https://news.ycombinator.com/user?id=neon_erosionHacker News RSShttps://hnrss.org/hnrss v2.1.1Wed, 20 May 2026 10:55:57 +0000Don't forget the `githubusercontent.com` domain, which is specifically used to host risky, user-generated content, and fully documented in https://docs.github.com/en/authentication/keeping-your-accou... (using an open source component that other companies could also use, if they were interested in similar levels of security)

]]>Fri, 10 Oct 2025 21:03:02 +0000https://news.ycombinator.com/item?id=45543758neon_erosionhttps://news.ycombinator.com/item?id=45543758https://news.ycombinator.com/item?id=45543758This is the kind of thing that customers rely on you to do _before_ it causes an incident.

]]>Fri, 10 Oct 2025 21:00:45 +0000https://news.ycombinator.com/item?id=45543728neon_erosionhttps://news.ycombinator.com/item?id=45543728https://news.ycombinator.com/item?id=45543728Then that would be an example of a system having failed and one that needs to change. Instead, this is an example of a hosting company complaining about the consequences of skipping some of the basic, well-documented safety and security practices that help to isolate domains for all sorts of reasons, from reputation to little things like user cookies.

]]>Fri, 10 Oct 2025 20:59:29 +0000https://news.ycombinator.com/item?id=45543716neon_erosionhttps://news.ycombinator.com/item?id=45543716https://news.ycombinator.com/item?id=45543716There are well-documented solutions to this that don't rely on the PSL. Choosing to ignore all of that advice while hosting user content is a very irresponsible choice, at best.

]]>Fri, 10 Oct 2025 15:07:54 +0000https://news.ycombinator.com/item?id=45539916neon_erosionhttps://news.ycombinator.com/item?id=45539916https://news.ycombinator.com/item?id=45539916Exactly, this has been documented knowledge for many years now, even decades. Github and other large providers of user-generated content have public-facing documentation on the risks and ways to mitigate them. Any hosting provider that chooses to ignore those practices is putting themselves, and their customers, at risk.

]]>Fri, 10 Oct 2025 15:04:07 +0000https://news.ycombinator.com/item?id=45539876neon_erosionhttps://news.ycombinator.com/item?id=45539876https://news.ycombinator.com/item?id=45539876How does flagging a domain that was actively hosting phishing sites demonstrate that Google has too much power? They do, but this is a terrible example, undermining any point you are trying to make.

]]>Fri, 10 Oct 2025 15:02:32 +0000https://news.ycombinator.com/item?id=45539864neon_erosionhttps://news.ycombinator.com/item?id=45539864https://news.ycombinator.com/item?id=45539864What point are you trying to make here? You hosted phishing sites on your primary domain, which was then flagged as unsafe. You chose not to use the tools that would have marked those sites as belonging to individual users, and the system worked as designed.

]]>Fri, 10 Oct 2025 15:01:05 +0000https://news.ycombinator.com/item?id=45539849neon_erosionhttps://news.ycombinator.com/item?id=45539849https://news.ycombinator.com/item?id=45539849