Has this impacted your self hosted instances of Immich? Are you hosting Immich via subdomain?
Related:
Google, protecting you from privacy
Google flags Immich sites as dangerous
Submitted 1 day ago by rustyredox@lemmy.world to selfhosted@lemmy.world
https://immich.app/blog/google-flags-immich-as-dangerous
Comments
aarch0x40@lemmy.world 1 day ago
InnerScientist@lemmy.world 1 day ago
Google protecting Google from FOSS.
They’re right too, after using Immich I don’t want to go back.
witten@lemmy.world 1 day ago
Also protecting you from the East Wing of the White House.
MrSulu@lemmy.ml 10 hours ago
Deadly to their margins by 0.000000000000000000000000000000000001%
wesker@lemmy.sdf.org 1 day ago
Google
I have identified the problem.
ramenshaman@lemmy.world 1 day ago
I smell fear.
Vex_Detrause@lemmy.ca 8 hours ago
I knew it was too good to be true when they give away free pic storage for their pixel phones. I just didn’t listen to my gut.
Dirk@lemmy.ml 1 day ago
The URLs mentioned in their blog article all have a wrong certificate (different host name).
I am sure if they fix it Google’s system would reclassify the sites as safe.
porcoesphino@mander.xyz 1 day ago
I think that marking things as “safe” could have more complications than this depending on their definition but I think you’re right that’s probably all this issue is. This is almost the only sane comment here. Everyone else seems to be frothing at the mouth and I’m guessing its a decent mix of not understanding much of how these systems work (and blindly running tutorials for those that do self host) and blind ideology (big companies are bad / any practice that restricts my personal freedom in any way is bad)
Rooty@lemmy.world 3 hours ago
any practice that restricts my personal freedom in any way is bad
Yes? I don’t want to live in a world where giant companies decide what I can and cannot see. And big companies are bad, they act as pseudo governments that aren’t accountable to anyone, we used to break them apart before they started buying up politicians and political power.
anyhow2503@lemmy.world 21 hours ago
I don’t blame people for thinking that something is off after reading the linked blog post. This wouldn’t be the first time Google does something like this to OSS that poses some kind of potential threat to their business model (this is also mentioned in the post).
RheumatoidArthritis@mander.xyz 20 hours ago
Yeah, sure, 5 years after google flagged one of the sites i hosted, some firewalls (including isp-level blocks) mark the domain as unsafe. Google removed the block after more than a week but the stink continues until today.
It was also a development domain and we were forced to change it.
Meron35@lemmy.world 1 day ago
Immich users flag Google sites as dangerous
cyberpunk007@lemmy.ca 1 day ago
Stock using google. Don’t you know their motto? “Be evil”
Appoxo@lemmy.dbzer0.com 15 hours ago
OP is inpacted by Google SafeBrowsing which various websites use.
mic_check_one_two@lemmy.dbzer0.com 20 hours ago
Easier said than done, if your end users run Chrome. Because Chrome will automatically block your site if you’re on double secret probation.
The phishing flag usually happens because you have the Username, Password, Log In, and SSO button all on the same screen. Google wants you to have the Username field, the Log In button, and any SSO stuff on one page. Then if you input a username and go to start a password login, Google expects the SSO to disappear and be replaced by the vanilla Log In button. If you simply have all of the fields and buttons on one page, Google flags it as a phishing attempt. Like I guess they expect you to try and steal users’ Google passwords if you have a password field on the same page as a “Sign in with Google” button.
Appoxo@lemmy.dbzer0.com 15 hours ago
Firefox ingests Google SafeBrowsing lists.
If you are falsely flagged as phishing (like I was), then you are fucked regardless of what you use (except you use curl).I couldnt even bypass the safebrowse warning on my Android phone in Firefox.
FreedomAdvocate@lemmy.net.au 1 day ago
Why are the immich teams internal deployments available to anyone on the open web? If you go to one of their links, like they provide in the article, they have an invalid SSL certificate, which google rightly flags as being a security risk, warns you about it, and stops you from going there without manual intervention. This is standard behaviour and no-one should want google to stop doing this.
I was going to install linux on an old NUC to run immich some time soon, but think I might have to have a look to see if it has been audited by some legit security companies first. How do they not see this issue of their own doing?
chaospatterns@lemmy.world 1 day ago
It is for pull requests. A user makes a change to the documentation, they want to be able to see the changes on a web page.
If you don’t have them on the open web, developers can’t see the previews.
The issue they had was being marked as phishing, not the SSL certificate warning page.
Nibodhika@lemmy.world 22 hours ago
It is for pull requests. A user makes a change to the documentation, they want to be able to see the changes on a web page.
So? What that has to do with SSL certificates? Do you think GitHub loses SSL when viewing PRs?
If you don’t have them on the open web, developers and pull request authors can’t see the previews.
You can have them in the open, but without SSL you can’t be sure what you’re accessing, i.e. it’s trivial to make a malicious site to take it’s place an MitM whoever tries to access the real one.
The issue they had was being marked as phishing, not the SSL certificate warning page.
Yes, a website without SSL is very likely a phishing attack, it means someone might be impersonating the real website and so it shouldn’t be trusted. Even if by a fluke of chance you hit the right site, all of your communication with it is unencrypted, so anyone in the path can see it clearly.
FreedomAdvocate@lemmy.net.au 1 day ago
The issue they had was being marked as phishing, not the SSL certificate warning page.
Have you seen what browsers say when you have a look at the SSL certificate warning page?
It is for pull requests. A user makes a change to the documentation, they want to be able to see the changes on a web page.
Why is a user made PR publishing a branch to Immich’s domain for the user to see?
cyberpunk007@lemmy.ca 1 day ago
You could just host it inside your network and do an always on VPN. That’s what I do.
RheumatoidArthritis@mander.xyz 22 hours ago
Now imagine you’re running a successful open source project developed in the open, where it’s expected that people outside your core team review and comment on changes.
chaospatterns@lemmy.world 1 day ago
How would that work? The use case is for previews for pull requests. Somebody submits a change to the website. This creates a preview domain that reviewers and authors can see their proposed changes in a clean environment.
CloudFlare pages gives this behavior out of the box.
Darkcoffee@sh.itjust.works 1 day ago
They’ve also started warning against android apps from outside repos. Basically they want to force people to use their ai-filled bullshit apps.
Appoxo@lemmy.dbzer0.com 15 hours ago
Was also flagged recently.
In my case it was the root domain which is- Geofiltered to only my own Country in Cloudflare
- Geofiltered to only my country in my firewall
- Protected by Authelia (except the root domain which says 404 when accessing)
So…IDK what they want from me :p
FreedomAdvocate@lemmy.net.au 7 hours ago
Is it available for the public to get to? Yes, so that’s why.
makingStuffForFun@lemmy.ml 1 day ago
Google marks half the apps on my phone as dangerous. Google are evil xxxxxx’s
cupcakezealot@piefed.blahaj.zone 1 day ago
ripcord@lemmy.world 1 day ago
Lifewolf has Google “safe browsing” to disable…? Google?
cupcakezealot@piefed.blahaj.zone 1 day ago
firefox has google safe browser api protection; librewolf disables it by default under librewolf settings.
https://support.mozilla.org/en-US/kb/safe-browsing-firefox-focus
N0x0n@lemmy.ml 23 hours ago
Thanks for sharing this nice blocklist :)
WhyJiffie@sh.itjust.works 1 day ago
jellyfin had a similar issue too for a long time for servers exposed to the internet. google would always reblock the domains soon after unblocking them. I think they solved it in the latest update. Basically it’s that google’s scraping bots think that all jellyfin servers are a scam that imitate a “real” website.
01189998819991197253@infosec.pub 1 day ago
But the malvertisements on Google’s front page are ok, I guess
MalReynolds@piefed.social 19 hours ago
What is the usecase for exposing jellyfin to the outernet anyway ?
WhyJiffie@sh.itjust.works 10 hours ago
watching it remotely, like at friends. even if you can access it on your phone through VPN, the smart TV won’t be able to use it
Appoxo@lemmy.dbzer0.com 15 hours ago
What’s the usecase for Netflix? Same case.
A_norny_mousse@feddit.org 1 day ago
Same when you try to deviate from the approved path of email providers or, dog forbid, even self-host email.
This is why I always switch off that “block potentially dangerous sites” setting in my browser - it always means Google’s blacklists. This is how Google influences the web beyond its own products.
possiblylinux127@lemmy.zip 1 day ago
I wouldn’t recommend turning off safe browsing
If a page is blocked it is very easy to bypass. However, the warning page will make you take a step back.
hexagonwin@lemmy.sdf.org 1 day ago
just use ublock origin and a proper password manager. google safe browsing means google sees what sites you browse.
ripcord@lemmy.world 1 day ago
This is why I always don’t use Chrome or Google Search
NewNewAugustEast@lemmy.zip 1 day ago
Fuck you google. I can’t see youtube videos with my browser because google wants me to sign in. Tells me it is protecting the community.
BULLSHIT.
Because google doesnt make me sign in to view or edit someone elses google docs they are sharing. Which one is more important google? Assholes.
FreedomAdvocate@lemmy.net.au 1 day ago
I can’t see youtube videos with my browser because google wants me to sign in. Tells me it is protecting the community.
I’m guessing the videos are age restricted 18+ videos? You don’t have to be signed in to watch any other videos.
asbestos@lemmy.world 23 hours ago
Nope, sometimes it asks for normal videos as well, it really depends on the case since there’s a lot of background stuff happening, making the experience vary between users.
ITGuyLevi@programming.dev 1 day ago
I got a ‘dangerous site’ warning and then prompts for crap on my Vaultwarden instance (didn’t see it on Immich but this was a while ago). I think I had to prove I owned the domain with some DNS TXT records then let them “recheck” the domain. It seems to have worked.
oneser@lemmy.zip 1 day ago
Similar issues were reported with aves libre early this week, maybe it’s related?
artyom@piefed.social 1 day ago
From the OP:
Google Safe Browsing looks to be have been built without consideration for open-source or self-hosted software. Many popular projects have run into similar issues, such as:
Jellyfin
YunoHost
n8n
NextCloud
phoenixz@lemmy.ca 1 day ago
I’m sure it’s all accidental and coincidental that open source project that rival Google just weirdly got flagged as being dangerous. Google also doesn’t know how this happened, it just did! Magic!
lambalicious@lemmy.sdf.org 1 day ago
Google flags F-Droid updates…
Why would people have Google security going on if they have set up F-Droid as their appstore? Doesn’t that defeat the entire purpose?
Mika@piefed.ca 1 day ago
Like I understand that if I buy a phone from Apple, and they control everything on the phone and what I can install - well I mean I bought it from Apple, what else did I expect?
But I didn't buy my phone from Google. They should have no say in what I could or couldn't install.
FreedomAdvocate@lemmy.net.au 1 day ago
But I didn’t buy my phone from Google. They should have no say in what I could or couldn’t install.
You bought a phone running a Google operating system, knowingly so. This one is on you buddy.
ripcord@lemmy.world 1 day ago
I mean, I don’t think it matters if you bought the phone from Google or not (and you could have). Samsung or Motorola or whoever shouldn’t have any say either.
Dave@lemmy.nz 1 day ago
Well according to the OP, it’s a list they offer for free and it’s integrated with many browsers including Firefox…
possiblylinux127@lemmy.zip 1 day ago
Hopefully your Immich server isn’t public facing…
spaghettiwestern@sh.itjust.works 1 day ago
Google Safe Browsing looks to be have been built without consideration for open-source or self-hosted software.
IMO this has nothing to do with user safety. The harder they make it to move away from their products by making using alternatives difficult, the more money they make. Even if this only adds a fraction of a fraction of a percent to their profit it’s something they will do. The old implied social contract of businesses providing value to the community as a whole in addition to making a profit is long gone.
Onomatopoeia@lemmy.cafe 1 day ago
Google has always been evil. Why else was their byline “Don’t be evil”?
If you have to make such a disclaimer…
umbrella@lemmy.ml 4 hours ago
Google is dangerous.