1021 points | janpio
arccy ◴[] No.45676475[source]
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
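An added illustration of the point in the comment above (not code from the thread, the Public Suffix List project, or any browser): a simplified matcher for Public Suffix List rules, showing how a suffix entry changes which hostnames a consumer that scopes by registrable domain treats as the same site. The rule excerpt and the `usercontent.example` entry are constructed for this example.

```python
# Added example. RULES is a constructed excerpt in Public Suffix List syntax;
# "usercontent.example" is a hypothetical private entry, not a real PSL line.
RULES = ["com", "*.ck", "!www.ck"]
RULES_WITH_HOST = RULES + ["usercontent.example"]


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def _matches(rule, labels):
    """A rule matches when its labels equal the name's rightmost labels ('*' = any)."""
    if len(rule) > len(labels):
        return False
    return all(r in ("*", d) for r, d in zip(rule, labels[-len(rule):]))


def public_suffix(domain, rules):
    labels = _labels(domain)
    best, exception = ["*"], None  # "*" is the default rule when nothing matches
    for line in rules:
        rule = line.lstrip("!").split(".")
        if not _matches(rule, labels):
            continue
        if line.startswith("!"):
            exception = rule  # an exception rule always prevails
        elif len(rule) > len(best):
            best = rule  # otherwise the longest matching rule wins
    # An exception rule is applied with its leftmost label removed.
    n = len(exception) - 1 if exception else len(best)
    return ".".join(labels[len(labels) - n:])


def registrable_domain(domain, rules):
    """Public suffix plus one label (eTLD+1); None if the name is itself a suffix."""
    labels = _labels(domain)
    n = len(public_suffix(domain, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def same_site(a, b, rules):
    """True when both hostnames fall under the same registrable domain."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb
```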
thayne ◴[] No.45677758[source]
Looking through some of the links in this post, I think there are actually two separate issues here:

1. Immich hosts user content on their domain. And should thus be on the public suffix list.

2. When users host an open source self hosted project like immich, jellyfin, etc. on their own domain it gets flagged as phishing because it looks an awful lot like the publicly hosted version, but it's on a different domain, and possibly a domain that might look suspicious to someone unfamiliar with the project, because it includes the name of the software in the domain. Something like immich.example.com.

The first one is fairly straightforward to deal with, if you know about the public suffix list. I don't know of a good solution for the second though.

smaudet ◴[] No.45677810[source]
I don't think the Internet should be run by being on special lists (other than like, a globally run registry of domain names)...

I get that SPAM, etc., are an issue, but, like f* google-chrome, I want to browse the web, not some carefully curated list of sites some giant tech company has chosen.

A) you shouldn't be using google-chrome at all B) Firefox should definitely not be using that list either C) if you are going to have a "safe sites" list, that should definitely be a non-profit running that, not an automated robot working for a large probably-evil company...

thayne ◴[] No.45677928[source]
Firefox and Safari also use the list. At least by default, I think you can turn it off in Firefox. And on the whole, I think it is valuable to have _a_ list of known-unsafe sites. And note that Safe Browsing is a blocklist, not an allowlist.

The problem is that at least some of the people maintaining this list seem to be a little trigger happy. And I definitely think Google probably isn't the best custodian of such a list, as they have obvious conflicts of interest.

zenmac ◴[] No.45678231[source]
>I think it is valuable to have _a_ list of known-unsafe sites

And how and who should define what is considered unsafe sites?

MostlyStable ◴[] No.45678271[source]
Ideally there should be several/many and the user should be able to direct their browser as to which they would like to use (or none at all)