from Hacker News

Google flags Immich sites as dangerous

by janpio on 10/22/25, 8:53 PM with 656 comments

  • by arccy on 10/22/25, 11:30 PM

    If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
  • by mads_quist on 10/23/25, 6:27 AM

    Never host your test environments as subdomains of your actual production domain. You'll also run into email reputation as well as cookie hell. You can get a lot of cookies from the production env if not managed well.
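    The two points above (arccy's Public Suffix List and mads_quist's cookie leakage between subdomains) hinge on the same computation: where the registrable domain boundary sits for a hostname. The following added example, which is not the Immich project's code or anything from the thread, implements the PSL matching algorithm over a constructed excerpt of the list (plain, wildcard and exception rules) and then applies the public-suffix check browsers run on a cookie's Domain attribute. The rule snippet is illustrative; a real deployment loads the full file from publicsuffix.org.

    ```python
    """Registrable-domain lookup over a Public Suffix List excerpt, plus the
    cookie Domain check that depends on it. Added example; the rules below are
    a constructed excerpt, not the real list (https://publicsuffix.org/list/)."""

    # Constructed excerpt in the list's own syntax: comments, plain rules,
    # a wildcard rule, an exception rule, and two "private" section entries.
    PSL_SNIPPET = """
    // ===BEGIN ICANN DOMAINS===
    com
    net
    uk
    co.uk
    jp
    *.kawasaki.jp
    !city.kawasaki.jp
    // ===BEGIN PRIVATE DOMAINS===
    github.io
    cloudfront.net
    """


    def parse_psl(text):
        rules, exceptions = set(), set()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("//"):
                continue
            if line.startswith("!"):
                exceptions.add(line[1:])
            else:
                rules.add(line)
        return rules, exceptions


    def public_suffix(host, rules, exceptions):
        """Longest matching rule wins; an exception rule overrides a wildcard.
        A host matching no rule gets the implicit one-label '*' rule."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            wildcard = ".".join(["*"] + labels[i + 1:])
            if cand in exceptions:
                # exception: the suffix is everything after the rule's first label
                return ".".join(labels[i + 1:])
            if cand in rules or wildcard in rules:
                return cand
        return labels[-1]


    def registrable_domain(host, rules, exceptions):
        """The eTLD+1, or None if the host itself is a public suffix."""
        labels = host.lower().rstrip(".").split(".")
        n = len(public_suffix(host, rules, exceptions).split("."))
        if len(labels) <= n:
            return None
        return ".".join(labels[-(n + 1):])


    def cookie_domain_allowed(request_host, cookie_domain, rules, exceptions):
        """RFC 6265 domain-matching plus the public-suffix rejection browsers
        apply: without it one site under github.io could set cookies for all."""
        d = cookie_domain.lower().lstrip(".")
        h = request_host.lower()
        if not (h == d or h.endswith("." + d)):
            return False
        return registrable_domain(d, rules, exceptions) is not None


    def demo():
        rules, exceptions = parse_psl(PSL_SNIPPET)
        hosts = ["pr-123.preview.internal.immich.cloud", "alice.github.io",
                 "github.io", "www.city.kawasaki.jp", "foo.bar.kawasaki.jp"]
        return {h: registrable_domain(h, rules, exceptions) for h in hosts}


    if __name__ == "__main__":
        for host, reg in demo().items():
            print(f"{host:40s} -> {reg}")
    ```

    With `github.io` on the list, `alice.github.io` and `bob.github.io` are two different registrable domains; without an entry, `pr-123.preview.internal.immich.cloud` collapses to `immich.cloud`, which is the grouping the thread is complaining about. The same function is why a cookie set from `staging.example.com` with `Domain=example.com` reaches production: the boundary is `example.com`, not the staging host.
    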
  • by dmoreno on 10/23/25, 8:34 AM

    Happened to me last week. One morning we wake up and the whole company website does not work.

    No notice with some time to fix any possible problem, just blocked.

    We gave a very bad image to our clients and users, and had to give explanations of a false positive from Google's detection.

    The culprit, according to google search console, was a double redirect on our web email domain (/ -> inbox -> login).

    After just moving the webmail to another domain, removing one of the redirections just in case, and asking politely 4 times to be unblocked.. it took about 12 hours. And no real recourse, feedback or anything about when it's going to be solved. And no responsibility.

    The worst is the feeling of not being in control of your own business, and depending on a third party which is not related at all to us, which made a huge mistake, to let our clients use our platform.

  • by jdsully on 10/23/25, 1:39 AM

    The one thing I never understood about these warnings is how they don't run afoul of libel laws. They are directly calling you a scammer and "attacker". The same for Microsoft with their unknown executables.

    They used to be more generic, saying "We don't know if it's safe", but now they are quite assertive at stating you are indeed an attacker.

  • by kevinsundar on 10/22/25, 11:07 PM

    This may not be a huge issue depending on mitigating controls but are they saying that anyone can submit a PR (containing anything) to Immich, tag the pr with `preview` and have the contents of that PR hosted on https://pr-<num>.preview.internal.immich.cloud?

    Doesn't that effectively let anyone host anything there?

  • by heavyset_go on 10/23/25, 1:25 AM

    Insane that one company can dictate what websites you're allowed to visit. Telling you what apps you can run wasn't far enough.
  • by zackify on 10/23/25, 3:54 AM

    The open internet is done. Monopolies control everything.

    We have an iOS app in the store for 3 years and out of the blue apple is demanding we provide new licenses that don’t exist and threaten to kick our app out. Nothing changed in 3 years.

    Getting sick of these companies able to have this level of control over everything, you can’t even self host anymore apparently.

  • by gomox on 10/23/25, 4:45 AM

    Story of when it happened to my company: https://news.ycombinator.com/item?id=25802366
  • by david_van_loon on 10/23/25, 2:50 AM

    I'm fighting this right now on my own domain. Google marked my family Immich instance as dangerous, essentially blocking access from Chrome to all services hosted on the same domain.

    I know that I can bypass the warning, but the photo album I sent to my mother-in-law is now effectively inaccessible.

  • by NelsonMinar on 10/22/25, 11:29 PM

    Be sure to see the team's whole list of Cursed Knowledge. https://immich.app/cursed-knowledge
  • by trollbridge on 10/22/25, 11:47 PM

    A friend / client of mine used some kind of WordPress type of hosting service with a simple redirect. The host got on the bad sites list.

    This also polluted their own domain, even when the redirect was removed, and had the odd side effect that Google would no longer accept email from them. We requested a review and passed it, but the email blacklist appears to be permanent. (I already checked and there are no spam problems with the domain.)

    We registered a new domain. Google’s behaviour here incidentally just incentivises bulk registering throwaway domains, which doesn’t make anything any better.

  • by callc on 10/23/25, 5:00 AM

    Us nerds *really* need to come together in creating a publicly owned browser (non chromium)

    Surely among us devs, as we realize app stores increasingly hostile, that the open web is worth fighting for, and that we have the numbers to build solutions?

  • by akersten on 10/23/25, 3:34 AM

    This is #1 on HN for a while now and I suspect it's because many of us are nervous about it happening to us (or have already had our own homelab domains flagged!).

    So is there someone from Google around who can send this along to the right team to ensure whatever heuristic has gone wrong here is fixed for good?

  • by nucleative on 10/23/25, 1:05 PM

    We really need an internet Bill of Rights. Google has too much power to delete your company from existence with no due process or recourse.

    If any company controls some (high) percentage of a particular market, say web browsers, search, or e-commerce, or social media, the public's equal access should start to look more like a right and less like an at-will contract.

    30 years ago, if a shop had a falling out with the landlord, it could move to the next building over and resume business. Now if you annoy eBay, Amazon or Walmart, you're locked out nationwide. If you're an Uber, Lyft, or Doordash (etc) gig worker and their bots decide they don't like you anymore, then sayonara sucker! Your account has been disabled, have a nice day and don't reapply.

    Our regulatory structure and economies of scale encourage consolidation and scale and grant access to this market to these businesses, but we aren't protecting the now powerless individuals and small businesses who are randomly and needlessly tossed out with nobody to answer their pleas of desperation, no explanation of rules broken, and no opportunity to appeal with transparency.

    It's a sorry state of affairs at the moment.

  • by asimpleusecase on 10/23/25, 9:39 AM

    I see a lot of comments here about using some browser that will allow ME to see sites I want to see, but I did not see a lot about how do I protect my site or sites of clients from being subjected to this. Is there anything proactive that can be done? A set of checks almost like regression testing? I understand it can be a bit like virus builders using anti virus to test their next virus. But is there a set of best practices that could give you higher probability of not being blocked?
  • by aetherspawn on 10/23/25, 3:36 AM

    A good takeaway is to separate different domains for different purposes.

    I had prior been tossing up the pros/cons of this (such as teaching the user to accept millions of arbitrary TLDs as official), but I think this article (and other considerations) have solidified it for me.

    For example

    www.contoso.com (public)

    www.contoso.blog (public with user comments)

    contoso.net (internal)

    staging.contoso.dev (dev/zero trust endpoints)

    raging-lemur-a012afb4.contoso.build (snapshots)

  • by bogzz on 10/23/25, 3:08 AM

    The same thing happened to me earlier this year with a self-hosted instance of Umami Analytics.

    https://news.ycombinator.com/item?id=42779544#42783321

    Unironically, including a threat of legal action in my appeal on the Google Search Console was what stopped our instance getting flagged in the end.

  • by akshayKMR on 10/23/25, 3:10 AM

    Maybe a dumb question but what constitutes user-hosted-content?

    Is a notion page, github repo, or google doc that has user submitted content that can be publicly shared also user-hosted?

    IMO Google should not be able to use definitive language "Dangerous website" if its automated process is not definitive/accurate. A false flag can erode customer trust.

  • by sinuhe69 on 10/23/25, 12:26 PM

    >> Unfortunately, Google seems to have the ability to arbitrarily flag any domain and make it immediately unaccessible to users. I'm not sure what, if anything, can be done when this happens, except constantly request another review from the all mighty Google.

    Perhaps a complaint to the ETC for abusing the monopoly and lack of due process to harm legitimate business? Or DG COMP (in the EU).

    Gathering evidence of harm and seeking alliances with other open-source projects could build momentum.

  • by curioussquirrel on 10/23/25, 5:17 AM

    Looking forward to Louis Rossmann's reaction. Wouldn't be surprised if this leads to a lawsuit over monopolistic behavior - this is clearly abusing their dominant position in the browser space to eliminate competitors in photos sharing.
  • by petepete on 10/23/25, 8:55 AM

    I write a couple of libraries for creating GOV.UK services and Google has flagged one of them as dangerous. I've appealed the decision several times but it's like screaming into a void.

    https://govuk-components.netlify.app/

    I use Google Workspace for my company email, so that's the only way for me to get in contact with a human, but they refuse to go off script and won't help me contact the actual department responsible in any way.

    It's now on a proper domain, https://govuk-components.x-govuk.org/ - but other than moving, there's still not much anyone can do if they're incorrectly targeted.

  • by teekert on 10/23/25, 6:57 AM

    Given the scale of Google, and the nerdiness required to run Immich, I bet it's just an accident. Nevertheless, I'm very curious as to how senior Google staff look at Immich. Are they actually registering signals that people use immich-go to empty their Google Photos accounts? Do they see this as something potentially dangerous to their business in the long term?

    The nerdsphere has been buzzing with Immich for some time now (I started using it a month back and it lives up to its reputation!), and I assume a lot of Googlers are in that sphere (but not necessarily pro-Google/anti-Immich of course). So I bet they at least know of it. But do they talk about it?

  • by account42 on 10/24/25, 9:46 AM

    Yes, this is not a new problem: web browsers have taken on the role of internet police, but they only care about their own judgement and don't afford website operators any due process or recourse. And by web browsers I mean Google, because of course everyone just defers to them. "File a complaint with /dev/null" might be how Google operates their own properties, but this should not be acceptable for the web as a whole. Google and those integrating their "solutions" need to be held accountable for the damage they cause.
  • by captnasia on 10/22/25, 10:57 PM

    This seems related to another hosting site that got caught out by this recently:

    https://news.ycombinator.com/item?id=45538760

  • by archon810 on 10/24/25, 8:15 AM

    A similar issue happened to us at APKMirror last week. https://x.com/ArtemR/status/1979428936267501626.

    We still don't know what caused it because it happened to the Cloudflare R2 subdomain, and none of the Search Console verification methods work with R2. It also means it's impossible to request verification.

  • by pkulak on 10/23/25, 5:35 AM

    Can I use this space to comment on how amazing Immich is? I self host lots of stuff, and there’s this one tier above everything else that’s currently, and exclusively, held by Home Assistant and Immich. It is actually _better_ than Google photos (if you keep your db and thumbs on ssd, and run the top model for image search). You give up nothing, and own all your data.
  • by KuSpa on 10/23/25, 2:13 PM

    I wonder when google.com will be flagged with all the phishing happening on sites.google.com.
  • by awill on 10/23/25, 3:26 PM

    I'm sure it was a simple mistake. The fact that Immich competes with Google Photos has nothing to do with it.
  • by aborsy on 10/23/25, 5:25 AM

    Safe Browsing collects a lot of data, such as hashes of URLs (URLs can be easily decoded by comparison) and probably other interactions with web like downloads.

    But how effective is it in malware detection?

    The benefits seem to me dubious. It looks like a feature offered to collect browsing data, useful to maybe 1% in special situations.

  • by dizlexic on 10/23/25, 6:47 AM

    Ran a clickbait site, and got flagged for using a bunch of 302 redirects instead of 301s. Went from almost 500k uniques a month to 1k.

    During the appeal it was reviewed from India, and I had been using geoblocking. This caused my appeal to be denied.

    I ended up deploying to a new domain and starting over.

    Never caught back up.

  • by dpifke on 10/23/25, 4:58 PM

    I had this same problem with my self-hosted Home Assistant deployment, where Google marked the entire domain as phishing because it contains a login page that looks like other self-hosted Home Assistant deployments.

    Fortunately, I expose it to the internet on its own domain despite running through the same reverse proxy as other projects. It would have sucked if this had happened to a domain used for anything else, since the appeal process is completely opaque.

  • by stack_framer on 10/23/25, 3:17 AM

    This happened to one of our documentation sites. My co-workers all saw it before I did, because Brave (my daily driver) wasn't showing it. I'm not sure if Brave is more relaxed in determining when a site is "dangerous" but I was glad not to be seeing it, because it was a false positive.
  • by Animats on 10/22/25, 11:29 PM

    If you block those internal subdomains from search with robots.txt, does Google still whine?
  • by akerl_ on 10/23/25, 12:49 AM

    Tangential to the flagging issue, but is there any documentation on how Immich is doing the PR site generation feature? That seems pretty cool, and I'd be curious to learn more.
  • by asmor on 10/23/25, 4:19 PM

    This can happen to everyone. It happened to Amazon.de's Cloudfront endpoint a week ago. Most people didn't notice because Chrome doesn't look at the intermediate bits in the resolver chain, but DNS providers using Safe Browsing blocked it.

    https://github.com/nextdns/metadata/issues/1425

  • by kazinator on 10/23/25, 8:37 PM

    The .internal.immich.cloud sites do not have matching certs!

    Navigating to https://main.preview.internal.immich.cloud, I'm right away informed by the browser that the connection is not secure due to an issue with the certificate. The problem is that it has the following CN (common name): main.preview.internal.immich.build. The list of alternative names also contains that same domain name. It does not match the site: the certificate's TLD .build is different from the site's .cloud!

    I don't see the same problem on external sites like tiles.immich.cloud. That has a CN=immich.cloud with tiles.immich.cloud as an alternative.
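    The mismatch kazinator describes (a certificate whose CN and SAN name `main.preview.internal.immich.build` served for `main.preview.internal.immich.cloud`) is exactly the check a browser performs before trusting the connection. The added example below is not Immich's code and was not captured from their servers: the two certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, mirroring the names quoted in the comment. The matcher follows the RFC 6125 rules browsers use (SAN first, CN only as a legacy fallback, a wildcard only as the whole leftmost label), and `check_live` shows the equivalent verification against a real host using the standard library.

    ```python
    """Match a server certificate's names against the visited host the way a
    browser does. Added example; the certificate dicts are constructed to
    mirror the names quoted in the thread, not real captures."""
    import socket
    import ssl

    # Constructed: what getpeercert() returns for the two cases in the comment.
    PREVIEW_CERT = {
        "subject": ((("commonName", "main.preview.internal.immich.build"),),),
        "subjectAltName": (("DNS", "main.preview.internal.immich.build"),),
    }
    TILES_CERT = {
        "subject": ((("commonName", "immich.cloud"),),),
        "subjectAltName": (("DNS", "immich.cloud"), ("DNS", "tiles.immich.cloud")),
    }


    def name_matches(pattern, host):
        """Exact match, or '*' as the entire leftmost label of a name with at
        least three labels (so '*.cloud' can never match 'immich.cloud')."""
        pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
        if pattern == host:
            return True
        p_labels, h_labels = pattern.split("."), host.split(".")
        if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
            return False
        return p_labels[1:] == h_labels[1:]


    def cert_names(cert):
        """DNS SANs when present; the CN is consulted only if there is no SAN
        extension at all (current browsers ignore the CN entirely)."""
        sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
        if sans:
            return sans
        return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


    def cert_matches_host(cert, host):
        return any(name_matches(name, host) for name in cert_names(cert))


    def check_live(host, port=443):
        """Network variant: let the default context verify chain and hostname,
        and report the verifier's reason on failure. Not run by the tests."""
        ctx = ssl.create_default_context()
        try:
            with socket.create_connection((host, port), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return True, cert_names(tls.getpeercert())
        except ssl.SSLCertVerificationError as exc:
            return False, str(exc)


    if __name__ == "__main__":
        for cert, host in [(PREVIEW_CERT, "main.preview.internal.immich.cloud"),
                           (TILES_CERT, "tiles.immich.cloud")]:
            print(host, "->", "OK" if cert_matches_host(cert, host) else "MISMATCH",
                  cert_names(cert))
    ```

    Running `check_live("tiles.immich.cloud")` from a machine with network access exercises the same decision against the real endpoint; a hostname mismatch surfaces as an `SSLCertVerificationError` rather than a handshake that silently succeeds.
    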

  • by jakub_g on 10/23/25, 12:16 AM

    Regarding how Google safe browsing actually works under the hood, here is a good writeup from Chromium team:

    https://blog.chromium.org/2021/07/m92-faster-and-more-effici...

    Not sure if this is exactly the scenario from the discussed article but it's interesting to understand it nonetheless.

    TL;DR the browser regularly downloads a dump of color profile fingerprints of known bad websites. Then when you load whatever website, it calculates the color profile fingerprint of it as well, and looks for matches.

    (This could be outdated and there are probably many other signals.)
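    Separately from the visual classifier that writeup covers, the lookup path of Safe Browsing that aborsy refers to elsewhere in this thread (hashed URLs) is publicly documented: the client canonicalises the URL, generates host-suffix and path-prefix combinations, hashes each with SHA-256 and compares 4-byte prefixes against a locally cached list, sending only matching prefixes to the server. The added example below is not Chromium's or Google's code; it implements that expression-generation scheme with a deliberately simplified canonicalisation (lowercased host, fragment dropped) that omits steps the real client performs, such as percent-decoding and IP-literal normalisation. It makes concrete why one flagged `pr-12.preview.internal.immich.cloud/...` expression sits alongside the bare `immich.cloud/` expression for every URL on the domain.

    ```python
    """Candidate expressions and hash prefixes for a Safe Browsing v4-style
    lookup. Added example of the documented host-suffix/path-prefix scheme;
    canonicalisation is simplified relative to the real client."""
    import hashlib
    from urllib.parse import urlsplit


    def canonicalize(url):
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
        path = parts.path or "/"
        return host, path, parts.query               # fragment is discarded


    def host_suffixes(host):
        """The exact host plus up to 4 suffixes, starting from the last 5
        labels and dropping the leading label each time. IP literals get none."""
        labels = host.split(".")
        out = [host]
        if all(label.isdigit() for label in labels):
            return out
        start = max(1, len(labels) - 5)
        for i in range(start, len(labels) - 1):
            out.append(".".join(labels[i:]))
        return out


    def path_prefixes(path, query):
        """Exact path with query, exact path without, then '/' and up to 3
        directory prefixes (trailing slash kept), deduplicated in order."""
        out = []
        if query:
            out.append(path + "?" + query)
        out.append(path)
        segs = [s for s in path.split("/") if s]
        dirs = segs if path.endswith("/") else segs[:-1]
        prefix = "/"
        if prefix not in out:
            out.append(prefix)
        for seg in dirs[:3]:
            prefix += seg + "/"
            if prefix not in out:
                out.append(prefix)
        return out


    def expressions(url):
        host, path, query = canonicalize(url)
        return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


    def hash_prefixes(url, length=4):
        """SHA-256 of each expression, truncated to the prefix length the
        client compares against its local list."""
        return {e: hashlib.sha256(e.encode()).digest()[:length] for e in expressions(url)}


    if __name__ == "__main__":
        url = "https://pr-12.preview.internal.immich.cloud/auth/login?x=1#frag"
        for expr, prefix in hash_prefixes(url).items():
            print(f"{prefix.hex()}  {expr}")
    ```

    Because `immich.cloud/` is among the expressions generated for every URL under the domain, a list entry for that single expression is enough to match all of them; the client never learns which expression the server listed, only that a prefix matched.
    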

  • by maltris on 10/23/25, 8:44 AM

    This is crazy, it happened to the SOGo webmailer, standalone or bundled with the mailcow: dockerized stack as well. They implemented a slight workaround where URLs are being encrypted to avoid pattern detection flagging it as "deceiving".

    There are no responses from Google about this. I had my instance flagged 3 times on 2 different domains including all subdomains, displaying a nice red banner on a representative business website. Cool stuff!

  • by a10c on 10/23/25, 6:57 AM

    Google often marks my homelab domains as dangerous which all point to an A record that is in the private IP space, completely inaccessible to the internet.

    Makes precisely zero sense.

  • by your_challenger on 10/23/25, 2:09 AM

    Them maintaining a page of gotchas is a really cool idea - https://immich.app/cursed-knowledge
  • by almosthere on 10/23/25, 5:41 PM

    This happened to me, I hosted a Wordpress site and it got 0'day'd (this was probably 8 years ago). Google spotted the list of insane pornographic URLs and banned it. You might want to verify nothing is compromised.
  • by boobsbr on 10/23/25, 10:48 AM

    > YAML whitespace is cursed

    YAML itself is cursed: https://ruudvanasseldonk.com/2023/01/11/the-yaml-document-fr...

  • by p0w3n3d on 10/23/25, 9:11 AM

    When the power is concentrated in one pair of hands, those hands will always become the hands of a dictator.
  • by jstrong on 10/23/25, 1:14 AM

    google: we make going to the DMV look delightful by comparison!
  • by scottydelta on 10/23/25, 10:30 AM

    This has been a known thing for quite some time and the only solution is to use a separate domain. This problem has existed for so long that at this point we as users adapt to it rather than still expecting Google to fix this.

    From their perspective, a few false positives over the total number of actual malicious websites blocked is fractional.

  • by gtirloni on 10/23/25, 2:16 AM

    There's a reason GitHub uses github.io for user content.
  • by jrochkind1 on 10/23/25, 5:29 AM

    I am confused if the term "self-hosted" means the same thing to them as it means to me, not sure if I'm following.
  • by ozgrakkurt on 10/23/25, 5:49 AM

    Curious if anyone had an instance where this blocking mechanism saved them. I can’t remember a single instance in last 10 years
  • by yabones on 10/23/25, 1:03 PM

    This is another case where it's highly important to "plant your flag" [1] and set up all those services like Search Console, even if you don't plan to use them. Not only can this sort of thing happen, but bad-guys can find crafty ways of hijacking your search console account if you're not super vigilant.

    Google Postmaster Console [2] is another one everybody should set up on every domain, even if you don't use gmail. And Google Ads, even if you don't run ads.

    I also recommend that people set up Bing search console [3] and some service to monitor DMARC reports.

    It's unfortunate that so much of the internet has coalesced around a few private companies, but it's undeniably important to "keep them happy" to make sure your domain's reputation isn't randomly ruined.

    [1] https://krebsonsecurity.com/2020/08/why-where-you-should-you...

    [2] https://postmaster.google.com/

    [3] https://www.bing.com/webmasters/

  • by donmcronald on 10/22/25, 9:46 PM

    I tried to submit this, but the direct link here is probably better than the Reddit thread I linked to:

    https://old.reddit.com/r/immich/comments/1oby8fq/immich_is_a...

    I had my personal domain I use for self-hosting flagged. I've had the domain for 25 years and it's never had a hint of spam, phishing, or even unintentional issues like compromised sites / services.

    It's impossible to know what Google's black box is doing, but, in my case, I suspect my flagging was the result of failing to use a large email provider. I use MXRoute for locally hosted services and network devices because they do a better job of giving me simple, hard limits for sending accounts. That way if anything I have ever gets compromised, the damage in terms of spam will be limited to (ex) 10 messages every 24h.

    I invited my sister to a shared Immich album a couple days ago, so I'm guessing that GMail scanned the email notifying her, used the contents + some kind of not-google-or-microsoft sender penalty, and flagged the message as potential spam or phishing. From there, I'd assume the linked domain gets pushed into another system that eventually decides they should blacklist the whole domain.

    The thing that really pisses me off is that I just received an email in reply to my request for review and the whole thing is a gas-lighting extravaganza. Google systems indicate your domain no longer contains harmful links or downloads. Keep yourself safe in the future by blah blah blah blah.

    Umm. No! It's actually Google's crappy, non-deterministic, careless detection that's flagging my legitimate resources as malicious. Then I have to spend my time running it down and double checking everything before submitting a request to have the false positive mistake on Google's end fixed.

    Convince me that Google won't abuse this to make self hosting unbearable.

  • by kazinator on 10/23/25, 8:28 PM

    Simply opening a case saying that this is our website not impersonating anyone else is unlikely to get anything resolved.

    Just because it's your website, and you're not a bad agent doesn't prove that no part of the site is under the control of a bad agent, and that your site isn't accidentally hosting something malicious somewhere, or have some UI that is exploitable for cross-site scripting or whatever.

  • by amelius on 10/23/25, 10:44 AM

    There is no reason why a browser should __be__ a content filter.

    Instead, you should be able to install a preferred content filter into your browser.

  • by zerof1l on 10/23/25, 3:36 PM

    I believe that Jellyfin, Immich, and Nextcloud login pages are automatically flagged as dangerous by Google. What's more, I suspect that Google is somehow collecting data from its browser, Chrome.

    Google flagged my domain as dangerous once. I do host Jellyfin, Immich, and Nextcloud. I run an IP whitelist on the router. All packets from IPs that are not whitelisted are dropped. There are no links to my domain on the internet. At any time, there are 2-3 IPs belonging to me and my family that can load the website. I never whitelisted Google IPs.

    How on earth did Google manage to determine that my domain is dangerous?

  • by TechSquidTV on 10/23/25, 1:29 PM

    My local SABnzbd instance (not even accessible from the internet) was marked as a malicious site too.
  • by timnetworks on 10/23/25, 11:35 AM

    I don't think I ever saw a legitimate warning, EVER. I push past SSL warnings EVERY DAY to manage infra.
  • by stephenlf on 10/23/25, 3:58 AM

    I have no idea what immich is or what this post says, but I LOVE that this company has a collection of posts called, “Cursed Knowledge.”
  • by ggm on 10/23/25, 1:19 AM

    Is there any linkage to the semifactoid that immich Web gui looks very like Google Photos or is that just one of the coincidences?
  • by XiphiasX on 10/23/25, 5:18 AM

    I’m launching a web version for an online game. What to do to prevent this from happening?
  • by pharrington on 10/23/25, 5:29 AM

    They have to fix their SSL certs. "Kubernetes Ingress Controller Fake Certificate" aint gonna cut it.
  • by throwaway-0001 on 10/23/25, 4:12 AM

    I'm also self-hosting Gitea and Portainer and I'm having this issue every few weeks. I appeal, they remove the warning, after a week it's back. This has been ongoing for at least 4 years. I have more than 20 appeals, all successfully removing the warning. Ridiculous. I heard legal action is the best option now, any other ideas?
  • by tjpnz on 10/23/25, 3:51 AM

    "might trick you into installing unsafe software"

    Something Google actively facilitates with the ads they serve.

  • by renewiltord on 10/23/25, 12:07 AM

    I think the other very interesting thing in the reddit thread[0] for this is that if you do well-known-domain.yourdomain.tld then you're likely to get whacked by this too. It makes sense I guess. Lots of people are probably clicking gmail.shady.info and getting phished.

    0: https://old.reddit.com/r/immich/comments/1oby8fq/immich_is_a...

  • by shevy-java on 10/23/25, 8:32 AM

    I don't want Google to abuse the world wide web. It is time for real change - a world without Google. A world with less Evil.
  • by nalekberov on 10/23/25, 6:03 AM

    First thing I do when I start to use a browser for the first time is making sure 'Google Safe Browsing' feature is disabled. I don't need yet another annoyance while I browse the web, especially when it's from Google.
  • by lbrito on 10/23/25, 4:32 PM

    This just makes me feel more loyalty towards Immich and disgust towards Google Photos.

    At this point I would rather use an analog camera with photo albums than Google Photos.

  • by shadowgovt on 10/23/25, 3:14 AM

    > The most alarming thing was realizing that a single flagged subdomain would apparently invalidate the entire domain.

    Correct. It works this way because in general the domain has the rights over routing all the subdomains. Which means if you were a spammer, and doing something untoward on a subdomain only invalidated the subdomain, it would be the easiest game in the world to play.

    malware1.malicious.com

    malware2.malicious.com

    ... Etc.

  • by sneak on 10/23/25, 12:38 PM

    This happened to amazon.de last week. It was resolved quickly.

    Google shouldn’t be a single chokepoint for web censorship.

  • by lucideer on 10/23/25, 7:00 AM

    I've rarely seen a HN comment section this overwhelmingly wrong on a technical topic. This community is usually better than this.

    Google is an evil company I want the web to be free of, I resent that even Firefox & Safari use this safe browsing service. Immich is a phenomenal piece of software - I've hosted it myself & sung its praises on HN in the past.

    Putting aside David vs Goliath biases here, Google is 100% correct here & what Immich are doing is extremely dangerous. The fact they don't acknowledge that in the blog post shows a security knowledge gap that I'm really hoping is closed over the course of remediating this.

    I don't think the Immich team mean any harm but as it currently stands the OP constitutes misinformation.

  • by stemc43 on 10/23/25, 10:37 AM

    What absolute scumbags they are, after all.
  • by inflames123 on 10/23/25, 2:02 PM

    sad
  • by dvh on 10/23/25, 4:13 AM

    And yet if you start typing 192 in chrome, first suggested url is 192.168.l00.1
  • by yapyap on 10/23/25, 5:22 AM

    I’d say this is a clear slight from Google, using their Chrome browser because something or someone is inconveniencing another part of their business, google cloud / google photos.

    They did a similar thing with the uBlock Origin extension, flagging it with "this extension might be slowing down your browser" in a big red banner in the last few months of manifest v2 on Chrome. After already having to upload the extension yourself to Chrome because they took it off the extension store because it was inhibiting their ad business.

    Google is a massive monopolistic company who will pull strings on one side of their business to help another.

    With only Firefox not being based on Chromium and still having manifest v2 the future (5 to 10 years from now) looks bleak. With only 1 browser like this web devs can phase it out slowly by not taking it into consideration when coding or Firefox could enshittify to such an extent because of their manifest v2 monopoly that even that wont make it worth it anymore.

    Oh and for the ones not in the know, Manifest is the name of a javascript file manifest.js that decides what browser extensions can and can't modify, and the "upgrade" from manifest v2 to v3 has made it near impossible for adblockers to block ads.

  • by 31337Logic on 10/23/25, 11:43 AM

    F you, Google! Thank goodness I severed that relationship years ago. With so many other great (and ethically superior) products out there to choose from, you'd have to be a true masochist to intentionally throw yourself into their pool of shit.
  • by Jackson__ on 10/23/25, 5:30 AM

    If there are any googlers here, I'd like to report an even more dangerous website. As much as 30-50% of the traffic to it relates to malware or scams, and it has gone unpunished for a very long time.

    The address appears to be adsense.google.com.

  • by shoelessone on 10/23/25, 12:58 PM

    I don't see how this is an issue. To me, this does seem at least confusing, but possibly dangerous.

    If you have internal auth testing domains at the same place as user generated content, what's to stop somebody thinking a user-generated page isn't a legit page when it asked you to login or something?

    To me this seems like a reasonable flag.