Author here. What kind of security negligence are you referring to? What would be a specific attack vector that I left open?

Regarding the PSL - and I can't believe I'm writing this again: you cannot get on there before your service is big enough and "the request authentically merits such widespread inclusion"[1]. So it's kind of a chicken and egg situation.

Regarding the best practice of hosting user content on a separate domain: this has basically two implications: 1. Cookie scope of my own assets (e.g. dashboard), which one should limit in any case and which I'm of course doing. So this is not an issue. 2. Blacklisting, which is what all of this has been about. I did pay the price here. This has nothing to do with security, though.

I'm sorry to be so frank, but you don't know anything about me or my security practices and your claim of negligence is extremely unfounded.

[1] https://github.com/publicsuffix/list/wiki/Guidelines#validat...
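The cookie-scope point in the reply above (item 1: own assets such as a dashboard should not set cookies that a user-content subdomain can receive) is easy to reason about with a small model of how browsers scope cookies. The following is an added example, not code from either commenter or from the PSL project; it models RFC 6265 host-only versus Domain= cookies and the rule that a Domain attribute equal to a public suffix is rejected. The suffix list, the host names and the header strings are constructed for the example.

```python
# Added example (not part of the original discussion): a minimal model of
# RFC 6265 cookie scoping, used to check which hosts a cookie is sent back to.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Public Suffix List; browsers use the full list.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


@dataclass
class Cookie:
    name: str
    value: str
    request_host: str                   # host whose response carried Set-Cookie
    domain_attr: Optional[str] = None   # Domain= attribute, None means host-only


def is_public_suffix(domain: str) -> bool:
    return domain.lower().strip(".") in PUBLIC_SUFFIXES


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching: equal, or host is a subdomain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Parse a Set-Cookie header the way a browser stores it; None if rejected."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val:
            domain_attr = val.strip().lower().lstrip(".")
    if domain_attr is not None:
        # Rejected: a Domain that is a public suffix would be shared with every
        # unrelated site under it, and a Domain that does not cover the
        # responding host is not the host's to set.
        if is_public_suffix(domain_attr) or not domain_matches(request_host, domain_attr):
            return None
    return Cookie(name, value, request_host, domain_attr)


def cookie_sent_to(cookie: Cookie, host: str) -> bool:
    """Host-only cookies return only to the exact host; Domain cookies to any
    host that domain-matches the attribute (including sibling subdomains)."""
    if cookie.domain_attr is None:
        return host.lower() == cookie.request_host.lower()
    return domain_matches(host, cookie.domain_attr)


def scope_report(header: str, request_host: str, other_host: str) -> Optional[bool]:
    """Convenience check: would a cookie set by request_host reach other_host?"""
    cookie = parse_set_cookie(header, request_host)
    return None if cookie is None else cookie_sent_to(cookie, other_host)


if __name__ == "__main__":
    dashboard = "dashboard.example.com"      # constructed: the operator's own asset
    user_site = "user1.example.com"          # constructed: user-hosted content
    # Host-only session cookie: stays on the dashboard host.
    print(scope_report("session=abc; Secure; HttpOnly", dashboard, user_site))   # False
    # Same cookie widened with Domain=: now also sent to the user-content host.
    print(scope_report("session=abc; Domain=example.com", dashboard, user_site))  # True
    # Domain set to a public suffix: browser drops the cookie entirely.
    print(scope_report("session=abc; Domain=com", dashboard, user_site))          # None
```

The comparison between the first two calls is the whole of the cookie-scope concern: omitting the Domain attribute (a host-only cookie) keeps the dashboard session off sibling subdomains regardless of what the PSL says about the parent domain, which is the limiting the reply refers to. The third call shows the only place the PSL itself enters cookie handling.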

Eric, I think it appropriate to mention, and I'd like to point out the lack of any real documentation (reaching a professional level) related to PSL on the professional working groups touching on these things (i.e. M3AAWG).

There are only two blog posts on M3AAWG in 2023 where it had been used silently (apparently for years), but was calling for support. I would think if it were an industry recognized initiative it would have the appropriate documents/whitepapers published on it in the industry working group tasked with these things. These people are supposed to be engineers after all. AFAIK this hasn't happened aside from a brief after-action with requests for support, which is highly problematic.

When there is no professional outreach (via working group or trade group), it's really hard to say that this isn't just gross negligence on Google's part. M3AAWG has hundreds if not thousands of whitepapers, each hundreds of pages. A single blog post or two that mention it insufficiently won't rationally negate this claim supporting gross negligence.

Why do I mention gross negligence? When coupled with loss, it is sufficient in many cases to support a finding of 'malice' without specific intent (i.e. general intent), especially when such an entity has little/no credibility, but is overshadowed by power/authority that is undeserved. Deceitful people that reasonably should know the consequences will go bad often purposefully structure towards general intent to avoid legal complications, and the legal system has evolved. I am not a lawyer, but this paraphrase about gross negligence/general intent/malice did come from a lawyer; it's not meant or intended for use as legal advice in paraphrase form, so the standard IANAL disclaimer applies. If that is needed, consult a qualified professional for a specific distinction on this.

The company is more than technically capable of narrowly defining blacklists and providing due process and appropriate noticing requirements.

The situation begs questions of tortious interference, and whether the PSL is being used as an anti-competitive mechanistic moat to prevent competitors from entering the market by imposing additional cost arbitrarily on competitors that is asymmetric to the costs such companies have with competing services (as oligopoly/monopoly).