RE: https://aus.social/@mojo/116321714247825786

And Wero runs on (ta-da) the American Amazon Web Services. Out of the frying pan, into the fire.

@bert_hubert Despite this it may still be worth using, but we would definitely need to be strong in lobbying towards getting them off American services.

From command `dig -t any wero-wallet.eu`:

- Amazon for DNS: `wero-wallet.eu. 86400 IN NS ns-155.awsdns-19.com.`
- Microsoft for E-Mail: `wero-wallet.eu. 3600 IN MX 0 werowallet-eu01b.mail.protection.outlook.com.`
- Digital Ocean for hosting: `wero-wallet.eu. 3600 IN A 142.93.239.121` and `wero-wallet.eu. 3600 IN AAAA 2a03:b0c0:2:d0::115a:1001`
- Google for "site verification": `wero-wallet.eu. 3600 IN TXT "google-site-verification=mXzESlCJHy0hf-CC4eArUzeTYVsfCyqZpx2tdc3UAO0"` (this one might be a harmless SEO thing)

From visiting the website I see HTTP requests to the following non-EU domains:

- vimeo.com (in the US)
- plyr.io (in the UK)
- zdassets.com (i.e. ZenDesk, in the US)
- hs-scripts.com (i.e. HubSpot, in the US)

This also lists a `weropay.eu` domain. This in addition finds:

- Amazon for E-Mail: `weropay.eu. 300 IN TXT "v=spf1 include:amazonses.com -all"`

Not very European at all. I didn't list the few EU services they use, but it was less than 30% of the total.

Using Amazon and Microsoft for E-Mail means they cannot have any US-sanctioned employees. Using Digital Ocean and various JavaScript hosts from the US means the US can get at the data.
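
One way to automate the record-to-provider mapping done by hand in the post above, as an added example that is not part of the original thread. The suffix rules and provider labels are assumptions derived from the quoted records, the Google token is a constructed placeholder, and A/AAAA addresses are only flagged because DNS alone does not say who operates an IP:

```python
import re

# Constructed sample: the answer lines quoted in the post, in dig's output format.
SAMPLE = """\
; constructed from the records quoted in the thread
wero-wallet.eu. 86400 IN NS ns-155.awsdns-19.com.
wero-wallet.eu. 3600 IN MX 0 werowallet-eu01b.mail.protection.outlook.com.
wero-wallet.eu. 3600 IN A 142.93.239.121
wero-wallet.eu. 3600 IN TXT "google-site-verification=EXAMPLE-TOKEN"
weropay.eu. 300 IN TXT "v=spf1 include:amazonses.com -all"
"""

# (record type, pattern on the record data, provider label); assumed rule set, extend as needed.
RULES = [
    ("NS", re.compile(r"\.awsdns-\d+\.[a-z.]+$", re.I), "Amazon (Route 53 DNS)"),
    ("MX", re.compile(r"\.mail\.protection\.outlook\.com\.?$", re.I),
     "Microsoft (Exchange Online mail)"),
    ("TXT", re.compile(r"\binclude:amazonses\.com\b", re.I), "Amazon (SES mail sending)"),
    ("TXT", re.compile(r"google-site-verification=", re.I), "Google (site verification)"),
]


def classify(dig_output):
    """Return (owner, type, provider) for every answer line in dig output."""
    results = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comment lines
            continue
        fields = line.split(None, 4)  # owner, ttl, class, type, record data
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        provider = next(
            (name for t, pat, name in RULES if t == rtype and pat.search(rdata)),
            None,
        )
        if provider is None:
            # Address records need an IP-to-operator lookup, not a name match.
            provider = "needs WHOIS/ASN lookup" if rtype in ("A", "AAAA") else "unclassified"
        results.append((owner, rtype, provider))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

Many DNS servers now give only a minimal answer to `ANY` queries (RFC 8482), so feeding this the output of separate `NS`, `MX`, `TXT`, `A` and `AAAA` queries gives more complete results.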

@divVerent @bert_hubert it looks like they’re not hardcoding amazon host names, at least, so it should be possible to swap things out without requiring a gazillion apps and sites to change the address
@divVerent Note that this is "just" the marketing page for Wero. Payments themselves flow through the APIs of the participating banks, not through wero-wallet.eu @bert_hubert
@jwildeboer @divVerent trust me, I checked, Wero fully relies on AWS to function. Also those banks are also on AWS/Azure.
@bert_hubert Sure. And that should be changed. But Wero is an opportunity to build a better payment system, so let's force them to do better. Campaigning against the use of Wero is not my thing because of that. @divVerent

@jwildeboer
I don't see a campaign here, but caution.

Indeed getting regulation up to speed to provide sane guardrails will help.
@bert_hubert @divVerent

@jwildeboer @bert_hubert Yeah. I still see it as an incremental improvement over the status quo and will switch to it when it becomes available to me - however will definitely make sure to leave feedback about these US connections.

@bert_hubert @jwildeboer Out of curiosity, how does one check? Does user traffic actually hit AWS (or even just Amazon managed DNS domains)?

This is precisely what I will try to check once I can use it, and annoy customer support and regulators about it.

@jwildeboer @bert_hubert I will check that once I can use it. Definitely will sniff the traffic.

Also the website may be used for logging in from a laptop.

Plus, the part that their use of MS and Amazon for E-Mail implies that they can still be arbitrarily threatened with US sanctions.

So, if none of the user data based flows go through these domains, that would be good, but they still need to move off the MS Teams suite at least, or else MS can basically fire their employees.