Hacker News new | ask | show | jobs
by trod1234 256 days ago
Yes, its generally good advice to keep user content on a separate domain.

That said, there are a number of IT professionals that aren't aware of the PSL as these are largely initiatives that didn't exist prior to 2023 and don't get a lot of advertisement, or even a requirement. They largely just started being used silently by big players which itself presents issues.

There are hundreds if not thousands of whitepapers on industry, and afaik there's only one or two places its mentioned in industry working groups, and those were in blog posts, not whitepapers (at M3AAWG). There's no real documentation of the organization, what its for, and how it should be used in any of the working group whitepapers. Just that it is being used and needs support; not something professional's would pay attention to imo.

> Second, they should be using the public suffix list

This is flawed reasoning as is. Its hard to claim this with a basis when professionals don't know about this, a small subset just arbitrarily started doing this, and seems more like false justification after-the-fact for throwing the baby out with the bath water.

Security is everyone's responsibility, and Google could have narrowly tailored the offending domain name accesses instead of blocking the top-level. They didn't do that, and worse that behavior could even be automated in a way that the process could be extended and there could be a noticing period to the toplevel provider before it started hitting everyone's devices. They also didn't do that apparently.

Regardless, no single entity should be able to dictate what other people perceive or see arbitrarily from their devices (without a choice; opt-in) but that is what they've designed these systems to do.

Enumerating badness doesn't work. Worse, say the domain names get reassigned to another unrelated customer.

Those people are different people, but they are still blocked as happens with small mail servers quite often. Who is responsible when someone who hasn't been engaged with phishing is being arbitrarily punished without due process. Who is to say that google isn't doing this purposefully to retain their monopolies for services they also provide.

Its a perilous torturous path where trust cannot be given because they've violated that trust in the past, and have little credibility with all net incentives towards their own profit at the expense of others. They are even willing to regularly break the law, and have never been held to account for it. (i.e. Google Maps WIFI wiretapping).

Hanlon's razor is a joke intended as a joke, but there are people that use it literally and inappropriately to deceitfully take advantage of others.

Gross negligence coupled with some form of loss is sufficient for general intent which makes the associated actions malicious/malice.

Throwing out the baby with the bath water without telling anyone or without warning, is gross negligence.
1 comments
SquareWheel 255 days ago
I'm not sure what to tell you. I'm a professional with nearly two decades of experience in this industry, and I don't read any white papers. I read web publications like Smashing Magazine or CSS Tricks, and more specifically authors like Paul Irish, Jake Archibald, Josh Comeau, and Roman Komarov. Developers who talk about the latest features and standards, and best practices to adopt.

The view that professionals in this industry exclusively participate in academic circles runs counter to my experience. Unless you're following the latest AI buzz, most people are not spending their time on arXiv.

The PSL is surely an imperfect solution, but it's solving a problem for the moment. Ideally a more permanent DNS-based solution would be implemented to replace it. Though some system akin to SSL certificates would be necessary to provide an element of third-party trust, as bad actors could otherwise abuse it to segment malicious activity on their own domains.

If you're opposed to Safe Browsing as a whole, both Chromium and Firefox allow you to disable that feature. However, making it an opt-in would essentially turn off an important security feature for billions of users. This would result in a far greater influx of phishing attacks and the spread of malware. I can understand being opposed to such a filter from an idealistic perspective, but practically speaking, it would do far more harm than good.

link
trod1234 255 days ago
You seem to have not understood what I said conflating academia with whitepapers and then construct the rest on an improper foundation from there.

Whitepapers aren't the sole domain of academia. What we are talking about aren't hosted on Arxiv. We are talking about industry working groups.

The M3AAWG working group, and browser/CA forum publish RFCs and Whitepapers that professionals in this area do read regularly.

There's been insufficient/no professional outreach about PSL. You can't just do things at large players without disclosure for interop, because you harm others by doing so neglecting the imposing fallout from lack of disclosure on everyone else that's impacted within your sphere of influence which as a company running the second most popular browser is global.

When you do so without first doing certain reasonable and expected things (of any professional organization), you are being grossly negligent. This is sufficient to prove general intent for malice in many cases, a reasonable person in such circumstances should have known better.

This paves the way for proving tortuous or vexatious interference of a contract which is a tort and punishable by law when brought against the entity.

> The PSL is surely an imperfect solution but its solving the problem for the moment.

It is not, because the disclosure hasn't happened properly for interop, and in such circumstances it predictably creates a mountain of problems without visibility; a timebomb/poison pill where crisis arises from the brittle structure later following shock doctrine utilizing the snowball effect (a common tactic of the corrupt and deceiver alike).

Your entire line of reasoning which you constructed is critically flawed. You presume trust is important to this, and that such systems require trust, but trust doesn't have anything to do with the reputational metrics which the systems we are talking about are using to impose cost. Apples to Oranges.

You can't enumerate badness. Lots of professionals know this. Historic reputational blacklists also punish those that are innocent after-the-fact when not properly disclosed, or engineered for due process. A permanent record deprives anyone from using a blacklisted entry after it changes hands from the criminal to some unsuspecting person.

Your reasoning specifically frames a false dichotomy about security. This follows almost identically the same reasoning the Nazi's used (ref at the bottom).

No one is arguing that Safe Browsing and other mechanisms are useful as mitigation, but they are temporary solutions that must be disclosed to a detailed level that allows interoperability to become possible.

If you only tell your friends, and impose those draconian costs on everyone else, you are abusing your privileged position of trust for personal gain (a form of corruption), and causing harm on others even if you can't see it.

Chrome does not have an opt-out. You have to re-compile the browser from scratch to turn those subsystems off. Same with Firefox. That is not allowing you to disable that feature since users aren't reasonably expected to be able to recompile their software to change a setting.

There is no idealism/pacifism here. I'm strictly being pragmatic.

You neglect the harm you don't directly see, in the costs imposed on business. Second, Third, and n-order effects must be considered but have not been (this must necessarily grow in consideration based on the scope/scale of impact).

There are a few areas where doing such blind things may directly threaten existential matters (i.e. food production where failure of logistics lead to shortages, which whipsaw into chaos). It won't happen immediately, and we live in a growingly brittle but still somewhat resilient society, but it will happen eventually if such harm is adopted and allowed as standard practice; though the method is indirect the scope starts off large.

If you only look through a lens at a small part of the cycle of the dynamics that favors your argument which you set in motion, ignoring everything else; that is called cherry-picking or also commonly known as the fallacy of isolation.

Practically speaking, that line of reasoning is without foundational support and unsound. Its important to properly discern and reason about things as they actually exist in reality.

Competent professionalism is not an idealistic perspective. The harm naturally comes when one doesn't meet well established professional requirements. When the rule of law fails to hold destructive people to account for their actions; that's a three-alarm fire as a warning sign of impending societal collapse. The harms of which are incalculable.

Ref: "Of course the people don't want war. But after all, it's the leaders of the country who determine the policy, and it's always a simple matter to drag the people along whether it's a democracy, a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders.

(Your implications follow this part closely): That is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism, and exposing the country to greater danger."

    -- Herman Goering at the Nuremberg trials
link