←back to thread

Google flags Immich sites as dangerous

(immich.app)
1021 points janpio | 1 comments | 22 Oct 25 20:53 UTC | HN request time: 0.199s | source
Show context
arccy ◴[22 Oct 25 23:30 UTC] No.45676475[source]
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
replies(16): >>45676781 #>>45676818 #>>45677023 #>>45677080 #>>45677130 #>>45677226 #>>45677274 #>>45677297 #>>45677341 #>>45677379 #>>45677725 #>>45677758 #>>45678975 #>>45679154 #>>45679258 #>>45679802 #
thayne ◴[23 Oct 25 03:05 UTC] No.45677758[source]
Looking through some of the links in this post, I there are actually two separate issues here:

1. Immich hosts user content on their domain. And should thus be on the public suffic list.

2. When users host an open source self hosted project like immich, jellyfin, etc. on their own domain it gets flagged as phishing because it looks an awful lot like the publicly hosted version, but it's on a different domain, and possibly a domain that might look suspicious to someone unfamiliar with the project, because it includes the name of the software in the domain. Something like immich.example.com.

The first one is fairly straightforward to deal with, if you know about the public suffix list. I don't know of a good solution for the second though.

replies(6): >>45677810 #>>45677812 #>>45678057 #>>45678836 #>>45679383 #>>45679806 #
liqilin1567 ◴[23 Oct 25 04:02 UTC] No.45678057[source]
That means the Safe Browsing abuse could be weaponized against self-hosted services, oh my...
replies(1): >>45678150 #
1. sschueller ◴[23 Oct 25 04:22 UTC] No.45678150[source]
New directive from the Whitehouse. Block all non approved sites. If you don't do it we will block your merger etc...