
Comment by cadence-

5 years ago

I can confirm everything that was said in that article. I run a free dynamic dns service (freemyip.com) and every time someone creates a subdomain that later hosts some questionable material, Google will immediately block my whole domain. Their response time for clearing these up varies from a few hours to two weeks. It feels completely random. I once had a malicious subdomain that I removed within two hours, yet the ban on Google lasted for more than two weeks. Now, this is a free service so bans like these don’t really matter that much to me, but if it was a business, I would have most likely gone bankrupt already.

I noticed that recently, they are only sending me the warning, but don’t block me right away. Perhaps after a few years of these situations I advanced to a more “trusted” level at Google where they give me some time to react before they pull the plug on my domain. I don’t know. But I would be truly petrified of Google if this was my real business.

Have you considered requesting that your domain be added to the public suffix list? https://publicsuffix.org/

If subdomains of your domain should be treated as independent sites, the public suffix list is (sadly) how you communicate that to browsers.

(Disclosure: I work for Google, speaking only for myself)

  • Fascinating. I had never heard of this, and cloudfront.net is in there, which might provide a clue as to why Google only blacklisted our subdomain and not the whole thing (imagine that!).

    Is there any downside to being on this list?

    • > Is there any downside to being on this list?

      If example.com were on the list then a cookie set on a.example.com couldn't be read on b.example.com. In this case that would probably be a good thing, since the subdomains represent independent sites, but if a site were erroneously added that could be a problem (mail.yahoo.com and groups.yahoo.com should share login cookies, for example).

      The list was originally created to handle cookies, but more recently it's been used for other notions of "site", like cache sharding.

  • > the public suffix list is (sadly) how you communicate that to browsers

    Sadly, indeed. Had they never heard of DNS?

    • How would you propose handling this with DNS? Here are some things it covers:

      * a.example.com and b.example.com are the same site

      * a.co.uk and b.co.uk are not the same site

      * a.cloudfront.net and b.cloudfront.net are not the same site

      * a.higashikawa.hokkaido.jp and b.higashikawa.hokkaido.jp are not the same site

      * a.example.higashikawa.hokkaido.jp and b.example.higashikawa.hokkaido.jp are the same site

      There is a proposal to do something similar using response headers and .well-known URLs: https://github.com/privacycg/first-party-sets

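The same-site cases listed in the comment above, and the cookie consequence mentioned earlier in the thread, worked through in code. This is an added example, not part of the thread or of any browser's implementation; the rule set is a small constructed subset of the Public Suffix List, the function names are hypothetical, and IDN handling is left out.

```python
# Constructed subset of Public Suffix List rules, for illustration only;
# the real list is published at https://publicsuffix.org/.
RULES = {
    "com", "net", "uk", "co.uk", "jp", "hokkaido.jp",
    "higashikawa.hokkaido.jp", "cloudfront.net",
    "*.ck", "!www.ck",  # a wildcard rule and an exception to it
}

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix_len(labels):
    """Number of trailing labels that form the public suffix."""
    best = 1  # implicit "*" rule: an unlisted TLD counts as a suffix
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if "!" + cand in RULES:
            # Exception rules win: suffix is the rule minus its left label.
            return len(labels) - i - 1
        parent = ".".join(labels[i + 1:])
        if cand in RULES or (parent and "*." + parent in RULES):
            best = max(best, len(labels) - i)
    return best

def registrable_domain(host):
    """Public suffix plus one label, or None if host is itself a suffix."""
    labels = _labels(host)
    n = public_suffix_len(labels)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def same_site(a, b):
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb

def cookie_domain_allowed(host, domain_attr):
    """May host set a cookie with Domain=domain_attr? Simplified: the
    Domain == host case (stored host-only per RFC 6265) is not modelled."""
    d = domain_attr.lower().lstrip(".")
    if registrable_domain(d) is None:
        return False  # Domain is a public suffix: would span unrelated sites
    h = ".".join(_labels(host))
    return h == d or h.endswith("." + d)

if __name__ == "__main__":
    for a, b in [("a.example.com", "b.example.com"),
                 ("a.cloudfront.net", "b.cloudfront.net")]:
        print(a, b, "same site" if same_site(a, b) else "different sites")
```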

Author here. This is fascinating because I figured Google would definitely not ban cloudfront.net entirely and that's why they blacklisted the subdomain, but had this been hosted on our actual company domain, would we have been spared?