud, linking the issue:

https://github.com/Yooooomi/your_spotify/issues/271

↑