Bert Hubert NL πŸ‡ΊπŸ‡¦πŸ‡ͺπŸ‡ΊπŸ‡ΊπŸ‡¦Mar 31

RE: https://aus.social/@mojo/116321714247825786

En Wero draait op (tadaa) het Amerikaanse Amazon Web Services. Van de regen in de drup.

Show threaddivVerentMar 31

@bert_hubert Despite this it may still be worth using, but we would definitely need to be strong in lobbying towards getting them off American services.

From command `dig -t any wero-wallet.eu`:

- Amazon for DNS: `wero-wallet.eu. 86400 IN NS ns-155.awsdns-19.com.`
- Microsoft for E-Mail: `wero-wallet.eu. 3600 IN MX 0 werowallet-eu01b.mail.protection.outlook.com.`
- Digital Ocean for hosting: `wero-wallet.eu. 3600 IN A 142.93.239.121` and `wero-wallet.eu. 3600 IN AAAA 2a03:b0c0:2:d0::115a:1001`
- Google for "site verification: `wero-wallet.eu. 3600 IN TXT "google-site-verification=mXzESlCJHy0hf-CC4eArUzeTYVsfCyqZpx2tdc3UAO0"` (this one might be a harmless SEO thing)

From visiting the website I see HTTP requests to the following non-EU domains:

- vimeo.com (in the US)
- plyr.io (in the UK)
- zdassets.com (i.e. ZenDesk, in the US)
- hs-scripts.com (i.e. HubSpot, in the US)

This also lists a `weropay.eu` domain. This in addition finds:

- Amazon for E-Mail: `weropay.eu. 300 IN TXT "v=spf1 include:amazonses.com -all"`

Not very European at all. I didn't list the few EU services they use, but it was less than 30% of the total.

Using Amazon and Microsoft for E-Mail means they cannot have any US-sanctioned employees. Using Digital Ocean and various Javascript hosts from the US means the US can get at the data.

Show threadJan Wildeboer 😷
@divVerent Note that this is "just" the marketing page for Wero. Payments themselves flow through the APIs of the participating banks, not through wero-wallet.eu @bert_hubert
Mar 31 at 9:28amWeb
Show threadBert Hubert NL πŸ‡ΊπŸ‡¦πŸ‡ͺπŸ‡ΊπŸ‡ΊπŸ‡¦Mar 31
@jwildeboer @divVerent trust me, I checked, Wero fully relies on AWS to function. Also those banks are also on AWS/Azure.
Show threadJan Wildeboer 😷Mar 31
@bert_hubert Sure. And that should be changed. But Wero is an opportunity to build a better payment system, so let's force them do better. Campaigning against the use of Wero is not my thing because of that. @divVerent
Show threadjon rMar 31

@jwildeboer
I don't see a campaign here, but caution.

Indeed getting regulation up to speed to provide sane guardrails will help.
@bert_hubert @divVerent

Show threaddivVerentMar 31
@jwildeboer @bert_hubert Yeah. I still see it as an incremental improvement over the status quo and will switch to it when it becomes available to me - however will definitely make sure to leave feedback about these US connections.
Show threaddivVerentMar 31

@bert_hubert @jwildeboer Out of curiosity, how does on check? Does user traffic actually hit AWS (or even just Amazon managed DNS domains)?

This is precisely what I will try to check once I can use it, and annoy customer support and regulators about it.

Show threaddivVerentMar 31

@jwildeboer @bert_hubert I will check that once I can use it. Definitive will sniff the traffic.

Also the website may be used for logging in from a laptop.

Plus, the part that their use of MS and Amazon for E-Mail implies that they can still be arbitrarily threatened with US sanctions.

So, if none of the user data based flows go through these domains, that would be good, but they still need to move off the MS Teams suite at least, or else MS can basically fire their employees.