My site is marked as dangerous and I did not use wireguard at all
Your site is marked as dangerous because of the SSO; it has nothing to do with wireguard.
- When Google search is indexing, it tries to access the admin parts of your website or domains where the login is behind the YunoHost SSO, and the SSO redirects the Google indexer to the SSO portal, and Google freaks out and thinks you're sending them to a scammer to rob them or hack them.
The only way to avoid this is really to not hide applications or domains behind the SSO and to try to use the Google Search Console.
Shit… I unchecked the three boxes under "Deceptive Content and Dangerous Software Protection".
This whole thing goes too far for me… it's like with email: you can end up in spam without knowing why (apart from the fact that the GAFAM use internal mechanisms to protect people, without properly explaining what is going on).
Edit: 3 hours later, after checking those 3 boxes again… no more alert.
Hello, since today I have exactly the same problem with my server: meurthemadon.nohost.me
Impossible to validate ownership of the site in the Google console. I used my_webapp to upload Google's verification file, but the response is "Your site could not be found. Please check that you entered your property's URL correctly."
Google also flagged my personal server for “phishing” (behind the login screen also) yesterday, but I got the warning removed in just 24 hours via Firefox’s false positive report tool by saying something like:
This is my personal server where I self-host my services for my own use only. Check yunohost.org for more info.
I’m not phishing anyone. If a random person from the internet stumbles upon the site and enters their credentials, it’s none of my business.
I’m stunned that the decision was reversed that fast. I guess I got lucky?
Same procedure and same solution for me! I also mentioned Yunohost so that they can update their phishing models
give it time… it’d get flagged again in 1 week to a month.
- I stopped doing the review… I don’t care any more… anything I want seen I don’t put behind the SSO.
If that happens again, then I don’t care. I finally disabled safe browsing stuff from my browsers, pretty useless feature to me. And since this is my personal server, I don’t give a f about what Google thinks this server is.
I added robots.txt though (if that’s gonna help, even if it doesn’t, I don’t want my server to be indexed on Google or other search engines) with these instructions: Best way for disallowing robots with robots.txt from everything?
We now know that several recent Mastodon instances had the same misadventure.
It seems that several similar authentication pages on a lot of IPs are considered a phishing botnet.
Do you know any workaround to this problem??
Applying a custom theme to the login page can mitigate this problem; it worked for me.
Ah I get the same exact issue for one of my Mastodon instances.
Can you give us more info about this? What do you mean more exactly and why would this solve the issue?
What I realized is that some Mastodon pages have an SSO redirect like security=ae917efeb1d0450a48667a989608191230206534
- why? Can we disable that?
Basically the Mastodon “about” page wants to redirect to security=ae917efeb1d0450a48667a989608191230206534
This keeps happening to me as well. All of the domains I have added in Yunohost have a default app, they’re not all static HTML. There is no domain that you can visit, which is attached to my yunohost server, which directs to anything but an app that was installed via the yunohost admin. I would have to remove some of them to create a static HTML page at “/site” so that’s kind of not a solution.
I would love to pay for development on this. If I donate $500, can this be addressed on the development side? Anyone want to sweeten the pot with me and add to that number?
I don’t claim to have a solution but I am just throwing here my 2 cents solutions… probably not a perfect one.
But this has happened to me twice, and both times I got it solved almost fine by following the procedure below.
First of all, make sure you know that your server has not been compromised.
Then you need a gmail account.
Log in
Go to postmaster console
Add your domain
It will give you a unique code that you will use to create a TXT DNS entry at your provider.
Go to your DNS provider, add the TXT DNS field, and click back on verify domain ownership at the Google postmaster tool.
Then go to “Google Search Console” and add your domain; it shall be already recognized as yours because of the previous step.
Then you shall see a warning telling you about the security issue. Eventually you might get details specific to why it is considered as dangerous.
There you can fill up a request for review where you explain a bit that everything is fine and you are a responsible admin and very aware of security practices and proactive in taking great care of your server etc…
It did work for me and in both cases I found out why.
The first time it was a cryptocurrency related project that I was hosting for a hackathon
The second time was a weird sub-domain I created with a hash… but funnily enough I kept some hash domains for quite long and no issue.
At the end I think avoiding google is good but you can’t help if other you share your server link does avoid google too. That is exactly when I got issues, if I don’t share my server url around then I don’t get flagged…
(class action sounds like a great great idea, who is in?)
I put your question in the contributor meeting of this evening Instance Etherpad Publique de La Quadrature Du Net
As simple as being able to display a message on the login screen as a declaration on who is operating the website would be fantastic. Seems to be the baseline requirement that Google wants.
Specifically on the /admin and /sso login pages.
What are you basing this on? Google published something?
here
Hi there, I was flagged a few days ago.
My server is installed at my home (laptop with Debian OS), with static public IP and my own domain with CloudFlare SSL
I use some apps in subdomains, like:
- excalidraw to collaborate with my team (I could post links to this in gmail)
- Drupal to test migrations from WordPress
- AdGuard as home DNS
For now I’ve used the “Report incorrect phishing warning” form and am waiting for a response. Maybe I’ll try to use some advice from this topic (like static app, robots.txt, theming login form etc).
But ultimately I can live with this for now (I use this rather for my own apps only)