neon_erosion commented on Google Safe Browsing incident   statichost.eu/blog/google... · Posted by u/ericselin
bluesmoon · 5 months ago
GitHub discovered the same thing a long, long time ago, which is why you now have the github.io domain.
neon_erosion · 5 months ago
Don't forget the `githubusercontent.com` domain, which is specifically used to host risky, user-generated content, and is fully documented in https://docs.github.com/en/authentication/keeping-your-accou... (using an open source component that other companies could also use, if they were interested in similar levels of security)
ericselin · 5 months ago
This is of course true! It just takes an incident like this to get one's head out of one's ass and actually do it. :)
neon_erosion · 5 months ago
This is the kind of thing that customers rely on you to do _before_ it causes an incident.
jeroenhd · 5 months ago
The thing about Google is that they regularly get this stuff wrong, and there is no recourse when they do.

I think most people working in tech know the extent to which Google can screw over a business when they make a mistake, but the gravity of the situation becomes much clearer when it actually happens to you.

This time it's a phishing website, but what if the same happens five years down the line because of an unflattering page about a megalomaniac US politician?

neon_erosion · 5 months ago
Then that would be an example of a system having failed and one that needs to change. Instead, this is an example of a hosting company complaining about the consequences of skipping some of the basic, well-documented safety and security practices that help to isolate domains for all sorts of reasons, from reputation to little things like user cookies.
ericselin · 5 months ago
The thing is, you cannot just add any domain to the PSL. You need a significant amount of users before they will include your domain. Until recently, there really was no point in even submitting, since the domain would have been rejected as too small. An increase in user base, an increase in malicious content and the ability to add your domain to the PSL all happen sort of simultaneously.

I'm also trusting my users to not expose their cookies for the whole *.statichost.eu domain. And all "production" sites use a custom domain anyway, which avoids all of this.

neon_erosion · 5 months ago
There are well-documented solutions to this that don't rely on the PSL. Choosing to ignore all of that advice while hosting user content is a very irresponsible choice, at best.
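The cookie-scoping point raised in the exchange above (one tenant on `alice.statichost.eu` setting `Domain=statichost.eu` and having the cookie sent to every other tenant's site) is the kind of thing the Public Suffix List is meant to block. The following is an added example, not code from the thread or from statichost.eu: it simulates the browser-side Domain-attribute check from RFC 6265 section 5.3 against a constructed PSL subset. Whether `statichost.eu` is actually listed is an assumption for the "with entry" case (the thread says inclusion is pending); the host names and PSL contents are constructed for illustration.

```python
# Added example (not from the thread): simulate the cookie Domain-attribute
# check a browser performs, with and without a Public Suffix List entry for
# the shared hosting domain. The PSL contents below are a constructed subset;
# the real list lives at https://publicsuffix.org/list/ . Listing statichost.eu
# in PSL_WITH_ENTRY is an assumption for illustration.

# Constructed PSL subsets (ICANN TLDs plus a few private-section entries).
PSL_WITHOUT_ENTRY = {"eu", "io", "com"}
PSL_WITH_ENTRY = {"eu", "io", "com", "github.io", "statichost.eu"}


def is_public_suffix(domain: str, psl: set[str]) -> bool:
    """True if the domain is itself a public suffix per the given PSL."""
    return domain.lower().strip(".") in psl


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching: the host equals the cookie
    domain, or ends with '.' followed by the cookie domain."""
    rh = request_host.lower()
    cd = cookie_domain.lower().lstrip(".")
    return rh == cd or rh.endswith("." + cd)


def accept_cookie_domain(setting_host: str, cookie_domain: str, psl: set[str]) -> bool:
    """Would a browser store a Set-Cookie carrying this Domain attribute, sent
    by setting_host?  Modelled on RFC 6265 section 5.3 step 6: a Domain that is
    a public suffix is rejected unless it is exactly the setting host (in which
    case the cookie is stored host-only), and in all cases the setting host
    must domain-match the Domain attribute."""
    cd = cookie_domain.lower().lstrip(".")
    if is_public_suffix(cd, psl) and cd != setting_host.lower():
        return False
    return domain_matches(setting_host, cd)


def cookie_sent_to(request_host: str, cookie_domain: str) -> bool:
    """Would a stored cookie with this Domain be attached to a request to
    request_host?  Same domain-matching rule as on the way in."""
    return domain_matches(request_host, cookie_domain)


def cross_tenant_leak(setting_host: str, cookie_domain: str,
                      other_host: str, psl: set[str]) -> bool:
    """True if a cookie set by one tenant with Domain=cookie_domain would be
    accepted by the browser and then sent along to another tenant's host."""
    return (accept_cookie_domain(setting_host, cookie_domain, psl)
            and cookie_sent_to(other_host, cookie_domain))


if __name__ == "__main__":
    # Constructed scenario: tenant 'alice' sets a wide cookie; does 'bob' get it?
    for label, psl in (("no PSL entry", PSL_WITHOUT_ENTRY),
                       ("statichost.eu on PSL", PSL_WITH_ENTRY)):
        leak = cross_tenant_leak("alice.statichost.eu", "statichost.eu",
                                 "bob.statichost.eu", psl)
        print(f"{label:22s}: cookie reaches bob.statichost.eu -> {leak}")
```

Without the PSL entry the browser treats `statichost.eu` like any registrable domain, so a `Domain=statichost.eu` cookie set from one tenant's subdomain is accepted and then sent to every other tenant. With the entry present the same Set-Cookie is dropped, and each tenant can only scope cookies to its own host, which is the isolation property a separate user-content domain on the PSL buys.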
kbolino · 5 months ago
Putting user content on another domain and adding that domain to the public suffix list is good advice.

So good, in fact, that it should have been known to an infrastructure provider in the first place. There's a lot of vitriol here that is ultimately misplaced away from the author's own ignorance.

neon_erosion · 5 months ago
Exactly, this has been documented knowledge for many years now, even decades. GitHub and other large providers of user-generated content have public-facing documentation on the risks and ways to mitigate them. Any hosting provider that chooses to ignore those practices is putting themselves, and their customers, at risk.
ericselin · 5 months ago
I'm not saying that Google or Safe Browsing in particular did anything wrong per se. My point is primarily that Google has too much power over the internet. I know that in this case what actually happened is because of me not putting enough effort into fending off bad guys.

The new separate domain is pending inclusion in the PSL, yes.

Edit: the "effort" I'm talking about above refers to more real time moderation of content.

neon_erosion · 5 months ago
How does flagging a domain that was actively hosting phishing sites demonstrate that Google has too much power? They do, but this is a terrible example, undermining any point you are trying to make.
ericselin · 5 months ago
I respectfully disagree with your premise. In this specific case, yes, "Google does good thing" in a sense. That is not why I'm saying Google has too much power. "Too much" is relative and whether they do good or bad is debatable, of course, but it's hard to argue that they don't have a gigantic influence on the whole internet, no? :)

Helping people avoid potentially devastating mistakes is of course a good thing.

neon_erosion · 5 months ago
What point are you trying to make here? You hosted phishing sites on your primary domain, which was then flagged as unsafe. You chose not to use the tools that would have marked those sites as belonging to individual users, and the system worked as designed.
