I'm not saying that Google or Safe Browsing in particular did anything wrong per se. My point is primarily that Google has too much power over the internet. I know that what actually happened in this case came down to me not putting enough effort into fending off bad guys.
The new separate domain is pending inclusion in the PSL, yes.
Edit: the "effort" I'm talking about above refers to more real time moderation of content.
> My point is primarily that Google has too much power over the internet.
That is probably true, but in this case I think most people would think that they used that power for good.
It was inconvenient for you and the legitimate parts of what was hosted on your domain, but it was blocking genuinely phishing content that was also hosted on your domain.
Any employee of the site operator worth their salary in this area would have told the operator this beforehand, and this incident could have been avoided. Hell, even ChatGPT could tell you that by now. The word that comes to mind is incompetence on someone's part, though I don't know the details of who exactly was the incompetent one in this situation. Thankfully, they've learned a lesson and ideally won't make the same mistake again going forward.
I disagree, as a professional in this field for over a decade.
For that to be a legitimately backed statement, professionals would have needed to know about the PSL, and that condition is largely unmet.
For it to be met, there would need to be documentation in the form of RFCs and whitepapers coming out of industry working groups. That didn't happen.
M3AAWG has only two blog posts mentioning it, both after the great layoffs of 2023, and they only say that it's run by volunteers and needs support. There's no discussion of how it's organized, what it's being used for, process/due process, etc.
The PSL wholly lacks the outreach to professionals that would be needed for such a statement to be true.
I mean, it's a very big field, and it's easy enough for me to armchair quarterback and call it a skill issue without being vulnerable and putting my own credentials into question. There's a whole big world of things to know about making and running websites, and I'll readily admit I don't know everything. I don't do a lot of CSS or website SEO or run ad campaigns, so someone experienced there will run circles around me.
Putting user generated content on its own domain is more on the security side of things to know about running a website, and our industry doesn't regulate who's allowed to build websites. Everyone's got their own set of different best practices.
Regardless of the exact date that GitHub moved which kinds of user generated content (UGC) over to which domain/domains, I do expect a curious webdev in 2025 to have used GitHub and to have wondered, at some point in their web browsing career, what's up with stuff coming from e.g. raw.githubusercontent.com, and to have asked Google about it. They should have walked away with the idea that GitHub puts UGC on a separate domain intentionally for security reasons, even if they never hear mention of the PSL or how exactly it works and is implemented. The /r/webdev post you'll find links to a GitHub blog post that explains in detail why they did that, and it doesn't mention the PSL once.
It's fair to point out that the PSL isn't common knowledge, and I'd agree that it isn't. I don't think it needs to be, though. All it takes is being a user of GitHub and a modicum of curiosity. I expect anyone who calls themselves a webdev in 2025 to be able to explain to me what git and GitHub are and why they're different. They don't need to know where git came from, but I don't think I'm being unreasonable in asking that much. From there, I expect someone to be able to improvise an answer in an interview as to why raw.githubusercontent.com exists and mumble something about security, even if they can't give specific details about cookies and phishing and how that all works.
It's possible I'm being unreasonable here, but I don't think I am. This isn't knowledge that takes attending W3C meetings about web browser standards to come across. Regardless of whether I am or not, though, everyone who's come across this thread should now know that UGC goes on its own domain, even if they can't give the details as to why.
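To make the cookie angle concrete, here's a rough sketch (not anyone's actual implementation, and the hostnames are just placeholders) of the RFC 6265 domain-match rule, which is why a cookie scoped to an apex domain is visible to every user-controlled subdomain unless browsers are told, via the PSL, to treat those subdomains as separate sites:

    # Rough sketch of RFC 6265 "domain-match" (section 5.1.3), ignoring
    # IP-address hosts; hostnames below are placeholders.
    def domain_match(request_host: str, cookie_domain: str) -> bool:
        request_host = request_host.lower().rstrip(".")
        cookie_domain = cookie_domain.lower().lstrip(".")
        return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

    # A session cookie set with Domain=statichost.eu by the main site...
    cookie_domain = "statichost.eu"

    # ...is also sent to every user-controlled subdomain:
    for host in ("www.statichost.eu", "evil.statichost.eu"):
        print(host, domain_match(host, cookie_domain))  # both print True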
I agree this isn't knowledge that takes a lot. The problem is that these companies don't explain why they do what they do; in fact, a lot of security work along these lines has historically been tight-lipped, secrecy-bound stuff. You can wonder, but the answer isn't out there unless you know an insider willing to break a broadly worded NDA (not going to happen, and some are quite broad).
The idea of segmenting certain types of traffic onto different domains isn't that new. For example, segmenting mail servers into subdomains by stream type (marketing vs. transactional) was being done as far back as 2010, but it wasn't explained in whitepapers until around 2016 or 2017, by which point there was already irrefutable evidence that reputational systems had been put in place and that their rules damaged people running small email servers, who were illegitimately blocked from delivery for years with no recourse or disclosure, just imposed cost.
Once the whitepapers were published, professionals got on board, because they specified what the providers were looking for and how it should function. Basic engineering stuff that the people who manage and build these systems need to know in order to interoperate.
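To make that concrete, a hypothetical split looks like one subdomain per mail stream, each publishing its own SPF and DMARC policy so reputation (and breakage) stays scoped to that stream; a quick check with dnspython, using placeholder hostnames, might look like:

    # Hypothetical illustration: transactional vs. marketing mail on separate
    # subdomains, each with its own SPF and DMARC records (placeholder names).
    import dns.resolver

    for host in ("mail.example.com", "news.example.com"):
        for name in (host, f"_dmarc.{host}"):
            try:
                for rdata in dns.resolver.resolve(name, "TXT"):
                    txt = b"".join(rdata.strings).decode()
                    if txt.startswith(("v=spf1", "v=DMARC1")):
                        print(f"{name}: {txt}")
            except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
                print(f"{name}: no TXT record published")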
These things need professional outreach that standardizes them in some form or another; that's not a one-off blog post, imo, and it must fully specify function, requirements, feedback mechanisms, and expectations of how it's supposed to work. Basic engineering stuff.
The PSL is just the same thing all over again. Big Tech silently starts doing something that directly imposes cost on others, and they don't say what they are doing. Then, when it becomes too costly, they try to offload it to others by calling for support; but if they only go halfway, in a blog post buried in noise, they are only looking for plausible deniability.
The benefit of doing it this way lies in the anti-competitive behavior it enables.
Incidentally, while separating email streams onto subdomains has been standard practice for a while now, these companies recently changed the reputational weights again, and they aren't talking. Now it's the whole domain acting as a single reputational namespace, not just breakage at the subdomain (bb.aa.com.). No outreach on that as far as I've seen.
There are ways to do things correctly, and then there are ways to do things anti-competitively and coercively. The incentives, matched to the outcomes, point to which one this happens to be.
How you do something is more important than that you did something in these cases.
If you as a company don't do professional outreach about such changes or standards, and you arbitrarily choose to require something that isn't properly disclosed, punishing everyone who hasn't received disclosure, then in my mind that is a fair and reasonable case for either gross negligence (as general intent, to prove malice) or tortious interference with third-party companies' businesses.
The question you mentioned about asking in an interview (iirc) was actually asked at an Ignite interview, but it was cut from the recordings later, and the answer was that they can't talk about what other departments are doing. They may have followed up on that elsewhere, but I never saw anything related to it.
It is critically important to know why things are structured a certain way, or why they happen, in order to be able to interoperate. This is well known and has been repeated many times since the adoption of OSI and TCP/IP in the 80s/90s with regard to the interoperability of systems.
Blindly copying what others do is a recipe for disaster and isn't justifiable in terms of cost, and competent professionals don't roll the dice like that on large projects of that caliber of expense.
This stuff isn't straightforward either: knowing where the reputational namespace stops, what the ramp-up rate (dm/dt) is for the volume metrics used to warm up a server at each provider, and the objective indicators of when you've gone above that arbitrarily designed rate (hint: non-deterministic hidden states). If it takes an insider who knows a month to warm a new server up perfectly without reputational consequences, that's extra cost imposed on the company by that platform (which you are competing against for email services).
No disclosure means starting over every time, guessing at what they are doing, and then having breakage later when they change things.
> reddit...
A lot of professionals no longer use reddit because it's a bot-filled echo chamber that wastes valuable time.
Moderators there regularly remove posts for simple disagreement, over conflicts of interest, or to remove access to detailed solutions or methodology.
For an example of all that's wrong there, look at the CodingBootCamp subreddit. There's a moderator there who has, in all probability, been using a bot to destroy a competitor's reputation and harass them for years, attacking the owners and execs and going so far as to harass and stalk their children, all while violating the Moderator Code of Conduct. Crazy and toxic stuff.
---
You can't ever meet professional standards if you don't communicate or properly disclose interop requirements when complex systems are involved.
"Google does good thing, therefore Google has too much power over the internet" is not a convincing point to make.
This safety feature saves a nontrivial number of people from life-changing mistakes. Yes, we publishers have to take extra care. It's hard to see a negative here.
I respectfully disagree with your premise. In this specific case, yes, "Google does good thing" in a sense. That is not why I'm saying Google has too much power. "Too much" is relative, and whether they do good or bad is debatable, of course, but it's hard to argue that they don't have a gigantic influence on the whole internet, no? :)
Helping people avoid potentially devastating mistakes is of course a good thing.
What point are you trying to make here? You hosted phishing sites on your primary domain, which was then flagged as unsafe. You chose not to use the tools that would have marked those sites as belonging to individual users, and the system worked as designed.
Please note that this tool (PSL) is not available until you have a significant user base. Which probably means a significant amount of spam as well.
Where'd you see/hear that? It hasn't been my experience at least - but maybe I've just been lucky or undercounting the sites.
There are required steps to follow but none are "have x users" or "see a lot of spam". It's mostly "follow proper DNS steps and guidelines in the given format" with a little "show you're doing this for the intended reason rather than to circumvent something the PSL is not meant for/for something the public can't get to anyways" (e.g. tricking rate limits, internal only or single user personal sites) added on top.
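(If I'm remembering the current process correctly, one of those DNS steps is publishing a "_psl" TXT record on the domain that points at your pull request; a quick dnspython check like this, with a placeholder domain, confirms it's resolvable before the maintainers look at it:)

    # Sanity check (placeholder domain) that the _psl TXT record described in
    # the PSL submission guidelines is published and resolvable.
    import dns.resolver

    domain = "statichost.eu"  # placeholder; use the domain from your PR
    try:
        for rdata in dns.resolver.resolve(f"_psl.{domain}", "TXT"):
            print(b"".join(rdata.strings).decode())  # should print the PR URL
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        print("no _psl record found yet")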
https://github.com/publicsuffix/list/wiki/Guidelines#validat...
"Projects that are smaller in scale or are temporary or seasonal in nature will likely be declined. Examples of this might be private-use, sandbox, test, lab, beta, or other exploratory nature changes or requests. It should be expected that despite whatever site or service referred a requestor to seek addition of their domain(s) to the list, projects not serving more then thousands of users are quite likely to be declined."
Maybe the rules have changed, or maybe you were lucky? :)
Ah yeah, looks like it was added in 2022 https://github.com/publicsuffix/list/wiki/Guidelines/_compar...
Thanks for the note!
You're not wrong. You just picked a poor example which illustrates the opposite of the point you're making.
Fair enough! :)
> but it's hard to argue that they don't have a gigantic influence on the whole internet, no? :)
Then don't relate this to safe browsing. What is the connection?
You could have just written a one-liner: Google has too much power. That has nothing to do with Safe Browsing.
In fact, you could just as well write:
- The USA/China/EU etc. has too much power.
You use the word "relative" in another reply. In the same way, my employer has relatively too much power.
Is it? Companies like Google coddle users instead of teaching them how to browse smarter and detect phishing for themselves. Google wants people to stay ignorant so that it can be the one squeezing them for money instead of the phishers.
How does Google get money out of people in that case? As a corporation, Google contributes greatly to the education sector and also profits greatly from it, so it seems pro-education to me, merely making the best of a bad situation. But I'd love to hear how Google extracts money, in some secret way I haven't considered, from the people it has protected from phishing schemes. I do happen to have Google stock in my portfolio, so maybe that indicts my entire comment for you.
This is a fine mentality when it takes a certain amount of "Internet street smarts" (a term used in the article) to access the internet - at least beyond AOL etc.
But over half of the world has internet access, mostly via Chrome (largely via Android inclusion). At least some frontline protection (that can be turned off) is warranted when you need to cater to at least the millions of people who just started accessing the internet today, and the billions who don't/can't/won't put the effort in to learn those "Internet street smarts".
How does flagging a domain that was actively hosting phishing sites demonstrate that Google has too much power? They do, but this is a terrible example, undermining any point you are trying to make.
The thing about Google is that they regularly get this stuff wrong, and there is no recourse when they do.
I think most people working in tech know the extent to which Google can screw over a business when they make a mistake, but the gravity of the situation becomes much clearer when it actually happens to you.
This time it's a phishing website, but what if the same happens five years down the line because of an unflattering page about a megalomaniac US politician?
Then that would be an example of a system having failed and one that needs to change. Instead, this is an example of a hosting company complaining about the consequences of skipping some of the basic, well-documented safety and security practices that help to isolate domains for all sorts of reasons, from reputation to little things like user cookies.
This article shows an example of this process working as intended though.
The user's site was hosting phishing material. Google showed the site owner what was wrong, provided concrete steps to remedy the situation, and removed the warning within a few hours of being notified that it was resolved.
Google's support sucks in other ways, but this particular example went very smoothly.
> Oh my god, my site was unavailable for 7 hours because I hosted phishing!
Won't someone please think of the website operator?
Maybe "Google can have a large impact" is a more accurate way of putting it than "power".
There are two aspects to the Internet: the technical and the social.
In the social, there is always someone with most of the power (distributed power is an unstable equilibrium), and it's incumbent upon us, the web developers, to know the current status quo.
Back in the day, if you weren't testing on IE6 you weren't serving a critical mass of your potential users. Nowadays, the nameplates have changed but the same principles hold.
The social side wasn't always dominated by a single power; that only began with the later social networks, not the early ones. And now people are retreating to smaller communities anyway.
Testing on IE6 wasn't the requirement; testing on all browsers was. IE shipped by default on Windows and basically forced its way into the browser conversation as an incomplete browser.
I don't mean social as in social network. I mean that people have always been a key aspect of the technology and of how it practically works.
Yes, yes, IE6 shipped by default on Windows. And therefore, if you wanted a website that worked, you tested against IE6. Otherwise people would try to use your website, it wouldn't work, and they wouldn't blame the browser; they would blame your website.
Those social aspects introduce a bunch of not necessarily written rules that you just have to know and learn as you develop for the web.
> Google has too much power over the internet.
In this case they did use it for a good cause. And, yes, you could have prevented the whole thing from happening if you cared about your customers.
Exactly.
> Second, they should be using the public suffix list (https://publicsuffix.org/) to avoid having their entire domain tagged.
NO, Google should be "mindful" (I know companies are not people but w/e) of the power it unfortunately has. Also, Cloudflare. All my homies hate Cloudflare.
It is mindful.
... by using the agreed-upon tool for tracking domains that treat themselves as TLDs for third-party content: the public suffix list. Microsoft Edge and Firefox also use the PSL, and their mechanisms for protecting users would be similarly inclined to assume that attacks served from statichost.eu came from the owners of that domain, not from some third party that happened to independently control foo.statichost.eu.
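For anyone curious what that looks like mechanically, here's a rough sketch using the tldextract library, which bundles/fetches the public suffix list; option and attribute names are as I recall them from its documentation, so treat this as illustrative rather than authoritative, and note that statichost.eu is shown as it stood before its PSL entry landed:

    # Sketch of how PSL-aware software decides "site" boundaries, using
    # tldextract (names as I recall them; illustrative, not authoritative).
    import tldextract

    # Include the PSL's "private" section, where entries like github.io live.
    extract = tldextract.TLDExtract(include_psl_private_domains=True)

    # github.io is on the PSL, so every user gets their own registrable domain:
    print(extract("alice.github.io").registered_domain)  # alice.github.io

    # A host whose parent is NOT on the PSL collapses to that parent, so
    # phishing on one subdomain reflects on the whole domain's reputation:
    print(extract("evil-login.statichost.eu").registered_domain)  # statichost.eu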