The service was blocking our grapheneos.network connectivity check server for a period of time yesterday/today. It was unblocked after users reported it. It's very strange and I think it reflects quite badly on their processes for blocking supposed malware domains.
I'd really like to know why a domain using DNSSEC and running an HTTP / HTTPS server serving empty 204 responses for /generate_204 was blocked.
It doesn't serve anything else beyond redirects to grapheneos.org/faq#default-co for /, a static MTA-STS configuration and 404 responses...
The grapheneos.online domain wasn't blocked but we hadn't yet started using it for one of the fallback URLs.
If you run into a similar issue with content filtering, you can use the toggle we added to use the standard Google servers for connectivity / captive portal checks.
Enumerating badness is not just an unworkable approach but inflicts serious collateral damage. Have had multiple users fall behind on updates, etc. from these kinds of issues. Drains development time too.
Safe Browsing and assorted content filtering lists have the same issues.
Something like this happened before to pypi.org, the official Python package repository with many billions of package downloads from all over the world.
This Tweet was deleted by the Tweet author.
They might have had other issues but they were definitely specifically blocking grapheneos.network. It got confirmed by having users test opening it in their browser on another computer. grapheneos.online wasn't blocked and hopefully neither were our other domains.
Quad9 receives threat intel feeds from many sources and reputation-scores them, about 4M malware domains with ~400K daily change, while the project only has about a dozen people. We're running about a 1/600,000 false-positive rate, but user reports define the source reputations.
How is abuse through malicious reporting prevented?
GrapheneOS is being actively attacked by people hostile towards us. The servers are regularly under denial of service attack. It's not at all above them to send in false reports for our domains to different services.
So, the system worked the way it was supposed to, yours happened to be that one-in-six-hundred-thousand, unfortunately, but it got fixed and whichever threat-intel source reported it now has a lower reputation score. If you can think of a better way, we always want to improve.


