I’ve redirected my main URL (which was proposing to login to yunohost) to another service on my yunohost and the google shit disappeared.
The service itself proposes to login (it’s hedgedoc) but it only appears when you click on a link. So a workaround could maybe be to use a similar behavior on the main yunohost login page. I understand it’s a PITA, but it seems this interference of google in “how a website should be” is driving everyone crazy.
Google is really bad and “evil” (they removed the “don’t be evil” motto from their slogan probably for a purpose)
Don’t forget that it’s not only Google. Google was in my case easy to deal with. But my URL has been listed by 11 other “vendors”, and this is still the case more than a week after Google delisted the URL. I even deinstalled Yunohost on that server and pointed the domain to another server without Yunohost where it only displays Apache’s default page. Nevertheless nothing changes, still listed by 11 vendors (including some that are used at work, where this URL therefore is blocked). And how to contact all of them? Not so straightforward as with Google, it seems.
I don’t use Google for anything, but I still got flagged after my sister (who uses Gmail) emailed my mother (who doesn’t use Google anything) a link to my Element login.
Avoiding Google (/Microsoft/Amazon/Apple/Facebook) is good imo, but it’s not enough unless you can get everyone else to avoid them, too.
Got flagged by Google as Phishing and, according to VirusTotal, by Seclookup as Malicious, bringing down my main domain with Akkoma, as well as subdomains: Roundcube, Element, Whitebophir, Listmonk, CryptPad, static html pages. It’s a dedicated server, IP was used by me for a year, never in blocklists, 10/10 mail-tester rating, Let’s Encrypt on every subdomain.
Links to SSO pages appeared in private Matrix and Telegram chats (with people who have Google services installed on their phones) when I explained to users how to sign in, but not on public social media. My SSO page looks slightly different from the YunoHost defaults. Logo and Cyrillic font are added with CSS, contact email is added with JS.
I found no misbehaving apps. The most recent install was Listmonk this week. One unusual thing about my server may be that after creating every subdomain, I turn off both incoming and outgoing email for it and manually remove its remaining autoconfig/mail/config-v1.1.xml about which the diagnostic complains.
I wonder if sharing the URLs without creating links would help everyone. In security articles I have started seeing URLs being shared like this: something[.]example[.]com/nextcloud
Email would be someone[at]example[.]com
Etc…
That way a hyperlink is never created. There would need to be an explanation along with sharing the URL to clarify.
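The defanging convention described in the post above, as an added example that is not part of the original thread: a small Python helper that rewrites URLs and email addresses in a message before it is shared, plus the reverse step for the recipient. The sample message is constructed, and rewriting `http` to `hxxp` is a common defanging convention added here beyond what the post shows.

```python
import re

# Constructed sample message; the example.com names are placeholders.
SAMPLE = ("Sign in at https://something.example.com/nextcloud and "
          "mail someone@example.com if it fails.")

# Email: local part, "@", dotted domain ending in a TLD-like label.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")
# URL: optional http(s) scheme, dotted host name, optional path.
URL_RE = re.compile(r"\b(?:(https?)://)?((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})(/[^\s]*)?")


def _bracket_dots(host):
    """something.example.com -> something[.]example[.]com"""
    return host.replace(".", "[.]")


def defang(text):
    """Rewrite emails and URLs so chat and mail clients do not auto-link them."""
    # Emails first, otherwise the URL pattern would claim the domain part.
    text = EMAIL_RE.sub(
        lambda m: f"{m.group(1)}[at]{_bracket_dots(m.group(2))}", text)

    def _url(m):
        scheme, host, path = m.group(1), m.group(2), m.group(3) or ""
        # http -> hxxp, https -> hxxps (added convention, see lead-in).
        prefix = scheme.replace("tt", "xx") + "://" if scheme else ""
        return prefix + _bracket_dots(host) + path  # path is left untouched

    return URL_RE.sub(_url, text)


def refang(text):
    """Recipient side: restore the original addresses from a defanged message."""
    return (text.replace("[.]", ".").replace("[at]", "@")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def has_linkable(text):
    """True if the text still contains something a client could turn into a link."""
    return bool(EMAIL_RE.search(text) or URL_RE.search(text))


if __name__ == "__main__":
    safe = defang(SAMPLE)
    print(safe)
    print("still linkable:", has_linkable(safe))
```

The URL pattern is deliberately broad, so dotted tokens that are not host names may also be bracketed; `refang` restores them unchanged.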
My server got flagged, too. I only have Nextcloud, Synapse and Element Web apps installed. I don’t use Google services (their services are blocked at the router DNS level). It happened the same day though that I sent a login link to a family member who uses Gmail, so yet again it seems that when Google first detects a server through any of their services they scan and for whatever reason flag it as phishing.
I refuse to register who owns/runs/uses my site with Google though, so I didn’t use search console. I just chose to view the site anyway which in Firefox displayed a warning bar at the top and a button saying that it isn’t a deceptive site. I clicked that, entered the domain name and a comment just saying that the site wasn’t asking for any login details but those of the same site. Next day it was unblocked and VirusTotal has changed from 2 sites reporting it as phishing to zero.