Google flags my sites as dangerous (Deceptive site ahead)

There are some posts here already about the bright-red warning in every browser about the “deceptive website” warning. I have a few instances which have been running for a while - the oldest was installed in Jan 2021.

First of all, I assume this is an ‘upstream’ problem, which means that without fundamentally altering YunoHost configuration I cannot fix this. The fix for this will come from the YunoHost upstream, and it’s very likely that the YunoHost upstream is waiting on PHP, its framework, and on others.

I post this because I read a lot of guesses about the cause and a fix, and none of them make more sense than mine above. I am hoping to save folks here a lot of frustration trying to fix this issue - which is pretty detrimental to us, node operators. No use to tell your users that fresh nodes, built an hour ago, were not online long enough to be hijacked; people are freaking out and will not use your node.

On the upside, YunoHost is a phenomenal service stack, I am able to build fully RFC-compliant networks for DNSSEC, SSL, DKIM, DMARC, SPF, just to mention a few. I would like to see an upgrade ASAP for the issue with the Google API - and then the issue documented so we can shame Google.

Calling an entire community “deceptive”, for not being able to separate criminal intent from technical causes, is pathetic behavior from Google, a technology expert. This shows just how arrogant Google has become, and how scared people are of everything they do not understand.

Thanks for reading, and hope to see an explanation soon for what is exactly failing the Google API here: Google Safe Browsing

2 Likes

I took the liberty to merge your post with the original one. :slight_smile:

1 Like

I own the YunoHost stack at w3pbs.us, with subdomains fediverse.w3pbs.us, zot.fediverse.w3pbs.us and a few others. Everything is RFC-compliant, the apex is even registered with Google’s Postmaster. There is no creepware of any sort on my network, and the last subdomain was flagged as soon as it came online. The apex is on a different VPS from the subdomains, and I use my own BIND on three separate VPS. Even when I have a fully configured, fully controlled and independent stack, I am still a “deceptive website”.

My only explanation is that the Google API was changed, and that triggered the issue. YunoHost must deal with this because Google is not even going to acknowledge anything.

1 Like

Google changed something in the way they inspect web pages and now they are embarrassing themselves. Mistaking technical issues with criminal behavior is nothing short of a spectacular self-own.

2 Likes

I updated to Yunohost 11.0.11 this morning after having my ynh.fr domain reset so I could re-use it after a fresh install, and I have also just started getting these red warning pages appearing on my main domain and subdomain… but only when I use stock Chromium or other Google-linked services.
When I use Ungoogled Chromium on my laptop, or Mull or Bromite on my de-Googled Android smartphone, I can view my domains with no warnings.

I have submitted a review request here: Report Incorrect Phishing Warning
…so will wait and see what happens, if anything.

If there is no change, I will try adding a MyWebapp page as the default app for the domain and see if that fixes it.
It’s so strange that some of us have been getting this immediately after a Yunohost update.

hope I don’t jinx myself but for about 2/3 weeks now I’ve not had issues after doing this which someone above posted but now seems to be gone?

anyway use these links

  1. https://search.google.com/search-console
  2. https://postmaster.google.com/

add your domain to both links by google and then go to security under search console, then click on fixed, enter some random malarkey, then wait for it to happen again in a few days, but by then you should hopefully be good with google and might have to do the malarkey once more and hope that works.

but i don’t know yet if google will still red flag me again but so far no issues.

1 Like

Would have agreed with you but then I logged in this morning and bam… Back again.

Do you reckon it’s worth doing a coordinated campaign against google? Setup some tickets then get everyone here to jump on and comment. While that is going start a Twitter campaign #googleisbeinga**** (Or something more polite)?

1 Like

Just as an update:

  1. I’m unable to use Google’s search-console because I am using a stock ynh.fr domain. As such, I have no access to my domain’s DNS records.

  2. Adding a My_Webapp page and setting it as the default – both as domain.tld/site and at the domain root (domain.tld/), and even with a customised HTML splash page explaining it’s a private server run for a family – made the situation worse. Before, VirusTotal said only Google Safebrowsing thought my domain was a phishing site. Immediately after, I had 2 extra companies think so, and “multiple redirects” was the reason given, as before.

  3. I submitted a request for review here (Report Incorrect Phishing Warning) as I said in my previous post, but so far there’s been no change.

I second what others have said about customising the SSO login screen. I know it has been mentioned in passing that it is possible using custom style sheets (CSS) and/or Javascript, but I’m sure I’m not the only one who would really appreciate a step-by-step guide on how to actually do this in the context of a Yunohost server. Not everyone is a web developer.

You could also try asking Google Webmasters for help directly, Google Search Central Community

As another update, I have done the following and now have 7 companies in total marking my ynh.fr domain as “phishing” or “malicious”.

  1. Modified the blue “Please sign in to see this content” box that appears above my server’s SSO login fields, so that the text says, “This is a private server for a family’s own use. We aren’t phishing anyone.”
    For anyone else who wants to do this, edit the file /usr/share/ssowat/portal/locales/en.json (or if your locale is French: fr.json), and look for the line that begins with "please_login":
    For example: "please_login": "Here is some sample text",
    Keep the quotation marks and the comma on the end. Save & exit.
    Check that nginx is still OK by running: sudo nginx -t
    Then either reboot your server (sudo reboot now) or restart nginx (sudo systemctl reload nginx)

  2. Followed the instructions here to add robots.txt to the root of the domain.

Strangely VirusTotal gives different results if you type https:// on the front of the URL. It also has results for subdomains I no longer have.

Right, some success.
I realised that the report I made to https://safebrowsing.google.com/safebrowsing/report_error/?hl=en-US hadn’t gone through because of a browser extension I was using, so I turned it off, tried again, and within a few hours, Google Safebrowsing had stopped marking my domain as phishing/malicious.

I have also been writing to the other companies in the VirusTotal analysis results to either flag up my domain as a false positive, or ask them to review it. You can either contact them in the normal ways or use the ‘report false positive’ feature that some of their websites have. Of the 8 that were marking it as phishing/malicious yesterday morning, I’m now down to 2. :slight_smile:

since it seems google doesn’t like the redirect url like “sso/?r=aHR0cHD6Ly9wcm9qZWNRG”, why isn’t this ‘r=’ part completely removed?

isn’t it possible to either remove the redirect from site.ltd/sso to site.ltd/yunohost/sso (people will have to type yunohost instead of sso) or to make a redirect without the r= which causes the problem? (even if I understand the problem is google itself)

The r= part isn’t here for nothing, it’s a callback URL meant to redirect you to the page you were looking for once you login … Maybe we could tweak the behavior to use HTTP headers instead, but my rough guess is that it’s gonna be less robust / less practical … I just don’t see anything inherently wrong with using a base64 callback url in query arg, I’ve seen many other software do this as well …
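To see what a URL scanner or an admin is actually looking at in such a link, the sketch below decodes the `r=` callback and checks that it points back at the server's own domains. It is an added example, not part of the original posts and not SSOwat's code; `domain.tld`, the helper names and the allowed-domain check are assumptions for illustration, and the token is assumed to be the base64 of the full callback URL as described in the post above.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs


def decode_sso_redirect(sso_url):
    """Return the callback URL carried in r=, or None if absent or undecodable."""
    values = parse_qs(urlsplit(sso_url).query).get("r")
    if not values:
        return None
    # parse_qs turns '+' into ' '; map everything to the URL-safe alphabet.
    token = values[0].replace(" ", "-").replace("+", "-").replace("/", "_")
    token += "=" * (-len(token) % 4)  # restore stripped padding
    try:
        return base64.urlsafe_b64decode(token).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_local_target(target, allowed_domains):
    """True only if target is http(s) and its host is an allowed domain or subdomain."""
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def make_sso_url(portal, target):
    """Build a constructed sample link in the shape quoted in the thread."""
    token = base64.urlsafe_b64encode(target.encode()).decode().rstrip("=")
    return f"{portal}?r={token}"


if __name__ == "__main__":
    portal = "https://domain.tld/yunohost/sso/"  # placeholder domain
    samples = [  # constructed sample targets
        "https://domain.tld/dokuwiki/",
        "https://domain.tld.example.net/login",  # look-alike host, must be rejected
    ]
    for target in samples:
        url = make_sso_url(portal, target)
        decoded = decode_sso_redirect(url)
        print(url, "->", decoded, is_local_target(decoded, ["domain.tld"]))
```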

Now it has happened to me as well. The flagged domain.com was behind the SSO while the main domain for login was yh.domain.com while some other sub domains were freely accessible. It started yesterday morning, with 2 companies listing the site, today it went up to four companies: Avira, Google Safebrowsing, ESET (Phishing) and Seclookup (Malicious).

In Google Search Console it says “Deceptive pages”. The sample URL it lists is located on a different non-yunohost-server with no redirects that I just started using for backups. It says

Sample Urls:

http://sub.domain.com/
https://sub.domain.com/yunohost/admin/

I have contacted Google via the Search Console, so far nothing has happened, but it’s weekend…

I have two other Yunohost servers with similar setup, even with different domains, but no problems there. The affected Yunohost server is rather recent, used more for testing than serious stuff for production use. All of them have been updated to the most recent YH version.

Update: Google delisted the domain, yeah! Success! BUT: Virustotal says now: “11 security vendors flagged this URL as malicious”
Yesterday I made the URL open and used Dokuwiki as the main app for the domain.

Maybe the other vendors are slower, they lag behind google. So maybe after a few days, they will delist the domain as well? Let’s see. Otherwise I will deinstall Yunohost on this server and move it somewhere else.

UPDATE: In the Google Search Console it is still listed as malicious, but not in Google Safebrowsing according to Virustotal and I can access the domain.

If it keeps happening I definitely recommend opening a ticket with the Google Webmasters (link in my post above). I now have an open ticket where I can get almost instant help from a real human each time it happens. They have assured me the tech team has “fixed my problem so it will not recur” but I have now been told that twice, after two recurrences, so I am keeping the ticket open :wink:

2 Likes

should we endlessly beg at Google because they break the web due to their horrid monopoly?

Maybe it’s high time at least firefox (and other independent web browsers) remove this stupid functionality to rely on google for telling if a website is OK or not OK…

3 Likes

I received a message from Google

Google has received and processed your security review request. Google systems indicate that [your domain] no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site.

But no change over at Virustotal:

12 security vendors flagged this URL as malicious

So Google is not the only problem here, unfortunately…

EDIT three days later: Still flagged by 11 “security vendors”

Just adding my experience here. I operate https://snipettemag.com, but the admin is hosted on a members subdomain which isn’t actively promoted anywhere. Despite that, the domain has been flagged twice by Google’s robots.

The first time, I filed a review request on the search console detailing the security situation (nobody logged in) and also explaining that YunoHost login pages look the same and that doesn’t mean we’re phishing. I also did a “report false flagging” (or whatever the option’s called) from the scary red page itself, again explaining that YunoHost login pages aren’t phishing (and comparing it to Mastodon). I asked a couple of other users to report it as well, and it went away after a few days.

The next time, another user and I did the “report false flagging” with a more strongly worded “we are not even trying to phish and this is the second time, stop messing with us” message. Later that day, I signed in to the search console but by the time I wrote out a review request it had already been un-flagged. (I was annoyed that the request wasn’t even going through; then I realised it was because the flag had been withdrawn so there was nothing to request for).

It’s still annoying though, and if anyone wants to do a hashtag campaign I’m in. (Ditto for the class action, but perhaps with a bit more thought!)

For reference, here’s the first review request I wrote. Please don’t copy it verbatim because I don’t know how Google will like that, but feel free to modify/rephrase it for your own context.

Full review request filed by me to Google

All SSL certificates have been updated recently. Since the security alert from Google Search Console did not provide any specific affected URL, we went through the homepage and last 4 published pages (i.e. all pages from the last 1 month) and could not find any misleading, deceptive, or harmful content. The last 4 published pages include links to the following 17 domains, none of which we found to be deceptive or harmful: academia.edu, avi-loeb.medium.com, lweb.cfa.harvard.edu, theatlantic.com, globalnews.ca, chernobylguide.com, livescience.com, preview.discovermagazine.com, theworldcounts.com, usatoday.com, flatcreekinn.com, arstechnica.com, time.com, www.architectural-review.com, antoniomelonio.medium.com, theconversation.com, www.zmescience.com. We are self-hosting Ghost, YunoHost, Commento, and Goatcounter, all from official sources. Besides that, the only third-party embeds are to Google Fonts and Google Forms. We are assuming neither of those two services have been compromised. One page published on March 2022 has embeds from the Desmos online calculator (https://desmos.com) but the Desmos logo is clearly visible. We verified that the embeds are not looking significantly different from when the page was originally published. If there are any other issues that we missed we would be happy to rectify them.

(Okay, having found and re-read it it’s a lot different than I expected and more like just a bunch of links :sweat_smile: the second report was more focused on “this is YunoHost and you can’t accuse all YunoHost installations of spam” but unfortunately that’s the one where the filing failed and I didn’t save it! Note that I am usually very meticulous about these things and you might not have to go into as much detail as I did).

1 Like

My YunoHost website has also been falsely flagged by Google about ten days ago. I appealed with their form and the warning seems to be gone now, but my domain has been put on serverHold status by the registry which I assume was an automatic measure to help prevent potential abuse.

I went ahead and contacted the registry to have the serverHold status lifted but it really sucks that Google seems to be flagging so many websites running YunoHost.

Update: according to VirusTotal, it seems like ESET and Avira also flagged my website as malicious, I have contacted them as well and I hope they will unflag it soon.

Another update: Avira keeps unflagging my domain but it gets re-flagged by them shortly after, I think they might either be basing their flags on other security engines or on the WHOIS information which contains the serverHold status.

1 Like